Difference between revisions of "UCoIP DNS/firewall configuration"

From wiki.IPBRICK.COM
Jump to: navigation, search
(DNS configuration)
(Firewall/Router configuration)
 
(53 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
=DNS configuration=
 
=DNS configuration=
  
In order to get the full UCoIP concept working from the Internet, it's necessary to configure some DNS records at the public DNS zone.
+
In order to get the full UCoIP concept working at LAN/Internet it's necessary to configure some DNS records at internal and external DNS servers of the company domain.  
  
In that example lets suppose that:  
+
Next is given an example for the public DNS zone configuration. In that example lets suppose that:  
  
 
<pre>
 
<pre>
 
DNS domain: domain.com
 
DNS domain: domain.com
IPBrick FQDN: voip.domain.com
+
IPBrick FQDN: srv001.domain.com
Public IP associated to IPBrick: 88.88.88.88
+
Public IP associated to IPBrick: 85.86.87.88
 
User UCoIP page to create: jsmith.domain.com  
 
User UCoIP page to create: jsmith.domain.com  
 
</pre>
 
</pre>
 +
 +
So in this case we need to configure the following DNS records:
  
 
A records:
 
A records:
  
 
<pre>
 
<pre>
voip      A    88.88.88.88
+
srv001.domain.com.            IN A    85.86.87.88
webrtc   A    88.88.88.88
+
voip.domain.com.              IN A    85.86.87.88
 +
webrtc.domain.com.            IN A    85.86.87.88
 +
cafe.domain.com.              IN A    85.86.87.88
 +
ucoip.domain.com.            IN A    85.86.87.88
 +
im.domain.com.                IN A    85.86.87.88
 +
iportaldoc.domain.com.        IN A    85.86.87.88
 
</pre>
 
</pre>
  
Line 22: Line 29:
  
 
<pre>
 
<pre>
im                CNAME  voip
+
contacts.domain.com.          IN CNAME  srv001.domain.com.
jwchat            CNAME  voip
+
jwchat.domain.com.             IN CNAME  srv001.domain.com.
webphone          CNAME  voip
+
light.domain.com.       IN CNAME  srv001.domain.com.
groupware   CNAME  voip
+
webphone.domain.com.           IN CNAME  srv001.domain.com.
cafe              CNAME  voip
+
groupware.domain.com.       IN CNAME  srv001.domain.com.
jsmith            CNAME  voip
+
webmail.domain.com.       IN CNAME  srv001.domain.com.
 +
webrtcproxy.domain.com.        IN CNAME  srv001.domain.com.
 +
autoconfig.domain.com.        IN CNAME  srv001.domain.com.
 +
autodiscover.domain.com.      IN CNAME  srv001.domain.com.
 +
*.domain.com.                  IN CNAME  ucoip.domain.com.
 
</pre>
 
</pre>
  
Line 41: Line 52:
  
 
<pre>
 
<pre>
_jabber._tcp.domain.com. 86400      IN SRV 5 0 5269 voip.domain.com.
+
_jabber._tcp.domain.com.       IN SRV 5 0 5269 im.domain.com.
_xmpp-server._tcp.domain.com. 86400 IN SRV 5 0 5269 voip.domain.com.
+
_xmpp-server._tcp.domain.com. IN SRV 5 0 5269 im.domain.com.
_xmpp-client._tcp.domain.com. 86400 IN SRV 5 0 5222 voip.domain.com.
+
_xmpp-client._tcp.domain.com. IN SRV 5 0 5222 im.domain.com.
 +
</pre>
 +
 
 +
SRV record for UCoIP:
 +
 
 +
<pre>
 +
_ucoip._tcp.domain.com.        IN SRV 1 0 80  ucoip.domain.com.
 +
</pre>
 +
 
 +
SRV record for CAFE:
 +
 
 +
<pre>
 +
_cafe._tcp.domain.com.        IN SRV 1 0 443  cafe.domain.com.
 +
</pre>
 +
 
 +
SRV record for WebRTC:
 +
 
 +
<pre>
 +
_webrtc._tcp.domain.com.      IN SRV 1 0 8888 webrtc.domain.com.
 +
</pre>
 +
 
 +
 
 +
If IPBrick will be the email server, we need to modify/add the MX record:
 +
 
 +
<pre>
 +
domain.com.        IN MX      5    srv001.domain.com.
 +
</pre>
 +
 
 +
SPF - Sender Policy Framework
 +
<pre>
 +
domain.com          IN TXT      "v=spf1 mx ip4:85.86.87.88 -all"
 +
</pre>
 +
 
 +
Costumer ISP must add this PTR record at reverse DNS zone:
 +
<pre>
 +
88.87.86.85.in-addr.arpa.    IN PTR      srv001.domain.com.
 
