Firewall settings to allow remote IP phones and Softphones


#1

I am looking for best practices or a document on how best to configure both the UCM62xx, the firewall, and the remote devices. I assume the most secure way is to use the VPN server built into the UCM.


#2

The UCM does not have a VPN server, only a client.

However, for remote devices, a VPN is the more secure way whenever possible. Presumably the router you are using can accommodate the desired tunnel.


#3

A few things off the top:

  • Make sure to turn on and configure Fail2Ban

  • Use a dedicated firewall; while the UCM does have functionality in this area, it is generally agreed here that using a dedicated device for the firewall function is preferred. It also lets the UCM do what it’s best at doing: providing telephony vs security functions.

  • Don’t open your firewall up to allow anyone to connect via VoIP

  • Restrict extensions to the local network unless they are remote; and if they are remote, use a VPN to provide the connection as @lpneblett suggested above.


#4

If VPN is not an option, at minimum do not use port 5060. Use a custom port.

Use complex passwords. Every external extension on all my systems uses a minimum 16 character password. Every other extension is configured to only allow registration from the local LAN.

External extensions cannot dial international.
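As an added example (not from any poster in this thread), an nftables ruleset for the dedicated firewall in front of the UCM that applies the advice in #3 and #4: SIP and RTP reach the UCM only from the LAN and the VPN tunnel, the WAN exposes nothing but the VPN endpoint, and the SIP port is a custom one. Interface names, subnets, the UCM address, port 5090, the OpenVPN port and the RTP range are assumed values, not from the thread.

```nft
# Assumed layout: eth0 = WAN, eth1 = LAN (192.168.1.0/24), tun0 = VPN tunnel
# (10.8.0.0/24), UCM at 192.168.1.10, custom SIP port 5090, RTP 10000-20000.
define WAN = eth0
define LAN = eth1
define VPN = tun0
define UCM = 192.168.1.10
define SIP_PORT = 5090           # custom SIP port instead of 5060 (assumed)
define RTP_PORTS = 10000-20000   # RTP range configured on the UCM (assumed)

table inet voip {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Weak setting (kept here only for contrast, never enable it):
        # SIP reachable from anywhere on the internet on the default port.
        # iifname $WAN ip daddr $UCM udp dport 5060 accept

        # Outbound traffic from the LAN (e.g. the UCM's SIP trunk) may leave;
        # replies come back through conntrack above.
        iifname $LAN oifname $WAN accept

        # LAN phones reach the UCM (relevant if the UCM sits on its own segment).
        iifname $LAN ip daddr $UCM udp dport $SIP_PORT accept
        iifname $LAN ip daddr $UCM udp dport $RTP_PORTS accept

        # Remote phones reach the UCM only through the VPN tunnel.
        iifname $VPN ip saddr 10.8.0.0/24 ip daddr $UCM udp dport $SIP_PORT accept
        iifname $VPN ip saddr 10.8.0.0/24 ip daddr $UCM udp dport $RTP_PORTS accept

        # Anything else from the WAN toward the UCM is dropped and counted,
        # so no SIP port, custom or default, is exposed to the internet.
        iifname $WAN ip daddr $UCM counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname lo accept
        # The VPN endpoint on the firewall is the only WAN-facing service.
        iifname $WAN udp dport 1194 counter accept   # OpenVPN port (assumed)
        iifname { $LAN, $VPN } accept
    }
}
```

Load with `nft -f <file>` on the firewall, then watch the drop counter on the WAN rule to see how much unsolicited SIP traffic the closed port would otherwise have received.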


#5

No VPN in the UCM, VERY short-sighted if you ask me (Cisco had VPN server in theirs), however there we have it.

I am testing OpenVPN with Grandstream at the moment, and so far they (the endpoints) do not work with a standard OpenVPN server… so tickets are open and people have many handsets and OpenVPN servers set up trying to get the endpoints to work.