06-30-2022 08:55 AM
We have two distinct companies that occupy different FW segmented networks. We have a single UCM cluster with a single HA IMP cluster. Company A and B are different financial entities so network segmentation is very important. Up until this point Company B only had desk phones so media traffic traversed a dedicated Voice VLAN, keeping my security team quiet about open media ports over the FW. Company B now is requesting use of Jabber SW phones. This will require the media ports to be opened, across the FW, between the data networks of the two companies. I'm currently combing through the collab architecture guide, SRND and some FW options to better manage this media traversal between the two data networks (besides just stating "open UDP 16384–32766 ports on the FW").
The two companies occupy two separate domains, both tied to the same IMP cluster. Has anyone ever had experience with this? I'm not very familiar with FW settings but I've had bad experiences (way in the past) with SIP ALG/Fix up solutions but I don't honestly know enough to confirm if those settings could help this. I can't see a way to federate traffic with a single IMP cluster and I don't believe multiple IMP clusters are supported on a single UCM cluster. My preference would be to use an Eway to push traffic between the two companies' networks but again, not seeing that possible with a single cluster, thus single SRV records.
My guess is, to avoid just opening ports between the two networks, is a fully new UCM/IMP cluster. Not my preferred solution just for media port control.
06-30-2022 03:06 PM
Hi @leonardjam1,
I'm not as familiar with the IM&P server, but I'm assuming you've already accounted for the multiple domain logon considerations I found outlined here. I'm more familiar with Expressway and I hope this is helpful.
You can publish SRV records for two domains and point them to the same Expressway pair/cluster. In the Expressway-C, you configure the allowed domains and services for each domain. When the user is authenticated against CUCM, the user's UC service profile will direct them to the single CUCM and IM&P server you already have in your environment.
You would need to stop publishing UDS records internally (see the section Dual Domain without Split DNS) and register the collab_edge SRV records both internally and externally (unless you do not want to allow external access), forcing the registration to use the collab_edge SRV records and hence route registration and media over the Expressway that sits in its own DMZ. This would isolate softphone traffic on the data networks to communication with Expressway only. A ton of UDP ports still need to be opened, but you can then narrow the scope to the Expressways and the DMZ they are in.
Also note that it is advised (and I've found necessary in three separate organizations) to disable SIP Inspection/ALG on the context for the firewalls handling Expressway traffic, else you end up having issues with call setup/signaling/state changes.
06-30-2022 03:10 PM
Since I'm a bit long in the deployment tooth, mentioning @Jaime Valencia to see if he might take a peek to validate my thoughts or add any further advice.
07-01-2022 06:36 AM
Hi Stephanie,
Thank you, interesting, just do all registrations/functionality (for company B) over the Eways. That's helpful, thanks. I'll spend a few minutes considering if there are drawbacks. I may be in a small bind as company B wanted to continue having screen share/file sharing between Jabber users on their network. We currently have that disabled from company A to company B by blocking those specific ports between the two companies over the FW. I'll have to see if there's a creative way to keep that working within the one company but block between the two. Much appreciated.
07-01-2022 07:54 AM
Just a short follow up. My security leapt at the idea of all traffic going over the expressways (and leaving the FWs locked down between the networks). Because company B has its own dedicated DNS and its own domain, it should be easy to push all through the Eways. Thanks again for the help.
09-15-2022 06:59 AM
A final follow up for anyone who's in a similar boat. Using the Eways to force all traffic off the one business network may have worked, but a contractor offered a much simpler solution (after we built/configured the Eways). We're just setting the Jabber softphones on Company B to require an MTP. Since we have no issues opening ports to the UC server network, all RTP will traverse back in there and not directly across the data networks between the two companies.
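Both outcomes in this thread (media scoped to the Expressway DMZ, or anchored to the UC server network via MTP) come down to the same firewall invariant: the UDP media range must never be permitted directly between the two companies' data networks. The audit below is an added example, not anything from the original posts; all subnets and rules are constructed, and it treats each permit rule independently (it does not model first-match ordering).

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets: the thread names no addresses, these are placeholders.
COMPANY_A_DATA = ipaddress.ip_network("10.10.0.0/16")
COMPANY_B_DATA = ipaddress.ip_network("10.20.0.0/16")
EXPRESSWAY_DMZ = ipaddress.ip_network("192.0.2.0/24")
UC_SERVERS = ipaddress.ip_network("10.0.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Jabber/UCM media range as quoted in the thread (UDP 16384-32766).
MEDIA_LO, MEDIA_HI = 16384, 32766


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str      # "udp" or "tcp"
    port_lo: int
    port_hi: int
    action: str     # "permit" or "deny"


def touches_media_range(rule: Rule) -> bool:
    """True if the rule's UDP port span overlaps the RTP media range."""
    return rule.proto == "udp" and rule.port_lo <= MEDIA_HI and rule.port_hi >= MEDIA_LO


def crosses_companies(rule: Rule) -> bool:
    """True if the rule could carry traffic directly between A's and B's data networks."""
    a_to_b = rule.src.overlaps(COMPANY_A_DATA) and rule.dst.overlaps(COMPANY_B_DATA)
    b_to_a = rule.src.overlaps(COMPANY_B_DATA) and rule.dst.overlaps(COMPANY_A_DATA)
    return a_to_b or b_to_a


def audit(rules: list[Rule]) -> list[int]:
    """Indices of permit rules that open RTP media directly between the two data networks."""
    return [i for i, r in enumerate(rules)
            if r.action == "permit" and touches_media_range(r) and crosses_companies(r)]


# Constructed rule set: the first two are the DMZ-scoped and MTP-anchored designs from the
# thread; the third is the "just open the ports" fallback; the last is an over-broad any/any.
SAMPLE_RULES = [
    Rule(COMPANY_A_DATA, EXPRESSWAY_DMZ, "udp", MEDIA_LO, MEDIA_HI, "permit"),
    Rule(COMPANY_B_DATA, UC_SERVERS, "udp", MEDIA_LO, MEDIA_HI, "permit"),
    Rule(COMPANY_A_DATA, COMPANY_B_DATA, "udp", MEDIA_LO, MEDIA_HI, "permit"),
    Rule(COMPANY_A_DATA, COMPANY_B_DATA, "tcp", 443, 443, "permit"),
    Rule(ANY, ANY, "udp", 1, 65535, "permit"),
]

if __name__ == "__main__":
    print("rules opening media directly between companies:", audit(SAMPLE_RULES))
```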