07-08-2013 12:12 PM - edited 03-18-2019 01:25 AM
We have several Codian Gateways that are running the new 2.2 software.
This software now includes direct SIP protocol capability.
My question is HOW do I configure the GW...
I'm very familiar with how it works with H.323.... (prefix registration)
There are only 3 options under the settings on the web interface.... and the help is not very much help

| SIP call settings | |
|---|---|
| Outbound address | |
| Outbound domain | |
| Outgoing transport | UDP / TCP |

I looked at the documentation page under the Configuration and Programming guides and there was nothing that helps...
Is there a plain English guide on how to set this up with examples...
I would like my SIP only endpoints to be able to make GW calls without the complexity associated with a traversal SIP to H.323 transcoding.
If someone has done this or if there is a document on the Cisco site that I missed, I would appreciate the help.
Thanks
07-09-2013 09:34 AM
Hi Steven, how are you?
As you write prefix registration and traversal calls I assume you use a deployment with VCS?
Guess the main intention of having the SIP software is to use it with CUCM.
For future postings, always post some more information about how your
deployment looks (like here: which call control in which release version you use,
what kind of endpoints are involved, what kind of calls you do, ...)
The more verbose the better :-)
Btw, if I look at your screenshot it looks like you are lacking the encryption key;
as long as you do not live in an export restricted country I would recommend you
get yourself the (free) option key, as that will enhance security at least on the IP side.
Where do you see the complexity on traversal calls? I am not sure where your VCS and
your endpoints are registered; in many deployments I have seen it is most often used for
voice calls and rarely for ISDN video, and if so it's often max 384 or 512 kbit and the ISDN GW
is then often registered to a local VCS anyhow.
As the VCS-C has 100 traversal call licenses I saw many who were even happy that
it's a traversal call, but that's just a side note.
What you simply do is to set up a neighbor zone on your VCS pointing to the SIP port of
your ISDN GW (in this case 5060 TCP) and you need to add a search rule to match the
called number, pointing it to that zone.
You could use a regex or prefix, strip that and only send the numbers you need to dial towards the
ISDN GW.
One remark: besides the dialplan there is no IP based security, meaning if SIP is enabled every device
pointing to the right number@ip can dial out!
So better disable SIP or put a firewall upfront so only your call control can reach it.
Please rate the postings and set the thread to answered if it is!
Please remember to rate helpful responses and identify
07-10-2013 08:01 AM
Martin
Thanks for the reply
In regard to our VTC Infrastructure:
TMS 13.2.2. running Provisioning Extension
(2) VCS-Controls in a cluster (X7.2)
(2) VCS-Expressways in a cluster (X7.1)
Traversal zones created between all VCS-Cs and VCS-Es
MSE8000 with a Gateway Blade
8341 stand alone gateway
Thanks, we will look into the encryption key
Is there a Cisco document that breaks it down step by step like below?
OK, so the basic steps are...
#1 - In the 3241 for "outbound address" enter the cluster name for the VCS-C cluster?
#2 - In the 3241 for the "outbound domain" enter "@mycompany.com"
#3 - In the 3241 - If we have the encryption key we would select TLS, without it we would leave it at TCP
#4 - In the VCS-C - Create a new zone called "SIP Gateway Calls" and select Neighbor type
#5 - In the VCS-C - Populate the SIP section of the new zone
#6 - In the VCS-C - Create a search rule based on the prefix selected for SIP calls (e.g. 009) and point it to the new zone
#7 - In the 3241 set up a dial plan rule to strip the prefix
I am very concerned about the security and hacker calls.... our VCS Expressways get hammered all the time
We have done things to prevent the calls from going anywhere, but we still see them
We get calls "stuck" in the active call status with no "Route"
We want to upgrade the VCS-Expressways to X7.2 so we can use the firewall feature to block attempts at the IP level
Thanks Martin
07-10-2013 08:26 AM
Thanks for the thx, even better is if you use the stars below each posting, that's what motivates me and
many people here :-)
I do not see how the firewall functionality really helps. It's the VCS-E and you want to have
public connectivity. To get rid of most scans it can be handy to disable SIP/5060/UDP on the VCS,
as most scans are hitting you by UDP.
Also if you have a VCS-E, besides a local firewall I would always recommend also to block it via a
firewall in a DMZ.
Besides that the calls should be blocked via a combination of zones, search rules, CPLs
and authentication on the VCS.
Like I said, as the ISDN GW is quite open you really should have it behind a firewall if you allow outbound calls.
That's also one thing: if you do not really really need outbound calls and you can get people to only
use inbound ISDN calls, that can be helpful here as well. On our ISDN GW I simply do not allow
outbound calls at all.
I assume your ISDN GW is registered to the VCS-C, so you can also think of at least
blocking all calls from the traversal zone to the ISDN GW, and I would block it on the VCS-E
as well as on the VCS-C.
The search rules became very powerful. I am not sure if that was recorded as a feature request,
but what I would like to see is also a way to respond on a successful match with an error code.
I made a CPL service as a workaround, but it could be quite easy to say, search rule answer:
reject: 403 Forbidden, ..
Depending on the software version there are some bugs where the VCS calls might not show
the zone or the destination, but that's most likely a bug and not necessarily a hacker attempt. :-)
Maybe a feature request for more security features and alerts by the ISDN GW would be handy in addition.
Please remember to rate helpful responses and identify
07-10-2013 09:04 AM
Thx for rating (if it was you - which made my yellow forum ranking star blue :-)
And +5 for you, especially as you gave some basic steps!
Please remember to rate helpful responses and identify
07-10-2013 10:55 AM
Replies have been rated......
I agree on the SIP UDP disable..... I see that tip often
Have you heard of trouble with receiving ad hoc calls from other VTC systems after disabling SIP/UDP?
I think it's safe to assume that all the Cisco stuff including Jabber would be fine.
Yes, our VCS-Es sit in the DMZ (FW between the Internet and a 2nd FW between the company's inside network)
Getting the FW rule changes is a long and slow process... not sure if it is practical to add IPs to block
Yes, we definitely need the ability to do outbound calls.... we do it today for H323... need to have that for SIP also
OK, I see your point.... we should not allow any calls that come from the traversal zone to the new SIP GW zone
What is the easiest way to program that restriction?
Thanks
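As an added illustration (not code from this thread, from Cisco VCS or from the Codian gateway), the following Python model walks through the steps listed above: the gateway's three SIP fields (#1-#3), a VCS-C neighbor zone and a 009 prefix search rule (#4-#6), the prefix strip (#7, done on the VCS here rather than in the gateway dial plan), and the restriction asked about in the last post, that calls arriving from the traversal zone must never be routed to the SIP gateway zone. Zone names, the cluster FQDN, the VCS-C peer addresses and the prefix are assumptions; real VCS search rules have more fields than the subset modelled here.

```python
"""Model of the SIP-to-ISDN call routing worked out in this thread. Constructed
illustration, not Cisco VCS or Codian code; zone names, addresses and the 009
prefix are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_ZONE = "LocalZone"            # assumed: zone of locally registered endpoints
TRAVERSAL_ZONE = "TraversalZone"    # assumed: traversal zone towards the VCS-Es
SIP_GW_ZONE = "SIP Gateway Calls"   # neighbor zone name from step #4
DOMAIN = "mycompany.com"            # domain from step #2
VCS_C_PEERS = {"10.0.0.10", "10.0.0.11"}  # assumed VCS-C cluster peer addresses


def gateway_sip_settings(has_encryption_key: bool) -> dict:
    """Steps #1-#3: the three SIP fields on the gateway web interface."""
    return {
        "Outbound address": "vcsc-cluster.mycompany.com",  # assumed cluster FQDN
        "Outbound domain": DOMAIN,
        # TLS needs the (free) encryption option key; otherwise stay on TCP, not UDP
        "Outgoing transport": "TLS" if has_encryption_key else "TCP",
    }


@dataclass(frozen=True)
class SearchRule:
    """Subset of a VCS search rule: source filter, regex pattern, rewrite, target."""
    name: str
    priority: int          # lower value is evaluated first
    source: str            # "Any" or a named zone
    pattern: str           # regex that must match the whole dialled alias
    target_zone: str
    replace_with: Optional[str] = None  # None = leave the alias unchanged

    def apply(self, source_zone: str, alias: str) -> Optional[str]:
        """Return the (possibly rewritten) alias if the rule matches, else None."""
        if self.source != "Any" and self.source != source_zone:
            return None
        if not re.fullmatch(self.pattern, alias):
            return None
        if self.replace_with is None:
            return alias
        return re.sub(self.pattern, self.replace_with, alias)


SEARCH_RULES = [
    # Step #6 plus the restriction: only calls that originate in the local zone may
    # use the 009 prefix, and the prefix is stripped before the alias reaches the
    # gateway zone (step #7 moved onto the VCS).
    SearchRule("ISDN out via SIP GW", 100, LOCAL_ZONE,
               r"009(\d+)@" + re.escape(DOMAIN), SIP_GW_ZONE,
               replace_with=r"\1@" + DOMAIN),
    # Ordinary URI dialling to registered endpoints, allowed from anywhere.
    SearchRule("Local zone match", 200, "Any",
               r"[^@]+@" + re.escape(DOMAIN), LOCAL_ZONE),
]


def route(source_zone: str, alias: str) -> Optional[Tuple[str, str]]:
    """First matching rule in priority order wins; None means no route at all."""
    for rule in sorted(SEARCH_RULES, key=lambda r: r.priority):
        new_alias = rule.apply(source_zone, alias)
        if new_alias is not None:
            return rule.target_zone, new_alias
    return None


def reaches_gateway(source_zone: str, alias: str) -> bool:
    """True only if the call would be forwarded to the SIP gateway zone."""
    result = route(source_zone, alias)
    return result is not None and result[0] == SIP_GW_ZONE


def gateway_accepts(src_ip: str, request_uri: str,
                    allow_outbound: bool = True) -> Tuple[bool, str]:
    """What should be enforced in front of the ISDN gateway. The thread notes the
    gateway has no IP-based security of its own, so the address check stands in
    for the firewall rule that lets only the VCS-C peers reach its SIP port."""
    if src_ip not in VCS_C_PEERS:
        return False, "source is not a VCS-C peer (should be dropped by the firewall)"
    if not allow_outbound:
        return False, "outbound ISDN calls disabled on this gateway"
    user = request_uri.split("@", 1)[0]
    if not re.fullmatch(r"\d{3,15}", user):
        return False, "called party is not a plain dialled number"
    return True, user


if __name__ == "__main__":
    print(gateway_sip_settings(has_encryption_key=False))
    for zone, alias in [(LOCAL_ZONE, "0091234567@mycompany.com"),
                        (TRAVERSAL_ZONE, "0091234567@mycompany.com"),
                        (TRAVERSAL_ZONE, "alice@mycompany.com")]:
        print(f"{zone:14} {alias:26} -> {route(zone, alias)}")
    print(gateway_accepts("10.0.0.10", "1234567@mycompany.com"))
    print(gateway_accepts("203.0.113.9", "100@10.0.0.20"))  # scanner-style 100@ip call
```

The traversal-zone call to a 009 number still matches the general "Local zone match" rule, so it is searched among local registrations (where no such alias exists) and never reaches the gateway zone; that is what restricting the ISDN rule's Source to the local zone buys you, without needing the reject-on-match feature discussed in the thread.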
07-10-2013 11:28 AM
SIP UDP is mostly used for telephony systems.
The INVITE of a TelePresence call is way bigger, causing it to be >1500 bytes,
so it would have to be split into multiple UDP packets, which themselves often
keep hanging in firewalls.
It's a decision what you want to do; we have many customers not using UDP and
not complaining at all, or better, they did before about the 100@ip calls, ...
You have to make the decision: absolute reachability vs. scan attempts.
Regarding SIP, where do you really see the benefit, or better the problems, with the interworking?
If you do not have a firewall upfront the ISDN GW I would not do it, there is always the chance
of misuse (we have even seen hacked MXP systems trying to dial out via multisite, ...)
Also check for looping calls through an auto attendant, which allows a dial out again, like on the MCU,
IPGW, ISDNGW, ...
As I do not know your deployment it's hard to say what the easiest is. It's always the combination of all
and depends on the software versions running (like you said with the firewall option for example, or
the additional search rule capabilities, ...)
If you have the chance, check with your Cisco partner or an external consultant to help you on a review.
Most of the time, besides the security, there will be something found which can be optimized in addition.
Please remember to rate helpful responses and identify
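The point above about TelePresence INVITEs outgrowing a UDP packet can be checked with a constructed message. The Python below is an added illustration, not code from this thread or from Cisco: it builds an INVITE with a video-room SDP (audio, main video, BFCP floor control, a presentation video stream and H.224 camera control, all constructed values), compares it with a phone-style audio-only offer, and applies the transport rule from RFC 3261 section 18.1.1 (a request within 200 bytes of the path MTU, or over 1300 bytes when the MTU is unknown, must be sent over a congestion-controlled transport such as TCP). It also counts the IPv4 fragments a UDP datagram of that size would need, which is where the firewall trouble starts.

```python
"""Why SIP over UDP is a poor fit for TelePresence INVITEs. Constructed example;
every header value and SDP line is made up, including the placeholder a=crypto key."""
import math

SESSION = ["v=0", "o=- 1 1 IN IP4 10.0.0.20", "s=-", "c=IN IP4 10.0.0.20", "t=0 0"]
CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40  # placeholder key
AUDIO = [
    "m=audio 2326 RTP/SAVP 96 97 9 8 0 101", CRYPTO,
    "a=rtpmap:96 MP4A-LATM/90000",
    "a=fmtp:96 profile-level-id=25;object=23;bitrate=64000",
    "a=rtpmap:97 G7221/16000", "a=fmtp:97 bitrate=32000",
    "a=rtpmap:9 G722/8000", "a=rtpmap:8 PCMA/8000", "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:101 telephone-event/8000", "a=fmtp:101 0-15", "a=sendrecv",
]
VIDEO_MAIN = [
    "m=video 2328 RTP/SAVP 98 99 34", CRYPTO,
    "a=rtpmap:98 H264/90000",
    "a=fmtp:98 profile-level-id=428016;max-mbps=245000;max-fs=8192;max-br=5000;packetization-mode=1",
    "a=rtpmap:99 H264/90000",
    "a=fmtp:99 profile-level-id=428016;max-mbps=245000;max-fs=8192;max-br=5000",
    "a=rtpmap:34 H263/90000", "a=fmtp:34 CIF4=1;CIF=1;QCIF=1",
    "a=rtcp-fb:* nack pli", "a=content:main", "a=sendrecv",
]
BFCP = [
    "m=application 5070 TCP/BFCP *", "a=floorctrl:c-s", "a=confid:1", "a=userid:1",
    "a=floorid:2 mstrm:12", "a=setup:actpass", "a=connection:new",
]
VIDEO_CONTENT = [
    "m=video 2330 RTP/SAVP 98", CRYPTO,
    "a=rtpmap:98 H264/90000",
    "a=fmtp:98 profile-level-id=428016;max-mbps=108000;max-fs=3600;packetization-mode=1",
    "a=label:12", "a=content:slides", "a=sendrecv",
]
FECC = ["m=application 2332 RTP/AVP 100", "a=rtpmap:100 H224/4800", "a=sendrecv"]

PHONE_OFFER = AUDIO                                              # audio-only desk phone
TELEPRESENCE_OFFER = AUDIO + VIDEO_MAIN + BFCP + VIDEO_CONTENT + FECC  # video room system


def build_invite(media_lines, transport="UDP"):
    """Serialise a minimal but realistic INVITE (constructed headers) with the SDP."""
    sdp = "\r\n".join(SESSION + media_lines) + "\r\n"
    headers = [
        "INVITE sip:0091234567@mycompany.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 10.0.0.20:5060;branch=z9hG4bK-constructed",
        "Max-Forwards: 70",
        'From: "Room 1" <sip:room1@mycompany.com>;tag=constructed1',
        "To: <sip:0091234567@mycompany.com>",
        "Call-ID: constructed-call-id@10.0.0.20",
        "CSeq: 100 INVITE",
        "Contact: <sip:room1@10.0.0.20:5060>",
        "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER",
        "Supported: replaces, timer, 100rel",
        "Session-Expires: 1800",
        "User-Agent: constructed-telepresence-endpoint/1.0",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp.encode('ascii'))}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + sdp).encode("ascii")


def select_transport(message: bytes, path_mtu=1500) -> str:
    """RFC 3261 18.1.1: within 200 bytes of the path MTU (or over 1300 bytes when
    the MTU is unknown) the request MUST use TCP or another congestion-controlled
    transport instead of UDP."""
    limit = 1300 if path_mtu is None else path_mtu - 200
    return "TCP" if len(message) > limit else "UDP"


def ipv4_fragments(message: bytes, path_mtu=1500) -> int:
    """IPv4 fragments a UDP datagram of this size needs on a link with this MTU
    (20-byte IP header without options, 8-byte UDP header). More than one fragment
    is what stateful firewalls tend to drop or reassemble badly."""
    udp_length = len(message) + 8
    return math.ceil(udp_length / (path_mtu - 20))


if __name__ == "__main__":
    for name, offer in [("phone", PHONE_OFFER), ("telepresence", TELEPRESENCE_OFFER)]:
        msg = build_invite(offer)
        print(f"{name:13} {len(msg):5d} bytes -> {select_transport(msg)}, "
              f"{ipv4_fragments(msg)} IPv4 fragment(s) over UDP at MTU 1500")
```

The audio-only offer stays comfortably under the 1300-byte line and fits one datagram, while the room-system offer crosses the MTU and would arrive as at least two fragments over UDP; sending it over TCP (or TLS, once the encryption key is installed) sidesteps the fragmentation entirely.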