MBG SIP teleworker and SIP Trunks all in one

GZgidnick

Technical User
Jan 8, 2015
156
AU
I was going through the documentation trying to find any info on running TW and Trunks on the same MBG.
The MBG will be deployed in the DMZ, clustered with the MBG blade on MiCollab.
Should I be concerned about running Trunk Proxy and Teleworker on the same device?

Also, concerning AWV, do I still need 2 public IPs, or is it possible to get away with a single IP?

So far I have been running both MBG and MiCollab on the network edge:
MiCollab with 2 public interfaces providing Teleworker and AWV, and the MBG with a single public interface providing SIP Trunking.
The deployment works fine but, as you may see, there are too many public interfaces and hence too many security issues.

Any input appreciated.
 
Due to security issues, Mitel design strongly advises that you use an MBG on the network edge.

The MBG would be peered with the MAS/MiCollab

Your design will be functional but seriously flawed for security.

**********************************************
What's most important is that you realise ... There is no spoon.
 
I would suggest a 2nd MBG clustered to the MiCollab. I would not put the MiCollab on the network edge. You can then use the proxy service for applications. The SIP trunks and teleworkers on the same MBG is fine. You still need 2 public IPs and DNS for AWV.

Good Luck
 
Thanks boys, you're a priceless resource.
@kwbMitel - They do advise using MBG on the edge to avoid potential NAT traversal and other firewall issues. From a security perspective, the DMZ is as secure, if not more.
@Miteltek - Thanks for your answer. My previous deployments are not very secure, I admit that. Clustering and Remote Proxy Services should provide MiCollab access when deployed in the LAN.
The only thing is AWV. I understand that the server is listening on port 443 for the connection point and redirecting to port 4443. Mitel could have easily done this on a different port to avoid using 2 IPs. Let's hope for that in future releases.
 
MiCollab I+M Manual said:
The majority of MiCollab applications are designed to run on the LAN (for example, NuPoint Messenger). For this reason, MiCollab is not supported in the DMZ. To support applications that have clients on the web, such as AWV, you require a web proxy running on a second MBG server in the DMZ to protect the MiCollab server in the LAN from Internet exposure.

MBG Teleworker with Web Proxy
To support Teleworkers use one of the following configurations:
  • MiCollab in LAN Mode (server-only) with Web Proxy on a second MBG server in the DMZ,
  • MiCollab in LAN Mode with Web Proxy on a second MBG server on the network edge, or
  • MiCollab in Network Edge Mode with MiVoice Border Gateway (MBG) on the same server (not the recommended deployment for security reasons).



**********************************************
What's most important is that you realise ... There is no spoon.
 
Oh, thanks.
What I was referring to above was the MBG in the DMZ rather than MiCollab.
I may not have made myself clear enough. Apologies.
 