
Does SCN require a VPN?

Status
Not open for further replies.

raist3001

Technical User
Jun 11, 2013
150
US
Hello all, I am new to Small community networking. I have been searching the net for information on installation and configuration.

Does SCN require a VPN between locations? I have public IP's for both locations. Can I use this information to communicate between IP Offices?

What I see in my license menu is:
IP500 VNC 4

I have seen the following posted here in these forums:

Create an IP line and set it to SCN. (IS THIS A NEW H323 LINE?)
Give it a unique line id
Set the number of channels that the trunk must have.
This cannot be more than VCM channels and you need to be sure you have enough bandwidth.
Skip the shortcodes field because mostly you do not need them there.
Go to voip settings and set the IP address of the remote IPO
Set the right codec and set IPOffice SCN
Be sure that direct media path is turned on.

Then build an iproute
Basic is:

0.0.0.0
0.0.0.0
gateway IP address

You could create a more specific route.

Do the same on the other IPO.

 
Somewhere in the world a Gunnar shudders.

How are you going to secure it? Use a dedicated ip route on lan 2.
Firewall.

I'm clear but my fighter is down.
 
I would be building an IP route per the instructions I listed.

I am getting mixed responses. Some tell me a VPN is needed. My distributor is telling me I can do this with Public IP's, and no VPN is needed.

From what I understand, there are netgear routers at both locations.
 
Vpn is certainly preferred for security and dedicated qos.
Systems on the open internet. The hackers'll be like seagulls after a hot chip. If you can discover it, someone else will too.

I'm clear but my fighter is down.
 
Indeed, although strictly speaking a VPN is not necessary, exposing the IPO to the public internet is never* a good idea.


* sometimes it is a necessary evil in which case the firewall and IP office passwords should be tied down as secure as possible.

If you are unsure if your system is 100% secure then it almost certainly is not.
If you are certain it is 100% secure you are probably mistaken :)

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
So once a VPN is in place, I would be using local LAN IP's for each IP office as opposed to the public IP addresses?

Site A: 192.168.20.xxx
Site B: 192.168.30.xxx
 
SCN without VPN is not a good idea. If you are on R9.1 you can create a SCN line inside a HTTPS tunnel. So you have to forward just one port in every firewall and the connection is encrypted. But if it is the better idea...
 
0.0.0.0 route means anybody can access it.
VPN is a good thing why?

- your voice traffic is encrypted on the Internet and nobody with a bit more than basic Wireshark skills can listen to your conversations
- your phone system is not on the open Internet waiting for some hacker to figure out how to create a huge phone bill for you or lock you out of your own system
- you can sleep better knowing that the above 2 points are not applying to your setup
- WE all feel better not to have another system on the Internet, there are plenty already out there getting hacked and people don't know it until it is too late

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
There was just a little earthquake just south of Oslo right now... Clearly your Distri has no idea of what they are talking about.

The SCN itself does not require VPN to work, and that's one of the main reasons for why there are so many unprotected IPOs connected to the cat database (internet). The most insane thing to do would be to top it off with 0.0.0.0 routes, it's absolute madness!
Never use those routes for anything else than internal routing to a dead endpoint.

IPOs have a tiny little built-in firewall, which in the second worst case scenario, can act as your only protection against hackers.
(You would need to build custom FW rules for it to work. I made a calculator for this once, can find it here: thread940-1739002 )

That said, you will be better off buying two decent VPN firewalls, because if you make a mistake and the hackers exploit that, it will cost you a lot more than two top notch firewalls. A VPN connection will also provide easier maintenance, you (usually) don't have to worry about ISP changing their configuration or blocking certain ports. You'll also benefit from adding some QoS to it, and you'll sleep better at night.

So, in short: Don't do it without protection!


Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Thanks for the great advice.

So once a VPN is in place, I would be using local LAN IP's for each IP office as opposed to the public IP addresses?

Site A: 192.168.20.xxx
Site B: 192.168.30.xxx

The gateway for Site A would be configured with the actual gateway from Site B
The gateway for Site B would be configured with the actual gateway from Site A

Do I need any IP routes then?
 
Here's an example, phones are on the same LAN port as the VPN box.

Site A
IPO: 192.168.20.3
Switch: 192.168.20.2
VPN FW: 192.168.20.1
Mask: 255.255.255.0
IP route: 192.168.30.0/24 GW: 192.168.20.1


Site B:
IPO: 192.168.30.3
Switch: 192.168.30.2
VPN FW: 192.168.30.1
Mask: 255.255.255.0
IP route: 192.168.20.0/24 GW: 192.168.30.1

- Pick a side for the VMPro server, pref the one with most traffic/trunks.
- Make a choice for who's in charge of DHCP (I would try to avoid using the IPO)
- Setup one or more file servers for the phones (can ofc be the IPO, but I like to have that separate).
- Est. remote access to the systems. I try to get two ways in, using both LAN's on the IPO's - Very convenient if main site/VPN goes down.



Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Thank you Gunnaro.

Would I still be creating an H.323 line to use with SCN?

Or is this strictly IP routes?
 
You still need the SCN lines. The IP of those will be the addr of the opposite IPO.
Make the Line ID's unique and make sure there are no overlapping extn numbers or equal names.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

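Gunnar's two-site layout above (a /24 route to the other site via the VPN firewall on each side) and the follow-up rules (SCN line pointing at the opposite IPO, unique Line IDs, no overlapping extension numbers) can be checked mechanically. The script below is an added example and is not Avaya's code or anything posted in this thread; the addresses and Line IDs are the ones given in the thread, the class and function names are my own, and the optional `default_route_only` switch reproduces the 0.0.0.0 routes that Gunnar warns against so the check can be seen to flag them.

```python
"""Sanity checks for a two-site IP Office SCN over a VPN.

Added example, not Avaya's or the posters' code. The site values are the
addresses posted in the thread; class and function names are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    ipo: str            # IP Office address on LAN1
    mask: str           # LAN1 subnet mask
    vpn_fw: str         # VPN firewall: the gateway used to reach the other site
    line_id: int        # Line ID of the SCN (H.323) line; must be unique across the SCN
    extensions: range   # extension numbers hosted on this site
    routes: list        # IP routes as (destination CIDR, gateway) pairs
    scn_gateway: str    # Gateway IP in the SCN line's VoIP settings


def lookup_route(site, dst):
    """Longest-prefix match over the site's IP routes; None if nothing matches."""
    best = None
    for cidr, gw in site.routes:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def check_pair(a, b):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        lan = ipaddress.ip_interface(f"{local.ipo}/{local.mask}").network
        if ipaddress.ip_address(local.vpn_fw) not in lan:
            findings.append(f"{local.name}: VPN firewall {local.vpn_fw} is not on LAN {lan}")
        if local.scn_gateway != remote.ipo:
            findings.append(f"{local.name}: SCN line points at {local.scn_gateway}, not the remote IPO {remote.ipo}")
        hit = lookup_route(local, remote.ipo)
        if hit is None:
            findings.append(f"{local.name}: no IP route towards {remote.ipo}")
        else:
            net, gw = hit
            if net.prefixlen == 0:
                # Reachable only through 0.0.0.0/0: the route Gunnar says never to use for this
                findings.append(f"{local.name}: remote site reached only via the default route 0.0.0.0/0")
            if gw != local.vpn_fw:
                findings.append(f"{local.name}: route to {net} uses gateway {gw}, not the VPN firewall {local.vpn_fw}")
    if a.line_id == b.line_id:
        findings.append(f"Line ID {a.line_id} is used on both sites; SCN Line IDs must be unique")
    overlap = set(a.extensions) & set(b.extensions)
    if overlap:
        findings.append(f"Extension numbers overlap between sites, e.g. {sorted(overlap)[:5]}")
    return findings


def example_sites(default_route_only=False):
    """Build the two sites from the thread. With default_route_only=True the
    specific /24 routes are replaced by the 0.0.0.0 routes the original poster used."""
    route_a = [("0.0.0.0/0", "192.168.20.1")] if default_route_only else [("192.168.30.0/24", "192.168.20.1")]
    route_b = [("0.0.0.0/0", "192.168.30.1")] if default_route_only else [("192.168.20.0/24", "192.168.30.1")]
    a = Site("Site A", "192.168.20.3", "255.255.255.0", "192.168.20.1", 200, range(300, 400), route_a, "192.168.30.3")
    b = Site("Site B", "192.168.30.3", "255.255.255.0", "192.168.30.1", 202, range(400, 500), route_b, "192.168.20.3")
    return a, b


if __name__ == "__main__":
    for label, sites in (("specific routes", example_sites()), ("default routes", example_sites(True))):
        print(label, check_pair(*sites) or "OK")
```

Run stand-alone it prints "OK" for the layout as posted and one finding per site when the routes are replaced by 0.0.0.0/0. The longest-prefix lookup is the point: a specific /24 route wins over a default route, so the IPO only ever sends SCN traffic towards the VPN firewall for the remote LAN, and nothing on the open Internet gets a return path from the phone system.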
 
Thank you again Gunnaro and to all who have helped with their advice. I am very grateful.

 
We are grateful if you implement these solutions and we don't have to see your systems on the Internet :)

Gunnaro: well done have some pink

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
Westi is indeed right, we do like seeing systems disappear from the Internet. I can't think of any good reason for letting them be exposed.

One should also consider the possibility of an inside attack.
Remember that many firewalls by default allow all ports to be utilized if the traffic initiates from the inside.
The built-in firewall could be made useful if LAN2 connects to the data network.
Block Manager, Monitor, SSA, and so on, except for those IP's that must have that kind of access.

Thanks for the pink, West:)


Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

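The inside-attack point above (default-allow from the LAN, so block Manager, Monitor and SSA except from the hosts that need them) can be modelled as an ordered first-match rule set like the one the IPO's built-in firewall applies. The following is an added example, not Avaya's code and not something posted in this thread: the management port numbers are constructed placeholders (the thread names the tools, not their ports), the RTP range 49152-53247 is the one opened later in the thread, 1720 is the standard H.323 call-signalling port, and the admin host address is made up.

```python
"""Ordered first-match firewall rules for an IP Office LAN2 facing the data network.

Added example, not Avaya's code. MGMT_PORTS are placeholders chosen outside the
RTP range; only the RTP range and the H.323 signalling port are real values.
"""
import ipaddress
from dataclasses import dataclass

MGMT_PORTS = {"manager": 40001, "monitor": 40002, "ssa": 40003}  # constructed placeholders
RTP_RANGE = (49152, 53247)      # media range the original poster opened
H323_SIGNALLING = (1720, 1720)  # standard H.323 call-signalling port


@dataclass(frozen=True)
class Rule:
    src: str        # source network in CIDR notation
    ports: tuple    # inclusive destination port range
    action: str     # "allow" or "deny"
    note: str       # why the rule exists


def build_rules(admin_hosts, local_lan, remote_lan):
    """Management only from named admin hosts, SCN signalling and media only
    between the two sites, everything else denied."""
    rules = []
    for host in admin_hosts:
        for name, port in MGMT_PORTS.items():
            rules.append(Rule(f"{host}/32", (port, port), "allow", f"{name} from admin host"))
    for name, port in MGMT_PORTS.items():
        rules.append(Rule("0.0.0.0/0", (port, port), "deny", f"{name} from anyone else"))
    rules.append(Rule(remote_lan, H323_SIGNALLING, "allow", "SCN signalling from the other IPO"))
    rules.append(Rule(remote_lan, RTP_RANGE, "allow", "RTP from the other site"))
    rules.append(Rule(local_lan, RTP_RANGE, "allow", "RTP from local phones"))
    # Explicit default deny: the opposite of the "allow if it started inside"
    # behaviour Gunnar describes for many firewalls
    rules.append(Rule("0.0.0.0/0", (0, 65535), "deny", "default deny"))
    return rules


def evaluate(rules, src_ip, dst_port):
    """First matching rule wins; returns (action, note)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        lo, hi = r.ports
        if src in ipaddress.ip_network(r.src) and lo <= dst_port <= hi:
            return r.action, r.note
    return "deny", "no rule matched"


def example_rules():
    """Site A from the thread with one (made-up) admin workstation."""
    return build_rules(["192.168.20.50"], "192.168.20.0/24", "192.168.30.0/24")


if __name__ == "__main__":
    rules = example_rules()
    for src, port in (("192.168.20.50", 40001), ("192.168.20.77", 40001),
                      ("192.168.30.3", 1720), ("192.168.30.3", 50000), ("10.0.0.5", 50000)):
        print(src, port, evaluate(rules, src, port))
```

Rule order carries the policy: the per-host allows sit above the blanket denies for the same ports, so a PC on the LAN that is not the admin workstation is refused Manager access even though it is "inside", while the remote IPO still reaches the signalling and media ports it needs for SCN.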
 
Hey Guys,

I built the VPN and the tunnel is active. I can ping either gateway from both sides, and I can ping either IPO from either side. I can also log into both IPO units from either side.

I created an H323 Trunk in both units and am having some issues.

If I go into system Status, I can see my trunk as idle (on both sides)
If I go into Monitor/Status/Small community Networking, I can see the trunk. It has a blue circle and the status says quiet.
If I click on the Network Data tab, I see
Status: Green
Remote Table=28: Green
Generated BLF=34: Green

Problem is, no one is able to hear each other when they dial an extension on the remote side. I can see the call being connected in System status, but the phone on the other end does not ring.

Here is my set up:

Site A (300 series Extensions)
Voip Line 200
Outgoing Group ID 201

VoIP settings:
Gateway IP: IP address of remote IPO
Supplementary Services: IP Office SCN
Allow Direct Media Path: Unchecked

System Short codes
Code: 4xx
Feature: Dial
Telephone Number: .
Line Group ID: 201


Site B (400 series Extensions)
Voip Line 202
Outgoing Group ID 203

VoIP settings:
Gateway IP: IP address of remote IPO
Supplementary Services: IP Office SCN
Allow Direct Media Path: Unchecked

System Short codes
Code: 3xx
Feature: Dial
Telephone Number: .
Line Group ID: 203

I created an internal Firewall rule to allow ports 49152-53247 to pass freely.

Any thoughts as to what I am missing?


 
My best guess would be missing/faulty IP routes, H323 inspection, or still blocking firewall.
And there's no need to make short codes for reaching the other side in SCN, the systems exchange that kind of information.




Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
The IP routes I have configured are as follows:

IP Address: 0.0.0.0
IP Mask: 0.0.0.0
Gateway IP address: Gateway IP of local Firewall
Destination: LAN 1

Internal traffic on Firewall is wide open.
 
I don't like 0.0.0.0 routes, but as long as your communication with the other side is on LAN1, it should work.

What kind of firewalls do you have?


Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 