Secure Multimedia Controller (SMC) 1.0.1.0 Release Notes

Revision 1.0.1.0 321048-A

Copyright 2006 Nortel Networks. All Rights Reserved.

Page 2

Secure Multimedia Controller Release Notes

1 Introduction ... 3
1.1 SMC Overview ... 3
1.2 SMC Documentation ... 3
1.3 New Features and Issues Resolved in this Release ... 3
2 Known Issues ... 3
2.1 Secure Multimedia Controller ... 3
2.2 IP Clients ... 6
3 Known Limitations ... 7
3.1 Secure Multimedia Controller ... 7
3.2 IP Client ... 7
4 Additional Operational Procedures ... 8
4.1 Replace a Defective SMC Host within a Cluster ... 8
5 IP Client Firmware ... 9
6 Autogenerated Rules ... 10
6.1 Introduction ... 10
6.2 ELAN ... 10
6.3 TLAN ... 10
6.4 TLAN – Application Gateway ... 11
6.5 SLAN – Call Pilot ... 12
6.6 SLAN – Symposium ... 13
6.7 SLAN – OTM ... 13
6.8 MCS ... 14
6.9 Additional Product-Specific Rule Configuration ... 14
7 Validated Products ... 15
8 Technical Support ... 16
8.1 Nortel Technical Support Website ... 16
8.2 Nortel Solutions Center ... 16

Version 1.0.1.0 321048-A


1 Introduction

1.1 SMC Overview

The Secure Multimedia Controller 2450 is a purpose-built application firewall, delivering an integrated inside threat security solution to protect Nortel’s IP phones and multimedia communication servers. The SMC 2450 creates a “Secure Multimedia Zone” around the converged infrastructure to defend against Denial of Service attacks and other security threats. Autogenerated policy settings simplify deployment and ensure integrity and availability.

Figure 1: Secure Multimedia Zone

1.2 SMC Documentation

Full details on the Secure Multimedia Controller can be found in the following guides:

Secure Multimedia Controller Implementation Guide (553-3001-225)
Secure Multimedia Controller Command Reference (NN10300-091)

1.3 New Features and Issues Resolved in this Release

This is the first release of the SMC, and all features are described in the documentation.

2 Known Issues

2.1 Secure Multimedia Controller


Bug ID / Description / Recommendation

Q01310522
Infrequently, UNIStim phones fail to become secure when security is enabled for the first time in the SMC. This is seen when IP phones initially establish insecure UNIStim sessions through the SMC firewall and are then redirected to the Secure UNIStim proxy after security is enabled and all signaling servers are added. At this point, phones communicating with signaling servers lose connectivity as they are redirected to the proxy. When this happens, these phones continue to send insecure packets for many minutes, well beyond the 3-5 minutes currently expected for a new installation.

Troubleshoot this scenario by examining the current client count in the Web UI after UNIStim security has been enabled. This number can be found in two locations:

System Administration > Monitor > UNIStim Security > Client

Recommendation: If not all phones become secure within five minutes, perform one of the following procedures:

1. Find the UNIStim rule in the inbound rule lists for the security zone containing the UNIStim signaling server (for example, the UDP rule containing port 4100). Disable it and apply; then enable it and apply. This clears all current sessions and forces the phones to establish connectivity through the transparent proxy. Or:

2. Reset the phones from the Element Manager of the signaling server by disabling and enabling the TPS. This redirects any phones communicating with signaling servers that have not been added to the SMC server lists (this can be quite common due to CS 1000 UNIStim redirections; not all servers may be added automatically when the system is initially primed with Secure UNIStim phone calls).

These steps only need to be done the first time Secure UNIStim is enabled in a new environment. They will not be required on subsequent restarts.

Q01323630
The TFTP ALG needs to be enabled to use TFTP to get/put configuration or to update an image. The SMC should not allow the choice of TFTP if the ALG is disabled.

Recommendation: Use the more secure alternatives available in the CLI, such as SCP and SFTP, to store configuration and update images. The Web UI is also not affected. If TFTP is needed, enable the TFTP ALG.

Q01324595
When running the SMC in an environment with a full configuration file and heavy traffic, the SMC may not adequately validate the configuration parameters prior to applying them to the running system, especially if major configuration changes are made quickly (for example, adding and deleting Security Zones in quick succession). This could lead to invalid data storage in the cluster registry and intermittent failure of SMC services. This scenario is not expected in customer sites.

Recommendation: Make important changes to a configuration during low-traffic periods and allow six minutes for the SMC to reach a steady state after a major update such as adding/deleting security zones with a full configuration. Minor modifications, such as firewall rule and Secure UNIStim proxy updates, do not have this limitation and generally take effect within one minute.

Q01325091
Rarely, one SMC device in a cluster configuration will intermittently freeze during a package upgrade/downgrade. This device will have a telltale "L"-shaped display of internal LED lights visible from the front of the box behind the grille. The SMC will be unresponsive until rebooted, at which point it will rejoin the cluster and execute with the correct image. This behavior has been seen once during alpha testing and again during long runs of upgrading/downgrading the SMC. It appears to happen less than 5% of the time.

Recommendation: Package upgrades/downgrades should be performed during a maintenance window and on-site, so hardware issues can be handled quickly. In the above situation, a hard reset of the box will allow it to start normally.

Q01325094
The SMC prints out values for fan and temperature statistics gathered from the kernel. At times, the process fails and the user sees empty values, but otherwise it has no untoward effects (such as alerting on errors that do not exist). This problem is under investigation and is targeted to be fixed in a later release.

Recommendation: Ignore sensor values when they are 0.

Q01326525
When an IP phone is denied access because the license limit is reached and security is required, it displays a "Server Unreachable" message instead of printing "License Limit Reached" or "Security Error" to the IP Client screen.

Recommendation: In environments where exceeding the license limit for secure UNIStim is a possibility, and secure UNIStim is a requirement for all phones, these issues can be troubleshot using the following sources:

Secure UNIStim Log: "Client (10.10.10.10:5000) denied. License limit reached (50)."
  Web UI: Logs > UNIStim Proxy Log
  CLI: /info/host/usecplog

Alarm Table:
  Web UI: System page, or Administration > Monitor > Alarms
  CLI: /info/alarms

SNMP: An SNMP trap is generated for every client that exceeds the license limit.

This issue may be resolved by ordering a license for additional Secure UNIStim users. If the license number is already at its maximum, make sure the Client policy allows insecure connections, so overflow calls continue to function even though they do not have security.

Q01326781
Secure UNIStim fingerprint update does not always work on Phase 2 and 1100 series IP phones (with session caching turned off) when they initially connect. Keeping session caching turned on for these phones (which is the default value) allows them to function correctly and update their keys accordingly.

Recommendation 1: Maintain the default value for session caching for Phase 2 and 1100 series phones. In environments that also have Phase 0/1 phones, enable firmware checking on the Client Policy to work around individual firmware restrictions.

Recommendation 2: Make sure all phones on the network have had ample time to update their fingerprint before removing the secondary key. Generally, connected phones update their fingerprint within a few minutes, but IP clients that are offline at the time of the update will need to reconnect through the SMC to have their fingerprint overwritten.

Recommendation 3: Key updates should be a rare occurrence.

Q01327152
IP Wireless sets get blocked by the SMC. This issue is fixed by turning on firmware checking for the phone policy.

Recommendation: In mixed environments of Phase 0/1 IP phones, i2050 softphones, IP Wireless sets, Polycom sets, and/or IP sets that do not fully support Secure UNIStim, firmware checking should be enabled on the policy to completely separate the phones that correctly support UNIStim security.

Q01329887
The SMC does not perform a network address validation check. In certain situations, the SMC will not recognize when the network of an interface is a subnet of another interface.

Recommendation: Make sure that all interfaces (management, intranet, and security zones) are on their own individual subnets.

Q01329952
After the host IP address was changed, the SMC was not working. Changes to the IP address of an interface may lead to stale sessions in the firewall and to errors generated when traffic matches these sessions.

Recommendation: Reboot the SMC cluster after changing the IP address/netmask of an interface.

Q01337293
ITG cards residing behind the SMC cannot be accessed using OTM. This issue was solved by adding a rule to allow ICMP traffic between the OTM Standalone Server and the Call Server / ITG cards. A wizard to do this can be found in the Web UI at: Wizards > Firewall > OTM ICMP

The issue remains open because the wizard directions are unclear in two areas:

1. On the third wizard page, a user must click the Add New Server(s) button prior to clicking Finish to include the servers. If this is not done, an unclear error message is printed.

2. On the third wizard page, the Call Server Network is the name of the network that will be created containing the specified device IP addresses. It may include call server and ITG card addresses.

2.2 IP Clients

Bug ID / Description

Q01293843
Phase 2 phones hang after the clear S2 action byte if you enter 16 f's and one more letter.

Q01331053
Phase 2 phones fail to do a fingerprint update with MCS. This occurs even when session caching is on. This is the client side of CR Q01326781 detailed above. Generally these phones will update both fingerprints the first time the fingerprint is set. However, if a fingerprint is set a second time within a period that is less than the session cache timeout, the key set will fail.


3 Known Limitations

3.1 Secure Multimedia Controller

Description / Notes

Spanning Tree protocol not supported on SMC interfaces.
A race condition exists between VRRP, used for SMC High Availability, and the Spanning Tree protocol. When Spanning Tree is enabled on one of the SMC subnets, the SMC may failover twice if one of the devices stops functioning: once when the primary SMC goes down and again when it is brought back up.
Recommendation: Spanning Tree should not be present on any subnets interfacing with the SMC.

Cutting-and-pasting from the CLI command /cfg/dump is not a supported way to store and restore the configuration.
Recommendation: Configuration should be saved/restored using the standard methodologies in the CLI and Web UI:
  CLI: /cfg/gtcfg, /cfg/ptcfg
  Web UI: Operation > Configuration

The subnet mask of the management network is static.
The mask of the management network (which is a secure subnet that contains the clustering and synchronization traffic) is static and cannot be changed once it is configured in the SMC.

The flow control for UNIStim traffic appears to be off by a factor of 2 (CLI: /maint/unistim/adv/flow; Web UI: Diagnostics > Maintenance > UNIStim).
The flow value includes the size of the UDP/IP header as well as the UNIStim packet. This makes it appear as though the total bandwidth is less than it actually is. Generally, this advanced bandwidth rate-limiting feature of the Secure UNIStim proxy is not modified by customers.

Rapid upgrading/downgrading of SMC images is not supported (CLI: /boot/software/activate; Web UI: Operation > Image Update > Packages).
When the SMC image is changed in the CLI or Web UI, the system will reboot and start up using the new image. The new image will be validated during this time, and if an error exists, the system will roll back to the previous version. During this period, another package upgrade should not be attempted, since it could lead to corruption of internal data structures.
Recommendation: Wait until you see the status of "permanent" next to the running image in the CLI/Web UI before starting another upgrade. This clearly marks that the image has completely and successfully started.

Rarely, the Web UI fails to load pages due to a registry restart; when this does occur, the icon below is displayed along with a message.
This occurs when the clustering subsystem resets itself to work around an issue. When this happens, the Web UI (which maintains a reference to a clustering structure) needs to be restarted to refresh the reference.
Recommendation: Log off the Web UI and log on again. You do not need to close the Web browser.

3.2 IP Client


Description / Notes

Newer IP Softphone 2050 phones must be configured to use a unique listener port (such as the default port of 5000) rather than any listener port.
More recent versions of i2050 software allow you to use any port as a listener port (rather than a standard port, such as 5000 or 6000). This causes the UNIStim connection to fail when it traverses the SMC.
Recommendation: Use a single, static listener port in the i2050 configuration. This is the default setting.

Warning: In some environments, approximately 5% of both i2004 Phase 0 Internet Telephones and i2002/i2004 Phase 1 Internet Telephones traversing the SMC may freeze after an SMC package upgrade. This occurs if the phones are running insecure UNIStim through a server proxied by the SMC. To resolve this issue, manually reset the IP phones.

Recommendation: Only Phase 2 and 1100 series IP Clients should be used with UNIStim servers proxied by the SMC. This issue will not be present for IP Clients communicating with signaling servers not proxied by the SMC.

4 Additional Operational Procedures

This section details supplementary procedures that are currently omitted from the documentation.

4.1 Replace a Defective SMC Host within a Cluster

The following procedure details the steps to replace an SMC device that is part of an existing high-availability cluster. The procedure consists of five segments: 1) save the current configuration; 2) swap the VRRP IP address with the IP address of the remaining host; 3) remove the old host from the cluster; 4) add the new host to the cluster; and 5) restore the configuration.

This procedure should be performed during a maintenance window.

Save the current configuration

1. Web UI: go to Operation > Configuration and export the current configuration.

2. Save the configuration to a local file.

Swap the VRRP IP address(es) with the IP address(es) of the host that will remain

3. Web UI: go to Multimedia Security > Security Zones > intranet > Interface.

4. Swap the Virtual IP with the IP address of the host that remains in the cluster (that is, the one not being replaced). This allows you to access the standalone SMC using the VRRP IP address (which is used externally to route packets to the SMC, but is not present in a standalone cluster). This configuration is temporary and is used to maintain routing through the SMC during the swap. Note that this is not required for the management interface (the MIP will automatically move to the remaining host).

Warning: Swapping IP addresses is recommended. Otherwise, routing could be affected if one of the hosts is restarted later and cannot reach its default gateway.

5. For each Security Zone (for example, elan, tlan), swap the Virtual IP with the IP address of the remaining host.

Remove the old host from the cluster

6. Web UI: go to Network > VRRP and disable High Availability. This must be turned off to delete a host from the cluster.

7. Web UI: go to Operation > SMC Host(s) and delete the host from the cluster. Select the correct host based upon the IP address of the host to be replaced.

8. Web UI: apply the changes. The cluster now has a single host. You may need to restart the Web UI session after this operation is complete. To validate host deletion, go to the System page in the Web UI and make sure that only one host remains.

Add the new host to the cluster

9. Use the standard "join" procedure to add the new host to the standalone cluster. This integrates the new physical SMC device into the network and correctly connects all of its ports to their respective subnets. The SMC software image on the new host must be the same version as that currently in use within the cluster.

10. Once the host has been integrated, launch the Console CLI and choose join. Provide a device IP address for the new host on the management network (which could be the same as the host that was deleted), the Management IP address of the cluster, and the cluster password. The new host will join the cluster and pull over the current configuration. Once the join process is complete, validate that two hosts exist in the System page of the Web UI.

Restore the SMC configuration

11. Web UI: go to Operation > Configuration and import the saved configuration.

12. Web UI: go to Operation > SMC Host(s) and reboot both hosts.

5 IP Client Firmware

The following IP Client firmware versions are supported by the SMC:

Model | Phase | Firmware
IP Phone 2001 | 2 | 0604D9I
IP Phone 2002 | 2 | 0604D9I
IP Phone 2004 | 2 | 0604D9I
IP Phone 2007 | 2 | 0621C2C
IP Phone 1120E | N/A | 062xC1F
IP Phone 1140E | N/A | 062xC1F

Phase 0/1 IP clients are not supported by the SMC.

The IP Softphone 2050 does not currently support secure UNIStim; it needs to traverse the SMC insecurely using a policy that does not require security and has firmware checking turned on.

The WLAN handset 2210 and 2211 do not support secure UNIStim; they need to traverse the SMC insecurely using a policy that does not require security and has firmware checking turned on.

The PolyCom sets do not support secure UNIStim; they need to traverse the SMC insecurely using a policy that does not require security and has firmware checking turned on. Note that these sets are currently listed in the Secure UNIStim firmware table but with an invalid firmware version. When security in these sets is fully operational, the firmware table can be updated to hold the correct version string, and thereby enable Secure UNIStim.

6 Autogenerated Rules

6.1 Introduction

This section lists the SMC autogenerated rules, which are created when the SMC is first configured, or generated later in CLI or Web UI wizards.

Warning: Application Gateway TLAN rules require that HTTP be opened for general users. This allows the HTTP protocol into the TLAN, where it also can be used to access Element Manager (which is a security issue).

Recommendation: You should disable the Application Gateway rules in the TLAN if they are not in use, or configure the TLAN without the Application Gateway using the Automatic Rule Generation Wizard in the Web UI: Multimedia Security > Security Zones > zone name > Automatic Rule Generation

6.2 ELAN

Services

Name | Port(s) | Protocol | Description
ftp | 21 | tcp | File transfer protocol
telnet | 23 | tcp | Telnet
http | 80 | tcp | HTTP protocol
snmp | 161-162 | udp | SNMP query
rlogin | 513 | tcp | Rlogin protocol

Inbound Rules

Source | Destination | Service | Comment
administrators zone | ELAN | ftp | File Transfer Protocol
administrators zone | ELAN | telnet | Telnet
administrators zone | ELAN | http | Element Management
administrators zone | ELAN | rlogin | Rlogin
administrators zone | ELAN | 1929 (UDP) | Database Admin for OTM
administrators zone | ELAN | 5001, 5002 (UDP) | Call Server SNMP
administrators zone | ELAN | snmp | SNMP

6.3 TLAN

Services

Name | Port(s) | Protocol | Description
ftp | 21 | tcp | File transfer protocol
telnet | 23 | tcp | Telnet
tftp | 69 | udp | Trivial file transfer protocol
http | 80 | tcp | HTTP protocol
snmp | 161-162 | udp | SNMP query
https | 443 | tcp | HTTPS protocol
rlogin | 513 | tcp | Rlogin protocol
unistim_cs1000 | 4100, 5100, 7300 | udp | UNIStim signaling for CS1000
sip_tcp | 5060 | tcp | SIP TCP signaling
sip_udp | 5060 | udp | SIP UDP signaling

Inbound Rules

Source | Destination | Service | Comment
administrators zone | TLAN | ftp | FTP
administrators zone | TLAN | telnet | Telnet
administrators zone | TLAN | http | Element Management
administrators zone | TLAN | rlogin | Rlogin
administrators zone | TLAN | snmp | SNMP
users zone | TLAN | 1720 (TCP) | H.323 TCP Signaling
users zone | TLAN | 1718-1719 (UDP) | H.323 UDP Signaling
users zone | TLAN | sip_tcp | SIP TCP Signaling
users zone | TLAN | sip_udp | SIP UDP Signaling
users zone | TLAN | tftp | Trivial File Transfer Protocol
users zone | TLAN | unistim_cs1000 | i200x UNIStim Signaling
users zone | TLAN | 5105 (UDP) | i200x UNIStim FTP
users zone | TLAN | 10000 (UDP) | Port Mapping Discovery
users zone | TLAN | 12800 (TCP) | Remote Office Signaling
users zone | TLAN | 16500-16501 (TCP) | Virtual Office Signaling
users zone | TLAN | 16500-16501 (UDP) | Virtual Office Signaling
users zone | TLAN | 20480 (UDP) | Remote Office RTP
users zone | TLAN | 20482 (UDP) | Remote Office RTP
users zone | TLAN | SVP | SVP Wireless Protocol

6.4 TLAN – Application Gateway

Services

Name | Port(s) | Protocol | Description
http | 80 | tcp | HTTP protocol
https | 443 | tcp | HTTPS protocol

Inbound Rules

Source | Destination | Service | Comment
administrators zone | Application Gateway | http | HTTP
administrators zone | Application Gateway | 9001 (TCP) | Administration Tool (HTTPS)
administrators zone | Application Gateway | 9005 (TCP) | Design Studio Configuration
administrators zone | Application Gateway | 9014 (TCP) | Cluster Communication (HTTP)
administrators zone | Application Gateway | 9025 (TCP) | Cluster Communication (HTTP)
users zone | Application Gateway | 5000 (UDP) | UNIStim Signaling
users zone | Application Gateway | 50005 (UDP) | RTCP Receive
users zone | Application Gateway | 44443 (TCP) | GXAS Service
users zone | Application Gateway | http | Broadcast Server Push
users zone | Application Gateway / Remote Gateway | 20480-20511 (UDP) | Audio
users zone | Application Gateway | https | Smart Agent


6.5 SLAN – Call Pilot

Services

Name | Port(s) | Protocol | Description
ssh | 22 | tcp | SSH protocol
ftp | 21 | tcp | FTP protocol
http | 80 | tcp | HTTP protocol
smtp | 25 | tcp | SMTP protocol
imap2 | 143 | tcp | IMAP2 protocol
snmp | 161-162 | udp | SNMP protocol
ldap | 389 | tcp | LDAP protocol
https | 443 | tcp | HTTPS protocol
ssmtp | 465 | tcp | Secure SMTP
ldapssl | 636 | tcp | LDAP over SSL

Inbound Rules

Source | Destination | Service | Comment
users zone | CallPilot | 20 (TCP) | Application Builder FTP
users zone | CallPilot | ftp | FTP
users zone | CallPilot | smtp | SMTP
users zone | CallPilot | http | HTTP Element Management
users zone | CallPilot | 135 (UDP) | Location Service
users zone | CallPilot | 135 (TCP) | Location Service
users zone | CallPilot | 137 (UDP) | NETBIOS
users zone | CallPilot | 137-139 (TCP) | NETBIOS
users zone | CallPilot | imap2 | IMAP2
administrators zone | CallPilot | snmp | SNMP
users zone | CallPilot | ldap | LDAP
users zone | CallPilot | https | HTTPS
users zone | CallPilot | ssmtp | Secure SMTP
users zone | CallPilot | ldapssl | LDAP over SSL
users zone | CallPilot | 993 (TCP) | Application Builder IMAP
users zone | CallPilot | 1025-1026 (TCP) | msdtc
users zone | CallPilot | 1027-1028 (TCP) | Microsoft Distributed COM
users zone | CallPilot | 1029-1032 (TCP) | Dialogic CTMS
users zone | CallPilot | 1036 (TCP) | Middleware Maintenance Service
users zone | CallPilot | 1037 (TCP) | Call Channel Resource
users zone | CallPilot | 1038 (TCP) | Multimedia Resource
users zone | CallPilot | 1039-1041 (TCP) | MCE Notification Service
users zone | CallPilot | 1042 (TCP) | MTA
users zone | CallPilot | 1045 (TCP) | Access Protocol
users zone | CallPilot | 1046 (TCP) | SLEE
users zone | CallPilot | 1047-1048 (TCP) | IIS
users zone | CallPilot | 1095-1096 (TCP) | Blue Call
users zone | CallPilot | 1148 (TCP) | TAPI
users zone | CallPilot | 1499 (TCP) | Reporting ODBC
users zone | CallPilot | 2019-2020 (TCP) | Dialogic CTMS
users zone | CallPilot | 5631 (TCP) | pcAnywhere Data
users zone | CallPilot | 5632 (UDP) | pcAnywhere Stat
users zone | CallPilot | 7934 (TCP) | IIS
users zone | CallPilot | 8000 (TCP) | Dialogic CTMS
users zone | CallPilot | 10008 (TCP) | Access Protocol
users zone | CallPilot | 38037 (TCP) | msgsys Intel CBA-Message System
users zone | CallPilot | 56325 (TCP) | SLEE

6.6 SLAN – Symposium

Services

Name | Port(s) | Protocol | Description
snmp | 161-162 | udp | SNMP protocol

Inbound Rules

Source | Destination | Service | Comment
administrators zone | Symposium | snmp | SNMP
administrators zone | Symposium | 1550 (TCP) | HDX CAPI
administrators zone | Symposium | 3000 (TCP) | MSLM (MLink)
administrators zone | Symposium | 4422 (TCP) | HDX Name Service
administrators zone | Symposium | 5000-5003 (TCP) | SQL Server
administrators zone | Symposium | 5631 (TCP) | pcAnywhere
administrators zone | Symposium | 5632 (UDP) | pcAnywhere
elan zone | Symposium | 8888 (TCP) | AML Communication

Note: AML communication is disabled by default. If needed, it should be enabled by the user after the ELAN network has been set appropriately.

6.7 SLAN – OTM

Services

Name | Port(s) | Protocol | Description
http | 80 | tcp | HTTP protocol
https | 443 | tcp | HTTPS protocol

Inbound Rules

Source | Destination | Service | Comment
administrators zone | OTM Web Client | http | HTTP
administrators zone | OTM Web Client | https | HTTPS
administrators zone | OTM Web Client | 4789-5045 (TCP) | Virtual System Terminal
administrators zone | OTM Windows Client | 135 (TCP) | Login
administrators zone | OTM Windows Client | 135 (UDP) | Login
administrators zone | OTM Windows Client | 139 (TCP) | NetBEUI File Sharing
administrators zone | OTM Windows Client | 1583 (TCP) | Btrieve Station Administration
administrators zone | OTM Windows Client | 3351 (TCP) | Btrieve Station Administration
administrators zone | OTM | 162 (UDP) | SNMP Traps
administrators zone | OTM | 1929 (UDP) | DBA Configuration
administrators zone | OTM | 1930-1939 (UDP) | DBA Signalling
administrators zone | OTM | 2176-2185 (UDP) | DBA Data
administrators zone | OTM | 5099 (TCP) | RMI OTMDECT

6.8 MCS

Services

Name | Port(s) | Protocol | Description
ssh | 22 | tcp | SSH protocol
http | 80 | tcp | HTTP protocol
https | 443 | tcp | HTTPS protocol
unistim_mcs | 5000 | udp | i200x UNIStim signaling for MCS
sip_udp | 5060 | udp | SIP UDP signaling
mcs_lom | 2100, 2200, 2300, 2400, 2500, 2600, 2700, 2800 | tcp | Terminal server LOM
mcs_serial | 3100, 3200, 3300, 3400, 3500, 3600, 3700, 3800 | tcp | Terminal server serial

Inbound Rules

Source | Destination | Service | Comment
administrators zone | MCS | http | HTTP Element Management
administrators zone | MCS | https | HTTPS Element Management
administrators zone | MCS | ssh | SSH
administrators zone | MCS | 11111 (TCP) | Management Console
administrators zone | MCS | 5631 (TCP) | pcAnywhere (TCP)
administrators zone | MCS | 5632 (UDP) | pcAnywhere (UDP)
administrators zone | MCS | 3389 (TCP) | Windows Terminal Services
administrators zone | MCS | 3339 (TCP) | HTTP Provisioning
administrators zone | MCS | 5040 (TCP) | Terminal Server
administrators zone | MCS | mcs_lom | Terminal Server LOM
administrators zone | MCS | mcs_serial | Terminal Server Serial
administrators zone | MCS | 3900 (TCP) | Terminal Server SMDI
users zone | MCS | http | Personal Agent and Web Client
users zone | MCS | sip_udp | Session Initiation Protocol
users zone | MCS | unistim_mcs | UNIStim protocol for i200x phones
users zone | MCS | 1719 (UDP) | H.323 Gatekeeper RAS
users zone | MCS | 1720 (TCP) | H.323 Gatekeeper H.225
users zone | MCS | 50020 (UDP) | i2004 firmware download
users zone | MCS | 3090 (TCP) | WCM Session Control Protocol

6.9 Additional Product-Specific Rule Configuration

Besides the baseline rules added when the SMC is configured, extra configuration may be necessary for individual features. These additional configurations are listed below.

Feature / Notes

Symposium Multicast
Symposium uses multicast to send Real Time Data (RTD) to the Symposium Web Client (SWC) Server, and the SWC Server uses multicast to send RTD to Web Clients. To allow these multicast packets to traverse the SMC, a multicast bypass must be created. This can be done in the Web UI using a wizard or by adding the bypass directly:
  Multicast Wizard: Web UI: Wizards > Symposium Multicast
  Multicast Bypass: Web UI: Multimedia Security > Security Settings > Multicast Bypass; CLI: /cfg/smc/settings/multicast

Symposium Contact Center – Manager
In Contact Center – Manager, if both ELAN and Server LAN are connected to the SMC, an additional rule needs to be enabled in the Server LAN inbound rule list to allow AML traffic to flow between the ELAN and the Server LAN.

CallPilot Desktop Messaging
CallPilot Desktop Messaging requires ICMP packets to be exchanged between the Desktop Messaging Client and the CallPilot Server. A wizard is provided to help configure this exchange, as well as to provide flow control: Web UI: Wizards > Firewall > CallPilot Desktop Messaging

CallPilot Application Builder
This product requires two large port ranges to be opened for DCOM traffic: 1024-65525 (UDP) and 1024-65535 (TCP). This is not currently done in the CallPilot autogenerated rules because it poses a security risk. If you are using Application Builder, add these ranges and limit the source network to only those who are using the application.

Optivity Telephony Manager
Optivity Telephony Manager (OTM) requires that ICMP packets are exchanged between the OTM Standalone Server and the Call Server or ITG Card. SMC rule autogeneration does not include an explicit ICMP rule for these packets because it is a security hole. Instead, this support must be added manually using the OTM ICMP wizard: Wizards > Firewall > OTM ICMP

Server LAN
A firewall rule for Remote Desktop Agent (RDA) is not added by default to the Server LAN autogenerated rules. To add it manually, create an inbound rule for port 3389 (TCP).

RTP Portal
To add an MCS 5100 RTP Portal, a required rule for the RTP Portal must be added to the mcslan inbound rules if the RTP portal is on the mcslan. In most configurations, the RTP portal would be in a DMZ elsewhere on the network.
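The two exposures these notes single out, user-zone HTTP reaching a zone whose HTTP also serves Element Manager (the section 6.1 warning) and the very wide DCOM ranges Application Builder needs (section 6.9), can be checked mechanically against a rule list. The following is an added example, not Nortel or SMC code: the rule rows are transcribed from the tables above, while the "source | destination | service | comment" line layout, the WIDE_RANGE_PORTS threshold and the constructed DCOM rows are assumptions of this example.

```python
"""Audit SMC-style inbound rule lists for exposures the release notes call out:
user-zone HTTP into a zone whose HTTP also carries Element Management, wide port
ranges such as the CallPilot Application Builder DCOM ranges, and cleartext
services (ftp/telnet/tftp/rlogin) reachable from the users zone.

Added example, not SMC code. The line layout, the threshold and the DCOM rows
are assumptions; named services and rule rows come from the release-notes tables.
"""
import re
from dataclasses import dataclass

# Named services from the release-notes service tables: name -> (port spec, protocol).
SERVICES = {
    "ftp": ("21", "tcp"), "telnet": ("23", "tcp"), "tftp": ("69", "udp"),
    "http": ("80", "tcp"), "https": ("443", "tcp"), "snmp": ("161-162", "udp"),
    "rlogin": ("513", "tcp"), "sip_tcp": ("5060", "tcp"), "sip_udp": ("5060", "udp"),
    "unistim_cs1000": ("4100, 5100, 7300", "udp"),
}
# Services that move credentials or configuration without confidentiality or integrity.
CLEARTEXT = {"ftp", "telnet", "tftp", "rlogin"}
# Assumption: one rule opening this many ports or more deserves a finding.
WIDE_RANGE_PORTS = 1024


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    service: str
    comment: str


def parse_rule(line):
    """Parse one 'source | destination | service | comment' row."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        raise ValueError("expected 4 columns: %r" % line)
    return Rule(*parts)


def service_ports(service):
    """Return (set of ports, protocol) for a named service or a literal such as
    '1024-65535 (TCP)' or '4100, 5100, 7300 (UDP)'."""
    if service in SERVICES:
        spec, proto = SERVICES[service]
    else:
        m = re.fullmatch(r"([\d,\-\s]+)\((TCP|UDP)\)", service)
        if not m:
            raise ValueError("unknown service %r" % service)
        spec, proto = m.group(1), m.group(2).lower()
    ports = set()
    for item in spec.split(","):
        low, _, high = item.strip().partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports, proto


def audit_zone(zone, lines):
    """Return (kind, zone, destination, service) findings for one zone's inbound list."""
    rules = [parse_rule(line) for line in lines]
    # In the ELAN/TLAN tables Element Management is the administrators-zone HTTP rule.
    admin_http = any(r.source == "administrators zone" and r.service == "http" for r in rules)
    findings = []
    for r in rules:
        ports, _proto = service_ports(r.service)
        if len(ports) >= WIDE_RANGE_PORTS:
            findings.append(("WIDE_RANGE", zone, r.destination, r.service))
        if r.source == "users zone" and r.service == "http" and admin_http:
            findings.append(("USER_HTTP_IN_ADMIN_HTTP_ZONE", zone, r.destination, r.service))
        if r.source == "users zone" and r.service in CLEARTEXT:
            findings.append(("CLEARTEXT_FROM_USERS", zone, r.destination, r.service))
    return findings


# Rows transcribed from sections 6.3 and 6.4; both lists live in the TLAN zone.
TLAN_RULES = [
    "administrators zone | TLAN | http | Element Management",
    "users zone | TLAN | tftp | Trivial File Transfer Protocol",
    "users zone | TLAN | unistim_cs1000 | i200x UNIStim Signaling",
    "users zone | Application Gateway | http | Broadcast Server Push",
    "users zone | Application Gateway / Remote Gateway | 20480-20511 (UDP) | Audio",
]
# Rows from section 6.5 plus the two DCOM ranges section 6.9 says Application Builder
# needs (constructed rows; the autogenerated list deliberately omits them).
SERVER_LAN_RULES = [
    "administrators zone | CallPilot | snmp | SNMP",
    "users zone | CallPilot | ftp | FTP",
    "users zone | CallPilot | https | HTTPS",
    "users zone | CallPilot | 1024-65535 (TCP) | Application Builder DCOM",
    "users zone | CallPilot | 1024-65525 (UDP) | Application Builder DCOM",
]


def audit_all():
    """Audit both constructed zones; findings keyed by zone name."""
    return {"TLAN": audit_zone("TLAN", TLAN_RULES),
            "Server LAN": audit_zone("Server LAN", SERVER_LAN_RULES)}


if __name__ == "__main__":
    for zone, found in audit_all().items():
        for kind, _z, dest, svc in found:
            print("%-10s %-28s %-36s %s" % (zone, kind, dest, svc))
```

Feeding the full tables from sections 6.2 to 6.8 through audit_zone requires adding their remaining named services (svp, mcs_lom, and so on) to SERVICES first.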

7 Validated Products

Product | Location | Notes

IP Clients
IP Phone 2002 | Intranet | Phase 2 (secure)
IP Phone 2004 | Intranet | Phase 2 (secure)
IP Phone 2007 | Intranet | Phase 2 (secure)
IP Phone 1120E, 1140E | Intranet | (secure)
IP Softphone 2050 | Intranet | Phone supports insecure UNIStim only
WLAN Handset 2210, 2211 | Intranet | Phone supports IPsec, not Secure UNIStim

CS 1000
Release 4.0 | ELAN, TLAN | Basic features
Release 4.5 | ELAN, TLAN | Basic features
Converged Desktop | TLAN |
Redirection | TLAN |
TAT / TRO | TLAN |
Branch / Virtual Office | TLAN |
IP Trunk | TLAN |

CS 2100
Release SE08 | ELAN, TLAN | Basic features

MCS 5100
Release 3.0 | MCS LAN | Basic features
MAS | MCS LAN |
Chat | MCS LAN |
Instant Messaging | MCS LAN |
Music On Hold | MCS LAN |
Ad Hoc Conferencing | MCS LAN |

CallPilot
Release 2.0.2 | Server LAN | Basic features
Desktop Messaging | Server LAN |

Symposium
Release 5.0 | Server LAN | Basic features

Optivity Telephony Manager
Release 2.20.78 | Server LAN | Basic features

Application Gateway
Release | TLAN |

8 Technical Support

8.1 Nortel Technical Support Website

The best way to get technical support for Nortel products is from the Nortel Technical Support website: http://www.nortel.com/support. To address issues with Nortel products, this site provides quick access to software, documentation, bulletins, and tools.

8.2 Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support website, and you have a Nortel support contract, you can get help over the telephone from a Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835).

Outside North America, go to the following Web site to obtain the telephone number for your region: http://www.nortel.com/callus.

When engaging Nortel Technical Support, access to the equipment is often required. Be prepared to provide VPN, RAS, or WebEx access to the system. Also, be ready with a network diagram that clearly shows the network addressing and connections to the SMC, as well as the IP addresses of the equipment in the Secure Zones.


Copyright © 2006 Nortel Networks. All Rights Reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.

Nortel, Nortel (Logo), the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks.
