Author Topic: List of recommended ports to expose to the outside world?  (Read 9877 times)

Offline cholzhauer

  • Full Member
  • ***
  • Posts: 194
  • Country: us
  • Karma: +1/-0
    • View Profile
List of recommended ports to expose to the outside world?
« on: September 23, 2014, 09:24:09 AM »
Can someone link me to a list of ports that I should allow through my firewall?  I've found http://blog.denwa.uk.com/mitel-5000-firewall-ports-guide-setting-remote-phones/ but wasn't sure how accurate it is.

Thanks


Offline akuhn

  • Sr. Member
  • ****
  • Posts: 339
  • Karma: +1/-0
    • View Profile
Re: List of recommended ports to expose to the outside world?
« Reply #1 on: September 23, 2014, 09:27:58 AM »
Frequent question. Here is a previous post.

http://mitelforums.com/forum/index.php?topic=2508.msg9658#msg9658


Offline Tech Electronics

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2973
  • Country: us
  • Karma: +86/-1
    • View Profile
Re: List of recommended ports to expose to the outside world?
« Reply #2 on: September 23, 2014, 09:37:22 AM »
Cholzhauer,

What would be the purpose for this? We do not want to open ports up just to be opening them up for the possible future for all applications.

Thanks,

TE

Offline cholzhauer

Re: List of recommended ports to expose to the outside world?
« Reply #3 on: September 23, 2014, 11:26:26 AM »
Here's a quick background:

We followed the recommendations from our Mitel vendor when we first installed the system about two years ago. It turns out that one of those recommendations was to allow SIP traffic (even though we weren't using SIP at the time) and we ended up getting hacked. I have a bunch of ports still open (for teleworkers to connect) and I want to make sure I'm not opening myself up to too much.

Offline Tech Electronics

Re: List of recommended ports to expose to the outside world?
« Reply #4 on: September 23, 2014, 02:04:17 PM »
Cholzhauer,

Well, it really depends on your setup on which ports you would need open and which ones should be closed. In both links, Denwa and Mitel Forums, there are ports to be open based on certain criteria and not necessarily needed for your setup to work properly. If all you are worried about are remote phones that are 52XX/53XX style phones then you only need a certain subset of the ones shown on both links for them to work properly.

Take for instance Denwa's site. They are providing you with ports for DHCP to be opened which would not be necessary since you are not requesting DHCP most likely from your network for the phones to work properly. They also show you the ports needed for 86XX series phones to work which would not be necessary if you are not using those style phones. As for the Mitel Forums link they are telling you about UCA SIP Softphones which require a few more ports to be opened up for the UCA portion. If you are not using UCA then you do not need those ports opened up either.

In the end you should be able to get the exact ports you need opened up from the vendor who set up your system and knows how and why you need certain ports opened up for the applications you are using. I hate handing out a bunch of ports for someone to open up or close if they are not needed which in the end could cause a security issue on your network or the loss of functionality if ports for other functions that were unknown to be on the site were shut down.

If you could give us some very specific applications then we could most definitely provide you with the proper ports to be opened up for those applications to work.

Thanks,

TE

Offline cholzhauer

Re: List of recommended ports to expose to the outside world?
« Reply #5 on: September 23, 2014, 02:18:28 PM »
All we're doing on the outside is SIP (I have that under control) and a multitude of 5340 IP phones.

Offline Tech Electronics

Re: List of recommended ports to expose to the outside world?
« Reply #6 on: September 24, 2014, 09:57:40 AM »
Cholzhauer,

Alright, so if all you have are SIP and Mitel 52xx/53xx style phones then all you would need open are the following ports.

UDP - Bidirectional
69 or 20001    TFTP
50098-50508    Phone Audio RTP
6004-6261      Base Processor Audio Receive RTP
6604-7039      Expansion Processor Audio Receive RTP
5567           Processor Call Control - General Purpose
5060           SIP

TCP - Bidirectional
6800-6802      MiNet
3998-3999      Switch Application Communication [SAC]
5566           Processor Call Control
5060           SIP

If you do not have an Expansion Card [PEC-1] on your Base Processor then you do not need the ports opened up for that. If you do have an Expansion Card, which would have to have its own Public IP address, then you would open those ports up for it. Keep in mind that you have to do this for both Public IP addresses.

If you need Database Programming and/or System Administration and Diagnostics [SA&D] to work as well then open the following ports.

TCP
44000          Secure Database Programming
443            Secure SA&D Web Interface <- I don't recommend opening this up for remote use
22             SSH <- I do not recommend opening this up without shutting it off in the system

If you have a networked system going through your firewall then you would need to open up the following ports as well.

UDP
6004           Base Processor Audio Receive RTP <- If you have remote phones this is already opened

TCP
5570           Processor Call Control Port

Thanks,

TE

Offline cholzhauer

Re: List of recommended ports to expose to the outside world?
« Reply #7 on: September 24, 2014, 11:06:51 AM »
Thank you for the detailed response.  I've edited my ports to reflect what you've posted. (I have SIP allowed, but only to four specific IP addresses)

This is what I had before

tcp/3998-4000, tcp/44000, tcp/5566, tcp/6800-6802, tcp/6880, udp/20001, udp/5004-5007, udp/6004-6261, udp/tftp

Offline Tech Electronics

Re: List of recommended ports to expose to the outside world?
« Reply #8 on: September 24, 2014, 12:01:33 PM »
> This is what I had before
>
> tcp/3998-4000, tcp/44000, tcp/5566, tcp/6800-6802, tcp/6880, udp/20001, udp/5004-5007, udp/6004-6261, udp/tftp

Cholzhauer,

Port 4000 [TCP] is used for non-secure database programming and should definitely be shut down once you are on a version that has port 44000 available, which apparently you do.

Other than that you should be good with the ports I listed and be able to remove any other PAT programming that is pointed to the Mitel 5000 controller.

Thanks,

TE
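
Added example, not part of the forum posts: a small Python audit that compares an exposed rule list against the ports given in Reply #6 for remote 52xx/53xx phones plus SIP, and reports what is open but not needed and what is needed but not open. The function names, the `also_allow` parameter and the `proto/port` input format (taken from the list in Reply #7) are assumptions of this example.

```python
import re

# Allow-list from Reply #6: remote 52xx/53xx phones plus SIP, base processor
# only (no PEC-1 expansion card, no remote database programming or SA&D).
ALLOWED = ("udp/69, udp/20001, udp/50098-50508, udp/6004-6261, udp/5567, "
           "udp/5060, tcp/6800-6802, tcp/3998-3999, tcp/5566, tcp/5060")
SERVICES = {"tftp": 69}      # service name used in the posted rule list
TFTP_EITHER = {69, 20001}    # Reply #6 lists TFTP as "69 or 20001"

# Sample input: the "what I had before" rule list posted in Reply #7.
BEFORE = ("tcp/3998-4000, tcp/44000, tcp/5566, tcp/6800-6802, tcp/6880, "
          "udp/20001, udp/5004-5007, udp/6004-6261, udp/tftp")


def parse(rules):
    """Parse 'proto/port', 'proto/lo-hi' or 'proto/name' items into port sets."""
    ports = {"tcp": set(), "udp": set()}
    for rule in filter(None, (r.strip().lower() for r in rules.split(","))):
        proto, _, spec = rule.partition("/")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
        if proto not in ports or not (m or spec in SERVICES):
            raise ValueError(f"unrecognised rule: {rule!r}")
        lo = int(m[1]) if m else SERVICES[spec]
        hi = int(m[2] or m[1]) if m else lo
        ports[proto].update(range(lo, hi + 1))
    return ports


def ranges(ports):
    """Collapse a set of ports into sorted 'a' / 'a-b' strings for the report."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1][1] = p
        else:
            out.append([p, p])
    return [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in out]


def audit(rules, also_allow=""):
    """Return (excess, missing): ports exposed but not needed, and the reverse."""
    exposed, allowed = parse(rules), parse(ALLOWED + ", " + also_allow)
    excess = {p: ranges(exposed[p] - allowed[p]) for p in exposed}
    missing = {p: allowed[p] - exposed[p] for p in exposed}
    if exposed["udp"] & TFTP_EITHER:     # one TFTP port is enough
        missing["udp"] -= TFTP_EITHER
    return excess, {p: ranges(s) for p, s in missing.items()}


if __name__ == "__main__":
    print(audit(BEFORE))
```

Run on the earlier rule list, the audit reports tcp/4000, tcp/6880, tcp/44000 and udp/5004-5007 as excess; passing `also_allow="tcp/44000"` accepts secure database programming where it is actually needed. Port 5060 shows as missing because the poster handles SIP in a separate rule limited to four source addresses.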


 
