Avatar of sbs-mix
Flag for Lebanon asked on

U520, Juniper firewall, SBS2008 with exchange

Hello everyone,
i have a dsl connection which ends up on my juniper firewall (10/100).
i have a cisco uc520 device which i am running on my lan with ip phones, as well as sbs 2008, which has exchange 2007 with newest service packs.
The sbs 2008 box and other computers are all communicating through a gibabit switch to which the juniper firewall is connecting and distributing the internet connection.
My uc is connected from its wan side to the juniper firewall, and not connected to lan from the other.
i want to leverage the capabilities of exchange with the uc by installing third party softwares on the exchange server, so i am bit a lost. shouldn't the servers and pc's see the uc in the current config ? Also, i want to prevent the users from getting network connectivity in case they decide to plug their pc in the cisco uc lan side.
would appreciate the help.
ExchangeVoice Over IPNetwork Architecture

Avatar of undefined
Last Comment

8/22/2022 - Mon

If I understand your configuration, you have the UC plugged into the Juniper directly.  In other words, you have configured one of the ports as a DMZ as opposed to a switch.

You will either have to create a Juniper rule to allow traffic between the two ports or you can most likely hook the UC into the switch and give it a local IP.

On the firewall, you can restrict port traffic (ex. 80/443/ or everything) for the UC ip.

I would then configure the UC to hand out a different subnet on the lan port of the phone, say 10.2.10.x.  and a different gateway.  The firewall would block any traffic going out on the UC wan side (say  The users would get an ip on the UC subnet, but have no place to go!

You can also use this configuration to allow users to use the phone lan switch and limit the traffic - you could allow them to hook a laptop in and only get to internal IP's.  The possibilities are endless.

You could also consider making the UC go into the Juniper DMZ port - but then don't forget to create custom routes to allow your exchange server to traverse to that port.

In summary,
If your Juniper is
Exchange is
Make your UC
Configure the UC to dhcp to it's phone lan port 10.2.10.x
In Juniper, configure firewall to block all outgoing traffic on

Exchange should see UC
Users going into phone port should not get anywhere

Hope this helps! Reply back if you are trying to do something else.

at this time, no, i have not configured a dmz on the uc. i don't think i'd like to, since i want to use the security features of the uc to protect my voice network.
so u say i should assign a local ip adress to the wan side of my uc, which is on the same subnet as my exchange. i.e. 192.168.0.x
the phones would be on another, i.e 192.168.1.x, and enable dhcp on the uc to broadcast this ip range. but what would the gateway be ? the lan ip of the uc ? i.e. 192.168.1.xx ?  
you have to pay attention to the fact that the uc has to be able to connect to the net, but i want to prevent the users from plugging in their pc's in the phone jack and getting internet access. is it possible ? wouldn't that imply that juniper distinguishes between trafic generated by the uc itself and the phones/connected hardware?
in summary, the uc would communicate with the sbs machine over its wan port, right? do you know if it's possible to change the security features (open ports on the uc)? i heard it was pretty tough...

Yes, local ip on wan is same as subnet on exchange 0.x.  The gw would be the Juniper address, most likely 0.1.

DHCP would be 1.x and I am assuming the UC will route and therefore allow web.

You are right that the traffic would look the same.  I meant that you would restrict web traffic on that port so that the devices would not have access to the web.  You could allow ONLY web traffic to a particular IP address if your concern is that you want the UC box to communicate to some other location.

The firewall can block all UC traffic or allow only traffic to/from where you want.  Of course,, any PC would also have that capability, but they could easily plug into an existing Ethernet outlet or wireless so risk is minimal.

I will check the UC config options, but if you can modify the DHCP, push out to the data network a fake DNS server or bad Gateway.  That will lock out the PC from the Web.

It would not surprise me if you find a way to either a) turn off the data port on the phone or b) block ports 80/443/25/etc.  See: http://www.cisco.com/en/US/products/ps7287/index.html

It looks like fun system!

All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck

very interesting answer, tnx for the help. will wait or more input from you.
i actually have two groups of ip's on my juniper, one being allowed partial internet access and the other full internet access. i may have said that earlier.
so if we complicate things a bit, let's say i want to plug a pc belonging to the group of "limited internet ips" or "full internet" on the uc, would the rules of the juniper still function properly? my pc ips are in the .0.x range.
as far as i know, if data trafic is routed through the uc, the natting prevents the juniper on the wan side to identify the trafic...unless we can have the uc do it transparently, buti doubt it would work in this case. any thoughts ?
da guy who intalled is pushing for connecting the lan of the uc to the switch, and that i strongly disagree with.

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.