Hello Mr. Ken,
I hope your problem has been resolved properly. Actually there are 3 things that I forgot when my client tried this port forward system.
First, I forgot to set “static defense” on the UCM firewall, but I set it on my client’s UCM a few days ago.
Secondly, I forgot to set the “ip address access control strategy” in the extension number on the client as mentioned by Mr. Oliver in his second post.
Third, I forgot to set an “outbound blacklist”. From what I observed, these hackers try to call foreign numbers in countries that we have never been in contact with.
I know that my client’s UCM is an “EOL” product, but my client is very happy with this product because my client is free from the very expensive telephone charges they had before using this product, and this product is still running smoothly.
I have reached a conclusion about the port forward system. This port forward system is very easy to implement but has security vulnerabilities. Therefore the VPN system is very suitable for Grandstream. I hope Grandstream’s technical support team can add this feature to UCM like they have added this VPN feature to GVC3200. If you want to use a secure port forward system, then very strict security must be set up on both the UCM side and the router side.
On the UCM side, what has been mentioned by @tiennk above is absolutely right: update the firmware and set the firewall on the UCM. There are 3 firewall systems, but the main one is static defense. This is what should have been set up first, then F2B and finally dynamic defense. Dynamic defense is adjusted to the network mode interface used (route mode). Then set the “ip address access control strategy” in the extension number, and then set an “outbound blacklist”.
Then for the router side, a secure port forward system must be made that can only be accessed by certain people (by using MAC address). I have seen this system on a MikroTik router. I am not a seller of this MikroTik router and my office does not use it, but my client uses it. Unfortunately, I can’t access my client’s MikroTik router because it’s private and confidential. But I did not give up. I tried to find a demo of the MikroTik software like the one UCM has, and I got it, and with the additional help of information from Google about MikroTik, I have found a way to build the system I mentioned above. But unfortunately I have not yet met with their IT staff who handle the MikroTik to discuss whether my system can be successful or not on the MikroTik, because they are so busy. I hope you have this system on your router.