Suppose a customer has a security policy to never expose an internal server directly to the internet and require all traffic to pass through a device/proxy/.... in the DMZ. How would this translate to CUPS/Jabber with XMPP federation?
The design guides only suggest NAT'ing the CUPS server XMPP port to the Internet. This violates the customer's policy. I personally think the customer follows good security practice with his policy.
Are there any design guides out there for this? I found a list of ports that the presence server uses:
That list should help, however I would prefer to see someone that has gotten this to work by possibly installing a CUP server in the DMZ and another CUP server in the Internal network so the DMZ server acts as a gateway/router... However, if it needs the same internal access to the Active Directory server, CUCM server, clients, it wouldn't seem to gain very much.
Has anyone been able to manage a federation with external companies / offers?
What about the DMZ question?
The guides in this part are not very clear.
And it somehow seems in opposition with other guidelines in security topics.
I managed to get the federation working, but not via a DMZ. Static NAT translations on the outside firewall to the Presence server(s).
Rumors exist that state the next or a next Expressway solution will solve this in the future. Currently nothing can be done, unfortunately.