</pre>
 
</pre>
  
 
=Firewall/Router configuration=
 
=Firewall/Router configuration=
  
If the eth1 IPBrick IP is not a public one (ie: 88.88.88.88), so IPBrick is behind a NAT at Router/Firewall, its necessary to forward the following traffic to eth1:
+
UCoIP concept uses many services running on their standard ports. IPBrick firewall is prepared to accept all this traffic at public interface (eth1).
 +
 
 +
But if IPBrick public interface is behind a NAT at Router/Firewall, its necessary to forward the necessary traffic to IPBrick. The list is:
  
 
<pre>
 
<pre>
80 TCP
+
HTTP          - 80 TCP
443 TCP
+
HTTPS          - 443 TCP
5060 UDP/TCP
+
SMTP          - 25 TCP
5061 TCP
+
SIP            - 5060 UDP/TCP
40000:45000 UDP
+
SIPS          - 5061 TCP
50000:55000 UDP
+
RTP            - 40000:45000 UDP (RTP Fax T38 - when the IP PBX is connected to the Internet using eth0 as gateway)
60000:65000 UDP
+
RTP            - 50000:55000 UDP (RTP Audio - when the IP PBX is connected to the Internet using eth0 as gateway)
5222 TCP
+
RTP            - 55000:60000 UDP  (CAFE Phone webRTC2SIP)
5223 TCP
+
RTP            - 60000:65000 UDP (RTP Audio - when the IP PBX is connected to the Internet using eth1 or other interface rather than eth0
8888 TCP
+
as gateway - rtpproxy utilization)
 +
XMPP-client    - 5222 TCP
 +
XMPP-server    - 5269 TCP
 +
XMPPS          - 5223 TCP
 +
WebRTC        - 8888 TCP
 +
Webphone      - 10060 UDP/TCP
 +
Webphone      - 10062 TCP
 
</pre>
 
</pre>
 +
 +
 +
It's mandatory ensure that IPBrick can access the local addresses, so coud be necessary configure the DNS hosts.
 +
 +
If IPBrick public interface '''is behind a NAT''' and:
 +
 +
''- IPBrick have 2 network interfaces (ETH0 and ETH1) configured with private IPs''
 +
 +
''- The communication between IPBrick and the router is done by ETH1
 +
 +
''- Public IP is on the router
 +
 +
''- Public DNS zone configured in IPBrick and all registers are resolved to public IP''
 +
 +
''- IPBrick resolves local addresses in your local DNS (public zone)''
 +
 +
 +
Then, requests made from IPBRICK to any of their addresses are always going to be routed to the public IP.
 +
 +
As these orders leave and re-enter, they are blocked, so you need configure the IPBrick DNS hosts to '''resolve the local addresses to the internal IP'''.
 +
 +
 +
On IPBrick interface ("DNS -> Name Resolution -> Local names resolution") add the following entries:
 +
<pre>
 +
  - cafe.<domain>      ->  Internal IP
 +
  - contacts.<domain>  ->  Internal IP
 +
  - groupware.<domain>  ->  Internal IP
 +
  - im.<domain>        ->  Internal IP
 +
  - iportaldoc.<domain> ->  Internal IP
 +
  - ucoip.<domain>      ->  Internal IP
 +
  - voip.<domain>      ->  Internal IP
 +
  - webrtc.<domain>    ->  Internal IP
 +
</pre>
 +
 +
 +
 +
NOTE: With update04_6.1, it's crucial too to have a Wildcard SSL Certificate. More information here:
 +
 +
[http://eshop.ipbrick.com/eshop/software_info.php?cPath=7_74_16&products_id=907&language=en Update04 security guide]
 +
 +
[https://wiki.ipbrick.com/index.php/How_to_buy_and_configure_a_SSL_certificate_at_IPBrick_6.1 How to buy and configure a SSL certificate at IPBrick]

Latest revision as of 10:43, 24 January 2019

DNS configuration

In order to get the full UCoIP concept working at LAN/Internet it's necessary to configure some DNS records at internal and external DNS servers of the company domain.

Next is given an example for the public DNS zone configuration. In that example lets suppose that: 

DNS domain: domain.com
IPBrick FQDN: srv001.domain.com
Public IP associated to IPBrick: 85.86.87.88
User UCoIP page to create: jsmith.domain.com

So in this case we need to configure the following DNS records:

A records: 

srv001.domain.com.            IN A     85.86.87.88
voip.domain.com.              IN A     85.86.87.88
webrtc.domain.com.            IN A     85.86.87.88
cafe.domain.com.              IN A     85.86.87.88
ucoip.domain.com.             IN A     85.86.87.88
im.domain.com.                IN A     85.86.87.88
iportaldoc.domain.com.        IN A     85.86.87.88

CNAME records: 

contacts.domain.com.           IN CNAME   srv001.domain.com.
jwchat.domain.com.             IN CNAME   srv001.domain.com.
light.domain.com. 	       IN CNAME   srv001.domain.com.
webphone.domain.com.           IN CNAME   srv001.domain.com.
groupware.domain.com.	       IN CNAME   srv001.domain.com.
webmail.domain.com. 	       IN CNAME   srv001.domain.com.
webrtcproxy.domain.com.        IN CNAME   srv001.domain.com.
autoconfig.domain.com.         IN CNAME   srv001.domain.com.
autodiscover.domain.com.       IN CNAME   srv001.domain.com.
*.domain.com.                  IN CNAME   ucoip.domain.com.

