<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">No snipe intended! Just been a rough day here.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Normally I wouldn’t get too far into details but, I feel like there are other customers out there who would have a similar network design with an in and an out,
and it maybe be simpler to deploy this way, given the considerations.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">And as always, I like to post and see what I can learn, especially from superstars such as yourself
</span><span style="font-size:11.0pt;font-family:Wingdings;color:#1F497D">J</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Adam Pawlowski<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">SUNYAB NCS<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Huff <ryanhuff@outlook.com>
<br>
<b>Sent:</b> Tuesday, April 30, 2019 12:09 PM<br>
<b>To:</b> Pawlowski, Adam <ajp26@buffalo.edu><br>
<b>Cc:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] Expressway E Firewall Rule Activation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Adam,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">I certainly didn't mean to imply the, "Expressway Edge on a Stick" method doesn't work, though out of pure technical curiosity, I would be curious as to what exists in your environment
that would make a " single NIC" Expressway Edge deployment more preferred than "dual NICs" (not that I expect you would or could say). I can think of very few reasons that a single NIC edge would be more ideal than a dual NIC edge (outside of the infosec team
just not wanting to screw with the firewall, or production not being able to sustain a maintenance window); its easier to troubleshoot, easier to install, easier to support and easier to secure.<br>
<br>
Though, I suspect I'm, "preaching to the choir", lol </span><span style="font-family:"Segoe UI Symbol",sans-serif;color:black">😉</span><span style="font-family:"Calibri",sans-serif;color:black">. All good my friend.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Ryan<o:p></o:p></span></p>
</div>
<div id="Signature">
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Pawlowski, Adam <</span><a href="mailto:ajp26@buffalo.edu"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">ajp26@buffalo.edu</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Sent:</b> Tuesday, April 30, 2019 11:36 AM<br>
<b>To:</b> 'Ryan Huff'<br>
<b>Cc:</b> </span><a href="mailto:cisco-voip@puck.nether.net"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">cisco-voip@puck.nether.net</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><br>
<b>Subject:</b> RE: [cisco-voip] Expressway E Firewall Rule Activation</span> <o:p>
</o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Ryan,</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The “tl;dr” is that we were sort of given the recommendation by Cisco to just run it with the single interface given our environment and requirements, and hasn’t
given us any trouble that I can recall.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Long story is …
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><br>
Our environment ends up being the driver for a lot of this, as it is sort of a historic design from the early internet, with just about everything on public address space, and various services and networks secured behind firewalls as needed from internal and
external alike. </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In the dual interface design, the outside interface sits in a “DMZ” with a firewall, which we don’t have available explicitly. There is a border firewall but
that isn’t really its function. The inside leg has to sit somewhere as well, which is a place that doesn’t exist.
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><br>
We did have a competitor’s border proxy become compromised in the past due to a software update and this model where the inside wasn’t properly secured, and given our current VMware topology, creating another zone to hairpin traffic around to separate that
inside interface wasn’t in the cards. Not to mention the annoyance of trying to set up split routes on this device to allow some traffic to go in, some to go out, in an environment that is MRA only.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If you trust the E enough never to be a bad actor, then you could put that interface in the same zone as your other collaboration appliances, like the Expressway
C, but, we didn’t want to do that either really.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Given that, we did have a call with Cisco to discuss this, and with representation from the Expressway group they recommended that we stick with the single interface
design. That was based on the public addressing (so we could avoid NAT reflection) and that despite the pipe dream of everyone wanting HD video calling and mobile client access, we didn’t see that we’d be pushing that much traffic.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">As it is, the E clusters sit in a collaboration DMZ, where they are independent from any of our other appliances and treated like any other host on our network.
Our application firewalls do not allow anything in from the Expressway E since the C tunnels to it, so really the only thing lacking from a security standpoint there could be containment of that host, but, we chose to guard from it instead.
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Since we installed it back on X8.8 or whatever, I’d noted that rebooting the appliance does not reapply the internal rules, which can easily be forgotten, and
would need to be remembered if you run a VMWare HA policy that restarts the guest.
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">That all being said the worst that we have seen are various SSH attempts (on any port, the zone tunnel, administrative SSH, doesn’t matter) until the rules are
put back up. We could tighten them on the border once that becomes available to do so.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The B2BUA is invoked on calls within the appliances sometimes which can cause some confusion with attempting to read logging if need be, but it hasn’t otherwise
caused us any trouble.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Adam</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Huff <</span><a href="mailto:ryanhuff@outlook.com"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">ryanhuff@outlook.com</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">>
<br>
<b>Sent:</b> Tuesday, April 30, 2019 10:13 AM<br>
<b>To:</b> Pawlowski, Adam <</span><a href="mailto:ajp26@buffalo.edu"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">ajp26@buffalo.edu</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">><br>
<b>Cc:</b> </span><a href="mailto:cisco-voip@puck.nether.net"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">cisco-voip@puck.nether.net</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
<b>Subject:</b> Re: [cisco-voip] Expressway E Firewall Rule Activation<o:p></o:p></span></p>
</div>
</div>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p class="xmsonormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">That seems odd and not been my experience. Let me ask; why are you using the application firewall rather than the actual firewall (another reason
all our edge’s should be using dual interfaces with LAN1 and LAN2 in their own separate security zones)? Is there a reason you have to, in other words?<o:p></o:p></span></p>
<div>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Ryan<o:p></o:p></span></p>
</div>
<div>
<p class="xmsonormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br>
On Apr 30, 2019, at 08:49, Pawlowski, Adam <</span><a href="mailto:ajp26@buffalo.edu"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">ajp26@buffalo.edu</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Figured I’d also ask this question<o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I note that it seems like any time I reboot an Expressway E, I have to go and re-activate all the firewall rules. They don’t seem to activate automatically.
<o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Is there something I missed or is this really what’s necessary?<o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Adam<o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal">_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpuck.nether.net%2Fmailman%2Flistinfo%2Fcisco-voip&data=02%7C01%7C%7C53c6d0eb53664c52fa1f08d6cd818e07%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636922353647552666&sdata=1IXxZp8QQ0FzhW3GAGY%2F1k2nnUSYA3QlKHlEABhE5PY%3D&reserved=0">https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpuck.nether.net%2Fmailman%2Flistinfo%2Fcisco-voip&data=02%7C01%7C%7C3fcc9eb351fe41b70dfc08d6cd6a4a65%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636922253726465693&sdata=72kYzwChhoFD14H6a6mRTn4TdHUcMDcFWrMSXpRo%2Btw%3D&reserved=0</a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
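<p class="MsoNormal">A defender-side check prompted by the observation in the thread that the edge's internal firewall rules are not reapplied after a reboot. This is an added illustration, not code from the thread, from Cisco, or from any participant. It probes the appliance from an outside vantage point and compares which TCP ports answer against an expected policy, so a restart (including one triggered by a hypervisor HA policy) that leaves a management port such as SSH reachable is reported as drift instead of being noticed later from login attempts. The hostname, the port list and the open/closed expectations are assumptions for illustration; the probe function is injectable so the comparison logic can be exercised without a network.</p>

```python
"""Post-reboot firewall posture check for an internet-facing edge appliance.

Added example (not from the mailing-list thread or any vendor document).
The host, ports and expectations below are constructed for illustration.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ExpectedPort:
    port: int
    should_be_open: bool  # True: service port must answer; False: must be filtered
    note: str


# Assumed policy for illustration only: service ports are expected to answer
# from the outside, management and unused ports are expected to be filtered.
EXAMPLE_POLICY: List[ExpectedPort] = [
    ExpectedPort(443, True, "HTTPS service port (assumed)"),
    ExpectedPort(5061, True, "SIP TLS service port (assumed)"),
    ExpectedPort(22, False, "administrative SSH, must be filtered externally"),
    ExpectedPort(8080, False, "unused, must be filtered"),
]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unresolvable all count as "not reachable".
        return False


def check_posture(host: str, policy: List[ExpectedPort],
                  probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, List[str]]:
    """Probe every port in the policy and classify the result as 'ok' or 'drift'.

    'drift' collects ports whose observed state contradicts the policy, which is
    exactly the condition left behind when rules are not reapplied after a reboot.
    """
    findings: Dict[str, List[str]] = {"ok": [], "drift": []}
    for rule in policy:
        observed_open = probe(host, rule.port)
        observed = "open" if observed_open else "closed"
        expected = "open" if rule.should_be_open else "closed"
        if observed_open == rule.should_be_open:
            findings["ok"].append(f"tcp/{rule.port} {observed} as expected ({rule.note})")
        else:
            findings["drift"].append(
                f"tcp/{rule.port} is {observed} but policy says {expected} ({rule.note})")
    return findings


def posture_ok(findings: Dict[str, List[str]]) -> bool:
    """True when no port deviates from the expected policy."""
    return not findings["drift"]


if __name__ == "__main__":
    # Placeholder hostname; pass the real edge's public name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "expressway-e.example.invalid"
    result = check_posture(target, EXAMPLE_POLICY)
    for line in result["ok"]:
        print("OK    ", line)
    for line in result["drift"]:
        print("DRIFT ", line)
    # Non-zero exit lets a scheduler or HA post-start hook raise an alert.
    sys.exit(0 if posture_ok(result) else 1)
```

<p class="MsoNormal">Run it from a host outside the edge's security zone right after any restart; a non-zero exit means at least one port is in the wrong state. The same policy list can be reused as the expected-state reference when the rules are later moved to the border firewall.</p>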
</body>
</html>