Howto13r1:Firewall Settings: Difference between revisions

From innovaphone wiki
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
Line 5: Line 5:
V13 and up
V13 and up


==Scenario: Reverse Proxy in a DMZ==
==Scenario: Reverse Proxy, TURN and SBC in a DMZ==


Here we would like to give an overview of the necessary ports and protocols for a reverse proxy in a DMZ.
Here we would like to give an overview of the necessary ports and protocols for Reverse Proxy, TURN and SBC in the DMZ.
 
The scenario would be that a reverse proxy is used in a DMZ. The DMZ has a link to the WAN and LAN.


===Configuration===
===Configuration===

Revision as of 10:38, 20 October 2020

Applies To

This information applies to

V13 and up

Scenario: Reverse Proxy, TURN and SBC in a DMZ

Here we would like to give an overview of the necessary ports and protocols for Reverse Proxy, TURN and SBC in the DMZ.

Configuration

  • Before you can setup your Firewall you have to read the book Reverse Proxy in the V13 IT Connect Training.
  • If you already have used some of the port forwards from the column WAN ⇒ DMZ for other Systems you have to combine all forwards in the reverse Proxy or use a separate ip address


WAN ⇒ DMZ DMZ ⇒ inside (Endpoints) DMZ ⇒ inside (PBX) DMZ ⇒ inside (AP) inside ⇒ DMZ DMZ ⇒ WAN
STUN/TURN (udp/tcp/3478) / / / STUN/TURN (udp/tcp/3478)

needed to talk to the TURN Server if you have blocked RTP traffic

/
LDAPS (tcp/636)

optionally LDAP (tcp/389) if you need plaintext
needed if you want to offer LDAP lookups

/ LDAPS (tcp/636)

optionally LDAP (tcp/389) if you need plaintext
needed if you want to offer LDAP lookups

LDAPS (tcp/636)

optionally LDAP (tcp/389) if you need plaintext
needed if you want to offer LDAP lookups

/ /
HTTPS (tcp/443)

optionally HTTP (tcp/80) if you need plaintext
needed if you want to offer myApps
please also allow wss/ws (websocket) connections

/ HTTPS (tcp/443)

optionally HTTP (tcp/80) if you need plaintext
needed if you want to offer myApps
please also allow wss/ws (websocket) connections

HTTPS (tcp/443)

optionally HTTP (tcp/80) if you need plaintext
needed if you want to offer myApps
please also allow wss/ws (websocket) connections

HTTPS (tcp/<your custom port>)

Advanced UI admin access

/
H.323 (tcp/1300)

optionally H.323 (tcp/1720) if you need plaintext
needed if you want to offer Phone registrations

/ H.323 (tcp/1300)

optionally H.323 (tcp/1720) if you need plaintext or username/password auths with invalid certificates
needed if you want to offer Phone registrations

/ / /
SIPS (tcp/5061)

optionally SIP (tcp/5060) if you need plaintext
needed only if you want to accept SIP registrations, i.e. for 3rd. Party SIP phones but not for SIP-Trunks

/ SIPS (tcp/5061)

optionally SIP (tcp/5060) if you need plaintext
needed only if you want to accept SIP registrations, i.e. for 3rd. Party SIP phones but not for SIP-Trunks

/ / SIPS (tcp/5061)

optionally SIP (tcp/5060) if you need plaintext

/ RTP (udp/16384-32767, udp/50000-50299)

needed if you want to use RTP instead of TURN to inside. (eg. SIP Trunk with Media-Relay, TURN Server in DMZ)

/ / RTP (udp/16384-32767, udp/50000-50299)

needed if you want to use RTP instead of TURN to DMZ. (eg. SIP Trunk with Media-Relay, TURN Server in DMZ)

RTP (udp/xxx)

xxx are the negotiated ports in context of the outgoing sip/udp connection. The ports depend on your SIP Provider
not needed if RTP from inside to WAN is allowed directly and no media-relay is enabled)

The complete Workload Picture

Related Articles

Retrieved from "https://wiki.innovaphone.com/index.php?title=Howto13r1:Firewall_Settings&oldid=57371"