Mitel Forums - The Unofficial Source
Mitel Forums => Mitel Software Applications => Topic started by: PokerMunkee on March 28, 2014, 12:10:45 AM
-
Our MAS was installed with two NICs, one internal and one external. It's in the Server-Gateway config. Teleworker works fine, but I'm now concerned with the security of the built in Linux firewall. I see there are other options where you can put the MBG on a different server in the DMZ, which is way better in my opinion.
Are there firewall settings for the MAS? I can't find anything. I can ping my external IP, which I'd like to disable. I can also access the 'My Unified Communications' portal from the Internet, which I don't want.
-PM.
-
The MBG component is its own firewall in essence, so it only listens on the ports required, and in some instances from only the endpoints that are already registered with it, so really the appliance is as hardened as it needs to be, and is possibly better at firewalling than what some lower end routers out there would be.
-
There is no need to move the MBG into the DMZ. Although that will work, I have had much better experiences in Server-Gateway mode. It should be pingable from the public internet to function properly, even in a DMZ environment, and you can turn off the access to the My UCA portal in the MBG configuration if you don't want that to be available from the outside world.
-
I understand your concerns.
At one time I did some security and I wanted control of what was coming in and out of the network.
I've attached an excerpt from the engineering docs that I think is what you're looking for.
Ralph
-
Thanks guys.
I went in and deleted the external NIC (logged into command and reconfig'd server).
I set up port forwarding in my firewall to the MAS and got teleworker to work. I feel much better going this route.
-
I shouldn't have spoken so soon. Now the phone is saying "Waiting for ACK..."
Hopefully just missing a port. What a PITA.
-
You cannot "port forward" or NAT translate anything to MBG, it must be in a TRUE DMZ or have its own public IP address connected to the public internet.
It can be behind an external firewall with the ports opened (not forwarded) to it, but it just cannot be firewalled with NAT.
-
Thanks for the quick reply. I enabled the external NIC and have my test unit working again.
I am trying to find where to disable the My UCA Portal. Where do I find this at? Everything under the Applications tab is disabled.
-
You may be able to change it using db commands to internal only. You could also custom template the landing page
-
I disabled port 80 and 443 (Portal) on my external IP. I did this by creating port forwarding rules under Security --> Port Forwarding for ports 80 and 443 to bogus destination IPs. Works! :D