Howto13r1:Firewall Settings: Difference between revisions
No edit summary
Line 14: | Line 14: | ||
*Before you can setup your Firewall you have to read the book [[Course13:IT_Connect_-_10.0_Reverse_Proxy|Reverse Proxy]] in the [[Special:Prefixindex/Course13:|V13 IT Connect Training]]. | *Before you can setup your Firewall you have to read the book [[Course13:IT_Connect_-_10.0_Reverse_Proxy|Reverse Proxy]] in the [[Special:Prefixindex/Course13:|V13 IT Connect Training]]. | ||
* If you already have used some of the port forwards from the | * If you already have used some of the port forwards from the column ''WAN ⇒ DMZ'' for other Systems you have to combine all forwards in the reverse Proxy or use a separate ip address | ||
{| class="wikitable" border="1" cellspacing="0" cellpadding="10" | {| class="wikitable" border="1" cellspacing="0" cellpadding="10" | ||
! style="background-color: #EAECF0;text-align:center"|WAN ⇒ DMZ ( | ! style="background-color: #EAECF0;text-align:center"|WAN ⇒ DMZ !! style="background-color: #EAECF0;text-align:center"|DMZ ⇒ inside (Endpoints) !! style="background-color: #EAECF0;text-align:center"|DMZ ⇒ inside (PBX) !! style="background-color: #EAECF0;text-align:center"|DMZ ⇒ inside (AP) !! style="background-color: #EAECF0;text-align:center"|inside ⇒ DMZ !! style="background-color: #EAECF0;text-align:center"|DMZ ⇒ WAN | ||
|- | |- | ||
| STUN/TURN (udp/tcp/3478) || / || / || STUN/TURN (udp/tcp/3478) || / | | STUN/TURN (udp/tcp/3478) || / || / || / || STUN/TURN (udp/tcp/3478)<br /> | ||
''• <span style="font-size:11px;">needed to talk to the TURN Server if you have blocked RTP traffic</span>'' | |||
|| / | |||
|- | |- | ||
| LDAPS (tcp/636)<br> | | LDAPS (tcp/636)<br> | ||
''• <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br> | ''• <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br> | ||
''• <span style="font-size:11px;">needed if you want to offer LDAP lookups</span>'' | ''• <span style="font-size:11px;">needed if you want to offer LDAP lookups</span>'' | ||
|| / | |||
|| LDAPS (tcp/636)<br> | || LDAPS (tcp/636)<br> | ||
''• <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br> | ''• <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br> | ||
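Review bot: the reworded second bullet ("... combine all forwards in the reverse Proxy or use a separate ip address") has no terminating period and inconsistent capitalisation; suggest "... combine all forwards in the reverse proxy or use a separate IP address." The added header cell "DMZ ⇒ inside (AP)" introduces an abbreviation the page never expands, so spelling it out once in the header or in the bullets above would help readers who only see the table.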
Line 38: | Line 41: | ||
''• <span style="font-size:11px;">needed if you want to offer myApps</span>''<br> | ''• <span style="font-size:11px;">needed if you want to offer myApps</span>''<br> | ||
''• <span style="font-size:11px;">please also allow wss/ws (websocket) connections</span>'' | ''• <span style="font-size:11px;">please also allow wss/ws (websocket) connections</span>'' | ||
|| / | |||
|| HTTPS (tcp/443)<br> | || HTTPS (tcp/443)<br> | ||
''• <span style="font-size:11px;">optionally HTTP (tcp/80) if you need plaintext</span>''<br> | ''• <span style="font-size:11px;">optionally HTTP (tcp/80) if you need plaintext</span>''<br> | ||
Line 53: | Line 57: | ||
''• <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext</span>''<br> | ''• <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext</span>''<br> | ||
''• <span style="font-size:11px;">needed if you want to offer Phone registrations</span>'' | ''• <span style="font-size:11px;">needed if you want to offer Phone registrations</span>'' | ||
|| / | |||
|| H.323 (tcp/1300)<br> | || H.323 (tcp/1300)<br> | ||
''• <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext or username/password auths with invalid certificates</span>''<br> | ''• <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext or username/password auths with invalid certificates</span>''<br> | ||
Line 63: | Line 68: | ||
''• <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br> | ''• <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br> | ||
''• <span style="font-size:11px;">needed '''only''' if you want to accept SIP registrations, i.e. for 3rd. Party SIP phones but not for SIP-Trunks</span>'' | ''• <span style="font-size:11px;">needed '''only''' if you want to accept SIP registrations, i.e. for 3rd. Party SIP phones but not for SIP-Trunks</span>'' | ||
|| / | |||
|| SIPS (tcp/5061)<br> | || SIPS (tcp/5061)<br> | ||
''• <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br> | ''• <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br> | ||
Line 69: | Line 75: | ||
|| / | || / | ||
|| SIPS (tcp/5061)<br> | || SIPS (tcp/5061)<br> | ||
''• <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext | ''• <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>'' | ||
|- | |- | ||
| / || / || / || RTP (udp/16384-32767)<br> | | / | ||
''• <span style="font-size:11px;">needed if you want to | || RTP (udp/16384-32767, udp/50000-50299)<br> | ||
''• <span style="font-size:11px;">needed if you want to use RTP instead of TURN to inside. (eg. SIP Trunk with Media-Relay, TURN Server in DMZ)</span>'' | |||
|| / || / | |||
|| RTP (udp/16384-32767, udp/50000-50299)<br> | |||
''• <span style="font-size:11px;">needed if you want to use RTP instead of TURN to DMZ. (eg. SIP Trunk with Media-Relay, TURN Server in DMZ)</span>'' | |||
|| RTP (udp/xxx)<br> | || RTP (udp/xxx)<br> | ||
''• <span style="font-size:11px;">negotiated in context of the outgoing sip/udp | ''• <span style="font-size:11px;">xxx are the negotiated ports in context of the outgoing sip/udp connection. The ports depend on your SIP Provider</span>''<br> | ||
''• <span style="font-size:11px;">needed if | ''• <span style="font-size:11px;">not needed if RTP from inside to WAN is allowed directly and no media-relay is enabled)</span>'' | ||
|} | |} | ||
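Review bot: in the new DMZ ⇒ WAN cell of the RTP row the second note ends with an unmatched closing parenthesis ("... no media-relay is enabled)"); drop the ")" or open it before "not needed". The same row writes "eg." twice where "e.g." is meant ("(eg. SIP Trunk with Media-Relay, TURN Server in DMZ)").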
Revision as of 11:36, 20 October 2020
Applies To
This information applies to
V13 and up
Scenario: Reverse Proxy in a DMZ
This page gives an overview of the ports and protocols a firewall must allow for a reverse proxy placed in a DMZ.
In this scenario the reverse proxy sits in a DMZ that has a link to both the WAN and the LAN (the "inside" zone in the table below).
Configuration
- Before you can set up your firewall you have to read the book Reverse Proxy in the V13 IT Connect Training.
- If you have already used some of the port forwards from the column WAN ⇒ DMZ for other systems, you have to combine all forwards in the reverse proxy or use a separate IP address.
| WAN ⇒ DMZ | DMZ ⇒ inside (Endpoints) | DMZ ⇒ inside (PBX) | DMZ ⇒ inside (AP) | inside ⇒ DMZ | DMZ ⇒ WAN |
|---|---|---|---|---|---|
| STUN/TURN (udp/tcp/3478) | / | / | / | STUN/TURN (udp/tcp/3478) • needed to talk to the TURN server if you have blocked RTP traffic | / |
| LDAPS (tcp/636) • optionally LDAP (tcp/389) if you need plaintext • needed if you want to offer LDAP lookups | / | LDAPS (tcp/636) • optionally LDAP (tcp/389) if you need plaintext | LDAPS (tcp/636) • optionally LDAP (tcp/389) if you need plaintext | / | / |
| HTTPS (tcp/443) • optionally HTTP (tcp/80) if you need plaintext • needed if you want to offer myApps • please also allow wss/ws (websocket) connections | / | HTTPS (tcp/443) • optionally HTTP (tcp/80) if you need plaintext | HTTPS (tcp/443) • optionally HTTP (tcp/80) if you need plaintext | HTTPS (tcp/<your custom port>) • Advanced UI admin access | / |
| H.323 (tcp/1300) • optionally H.323 (tcp/1720) if you need plaintext • needed if you want to offer phone registrations | / | H.323 (tcp/1300) • optionally H.323 (tcp/1720) if you need plaintext or username/password authentication with invalid certificates | / | / | / |
| SIPS (tcp/5061) • optionally SIP (tcp/5060) if you need plaintext • needed **only** if you want to accept SIP registrations, i.e. for 3rd-party SIP phones but not for SIP trunks | / | SIPS (tcp/5061) • optionally SIP (tcp/5060) if you need plaintext | / | / | SIPS (tcp/5061) • optionally SIP (tcp/5060) if you need plaintext |
| / | RTP (udp/16384-32767, udp/50000-50299) • needed if you want to use RTP instead of TURN to inside (e.g. SIP trunk with media relay, TURN server in DMZ) | / | / | RTP (udp/16384-32767, udp/50000-50299) • needed if you want to use RTP instead of TURN to DMZ (e.g. SIP trunk with media relay, TURN server in DMZ) | RTP (udp/xxx) • xxx are the ports negotiated in the context of the outgoing SIP/UDP connection; they depend on your SIP provider • not needed if RTP from inside to WAN is allowed directly and no media relay is enabled |
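The matrix above is easiest to review and to turn into firewall rules when it is held as data rather than read off a table. The following is an added example written for this page, not code from innovaphone or from the original article: it encodes the table's zone-to-zone entries, answers whether a given flow is covered (treating the "optionally ... if you need plaintext" entries as closed unless explicitly enabled), lists the plaintext fallbacks that a change would expose between two zones, and renders the matrix as nftables forward-chain rules. The zone names, the sample networks (RFC 5737 documentation ranges) and the port 8443 standing in for "<your custom port>" are assumptions; the ports and directions come from the table, and the provider-negotiated "RTP (udp/xxx)" entry is left out because it has no fixed port range.

```python
"""Port matrix for a reverse proxy in a DMZ, encoded as data.

Added example, not part of the original page. Ports and directions are taken
from the table; the zone names, the sample networks (RFC 5737 documentation
ranges) and the admin port 8443 standing in for "<your custom port>" are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                # zone that opens the connection
    dst: str                # zone that accepts it
    proto: str              # "tcp" or "udp"
    ports: Tuple[int, int]  # inclusive destination port range
    service: str
    optional: bool = False  # plaintext fallback from the table; closed by default


T, U = "tcp", "udp"
# One Rule per table entry. "RTP (udp/xxx)" on DMZ -> WAN is omitted: its ports
# are negotiated per SIP provider and cannot be written as a fixed rule.
MATRIX = [
    Rule("wan", "dmz", U, (3478, 3478), "STUN/TURN"),
    Rule("wan", "dmz", T, (3478, 3478), "STUN/TURN"),
    Rule("wan", "dmz", T, (636, 636), "LDAPS"),              # LDAP lookups
    Rule("wan", "dmz", T, (389, 389), "LDAP", optional=True),
    Rule("wan", "dmz", T, (443, 443), "HTTPS"),              # myApps, incl. wss
    Rule("wan", "dmz", T, (80, 80), "HTTP", optional=True),
    Rule("wan", "dmz", T, (1300, 1300), "H.323"),            # phone registrations
    Rule("wan", "dmz", T, (1720, 1720), "H.323", optional=True),
    Rule("wan", "dmz", T, (5061, 5061), "SIPS"),             # SIP registrations, not trunks
    Rule("wan", "dmz", T, (5060, 5060), "SIP", optional=True),
    Rule("dmz", "endpoints", U, (16384, 32767), "RTP"),      # RTP instead of TURN
    Rule("dmz", "endpoints", U, (50000, 50299), "RTP"),
    Rule("dmz", "pbx", T, (636, 636), "LDAPS"),
    Rule("dmz", "pbx", T, (389, 389), "LDAP", optional=True),
    Rule("dmz", "pbx", T, (443, 443), "HTTPS"),
    Rule("dmz", "pbx", T, (80, 80), "HTTP", optional=True),
    Rule("dmz", "pbx", T, (1300, 1300), "H.323"),
    Rule("dmz", "pbx", T, (1720, 1720), "H.323", optional=True),
    Rule("dmz", "pbx", T, (5061, 5061), "SIPS"),
    Rule("dmz", "pbx", T, (5060, 5060), "SIP", optional=True),
    Rule("dmz", "ap", T, (636, 636), "LDAPS"),
    Rule("dmz", "ap", T, (389, 389), "LDAP", optional=True),
    Rule("dmz", "ap", T, (443, 443), "HTTPS"),
    Rule("dmz", "ap", T, (80, 80), "HTTP", optional=True),
    Rule("inside", "dmz", U, (3478, 3478), "STUN/TURN"),     # when RTP is blocked
    Rule("inside", "dmz", T, (3478, 3478), "STUN/TURN"),
    Rule("inside", "dmz", T, (8443, 8443), "HTTPS-admin"),   # assumed custom admin port
    Rule("inside", "dmz", U, (16384, 32767), "RTP"),
    Rule("inside", "dmz", U, (50000, 50299), "RTP"),
    Rule("dmz", "wan", T, (5061, 5061), "SIPS"),
    Rule("dmz", "wan", T, (5060, 5060), "SIP", optional=True),
]


def lookup(src: str, dst: str, proto: str, port: int,
           allow_plaintext: bool = False) -> Optional[Rule]:
    """Return the rule that covers a flow, or None if the table does not list it.
    Plaintext fallbacks only match when allow_plaintext is set, so the default
    answer reflects a TLS-only policy."""
    for r in MATRIX:
        if (r.src, r.dst, r.proto) != (src, dst, proto):
            continue
        if not (r.ports[0] <= port <= r.ports[1]):
            continue
        if r.optional and not allow_plaintext:
            continue
        return r
    return None


def plaintext_fallbacks(src: str, dst: str) -> List[str]:
    """Services that would run in plaintext between two zones if the optional
    fallbacks are enabled; handy as a change-review checklist."""
    return [r.service for r in MATRIX if (r.src, r.dst) == (src, dst) and r.optional]


# Assumed zone-to-network mapping (documentation ranges, not real addresses).
NETS = {
    "dmz": "192.0.2.0/24",
    "endpoints": "198.51.100.0/24",
    "pbx": "203.0.113.10",
    "ap": "203.0.113.11",
    "inside": "203.0.113.0/24",
}


def nft_rules(allow_plaintext: bool = False) -> List[str]:
    """Render the matrix as nftables forward-chain rules. A drop policy on the
    chain is assumed to be set elsewhere; WAN gets no address match."""
    out = []
    for r in MATRIX:
        if r.optional and not allow_plaintext:
            continue
        lo, hi = r.ports
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        src = f"ip saddr {NETS[r.src]} " if r.src != "wan" else ""
        dst = f"ip daddr {NETS[r.dst]} " if r.dst != "wan" else ""
        out.append(f'{src}{dst}{r.proto} dport {port} ct state new accept '
                   f'comment "{r.src}->{r.dst} {r.service}"')
    return out


if __name__ == "__main__":
    print("\n".join(nft_rules()))
    print("plaintext fallbacks WAN->DMZ:", plaintext_fallbacks("wan", "dmz"))
```

Running the module prints the TLS-only rule set; calling `nft_rules(allow_plaintext=True)` adds the eleven plaintext fallbacks, and `plaintext_fallbacks("wan", "dmz")` shows at a glance which of them would be reachable from the WAN, which is the set to justify before opening.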