In which network zone to place Elastix?

lautenbacher (joined Jan 3, 2011)
#1
Hello all!

I am maintaining a network with 4 zones, as shown in this picture: http://de.wikipedia.org/w/index.php?tit ... 0926142044

Here is some explanation:

Red Zone: The unprotected outside world of the internet to which my firewall is connected.

Green Zone: My internal network. Everybody from Green can access computers in all the other zones freely, but no computer from any other zone can access anything in Green.

Orange Zone: The so-called Demilitarized Zone (DMZ): It cannot reach other computers in Green or Blue, only in Red. Some ports from Red might be opened to reach Orange, so that I can host internet servers in there which must be reachable from outside, e.g. a web server.

Blue Zone (WLAN): Can only reach computers in Red. Only computers from Green have access to this zone.

And here is the question:
Where is the best place to put my Elastix telephony server, Orange or Green?

Scenario Green:
If I place it there, all soft- and hardphones would be in Green, too, which would make things very easy. They could reach the Elastix server without any problem, since it is in the same zone. But: the Elastix server is not reachable passively from outside! So the question is: Is it enough if my Elastix opens a port to the outer world by registering at my SIP provider, and then keeps this connection to my SIP provider active for incoming calls? Or does the SIP provider need to be able to contact me, even if there is no open connection? In this case it would not be possible to host Elastix in the Green Zone.

Scenario Orange:
If I place Elastix in the Orange zone, I could forward the needed ports from Red to Orange. In this case, the "outside" world, e.g. my SIP provider, can contact my Elastix server anytime, even if there is no active open connection between them. Since the needed network port is open and forwarded from Red to Orange, any communication attempt from outside will reach Elastix.
As for the soft/hardphones, there would be two different scenarios for them:
a) I place them in the Orange Zone, too. This would make everything very easy in terms of communication between them and the Elastix box. But it would make my general network setup very complicated, since it is much easier for me to place the hardphones in Green, and even impossible to place the softphones in Orange, since they run on computers located in the Green zone.
b) I place soft/hardphones in Green. Then we have again a quite similar question as before: Is it enough if the phones open a port from Green to Orange and keep it open? Do my telephones do something like that, e.g. when registering at my Elastix server? Or is the connection closed after registering, so that the Elastix box must be able to talk to the phones (e.g. incoming call) even if there is no open connection between them?

The whole problem distills to one general question:

If my phones register at Elastix and Elastix registers at my SIP providers: Are these connections maintained actively the whole time? Or are there cases in which my SIP provider needs to talk to my Elastix (or my Elastix box needs to talk to my phones) without any prior open connection between those communication partners?

Thank you for any information about this!

Best regards
Tom
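As an added illustration (not from the thread or from the Elastix project), here is a small Python model of what a stateful firewall actually keeps for a SIP-over-UDP flow: there is no persistent "connection", only a state entry with an idle timeout that outbound REGISTER refreshes keep alive, and an inbound INVITE from the provider only passes while that entry is alive or while a static forward (the "Orange" scenario) exists. Host names, ports, intervals and timeouts are constructed for the example.

```python
# Constructed model of a stateful firewall's UDP state table (not real firewall code).
from dataclasses import dataclass, field


@dataclass
class StatefulFirewall:
    udp_timeout: int                                 # idle seconds before a state entry is dropped
    forwards: set = field(default_factory=set)       # static DNAT targets reachable from Red at any time
    table: dict = field(default_factory=dict)        # (inside, outside) flow -> time last seen

    def outbound(self, inside, outside, now):
        """Packet from a protected zone towards Red creates or refreshes a state entry."""
        self.table[(inside, outside)] = now

    def inbound(self, outside, inside, now):
        """Packet from Red towards a protected host. Delivered only if a static
        forward exists or a matching state entry is still within its timeout."""
        if inside in self.forwards:
            return True
        last = self.table.get((inside, outside))
        if last is not None and now - last <= self.udp_timeout:
            self.table[(inside, outside)] = now       # reply traffic refreshes the entry too
            return True
        return False


def invite_reaches_pbx(register_interval, udp_timeout, call_at, forwarded=False):
    """The PBX re-REGISTERs every register_interval seconds starting at t=0; the
    provider sends an INVITE at call_at. Returns whether the INVITE gets through."""
    pbx = ("elastix.green.example", 5060)             # constructed names; 5060 is the usual SIP port
    provider = ("sip.provider.example", 5060)
    fw = StatefulFirewall(udp_timeout, forwards={pbx} if forwarded else set())
    t = 0
    while t <= call_at:
        fw.outbound(pbx, provider, t)                 # REGISTER refresh (or keep-alive) packet
        t += register_interval
    return fw.inbound(provider, pbx, call_at)


if __name__ == "__main__":
    # Green scenario, refresh faster than the firewall's UDP timeout: call arrives.
    print(invite_reaches_pbx(register_interval=60, udp_timeout=120, call_at=500))
    # Green scenario, refresh slower than the timeout: the INVITE is silently dropped.
    print(invite_reaches_pbx(register_interval=3600, udp_timeout=60, call_at=500))
    # Orange scenario with a static forward: the registration timing no longer matters.
    print(invite_reaches_pbx(register_interval=3600, udp_timeout=60, call_at=500, forwarded=True))
```

The same reasoning applies to the RTP media ports of each call, which is why a firewall that only tracks the signalling flow can pass the INVITE and still produce one-way audio.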
dicko (joined Oct 24, 2008)
#2
Your providers and external extensions need connections forwarded bi-directionally without port translation or other "helper" functions that sometimes don't help. These connections need to be maintained from the internet to your server without molestation; there should be no attempt from your firewall to curtail or impede them, as is attempted by some over-eager firewalls.

Your internal extensions need the same courtesy from your firewall but these internal connections are usually less of a problem.

It really doesn't matter what "color" you call them. You really need your advice to come from the provider of your firewall. What's green to one vendor is purple-spotted to another. I'm not trying to be facetious, it's just that there are no standards for what firewalls call their "zones" or even what a "zone" is. Don't forget the internet is color-blind; it is your particular firewall that colors it to its own conceit.

regards

dicko
lautenbacher (joined Jan 3, 2011)
#3
Hello dicko,
thank you very much for the time you spent to help me!

dicko said:
Your providers and external extensions need connections forwarded bi-directionally without port translation or other "helper" functions that sometimes don't help. These connections need to be maintained from the internet to your server without molestation; there should be no attempt from your firewall to curtail or impede them, as is attempted by some over-eager firewalls.

If I understand you correctly, the Asterisk server needs a direct connection from the outside world, so if I make a plain port forward (1:1 NAT) from the firewall to Elastix in the DMZ ("orange" in my setup), then everything should be fine, shouldn't it?
Do you know which ports I need to forward?

dicko said:
Your internal extensions need the same courtesy from your firewall but these internal connections are usually less of a problem.

Do the extensions also need to be reachable on Elastix's initiative, or is it enough if the extensions can reach Elastix (e.g. because they keep the connection alive once they have registered at Elastix)? In other words: Do the extensions need to be in the same DMZ, or can they be in the internal network?
I have been told elsewhere that if I want to use the Endpoint Manager, the extensions have to be in the same zone as Elastix, and that if I go without the Endpoint Manager, it is OK to place the extensions in the internal zone (when having Elastix in the DMZ (orange) zone). Can you confirm this?

dicko said:
It really doesn't matter what "color" you call them. You really need your advice to come from the provider of your firewall. What's green to one vendor is purple-spotted to another. I'm not trying to be facetious, it's just that there are no standards for what firewalls call their "zones" or even what a "zone" is. Don't forget the internet is color-blind; it is your particular firewall that colors it to its own conceit.

Yes, of course. That is why I initially defined in my posting what I mean by each color, so that we have a common base of understanding in this thread.

Thank you very much!
Tom
fmvillares (joined Sep 8, 2007)
#4
Every network admin is different, so analyze your necessities and act in consequence... In my case I always create 2 servers for every vital system: 1 honeypot to attract all the scammers etc., on a direct internet connection with no firewall and with IDS functions, and in the DMZ the protected but "internet open like" real Asterisk server.

hope it helps
Lee Sharp (joined Sep 28, 2010)
#5
One note of importance. The Endpoint Configurator will only work if the phone is on the same local network as the Elastix server. This is why mine has multiple NICs. This does add a lot of routing complexity, however.
fmvillares (joined Sep 8, 2007)
#6
You need to use a real endpoint configurator like the colsogrp FreePBX endpoint manager...
It supports all the networks you have, of course one at a time...