Forum Discussion

Michel Hol
Copper Contributor
Sep 24, 2017

CCE - Internal firewall

Good day all,

 

We have a CCE configured in our test environment. My role is to provide secure network connectivity to the internal network.


Following the link below, I configured the internal firewall.

https://technet.microsoft.com/en-us/library/mt605227.aspx

Below is the table from that page for the Mediation server and the internal clients:

Source IP                            | Destination IP                       | Source Port       | Destination Port
-------------------------------------|--------------------------------------|-------------------|-----------------------------
Cloud Connector Mediation component  | Internal clients                     | TCP 49152-57500*  | TCP 50000-50019 (Optional)
Cloud Connector Mediation component  | Internal clients                     | UDP 49152-57500*  | UDP 50000-50019
Internal clients                     | Cloud Connector Mediation component  | TCP 50000-50019   | TCP 49152-57500*
Internal clients                     | Cloud Connector Mediation component  | UDP 50000-50019   | UDP 49152-57500*


In our test environment I configured the rules as in the table and it works (tested with a test call). I also configured it without the rules from Mediation to client, and it also works. I verified the streams with packet captures: internal client to Mediation server. Is the rule from Mediation to client needed? Because if the client initiated the traffic, return traffic is allowed.

 

We want to use the CCE solution for more customers, but with these firewall rules it's not secure, because the rule from Mediation to internal clients is a security leak from the internet via the CCE appliance to the internal network.

 

Looking forward to an answer.

 

Thanks in advance!
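To make the question in the post above concrete, here is an added example (not code from the thread, from Microsoft, or from the CCE product) that models a default-deny stateful filter between the Mediation network and the client network, loads the four rows of the table, and replays three constructed flows: a client-initiated TCP session, a client-initiated UDP stream, and a UDP stream whose first packet comes from the Mediation side. The subnets 192.168.0.0/24 and 10.10.10.0/24, the host addresses, and the port numbers used in the flows are assumptions chosen for illustration; the connection-tracking behaviour is an idealised model of what a stateful firewall does with established traffic, not a description of any particular vendor's implementation.

```python
"""Stateful-filter model for the CCE Mediation <-> client rules.

Added example, not part of the original thread. Subnets, hosts and flows are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Assumed subnets (the reply in the thread mentions 192.168.0.0 and 10.10.10.0).
MEDIATION_NET = "192.168.0.0/24"
CLIENT_NET = "10.10.10.0/24"
MEDIATION_PORTS = (49152, 57500)   # "49152-57500*" column of the table
CLIENT_PORTS = (50000, 50019)      # "50000-50019" column of the table


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    sport: Tuple[int, int]
    dport: Tuple[int, int]

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.proto == self.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.sport[0] <= pkt.sport <= self.sport[1]
            and self.dport[0] <= pkt.dport <= self.dport[1]
        )


# Rows 3 and 4 of the table: client -> Mediation.
CLIENT_TO_MEDIATION = [
    Rule(CLIENT_NET, MEDIATION_NET, "tcp", CLIENT_PORTS, MEDIATION_PORTS),
    Rule(CLIENT_NET, MEDIATION_NET, "udp", CLIENT_PORTS, MEDIATION_PORTS),
]
# Rows 1 and 2 of the table: Mediation -> client, the ones marked optional.
MEDIATION_TO_CLIENT = [
    Rule(MEDIATION_NET, CLIENT_NET, "tcp", MEDIATION_PORTS, CLIENT_PORTS),
    Rule(MEDIATION_NET, CLIENT_NET, "udp", MEDIATION_PORTS, CLIENT_PORTS),
]


class StatefulFirewall:
    """Default deny. A packet passes if it belongs to a flow already admitted
    (either direction) or if some rule allows it, which then records the flow."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.flows: Set[Tuple] = set()

    def accept(self, pkt: Packet) -> bool:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return True                      # established traffic
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(forward)          # new flow admitted by policy
            return True
        return False


def run_flows(include_optional: bool) -> Dict[str, bool]:
    """Replay three constructed flows and report which ones get through."""
    rules = CLIENT_TO_MEDIATION + (MEDIATION_TO_CLIENT if include_optional else [])
    fw = StatefulFirewall(rules)
    client, mediation = "10.10.10.25", "192.168.0.10"   # constructed hosts

    # 1. Client opens TCP to Mediation; Mediation answers on the same 5-tuple.
    tcp_open = fw.accept(Packet(client, mediation, "tcp", 50005, 49200))
    tcp_reply = fw.accept(Packet(mediation, client, "tcp", 49200, 50005))

    # 2. Client sends the first UDP datagram; Mediation sends media back.
    udp_open = fw.accept(Packet(client, mediation, "udp", 50010, 49300))
    udp_reply = fw.accept(Packet(mediation, client, "udp", 49300, 50010))

    # 3. Mediation sends the first packet of a brand-new UDP stream to the client.
    med_first = fw.accept(Packet(mediation, client, "udp", 49400, 50003))

    return {
        "client_initiated_tcp_reply": tcp_open and tcp_reply,
        "client_initiated_udp_reply": udp_open and udp_reply,
        "mediation_initiated_udp": med_first,
    }


if __name__ == "__main__":
    for optional in (False, True):
        print(f"optional Mediation->client rules: {optional}", run_flows(optional))
```

Only the third flow depends on the optional rows: return packets of client-initiated TCP and UDP pass on connection state alone, while a stream whose first packet leaves the Mediation side is dropped until a Mediation-to-client rule exists. Whether the Mediation component ever sends such a first packet in a real call is the question the packet captures mentioned in the post have to settle; the model only shows which rule that packet would need.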

5 Replies

  • thet naing
    Iron Contributor
    A short answer is:

    The traffic from the Internet relayed through Edge server never comes to the internal client network "Directly".


    Detailed ref:
    https://enablingtechcorp.com/Blog/TabId/777/ArtMID/2450/ArticleID/493/REALLY-IMPORTANT-Skype-for-Business-Edge-Server-Configuration-Note.aspx

    Yes, you need firewall rules to allow certain ports and protocols between the mediation server and the client subnet(s), assuming that the client subnet(s) are on different network(s).

    • Michel Hol
      Copper Contributor

      Thanks for your answer.


      What does not work if you don't configure the rule?

       

      Regarding your answer:

      The traffic from the Internet relayed through Edge server never comes to the internal client network "Directly".

       

      I understand this. But if you don't need the rules from Mediation to client, why should we configure them? In the security world the rule is least privilege to do the job. If I don't configure the rule and everything still works, I don't see the benefit of configuring it.

       

      • thet naing
        Iron Contributor

        Yes, you don't need to configure it.

         

        However, some organizations where we deployed the CCE had a firewall (traffic filtering/blocking) between the CCE Mediation server network (for example, 192.168.0.0) and the internal client network (10.10.10.0). Therefore, we asked them to allow certain ports and protocols between the CCE Mediation server network and the client network.