<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: verdana,helvetica,sans-serif; font-size: 10pt; color: #000000'><br>Thanks Brian.<div><br></div><div>Right now, it's going to be for on-campus users only. We are re-evaluating our NAC solution, so for now, it's going to be limited to a few hard coded subnets that we will be "trusting" (eeeeeeek). I'm hoping that our NAC solution will have some sort of way to ensure that only certain groups of users will be allowed through, but that's for another day.</div><div><br></div><div>What do you mean by Collab Edge architecture though? Do you mean ExpressWay C/E? If so, yes, we're going to be looking at that as well as part of the phased approach. Although without a split DNS deployment, we might have some issues. :(</div><div><br></div><div>I'm hoping that through some ingenious configuration, we might actually be able to use the EW on-campus for some devices that are can't negotiate voice VLANs properly. </div><div><br></div><div>Do you see IPCommunicator living a long life? Or has it seen the last of days?</div><div><br></div><div><br></div><div><br></div><div><br><div><span name="x"></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst, Network Infrastructure<br>Computing and Communications Services (CCS)<br>University of Guelph<br><br>519‐824‐4120 Ext 56354<br>lelio@uoguelph.ca<br>www.uoguelph.ca/ccs<br>Room 037, Animal Science and Nutrition Building<br>Guelph, Ontario, N1G 2W1<span name="x"></span><br></div><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Brian Meade" <bmeade90@vt.edu><br><b>To: </b>"Lelio Fulgenzi" <lelio@uoguelph.ca><br><b>Cc: </b>"cisco-voip voyp list" <cisco-voip@puck.nether.net><br><b>Sent: </b>Thursday, May 14, 2015 2:47:20 PM<br><b>Subject: </b>Re: [cisco-voip] setting up firewall security for jabber and/of IP Communicator<br><br><div dir="ltr">No multi-line support or extension mobility on Jabber which means most people can't use it for UCCX yet. You can use it as long as you don't need EM or multiple lines for your agents.<div><br></div><div>Are you opening it up for people connecting remotely without VPN? If so, you'll want to use a Collab Edge architecture as it's not safe to open up CUCM/IM&P directly.</div><div><br></div><div>If it's just for internal users, you should be good to go with the ACLs.</div><div><br></div><div>You shouldn't need to worry about any multicast for Jabber/CIPC outside of MMOH which you mentioned.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 14, 2015 at 2:30 PM, Lelio Fulgenzi <span dir="ltr"><<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:verdana,helvetica,sans-serif;font-size:10pt;color:#000000"><div style="color:rgb(0,0,0);font-family:verdana,helvetica,sans-serif;font-size:10pt"><br></div><div style="color:rgb(0,0,0);font-family:verdana,helvetica,sans-serif;font-size:10pt"><span style="font-size:13.3333330154419px">I'm about to set up firewall security so Jabber clients (and IP Communicator) can access the telephony servers (CUCM, Connection, IM&P, UCCx, etc) and I was</span> hoping to get some ideas as to what others have done and if I'm missing anything obvious here. <span style="font-size:10pt">I'm using the CUCM/IM&P port list as well as the Jabber deployment guide to get the Jabber port list. For the firewall, we </span><span style="font-size:10pt">are using an ASA appliance pair, v 9.1(3).</span></div><div style="color:rgb(0,0,0);font-family:verdana,helvetica,sans-serif;font-size:10pt"><span style="font-size:10pt"><br></span></div><div style="color:rgb(0,0,0);font-family:verdana,helvetica,sans-serif;font-size:10pt"><span style="font-size:10pt">Typically we build the ACL statements with the source address object group coupled with destination address object group and the destination port object group. I don't think there is a need to build the ACL with a source port object group at this time.</span></div><div style="color:rgb(0,0,0);font-family:verdana,helvetica,sans-serif;font-size:10pt"><span style="font-size:10pt"><br></span></div><div><font face="verdana, helvetica, sans-serif"><span style="font-size:10pt">I've also been told that we might have some multicast limitations with the firewall, </span><span style="font-size:13.3333330154419px">basically</span><span style="font-size:10pt">, multicast traffic can't pass through our firewall.</span></font></div><div><font face="verdana, helvetica, sans-serif"><span style="font-size:10pt"><br></span></font></div><div><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px">Any comments would be helpful. But I'm wondering, specifically:</span></font></div><div><ul><li><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px">Are people deploying IP Communicator still? For all the benefits of Jabber, I don't see it as a replacement for a softphone with access to all the buttons and apps that are available, like services, directories, conference/join, etc. Does UCCx work with Jabber for example?</span></font></li><li><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px">What have others done for firewall ACL building? Is there a firewall feature set I'm not aware of that will simplify my life?</span></font></li><li><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px">Are there any multicast requirements when deploying Jabber and IPCommunicator? Aside from MoH?</span></font></li></ul><div><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px">Thanks in advance for any help!</span></font></div></div><div><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px"><br></span></font></div><div><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px">Lelio</span></font></div><div><font face="verdana, helvetica, sans-serif"><span style="font-size:13.3333330154419px"><br></span></font></div><br><br><div style="color:rgb(0,0,0);font-family:verdana,helvetica,sans-serif;font-size:10pt"><span></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst, Network Infrastructure<br>Computing and Communications Services (CCS)<br>University of Guelph<br><br><a href="tel:519%E2%80%90824%E2%80%904120%20Ext%2056354" target="_blank">519‐824‐4120 Ext 56354</a><br><a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a><br><a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><br>Room 037, Animal Science and Nutrition Building<br>Guelph, Ontario, N1G 2W1<span></span><br></div><br></div></div><br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></div>
</div><br></div></div></body></html>