Tuesday, July 28, 2020

Can someone help me understand how this telephony networking scenario (might) work?

We are working with a telephone vendor who has a SIP phone switch installed at two of their customer offices: let's call them Headquarters and Branch. In order to facilitate work-from-home the phone company wants the IP phones to first connect to Headquarters phone switch, but also have the ability to connect to the Branch phone switch. The phone system manufacturer (NEC) provided a sample network diagram, which I posted here: https://imgur.com/a/YTCGqGX

In the "real world" case, there is only one router/firewall at Headquarters, not two as shown in the proposed diagram. The single WatchGuard Firebox provides HQ with both its internet connection and establishes the site-to-site VPN between HQ and the Branch. The Branch also has a WatchGuard Firebox.

The vendor tells us that they need UDP ports 20020-20051 and UDP ports 20052-20083 forwarded to the HQ gateway that does the VPN between the two sites. I have two concerns about this:

1) How will the network get those UDP packets to the Branch office phone switch (pictured on the right side of the diagram)? They aren't asking us to set up any port forwarding on the Branch router.
Does it make sense that these packets will magically end up in the Branch office phone switch?

2) Are we creating a potential security hole by accepting those UDP packets from the internet and sending those packets to the LAN side gateway in the HQ internet router?

We had originally configured the HQ router to send the incoming UDP packets directly to the Branch office phone switch (destination IP 192.18.2.10) but the vendor says that isn't working and we have to do what the diagram says.
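To reason about both concerns, here is an added example (not from the post, the vendor, or NEC) that models the HQ Firebox as plain inbound DNAT plus static routing over the VPN. All addresses other than the Branch switch (192.18.2.10) are assumed, and the model says nothing about what the NEC switch itself does with the traffic once it arrives.

```python
import ipaddress

# Constructed addresses: only the Branch switch address appears in the post.
HQ_FIREBOX_LAN = "192.18.1.1"        # assumed LAN-side address of the HQ Firebox
BRANCH_SWITCH = "192.18.2.10"        # from the post
HQ_NET = ipaddress.ip_network("192.18.1.0/24")      # assumed HQ LAN
BRANCH_NET = ipaddress.ip_network("192.18.2.0/24")  # assumed Branch LAN

# Inbound port-forward rules as the vendor requested: (proto, first, last, internal target)
VENDOR_RULES = [("udp", 20020, 20051, HQ_FIREBOX_LAN),
                ("udp", 20052, 20083, HQ_FIREBOX_LAN)]
# The rules as originally configured: same ports, but targeted at the Branch switch
ORIGINAL_RULES = [("udp", 20020, 20083, BRANCH_SWITCH)]

# HQ Firebox routing table: the site-to-site VPN carries the Branch LAN
ROUTES = [(BRANCH_NET, "vpn-to-branch"), (HQ_NET, "hq-lan")]


def dnat(rules, proto, dport):
    """Internal address an inbound WAN packet is rewritten to, or None if not forwarded."""
    for p, lo, hi, target in rules:
        if p == proto and lo <= dport <= hi:
            return target
    return None


def next_hop(dst):
    """Interface the HQ Firebox would use to deliver a packet to dst."""
    addr = ipaddress.ip_address(dst)
    for net, iface in ROUTES:
        if addr in net:
            return iface
    return "default"


def trace(rules, proto, dport):
    """(egress interface, internal target) for one inbound packet, or ('dropped', None)."""
    target = dnat(rules, proto, dport)
    return ("dropped", None) if target is None else (next_hop(target), target)


def exposure(rules):
    """Defender check for concern 2: how many WAN ports each internal host is exposed on."""
    counts = {}
    for _, lo, hi, target in rules:
        counts[target] = counts.get(target, 0) + (hi - lo + 1)
    return counts
```

Tracing UDP 20020 under the vendor's rules ends on the HQ LAN at the Firebox's own address, with nothing in this model carrying it on to Branch; only a rule targeting 192.18.2.10 routes it into the VPN, and either way 64 UDP ports are open from the internet to whatever sits at the target.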

Any insight would be appreciated.