[cisco-voip] Enabling CUCM/WebEx/B2B - firewall’ing thoughts?

Brian Meade bmeade90 at vt.edu
Thu Aug 2 16:44:48 EDT 2018


It's always up to the caller and what SRV records they check and in which
order.  Webex always prefers the TLS SRV records first though.

On Thu, Aug 2, 2018 at 12:10 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

>
>
> Thanks Brian.
>
>
>
> I meant to write: _*without*_ the need for licenses – but good to be
> corrected, since it does firm up my assumptions.
>
>
>
> I’ll take a look at the document. We’re working with a partner, so I’m
> hoping not to have to be too versed with the deployment details too much, but
> the options available will be good to review.
>
>
>
> Will all B2B calls try 5061? If so, then that breaks my theory / thought
> about using ACLs, since MRA needs those ports.
>
>
>
> ---
>
> *Lelio Fulgenzi, B.A.* | Senior Analyst
>
> Computing and Communications Services | University of Guelph
>
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
>
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
>
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
>
>
>
>
>
> *From:* Brian Meade <bmeade90 at vt.edu>
> *Sent:* Wednesday, August 1, 2018 9:16 AM
> *To:* Lelio Fulgenzi <lelio at uoguelph.ca>
> *Cc:* cisco-voip voyp list <cisco-voip at puck.nether.net>
> *Subject:* Re: [cisco-voip] Enabling CUCM/WebEx/B2B - firewall’ing
> thoughts?
>
>
>
> Lelio,
>
>
>
> You don't need RMS licenses for Webex calls.  You need to use the exact
> settings mentioned in the Webex CMR Guide though-
> https://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Deployment_Guide_WBS31_WBS32.pdf
>
>
>
> Also Webex will typically try TLS inbound so I would just go with the
> _sips SRV record and just open inbound 5061 along with the audio ports.
> You can disable TCP/UDP 5060 from the Expressway as well.
>
>
>
> You can also setup mutual TLS with Webex for even more security.  That way
> Expressway is only trusting Webex certificates for inbound calls.  Most of
> that documentation is in the Hybrid Services Call Service Connect
> documentation.
>
>
>
> On Wed, Aug 1, 2018 at 9:09 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>
>
> We’re finally taking a turn (not to be confused with TURN - hahaha) at
> getting CUCM talking to WebEx. I'm guessing this is simply a B2B setup with
> the need for licenses.
>
>
>
> The question I have is whether or not I should be activating ACLs anywhere
> along the path to avoid the expressways from getting hammered and clogging
> up the logs.
>
>
>
> We’ll be enabling this on the MRA expressway pairs for the time being.
>
>
>
> From my understanding, MRA uses 5061, 8443, 5222 inbound and B2B uses
> 5060.
>
>
>
> Would it be advisable to build ACLs only allowing certain address (space)
> to connect?
>
>
>
> This would be on top of any rules/zones we build into the ExpE and CUCM
> (css).
>
>
>
> We’re trying to avoid the obvious impact of scanning IP addresses/URIs
> for SIP connectivity.
>
>
>
> What are people doing?
>
>
>
> *-sent from mobile device-*
>
>
>
> *Lelio Fulgenzi, B.A.* | Senior Analyst
>
> Computing and Communications Services | University of Guelph
>
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
>
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
>
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
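The reply above turns on which SRV records a calling system looks up and in what order, and on the consequence for inbound firewall ports (publish only the _sips record and only 5061 needs to be open for signalling). The following is an added example, not code from the thread or from Cisco: it simulates a TLS-preferring caller walking a constructed SRV record set in RFC 2782 order (ascending priority, weighted-random within a priority) and derives the signalling ports a firewall would have to accept for whichever services are actually published. The domain `example.invalid`, the host names and the weights are all made up for the illustration.

```python
"""Simulate the order in which a SIP caller tries a domain's SRV targets.

Added example for the thread above, not the project's own code. The records
below are constructed for a hypothetical domain "example.invalid" that
publishes _sips._tcp (TLS), _sip._tcp and _sip._udp. A caller that prefers TLS
exhausts the _sips set first and only then falls back to cleartext transports.
"""
import random
from collections import namedtuple

Srv = namedtuple("Srv", "service priority weight port target")

# Constructed SRV records (hypothetical domain, hypothetical Expressway hosts).
RECORDS = [
    Srv("_sips._tcp", 10, 60, 5061, "expe1.example.invalid."),
    Srv("_sips._tcp", 10, 40, 5061, "expe2.example.invalid."),
    Srv("_sips._tcp", 20,  0, 5061, "expe-dr.example.invalid."),
    Srv("_sip._tcp",  10, 50, 5060, "expe1.example.invalid."),
    Srv("_sip._udp",  10, 50, 5060, "expe1.example.invalid."),
]

# Service lookup order for a caller that prefers TLS, as the reply describes.
TLS_FIRST = ("_sips._tcp", "_sip._tcp", "_sip._udp")


def rfc2782_order(records, rng=random):
    """Return records in RFC 2782 selection order.

    Lower priority values are tried first. Within one priority, targets are
    chosen by weighted random selection; zero-weight entries are placed at the
    head of the list so they are only picked when the random draw is 0.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)  # zero-weight first
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def caller_attempt_order(records, prefer=TLS_FIRST, rng=random):
    """Flatten per-service SRV results into the sequence of
    (target, port, service) attempts a caller makes, one service at a time."""
    attempts = []
    for service in prefer:
        subset = [r for r in records if r.service == service]
        for r in rfc2782_order(subset, rng):
            attempts.append((r.target, r.port, service))
    return attempts


def inbound_signalling_ports(records, published_services):
    """Signalling ports a firewall must accept if only the given SRV services
    are published in DNS. Publishing only _sips._tcp yields just 5061."""
    return sorted({r.port for r in records if r.service in published_services})


if __name__ == "__main__":
    for target, port, service in caller_attempt_order(RECORDS, rng=random.Random(1)):
        print(f"{service:11} -> {target}:{port}")
    print("ports if only _sips is published:",
          inbound_signalling_ports(RECORDS, {"_sips._tcp"}))
    print("ports if all three are published:",
          inbound_signalling_ports(RECORDS, set(TLS_FIRST)))
```

The weighted draw is seeded in the usage block so the printout is repeatable; the TLS targets always precede the cleartext ones regardless of the seed, and the priority-20 disaster-recovery host is always last within the TLS set.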