Hi List,
We have a few local domains for which we will be using SER to act as a proxy and to protect our gateway. In the near future we will also be providing PSTN breakout for other SIP domains that are not on our proxy.
What is the best way to allow traffic from certain known SIP domains out through our gateways? I've thought about having users authenticate to our proxy, but this could get very complex and messy serving multiple local & remote domains. Other option is just to allow traffic through from the trusted domains I guess.
One last question, is anyone familiar with the Cisco AS5300? How do you go about locking it down so that only authorised users can pass calls out onto the PSTN? We have a number of Vega 100s that have the option of only allowing proxy-invited calls. Is there something similar on the AS5300 or would that have to do authentication as well, AAA?
I know that this question is slightly off topic, but with it being related I thought someone may be able to answer my question.
Many Thanks,
Alan
------------------------------------------------------------------------------------------------------- This email, and any files transmitted with it, is copyright and may contain confidential information. The contents are intended for the use of the addressee(s) only. Unauthorized use may be unlawful. If you receive this email by mistake, please advise sender immediately. The views of the author may not necessarily constitute the views of Telco Electronics Limited. Nothing in this mail shall bind Telco Electronics Limited in any contract or obligation.
Telco Electronics Limited 6-8 Oxford Court Brackley Northants NN13 7XY
Tel 07000 701999 Fax 07000 701777
On Wed, 11 Feb 2004, Alan Litster wrote:
> Hi,
> We have a few local domains for which we will be using SER to act as a proxy and to protect our gateway. In the near future we will also be providing PSTN breakout for other SIP domains that are not on our proxy.
> What is the best way to allow traffic from certain known SIP domains out through our gateways? I've thought about having users authenticate to our proxy, but this could get very complex and messy serving multiple local & remote domains. Other option is just to allow traffic through from the trusted domains I guess.

You can use RADIUS authentication. This way, you can authenticate your local users/domains and proxy the auth RADIUS requests to a remote RADIUS owned/managed by your customer for external users.

> One last question, is anyone familiar with the Cisco AS5300? How do you go about locking it down so that only authorised users can pass calls out onto the PSTN?

Set an access-list in your gateway that only accepts traffic to port 5060 from your SER proxy.

> We have a number of Vega 100s that have the option of only allowing proxy-invited calls. Is there something similar on the AS5300 or would that have to do authentication as well, AAA?

Cisco AS5xxx can only do Microsoft Passport Authentication for SIP :(

Saludos JesusR.
------------------------------- Jesus Rodriguez VozTelecom Sistemas, S.L. jesusr@voztele.com http://www.voztele.com Tel. 902360305 -------------------------------
> > We have a few local domains for which we will be using SER to act as a proxy and to protect our gateway. In the near future we will also be providing PSTN breakout for other SIP domains that are not on our proxy.
> > What is the best way to allow traffic from certain known SIP domains out through our gateways? I've thought about having users authenticate to our proxy, but this could get very complex and messy serving multiple local & remote domains. Other option is just to allow traffic through from the trusted domains I guess.
>
> You can use RADIUS authentication. This way, you can authenticate your local users/domains and proxy the auth RADIUS requests to a remote RADIUS owned/managed by your customer for external users.

We've really got three classes of domains.
1) local
2) partner domains that we have some input into the control over
3) other domains that we have a short dial code set up on; FWD.
I don't think that would then work in all cases, unless people like FWD have RADIUS that they'll let other people authenticate to?
But it is a possibility for the other cases.

> > One last question, is anyone familiar with the Cisco AS5300? How do you go about locking it down so that only authorised users can pass calls out onto the PSTN?
>
> Set an access-list in your gateway that only accepts traffic to port 5060 from your SER proxy.

It's as simple as that? So the SIP user agent doesn't have to communicate via port 5060 with the gateway???

> > We have a number of Vega 100s that have the option of only allowing proxy-invited calls. Is there something similar on the AS5300 or would that have to do authentication as well, AAA?
>
> Cisco AS5xxx can only do Microsoft Passport Authentication for SIP :(

So it's unable to do RADIUS authentication for SIP?
Thanks for your help.
Regards,
Alan
On Wed, 11 Feb 2004, Alan Litster wrote:
> > > We have a few local domains for which we will be using SER to act as a proxy and to protect our gateway. In the near future we will also be providing PSTN breakout for other SIP domains that are not on our proxy.
> > > What is the best way to allow traffic from certain known SIP domains out through our gateways? I've thought about having users authenticate to our proxy, but this could get very complex and messy serving multiple local & remote domains. Other option is just to allow traffic through from the trusted domains I guess.
> >
> > You can use RADIUS authentication. This way, you can authenticate your local users/domains and proxy the auth RADIUS requests to a remote RADIUS owned/managed by your customer for external users.
>
> We've really got three classes of domains.
> - local
> - partner domains that we have some input into the control over
> - other domains that we have a short dial code set up on; FWD.
> I don't think that would then work in all cases, unless people like FWD have RADIUS that they'll let other people authenticate to?

Yes. I'm not sure how you could authenticate external users coming from external networks like FWD if you don't agree on some auth mechanism with them...

> But it is a possibility for the other cases.

Sure.

> > > One last question, is anyone familiar with the Cisco AS5300? How do you go about locking it down so that only authorised users can pass calls out onto the PSTN?
> >
> > Set an access-list in your gateway that only accepts traffic to port 5060 from your SER proxy.
>
> It's as simple as that? So the SIP user agent doesn't have to communicate via port 5060 with the gateway???

No, if you force all signalling to go through the proxy.

> > > We have a number of Vega 100s that have the option of only allowing proxy-invited calls. Is there something similar on the AS5300 or would that have to do authentication as well, AAA?
> >
> > Cisco AS5xxx can only do Microsoft Passport Authentication for SIP :(
>
> So it's unable to do RADIUS authentication for SIP?

Yes... but maybe there is some possibility to do auth using Tcl scripts... not sure about this.

Saludos JesusR.
------------------------------- Jesus Rodriguez VozTelecom Sistemas, S.L. jesusr@voztele.com http://www.voztele.com Tel. 902360305 -------------------------------
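
The access-list advice given in this thread, sketched as an IOS configuration. This is an added example, not a configuration posted by anyone on the list; 192.0.2.10 is a placeholder for the SER proxy address, and the ACL name and the interface are assumptions.

```cisco
! Added example. 192.0.2.10 = placeholder address of the SER proxy.
! ACL name SIP-FROM-PROXY and interface FastEthernet0 are assumptions.
ip access-list extended SIP-FROM-PROXY
 ! SIP signalling is accepted from the proxy only (UDP and TCP)
 permit udp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any eq 5060
 ! Any other source sending to port 5060 is dropped and logged,
 ! so INVITEs sent straight to the gateway never reach the PSTN side
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 ! Everything else on this interface is left as it was
 ! (tighten this entry to suit the site's own policy)
 permit ip any any
!
interface FastEthernet0
 ! Applied inbound on the interface facing the IP network
 ip access-group SIP-FROM-PROXY in
```

Only port 5060 is filtered: RTP media runs on other UDP ports and still passes under the final permit. The `log` keyword on the deny entries records direct signalling attempts that bypass the proxy.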