
VCS firewall rules: VCS-E traversal

Marco
Level 1

Hello community,

We have a VCS Control cluster and 2 VCS-Es, one in the private DMZ and the other in the public DMZ with a public IP.

At the moment we want to implement SIP and add the firewall rules to route these calls inbound and outbound.

I have a question about the traversal zone. I looked at the firewall deployment guide to add the firewall rules, but I don't see rules for the direction of traversal calls from VCS-E to VCS.

Don't I need the same rules for the direction back, from VCS-E to VCS through the firewall? What about the inbound traffic?

Don't I need the same ports in the direction from VCS-E to VCS? Or are these connections all cleared by the traversal zone?

Thanks for the help.

Attached: our SIP firewall rules.


4 Replies

Patrick McCarthy
Cisco Employee

That's the beauty of Expressway: you don't need to open ports from the Expressway to the control. All of the communication between the two is initiated by the VCS-C; the other direction is return traffic.

Thank you for the answer.

So it's return traffic on which ports? Is it like a VPN?

In this case I have to open just the traversal ports, 7001 for example?

If we deny any on the firewall between VCS-E and VCS, there would be no traffic transmitted.

Thanks

As Patrick has mentioned, you don't have to open any ports between the VCS-C and E, not even 7001, because the VCS-C will send an outbound keepalive periodically to the VCS-E, and it will respond on that already open port in the firewall. If for some reason you do deny all inbound traffic no matter what and 7001 does get blocked for whatever reason, you would have to allow it.

It is interesting that you use the images that you use; where did you get them?

 

They are from the VCS firewall guide, which explains exactly the questions about the ports that you have.

(I recommend using the latest VCS version (X8.5.3). If you use an older version or you have upgraded, you might need to look at an older guide, or better, at the port usage page on the VCS itself to see which ports are used.)

https://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Cisco-VCS-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-5.pdf

 

As Patrick said, the Traversal Client (VCS-C) will connect to the Traversal Server (VCS-E); all new communication will be done in this direction.

7001 is the TCP connection, so as long as you allow the establishment you are fine with it, and the VCSs will keep that alive. This is not enough: you also need the media ports. They will use UDP, initiated by the -C, and the -E will answer on it (symmetric RTP). (Please check your VCS for which ports you have configured.)

Besides that, you did not describe your deployment. For a VCS as the call control with standard Cisco/Tandberg/3rd party endpoints it might make sense to deploy it dual with H.323. And at least for business-to-business calls, which are often still H.323 or more rarely IP, at least the external VCS-E should have H.323 enabled, interworking on, and the firewall properly configured.

 

If you deny any, and this also counts for established connections on your firewall, you would kill everything. If the deny any is only for new connections from the -E to the -C, you still might need to check how UDP communication is handled. That will depend on your firewall.

The VCS-C will work fine behind NAT and firewalls which just allow the communication out to the VCS-E and established/related TCP & UDP back in.

 

As you wrote public DMZ: if you use NAT for the public IP address of the VCS-E, e.g. if you have an outside public IP which is NATed to a private IP on the VCS-E, you will need the dual-interface/enhanced networking option.

 

Please rate messages with the stars below and set the thread to answered if it is.

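The point made in both accepted answers above (the VCS-C opens TCP 7001 and the UDP media flows towards the VCS-E, a stateful firewall passes the replies back as established traffic, and nothing has to be opened from the -E to the -C) is shown here as an added example, not code from the original thread or from Cisco. It is a small model of a stateful firewall between the inside network and the DMZ, replayed against a constructed packet sequence, and it also runs the "deny all inbound no matter what" case from the first accepted answer, where the 7001 replies are dropped. The addresses, the UDP media range and the port numbers other than 7001 are assumptions.

```python
"""Stateful firewall model for a VCS-C <-> VCS-E traversal zone.

Added example, not code from the original thread. Addresses, the UDP
media range and the packet sequence are constructed; TCP 7001 is the
traversal port the thread discusses.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

VCS_C = "10.0.1.10"    # assumed inside address of the Traversal Client
VCS_E = "192.0.2.20"   # assumed DMZ address of the Traversal Server
TRAVERSAL_PORT = 7001  # TCP, always opened by the client (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


Flow = Tuple[str, str, str, int, int]  # (src, dst, proto, sport, dport)


def _flow(p: Packet) -> Flow:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def _reverse(f: Flow) -> Flow:
    src, dst, proto, sport, dport = f
    return (dst, src, proto, dport, sport)


class Firewall:
    """Rules between the inside (VCS-C) and the DMZ (VCS-E).

    stateful=True : inside -> DMZ permitted by the outbound list, and the
                    reply direction of a tracked flow accepted as
                    'established' (what the answers above rely on).
    stateful=False: 'deny all inbound no matter what' - replies are
                    judged like new inbound packets and are dropped.
    """

    def __init__(self, stateful: bool = True) -> None:
        self.stateful = stateful
        self.state: Set[Flow] = set()
        # Outbound permits, inside -> DMZ: (proto, first port, last port).
        self.outbound = [
            ("tcp", TRAVERSAL_PORT, TRAVERSAL_PORT),
            ("udp", 50000, 52399),  # assumed media range; check your VCS
        ]

    def _outbound_permitted(self, p: Packet) -> bool:
        if p.src != VCS_C or p.dst != VCS_E:
            return False
        return any(p.proto == proto and lo <= p.dport <= hi
                   for proto, lo, hi in self.outbound)

    def evaluate(self, p: Packet) -> str:
        f = _flow(p)
        # 1. Return traffic of a flow the inside host opened.
        if self.stateful and _reverse(f) in self.state:
            return "ACCEPT (established)"
        # 2. New flow initiated from the inside towards the VCS-E.
        if self._outbound_permitted(p):
            self.state.add(f)
            return "ACCEPT (new outbound)"
        # 3. Everything else, including anything the VCS-E initiates.
        return "DROP"


def run_traversal(stateful: bool = True) -> List[str]:
    """Replay the exchange described in the thread; return one verdict per packet."""
    fw = Firewall(stateful=stateful)
    packets = [  # constructed sequence
        Packet(VCS_C, VCS_E, "tcp", 40001, TRAVERSAL_PORT),  # C opens 7001 to E
        Packet(VCS_E, VCS_C, "tcp", TRAVERSAL_PORT, 40001),  # E replies / keepalive answer
        Packet(VCS_E, VCS_C, "tcp", 33000, TRAVERSAL_PORT),  # E tries to open 7001 to C
        Packet(VCS_C, VCS_E, "udp", 50002, 50010),           # C sends RTP first
        Packet(VCS_E, VCS_C, "udp", 50010, 50002),           # E answers on the same pair
        Packet(VCS_E, VCS_C, "udp", 50010, 50004),           # unsolicited UDP from E
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"stateful={mode}")
        for verdict in run_traversal(stateful=mode):
            print("  ", verdict)
```

With `stateful=True` only the two packets the VCS-E originates are dropped; every reply rides on state created by the VCS-C. With `stateful=False` the reply on 7001 and the returning RTP are dropped as well, which is the situation where, as the first accepted answer says, you would have to allow them explicitly.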