<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.xmsochpdefault, li.xmsochpdefault, div.xmsochpdefault
{mso-style-name:x_msochpdefault;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
span.xmsohyperlink
{mso-style-name:x_msohyperlink;
color:blue;
text-decoration:underline;}
span.xmsohyperlinkfollowed
{mso-style-name:x_msohyperlinkfollowed;
color:purple;
text-decoration:underline;}
span.xemailstyle17
{mso-style-name:x_emailstyle17;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So just out of curiosity, how insane would I be considered to try and mix usage on the appliance, making it a proxy, gateway, etc at the same time? It looks
like the house of cards gets pretty hairy to try and combine these roles, so given the cost of a new chassis I assume most people wouldn’t go down that route.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Adam<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Josh Warcop [mailto:josh@warcop.com]
<br>
<b>Sent:</b> Monday, December 01, 2014 9:52 PM<br>
<b>To:</b> NateCCIE; 'Brian Meade'; 'Pawlowski, Adam'<br>
<b>Cc:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> RE: [cisco-voip] Expressway - 3rd Party Border Recommendation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">TAC opened 3 bugs on my behalf related to CUBE line-side SIP proxy. Not including the documentation bugs that were opened. CUBE in that fashion has a few specific use cases
and in my simple use case of replacing ASA phone-proxy it didn't hold up. Expressway is your go to solution for Jabber and TC endpoints and soon DX series.
<br>
<br>
Not saying CUBE proxy is terrible, but I would tread carefully down that path and do plenty of testing.<br>
<br>
Sent from my Windows Phone<o:p></o:p></span></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:
</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:nateccie@gmail.com">NateCCIE</a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sent: </span>
</b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">12/1/2014 7:58 PM</span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">To: </span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:bmeade90@vt.edu">'Brian Meade'</a>;
<a href="mailto:ajp26@buffalo.edu">'Pawlowski, Adam'</a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Cc: </span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Subject: </span>
</b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Re: [cisco-voip] Expressway - 3rd Party Border Recommendation</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Expressway is the first thought, then CUBE Lineside proxy would be where to go for 3<sup>rd</sup> party.</span><o:p></o:p></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="https://ciscocollab.wordpress.com/2014/04/08/cube-sip-lineside-phone-vpn-configuration/">https://ciscocollab.wordpress.com/2014/04/08/cube-sip-lineside-phone-vpn-configuration/</a></span><o:p></o:p></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Brian Meade<br>
<b>Sent:</b> Monday, December 1, 2014 11:51 AM<br>
<b>To:</b> Pawlowski, Adam<br>
<b>Cc:</b> <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> Re: [cisco-voip] Expressway - 3rd Party Border Recommendation</span><o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<div>
<p class="xmsonormal">I've done this before with a large Avaya setup. We had all of the UC stuff in a separate VRF and all soft clients had to come through an SBC for registration. We demoed Sipera and Acme. Sipera got the job done cheaper, but Acme scaled
much better for us. I think CUCM supports Acme SBCs as well as an alternative to CUBE.<o:p></o:p></p>
<div>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal">Brian<o:p></o:p></p>
</div>
</div>
<div>
<p class="xmsonormal"> <o:p></o:p></p>
<div>
<p class="xmsonormal">On Mon, Dec 1, 2014 at 1:23 PM, Pawlowski, Adam <<a href="mailto:ajp26@buffalo.edu" target="_blank">ajp26@buffalo.edu</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="xmsonormal">Afternoon all,<br>
<br>
Trying to get some opinion on how (if) you would put up a perimeter to your UCM clusters to bring in 3rd party clients, softphones, etc, that are SIP based and reside outside of your secured LAN? Most of our desktops are on public addresses, not behind
any particular hardware firewall, just software on the host. I'm concerned that the host could be compromised, or as seen with some soft clients, they just get harassed by driveby SIP/H.323 scans and calls.<br>
<br>
I haven't seen any great justification for trying to fence/proxy connectivity to the UCM for Jabber, X-Lite, etc, to the cluster, but general security practice is saying that if you can make it more secure, it is at least worth looking into.<br>
<br>
I've looked at trying to set the UBE up for proxy/passthrough registrar, and this seems tedious because it doesn't proxy auth and requires dial-peer configuration (making dual usage as a gateway cumbersome). I have heard "use expressway" a few times
but have no idea how that would work for 3rd party SIP devices. Other than that, I spent a bit of time looking at stuff from Edgewater, OpenSIPS, etc, but it is not clear to me if any of these products are worth the trouble, and what the Cisco recommended
way to go about this is.<br>
<br>
Anyone have any experience or thought in this area? Is this a bad idea? Anything to say about trying to secure potentially 'untrusted' connectivity on a larger scale?<br>
<br>
Regards,<br>
<br>
Adam Pawlowski<br>
SUNYAB<br>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
</blockquote>
</div>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>