[cisco-voip] setting up access for APNS - granular vs wide open internet access

Brian Meade bmeade90 at vt.edu
Thu Aug 2 16:47:07 EDT 2018


Sounds like a CYA type of thing similar to how call recording over MRA was
for a while.  I think x8.11 is supposed to be the release that the
forward-proxy is officially supported for APNS.

On Thu, Aug 2, 2018 at 3:15 PM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

> I _thought_ I remember reading about that. That would have been my
> preference!
>
> 8.10/8.11 womp womp womp
>
> CAUTION: At present the built-in Expressway forward proxy is not suitable
> for use with Cisco Unified
> Communications Manager and/or IM and Presence Service, and is not
> supported for those products. The
> forward proxy is in the Expressway user interface, but it should not be
> used. This means that if you
> require a forward proxy deployment, you need to use a suitable third-party
> HTTPS proxy.
>
> But is this referring to any forward proxy stuff or just non-APNS proxy?
>
>
> ---
> Lelio Fulgenzi, B.A. | Senior Analyst
> Computing and Communications Services | University of Guelph
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
>
>
> -----Original Message-----
> From: Patrick Robitaille <Patrick.Robitaille at aqr.com>
> Sent: Thursday, August 2, 2018 2:08 PM
> To: Lelio Fulgenzi <lelio at uoguelph.ca>
> Cc: Matthew Loraditch <MLoraditch at heliontechnologies.com>; voyp list,
> cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] setting up access for APNS - granular vs wide
> open internet access
>
> Check out release notes for Expressways too as they’re planning forward
> proxy for this purpose as well.
>
> - - -
> Patrick Robitaille, patrick.robitaille at aqr.com
> O: (203) 742-3797 | C: (203) 914-9572
>
>
> On Aug 2, 2018, at 12:42 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
> Thanks Matthew – we’re on v11.5, so I’ll try to drum up the similar
> chapter.
>
> I’m not sure we’ve got URL based firewall rules implemented or available.
> I will have to ask.
>
> Good to hear you’ve not had problems with outbound access.
>
> As far as smart licensing is concerned, we were ok using the proxy there,
> since it would be ok if it went down. If we open up complete access though,
> the need for that goes away.
>
>
>
> ---
> Lelio Fulgenzi, B.A. | Senior Analyst
> Computing and Communications Services | University of Guelph Room 037
> Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
> From: Matthew Loraditch <MLoraditch at heliontechnologies.com>
> Sent: Thursday, August 2, 2018 12:33 PM
> To: Lelio Fulgenzi <lelio at uoguelph.ca>; voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
> Subject: RE: setting up access for APNS - granular vs wide open internet access
>
> See page 5 here:
> https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/12_0_1/systemConfig/cucm_b_system-configuration-guide-1201/cucm_b_system-configuration-guide-1201_chapter_01011000.pdf
>
> For what servers your servers will need to talk to, if you can do URL
> based firewall rules that would work.
>
> If not the servers are all Cisco’s and in the Webex cloud so the IP blocks
> aren’t that many: https://collaborationhelp.cisco.com/article/en-us/WBX264
> Now I’m not 100% certain if ALL webex services fall within those IPs. That
> article is designed for Teams and Meetings.
>
> I will add I’ve never operated in an environment as tight/regulated as
> yours, but I have 23 clusters that have been able to talk outbound to
> internet since their beginnings and never had an issue that had to do with
> that.
>
> Also you are going to have to think about this internet thing again when
> you go to 12.x+ and smart licensing so you may want to look up those
> requirements as well. A few more options exist there where going offline
> intermittently isn’t as much of a deal.
>
>
> Matthew Loraditch
> Sr. Network Engineer
> p: 443.541.1518
> w: www.heliontechnologies.com
> e: MLoraditch at heliontechnologies.com
>
> From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Lelio Fulgenzi
> Sent: Thursday, August 2, 2018 11:58 AM
> To: voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
> Subject: [cisco-voip] setting up access for APNS - granular vs wide open internet access
>
>
> Another issue we are facing is setting up the collaboration servers (CUCM,
> IMP) to talk out of our private network to the internet to talk to Cisco
> and Apple servers.
>
> Just wondering what others have been doing.
>
> Our networking team has suggested the simplest way would be to add a PAT
> rule at our edge for the servers (or network) so that they can communicate
> out to the internet as required. There would be no ACLs applied, so they
> could talk to anywhere. By applying the PAT on the edge, all internal
> communications would continue with the internal addressing. The PAT would
> only allow established communications – no outside-to-inside initiated talk
> allowed.
>
> The other alternative would be to put a bunch of xlate’s on our data
> centre firewall, one for each source collab server and cisco/apple dest
> pair – this could be 10s of statements.
>
> The first means I have no control over who the servers can talk to on the
> internet. Which scares me.
>
> The second would mean quite a bit of extra upfront work, and managing
> those statements if/when Cisco and apple update their ip addresses.
>
> There is the proxy option, but the current proxy service we have is likely
> not to be considered mission critical and attaching the APNS configuration
> to this likely wouldn’t go over well.
>
> What have others done in this situation?
>
> Thanks!
>
>
> ---
> Lelio Fulgenzi, B.A. | Senior Analyst
> Computing and Communications Services | University of Guelph Room 037
> Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
> 519-824-4120 Ext. 56354 | lelio at uoguelph.ca
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
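The thread weighs three egress designs for the CUCM/IMP servers: a PAT rule with no ACL ("no control over who the servers can talk to"), per-source/per-destination statements that must be maintained when Cisco or Apple change their address blocks, or a proxy. The script below is an added example, not code from any poster or from Cisco: it is the compensating control a defender would pair with the first option (audit firewall connection logs for collab-server egress to destinations outside the published blocks), plus the bookkeeping step behind the second (diff two versions of a published address list to see which statements to add or retire). The address blocks, server addresses and log format are all constructed placeholders (RFC 5737 and RFC 1918 ranges), not the real Cisco or Apple lists.

```python
"""Egress allow-list audit for collaboration servers (added example).

Assumed inputs: a list of destination CIDRs standing in for the published
Cisco/Apple blocks, the collab servers' addresses, and a connection log in a
constructed "<timestamp> <src> <dst> <dst-port>" format.
"""
import ipaddress
from collections import Counter

# Constructed placeholder ranges (RFC 5737 documentation prefixes), NOT the
# real published Cisco or Apple lists; substitute those before real use.
ALLOWED_DESTINATIONS = [
    "198.51.100.0/24",  # placeholder for a "Cisco/Webex cloud" block
    "203.0.113.0/24",   # placeholder for an "Apple push" block
]

# Collaboration servers whose egress is audited (constructed RFC 1918 addresses).
COLLAB_SERVERS = ["10.10.20.11", "10.10.20.12", "10.10.20.21"]

# Constructed connection log. Real firewalls log many more fields; only the
# four used here matter for the check.
SAMPLE_LOG = """\
2018-08-02T12:00:01 10.10.20.11 198.51.100.45 443
2018-08-02T12:00:03 10.10.20.12 203.0.113.9 443
2018-08-02T12:00:07 10.10.20.11 192.0.2.77 443
2018-08-02T12:00:09 10.10.20.21 203.0.113.10 5223
2018-08-02T12:00:12 10.10.30.5 192.0.2.77 443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield ts, src, dst, int(port)


def audit_egress(log_text, allowed_cidrs, collab_servers):
    """Return connections from collab servers to destinations outside the allow-list."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    collab = set(collab_servers)
    findings = []
    for ts, src, dst, port in parse_log(log_text):
        if src not in collab:
            continue  # other hosts are out of scope for this check
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in nets):
            findings.append({"time": ts, "src": src, "dst": dst, "port": port})
    return findings


def top_unexpected_destinations(findings, n=5):
    """Count unexpected destinations so recurring ones surface first."""
    return Counter(f["dst"] for f in findings).most_common(n)


def diff_allowlist(old_cidrs, new_cidrs):
    """Compare two versions of a published list; returns (added, removed).

    This is the maintenance step behind "if/when Cisco and Apple update
    their IP addresses": each added prefix needs a new firewall statement,
    each removed prefix should have its statement retired.
    """
    old = {ipaddress.ip_network(c) for c in old_cidrs}
    new = {ipaddress.ip_network(c) for c in new_cidrs}
    return sorted(str(n) for n in new - old), sorted(str(n) for n in old - new)


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG, ALLOWED_DESTINATIONS, COLLAB_SERVERS):
        print(f"UNEXPECTED {f['time']} {f['src']} -> {f['dst']}:{f['port']}")
    added, removed = diff_allowlist(ALLOWED_DESTINATIONS,
                                    ALLOWED_DESTINATIONS + ["192.0.2.64/26"])
    print("add rules for:", added, "retire rules for:", removed)
```

Run against the constructed log, the audit flags the one connection from 10.10.20.11 to 192.0.2.77 and ignores the non-collab host entirely; fed the published lists on a schedule, `diff_allowlist` tells you exactly which statements changed instead of leaving that to chance.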