In which network zone to place Elastix?

Discussion in 'General' started by lautenbacher, Jan 3, 2011.

  1. lautenbacher

    Hello all!

    I am maintaining a network with 4 zones, as shown in this picture: http://de.wikipedia.org/w/index.php?tit ... 0926142044

    Here is some explanation:

    Red Zone: The unprotected outside world of the internet to which my firewall is connected.

    Green Zone: My internal network. Everybody from Green can access computers in all the other zones freely, but no computer from any other zone can access anything in Green.

    Orange Zone: The so-called Demilitarized Zone (DMZ): It can not reach other computers in Green or Blue, only in Red. Some ports from Red might be opened to reach Orange, so that I can host internet servers in there which must be reachable from outside, e.g. a Webserver.

    Blue Zone (WLAN): Can only reach computers in red. Only computers from Green have access to this zone.

    And here is the question:
    Where is the best place to place my Elastix-Telephony-Server, Orange or Green?

    Scenario Green:
    If I place it there, all soft- and hardphones would be in Green, too, which would make things very easy. They could reach the Elastix server without any problem, since it is in the same zone. But: the Elastix server is not reachable passively from outside! So the question is: is it enough if my Elastix opens a port to the outer world by registering at my SIP provider, and then maintains this connection to my SIP provider actively for incoming calls? Or does the SIP provider need to be able to contact me, even if there is no open connection? In this case it would not be possible to host Elastix in the Green Zone.

    Scenario Orange:
    If I place Elastix in the Orange zone, I could forward the needed ports from Red to Orange. In this case the "outside" world, e.g. my SIP provider, can contact my Elastix server at any time, even if there is no active open connection between them. Since the needed network port is open and forwarded from Red to Orange, any communication attempt from outside will reach Elastix.
    As for the soft/hardphones, there would be two different scenarios for them:
    a) I place them in the Orange Zone, too. This would make everything very easy in terms of communication between them and the Elastix box. But it would make my general network setup very complicated, since it is much easier for me to place the hardphones in Green, and even impossible to place the softphones in Orange, since they run on computers located in the Green zone.
    b) I place the soft/hardphones in Green. Then we have again a quite similar question as before: is it enough if the phones open a port from Green to Orange and keep it open? Do my telephones do something like that, e.g. when registering at my Elastix server? Or is the connection closed after registering, so that the Elastix box must be able to talk to the phones (e.g. for an incoming call) even if there is no open connection between them?

    The whole problem distills to one general question:

    If my phones register at Elastix and Elastix registers at my SIP providers: are these connections maintained actively all the time? Or are there cases in which my SIP provider needs to talk to my Elastix (respectively my Elastix box to talk to my phones) without any prior open connection between those communication partners?

    Thank you for any information about this!

    Best regards
    Tom
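A small model of the general question above, added here as an illustration and not code from the thread, from Elastix or from Asterisk: a stateful firewall in front of a Green-zone PBX only lets the provider's packets in while it still remembers an outbound UDP flow from the PBX, so a registration that is refreshed only every hour does not keep that entry alive, whereas a static port forward (the Orange scenario) or a keepalive shorter than the firewall's UDP timeout does. The timeout, registration lifetime and provider name are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed assumptions for the model (not values from the thread):
UDP_TIMEOUT = 60         # seconds the firewall keeps a UDP state entry after the last packet
REGISTER_EXPIRES = 3600  # registration lifetime granted by the provider = re-REGISTER interval
PROVIDER = "sip-provider.example"  # placeholder provider name
SIP_PORT = 5060          # standard SIP signalling port


@dataclass
class Firewall:
    # static_forward=True models Orange (port forwarded from Red); False models
    # Green, where only traffic belonging to an outbound flow may come back in.
    static_forward: bool = False
    # (local port, remote host) -> time of the last packet the PBX sent out
    last_outbound: dict = field(default_factory=dict)

    def outbound(self, t, local_port, remote):
        """PBX -> provider packet (REGISTER or OPTIONS keepalive) refreshes the entry."""
        self.last_outbound[(local_port, remote)] = t

    def inbound_allowed(self, t, local_port, remote):
        """Provider -> PBX packet, e.g. an INVITE for an incoming call."""
        if self.static_forward:
            return True
        last = self.last_outbound.get((local_port, remote))
        return last is not None and t - last < UDP_TIMEOUT


def incoming_call_reaches_pbx(fw, keepalive_interval, call_at):
    """REGISTER at t=0 and re-REGISTER every REGISTER_EXPIRES seconds; if
    keepalive_interval > 0 also send an OPTIONS keepalive that often; then ask
    whether the provider's INVITE at second call_at gets through the firewall."""
    for interval in (REGISTER_EXPIRES, keepalive_interval):
        t = 0
        while interval and t < call_at:
            fw.outbound(t, SIP_PORT, PROVIDER)
            t += interval
    return fw.inbound_allowed(call_at, SIP_PORT, PROVIDER)


if __name__ == "__main__":
    print("Green, registration only:", incoming_call_reaches_pbx(Firewall(), 0, 120))  # False
    print("Green, keepalive 30 s:", incoming_call_reaches_pbx(Firewall(), 30, 120))  # True
    print("Green, keepalive 90 s > timeout:", incoming_call_reaches_pbx(Firewall(), 90, 80))  # False
    print("Orange, static forward:", incoming_call_reaches_pbx(Firewall(static_forward=True), 0, 120))  # True
```

The same reasoning applies between Green phones and an Orange PBX: the phones' registration alone only helps if the firewall's state lifetime outlasts the gap between their outbound packets.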
     
  2. dicko

    Your providers and external extensions need connections forwarded bi-directionally without port translation or other "helper" functions that sometimes don't help. These connections need to be maintained from the internet to your server without molestation; there should be no attempt from your firewall to curtail or impede them, as is attempted by some over-eager firewalls.

    Your internal extensions need the same courtesy from your firewall but these internal connections are usually less of a problem.

    It really doesn't matter what "color" you call them. You really need your advice to come from the provider of your firewall; what's green to one vendor is purple-spotted to another. I'm not trying to be facetious, it's just that there are no standards for what firewalls call their "zones" or even what a "zone" is. Don't forget the internet is color-blind; it is your particular firewall that colors it to their own conceit.

    regards

    dicko
     
  3. lautenbacher

    Hello dicko,
    thank you very much for your time that you spent to help me!

    If I understand you correctly, the Asterisk server needs a direct connection from the outside world, so if I make a plain port forward (1:1 NAT) from the firewall to Elastix in the DMZ ("orange" in my setup) then everything should be fine, shouldn't it?
    Do you know which ports I need to forward?

    Do the extensions also need to be reachable on Elastix' initiative, or is it enough if the extensions can reach Elastix (e.g. because they keep the connection alive once they have registered at Elastix)? In other words: do the extensions need to be in the same DMZ, or can they be in the internal network?
    I have been told elsewhere that if I want to use the Endpoint Manager, the extensions have to be in the same zone as Elastix, and that if I go without the Endpoint Manager, it is OK to place the extensions in the internal zone (when having Elastix in the DMZ (orange) zone). Can you confirm this?

    Yes, of course. Therefore I initially defined in my posting what I mean with each color, so that we have a common base of understanding in this thread.

    Thank you very much!
    Tom
     
  4. fmvillares

    Every network admin is different, so analyze your necessities and act in consequence... In my case I always create 2 servers for every vital system: 1 honeypot to attract all the scammers etc., on a direct internet connection with no firewall, with IDS functions, and in the DMZ the protected but "internet open like" real Asterisk server.

    hope it helps
     
  5. Lee Sharp

    One note of importance. The Endpoint Configurator will only work if the phone is on the same local network as the Elastix server. This is why mine has multiple NICs. This does add a lot of routing complexity, however.
     
  6. fmvillares

    You need to use a real endpoint configurator like the colsogrp FreePBX endpoint manager...
    It supports all the networks you have, of course one at a time...
     