MiCollab Security

[jnickrand]

We just recently put in a Mitel 3300 and have many users using the MiCollab software phones.  We had to open up a lot of ports via the documentation to make this work.  Just wondering how big of a security risk this is and what others might be doing differently.

[lundah]

For basic MiCollab and softphone, you only need 2 TCP ports and the RTP ports. Pretty standard for any softphone. It can be locked down enough that it passes PCI scans, how much more secure do you need it to be?

[jnickrand]

Right now we have the following ports open:

https, http, 20000-30999(udp), 32000-32500(udp),50000-50999(udp), 5060(udjp), 4443, 36008, 5060, 5063, 6801,5061.

This is what our business partner gave us and said we had to open.

[acejavelin]

MiCollab has a wide variety of ports to open... I really, REALLY dislike putting this in LAN or DMZ mode... Use two connections, one for LAN and one for WAN and put a public IP directly on it. It is designed to work in this way and will only allow authorized traffic though it and it's easier to manage.

[lundah]

Right now we have the following ports open:

https, http, 20000-30999(udp), 32000-32500(udp),50000-50999(udp), 5060(udjp), 4443, 36008, 5060, 5063, 6801,5061.

This is what our business partner gave us and said we had to open.

Depending on the details of your setup, all of those ports may be required. Either way, all traffic is authenticated, so what's the concern here? Ports need to be open for machines to talk to each other, you can't avoid that.

[Dogbreath]

The server is designed specifically to be internet-facing. The admin interface accepts connections only from specific IPs by default [they will presumably have asked you where you want to manage it from in order to populate the list]. So long as you keep on top of updates then I don't think you've anything to worry about.