
Call Manager Secure Subnet

Status: Not open for further replies.

AJ1982

Technical User
Jun 13, 2001
644
GB
Good Afternoon All,

Our test lab has its own low end Call Manager server, it is planned that in the next few months the test environment will have increased usage inclusive of the Call Manager server.

What would the implications be of placing the CCM server into its own secure subnet and only allowing a specific set of ports (Remote Admin, VoIP) into it? The CCM server is standalone, is not connected to a PSTN and is only for test usage.

The main reason for the idea is to block out RPC ports to prevent RPC vulnerability attacks. My understanding is that a CCM server cannot be patched as MS patches are released, so I am concerned about vulnerabilities. The subnet it currently resides on hosts some MS ActiveDir services, so blocking out RPC ports would not be an option. So give it its own subnet where it can be done :p

Any ideas greatly appreciated, including how you guys roll out your CCM environment.

Thanks

AJ

===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
Normally in most deployments that I have seen, which are a few at this time, people place the CCM in its own VLAN: the phones in one, the CCM in another with no other servers other than other CCMs, Unity or call-related stuff. Then they use private VLANs to limit the servers' access to each other within the VLAN. Essentially, private VLANs are VLANs inside of VLANs, but they enable you to limit a server to accessing only its default gateway and the port it is connected to. That way, even if all the servers are in a common VLAN, they have to reach each other by passing through a router first and then being subject to access lists. RPC broadcast messages will never reach them in this fashion.

What you are proposing is a good design. I would just add the private VLAN feature, limiting access to the gateway and access port only.
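As an added illustration of the design described above (not configuration from either poster), here is a Cisco IOS sketch: the CCM port sits in an isolated secondary private VLAN so it can reach only the gateway SVI, and an extended ACL on that SVI admits only the VoIP and remote-admin ports into the CCM subnet while dropping RPC/NetBIOS/SMB. The addresses, VLAN and interface numbers, and the port list (SCCP 2000, TFTP, RDP 3389, HTTPS 443) are assumptions chosen for the example.

```cisco
! Illustrative Cisco IOS configuration (not from the thread). Assumed values:
! CCM subnet 10.10.10.0/24 (CCM = 10.10.10.10, gateway = .1), phone subnet
! 10.10.20.0/24, admin workstation 10.10.30.5, VLAN/interface numbers below.
vtp mode transparent
!
! Isolated secondary VLAN 101 inside primary VLAN 100: hosts in 101 can reach
! only the promiscuous side (the gateway SVI), never each other at layer 2.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
interface GigabitEthernet1/0/1
 description CCM test server - isolated host port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! Gateway SVI for the CCM subnet; traffic into the subnet is filtered here.
interface Vlan100
 ip address 10.10.10.1 255.255.255.0
 private-vlan mapping 101
 ip access-group CCM-SUBNET-IN out
!
ip access-list extended CCM-SUBNET-IN
 remark SCCP (Skinny) signalling from the phone subnet to the CCM
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 2000
 remark Phone config/firmware via TFTP on the CCM (data replies use ephemeral
 remark ports, so a stateless ACL must also admit the clients' ACKs)
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq tftp
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.10 gt 1023
 remark Remote administration only from the admin workstation
 permit tcp host 10.10.30.5 host 10.10.10.10 eq 3389
 permit tcp host 10.10.30.5 host 10.10.10.10 eq 443
 remark Replies to sessions the CCM itself opened (DNS, NTP, outbound TCP)
 permit tcp any host 10.10.10.10 established
 permit udp any eq domain host 10.10.10.10
 permit udp any eq ntp host 10.10.10.10
 remark RPC/NetBIOS/SMB never reach the CCM; log hits for detection
 deny tcp any any eq 135 log
 deny tcp any any range 137 139 log
 deny udp any any range 135 139 log
 deny tcp any any eq 445 log
 deny ip any any log
```

The exact port list depends on the CCM version and which services (Unity, MoH, conferencing) the lab actually uses, so compare it against the documented port usage before applying; `show vlan private-vlan` confirms the primary/secondary association took effect.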
 
Thanks for the info, I was sure this was what was practiced in industry but just wanted to make sure.

Thanks

AJ
