03-28-2014 03:20 AM - edited 03-18-2019 02:48 AM
Hi all,
I have a CPL script that changes every incoming alias from the Internet to the alias of the MCU auto-attendant.
But I would like to allow known sites, identified by their IP address, to directly call internal endpoints.
I found I can check with an <address-switch>, but I couldn't find how to test the IP address. Only aliases are checked.
Do you know if it is possible to filter endpoints with CPL based on IP address?
Regards,
Guillaume
04-01-2014 10:11 AM
As far as I am aware, there is no way to filter by IP address in the reduced CPL that is implemented on the VCS/Expressway.
Is there a reason why you can't filter by alias instead of IP address? When it comes to hacking, spoofing IP addresses is just as easy as aliases, so that really does not provide any additional layer of security.
I would probably just add additional rules for each alias you want to have the ability to call inside, or if they are coming from a specific domain, the (.*)@domain will be a catch all to those from another expressway or equivalent.
Otherwise, if you must use IP address filtering, you would have to do it in the firewall, by making a set of rules to block all IP addresses, then making another rule for the desired IP address, set it to allow, and make it higher priority than the first rule. Then delete your CPL.
I would probably not go that direction, as it would be very limiting, and the firewall rules in the expressway are a pain to configure. (also would still leave you vulnerable to IP address spoofing)
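A complete CPL script in the shape this answer describes, as an added example (not Derek's, Guillaume's or Cisco's code): known sites are matched on their alias or on a (.*)@domain catch-all and proxied straight through, and everything else falls to the last rule, which rewrites the destination to the MCU auto-attendant the way Guillaume's existing script does. The domain, the single alias and the auto-attendant alias are placeholders, and the taa:location rewrite is the form I assume for that last rule.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original thread. Placeholders:
     partner.example.com           = domain of a known site
     knownsite@other.example.net   = one individual known alias
     autoattendant@mcu.example.com = MCU auto-attendant alias -->
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
     xmlns:taa="http://www.tandberg.net/cpl/extensions"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  <taa:routed>

    <!-- 1. Whole known domain: the (.*)@domain catch-all from the answer.
         Dots are escaped so only the literal domain matches. -->
    <taa:rule origin="(.*)@partner\.example\.com" destination=".*">
      <proxy/>
    </taa:rule>

    <!-- 2. One individual known alias, matched literally. -->
    <taa:rule origin="knownsite@other\.example\.net" destination=".*">
      <proxy/>
    </taa:rule>

    <!-- 3. Everything else from the Internet: drop the dialled destination
         and send the call to the MCU auto-attendant. Rules are tested in
         order, so this catch-all must stay last or it swallows rules 1-2. -->
    <taa:rule origin=".*" destination=".*">
      <taa:location clear="yes" url="autoattendant@mcu.example.com"/>
      <proxy/>
    </taa:rule>

  </taa:routed>
</cpl>
```

Each rule test shows up in the network/CPL debug log mentioned later in the thread, so a call from a known alias should log a match on rule 1 or 2 rather than "no matched" all the way down.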
03-31-2014 11:55 AM
Correct, but for H323 calls across the Internet, their alias would normally be their public IP address.
Replace 0.0.0.0 with the IP address
<!-- allow calls originating from IP address 0.0.0.0 -->
<taa:rule origin="0.0.0.0" destination=".*">
<proxy />
</taa:rule>
If their incoming alias is not their public IP address, post up a network log from the Expressway from one of these calls, so I can see what's going on.
04-01-2014 09:13 AM
Hi Derek,
Thanks for your reply.
It seems the remote endpoint doesn't use its IP address as alias. I checked the network/CPL debug logs and could notice each CPL rule is tested and none works (every line ends with "no matched").
On each of these log lines testing the rules, I can see the IP address in the "remote-IP" parameter... so the VCS has got the information, but I can't find the right way to exploit it.
Regards,
Guillaume
04-02-2014 01:05 AM
Hi Derek,
You confirm what I thought.
The IP-based filtering was specifically requested from the customer, even after we had seen the H323 alias would be an (at least) equivalent solution.
Regards,
Guillaume