MyCallPilot in the DMZ - Can it work?

Andras888

IS-IT--Management
Feb 12, 2007
45
US
We wanted to allow MyCallPilot server to be used from the Internet, so users could get to it from their homes. The Network Security Officer was only willing to put MyCallPilot on the Internet if it was in the DMZ. Because MyCallPilot and Symposium server both need to communicate with CallPilot server, all 3 servers needed to be placed in the DMZ.

Now the Symposium Real-Time Display will not work from any PC that is on the network (CLAN). It worked fine before the server was placed in the DMZ. We tried both unicast and multicast.

I am looking for a way to either make MyCallPilot work from the DMZ without the other 2 servers being in the DMZ, or for Symposium to work from the DMZ if all 3 servers are in the DMZ. Is it possible to make this work? Please help.

 
Sure, but you're going to have to punch some holes in the firewall to allow communication.

I don't have my CP doc with me to tell you specific ports, but I know that 1 of the posts in this forum has the ports listed. Search the forum for ports.
 
Here is the information from the NTP.

Desktop Client to CallPilot Server
IMAP = 143, SSL = 993
SMTP = 25, SSL = 465
LDAP = 389, SSL = 636
Others
My CallPilot Web Client to CallPilot Server: HTTP, FTP and IMAP Ports
My CallPilot Web Client to Stand-Alone web server: HTTP, FTP, and IMAP Ports
CallPilot Manager to CallPilot server: LDAP, FTP and RPC Ports
CallPilot Manager to stand-alone web server: HTTP Port
Reporter to stand-alone web server: HTTP Port
CallPilot to Groupware server (for Email by Phone or Desktop): IMAP Port
AppBuilder client to CallPilot server: LDAP, FTP, RPC Ports and AOS

HTTP: Unencrypted = 80, SSL = 443
IMAP: Unencrypted = 143, SSL = 993
SMTP: Unencrypted = 25, SSL = 465
LDAP: Unencrypted = 389, SSL = 636
FTP: 20, 21
RPC: 135
SNMP: 60, 61
AOS DCOM uses port 135, but may dynamically use any port between 1024 and 65535

Firewall information:

If the Firewall is between My CallPilot and the user’s browser, the following ports must be open: HTTP, FTP, IMAP (for audio player telset)

If the Firewall is between the CallPilot Server and the My CallPilot server, then the following ports must be open: FTP, IMAP, SMTP and LDAP.

CallPilot Reporter Requirements:

If a firewall is implemented, you must ensure that all required services are up and operational on both CallPilot and Reporter server and the ports are “open” in the firewall for two-way communications between servers. Ports include the following:

HTTP: Unencrypted = 80, SSL = 443
LDAP: Unencrypted = 389, SSL = 636
FTP: 20, 21
RPC: 135
ODBC: 1499
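
The firewall requirements listed above, worked into a default-deny rule set, as an added example that is not part of the original posts or of Nortel's documentation. The zone names, the rule model and the assumption that the SSL port can replace the unencrypted one wherever the list gives both are illustrative only; the port numbers are copied from the post.

```python
# Added example: port numbers come from the post above; zone names and the
# rule model are assumptions, not CallPilot or firewall-vendor configuration.

# Protocol -> (unencrypted TCP ports, SSL TCP ports) as listed in the post.
PORTS = {
    "HTTP": ((80,), (443,)),
    "IMAP": ((143,), (993,)),
    "SMTP": ((25,), (465,)),
    "LDAP": ((389,), (636,)),
    "FTP": ((20, 21), ()),  # the post lists no SSL port for FTP
}

# Firewall boundary -> protocols the post says must be open across it.
FLOWS = {
    ("internet", "dmz"): ["HTTP", "FTP", "IMAP"],          # browser -> My CallPilot
    ("dmz", "internal"): ["FTP", "IMAP", "SMTP", "LDAP"],  # My CallPilot -> CallPilot
}

def build_rules(flows, prefer_ssl=True):
    """Return (rules, cleartext): allowed ports per boundary, plus the
    (boundary, protocol) pairs that still cross the firewall unencrypted."""
    rules, cleartext = {}, []
    for boundary, protos in flows.items():
        allowed = set()
        for proto in protos:
            plain, ssl = PORTS[proto]
            if prefer_ssl and ssl:
                allowed.update(ssl)
            else:
                allowed.update(plain)
                cleartext.append((boundary, proto))
        rules[boundary] = sorted(allowed)
    return rules, cleartext

def permits(rules, src, dst, port):
    """Default deny: only listed ports on listed boundaries pass."""
    return port in rules.get((src, dst), ())

if __name__ == "__main__":
    rules, cleartext = build_rules(FLOWS)
    for (src, dst), ports in rules.items():
        print(f"{src} -> {dst}: allow tcp {ports}")
    for (src, dst), proto in cleartext:
        print(f"review: {proto} crosses {src} -> {dst} unencrypted")
    # No rule exists from the Internet straight to the internal network.
    print("internet -> internal 993 allowed:",
          permits(rules, "internet", "internal", 993))
```
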
 
djwht, Thank you for your prompt reply. I showed a printout of the ports you listed to our Network Security Officer, and he suggested we don't do this. We took all 3 servers out of the DMZ today. Now everything works again, but without Internet access to MyCallPilot. It is a question of risk vs. benefit.

Thanks again,

Andras
 
Why not implement VPN? Your users can access fine then.
 
Hi MagnaRGP, We are looking into BIG-IP, as it handles the rest of the organization's web needs. I will explore the VPN idea as well. Thanks for your suggestion. Andras
 