
IPO Security 1


xlntech

IS-IT--Management
May 20, 2013
US
IP 500v2 running 11.0.4.3.
I would like to set up an IPO so that J179s at users' homes will connect to it over the Internet. In the past I've used the VPN feature set on the older handsets, but since the J179s running SIP don't do that I think my only option is to use TLS and connect directly. I've configured the phones to pull their configs prior to shipping them, so I was only going to open the SIP ports (5061 and the UDP range) inbound to the IPO for the phones to connect. Are there other ports they should need for normal voice comms?
I have configured the extensions with unique passwords and set the pw policy to 8 chars, medium complexity, lockout on 3rd attempt. What else can I do to secure the system? Does anyone have any suggestions on better ways to do this? I am just trying to sanity check myself before deploying something accessible over the Internet.
 
You will need to open HTTP & HTTPS so the phone can pull the settings files.

Also, if possible, lock the port forwarding down to just the IP addresses of the remote workers, which will mean getting static IP addresses for them. If that can't be done I would look at IX Workplace over VPN or a Session Border Controller. I'm not a fan of opening SIP ports to the world for obvious reasons!

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchett
 
I was only going to allow HTTP/S open for the static IP the phones will be provisioned from. I don't see any reason the phones will need to pull those files all the time, and I would be able to open those ports if I needed to roll out changes/upgrades. Do you see any problem with that?
 
When the phone reboots, the first thing it asks the phone system for is the settings and upgrade text files.
 
I'm pretty sure that if the phone can't get the text files it will default to the previous settings. If that IS the case then it should be fine to block http(s). Easy enough to test in-house; just remove the file server address(es) after getting connected the first time.

Assuming all other security issues of port forwarding SIP traffic are dealt with.

- Qz
 
You can leave open ports 443/411 and 5061. You will need ports 443/411 for presence if using the IX Workplace Application. If using J100 series phones you can open 80/8411 and 443/411 to pull the settings and firmware, when this is done you can block these ports.

If you are worried about having these ports opened, put a firewall in front of them and put a Geo IP filter on them and/or just lock them down to known public IPs.
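Putting the thread's advice together (SIP over TLS plus the RTP range to the IPO, the HTTP/HTTPS file-server ports only from the address the phones are staged from, everything else dropped), here is the policy written down as data and rendered as an nftables ruleset. This is an added example and not code from any poster in the thread. The port numbers 5061, 80/8411 and 443/411 are the ones named above; the IPO address, the WAN interface name, the staging address and the RTP range are constructed placeholders and should be replaced with the real values (the RTP range in particular must match what the IPO has configured under its LAN VoIP settings).

```python
"""
Port-forward policy for a J179/IPO deployment, modelled as data and rendered
as an nftables ruleset.  Added example, not from any poster in the thread.
Ports 5061 (SIP/TLS), 80/8411 (HTTP) and 443/411 (HTTPS) are the ones the
thread names; every address, the WAN interface name and the RTP range are
constructed placeholders (assumptions) to be replaced with real values.
"""
import ipaddress
from dataclasses import dataclass

IPO_ADDR = "192.0.2.10"                  # assumed IPO LAN address (RFC 5737 documentation range)
WAN_IF = "wan0"                          # assumed name of the Internet-facing interface
RTP_RANGE = (46750, 50750)               # assumed; use the RTP range configured on the IPO
PROVISIONING_SRC = ("203.0.113.5/32",)   # assumed static IP the phones are staged from
REMOTE_WORKERS = ()                      # worker static IPs, if you have them; () = any source


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" or "udp"
    ports: tuple      # (low, high), inclusive
    sources: tuple    # allowed source CIDRs; () means any source
    comment: str


POLICY = (
    Rule("tcp", (5061, 5061), REMOTE_WORKERS, "SIP over TLS from the J179s"),
    Rule("udp", RTP_RANGE, REMOTE_WORKERS, "RTP media for those calls"),
    Rule("tcp", (443, 443), PROVISIONING_SRC, "HTTPS settings/firmware pull, staging site only"),
    Rule("tcp", (411, 411), PROVISIONING_SRC, "HTTPS settings/firmware pull, staging site only"),
    Rule("tcp", (80, 80), PROVISIONING_SRC, "HTTP settings/firmware pull, staging site only"),
    Rule("tcp", (8411, 8411), PROVISIONING_SRC, "HTTP settings/firmware pull, staging site only"),
)


def is_allowed(src_ip, proto, port, policy=POLICY):
    """True if the policy forwards a new flow from src_ip to the IPO on proto/port.
    Anything no rule matches is dropped (default deny): only the ports the
    phones need, and only from the sources that need them."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.proto != proto or not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        if not rule.sources:
            return True
        if any(src in ipaddress.ip_network(net) for net in rule.sources):
            return True
    return False


def _match(rule):
    """nftables match expression for one rule (source set, protocol, port or range)."""
    lo, hi = rule.ports
    port = f"{lo}" if lo == hi else f"{lo}-{hi}"
    src = f'ip saddr {{ {", ".join(rule.sources)} }} ' if rule.sources else ""
    return f"{src}{rule.proto} dport {port}"


def render_nft(policy=POLICY, ipo=IPO_ADDR, wan=WAN_IF):
    """Render the policy as an nftables script: DNAT the allowed flows to the
    IPO in prerouting, and in the forward chain accept only those flows
    (plus replies to established ones) under a drop policy."""
    out = ["table ip ipo_fwd {",
           "  chain prerouting {",
           "    type nat hook prerouting priority dstnat;"]
    for r in policy:
        out.append(f'    iifname "{wan}" {_match(r)} dnat to {ipo} comment "{r.comment}"')
    out += ["  }",
            "  chain forward {",
            "    type filter hook forward priority filter; policy drop;",
            "    ct state established,related accept"]
    for r in policy:
        out.append(f'    iifname "{wan}" ip daddr {ipo} {_match(r)} ct state new accept')
    out += ["  }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_nft())
```

Load the output with `nft -f` on the firewall in front of the IPO. With `REMOTE_WORKERS` left empty, 5061 and the RTP range are open to any source, which is the situation the thread is uneasy about; filling it with the workers' static IPs gives the tighter version suggested above, and the HTTP/HTTPS file-server ports stay reachable only from the staging address either way. Once the phones have their settings, dropping those four rules from `POLICY` closes the file-server ports entirely, as the last reply recommends.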
 