Author Topic: Securing a MAS  (Read 4429 times)

Offline PokerMunkee

  • Jr. Member
  • **
  • Posts: 33
  • Country: us
  • Karma: +1/-0
    • View Profile
Securing a MAS
« on: March 28, 2014, 12:10:45 AM »
Our MAS was installed with two NICs, one internal and one external.  It's in the Server-Gateway config.  Teleworker works fine, but I'm now concerned with the security of the built in Linux firewall.  I see there are other options where you can put the MBG on a different server in the DMZ, which is way better in my opinion.

Are there firewall settings for the MAS?  I can't find anything.  I can ping my external IP, which I'd like to disable.  I can also access the 'My Unified Communications' portal from the Internet, which I don't want. 

-PM.


Offline martyn

  • Hero Member
  • *****
  • Posts: 688
  • Country: au
  • Karma: +10/-0
    • View Profile
Re: Securing a MAS
« Reply #1 on: March 28, 2014, 12:38:44 AM »
The MBG component is it's own firewall in essence, so it only listens on the ports required, and in some instances from only the endpoints that are already registered with it, so really the appliance is as hardened as it needs to be, and is possibly better at firewalling than what some lower end routers out there would be.

Offline acejavelin

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4100
  • Country: us
  • Karma: +133/-0
  • High-tech, heavy metal redneck!
    • View Profile
    • Like what I do and wanna help out? Send me a donation!
Re: Securing a MAS
« Reply #2 on: March 28, 2014, 09:17:13 AM »
There is no need to move the MBG into the DMZ, although that will work I have had much better experiences in Server-Gateway mode. It should be pingable from the public internet to function properly, even in a DMZ environment, and you can turn off the access to the My UCA portal in the MBG configuration if you don't want that to be available from the outside world.

Offline ralph

  • Mitel Forums Admin
  • Hero Member
  • *****
  • Posts: 5767
  • Country: us
  • Karma: +469/-0
  • Published Author: http://amzn.to/2dcYSY5
    • View Profile
Re: Securing a MAS
« Reply #3 on: March 28, 2014, 09:47:18 AM »
I understand your concerns.
At one time I did some security and I wanted control of what was coming in and out of the network.

I've attached an excerpt from the engineering docs that I think is what you're looking for.

Ralph

Offline PokerMunkee

  • Jr. Member
  • **
  • Posts: 33
  • Country: us
  • Karma: +1/-0
    • View Profile
Re: Securing a MAS
« Reply #4 on: March 28, 2014, 04:04:24 PM »
Thanks guys.

I went in and deleted the external NIC (logged into command and reconfig'd server).

I setup port forwarding in my firewall to the MAS and got teleworker to work.  I feel much better going this route.

Offline PokerMunkee

  • Jr. Member
  • **
  • Posts: 33
  • Country: us
  • Karma: +1/-0
    • View Profile
Re: Securing a MAS
« Reply #5 on: March 28, 2014, 04:15:36 PM »
I shouldn't have spoken so soon.  Now the phone is saying "Waiting for ACK..."

Hopefully just missing a port.  What a PITA.

Offline acejavelin

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4100
  • Country: us
  • Karma: +133/-0
  • High-tech, heavy metal redneck!
    • View Profile
    • Like what I do and wanna help out? Send me a donation!
Re: Securing a MAS
« Reply #6 on: March 28, 2014, 04:22:51 PM »
You cannot "port forward" or NAT translate anything to MBG, it must be in a TRUE DMZ or have it's own public IP address connected to the public internet.

It can be behind an external firewall with the ports opened (not forwarded) to it, but it just cannot be firewalled with NAT.
« Last Edit: March 28, 2014, 04:24:38 PM by acejavelin »

Offline PokerMunkee

  • Jr. Member
  • **
  • Posts: 33
  • Country: us
  • Karma: +1/-0
    • View Profile
Re: Securing a MAS
« Reply #7 on: March 28, 2014, 04:55:49 PM »
You cannot "port forward" or NAT translate anything to MBG, it must be in a TRUE DMZ or have it's own public IP address connected to the public internet.

It can be behind an external firewall with the ports opened (not forwarded) to it, but it just cannot be firewalled with NAT.

Thanks for the quick reply.  I enabled the external NIC and have my test unit working again. 

I am trying to find where to disable the My UCA Portal.  Where do I find this at?  Everything under the Applications tab is disabled.

Offline johnp

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2202
  • Country: us
  • Karma: +66/-0
    • View Profile
Re: Securing a MAS
« Reply #8 on: March 28, 2014, 06:06:53 PM »
You may be able to change it using db commands to internal only. You could also custom template the landing page

Offline PokerMunkee

  • Jr. Member
  • **
  • Posts: 33
  • Country: us
  • Karma: +1/-0
    • View Profile
Re: Securing a MAS
« Reply #9 on: March 29, 2014, 12:48:45 AM »
I disabled port 80 and 443 (Portal) on my external IP.  I did this by creating port forwarding rules under Security --> Port Forwarding for ports 80 and 443 to bogus destination IP's.  Works! :D


 

Sitemap 1 2 3 4 5 6 7 8 9 10