[cisco-voip] Enabling CUCM/WebEx/B2B - firewall’ing thoughts?
Lelio Fulgenzi
lelio at uoguelph.ca
Thu Aug 2 12:09:39 EDT 2018
Thanks Brian.
I meant to write: _without_ the need for licenses – but good to be corrected, since it does firm up my assumptions.
I’ll take a look at the document. We’re working with a partner, so I’m hoping not to have to be to versed with he deployment details too much, but the options available will be good to review.
Will all B2B calls try 5061? If so, then that breaks my theory / thought about using ACLs, since MRA needs those ports.
---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook
[University of Guelph Cornerstone with Improve Life tagline]
From: Brian Meade <bmeade90 at vt.edu>
Sent: Wednesday, August 1, 2018 9:16 AM
To: Lelio Fulgenzi <lelio at uoguelph.ca>
Cc: cisco-voip voyp list <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Enabling CUCM/WebEx/B2B - firewall’ing thoughts?
Lelio,
You don't need RMS licenses for Webex calls. You need to use the exact settings mentioned in the Webex CMR Guide though- https://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Deployment_Guide_WBS31_WBS32.pdf
Also Webex will typically try TLS inbound so I would just go with the _sips SRV record and just open inbound 5061 along with the audio ports. You can disable TCP/UDP 5060 from the Expressway as well.
You can also setup mutual TLS with Webex for even more security. That way Expressway is only trusting Webex certificates for inbound calls. Most of that documentation is in the Hybrid Services Call Service Connect documentation.
On Wed, Aug 1, 2018 at 9:09 AM Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>> wrote:
We’re finally taking a turn (not to be confused with TURN - hahaha) at getting CUCM talking to WebEx. Im guessing this is simply a B2B setup with the need for licenses.
The question I have is whether or not I should be activating ACLs anywhere along the path to avoid the expressways from getting hammered and clogging up the logs.
We’ll be enabling this on the MRA expressway pairs for the time being.
From my understanding, MRA uses 5061, 8443, 5222 inbound and B2B uses 5060.
Would it be advisable, to build ACLs only allowing certain address (space) to connect?
This would be on top of any rules/zones we build into the ExpE and CUCM (css).
We’re trying to avoid the obvious impact of scanning Ip addresses/uri’s for sip connectivity.
What are people doing?
-sent from mobile device-
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354<tel:519-824-4120;56354> | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/5fde2cd2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1297 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/5fde2cd2/attachment.png>
More information about the cisco-voip
mailing list