Mike Cahn Posts:6
28-07-2008 03:38 PM

I have a customer with SBS2003, no ISA installed (though I think they have a license for it). I want to forward ports 10000-20000 to an internal phone system. The only way I think this is possible in RRAS is to run a batch file and add each port in one at a time. I'm doing this now, but I am wondering if this very long list of ports is going to affect server performance when it has to check each incoming packet?

David Houston Posts:265
31-07-2008 07:20 PM

That is a lot of ports to open to the wild. Are you sure you want to do that? What is the phone system? There may be alternatives to opening up the network that much.

David Houston

Chad Gross Posts:10
31-07-2008 08:13 PM

I'm betting the phone system is Asterisk under the hood? (trixbox, Fonality, etc.) If so, the 10000-20000 range is going to be for RTP, which handles the voice traffic once the call is built. The phone server dynamically picks a port to use for RTP traffic for each separate call.

The good news is that the RTP port range is customizable within Asterisk. Depending on the number of users and simultaneous calls you are going to have, you can trim this range down. This can be adjusted by editing the rtp.conf file in /etc/asterisk with a stock text editor such as nano. Change your rtpstart and rtpend values to specify the port range you want. Best practices recommend having RTP start at 10001 instead of 10000 since webmin listens on TCP 10000. I've adjusted an RTP port range down as much as 10001-10200 before without noticing any ill effects.

If you really want to secure this, then I would recommend installing & configuring ISA server. This way you can specify your primary SIP inbound protocol (TCP 5060-5084) and then specify your UDP RTP range as a secondary connection. This way, the UDP ports for the RTP range aren't always open, but are only dynamically opened to traffic that has initiated a SIP connection first.

To answer your primary question - no, I am not aware of any easy way to specify a port range within the RRAS firewall without doing a batch file / vbscript to add separate individual rules.

Chad

Chad A. Gross - SBS MVP
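
An added example, not part of the original thread or written by any of its posters: it rewrites `rtpstart`/`rtpend` in an rtp.conf and generates one RRAS mapping per UDP port for the same trimmed range, so the PBX and the firewall expose exactly the same ports. The sample rtp.conf, the interface name and the private IP are constructed, and the use of `netsh routing ip nat add portmapping` for the batch file is an assumption, since the thread does not show the batch file's contents.

```python
import re

# Constructed sample of /etc/asterisk/rtp.conf (not taken from the thread).
SAMPLE_RTP_CONF = """\
; RTP Configuration
[general]
rtpstart=10000   ; first UDP port used for RTP
rtpend=20000
"""

def set_rtp_range(conf_text, start, end):
    """Return conf_text with rtpstart/rtpend replaced, keeping comments."""
    if not (1024 <= start < end <= 65535):
        raise ValueError("need 1024 <= start < end <= 65535")
    values = {"rtpstart": start, "rtpend": end}
    seen, out = set(), []
    for line in conf_text.splitlines():
        # Only active settings match; lines commented out with ';' are skipped.
        m = re.match(r"^(\s*)(rtpstart|rtpend)(\s*=\s*)\d+(.*)$", line)
        if m:
            key = m.group(2)
            line = f"{m.group(1)}{key}{m.group(3)}{values[key]}{m.group(4)}"
            seen.add(key)
        out.append(line)
    missing = set(values) - seen
    if missing:
        raise ValueError(f"rtp.conf has no {sorted(missing)} line to edit")
    return "\n".join(out) + "\n"

def rras_portmappings(start, end, private_ip, interface):
    """One NAT port mapping per UDP port, as lines for a batch file.

    Positional netsh arguments: interface, protocol, public IP,
    public port, private IP, private port (assumed command form).
    """
    return [
        f'netsh routing ip nat add portmapping "{interface}" udp '
        f"0.0.0.0 {port} {private_ip} {port}"
        for port in range(start, end + 1)
    ]

if __name__ == "__main__":
    # 10001-10200 is the trimmed range mentioned in the reply above.
    print(set_rtp_range(SAMPLE_RTP_CONF, 10001, 10200))
    rules = rras_portmappings(10001, 10200, "192.168.16.50", "Network Connection")
    print(f"rem {len(rules)} mappings instead of {20000 - 10000 + 1}")
    print("\n".join(rules[:3]))
```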