[cisco-voip] setting up access for APNS - granular vs wide open internet access

Lelio Fulgenzi lelio at uoguelph.ca
Thu Aug 2 12:42:06 EDT 2018


Thanks Matthew – we’re on v11.5, so I’ll try to drum up the similar chapter.

I’m not sure we’ve got URL based firewall rules implemented or available. I will have to ask.

Good to hear you’ve not had problems with outbound access.

As far as smart licensing is concerned, we were ok using the proxy there, since it would be ok if it went down. If we open up complete access though, the need for that goes away.



---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>

www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook

[University of Guelph Cornerstone with Improve Life tagline]

From: Matthew Loraditch <MLoraditch at heliontechnologies.com>
Sent: Thursday, August 2, 2018 12:33 PM
To: Lelio Fulgenzi <lelio at uoguelph.ca>; voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: RE: setting up access for APNS - granular vs wide open internet access

See page 5 here: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/12_0_1/systemConfig/cucm_b_system-configuration-guide-1201/cucm_b_system-configuration-guide-1201_chapter_01011000.pdf

For what servers your servers will need to talk to, if you can do URL based firewall rules that would work.

If not the servers are all Cisco’s and in the Webex cloud so the IP blocks aren’t that many: https://collaborationhelp.cisco.com/article/en-us/WBX264
Now I’m not 100% certain if ALL webex services fall within those IPs. That article is designed for Teams and Meetings.

I will add I’ve never operated in an environment as tight/regulated as yours, but I have 23 clusters that have been able to talk outbound to internet since their beginnings and never had an issue that had to do with that.

Also you are going to have to think about this internet thing again when you go to 12.x+ and smart licensing so you may want to look up those requirements as well. A few more options exist there where going offline intermittently isn’t as much of a deal.






Matthew Loraditch​

Sr. Network Engineer


p: 443.541.1518<tel:443.541.1518>



w: www.heliontechnologies.com<http://www.heliontechnologies.com/>

 |

e: MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>


[cid:image002.png at 01D42A5E.37BEA380]


[Facebook]<https://facebook.com/heliontech>



[Twitter]<https://twitter.com/heliontech>


[LinkedIn]<https://www.linkedin.com/company/helion-technologies>





[Helion joins Automotive CX Summit]<https://heliontechnologies.com/events/14th-annual-automotive-cx-summit-hosted-thought-leadership-summits/>




From: cisco-voip <cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>> On Behalf Of Lelio Fulgenzi
Sent: Thursday, August 2, 2018 11:58 AM
To: voyp list, cisco-voip (cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>) <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: [cisco-voip] setting up access for APNS - granular vs wide open internet access


Another issue we are facing is setting up the collaboration servers (CUCM, IMP) to talk out of our private network to the internet to talk to Cisco and Apple servers.

Just wondering what others have been doing.

Our networking team has suggested the simplest way would be to add a PAT rule at our edge for the servers (or network) so that they can communicate out to the internet as required. There would be no ACLs applied, so they could talk to anywhere. By applying the PAT on the edge, all internal communications would continue with the internal addressing. The PAT would only allow established communications – no outside-to-inside initiated talk allowed.

The other alternative would be to put a bunch of xlate’s on our data centre firewall, one for each source collab server and cisco/apple dest pair – this could be 10s of statements.

The first means I have no control over who the servers can talk to on the internet. Which scares me.

The second would mean quite a bit of extra upfront work, and managing those statements if/when Cisco and apple update their ip addresses.

There is the proxy option, but the current proxy service we have is likely not to be considered mission critical and attaching the APNS configuration to this likely wouldn’t go over well.

What have others done in this situation?

Thanks!


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>

www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook

[University of Guelph Cornerstone with Improve Life tagline]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/da92d180/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1297 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/da92d180/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 8404 bytes
Desc: image002.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/da92d180/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 431 bytes
Desc: image003.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/da92d180/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 561 bytes
Desc: image004.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/da92d180/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 444 bytes
Desc: image005.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/da92d180/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.jpg
Type: image/jpeg
Size: 27642 bytes
Desc: image006.jpg
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180802/da92d180/attachment.jpg>


More information about the cisco-voip mailing list