Solved

U520, Juniper firewall, SBS2008 with exchange

Posted on 2012-03-18
Last Modified: 2014-12-21
Hello everyone,
I have a DSL connection which ends up on my Juniper firewall (10/100).
I have a Cisco UC520 device which I am running on my LAN with IP phones, as well as SBS 2008, which has Exchange 2007 with the newest service packs.
The SBS 2008 box and other computers are all communicating through a gigabit switch to which the Juniper firewall is connecting and distributing the internet connection.
My UC is connected from its WAN side to the Juniper firewall, and not connected to the LAN from the other.
I want to leverage the capabilities of Exchange with the UC by installing third-party software on the Exchange server, so I am a bit lost. Shouldn't the servers and PCs see the UC in the current config? Also, I want to prevent the users from getting network connectivity in case they decide to plug their PC into the Cisco UC LAN side.
Would appreciate the help.
Question by:sbs-mix
5 Comments
 
LVL 4

Expert Comment

by:ltsweb
ID: 37735077
If I understand your configuration, you have the UC plugged into the Juniper directly.  In other words, you have configured one of the ports as a DMZ as opposed to a switch.

You will either have to create a Juniper rule to allow traffic between the two ports or you can most likely hook the UC into the switch and give it a local IP.

On the firewall, you can restrict port traffic (ex. 80/443/ or everything) for the UC ip.

I would then configure the UC to hand out a different subnet on the lan port of the phone, say 10.2.10.x.  and a different gateway.  The firewall would block any traffic going out on the UC wan side (say 10.1.10.100).  The users would get an ip on the UC subnet, but have no place to go!

You can also use this configuration to allow users to use the phone lan switch and limit the traffic - you could allow them to hook a laptop in and only get to internal IP's.  The possibilities are endless.

You could also consider making the UC go into the Juniper DMZ port - but then don't forget to create custom routes to allow your exchange server to traverse to that port.

In summary,
If your Juniper is 10.1.10.1
Exchange is 10.1.10.10
Make your UC 10.1.10.15
Configure the UC to DHCP to its phone LAN port 10.2.10.x
In Juniper, configure firewall to block all outgoing traffic on 10.1.10.5

Results:
Exchange should see UC
Users going into phone port should not get anywhere


Hope this helps! Reply back if you are trying to do something else.
 
LVL 2

Author Comment

by:sbs-mix
ID: 37735145
At this time, no, I have not configured a DMZ on the UC. I don't think I'd like to, since I want to use the security features of the UC to protect my voice network.
So you say I should assign a local IP address to the WAN side of my UC, which is on the same subnet as my Exchange, i.e. 192.168.0.x.
The phones would be on another, i.e. 192.168.1.x, and enable DHCP on the UC to broadcast this IP range. But what would the gateway be? The LAN IP of the UC, i.e. 192.168.1.xx?
You have to pay attention to the fact that the UC has to be able to connect to the net, but I want to prevent the users from plugging their PCs into the phone jack and getting internet access. Is it possible? Wouldn't that imply that the Juniper distinguishes between traffic generated by the UC itself and the phones/connected hardware?
In summary, the UC would communicate with the SBS machine over its WAN port, right? Do you know if it's possible to change the security features (open ports on the UC)? I heard it was pretty tough...
 
LVL 4

Expert Comment

by:ltsweb
ID: 37735665
Hi,
Yes, local ip on wan is same as subnet on exchange 0.x.  The gw would be the Juniper address, most likely 0.1.

DHCP would be 1.x and I am assuming the UC will route and therefore allow web.

You are right that the traffic would look the same.  I meant that you would restrict web traffic on that port so that the devices would not have access to the web.  You could allow ONLY web traffic to a particular IP address if your concern is that you want the UC box to communicate to some other location.

The firewall can block all UC traffic or allow only traffic to/from where you want.  Of course, any PC would also have that capability, but they could easily plug into an existing Ethernet outlet or wireless so risk is minimal.

I will check the UC config options, but if you can modify the DHCP, push out to the data network a fake DNS server or bad Gateway.  That will lock out the PC from the Web.

It would not surprise me if you find a way to either a) turn off the data port on the phone or b) block ports 80/443/25/etc.  See: http://www.cisco.com/en/US/products/ps7287/index.html

It looks like a fun system!

Regards!
 
LVL 2

Author Comment

by:sbs-mix
ID: 37763610
Very interesting answer, thanks for the help. Will wait for more input from you.
I actually have two groups of IPs on my Juniper, one being allowed partial internet access and the other full internet access. I may have said that earlier.
So if we complicate things a bit, let's say I want to plug a PC belonging to the group of "limited internet IPs" or "full internet" into the UC, would the rules of the Juniper still function properly? My PC IPs are in the .0.x range.
As far as I know, if data traffic is routed through the UC, the NATting prevents the Juniper on the WAN side from identifying the traffic... unless we can have the UC do it transparently, but I doubt it would work in this case. Any thoughts?
The guy who installed it is pushing for connecting the LAN of the UC to the switch, and that I strongly disagree with.
 
LVL 4

Accepted Solution

by:
ltsweb earned 500 total points
ID: 37763663
Are devices plugged into the UC directly?  If so, you will need to focus on whether the UC can do bridge mode.  Bridge mode would allow you to use your two ranges and route to the LAN.  If not, you need a third IP range (handed out by the UC) and would need to control them from the UC and the Juniper IP address (assigned to the UC).

Start with what you can do on the UC.  I hate to say this in this forum, but start with the manual and Config link I posted earlier.

Keep in mind if you connect the LAN of the UC you may have a DHCP problem.
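The addressing plan ltsweb summarised in the first reply, together with the point raised later in the thread that the UC's NAT makes a PC on a phone jack look identical to the UC itself, modelled as an added Python example (not code from the thread or from Cisco/Juniper; the provider address 203.0.113.5 and the /32 rules are assumptions):

```python
from ipaddress import ip_address, ip_network

# Constructed to follow ltsweb's plan: Juniper 10.1.10.1, Exchange 10.1.10.10,
# UC WAN port 10.1.10.15, UC phone ports handing out 10.2.10.x.
LAN = ip_network("10.1.10.0/24")        # gigabit switch segment behind the Juniper
PHONE_LAN = ip_network("10.2.10.0/24")  # UC DHCP range on its phone/LAN ports
UC_WAN = ip_network("10.1.10.15/32")    # the only address the Juniper sees from the UC
ANY = ip_network("0.0.0.0/0")
PROVIDER = ip_network("203.0.113.5/32") # assumed voice provider the UC must reach

# Juniper policy as an ordered list; first matching (src, dst) wins.
JUNIPER_RULES = [
    (UC_WAN, PROVIDER, "permit"),  # the UC itself needs its provider
    (UC_WAN, ANY, "deny"),         # everything else from the UC WAN address
    (LAN, ANY, "permit"),          # ordinary LAN hosts keep full access
]

def uc_nat(src):
    """The UC NATs its phone LAN behind its WAN address, so a PC plugged
    into a phone jack and the UC itself look identical to the Juniper."""
    return ip_address("10.1.10.15") if src in PHONE_LAN else src

def juniper_allows(src, dst):
    for rule_src, rule_dst, action in JUNIPER_RULES:
        if src in rule_src and dst in rule_dst:
            return action == "permit"
    return False  # implicit deny

def flow_allowed(src, dst):
    """Can a packet from src reach dst under this design?"""
    src, dst = uc_nat(ip_address(src)), ip_address(dst)
    if src in LAN and dst in LAN:
        return True  # same switch segment: never traverses the Juniper
    return juniper_allows(src, dst)

if __name__ == "__main__":
    for s, d in [("10.1.10.10", "10.1.10.15"), ("10.2.10.50", "8.8.8.8"),
                 ("10.2.10.50", "10.1.10.10"), ("10.2.10.50", "203.0.113.5")]:
        print(f"{s} -> {d}: {'allowed' if flow_allowed(s, d) else 'blocked'}")
```

The last case shows the caveat: whatever the Juniper permits for the UC's WAN address is also reachable from a PC on a phone jack, so the permit list for that address should be kept to what the UC genuinely needs.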