[cisco-voip] Enabling CUCM/WebEx/B2B - firewall’ing thoughts?

Lelio Fulgenzi lelio at uoguelph.ca
Fri Aug 3 11:16:51 EDT 2018 

This is a great summary Terry. Thanks!

Little by little, I’m getting on board with all of it.

The only part I’m struggling with is the ACLs to prevent the inbound SIP attacks / probing (for lack of a better term). If there is an overlap of the ports used for B2B and MRA, then I can’t see myself being able to setup ACLs that will prevent SIP attacks but still allow MRA from everywhere.

I’m going to be doing a bit more reading and discussion to try and understand that relationship.

Lelio


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>

www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook

[University of Guelph Cornerstone with Improve Life tagline]

From: Terry Cheema <terry.cheema at gmail.com>
Sent: Thursday, August 2, 2018 7:27 PM
To: Lelio Fulgenzi <lelio at uoguelph.ca>
Cc: Brian Meade <bmeade90 at vt.edu>; cisco-voip voyp list <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Enabling CUCM/WebEx/B2B - firewall’ing thoughts?

Lelio,

From the sounds of it looks like you already have MRA expressways and want to enable B2B on the same for VC/SIP end points registered to CUCM - you will need -

1) If both the MRA and B2B go to same CUCM then the ports for neighbour zone (between Exp-C and CUCM need to be different from MRA, you can set these up at exp-c and CUCM SIP trunk)

2) There has to be a separate traversal zone between exp-c and exp-e as well for B2B, using a different port. If existing MRA is using 7001, use 7002 for B2B.

3) For outbound calls to Webex setup is fairly simple, As long as you have opened the required firewall ports,  (which you can find in the admin guide)
You don’t need any SRV records for outbound only sip route patterns/trunk on CUCM and expressway zones/search rules.

4) For inbound calls from WebEx you will need to publish theSRV records for your domain. (Only needed if you have enabled or require call me or call my video system from Webex)

5) As others have mentioned, CMR calls to webex don’t require RMS license.

6) Also be mindful of the internet bandwidth; depending on your usage.

7) Regards to Security; you can setup ACL at your routers, switches (l2 vacls, acls - normally comes up to your organisations network policy on what you have already in place), obviously firewalls. The complete list of ports is in the admin guide.

-Terry
Sent from my iPhone

On 3 Aug 2018, at 6:44 am, Brian Meade <bmeade90 at vt.edu<mailto:bmeade90 at vt.edu>> wrote:
It's always up to the caller and what SRV records they check and in which order.  Webex always prefers the TLS SRV records first though.

On Thu, Aug 2, 2018 at 12:10 PM Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>> wrote:

Thanks Brian.

I meant to write: _without_ the need for licenses – but good to be corrected, since it does firm up my assumptions.

I’ll take a look at the document. We’re working with a partner, so I’m hoping not to have to be to versed with he deployment details too much, but the options available will be good to review.

Will all B2B calls try 5061? If so, then that breaks my theory / thought about using ACLs, since MRA needs those ports.

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>

www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook

[University of Guelph Cornerstone with Improve Life tagline]

From: Brian Meade <bmeade90 at vt.edu<mailto:bmeade90 at vt.edu>>
Sent: Wednesday, August 1, 2018 9:16 AM
To: Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>
Cc: cisco-voip voyp list <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: Re: [cisco-voip] Enabling CUCM/WebEx/B2B - firewall’ing thoughts?

Lelio,

You don't need RMS licenses for Webex calls.  You need to use the exact settings mentioned in thehttps://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Dep<https://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Deployment_Guide_WBS31_WBS32.pdf>Webex CMR Guide though- https://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Dep<https://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Deployment_Guide_WBS31_WBS32.pdf>https://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Deployment_Guide_WBS31_WBS32.pdfloyment_Guide_WBS31_WBS32.pdf<https://www.cisco.com/c/dam/en/us/td/docs/collaboration/webex_centers/esp/WebEx_Meeting_Center_Video_Conferencing_Enterprise_Deployment_Guide_WBS31_WBS32.pdf>

Also Webex will typically try TLS inbound so I would just go with the _sips SRV record and just open inbound 5061 along with the audio ports.  You can disable TCP/UDP 5060 from the Expressway as well.

You can also setup mutual TLS with Webex for even more security.  That way Expressway is only trusting Webex certificates for inbound calls.  Most of that documentation is in the Hybrid Services Call Service Connect documentation.

On Wed, Aug 1, 2018 at 9:09 AM Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>> wrote:

We’re finally taking a turn (not to be confused with TURN - hahaha) at getting CUCM talking to WebEx. Im guessing this is simply a B2B setup with the need for licenses.

The question I have is whether or not I should be activating ACLs anywhere along the path to avoid the expressways from getting hammered and clogging up the logs.

We’ll be enabling this on the MRA expressway pairs for the time being.

From my understanding, MRA uses 5061, 8443, 5222 inbound and B2B uses 5060.

Would it be advisable, to build ACLs only allowing certain address (space) to connect?

This would be on top of any rules/zones we build into the ExpE and CUCM (css).

We’re trying to avoid the obvious impact of scanning Ip addresses/uri’s for sip connectivity.

What are people doing?

-sent from mobile device-

Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354<tel:519-824-4120;56354> | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>

www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180803/3b8323d2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1297 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180803/3b8323d2/attachment.png>

More information about the cisco-voip mailing list