Solved

Remote teleworkers with CME

Posted on 2010-09-22
15
757 Views
Last Modified: 2012-05-10
Hi,

We have a Cisco 2811 ISR running CME 7.0. We do not use it as a router, only for voice.
Is there any *safe* way to allow remote teleworkers over the WAN? e.g. SIP clients securely authenticating to CME.
I know a possible solution is using VPN, but that creates a lot of overhead and is especially problematic on mobile platforms, so I'm wondering if it's possible to open some ports to CME and have clients connect directly (similar to public SIP providers).

Thanks in advance!
0
Comment
Question by:dilberty
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 3
  • +1
15 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33742587
Hi,

I advise to use VPN, becouse it is easy to crack the MD5 hashes of SIP!

0
 
LVL 9

Accepted Solution

by:
Alex Bahar earned 500 total points
ID: 33746650
You can always create an ACL to allow ports 5060 and 5061 from your teleworker IP addresses. So non-teleworker IP addresses won't be able to register CME.
You can also use GRE tunnels, which will provide a very lightweight point to point VPN tunnels. It will make your life much easier. GRE tunnels can even carry routing updates if you're planning to run dynamic routing protocols on your remote sites.
0
 
LVL 2

Expert Comment

by:xReaper
ID: 33768324
>> I advise to use VPN, becouse it is easy to crack the MD5 hashes of SIP!

Yes ? heh and how do you do that with complex password ?
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33768493
HI,

Please try cain for hacking sip:

http://www.oxid.it/cain.html

it is working...
0
 
LVL 2

Expert Comment

by:xReaper
ID: 33769086
Looks like you have no idea what are you are talking about here, this is such time when you better say nothing if you are not sure.
Do you have any idea how hash is used ?
You can bruteforce for ages, good luck.
0
 

Author Comment

by:dilberty
ID: 33769102
Are you sure 5060 and 5061 are sufficient? don't I need UDP ports for voice?
0
 
LVL 2

Expert Comment

by:xReaper
ID: 33769237
>Are you sure 5060 and 5061 are sufficient? don't I need UDP ports for voice?

Sure, but he talks about ACL, i think what he wanted to say thay you can use ACL for 5060, and open udp ports for averyone, anywas if sip dialog do not pass there is not point to add ACL to the rtp(udp) ports for voice.
And you dont need to use 5060 5061, use only one where your cme is binded to.
0
 

Author Comment

by:dilberty
ID: 33769350
Thanks guys. Is there any way to allow this only for specific users? Most of my users use simple passwords and besides I wouldn't want to allow them this functionality.
0
 
LVL 2

Expert Comment

by:xReaper
ID: 33769375
Thats why you need ACL based on ip of your users. (external)
0
 

Author Comment

by:dilberty
ID: 33769465
Users at home don't have a static IP address. It is assigned dynamically from the ISP, so I probably won't be able to achieve that...
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33769480
For simplicity, you can assign an "allowed range of IP addresses/subnet" to the VOIP teleworkers. Let's call it white-list. You can then create a simple ACL that allows only that white-list ip address range access to the CME 5060 5061 ports.
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33769511
Static IP addresses for home broadband cost only 2-3 dollars a month. It is worth getting it.
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33769577
Another option is to use 2 different VPN groups which assigns IP addresses from 2 different pools> white-list and black-list IP address pools...
Thus, you can differentiate users even if they use dynamic IP addresses on their internet broadband.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33771565
HI,

I advise VPN.... it give more secure, and if you use g.728 or g.729 codec you able to use it without any problems! We use it over VPN...
0
 
LVL 9

Expert Comment

by:Alex Bahar
ID: 33776974
IPSEC VPN is not bed of roses though. It introduces delay and bandwidth overhead.

Processing delay can be considerable if the WAN devices do not have hardware compression modules.

A single G729 voice stream over IPSEC VPN over DSL consumes about 67 kbps! Only 8kbps is the G729 payload. IPSEC VPN adds about 21kbps to a single voice stream.


0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Free PBX 3 93
MItel 3300 Forward Voicemail to Office 365 1 244
Skype for Business - SIP/PSTN Trunk Configuration 38 96
Simple Phone Dialer for Win10 2 82
In my office we had 10 Cisco 7940G IP phones that were useless as they were showing PROTOCOL APPLICATION INVALID when started. I searched through Google and worked for a week continuously on those phones, and finally got them working. This is a di…
Hey there Heard about jingle, the add on for XMPP that enables point to point audio between two XMPP clients. No server config necessary. Actually quite a cool feature. However, how good is it if you can not use those voice capabilities to do a P…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question