01-05-2012 06:53 AM
Recently came across an unexpected issue with CMA + RMX + VBP-ST.
VBP-ST is used as it is supposed to be for CMAD clients working outside the corp. network. Some owners of home-office based HDX systems are also willing to have the same service as internal ones. And it's working, BUT I couldn't find any way to block/control anyone else from using the same service from the Internet. In other words, anyone outside using any client other than a provisioned CMAD H.323 client (software or hardware, doesn't matter) can register with VBP-ST and dial into the corp. VC network without restrictions if they know aliases, prefixes, etc. I cannot block this w/o disabling VBP-ST functionality for legitimate clients.
And I cannot control this either: all external endpoints registered on VBP-ST (it's working in WAN/Provider-side gatekeeper mode) are visible in CMA only inside the VBP-ST object and only as information. A white/black list is not the answer with mobile users (and what else are CMAD clients for?).
Polycom support answer was that this is "feature request".
I also learned that CMA does not support H.323 authentication, which means that any rogue H.323 client inside the corp. network can register with CMA as gatekeeper, though at least I can restrict it by IP there (not very convenient when having more than 100 units, but feasible).
I'm quite impressed, so I want to recheck it before I pass it to our DE and sales team:
what is the secure design for using CMA and VBP-ST in a corp. VC environment that Polycom can recommend?
01-11-2012 09:24 AM
You are correct - feature request - however, we can give you some options.
Option 1: Use the security in the VBP-ST unit to block/allow IP addresses. Check out the following tech tip for more information about setting this up: Restricting Registrations to a V2IU S or ST Series
The downside is what you have already mentioned: this will block mobile users who are using hotspots anywhere in the world. There is no mechanism which will allow you to dynamically allow an IP address through the ST unit.
Option 2: Wait until the VBP dev team implements the dynamic mode checkbox on the VBP. This will only allow endpoints which are in dynamic mode to access the CMA. Dynamic mode includes any endpoint that can register with a user name and password, like the CMAD or HDX series. This of course will block all other endpoints not capable of dynamic mode or not configured for it.
Option 3: Use VPN technology to provide remote access. You could either deploy VBP everywhere and create site-to-site VPN tunnels to provide access, or do it with some other technology. Aruba is one that comes to mind. A software VPN connection could be used for mobile users. However, this option is not cheap, as it would require additional purchases.
I hope this helps.
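To make the trade-off between Option 1 and Option 2 concrete, here is an added policy model, not Polycom code and not how the VBP-ST or CMA implement their checks. It runs a constructed set of registration requests through three policies (open, static IP allow list, credentialed "dynamic mode" only) and shows which legitimate and unknown endpoints get a confirm (RCF) or reject (RRJ). The request layout, account store, network ranges and the credential check are all assumptions; real H.323 RAS/H.235 messages are ASN.1-encoded and use a different authentication scheme.

```python
"""
Registration-policy model for an H.323 gatekeeper front end (added example).

Models the two enforcement options discussed above, a static IP allow list
versus requiring credentialed "dynamic mode" registration, against constructed
registration requests. Names and fields are assumptions, not Polycom's API.
"""
from dataclasses import dataclass
import hashlib
import hmac
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class RegistrationRequest:
    alias: str                      # E.164 / H.323-ID the endpoint wants to register
    src_ip: str                     # address the request arrived from
    username: Optional[str] = None  # present only for dynamic-mode capable endpoints
    password: Optional[str] = None


# Provisioned accounts (constructed). A real deployment provisions these on the
# management server per user; they are inline here only so the example runs offline.
PROVISIONED_ACCOUNTS = {
    "alice": "correct horse battery staple",
    "bob": "hdx-home-office-secret",
}

# Option 1: networks the border unit accepts registrations from (constructed range).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def allowed_by_ip(req):
    """Option 1: accept only if the source address is inside an allowed network."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in ALLOWED_NETWORKS)


def credentials_valid(req):
    """Option 2: accept only a provisioned username/password pair."""
    if req.username is None or req.password is None:
        return False
    expected = PROVISIONED_ACCOUNTS.get(req.username)
    if expected is None:
        return False
    # Compare fixed-length digests in constant time so a wrong password
    # is not distinguishable by timing from a wrong username.
    a = hashlib.sha256(expected.encode()).digest()
    b = hashlib.sha256(req.password.encode()).digest()
    return hmac.compare_digest(a, b)


def decide(req, mode):
    """Return 'RCF' (confirm) or 'RRJ' (reject) for one request under a policy mode."""
    if mode == "open":
        ok = True
    elif mode == "ip_allowlist":
        ok = allowed_by_ip(req)
    elif mode == "dynamic_only":
        ok = credentials_valid(req)
    else:
        raise ValueError(f"unknown policy mode: {mode}")
    return "RCF" if ok else "RRJ"


# Constructed sample traffic covering the cases raised in the thread.
SAMPLE_REQUESTS = [
    RegistrationRequest("1001", "203.0.113.10", "alice", "correct horse battery staple"),  # branch office
    RegistrationRequest("1002", "198.51.100.77", "bob", "hdx-home-office-secret"),        # home HDX on ISP address
    RegistrationRequest("1003", "192.0.2.5", "alice", "correct horse battery staple"),    # same user from a hotspot
    RegistrationRequest("1004", "192.0.2.200"),                                            # unknown client, no credentials
    RegistrationRequest("1005", "203.0.113.50", "mallory", "guess"),                       # unknown account, allowed network
]


def evaluate(mode, requests=SAMPLE_REQUESTS):
    """Map each alias to the gatekeeper's decision under the given policy."""
    return {r.alias: decide(r, mode) for r in requests}


if __name__ == "__main__":
    for mode in ("open", "ip_allowlist", "dynamic_only"):
        print(mode, evaluate(mode))
```

Running it shows the point of the reply: the IP allow list rejects the home HDX and the hotspot user (1002, 1003) while still confirming an unknown account that happens to sit in an allowed network (1005), whereas the credential-only policy confirms every provisioned user regardless of address and rejects both unknown endpoints.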
01-11-2012 01:15 PM
Option 2 could be the real answer.
As for the VPN solution - it doesn't make any sense spending money on VBP-ST in this case, does it? And even more - it doesn't make any sense to use VBP-ST at all, as all the VC clients will be local to CMA and RMX.
Good whitepaper on the firewall commands.
But at least now I know that we should look for something else to protect the corp. VC environment.
Thank you Simon.