Howto13r1:Firewall Settings: Difference between revisions

From innovaphone wiki
No edit summary
Line 14: Line 14:


*Before you can setup your Firewall you have to read the book [[Course13:IT_Connect_-_10.0_Reverse_Proxy|Reverse Proxy]] in the [[Special:Prefixindex/Course13:|V13 IT Connect Training]].
*Before you can setup your Firewall you have to read the book [[Course13:IT_Connect_-_10.0_Reverse_Proxy|Reverse Proxy]] in the [[Special:Prefixindex/Course13:|V13 IT Connect Training]].
* If you already have used some of the port forwards from the collumn ''WAN ⇒ DMZ'' for other Systems you have to combine all forwards in the reverse Proxy or use a separate ip address
* If you already have used some of the port forwards from the column ''WAN ⇒ DMZ'' for other Systems you have to combine all forwards in the reverse Proxy or use a separate ip address




{| class="wikitable" border="1" cellspacing="0" cellpadding="10"
{| class="wikitable" border="1" cellspacing="0" cellpadding="10"
! style="background-color: #EAECF0;text-align:center"|WAN ⇒ DMZ (Reverse Proxy) !! style="background-color: #EAECF0;text-align:center"|DMZ (Reverse Proxy) ⇒ inside (PBX) !! style="background-color: #EAECF0;text-align:center"|DMZ (Reverse Proxy) ⇒ inside (Application Platform) !! style="background-color: #EAECF0;text-align:center"|inside ⇒ DMZ (Reverse Proxy) !! style="background-color: #EAECF0;text-align:center"|DMZ (Reverse Proxy) ⇒ WAN
! style="background-color: #EAECF0;text-align:center"|WAN ⇒ DMZ !! style="background-color: #EAECF0;text-align:center"|DMZ  ⇒ inside (Endpoints) !! style="background-color: #EAECF0;text-align:center"|DMZ ⇒ inside (PBX) !! style="background-color: #EAECF0;text-align:center"|DMZ ⇒ inside (AP) !! style="background-color: #EAECF0;text-align:center"|inside ⇒ DMZ !! style="background-color: #EAECF0;text-align:center"|DMZ ⇒ WAN
|-
|-
| STUN/TURN (udp/tcp/3478) || / || / || STUN/TURN (udp/tcp/3478) || /
| STUN/TURN (udp/tcp/3478) || / || / || / || STUN/TURN (udp/tcp/3478)<br />
''&bull; <span style="font-size:11px;">needed to talk to the TURN Server if you have blocked RTP traffic</span>''
|| /
|-
|-
| LDAPS (tcp/636)<br>
| LDAPS (tcp/636)<br>
''&bull; <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">needed if you want to offer LDAP lookups</span>''
''&bull; <span style="font-size:11px;">needed if you want to offer LDAP lookups</span>''
|| /
|| LDAPS (tcp/636)<br>
|| LDAPS (tcp/636)<br>
''&bull; <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">optionally LDAP (tcp/389) if you need plaintext</span>''<br>
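Review bot: the second header line grows from five to six columns (the new "DMZ ⇒ inside (Endpoints)" between "WAN ⇒ DMZ" and "DMZ ⇒ inside (PBX)"), so every data row below it now needs six cells; the STUN/TURN row has them ("| STUN/TURN ... || / || / || / || STUN/TURN ... || /"), but the LDAPS row that begins at the end of this hunk continues into the next one and should be counted the same way. Minor, same bullet as the "column" fix: "setup your Firewall" and "ip address" would read better as "set up your firewall" and "IP address".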
Line 38: Line 41:
''&bull; <span style="font-size:11px;">needed if you want to offer myApps</span>''<br>
''&bull; <span style="font-size:11px;">needed if you want to offer myApps</span>''<br>
''&bull; <span style="font-size:11px;">please also allow wss/ws (websocket) connections</span>''
''&bull; <span style="font-size:11px;">please also allow wss/ws (websocket) connections</span>''
|| /
|| HTTPS (tcp/443)<br>
|| HTTPS (tcp/443)<br>
''&bull; <span style="font-size:11px;">optionally HTTP (tcp/80) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">optionally HTTP (tcp/80) if you need plaintext</span>''<br>
Line 53: Line 57:
''&bull; <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">needed if you want to offer Phone registrations</span>''  
''&bull; <span style="font-size:11px;">needed if you want to offer Phone registrations</span>''  
|| /
|| H.323 (tcp/1300)<br>
|| H.323 (tcp/1300)<br>
''&bull; <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext or username/password auths with invalid certificates</span>''<br>
''&bull; <span style="font-size:11px;">optionally H.323 (tcp/1720) if you need plaintext or username/password auths with invalid certificates</span>''<br>
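Review bot: "optionally H.323 (tcp/1720) if you need plaintext or username/password auths with invalid certificates" is ambiguous about what "invalid certificates" refers to; suggest "if you need plaintext, or username/password authentication when the certificate cannot be validated", since that is the case in which the TLS port 1300 is not usable and the plaintext port has to stay open.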
Line 63: Line 68:
''&bull; <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">needed '''only''' if you want to accept SIP registrations, i.e. for 3rd. Party SIP phones but not for SIP-Trunks</span>''
''&bull; <span style="font-size:11px;">needed '''only''' if you want to accept SIP registrations, i.e. for 3rd. Party SIP phones but not for SIP-Trunks</span>''
|| /
|| SIPS (tcp/5061)<br>
|| SIPS (tcp/5061)<br>
''&bull; <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br>
Line 69: Line 75:
|| /
|| /
|| SIPS (tcp/5061)<br>
|| SIPS (tcp/5061)<br>
''&bull; <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''<br>
''&bull; <span style="font-size:11px;">optionally SIP (tcp/5060) if you need plaintext</span>''
''&bull; <span style="font-size:11px;">needed if you want to register a SIP Trunk from the RP to Provider and your Provider doesn't support TURN</span>''
|-
|-
| / || / || / || RTP (udp/16384-32767)<br>
| /
''&bull; <span style="font-size:11px;">needed if you want to register a SIP Trunk from the RP to Provider and your Provider doesn't support TURN</span>''  
|| RTP (udp/16384-32767, udp/50000-50299)<br>
''&bull; <span style="font-size:11px;">needed if you want to use RTP instead of TURN to inside. (eg. SIP Trunk with Media-Relay, TURN Server in DMZ)</span>''
|| / || /
|| RTP (udp/16384-32767, udp/50000-50299)<br>
''&bull; <span style="font-size:11px;">needed if you want to use RTP instead of TURN to DMZ. (eg. SIP Trunk with Media-Relay, TURN Server in DMZ)</span>''  
|| RTP (udp/xxx)<br>
|| RTP (udp/xxx)<br>
''&bull; <span style="font-size:11px;">negotiated in context of the outgoing sip/udp connecxtion</span>''<br>
''&bull; <span style="font-size:11px;">xxx are the negotiated ports in context of the outgoing sip/udp connection. The ports depend on your SIP Provider</span>''<br>
''&bull; <span style="font-size:11px;">needed if you want to register a SIP Trunk from the RP to Provider and your Provider doesn't Support TURN</span>''
''&bull; <span style="font-size:11px;">not needed if RTP from inside to WAN is allowed directly and no media-relay is enabled)</span>''
|}
|}
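Review bot: the new DMZ ⇒ WAN RTP note "not needed if RTP from inside to WAN is allowed directly and no media-relay is enabled)" has an unmatched closing parenthesis, and the three copies of "needed if you want to register a SIP Trunk from the RP to Provider and your Provider doesn't support TURN" in this hunk all sit on the old side with none kept on the new side, so after this edit the SIPS and RTP cells in DMZ ⇒ WAN no longer say when those outbound rules are required at all; suggest dropping the stray ")" and keeping the SIP-trunk condition next to the new exception. Also "RTP (udp/xxx)" is only explained by the bullet under it; "udp/<ports negotiated with the provider>" in the cell itself would avoid the placeholder.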



Revision as of 11:36, 20 October 2020

Applies To

This information applies to V13 and up.

Scenario: Reverse Proxy in a DMZ

This article gives an overview of the ports and protocols required when a reverse proxy is operated in a DMZ.

The scenario is a reverse proxy placed in a DMZ that has one link to the WAN and one link to the LAN (called "inside" below).

Configuration

  • Before you can set up your firewall you have to read the book Reverse Proxy in the V13 IT Connect Training.
  • If you have already used some of the port forwards from the column WAN ⇒ DMZ for other systems, you have to combine all forwards in the reverse proxy or use a separate IP address.


The table lists, per protocol, what has to be allowed in each of six directions (the columns of the original table): WAN ⇒ DMZ, DMZ ⇒ inside (Endpoints), DMZ ⇒ inside (PBX), DMZ ⇒ inside (AP), inside ⇒ DMZ and DMZ ⇒ WAN. "/" means nothing has to be opened in that direction.

STUN/TURN
  WAN ⇒ DMZ:                STUN/TURN (udp/tcp/3478)
  DMZ ⇒ inside (Endpoints): /
  DMZ ⇒ inside (PBX):       /
  DMZ ⇒ inside (AP):        /
  inside ⇒ DMZ:             STUN/TURN (udp/tcp/3478)
                            • needed to talk to the TURN server if you have blocked RTP traffic
  DMZ ⇒ WAN:                /

LDAPS
  WAN ⇒ DMZ:                LDAPS (tcp/636)
                            • optionally LDAP (tcp/389) if you need plaintext
                            • needed if you want to offer LDAP lookups
  DMZ ⇒ inside (Endpoints): /
  DMZ ⇒ inside (PBX):       LDAPS (tcp/636)
                            • optionally LDAP (tcp/389) if you need plaintext
                            • needed if you want to offer LDAP lookups
  DMZ ⇒ inside (AP):        LDAPS (tcp/636)
                            • optionally LDAP (tcp/389) if you need plaintext
                            • needed if you want to offer LDAP lookups
  inside ⇒ DMZ:             /
  DMZ ⇒ WAN:                /

HTTPS
  WAN ⇒ DMZ:                HTTPS (tcp/443)
                            • optionally HTTP (tcp/80) if you need plaintext
                            • needed if you want to offer myApps
                            • please also allow wss/ws (websocket) connections
  DMZ ⇒ inside (Endpoints): /
  DMZ ⇒ inside (PBX):       HTTPS (tcp/443)
                            • optionally HTTP (tcp/80) if you need plaintext
                            • needed if you want to offer myApps
                            • please also allow wss/ws (websocket) connections
  DMZ ⇒ inside (AP):        HTTPS (tcp/443)
                            • optionally HTTP (tcp/80) if you need plaintext
                            • needed if you want to offer myApps
                            • please also allow wss/ws (websocket) connections
  inside ⇒ DMZ:             HTTPS (tcp/<your custom port>)
                            • Advanced UI admin access
  DMZ ⇒ WAN:                /

H.323
  WAN ⇒ DMZ:                H.323 (tcp/1300)
                            • optionally H.323 (tcp/1720) if you need plaintext
                            • needed if you want to offer phone registrations
  DMZ ⇒ inside (Endpoints): /
  DMZ ⇒ inside (PBX):       H.323 (tcp/1300)
                            • optionally H.323 (tcp/1720) if you need plaintext, or username/password authentication with invalid certificates
                            • needed if you want to offer phone registrations
  DMZ ⇒ inside (AP):        /
  inside ⇒ DMZ:             /
  DMZ ⇒ WAN:                /

SIPS
  WAN ⇒ DMZ:                SIPS (tcp/5061)
                            • optionally SIP (tcp/5060) if you need plaintext
                            • needed only if you want to accept SIP registrations, i.e. for third-party SIP phones, but not for SIP trunks
  DMZ ⇒ inside (Endpoints): /
  DMZ ⇒ inside (PBX):       SIPS (tcp/5061)
                            • optionally SIP (tcp/5060) if you need plaintext
                            • needed only if you want to accept SIP registrations, i.e. for third-party SIP phones, but not for SIP trunks
  DMZ ⇒ inside (AP):        /
  inside ⇒ DMZ:             /
  DMZ ⇒ WAN:                SIPS (tcp/5061)
                            • optionally SIP (tcp/5060) if you need plaintext

RTP
  WAN ⇒ DMZ:                /
  DMZ ⇒ inside (Endpoints): RTP (udp/16384-32767, udp/50000-50299)
                            • needed if you want to use RTP instead of TURN towards inside (e.g. SIP trunk with media relay, TURN server in the DMZ)
  DMZ ⇒ inside (PBX):       /
  DMZ ⇒ inside (AP):        /
  inside ⇒ DMZ:             RTP (udp/16384-32767, udp/50000-50299)
                            • needed if you want to use RTP instead of TURN towards the DMZ (e.g. SIP trunk with media relay, TURN server in the DMZ)
  DMZ ⇒ WAN:                RTP (udp/xxx)
                            • xxx are the ports negotiated in the context of the outgoing SIP/UDP connection; they depend on your SIP provider
                            • not needed if RTP from inside to WAN is allowed directly and no media relay is enabled
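The matrix above is easiest to keep correct when it lives as data that both a rule generator and a policy check read from. The following Python is an added example written for this article, not innovaphone code: the zone names ("wan", "dmz", "endpoints", "pbx", "ap", "inside"), the Rule structure, the site_rules() inputs for the custom admin port and the provider RTP range, and the nftables output format are assumptions made here; the ports and directions are those of the table.

```python
"""Port matrix for the innovaphone V13 reverse proxy in a DMZ, as data.

Added example, not innovaphone code. Assumed here: zone names, the Rule
structure and the nftables output format. Ports/directions follow the table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # zone the connection is opened from
    dst: str        # zone it is opened to
    proto: str      # "tcp" or "udp"
    low: int        # first destination port (inclusive)
    high: int       # last destination port (inclusive)
    purpose: str
    optional: bool = False  # plaintext / special-case entries of the table


def _r(src, dst, proto, low, high, purpose, optional=False):
    return Rule(src, dst, proto, low, high, purpose, optional)


# "inside" as a source aggregates Endpoints, PBX and AP; as a destination the
# three are kept apart because the reverse proxy needs different ports to each.
MATRIX = (
    # WAN => DMZ (reverse proxy)
    _r("wan", "dmz", "udp", 3478, 3478, "STUN/TURN"),
    _r("wan", "dmz", "tcp", 3478, 3478, "STUN/TURN"),
    _r("wan", "dmz", "tcp", 636, 636, "LDAPS lookups"),
    _r("wan", "dmz", "tcp", 389, 389, "LDAP plaintext", True),
    _r("wan", "dmz", "tcp", 443, 443, "HTTPS / myApps incl. wss"),
    _r("wan", "dmz", "tcp", 80, 80, "HTTP plaintext", True),
    _r("wan", "dmz", "tcp", 1300, 1300, "H.323 phone registrations"),
    _r("wan", "dmz", "tcp", 1720, 1720, "H.323 plaintext", True),
    _r("wan", "dmz", "tcp", 5061, 5061, "SIPS registrations (3rd-party phones)"),
    _r("wan", "dmz", "tcp", 5060, 5060, "SIP plaintext", True),
    # DMZ => inside (Endpoints): media only, when RTP is used instead of TURN
    _r("dmz", "endpoints", "udp", 16384, 32767, "RTP instead of TURN"),
    _r("dmz", "endpoints", "udp", 50000, 50299, "RTP instead of TURN"),
    # DMZ => inside (PBX)
    _r("dmz", "pbx", "tcp", 636, 636, "LDAPS"),
    _r("dmz", "pbx", "tcp", 389, 389, "LDAP plaintext", True),
    _r("dmz", "pbx", "tcp", 443, 443, "HTTPS / myApps incl. wss"),
    _r("dmz", "pbx", "tcp", 80, 80, "HTTP plaintext", True),
    _r("dmz", "pbx", "tcp", 1300, 1300, "H.323 phone registrations"),
    _r("dmz", "pbx", "tcp", 1720, 1720, "H.323 plaintext or auth with invalid certs", True),
    _r("dmz", "pbx", "tcp", 5061, 5061, "SIPS registrations"),
    _r("dmz", "pbx", "tcp", 5060, 5060, "SIP plaintext", True),
    # DMZ => inside (Application Platform)
    _r("dmz", "ap", "tcp", 636, 636, "LDAPS"),
    _r("dmz", "ap", "tcp", 389, 389, "LDAP plaintext", True),
    _r("dmz", "ap", "tcp", 443, 443, "HTTPS / myApps incl. wss"),
    _r("dmz", "ap", "tcp", 80, 80, "HTTP plaintext", True),
    # inside => DMZ
    _r("inside", "dmz", "udp", 3478, 3478, "STUN/TURN when RTP is blocked"),
    _r("inside", "dmz", "tcp", 3478, 3478, "STUN/TURN when RTP is blocked"),
    _r("inside", "dmz", "udp", 16384, 32767, "RTP instead of TURN"),
    _r("inside", "dmz", "udp", 50000, 50299, "RTP instead of TURN"),
    # DMZ => WAN (SIP trunk from the reverse proxy to the provider)
    _r("dmz", "wan", "tcp", 5061, 5061, "SIPS to provider"),
    _r("dmz", "wan", "tcp", 5060, 5060, "SIP plaintext to provider", True),
)


def site_rules(admin_port=None, provider_rtp=None):
    """MATRIX plus the two site-specific entries the table leaves open: the
    custom HTTPS admin port (inside => DMZ) and the provider's RTP range
    (DMZ => WAN, 'udp/xxx'). Both values are hypothetical inputs here."""
    rules = list(MATRIX)
    if admin_port is not None:
        rules.append(_r("inside", "dmz", "tcp", admin_port, admin_port,
                        "Advanced UI admin access"))
    if provider_rtp is not None:
        low, high = provider_rtp
        rules.append(_r("dmz", "wan", "udp", low, high,
                        "RTP negotiated with the SIP provider"))
    return rules


def is_allowed(rules, src, dst, proto, port, include_optional=False):
    """True if a new connection src -> dst on proto/port is covered by a rule."""
    return any(r.src == src and r.dst == dst and r.proto == proto
               and r.low <= port <= r.high
               and (include_optional or not r.optional)
               for r in rules)


def nft_rules(rules, include_optional=False):
    """Render the rules as nftables forward-chain lines. Zone names double as
    interface names here (assumption: map them to your real interfaces)."""
    lines = []
    for r in rules:
        if r.optional and not include_optional:
            continue
        ports = str(r.low) if r.low == r.high else f"{r.low}-{r.high}"
        lines.append(f'iifname "{r.src}" oifname "{r.dst}" {r.proto} dport {ports} '
                     f'ct state new accept comment "{r.purpose}"')
    return lines


if __name__ == "__main__":
    print("\n".join(nft_rules(site_rules(admin_port=8443, provider_rtp=(10000, 20000)))))
```

Keeping the plaintext variants behind include_optional makes the default output the TLS-only rule set; is_allowed() is the check to run against a proposed rule before it is added, for instance to confirm that nothing but RTP is opened from the DMZ towards the endpoints.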

The complete Workload Picture

[Image: V13-workload.jpg]

Related Articles