01-21-2005 08:29 AM - edited 03-13-2019 07:44 AM
I have a large deployment with a CallManager cluster split over two data centres. We do, however, require firewalls (FWSM) to protect the servers, which means the servers will be separated from each other by a firewall. I know this was not supported in older versions; however, the new SRNDs do not mention it, and I will be using CM 4.1.
Does anybody know if this is supported, and which port numbers need to be allowed?
01-21-2005 09:48 AM
We are currently using a 3.3(3) CM cluster that is spread over three locations. Each site is connected by a 100MB MAN terminating on Catalyst 6509s. We are a financial institution that requires firewalls seemingly everywhere as well. The solution that we used was to create an IPsec tunnel between the sites. The CallManagers and associated application servers are the only devices on the "CM Admin Subnets"; everything else (phones, gateways, etc.) is on separate VLANs outside of the IPsec tunnel. This has worked great for us because it gives a great layer of security while allowing all traffic between the CMs to be uninhibited. The only issue we have had since installing the CM cluster was a key problem that brought down the tunnel. Hope this helps...
01-21-2005 11:48 AM
Identifying all the ports will probably be a nightmare. A VPN between the two centres will probably make life easy...
Considering that phones may fail over to either of the servers, I can think of the following ports to open up:
a. TFTP (udp 69)
b. BOOTP or DHCP (mostly this is not needed if DHCP can be kept local)
c. MGCP ports, UDP and TCP 2427 and 2428, and TCP 1720 if using H.323.
d. SCCP for phones - TCP 2000
e. RTP - UDP 16384 to 32768
f. Secure SCCP (CM 4.0) - 2443
g. Attendant console - TCP port 1073 and 1099 through 1129
h. TAPI/JTAPI - TCP 2748
i. ICMP pings
j. XML/HTML access (port 80)
k. SQL replication ports (there are a bunch of these; I can't remember all of them)
l. Terminal Services to reach the box - TCP 3389, or TCP 5900 - 5999 if using VNC.
There could be a lot of other ports that might need to be opened; usually, using a sniffer to identify these ports will help!
Sankar.
01-21-2005 07:08 PM
This will currently not work reliably unless you use the VPN approach. I would speak to your Cisco SE, as there are some developments in this area.
Identifying the ports is a nightmare!! There are no reliable documents that accurately state the ports used between CCMs. Reverse engineering of ports using a sniffer or netstat will take a long time, as I have observed new ports being opened weeks after the CCMs boot up.
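The netstat-based reverse engineering suggested in the two replies above, as an added example that is not part of this thread (my own script, not Cisco's and not the posters'): it parses Windows `netstat -an` output from one CallManager node, picks out the server-side ports of established TCP sessions with the nodes in the other data centre, flags any port that the list posted earlier in the thread does not cover, and renders the result as FWSM/ASA-style `access-list` lines. The netstat sample, the addresses (10.1.1.10 as the local node, 10.2.1.0/24 as the peer subnet, 10.1.5.21 as a phone) and the port 8500 session are constructed placeholders, not captured CallManager traffic; the `access-list ... extended permit` syntax is assumed and should be checked against the FWSM release in use. Note that netstat cannot show UDP peers, so UDP ports still have to be confirmed with a sniffer.

```python
"""Derive a candidate intra-cluster firewall allow-list from a CallManager node's netstat."""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample of `netstat -an` from a Windows-based CM node (placeholder data).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2748           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.1.1.10:2000         10.1.5.21:49212        ESTABLISHED
  TCP    10.1.1.10:1433         10.2.1.10:3245         ESTABLISHED
  TCP    10.1.1.10:4321         10.2.1.10:8500         ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:2427           *:*
"""

# Ports named in the reply above, as (proto, first, last); used only to spot what it misses.
POSTED_PORTS = {
    ("udp", 69, 69), ("udp", 2427, 2428), ("tcp", 2427, 2428), ("tcp", 1720, 1720),
    ("tcp", 2000, 2000), ("udp", 16384, 32768), ("tcp", 2443, 2443),
    ("tcp", 1073, 1073), ("tcp", 1099, 1129), ("tcp", 2748, 2748), ("tcp", 80, 80),
    ("tcp", 3389, 3389), ("tcp", 5900, 5999),
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Parse netstat lines into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          int(rport) if rport.isdigit() else None, state))
    return conns


def listening_ports(conns):
    """Ports this node serves: TCP sockets in LISTENING, every bound UDP socket."""
    ports = set()
    for c in conns:
        if c.proto == "TCP" and c.state == "LISTENING":
            ports.add(("tcp", c.local_port))
        elif c.proto == "UDP":
            ports.add(("udp", c.local_port))
    return ports


def intracluster_server_ports(conns, peer_subnet):
    """Server-side port of each established TCP session with a peer-subnet host.

    If our local port is one we listen on, we are the server and the firewall must
    permit that port inbound; otherwise the peer is the server and its port is the
    one to permit outbound. Ephemeral client ports never appear in the result.
    """
    net = ipaddress.ip_network(peer_subnet)
    listen = listening_ports(conns)
    needed = set()
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        try:
            if ipaddress.ip_address(c.remote_ip) not in net:
                continue
        except ValueError:
            continue
        if ("tcp", c.local_port) in listen:
            needed.add(("tcp", c.local_port, "inbound"))
        else:
            needed.add(("tcp", c.remote_port, "outbound"))
    return needed


def unlisted_ports(observed):
    """(proto, port) pairs that no entry of POSTED_PORTS covers."""
    return {(p, port) for p, port in observed
            if not any(p == q and lo <= port <= hi for q, lo, hi in POSTED_PORTS)}


def fwsm_acl(name, peer_subnet, local_host, needed):
    """Render FWSM/ASA-style access-list lines (assumed syntax, verify on your release)."""
    net = ipaddress.ip_network(peer_subnet)
    peer = f"{net.network_address} {net.netmask}"
    lines = []
    for proto, port, direction in sorted(needed):
        src, dst = (peer, f"host {local_host}") if direction == "inbound" else (f"host {local_host}", peer)
        lines.append(f"access-list {name} extended permit {proto} {src} {dst} eq {port}")
    return lines


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    needed = intracluster_server_ports(conns, "10.2.1.0/24")
    print("Not in the posted list:", sorted(unlisted_ports({(p, port) for p, port, _ in needed})))
    print("\n".join(fwsm_acl("DC2_TO_DC1", "10.2.1.0/24", "10.1.1.10", needed)))
```

On the constructed sample the script reports TCP 1433 (the SQL Server default port, which the posted list only covers as "SQL replication ports") and the placeholder port 8500 as uncovered, and emits one inbound and one outbound access-list line; run it repeatedly over weeks, as the reply above warns, because sessions that appear later will add entries.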
01-24-2005 01:06 PM