[cisco-voip] setting up access for APNS - granular vs wide open internet access
Lelio Fulgenzi
lelio at uoguelph.ca
Fri Aug 10 17:02:30 EDT 2018
Expressway update uploaded to Collaboration CCP in Communities.
Including updates about APNS / forward proxy support in 8.11 and beyond. ☹
---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca
www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
-----Original Message-----
From: Patrick Robitaille <Patrick.Robitaille at aqr.com>
Sent: Thursday, August 2, 2018 2:08 PM
To: Lelio Fulgenzi <lelio at uoguelph.ca>
Cc: Matthew Loraditch <MLoraditch at heliontechnologies.com>; voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] setting up access for APNS - granular vs wide open internet access
Check out release notes for Expressways too as they’re planning forward proxy for this purpose as well.
- - -
Patrick Robitaille, patrick.robitaille at aqr.com
O: (203) 742-3797 | C: (203) 914-9572
On Aug 2, 2018, at 12:42 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
Thanks Matthew – we’re on v11.5, so I’ll try to drum up the similar chapter.
I’m not sure we’ve got URL based firewall rules implemented or available. I will have to ask.
Good to hear you’ve not had problems with outbound access.
As far as smart licensing is concerned, we were ok using the proxy there, since it would be ok if it went down. If we open up complete access though, the need for that goes away.
---
From: Matthew Loraditch <MLoraditch at heliontechnologies.com>
Sent: Thursday, August 2, 2018 12:33 PM
To: Lelio Fulgenzi <lelio at uoguelph.ca>; voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: RE: setting up access for APNS - granular vs wide open internet access
See page 5 here: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/12_0_1/systemConfig/cucm_b_system-configuration-guide-1201/cucm_b_system-configuration-guide-1201_chapter_01011000.pdf
For what servers your servers will need to talk to, if you can do URL-based firewall rules, that would work.
If not, the servers are all Cisco’s and in the Webex cloud, so the IP blocks aren’t that many: https://collaborationhelp.cisco.com/article/en-us/WBX264
Now I’m not 100% certain if ALL Webex services fall within those IPs. That article is designed for Teams and Meetings.
I will add I’ve never operated in an environment as tight/regulated as yours, but I have 23 clusters that have been able to talk outbound to the internet since their beginnings and never had an issue that had to do with that.
Also, you are going to have to think about this internet thing again when you go to 12.x+ and smart licensing, so you may want to look up those requirements as well. A few more options exist there where going offline intermittently isn’t as much of a deal.
Matthew Loraditch
Sr. Network Engineer
p: 443.541.1518
w: www.heliontechnologies.com
e: MLoraditch at heliontechnologies.com
From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Thursday, August 2, 2018 11:58 AM
To: voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: [cisco-voip] setting up access for APNS - granular vs wide open internet access
Another issue we are facing is setting up the collaboration servers (CUCM, IMP) to talk out of our private network to the internet to talk to Cisco and Apple servers.
Just wondering what others have been doing.
Our networking team has suggested the simplest way would be to add a PAT rule at our edge for the servers (or network) so that they can communicate out to the internet as required. There would be no ACLs applied, so they could talk to anywhere. By applying the PAT on the edge, all internal communications would continue with the internal addressing. The PAT would only allow established communications – no outside-to-inside initiated talk allowed.
The other alternative would be to put a bunch of xlates on our data centre firewall, one for each source collab server and Cisco/Apple destination pair – this could be tens of statements.
The first means I have no control over who the servers can talk to on the internet. Which scares me.
The second would mean quite a bit of extra upfront work, and managing those statements if/when Cisco and apple update their ip addresses.
There is the proxy option, but the current proxy service we have is likely not to be considered mission critical and attaching the APNS configuration to this likely wouldn’t go over well.
What have others done in this situation?
Thanks!
---
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
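The thread weighs a wide-open PAT (no control over destinations) against a per-server, per-destination allow-list on the data centre firewall (tens of statements to build and maintain as vendor prefixes change). The script below is an added example written for this page, not code from any of the posters or from Cisco: it generates the allow-list from a server inventory and a destination table, renders it in ASA extended-ACL syntax with a logged final deny, and audits a set of flow records against it so that anything the open-PAT approach would have let out silently is reported. The server addresses, the "Cisco cloud" prefix (an RFC 5737 documentation range) and the flow records are constructed; the Apple prefix and ports are the published APNs requirements as this editor understands them and should be checked against Apple's current documentation before use.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One source-server / destination-prefix / port permit statement."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    note: str


# Hypothetical collaboration servers (RFC 1918 addresses invented for this example).
COLLAB_SERVERS = [
    ("cucm-pub", "10.10.5.11"),
    ("cucm-sub", "10.10.5.12"),
    ("imp-pub", "10.10.5.21"),
]

# Assumed destinations. 17.0.0.0/8 with TCP 443 and 2197 is what Apple publishes
# for APNs; the "Cisco" prefix is an RFC 5737 documentation range standing in for
# whatever the Cisco article lists. Verify both against the vendors' current docs.
DESTINATIONS = [
    ("17.0.0.0/8", "tcp", 2197, "APNs"),
    ("17.0.0.0/8", "tcp", 443, "APNs fallback port"),
    ("198.51.100.0/24", "tcp", 443, "Cisco cloud (placeholder prefix)"),
]


def build_rules(servers, destinations) -> list[Rule]:
    """Cross product: one permit per (server, destination, port) pair."""
    rules = []
    for _name, src in servers:
        for net, proto, port, note in destinations:
            rules.append(Rule(ipaddress.IPv4Address(src),
                              ipaddress.IPv4Network(net), proto, port, note))
    return rules


def to_asa(rule: Rule, acl: str) -> str:
    """Render one rule as an ASA extended ACL line (ASA takes a netmask, not a wildcard)."""
    if rule.dst.prefixlen == 32:
        dst = f"host {rule.dst.network_address}"
    else:
        dst = f"{rule.dst.network_address} {rule.dst.netmask}"
    return (f"access-list {acl} extended permit {rule.proto} "
            f"host {rule.src} {dst} eq {rule.port}")


def render_acl(rules, acl: str = "COLLAB_EGRESS") -> list[str]:
    """Full ACL: the permits, then an explicit logged deny so anything outside the
    allow-list shows up in syslog instead of silently hitting the implicit deny."""
    lines = [to_asa(r, acl) for r in rules]
    lines.append(f"access-list {acl} extended deny ip any any log")
    return lines


def match(rules, src: str, dst: str, proto: str, port: int) -> Rule | None:
    """Return the rule that permits this flow, or None if no statement covers it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.src == s and d in r.dst and r.proto == proto and r.port == port:
            return r
    return None


# Constructed flow records (src, dst, proto, dport), as one might export from
# firewall connection logs. Two of them are outside the policy on purpose.
SAMPLE_FLOWS = [
    ("10.10.5.11", "17.188.10.5", "tcp", 2197),     # CUCM pub -> APNs
    ("10.10.5.12", "198.51.100.40", "tcp", 443),    # CUCM sub -> Cisco cloud
    ("10.10.5.21", "203.0.113.5", "tcp", 443),      # IMP -> unknown host: violation
    ("10.10.5.11", "17.188.10.5", "tcp", 80),       # APNs prefix, wrong port: violation
]


def audit(rules, flows) -> list[tuple]:
    """Flows no permit statement covers; what a wide-open PAT would have let out."""
    return [f for f in flows if match(rules, *f) is None]


if __name__ == "__main__":
    rules = build_rules(COLLAB_SERVERS, DESTINATIONS)
    print(f"{len(rules)} permit statements for {len(COLLAB_SERVERS)} servers")
    for line in render_acl(rules):
        print(line)
    for flow in audit(rules, SAMPLE_FLOWS):
        print("not covered by policy:", flow)
```

Keeping the destination table in one place and regenerating the ACL is what makes the granular option manageable: when Cisco or Apple publish a new prefix, the table changes and the statements are re-rendered, rather than being edited one xlate at a time. Running the audit over the flows seen during a trial period with the open PAT in place also answers the question the thread leaves open, namely whether the servers actually reach anything outside the documented prefixes.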