

U520, Juniper firewall, SBS2008 with exchange

Posted on 2012-03-18
Medium Priority
Last Modified: 2014-12-21
Hello everyone,
I have a DSL connection which ends up on my Juniper firewall (10/100).
I have a Cisco UC520 device which I am running on my LAN with IP phones, as well as SBS 2008, which has Exchange 2007 with the newest service packs.
The SBS 2008 box and other computers are all communicating through a gigabit switch to which the Juniper firewall is connecting and distributing the internet connection.
My UC is connected from its WAN side to the Juniper firewall, and not connected to the LAN from the other.
I want to leverage the capabilities of Exchange with the UC by installing third-party software on the Exchange server, so I am a bit lost. Shouldn't the servers and PCs see the UC in the current config? Also, I want to prevent the users from getting network connectivity in case they decide to plug their PC into the Cisco UC LAN side.
Would appreciate the help.
Question by:sbs-mix

Expert Comment

ID: 37735077
If I understand your configuration, you have the UC plugged into the Juniper directly. In other words, you have configured one of the ports as a DMZ as opposed to a switch.

You will either have to create a Juniper rule to allow traffic between the two ports or you can most likely hook the UC into the switch and give it a local IP.

On the firewall, you can restrict port traffic (ex. 80/443/ or everything) for the UC ip.

I would then configure the UC to hand out a different subnet on the LAN port of the phone, say 10.2.10.x, and a different gateway. The firewall would block any traffic going out on the UC WAN side (say  The users would get an IP on the UC subnet, but have no place to go!

You can also use this configuration to allow users to use the phone lan switch and limit the traffic - you could allow them to hook a laptop in and only get to internal IP's.  The possibilities are endless.

You could also consider making the UC go into the Juniper DMZ port - but then don't forget to create custom routes to allow your exchange server to traverse to that port.

In summary,
If your Juniper is
Exchange is
Make your UC
Configure the UC to DHCP to its phone LAN port 10.2.10.x
In Juniper, configure firewall to block all outgoing traffic on

Exchange should see UC
Users going into phone port should not get anywhere

Hope this helps! Reply back if you are trying to do something else.

Author Comment

ID: 37735145
At this time, no, I have not configured a DMZ on the UC. I don't think I'd like to, since I want to use the security features of the UC to protect my voice network.
So you say I should assign a local IP address to the WAN side of my UC, which is on the same subnet as my Exchange, i.e. 192.168.0.x.
The phones would be on another, i.e. 192.168.1.x, and enable DHCP on the UC to broadcast this IP range. But what would the gateway be? The LAN IP of the UC, i.e. 192.168.1.xx?
You have to pay attention to the fact that the UC has to be able to connect to the net, but I want to prevent the users from plugging their PCs into the phone jack and getting internet access. Is it possible? Wouldn't that imply that the Juniper distinguishes between traffic generated by the UC itself and the phones/connected hardware?
In summary, the UC would communicate with the SBS machine over its WAN port, right? Do you know if it's possible to change the security features (open ports on the UC)? I heard it was pretty tough...

Expert Comment

ID: 37735665
Yes, local ip on wan is same as subnet on exchange 0.x.  The gw would be the Juniper address, most likely 0.1.

DHCP would be 1.x and I am assuming the UC will route and therefore allow web.

You are right that the traffic would look the same.  I meant that you would restrict web traffic on that port so that the devices would not have access to the web.  You could allow ONLY web traffic to a particular IP address if your concern is that you want the UC box to communicate to some other location.

The firewall can block all UC traffic or allow only traffic to/from where you want. Of course, any PC would also have that capability, but they could easily plug into an existing Ethernet outlet or wireless, so risk is minimal.

I will check the UC config options, but if you can modify the DHCP, push out to the data network a fake DNS server or bad Gateway.  That will lock out the PC from the Web.

It would not surprise me if you find a way to either a) turn off the data port on the phone or b) block ports 80/443/25/etc.  See: http://www.cisco.com/en/US/products/ps7287/index.html

It looks like a fun system!
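As an added illustration of the point made in this answer (not code from the thread or from Cisco/Juniper), a small Python model of the proposed layout: the UC NATs its phone-port subnet behind its WAN address, so the Juniper can only police the UC's WAN IP as a whole. All addresses below are constructed placeholders.

```python
# Model of the proposed design: the UC sits on the LAN side of the Juniper with
# a WAN IP in the Exchange subnet, NATs its phone-port subnet (10.2.10.x), and
# the Juniper restricts that WAN IP to the Exchange server plus, optionally,
# one external host the UC itself must reach.  Addresses are constructed.
from ipaddress import ip_address, ip_network

UC_WAN_IP = ip_address("192.168.0.50")     # assumed LAN-side address of the UC
EXCHANGE_IP = ip_address("192.168.0.10")   # assumed SBS 2008 / Exchange address
UC_EXTERNAL = ip_address("203.0.113.7")    # assumed external host the UC needs
PHONE_NET = ip_network("10.2.10.0/24")     # phone-port subnet handed out by the UC


def uc_nat(src, dst):
    """The UC rewrites phone-subnet sources to its WAN IP before forwarding.

    After this step a PC on the phone port and the UC itself look identical
    to the Juniper, which is why the firewall cannot tell them apart.
    """
    src, dst = ip_address(src), ip_address(dst)
    if src in PHONE_NET:
        return UC_WAN_IP, dst
    return src, dst


# Juniper policy for the UC's WAN IP, first match wins.  None = any destination.
POLICY = [
    ("permit", UC_WAN_IP, EXCHANGE_IP),   # Exchange integration traffic
    ("permit", UC_WAN_IP, UC_EXTERNAL),   # the one outside host the UC may use
    ("deny", UC_WAN_IP, None),            # everything else from the UC is dropped
]


def juniper_decision(src, dst):
    """Evaluate the policy for an already-NATed packet."""
    for action, psrc, pdst in POLICY:
        if src == psrc and (pdst is None or dst == pdst):
            return action
    return "permit"   # other LAN hosts keep their existing Juniper rules


def reaches(src, dst):
    """End-to-end result for a packet entering the UC's phone port or the LAN."""
    return juniper_decision(*uc_nat(src, dst))
```

A PC on the phone port is blocked from the web but can still reach Exchange, and, because of the NAT, any destination permitted for the UC is also reachable from that PC, which is the residual risk to weigh when adding exceptions.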


Author Comment

ID: 37763610
Very interesting answer, thanks for the help. Will wait for more input from you.
I actually have two groups of IPs on my Juniper, one being allowed partial internet access and the other full internet access. I may have said that earlier.
So if we complicate things a bit, let's say I want to plug a PC belonging to the group of "limited internet IPs" or "full internet" into the UC; would the rules of the Juniper still function properly? My PC IPs are in the .0.x range.
As far as I know, if data traffic is routed through the UC, the NATting prevents the Juniper on the WAN side from identifying the traffic... unless we can have the UC do it transparently, but I doubt it would work in this case. Any thoughts?
The guy who installed it is pushing for connecting the LAN of the UC to the switch, and that I strongly disagree with.

Accepted Solution

ltsweb earned 2000 total points
ID: 37763663
Are devices plugged into the UC directly? If so, you will need to focus on whether the UC can do bridge mode. Bridge mode would allow you to use your two ranges and route to the LAN. If not, you need a third IP range (handed out by the UC) and would need to control them from the UC and the Juniper IP address (assigned to the UC).

Start with what you can do on the UC. I hate to say this in this forum, but start with the manual and the config link I posted earlier.

Keep in mind that if you connect the LAN of the UC you may have a DHCP problem.