SRV records for VoIP (SIP): 

_sips._tcp.domain.com.     IN     SRV   1   0   5061   voip.domain.com.
_sip._tcp.domain.com.      IN     SRV   1   0   5060   voip.domain.com.
_sip._udp.domain.com.      IN     SRV   1   0   5060   voip.domain.com.

SRV records for chat (Jabber/XMPP): 

_jabber._tcp.domain.com.       IN SRV 5 0 5269 im.domain.com.
_xmpp-server._tcp.domain.com.  IN SRV 5 0 5269 im.domain.com.
_xmpp-client._tcp.domain.com.  IN SRV 5 0 5222 im.domain.com.

SRV record for UCoIP: 

_ucoip._tcp.domain.com.        IN SRV 1 0 80   ucoip.domain.com.

SRV record for CAFE: 

_cafe._tcp.domain.com.         IN SRV 1 0 443  cafe.domain.com.

SRV record for WebRTC: 

_webrtc._tcp.domain.com.       IN SRV 1 0 8888 webrtc.domain.com.


If IPBrick will be the email server, we need to modify/add the MX record: 

domain.com.         IN MX       5     srv001.domain.com.

SPF - Sender Policy Framework 

domain.com          IN TXT      "v=spf1 mx ip4:85.86.87.88 -all"

Costumer ISP must add this PTR record at reverse DNS zone: 

 88.87.86.85.in-addr.arpa.     IN PTR      srv001.domain.com.

Firewall/Router configuration

UCoIP concept uses many services running on their standard ports. IPBrick firewall is prepared to accept all this traffic at public interface (eth1).

But if IPBrick public interface is behind a NAT at Router/Firewall, its necessary to forward the necessary traffic to IPBrick. The list is: 

HTTP           - 80 TCP
HTTPS          - 443 TCP
SMTP           - 25 TCP
SIP            - 5060 UDP/TCP
SIPS           - 5061 TCP
RTP            - 40000:45000 UDP  (RTP Fax T38 - when the IP PBX is connected to the Internet using eth0 as gateway)
RTP            - 50000:55000 UDP  (RTP Audio - when the IP PBX is connected to the Internet using eth0 as gateway)
RTP            - 55000:60000 UDP  (CAFE Phone webRTC2SIP)
RTP            - 60000:65000 UDP  (RTP Audio - when the IP PBX is connected to the Internet using eth1 or other interface rather than eth0 
as gateway - rtpproxy utilization)
XMPP-client    - 5222 TCP
XMPP-server    - 5269 TCP
XMPPS          - 5223 TCP
WebRTC         - 8888 TCP
Webphone       - 10060 UDP/TCP
Webphone       - 10062 TCP


It's mandatory ensure that IPBrick can access the local addresses, so coud be necessary configure the DNS hosts.

If IPBrick public interface is behind a NAT and:

- IPBrick have 2 network interfaces (ETH0 and ETH1) configured with private IPs

- The communication between IPBrick and the router is done by ETH1

- Public IP is on the router

- Public DNS zone configured in IPBrick and all registers are resolved to public IP

- IPBrick resolves local addresses in your local DNS (public zone)


Then, requests made from IPBRICK to any of their addresses are always going to be routed to the public IP.

As these orders leave and re-enter, they are blocked, so you need configure the IPBrick DNS hosts to resolve the local addresses to the internal IP.


On IPBrick interface ("DNS -> Name Resolution -> Local names resolution") add the following entries: 

   - cafe.<domain>       ->   Internal IP
   - contacts.<domain>   ->   Internal IP
   - groupware.<domain>  ->   Internal IP
   - im.<domain>         ->   Internal IP
   - iportaldoc.<domain> ->   Internal IP
   - ucoip.<domain>      ->   Internal IP
   - voip.<domain>       ->   Internal IP
   - webrtc.<domain>     ->   Internal IP


NOTE: With update04_6.1, it's crucial too to have a Wildcard SSL Certificate. More information here:

Update04 security guide

How to buy and configure a SSL certificate at IPBrick

Retrieved from "https://wiki.ipbrick.com/index.php?title=UCoIP_DNS/firewall_configuration&oldid=1066"