Pardon ... “the E’s search rule” ... I said traversal zone. Email needs a 
delete like WebEx Teams ...

Sent from my iPhone

On Sep 13, 2018, at 11:53, Ryan Huff <ryanh...@outlook.com> wrote:

The source for the E’s traversal zone only needs to be ‘ANY’ if it truly needs 
to be. I’ve deployed several scenarios where the business only wanted to 
receive B2B calls from other things on its own domain (or a few domains strung 
together in Regex).

Also, using the Call Policy engine (under the Configuration menu) or the more 
in-depth CPL (Call Processing Language) is a great way to block obviously 
fraudulent dials by source, target or zone (Ex. source URI: deny 
cl...@nose.com).

I prefer to use the standard Call Policy rules in the GUI .... which is more 
akin to a prioritized Allow / Deny ACL.

CPL on the other hand (located in the same GUI menu section) is a more robust 
way of using call policies and is really only needed for advanced Call handling.

Call Processing Language is referenced on page 324: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

Call Policy is referenced on page 168: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

The Firewall rules are useful for only allowing administrative services to a 
particular subnet (System / Protection / Firewall Rules) if you need to leave 
HTTPS and SSH exposed to a non-secure network (this is less about toll fraud 
than it is general security).

The firewall rules are referenced on page 28: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

As with any system exposed to the Internet, turn off any services and protocols 
not in use (Ex. Turn off UDP support if you’re not using it ... etc).

Thanks,

Ryan
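A model of the prioritized, first-match allow/deny evaluation Ryan describes (Call Policy rules plus search rules restricted to a named source zone), as an added Python example that is not from the thread or from Cisco Expressway; the zone names, domains and the fraud.example source are constructed, and the rule format is a simplification, not Expressway's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Call:
    source_zone: str   # zone the call entered on, e.g. "CtoE-Traversal" or "Default"
    source_uri: str    # calling party URI
    destination: str   # dialed alias


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    source_zone: Optional[str]    # None models "Source: ANY"; a name models "Named zone"
    source_pattern: str           # regex over the calling URI
    dest_pattern: str = r".*"     # regex over the dialed alias


# Constructed rule table (not an Expressway config): first match wins, default deny.
OWN_DOMAINS = r"(?:example\.com|partner\.example\.org)"   # several domains "strung together in Regex"
RULES = [
    Rule("deny", None, r".*@fraud\.example"),   # drop a known-bad source regardless of zone
    # Only calls that arrived over the traversal zone, from our own domains, reach us.
    Rule("allow", "CtoE-Traversal", rf"[^@]+@{OWN_DOMAINS}", r"[^@]+@example\.com"),
    # Outbound: anything from the CUCM neighbor zone to a non-local domain may leave.
    Rule("allow", "CUCM-Neighbor", r".*", r"[^@]+@(?!example\.com$)[^@]+"),
]


def evaluate(call: Call, rules=RULES) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching rule); unmatched calls are denied."""
    for idx, rule in enumerate(rules):
        if rule.source_zone is not None and rule.source_zone != call.source_zone:
            continue  # rule is bound to a named zone and this call came in elsewhere
        if not re.fullmatch(rule.source_pattern, call.source_uri):
            continue
        if not re.fullmatch(rule.dest_pattern, call.destination):
            continue
        return rule.action, idx
    return "deny", None


if __name__ == "__main__":
    for c in [
        Call("CtoE-Traversal", "alice@partner.example.org", "bob@example.com"),
        Call("Default", "alice@partner.example.org", "bob@example.com"),
        Call("CtoE-Traversal", "bot@fraud.example", "bob@example.com"),
        Call("CUCM-Neighbor", "bob@example.com", "carol@other.example"),
    ]:
        print(f"{c.source_zone:15} {c.source_uri:28} -> {evaluate(c)}")
```

The second sample shows the point of Lelio's question: the same caller arriving on a zone other than the traversal zone matches no rule and is denied.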

On Sep 13, 2018, at 11:12, Lelio Fulgenzi <le...@uoguelph.ca> wrote:


Curious – what are people doing with their search rules? I’ve got a search rule 
for calls coming from the ‘net into E and then to C, all good, but just 
wondering: I know the search rule on E has to be source:ANY because it’s coming 
from the net, but what about the search rule on C? Shouldn’t it be source:named 
zone (and pick the C-to-E traversal zone) to be sure that nothing else hits it?

Same goes for say rules that I use to send calls all the way from CUCM to C to 
E to DNS Zone. Shouldn’t my rules be as specifically configured as possible? 
Including the source zone?

I understand that if I start registering devices on either the C or E I will 
need to create additional rules, but I’m fine with that, that way I know 
exactly what’s going to hit.

What are others doing? What’s the best practice?


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
