I will agree here with Martin. We have multiple (50+) VCS-C to VCS-E deployments in the public sector organisations throughout our country (as this is what we do). The point of the VCS-C to VCS-E deployments is to reduce the number of ports required to be opened, so only a handful of outbound ports (assuming established traffic is allowed back) need to be opened.
You could then either deploy the VCS-C internally, with the VCS-E in a DMZ, or the VCS-C in the DMZ with the VCS-E on the public internet.
They believe these are a lot of ports to be opened on the Internet FW, which can be a high security risk.
Is there any way we can use fewer ports instead of the large range?
How can we set this up, and what will be the implications?
Has anyone encountered any security risk opening this port range?
Is there any way I can convince the security team that this is a safe way and that they will not have any security challenges with this approach?
Yes, tell them that you are only opening the port range to the single IP address of the Expressway box, not to multiple destinations.
All the ports are handled by the same application... so opening 1 vs 100 doesn't really change the security exposure, because it's all to the same service.
The reason the range is large is twofold:
1) To support concurrent connections you need more ports.
2) The standards for H323 and SIP require the use of dynamic ports in the unrestricted range. The port range is not the same for all implementations or vendors because it is not standardized WHICH ports to use, just that they should be the unreserved ports.
The safety comes because the Expressway works as your application level proxy... you expose IT to the outside world, so you don't expose your internal elements directly. Unlike a webserver, etc... H323/SIP traffic is not restricted to reserved, defined ports.
Efforts to narrow the port range expose you to potential interoperability or capacity issues.
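As an added illustration of the argument above (this is not code from the thread or from Cisco), a small audit script that flags any wide port range not pinned to the single Expressway-E address; the rule format, the 203.0.113.10 address and the port numbers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholder address for the Expressway-E (not from the thread).
EXPRESSWAY_E = ipaddress.ip_network("203.0.113.10/32")


@dataclass
class Rule:
    proto: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    port_lo: int
    port_hi: int

    @property
    def port_width(self) -> int:
        return self.port_hi - self.port_lo + 1


def parse_rule(line: str) -> Rule:
    """Parse the constructed format: 'permit <proto> <src> <dst> <lo>[-<hi>]'."""
    action, proto, src, dst, ports = line.split()
    if action != "permit":
        raise ValueError(f"unsupported action: {action}")
    lo, _, hi = ports.partition("-")
    return Rule(proto, src, dst, int(lo), int(hi or lo))


def targets_only_expressway(rule: Rule) -> bool:
    """True when every destination address in the rule is the single VCS-E host."""
    if rule.dst == "any":
        return False
    return ipaddress.ip_network(rule.dst, strict=False).subnet_of(EXPRESSWAY_E)


def audit(lines):
    """Return (rule_text, reason) for every wide port range not pinned to the VCS-E."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule.port_width > 1 and not targets_only_expressway(rule):
            findings.append((line, f"{rule.port_width} ports open to {rule.dst}"))
    return findings


# Constructed sample rule set: the first two follow the recommended pattern
# (range pinned to one host); the third is what a security team should reject.
SAMPLE_RULES = [
    "permit tcp any 203.0.113.10/32 5061",
    "permit udp any 203.0.113.10/32 40000-49999",
    "permit udp any any 40000-49999",
]

if __name__ == "__main__":
    for rule_text, reason in audit(SAMPLE_RULES):
        print(f"FLAG: {rule_text}  ({reason})")
```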