[cisco-voip] Enabling CUCM/WebEx/B2B - firewalling thoughts?
Pawlowski, Adam
ajp26 at buffalo.edu
Fri Aug 3 12:06:11 EDT 2018
As far as I am aware you're not going to be able to avoid people "scanning" the Expressway and yet also use it for MRA and B2B.
The system has automated protections (fail2ban), and you can set your search rules up to not let the repeated SIPVicious and Google's garbage probes make it even into the Expressway-C or your infra.
MRA uses other ports for audio I believe, and not just 5060/5061/8443/5222.
B2B in my experience still tries 5060 even if the call supports encryption over SIP/TCP. "sips" on 5061 and MTLS on 5062 are things as well, but not everything will go there. Most people do not have functional encryption if they haven't set their system up recently, especially for XMPP federation (looking at cisco.com ....).
We run MRA and B2B on the same pair, and leave the E open to do whatever it needs to do. I need to tighten up my search rules as I learn more about those, but it has yet to be an issue.
The box logs an absolute ton of messaging if you send it to remote syslog, so we dropped it down to filter for important non-info messages to clear that up.
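An added example, not from the post or from Cisco's tooling, of the two things described above: dropping info-level syslog noise to keep only the important messages, and counting repeated SIP scanner probes per source so they can be fed to a search-rule deny or a fail2ban-style block. The key="value" line format, host and process names, and IP addresses are constructed stand-ins, not Expressway's exact log output.

```python
import re
from collections import Counter

# Constructed sample syslog lines (stand-in format, NOT Expressway's real output).
# PRI values: <134> = local0.info, <132> = local0.warning, <131> = local0.err.
SAMPLE_LOGS = [
    '<134>Aug  3 12:01:05 expe1 sip: Level="INFO" Msg="INVITE rx" Src="203.0.113.7" UA="friendly-scanner" Uri="sip:100@expe1.example.com"',
    '<134>Aug  3 12:01:06 expe1 sip: Level="INFO" Msg="INVITE rx" Src="203.0.113.7" UA="friendly-scanner" Uri="sip:101@expe1.example.com"',
    '<134>Aug  3 12:01:07 expe1 sip: Level="INFO" Msg="INVITE rx" Src="203.0.113.7" UA="friendly-scanner" Uri="sip:102@expe1.example.com"',
    '<134>Aug  3 12:01:09 expe1 sip: Level="INFO" Msg="INVITE rx" Src="198.51.100.20" UA="Cisco-Expressway" Uri="sip:alice@partner.example"',
    '<132>Aug  3 12:01:10 expe1 sip: Level="WARN" Msg="Search rule: no match" Src="203.0.113.7" UA="friendly-scanner" Uri="sip:103@expe1.example.com"',
    '<131>Aug  3 12:02:00 expe1 sys: Level="ERROR" Msg="Traversal zone down" Src="" UA="" Uri=""',
]

LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one syslog line into header fields plus its key="value" pairs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["pri"]) & 7   # RFC 5424: PRI = facility * 8 + severity
    rec.update(KV_RE.findall(rec.pop("rest")))
    return rec

def important_only(lines, max_severity=5):
    """Keep notice (5) and more severe; drop info (6) and debug (7) chatter."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["severity"] <= max_severity]

# "friendly-scanner" is SIPVicious's default User-Agent; extend from your own logs.
SCANNER_UAS = {"friendly-scanner"}
EXT_URI = re.compile(r"^sip:\d{2,6}@")   # short numeric extensions = enumeration pattern

def probe_sources(lines, threshold=3):
    """Per-source count of scanner-looking SIP requests; return those at/above threshold."""
    hits = Counter()
    for r in (parse_line(l) for l in lines):
        if not r or not r.get("Src"):
            continue
        if r.get("UA", "").lower() in SCANNER_UAS or EXT_URI.match(r.get("Uri", "")):
            hits[r["Src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}
```

Sources returned by probe_sources are candidates for a search rule that rejects them before they reach the Expressway-C, or for confirming that fail2ban has already acted.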