I am looking for best practices or a document on how best to configure both the UCM62xx, the firewall, and the remote devices. I assume the most secure way is to use the VPN server built-into the UCM.
The UCM does not have a VPN server, only a client.
However, for remote devices, a VPN is the more secure way whenever possible. Presumably the router you are using can accommodate the desired tunnel.
A few things off the top:
Make sure to turn on and configure Fail2Ban
Use a dedicated firewall; while the UCM does have functionality in this area, it is generally agreed here that using a dedicated device for the firewall function is preferred. It also lets the UCM do what it's best at doing: providing telephony vs. security functions.
Don’t open your firewall up to allow anyone to connect via VoIP
Restrict extensions to the local network unless they are remote; and if they are remote, use a VPN to provide the connection as @lpneblett suggested above.
If VPN is not an option, at minimum do not use port 5060. Use a custom port.
Use complex passwords. Every external extension on all my systems uses a minimum 16-character password. Every other extension is configured to only allow registration from the local LAN.
External extensions cannot dial international.
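As an added example, not from this thread or from Grandstream: a small Python audit that checks an extension list against the points above (custom SIP port, LAN-only registration for local extensions, complex passwords with a 16-character minimum on external extensions, and no international dialing for external extensions). The config model, field names and sample records are constructed for illustration and are not the UCM's own configuration format; the "3 of 4 character classes" complexity rule is an assumption, since the thread only says "complex".

```python
"""Audit a constructed SIP extension configuration against the hardening
advice in the thread. Added example; the data model below is hypothetical
and does not mirror the UCM62xx export format."""

from dataclasses import dataclass
import ipaddress

DEFAULT_SIP_PORT = 5060          # the well-known port the thread says not to use
MIN_REMOTE_PASSWORD_LEN = 16     # minimum length the thread uses for external extensions
MIN_CHARACTER_CLASSES = 3        # assumption: "complex" = 3 of lower/upper/digit/symbol


@dataclass
class Extension:
    number: str
    password: str
    remote: bool                 # True if the phone registers from outside the LAN
    allowed_networks: list       # CIDR strings registration is accepted from; [] = unrestricted
    international_dialing: bool


@dataclass
class SipConfig:
    sip_port: int
    lan_networks: list           # CIDR strings that make up the local LAN
    extensions: list


def password_is_complex(pw):
    """Count character classes present; require MIN_CHARACTER_CLASSES of the four."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= MIN_CHARACTER_CLASSES


def is_lan_only(ext, lan_networks):
    """True only if every network the extension may register from lies inside the LAN.
    An empty allow-list means no restriction at all, so it fails the check."""
    lan = [ipaddress.ip_network(n) for n in lan_networks]
    if not ext.allowed_networks:
        return False
    for cidr in ext.allowed_networks:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(l.version == net.version and net.subnet_of(l) for l in lan):
            return False
    return True


def audit(cfg):
    """Return (subject, rule_code, message) tuples for every violation found."""
    findings = []
    if cfg.sip_port == DEFAULT_SIP_PORT:
        findings.append(("sip", "default-port",
                         "SIP listens on port 5060; move it to a custom port"))
    for ext in cfg.extensions:
        if not password_is_complex(ext.password):
            findings.append((ext.number, "password-complexity",
                             "password uses too few character classes"))
        if ext.remote:
            if len(ext.password) < MIN_REMOTE_PASSWORD_LEN:
                findings.append((ext.number, "password-length",
                                 f"external extension password shorter than {MIN_REMOTE_PASSWORD_LEN}"))
            if ext.international_dialing:
                findings.append((ext.number, "international",
                                 "external extension is allowed to dial international"))
        elif not is_lan_only(ext, cfg.lan_networks):
            findings.append((ext.number, "open-registration",
                             "local extension is not restricted to LAN registration"))
    return findings


# Constructed sample: one clean local extension, one local extension open to the
# world, one external extension with international dialing, one with a weak password.
SAMPLE = SipConfig(
    sip_port=5060,
    lan_networks=["192.168.10.0/24"],
    extensions=[
        Extension("1001", "c0rrect-H0rse-Batt3ry!", False, ["192.168.10.0/24"], False),
        Extension("1002", "Summer2019", False, ["0.0.0.0/0"], False),
        Extension("2001", "x7Q!m2#Lp9$Vz4@Wk1", True, ["10.8.0.0/24"], True),
        Extension("2002", "short", True, ["10.8.0.0/24"], False),
    ],
)

if __name__ == "__main__":
    for subject, code, message in audit(SAMPLE):
        print(f"{subject:>5}  {code:<20} {message}")
```

Running the block prints five findings for the sample: the default port, the open registration on 1002, the international permission on 2001, and both the length and complexity failures on 2002. Extension 1001 passes every check, which is the configuration the thread describes for a local phone.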
No VPN in the UCM, VERY short-sighted if you ask me (Cisco had a VPN server in theirs); however, there we have it.
I am testing OpenVPN with Grandstream at the moment, and so far they (the endpoints) do not work with a standard OpenVPN server… so tickets are open, and people have many handsets and OpenVPN servers set up trying to get the endpoints to work.