Can someone please clarify what ports I need open on my PIX firewall to allow me to have Call Managers and Gateway and phones on the inside and some phones in a DMZ.
Just for basic audio and signaling using CallManager 3.1, you would need TCP/2000, TCP/2427-2428 for MGCP signaling, UDP/16384-32767 for audio.
If you are going to be doing other things, like using the corporate directory or XML services, you would need to open TCP/80; for SoftPhone you would need TCP/2748 and TCP/8404.
For CallManager 3.0 you would need TCP/2001 and TCP/2002 for Skinny based gateway signaling.
The list goes on and on.
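As an added example (not from the thread, and not configuration from any of the posters), here is how the CallManager 3.1 port list above could be written as a least-privilege PIX 6.x access list for phones in a DMZ; all addresses, interface names and the ACL name are assumed.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside CallManager (SCCP, TFTP, web)   10.1.1.20
!   inside voice subnet (phones, MGCP GWs)  10.1.0.0/16
!   DMZ phone subnet                        192.168.10.0/24
!
! Identity statics so the inside hosts are reachable from the
! lower-security DMZ interface (no address translation is applied)
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
!
! Skinny (SCCP) signaling: DMZ phones to the CallManager only, not to "any"
access-list dmz_voice permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 2000
! TFTP (UDP/69) so DMZ phones can load their config from the CallManager TFTP server
access-list dmz_voice permit udp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 69
! RTP/RTCP media between DMZ phones and the inside phones/gateways
access-list dmz_voice permit udp 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0 range 16384 32767
! Optional: corporate directory / XML services on the CallManager web server
access-list dmz_voice permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 80
! Everything else from the DMZ phone subnet is dropped by the implicit deny
access-group dmz_voice in interface dmz
!
! Let the PIX inspect SCCP on TCP/2000 (handles the addresses embedded in
! Skinny messages when NAT is in use between the phones and the CallManager)
fixup protocol skinny 2000
```

Calls from the inside toward the DMZ phones flow from the higher-security interface and are allowed by default on the PIX, so the access list only has to cover what the DMZ phones initiate.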
That's great information! Are any additional ports needed for CallManager 3.1? Are any additional ports needed for Unity 3.0?
F C Wood
Just for my info, while we're on topic....
Is there any way in the CCM / PIX to restrict the ports used for RTP / RTCP, or do you need to open up a large range of ports?
Thanks in advance.
In general the answer is no. However, there are a very large number of variables involved as far as what is on the inside and outside of the firewall that could possibly add more holes to be poked. I can't generalize without knowing the specific requirements; that was just a sample.
Thanks for that.
Now for the obvious question. Do those ports need to be open from CM or GW or phone on inside to talk to phones in DMZ?
By the time you are done allowing your legitimate users access to resources on your network, you would have opened so many ports, it won't even be funny anymore. There is a better way to open these ports and still maintain a high level of security: a VoIP Firewall that will open the needed ports dynamically, on a per-call basis, so you can relax and take care of other important tasks on your network. I can give you some leads on that, as well as the technology behind it. For what security is worth these days, this will give you the peace of mind you need.
My company has developed a VoIP Firewall that solves your problem. I can direct you to the appropriate people in my organisation to talk to in order to obtain more information if you want. In short, the concept behind it is to cut back on all the trouble involving manually opening ports and monitoring their usage. Our solution does it for you dynamically and shuts them as soon as the call/connection is terminated. Soon, we will even integrate advanced authentication with it as well. Let me know if you want to know more.
Please forward me (firstname.lastname@example.org) contact information of someone within your organization that I can speak to about your VoIP Firewall. Thanks.
You might also want to check the "fixup" command if you are doing NAT and have phones on one side and a CM on the other side. From the PIX 6.1 Command Summary: "If Call Manager (CM) is configured for NAT and outside phones register to it via TFTP, the connection will fail because PIX Firewall currently does not support NAT TFTP messages."