Avaya SBCE behind corporate Firewall?


(OP)
Hey guys... So we have an Avaya SBCE installed and up and working using a separate public internet connection from our corporate network. In looking at most of the deployment methods for the ASBCE, they show the ASBCE being deployed behind the corporate firewall. Is this a requirement? What benefit does it give? The Avaya IPO systems are on our same local LAN, but again the SBCE is on a separate public internet connection. It would involve some pretty significant re-IPing and re-design to move behind our firewall, and just not sure what the benefit would be. Isn't the SBC a firewall in itself? Just wanted to get everyone's input and suggestions.

Thanks,

RE: Avaya SBCE behind corporate Firewall?

Yes, it's a firewall itself.

Read the security guide. Nothing is locked down by default. Someone can always try registering a thousand times a minute unless you set limits relative to the number of people you have.

The SBC does have a config parameter where you put in how many remote workers you have and it dynamically generates best guesses around how many messages of each type should be allowed.

You're more than welcome to plug in a wire with a public IP on it. That's fine.

Enterprise deployments typically have all the public IPs hitting a firewall and some of those IPs are NATted to the SBC where the untrusted SBC interfaces have DMZ IPs. That's where in the Network Configuration part of the SBC for A1, B1, etc that you have a public IP you can map to each A1 or B1 IP to pleasantly work behind a NAT.

But that isn't required. You can still get a DSL modem with 1 WAN port out of it, plug it to your SBC and assign the public IP on the SBC's B1 interface and go on your merry way. There's no security risk there. The only security risk is if you don't lock down the SIP protocol stuff and that's true whether it's behind a firewall or not.

RE: Avaya SBCE behind corporate Firewall?

Putting the Avaya SBCE behind the customer firewall is always my recommendation. Besides all the technical points, I advise it just to have a clear demarcation point.

Freelance Certified Avaya Aura Engineer

RE: Avaya SBCE behind corporate Firewall?

(OP)
Thanks guys... We currently do not have it behind our firewall, but have implemented routing based on URI Groups & User Agents. Also blacklisting unpermitted IP blocks as we see them. Also turned on "Use preferred ports" & "Avaya HTTP Agents Only" on our IP Office systems. Then I have also whitelisted only the URLs & files needed on my Reverse Proxy entries for the 46xxsettings file & certificates. Hopefully this is enough good measures to prevent unauthorized access.

RE: Avaya SBCE behind corporate Firewall?

Read the security guide.

DDoS Protection lets you define how many remote workers you have and it guesstimates how many SIP messages of each type should be allowed within a given interval.
Domain DDoS settings

Scrubber packages. Use 2 - it's for trunks/remote workers and 4 - it's for Avaya Remote Workers. Stops stuff if funny business is happening.
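
An added example, not part of the thread and not Avaya's algorithm, of the per-interval limit the replies above describe (the "registering a thousand times a minute" case and the DDoS Protection message budgets): it counts REGISTER messages per source in a sliding 60-second window and reports sources that exceed a budget. The log format, the sizing rule in `per_source_limit` and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)

def parse_line(line):
    # Constructed format "ISO-time source-ip SIP-method"; not the SBCE's log layout.
    ts, src, method = line.split()
    return datetime.fromisoformat(ts), src, method

def per_source_limit(devices_per_user=2, attempts_per_device=3):
    # Hypothetical budget: REGISTERs one legitimate source may send per window.
    return devices_per_user * attempts_per_device

def register_floods(lines, limit):
    """Return {source_ip: peak REGISTER count in any 60 s window} for sources over limit."""
    recent = defaultdict(deque)      # source -> REGISTER timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, src, method = parse_line(line)
        if method != "REGISTER":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= WINDOW:   # drop timestamps that slid out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > limit}

# Constructed sample traffic (documentation address ranges).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = (
    # A remote worker refreshing its registration every 30 s, plus one call.
    [f"{(T0 + timedelta(seconds=30 * i)).isoformat()} 198.51.100.10 REGISTER" for i in range(4)]
    + [f"{(T0 + timedelta(seconds=45)).isoformat()} 198.51.100.10 INVITE"]
    # One source sending a REGISTER every 100 ms for 5 s.
    + [f"{(T0 + timedelta(milliseconds=100 * i)).isoformat()} 203.0.113.50 REGISTER" for i in range(50)]
)
SAMPLE.sort(key=lambda l: parse_line(l)[0])   # interleave the sources chronologically

if __name__ == "__main__":
    for src, n in register_floods(SAMPLE, per_source_limit()).items():
        print(f"{src}: {n} REGISTERs within 60 s (limit {per_source_limit()})")
```

The same counting applies whether the SBC's untrusted interface holds a public IP directly or sits behind a NAT, since it keys on the SIP traffic itself.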

RE: Avaya SBCE behind corporate Firewall?

(OP)
Thanks Kyle.

We have very few remote workers <40. The minimum you can define on the DDOS Protection is 100 so I will go with that. I have not enabled scrubber packages, but will definitely look into it!

RE: Avaya SBCE behind corporate Firewall?


Some Avaya documents show a firewall before and after the SBCE and others connected direct to the internet.

RE: Avaya SBCE behind corporate Firewall?

Here is how mine is configured. Wondering if I should do something different.

ACSS

RE: Avaya SBCE behind corporate Firewall?


This is from the manual so I assume that the firewalls are only a demarcation point as the SBCE is behind a DMZ.
