sbs-mix (Lebanon) asked:
U520, Juniper firewall, SBS2008 with exchange

Hello everyone,
I have a DSL connection which ends up on my Juniper firewall (10/100).
I have a Cisco UC520 device which I am running on my LAN with IP phones, as well as SBS 2008, which has Exchange 2007 with the newest service packs.
The SBS 2008 box and other computers are all communicating through a gigabit switch to which the Juniper firewall is connecting and distributing the internet connection.
My UC is connected from its WAN side to the Juniper firewall, and not connected to the LAN from the other side.
I want to leverage the capabilities of Exchange with the UC by installing third-party software on the Exchange server, so I am a bit lost. Shouldn't the servers and PCs see the UC in the current config? Also, I want to prevent the users from getting network connectivity in case they decide to plug their PC into the Cisco UC LAN side.
Would appreciate the help.
ltsweb:

If I understand your configuration, you have the UC plugged into the Juniper directly.  In other words, you have configured one of the ports as a DMZ as opposed to a switch.

You will either have to create a Juniper rule to allow traffic between the two ports or you can most likely hook the UC into the switch and give it a local IP.

On the firewall, you can restrict port traffic (ex. 80/443/ or everything) for the UC ip.

I would then configure the UC to hand out a different subnet on the LAN port of the phone, say 10.2.10.x, and a different gateway.  The firewall would block any traffic going out on the UC WAN side (say 10.1.10.100).  The users would get an IP on the UC subnet, but have no place to go!

You can also use this configuration to allow users to use the phone LAN switch and limit the traffic - you could allow them to hook a laptop in and only get to internal IPs.  The possibilities are endless.

You could also consider making the UC go into the Juniper DMZ port - but then don't forget to create custom routes to allow your exchange server to traverse to that port.

In summary,
If your Juniper is 10.1.10.1
Exchange is 10.1.10.10
Make your UC 10.1.10.15
Configure the UC to DHCP on its phone LAN port 10.2.10.x
In Juniper, configure firewall to block all outgoing traffic on 10.1.10.5

Results:
Exchange should see UC
Users going into phone port should not get anywhere


Hope this helps! Reply back if you are trying to do something else.
sbs-mix (ASKER):
At this time, no, I have not configured a DMZ on the UC. I don't think I'd like to, since I want to use the security features of the UC to protect my voice network.
So you say I should assign a local IP address to the WAN side of my UC, which is on the same subnet as my Exchange, i.e. 192.168.0.x.
The phones would be on another, i.e. 192.168.1.x, and enable DHCP on the UC to broadcast this IP range. But what would the gateway be? The LAN IP of the UC, i.e. 192.168.1.xx?
You have to pay attention to the fact that the UC has to be able to connect to the net, but I want to prevent the users from plugging their PCs into the phone jack and getting internet access. Is it possible? Wouldn't that imply that the Juniper distinguishes between traffic generated by the UC itself and the phones/connected hardware?
In summary, the UC would communicate with the SBS machine over its WAN port, right? Do you know if it's possible to change the security features (open ports on the UC)? I heard it was pretty tough...
Hi,
Yes, the local IP on the WAN is on the same subnet as Exchange (0.x).  The GW would be the Juniper address, most likely 0.1.

DHCP would be 1.x and I am assuming the UC will route and therefore allow web.

You are right that the traffic would look the same.  I meant that you would restrict web traffic on that port so that the devices would not have access to the web.  You could allow ONLY web traffic to a particular IP address if your concern is that you want the UC box to communicate to some other location.

The firewall can block all UC traffic or allow only traffic to/from where you want.  Of course, any PC would also have that capability, but they could easily plug into an existing Ethernet outlet or wireless so risk is minimal.

I will check the UC config options, but if you can modify the DHCP, push out to the data network a fake DNS server or bad Gateway.  That will lock out the PC from the Web.

It would not surprise me if you find a way to either a) turn off the data port on the phone or b) block ports 80/443/25/etc.  See: http://www.cisco.com/en/US/products/ps7287/index.html

It looks like a fun system!

Regards!
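The addressing plan from ltsweb's summary (Exchange 10.1.10.10, UC WAN 10.1.10.15, phones on 10.2.10.x, UC WAN egress blocked) and the point in the second reply that phone-side traffic looks the same as the UC's own once the UC NATs it can both be checked with a small policy model. This is an added example, not code from the thread or any Juniper/Cisco configuration: it assumes a hypothetical first-match, default-deny rule list, takes the UC WAN address from the "Make your UC 10.1.10.15" line, and constructs the PC and internet addresses it tests.

```python
import ipaddress
from dataclasses import dataclass

# Addressing plan from the summary above; the UC WAN address is the one
# given in "Make your UC 10.1.10.15".
EXCHANGE = ipaddress.ip_address("10.1.10.10")
UC_WAN = ipaddress.ip_address("10.1.10.15")
LAN_NET = ipaddress.ip_network("10.1.10.0/24")
PHONE_NET = ipaddress.ip_network("10.2.10.0/24")  # handed out by the UC's DHCP
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    """/32 network for a single address."""
    return ipaddress.ip_network(f"{addr}/32")

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "permit" or "deny"

# Hypothetical ordered policy: first match wins, anything unmatched is denied.
POLICY = [
    Rule("uc-to-exchange", host(UC_WAN), host(EXCHANGE), "permit"),
    Rule("exchange-to-uc", host(EXCHANGE), host(UC_WAN), "permit"),
    Rule("block-uc-wan-egress", host(UC_WAN), ANY, "deny"),
    Rule("block-phone-subnet", PHONE_NET, ANY, "deny"),
    Rule("lan-to-internet", LAN_NET, ANY, "permit"),
]

def as_seen_by_firewall(src, uc_nats_phone_subnet):
    """Source address the Juniper actually sees. If the UC NATs its phone
    subnet behind its WAN address, a PC on a phone's data jack arrives
    looking like the UC itself, which is the concern raised in the thread."""
    src = ipaddress.ip_address(src)
    if uc_nats_phone_subnet and src in PHONE_NET:
        return UC_WAN
    return src

def evaluate(src, dst, uc_nats_phone_subnet=False, policy=POLICY):
    """Action of the first rule matching the flow as the firewall sees it."""
    src = as_seen_by_firewall(src, uc_nats_phone_subnet)
    dst = ipaddress.ip_address(dst)
    for rule in policy:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"
```

With NAT on, a PC at 10.2.10.50 is still cut off from the internet but inherits the UC's permit to Exchange, so the Exchange-side rule is the one that needs to be as narrow as the third-party software allows.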
sbs-mix (ASKER):
Very interesting answer, thanks for the help. Will wait for more input from you.
I actually have two groups of IPs on my Juniper, one being allowed partial internet access and the other full internet access. I may have said that earlier.
So if we complicate things a bit, let's say I want to plug a PC belonging to the group of "limited internet IPs" or "full internet" into the UC, would the rules of the Juniper still function properly? My PC IPs are in the .0.x range.
As far as I know, if data traffic is routed through the UC, the NATting prevents the Juniper on the WAN side from identifying the traffic... unless we can have the UC do it transparently, but I doubt it would work in this case. Any thoughts?
The guy who installed it is pushing for connecting the LAN of the UC to the switch, and that I strongly disagree with.
ASKER CERTIFIED SOLUTION by ltsweb