CCE - Internal firewall

Copper Contributor

Good day all,

 

We have a CCE configured in our test environment. My role is to provide a secure network connectivity to the internal network.


Following the link below I configured the internal firewall.

https://technet.microsoft.com/en-us/library/mt605227.aspx

Below you find the table that is mentioned on the page regarding to the mediant server and internal clients

Source IP

Destination IP

Source Port

Destination Port

Cloud Connector Mediation component

Internal clients

TCP 49 152 – 57 500*

TCP 50,000-50,019

(Optional)

Cloud Connector Mediation component

Internal clients

UDP 49 152 – 57 500*

UDP 50,000-50,019

Internal clients

Cloud Connector Mediation component

TCP 50,000-50,019

TCP 49 152 – 57 500*

Internal clients

Cloud Connector Mediation component

UDP 50,000-50,019

UDP 49 152 -57 500*


In our test environment I configured the rules as in the table and it works. (tested with a test call) I also configured it without the rules from mediation to client and it also works. I verified the streams with packet captures, internal client to mediation server. Is the rule from mediation to client needed? Because if the client intitiated the traffic, return traffic is allowed.

 

We want to use the CCE solution for more customers but with this firewall rules it’s not secure. Because due the rule from mediation to internal clients it’s a security leak from internet via the CCE appliance to the internal network.

 

Looking forward to an anwser.

 

Thanks in advance!

5 Replies
A short answer is:

The traffic from the Internet relayed through Edge server never comes to the internal client network "Directly".


Detailed ref:
https://enablingtechcorp.com/Blog/TabId/777/ArtMID/2450/ArticleID/493/REALLY-IMPORTANT-Skype-for-Bus...

Yes, you need firewall rules to allow certain ports and protocols between mediation server the client subnet(s) assuming that the client subnet(s) are on different network(s).

Thanks for you answer.


What does not work if you don't configure the rule?

 

Regarding to you answer:

The traffic from the Internet relayed through Edge server never comes to the internal client network "Directly".

 

I understand this. But if you don't need the rules from mediant to client why should we configure it? In security world the rule is, the least privilige to do the job. If I don't configure the rule and everything still works i don't see the benefit of configuring it.

 

Yes, you don't need to configure it.

 

However, some organizations we deployed the CCE had a firewall (traffic filtering/blocking) between CCE Mediation server network, for example, 192.168.0.0 and the internal client network, 10.10.10.0. Therefore, we asked them to allow certain ports and protocols between CCE mediation server network and the client network.

My firewall will also block the traffic from mediant to clients. But, if the client initiates the traffic to mediant server, return traffic from mediant to client is allowed.

So summary, the rules from mediant to client are not needed as long as return traffic from client to mediant is allowed? Is this correct?

Yes, exactly right.