Call manager Cluster split with Firewall between servers

sdrennan
Level 1

I have a large deployment with a Call Manager cluster split over two Data Centres. We however require firewalls (FWSM) to protect the servers, which means the servers will be separated from each other by a firewall. I know this was not supported in older versions; however, the new SRND does not mention it, and I will be using CM 4.1.

Does anybody know if this is supported, and the port numbers that need to be allowed?

4 Replies

wanman007
Level 1

We are currently using a 3.3(3) CM Cluster that is spread over three locations. Each site is connected by a 100MB MAN terminating on CAT 6509's. We are a financial institution that requires FWs seemingly everywhere as well. The solution that we used was to create an IPSec tunnel between the sites. The Call Managers and associated Application Servers are the only devices on the "CM Admin Subnets"; everything else (phones, gateways, etc.) is on separate VLANs outside of the IPSec tunnel. This has worked great for us because it gives a great layer of security while allowing all traffic between the CMs to be uninhibited. The only issue we have had since installing the CM Cluster was a key problem that brought down the tunnel. Hope this helps...

thisisshanky
Level 11

This will probably be a nightmare identifying all the ports. Probably a VPN between the two centers will make life easy...

Considering that phones may fail over to either of the servers, I can think of the following ports to open up:

a. TFTP (udp 69)

b. Bootp or DHCP (mostly this is not needed if DHCP can be kept local)

c. MGCP ports UDP and TCP - 2427 and 2428, and TCP 1720 if using H.323.

d. SCCP for phones - TCP 2000

e. RTP - UDP 16384 to 32768

f. Secure SCCP (CM 4.0) - 2443

g. Attendant console - TCP port 1073 and 1099 through 1129

h. TAPI/JTAPI - TCP 2748

i. ICMP pings

j. XML/HTML access (port 80)

k. SQL replication ports (there are a bunch of these, I can't remember all of them)

l. Terminal services to reach the box - TCP 3389 or TCP 5900 - 5999 if using VNC.

There could be a lot of other ports that might need to be opened; usually using a sniffer to identify these ports will help!

Sankar.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

john.nield
Level 1

This will currently not work reliably, unless you use the VPN approach. I would speak to your Cisco SE as there are some developments in this area.

Identifying the ports is a nightmare!! There are no reliable documents that accurately state the ports used between CCMs. Reverse engineering of ports using a sniffer or Netstat will take a long time, as I have observed new ports being opened weeks after the CCMs boot up.
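An added check, not from any post in this thread, that ties Sankar's port list to John's netstat approach: it parses Windows `netstat -an` output from a CallManager node and flags established sessions to the other data centre's CM subnet whose service port is not in that allow-list, which is how a firewall rule gap (or a port that only appears weeks later) would show up. The netstat text, node addresses and subnets are constructed; the SQL replication ports the post leaves unnamed are deliberately absent from the allow-list, so the constructed SQL session surfaces as a finding.

```python
import ipaddress
import re

# Allow-list from the port list in the thread, as (proto, low, high).
# The SQL replication ports the post leaves unnamed are deliberately absent.
EXPECTED = [
    ("tcp", 80, 80), ("tcp", 1073, 1073), ("tcp", 1099, 1129), ("tcp", 1720, 1720),
    ("tcp", 2000, 2000), ("tcp", 2427, 2428), ("tcp", 2443, 2443), ("tcp", 2748, 2748),
    ("tcp", 3389, 3389), ("tcp", 5900, 5999),
    ("udp", 69, 69), ("udp", 2427, 2428), ("udp", 16384, 32768),
]
# Constructed sample of Windows `netstat -an` on CM node 10.1.1.10; the peer CM
# 10.2.1.20 sits in the other data centre, 192.168.5.5 is an unrelated host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.10:2000         0.0.0.0:0              LISTENING
  TCP    10.1.1.10:1433         0.0.0.0:0              LISTENING
  TCP    10.1.1.10:2000         10.2.1.20:3344         ESTABLISHED
  TCP    10.1.1.10:1433         10.2.1.20:3388         ESTABLISHED
  TCP    10.1.1.10:3501         10.2.1.20:2748         ESTABLISHED
  TCP    10.1.1.10:3502         192.168.5.5:80         ESTABLISHED
  UDP    10.1.1.10:69           *:*
"""
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s*(\S*)")

def is_expected(proto, port):
    return any(p == proto and lo <= port <= hi for p, lo, hi in EXPECTED)

def unexpected_ports(netstat_text, local_net, remote_net):
    """{(proto, service_port): peer_ip} for established local_net->remote_net sessions not allow-listed."""
    local_net, remote_net = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    listening, sessions = set(), []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP "*:*" rows and IPv6 rows are skipped
        proto, laddr, lport, faddr, fport, state = m.groups()
        if state == "LISTENING":
            listening.add(int(lport))
        elif state == "ESTABLISHED":
            sessions.append((proto.lower(), laddr, int(lport), faddr, int(fport)))
    found = {}
    for proto, laddr, lport, faddr, fport in sessions:
        if ipaddress.ip_address(laddr) not in local_net or ipaddress.ip_address(faddr) not in remote_net:
            continue  # only sessions between the two CM subnets matter
        svc = lport if lport in listening else fport  # our port if we listen on it, else the peer's
        if not is_expected(proto, svc):
            found[(proto, svc)] = faddr
    return found

print(unexpected_ports(SAMPLE_NETSTAT, "10.1.1.0/24", "10.2.1.0/24"))  # {('tcp', 1433): '10.2.1.20'}
```

Run it against real `netstat -an` captures from each node over several weeks and feed every finding back into the firewall rule set or the port list; a result that keeps growing is the symptom John describes.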
