[cisco-voip] Enabling CUCM/WebEx/B2B - firewall-ing thoughts?
Lelio Fulgenzi
lelio at uoguelph.ca
Fri Aug 3 12:25:30 EDT 2018
Thanks Adam. This is certainly the feeling I'm getting. I'm likely going to have to rely on the rules that are available on the E and use CSS on the CUCM and expect that our first time out of the gate, we might see some issues.
Good call about lowering the syslog sev for remote syslog monitoring.
---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram, Twitter and Facebook
From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Pawlowski, Adam
Sent: Friday, August 3, 2018 12:06 PM
To: 'cisco-voip at puck.nether.net' <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Enabling CUCM/WebEx/B2B - firewall-ing thoughts?
As far as I am aware you're not going to be able to avoid people "scanning" the Expressway, and yet also let you use it for MRA and B2B.
The system has automated protections (fail2ban) and you can set your search rules up to not let the repeated SIP Vicious and Google's garbage probes make it even into the Expressway-C or your infra.
MRA uses other ports for audio I believe, and not just 5060/5061/8443/5222.
B2B in my experience still tries 5060 even if the call supports encryption over sip/tcp. "sips" on 5061 and mtls on 5062 are things as well but not everything will go there. Most people do not have functional encryption if they haven't set their system up recently. Especially for XMPP Fed (looking at cisco.com .... )
We run MRA and B2B on the same pair, and leave the E open to do whatever it needs to do. I need to tighten up my search rules as I learn more about those, but, it has yet to be an issue.
The box logs an absolute ton of messaging if you send it to remote syslog, so we dropped it down to filter for important non-info messages to clear that up.
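Two points from Adam's reply lend themselves to a small worked example: filtering a remote syslog feed down to "important non-info messages", and spotting the repeated probe traffic that fail2ban-style protection keys on. The script below is an added illustration, not code from the list or from Cisco: it decodes the syslog PRI field (facility*8 + severity), drops info and debug lines, and counts authentication failures per source so that a collector can alert when one address keeps hammering the Expressway. The log lines are constructed, and the `Event=` / `Src-ip=` key-value layout is an assumption for the example, not the Expressway's real log format.

```python
import re
from collections import Counter

# Constructed sample lines in RFC 5424 style, standing in for what an
# Expressway forwards to a remote syslog collector. The Event/Src-ip
# field names are assumed for this example, not real device output.
SAMPLE_LOG = """\
<134>1 2018-08-03T12:00:01Z expe1 tvcs - - - Event="Call Attempted" Src-ip="203.0.113.5" Protocol="SIP" Detail="INVITE sip:100@example.edu"
<132>1 2018-08-03T12:00:02Z expe1 tvcs - - - Event="Authentication Failure" Src-ip="203.0.113.5" Protocol="SIP" Detail="REGISTER rejected"
<135>1 2018-08-03T12:00:03Z expe1 tvcs - - - Event="Debug" Src-ip="198.51.100.9" Detail="keepalive"
<132>1 2018-08-03T12:00:04Z expe1 tvcs - - - Event="Authentication Failure" Src-ip="203.0.113.5" Protocol="SIP" Detail="REGISTER rejected"
<132>1 2018-08-03T12:00:05Z expe1 tvcs - - - Event="Authentication Failure" Src-ip="203.0.113.5" Protocol="SIP" Detail="REGISTER rejected"
<134>1 2018-08-03T12:00:06Z expe1 tvcs - - - Event="Call Attempted" Src-ip="192.0.2.44" Protocol="SIP" Detail="INVITE sip:bob@example.edu"
<131>1 2018-08-03T12:00:07Z expe1 tvcs - - - Event="Service Failure" Detail="TURN relay unavailable"
"""

# Syslog severity codes 0..7 (RFC 5424 section 6.2.1).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')


def parse_pri(line):
    """Decode the <PRI> prefix: PRI = facility * 8 + severity.

    Returns (facility, severity) or None when the line carries no valid PRI.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        return None
    return divmod(pri, 8)


def fields(line):
    """Pull key="value" pairs out of the message body into a dict."""
    return dict(KV_RE.findall(line))


def important_events(text, max_severity=5):
    """Keep lines at severity notice (5) or more urgent; drop info (6) and debug (7).

    This is the 'filter for important non-info messages' step from the thread,
    done on the collector side.
    """
    kept = []
    for line in text.splitlines():
        parsed = parse_pri(line)
        if parsed is None:
            continue
        _, severity = parsed
        if severity <= max_severity:
            kept.append(line)
    return kept


def severity_summary(text):
    """Count messages per severity name, so you can see how much is info/debug noise."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_pri(line)
        if parsed is not None:
            counts[SEVERITY_NAMES[parsed[1]]] += 1
    return dict(counts)


def noisy_sources(text, threshold=3):
    """Return {source_ip: failures} for sources with >= threshold auth failures.

    A simplified model of what a fail2ban-style rule reacts to; the real
    Expressway logic is not reproduced here.
    """
    counts = Counter()
    for line in text.splitlines():
        f = fields(line)
        if f.get("Event") == "Authentication Failure" and "Src-ip" in f:
            counts[f["Src-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("severity mix:", severity_summary(SAMPLE_LOG))
    for line in important_events(SAMPLE_LOG):
        print("KEEP:", line)
    print("repeat offenders:", noisy_sources(SAMPLE_LOG))
```

Run as-is it prints the severity mix, the four lines that survive the non-info filter, and the one source that accumulated three REGISTER failures. The severity cut-off is applied on the collector here so the Expressway can keep shipping everything; if the box itself is reconfigured to send only warning and above, the collector-side `max_severity` simply becomes a no-op.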