SIP/TLS traffic via port 443?

  • Question

  • We are going to deploy an OCS 2007 enterprise consolidated environment for one of our customers. In this case we are offering video and VoIP to several departments who are responsible for their own infrastructure, IP network (with different IP ranges) and firewall administration. The departments are connected to a private ring network. The OCS environment is connected to this ring network. Since the Edge Server is a STUN server, this will be a required component to enable multipoint (audio/video) conferencing between the clients in different departments. Next to that, the Edge Server(s) can form the single entry point for authentication, federation and audio/video conferencing, accessible via the common 443 port.

    Because of long change procedures we would like to prevent firewall changes on the department side as much as possible. Therefore we would prefer to let the SIP traffic run over port 443 instead of 5061.

    In the whitepaper "Designing Your Perimeter Network for Office Communications Server 2007" Microsoft advises to separate the A/V Edge servers from the Access/Web Conferencing Edge servers. Then, if we combine the Web Conferencing and Access Edge server, we have to configure the SIP port on 5061 and the Web Conferencing server on 443. In this case I need to split up the three Edge roles to configure all the external interfaces on port 443 (except for the federation port, which will still be on 5061). On the client side we will need to configure the Communicator clients to use port 443 instead (that will be no problem as far as we have tested).

    What are the pros and cons of this scenario? Are there any things that I need to take into account? Will there be any challenges in using VoIP equipment in the near future if we do not follow the standard ports configuration?

    /Thomas

    Monday, October 20, 2008 12:29 PM

Answers

  • Hi Thomas,

    Generally we find most deployments running the remote access service on 443 and federation on 5061 (as you stated above). This should not cause any issues as long as your DNS (A and SRV) records are configured accordingly. Any client attempting to connect (or other OCS platform attempting to federate) will query those DNS records for how to connect to your platform, as the DNS response includes the port number.

    Here's the result of checking a system where I am running remote access on 443 (a similar query for the SRV record _sipfederationtls._tcp.voicelab.org.uk would return the federation port of 5061).

    Non-authoritative answer:
    _sip._tls.voicelab.org.uk       SRV service location:
              priority       = 0
              weight         = 0
              port           = 443
              svr hostname   = sip.voicelab.org.uk

    voicelab.org.uk nameserver = ns48.domaincontrol.com
    voicelab.org.uk nameserver = ns47.domaincontrol.com
    sip.voicelab.org.uk     internet address = 217.36.62.66

    So as long as your DNS records match the port/IP configuration of your edge servers you should be fine.

    -Dave

    Monday, October 20, 2008 2:52 PM
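The answer above hinges on one check: the port and target host advertised in the SIP SRV records must match what the Edge server actually listens on, otherwise clients and federation partners connect to the wrong place. The following script is an added example written for this page; it is not code from the thread or from Microsoft. It parses Windows nslookup SRV output of the shape quoted in the answer and compares each record against the planned Edge configuration (remote access on 443, federation on 5061). The domain example.com, the sample output and the EXPECTED table are constructed for illustration.

```python
"""Check that published SIP SRV records agree with the Edge server's listener ports.

Added example for this thread, not project code. The nslookup output below is
constructed to mirror the format quoted in the answer; hostnames and ports are
assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _sip._tls.example.com
    priority: int
    weight: int
    port: int
    target: str    # the "svr hostname" field in nslookup output


# Constructed sample in the shape of 'nslookup -type=SRV' output on Windows,
# covering both the remote-access and the federation record.
SAMPLE_NSLOOKUP = """\
Non-authoritative answer:
_sip._tls.example.com       SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = sip.example.com
_sipfederationtls._tcp.example.com       SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   = sip.example.com
"""

_HEADER = re.compile(r"^(\S+)\s+SRV service location:")
_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s+=\s+(\S+)")


def _finish(fields):
    """Turn the collected key/value fields of one record into an SrvRecord."""
    return SrvRecord(
        name=fields["name"],
        priority=int(fields["priority"]),
        weight=int(fields["weight"]),
        port=int(fields["port"]),
        target=fields["svr hostname"].rstrip("."),
    )


def parse_nslookup_srv(text):
    """Parse nslookup SRV output into a list of SrvRecord objects."""
    records, current = [], None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            if current is not None:
                records.append(_finish(current))
            current = {"name": m.group(1).rstrip(".")}
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value
    if current is not None:
        records.append(_finish(current))
    return records


# Planned Edge listener configuration from the thread: remote access on 443,
# federation on 5061. Hostnames are assumptions for this example.
EXPECTED = {
    "_sip._tls.example.com": {"port": 443, "target": "sip.example.com"},
    "_sipfederationtls._tcp.example.com": {"port": 5061, "target": "sip.example.com"},
}


def check_srv_against_config(records, expected):
    """Return a list of mismatch descriptions; an empty list means DNS matches config."""
    problems, seen = [], set()
    for r in records:
        seen.add(r.name)
        want = expected.get(r.name)
        if want is None:
            problems.append(f"unexpected SRV record {r.name}")
            continue
        if r.port != want["port"]:
            problems.append(
                f"{r.name}: DNS advertises port {r.port}, Edge listens on {want['port']}"
            )
        if r.target != want["target"]:
            problems.append(
                f"{r.name}: DNS points at {r.target}, Edge external name is {want['target']}"
            )
    for name in expected:
        if name not in seen:
            problems.append(f"missing SRV record {name}")
    return problems


if __name__ == "__main__":
    found = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    for problem in check_srv_against_config(found, EXPECTED) or ["DNS matches Edge config"]:
        print(problem)
```

To use it against a live deployment, paste the real nslookup output into SAMPLE_NSLOOKUP (or read it from a file) and put the Edge server's actual external FQDN and ports into EXPECTED; a non-empty result is exactly the situation the answer warns about, where clients are told a port the Edge server is not listening on.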

All replies

  • Thanks for your reply!

    /Thomas

    Tuesday, October 21, 2008 7:47 AM