Federation and security / DMZ

etamminga

Hi,

Design question:

Suppose a customer has a security policy to never expose an internal server directly to the internet and require all traffic to pass through a device/proxy/.... in the DMZ. How would this translate to CUPS/Jabber with XMPP federation?

The design guides only suggest NAT'ing the CUPS server XMPP port to the Internet. This violates the customer's policy. I personally think the customer follows good security practice with his policy.

Regards,

Erik


Todd Volz

Are there any design guides out there for this?  I found a list of ports that the presence server uses:

http://www.cisco.com/en/US/docs/voice_ip_comm/cups/8_0/english/port/cupsportusage.html#wp40778

That list should help, however I would prefer to see someone that has gotten this to work by possibly installing a CUP server in the DMZ and another CUP server in the Internal network so the DMZ server acts as a gateway/router...  However if it needs the same internal access to the Active Directory server, CUCM server, clients, it wouldn't seem to gain very much.

-Todd

Hello All,

Has anyone been able to manage a federation with external companies / offers?

What about the DMZ question?

The guides in this part are not very clear.

And it somehow seems in opposition with other guidelines in security topics.

Regards

MARTIN STREULE

Hi Erik

Did you ever solve this problem?

Cheers

Martin

Hi Martin,

I managed to get the federation working, but not via a DMZ. Static NAT translations on the outside firewall to the Presence server(s).

Rumors exist that state the next or a next Expressway solution will solve this in the future. Currently nothing can be done, unfortunately.

Regards,

Erik