hmm.. looks like I should of searched a little better. Thanks for the references.

No worries, even if you search for something, you might not get the results you want right away.  I knew what to search and look for, but there are many other discussions out there on this.

Before it was just SIP, that was easy to prevent, just block port 5060.  However, recently these incoming call attempts starting coming in on H323, and well, you can't block them without breaking H323 dialing all together.  With a VCS it gets easier to work around and you're able to block them using a CPL script.

If you have any more questions, let us know.  Don't forget to mark replies as answered to help others that have the same question.

thanks for the response. I've posted another email that might clear up what I've got going now

Hey Douglas,

When you say that you have an Expressway, generally these devices are used as the single point of entry for video calls. If you want to use H.323, you could always register the endpoint with the VCS-E too, and use a dial plan to route the calls.

Just a thought.

Cheers

Chris

Just to clear things up.

The expressway is at our corporate office. The EX90 is overseas and is registered via SIP to the expressway. (No expressway or VCS at the remote site)

In the past the issue I had was configuring H.323 and SIP authentication at the same time so that (I'll have to look up what the problem was exactly..it was a while back) only authenticated devices could register with the expressway.

I don't really care about native H.323 functionality at the overseas office. Our expressway can do the translation if they really need to make an H.323 outbound call. 

how would you do this? What I want is that EX90 to be SIP only to our expressway (achieved) and I don't want incoming H.323 IP calls to the unit over there. (they get annoyed and end up turning the unit off and forgetting to turn it back on)

for clarity purposes and due to CISCO's confusing marketing.. :) when I say "Expressway" what I mean is VCS-E

thanks!

It sounds as if the IP that the EX90 is using is open to the public, if you want to prevent the incoming H323 calls, close the firewall and use the Expressway to communicate to the endpoint.  If for some reason after you close the firewall, and SIP dialing just doesn't work inbound and outbound, you could selectively open up the SIP ports.

We have a similar setup here, where an endpoint is in a hospital where they block all incoming traffic, we couldn't dial into it.  So we registered it to our Expressway and we're able to connect to it without issue now, and nothing was changed on the hospital firewall.

That's the easy solution..if I had access to the firewall at the remote site. :(

The ISP over in France we are dealing with seems to not really know what to do or understand anything complicated so as a result I'm stuck with the EX90 being open to the Internet. 

Now...if I had root on the device LIKE CISCO USED TO LET US ;) I could configure iptables to block H.323 on the device itself. 

Maybe I should put that in as a feature request to our account manager..the ability to craft local firewall rules right on the device.