
IPO Security

IP 500v2 running
I would like to set up an IPO so that J179s at users' homes will connect to it over the Internet. In the past I've used the VPN feature set on the older handsets, but since the J179s running SIP don't do that, I think my only option is to use TLS and connect directly. I've configured the phones to pull their configs prior to shipping them, so I was only going to open SIP ports (5061 and the UDP range) inbound to the IPO for the phones to connect. Are there other ports they should need for normal voice comms?
I have configured the extensions with unique passwords and set the pw policy to 8 chars, medium complexity, lockout on 3rd attempt. What else can I do to secure the system? Does anyone have any suggestions on better ways to do this? I am just trying to sanity check myself before deploying something accessible over the Internet.

RE: IPO Security

You will need to open HTTP & HTTPS so the phone can pull the settings files.

Also, if possible, lock the port forwarding down to just the IP addresses of the remote workers, which will mean getting static IP addresses for them. If that can't be done I would look at IX Workplace over VPN or a Session Border Controller. I'm not a fan of opening SIP ports to the world for obvious reasons!

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchett

RE: IPO Security

I was only going to allow HTTP/S open for the static IP the phones will be provisioned from. I don't see any reason the phones will need to pull those files all the time and would be able to open those ports if I needed to roll out changes/upgrades. You see any problem with that?

RE: IPO Security

When the phone reboots, the first thing it asks the phone system for is the settings and upgrade text files.

RE: IPO Security

I'm pretty sure that if the phone can't get the text files it will default to the previous settings. If that IS the case then it should be fine to block http(s). Easy enough to test in-house; just remove the file server address(es) after getting connected the first time.

Assuming all other security issues of port forwarding SIP traffic are dealt with.

- Qz

RE: IPO Security

You can leave open ports 443/411 and 5061. You will need ports 443/411 for presence if using the IX Workplace Application. If using J100 series phones you can open 80/8411 and 443/411 to pull the settings and firmware; when this is done you can block these ports.

If you are worried about having these ports opened, put a firewall in front of them and put a Geo IP filter and/or just lock them down to known public IPs.
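An added example, not posted by anyone in this thread: a script that emits an nftables ruleset for a Linux firewall sitting in front of the IPO, implementing the advice above (SIP-TLS and the RTP range only from the remote workers' static IPs, settings/firmware ports only from the staging site, everything else to the IPO dropped). The IPO address, staging address and worker IPs are constructed placeholders, and the RTP range is an assumption that must match what the IPO is configured with.

```shell
#!/bin/sh
# Emit an nftables ruleset for a Linux firewall in front of the IP Office:
# SIP-TLS (5061) and the RTP range only from the remote workers' static IPs,
# settings/firmware download (80, 443, 8411) only from the staging site,
# everything else destined for the IPO logged and dropped.
# Every address here is a constructed placeholder; RTP_RANGE is an assumption
# and must match the RTP port range configured on the IPO.

IPO_ADDR="${IPO_ADDR:-192.0.2.10}"                            # placeholder: IPO LAN address
STAGING_SRC="${STAGING_SRC:-198.51.100.5}"                    # placeholder: where phones are provisioned
REMOTE_WORKERS="${REMOTE_WORKERS:-203.0.113.20 203.0.113.21}" # placeholder: home users' static IPs
RTP_RANGE="${RTP_RANGE:-46750-50750}"                         # assumption: IPO RTP port range

# Turn a whitespace-separated list into an nft anonymous set: "a b" -> "{ a, b }"
nft_set() {
    printf '{ %s }' "$(printf '%s' "$1" | sed 's/[[:space:]]\{1,\}/, /g')"
}

gen_ruleset() {
    workers=$(nft_set "$REMOTE_WORKERS")
    cat <<EOF
table inet ipo_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # signalling and media, remote workers only
        ip saddr $workers ip daddr $IPO_ADDR tcp dport 5061 accept
        ip saddr $workers ip daddr $IPO_ADDR udp dport $RTP_RANGE accept
        # settings and firmware pull, staging site only; remove when not rolling out changes
        ip saddr $STAGING_SRC ip daddr $IPO_ADDR tcp dport { 80, 443, 8411 } accept
        # anything else aimed at the IPO is logged (for alerting) and dropped
        ip daddr $IPO_ADDR log prefix "ipo-drop " drop
    }
}
EOF
}

# Sanity check: count accept rules towards the IPO that carry no source restriction (must be 0)
unrestricted_accepts() {
    gen_ruleset | grep "ip daddr $IPO_ADDR" | grep 'accept' | grep -v 'ip saddr' | wc -l | tr -d ' '
}

gen_ruleset
[ "$(unrestricted_accepts)" = "0" ] || echo "WARNING: an accept rule is open to any source" >&2
```

Review the printed ruleset and load it with `nft -f`; the check at the end warns if any accept rule towards the IPO ever loses its source restriction.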
