Specifications

MBG Engineering Guidelines, Release 8.0
15 Appendix A: Firewall Configuration Reference
The information in this section is provided to allow configuration of a customer's firewall for the Mitel Border Gateway in a DMZ deployment. In the "MBG server as the gateway" deployment this configuration is applied automatically. In all rules below, "server" refers to the Mitel Border Gateway server (that is, the MSL server). In the Direction column, the arrow indicates the direction in which new connections are permitted to be initiated. These rules assume a stateful firewall that permits return traffic on an existing established connection.
Port Range: TCP 22 (SSH)
Direction: Server -> Internet
Purpose and Description: AMC Communications. Allow outbound packets (and replies) on TCP port 22 between the MBG server and the Internet to enable server registration, software and license key downloads, alerts, and reporting.

Port Range: TCP 22 (SSH)
Direction: Internet -> Server
Purpose and Description: Remote SSH access (Optional). If the admin wishes to administer the MBG server remotely via the command line over the Internet, this rule is required.

Port Range: TCP 22 (SSH)
Direction: LAN -> Server
Purpose and Description: Remote SSH access (Optional). If the admin wishes to administer the MBG server remotely via the command line from the LAN, this rule is required.

Port Range: UDP 53 (DNS)
Direction: Server -> Internet
Purpose and Description: DNS. The server requires DNS to look up the IP address of the Mitel AMC and for correct operation of SIP. Alternatively, the server can be configured to forward all DNS requests to another DNS server. See the MSL Installation and Administration Guide for details.

Port Range: TCP 443 (HTTPS)
Direction: Internet -> Server
Purpose and Description: Remote Server Management (Optional). Allow inbound and outbound packets on TCP port 443 between the MBG server and the Internet to allow remote management of the server, if required. HTTPS access to the manager on the external interface must also be explicitly enabled from the server manager interface. The firewall should be configured to limit HTTPS access to desired management hosts.

Port Range: TCP 443 (HTTPS)
Direction: Internet -> Server
Purpose and Description: Web Proxy client connections (Optional). If using the Web Proxy application, traffic must be permitted between the Internet and the proxy in the DMZ.

Port Range: TCP 443 (HTTPS)
Direction: LAN -> Server
Purpose and Description: Local Server Management. Allow inbound and outbound packets on TCP port 443 between the MBG server and the LAN to allow for management of the server. HTTPS access to the manager on the external interface must also be explicitly enabled from the server-manager interface. The firewall should be configured to limit HTTPS access to desired management hosts.

Port Range: UDP 20000 to the configured upper bound in the Advanced tab (SRTP)
Direction: Internet -> Server; LAN -> Server
Purpose and Description: Voice Communications. Allow incoming SRTP on UDP ports 20000 to the configured upper bound from all streaming devices on the LAN and the Internet. Misconfiguration here is a common cause of one-way audio problems. Note that as of release 7.0, MBG defaults to using even-numbered ports for RTP, leaving the odd-numbered ports for RTCP. The Internet portion of this rule can be safely omitted in the absence of Internet traffic.
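The rule table above translated into a generated nftables ruleset for the customer firewall, as an added example that is not part of the Mitel guide and not an MBG-supplied script. It assumes a three-interface firewall (placeholder names wan0, lan0, dmz0) with the MBG server at a placeholder DMZ address 192.0.2.10, emits one rule per row of the table, limits management access to listed hosts as the table recommends, makes the optional rows switchable, and rejects an SRTP upper bound outside the 20000 to 65535 range that the table's "one-way audio" note warns about. All environment variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Mitel guide: emit an nftables ruleset for the
# customer firewall in front of an MBG server in the DMZ, one rule per row of
# the Appendix A table. Interface names and addresses are assumed placeholders.

WAN_IF="${WAN_IF:-wan0}"          # assumed: firewall interface facing the Internet
LAN_IF="${LAN_IF:-lan0}"          # assumed: firewall interface facing the corporate LAN
DMZ_IF="${DMZ_IF:-dmz0}"          # assumed: firewall interface facing the DMZ
MBG_IP="${MBG_IP:-192.0.2.10}"    # assumed: DMZ address of the MBG server

# Inputs (environment variables, all names assumed by this example):
#   MBG_SRTP_UPPER    upper bound of the SRTP range configured on the MBG Advanced tab (required)
#   MBG_LAN_MGMT      comma-separated LAN hosts allowed SSH/HTTPS to the server (required)
#   MBG_REMOTE_MGMT   comma-separated Internet hosts allowed HTTPS management (empty = disabled)
#   MBG_REMOTE_SSH    yes/no, optional Internet -> Server SSH, limited to MBG_REMOTE_MGMT (default no)
#   MBG_WEB_PROXY     yes/no, Web Proxy client connections on TCP 443 from the Internet (default no)
#   MBG_INTERNET_SRTP yes/no, Internet portion of the SRTP row (default yes)
mbg_ruleset() {
    upper="${MBG_SRTP_UPPER:-}"
    # The MBG SRTP range starts at UDP 20000; reject an upper bound that is
    # non-numeric or outside 20000..65535 before emitting anything.
    case "$upper" in
        ''|*[!0-9]*) echo "MBG_SRTP_UPPER must be numeric" >&2; return 1 ;;
    esac
    if [ "$upper" -lt 20000 ] || [ "$upper" -gt 65535 ]; then
        echo "MBG_SRTP_UPPER must be between 20000 and 65535" >&2; return 1
    fi
    if [ -z "${MBG_LAN_MGMT:-}" ]; then
        echo "MBG_LAN_MGMT must list at least one management host" >&2; return 1
    fi

    cat <<EOF
table inet mbg_dmz {
    set lan_mgmt { type ipv4_addr; elements = { $MBG_LAN_MGMT } }
EOF
    if [ -n "${MBG_REMOTE_MGMT:-}" ]; then
        cat <<EOF
    set remote_mgmt { type ipv4_addr; elements = { $MBG_REMOTE_MGMT } }
EOF
    fi
    cat <<EOF
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic on established connections is permitted, as the table assumes
        ct state established,related accept
        ct state invalid drop
        # Server -> Internet: AMC communications (TCP 22) and DNS (UDP 53)
        iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $MBG_IP tcp dport 22 accept
        iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $MBG_IP udp dport 53 accept
        # LAN -> Server: SSH and local server management, limited to management hosts
        iifname "$LAN_IF" oifname "$DMZ_IF" ip saddr @lan_mgmt ip daddr $MBG_IP tcp dport { 22, 443 } accept
        # LAN -> Server: SRTP from streaming devices on the LAN (whole range, RTP and RTCP ports)
        iifname "$LAN_IF" oifname "$DMZ_IF" ip daddr $MBG_IP udp dport 20000-$upper accept
EOF
    if [ "${MBG_INTERNET_SRTP:-yes}" = yes ]; then
        cat <<EOF
        # Internet -> Server: SRTP from streaming devices on the Internet
        iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $MBG_IP udp dport 20000-$upper accept
EOF
    fi
    if [ -n "${MBG_REMOTE_MGMT:-}" ]; then
        ports="443"
        if [ "${MBG_REMOTE_SSH:-no}" = yes ]; then ports="{ 22, 443 }"; fi
        cat <<EOF
        # Internet -> Server: remote server management (optional), limited to listed hosts
        iifname "$WAN_IF" oifname "$DMZ_IF" ip saddr @remote_mgmt ip daddr $MBG_IP tcp dport $ports accept
EOF
    fi
    if [ "${MBG_WEB_PROXY:-no}" = yes ]; then
        cat <<EOF
        # Internet -> Server: Web Proxy client connections (optional)
        iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $MBG_IP tcp dport 443 accept
EOF
    fi
    cat <<EOF
    }
}
EOF
}

# Usage (placeholder values): MBG_SRTP_UPPER=29999 MBG_LAN_MGMT="10.0.0.5, 10.0.0.6" sh this_script.sh | nft -f -
if [ "${MBG_GENERATE:-no}" = yes ]; then
    mbg_ruleset
fi
```

The generated ruleset is meant to be reviewed and loaded with `nft -f -` on the firewall; rules the table marks Optional are omitted unless explicitly switched on, and the Internet half of the SRTP row can be dropped with MBG_INTERNET_SRTP=no where no Internet streaming devices exist, mirroring the table's note.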