Configuring the Firewall Rules on AudioCodes SBC for Microsoft Teams

Introduction

A few years ago, I wrote a blog on configuring the firewall on an AudioCodes Session Border Controller (SBC). That article covered the rules needed by one of our clients for a Session Border Controller with connections to: 

  • A pair of Lync 2013 pools. 
  • Two (2) Avaya Session Managers. 
  • Three (3) on premises Microsoft Exchange Unified Messaging Servers. 
  • A vendor SIP Trunk. 
  • A set of AudioCodes MediaPack Analog Transfer Agents (ATAs). 
  • AudioCodes One Voice Operations Center (OVOC). 


At the time of the writing of the original article, Microsoft Teams Direct Routing was not even available. This blog is an update to the original focusing on the rules needed in a Microsoft Teams Direct Routing deployment on an AudioCodes SBC with an interface to a typical SIP trunk. 

Bibliography?

AudioCodes has written documents addressing security on their Session Border Controllers and Gateways. There are versions for the 7.2 and 7.4 firmware in which they discuss the importance of setting up the SBC’s firewall rules:

The AudioCodes Teams Direct Routing Configuration guides contain the rules needed for an integration with Teams Direct Routing. These guides apply to both firmware versions 7.2 and 7.4:

Firewall Rule Guidelines

The instructions for adding firewall rules to an AudioCodes SBC can be found in the latest version of the SBC’s user manuals. These manuals can be found in the “Library” on the AudioCodes web site.  There are a few items to note about the SBC firewall:

  • Each model of SBC has a different number of firewall rules that can be created. The Mediant 800, for example, supports up to fifty (50) rules. Check the SBC’s user manual to find out how many rules you can create.
  • The firewall rules table has buttons to move rules up and down in the list. It does not have an “Insert” button like some of the other SBC tables.
  • Rules are applied at a very low network layer on the SBC and override all other security-related configuration. For example, if you have enabled Telnet or SSH administration, you must have complementary firewall rules that allow that traffic into the SBC. Keep in mind that security can be further tightened with Classification, Message Condition rules and other built-in mechanisms on the SBC.
  • Firewall rules are inbound only. They affect traffic coming into the SBC.
  • The SBC supports dynamic firewall pinholing for RTP/RTCP media traffic negotiated in the SDP of SIP calls. 
    • If the SBC and the remote device decide that the SBC will listen on port 55123 for RTP/RTCP traffic during a specific call, the SBC will open that port on the firewall for the duration of the call then close it.  
    • Firewall rules to allow RTP/RTCP traffic through specific ports are not required.
  • Be careful with the manual’s guidance stating that you must “Save” the configuration after adding or changing firewall rules and you must reset the SBC to implement them. When you click the “OK” button when creating a rule, it will likely go “live” immediately. 
  • Initially set the “Action on Match” to “Allow” on the rules you intend to use for blocking traffic. Test the rules above them in the table before switching the “Action on Match” to “Block.” A rule’s statistics will indicate whether the rule is being applied.
  • You must be signed on to the SBC as a user with “Security Administrator” or “Master” access level to configure the firewall. 
  • You must add firewall rules if the device is communicating with an AudioCodes One Voice Operations Center server (or servers).
  • You must configure rules to permit traffic on the MAINTENANCE interface of a highly available pair of SBCs if you are including a blocking rule for that interface. These rules must be listed before the blocking rule. 
  • Firewall rules can be managed through both the web interface and the command line interface (CLI) over Telnet or SSH.

Adding Firewall Rules to the SBC

Before adding firewall rules to your SBC, back up its configuration file! If you accidentally lock yourself out of the SBC with a blocking rule, you will thank me for this piece of advice! 

From the SBC’s web interface:

  1. Click on “Setup”
  2. Then “IP Network”
  3. Then “Security”
  4. Click on “Firewall”
  5. Click on the “New” button to add rules
  6. Click on “New” to add a rule


The form is split into three (3) sections:

  • Match
    • Index
      • Keep in mind that specifying an Index number does not insert the rule at that position; rules cannot be inserted into this table. 
      • You can reorder rules with the up and down buttons in the table or by directly editing the configuration file.
    • Description
      • Enter a name or useful information about this rule.
    • Source IP
      • IP address or DNS name of the specific host from which the incoming packet arrives on one of the SBC’s “IP Interfaces.” 
      • The default is 0.0.0.0 
    • DNS Query Type
      • This field is only currently available in the 7.4 firmware.
      • Defines the DNS query type used by the SBC to query the DNS server to resolve a fully qualified domain name (FQDN) entered in the “Source IP” field into an IP address.
      • For DNS resolution, if you select an “IP Interface” (see below) for the rule, the SBC will use the DNS servers configured for that interface. You can also use the SBC’s built-in DNS table or Internal SRV table to configure DNS resolution.
    • Source Port
      • A single UDP or TCP source port in the range 0 to 65535.
      • You cannot enter a range of ports in this field.
      • Source ports for outgoing TCP and TLS connections are not configurable. They are dynamically determined by the SBC in the range of 32,768 through 61,000.
    • Prefix Length
      • This field is mandatory.
      • This subnet mask is applied to the Source IP.
      • A value of 0 applies to all packets and will allow any traffic into the designated “IP Interface.”
      • Use values between 1 and 32. Use 32 for a specific host.
      • Even if you are using a DNS name, you should specify a value for this parameter.
    • Start Port
      • Defines the first port in a range of ports on the SBC on which the incoming traffic is received.
      • This range should cover the destination port in the incoming packet.
      • If the “Protocol” (see below) is anything other than “TCP” or “UDP” the entire range, 0-65535, must be specified.
    • End Port
      • Defines the last port in a range of ports on the SBC on which the incoming traffic is received.
      • This range should cover the destination port in the incoming packet.
    • Protocol
      • Specify a protocol type, e.g., UDP, TCP, ICMP, HTTP, ESP, etc.
      • The use of HTTP implies selection of the TCP or UDP protocols and their port numbers on the SBC.
      • TLS is not a supported type in this field.
      • If you specify “Any”, then your port range must be defined as 0-65535.
      • You can also use any of the IANA protocol numbers between 0 and 225.
      • If you are specifying SIP ports, you must add rules with the UDP and TCP protocols for the “IP Interfaces” associated with the “SIP Interfaces.”
    • Use Specific Interface
      • Whether to apply this rule to a specific network interface.
    • Interface Name
      • If you have previously chosen to limit this rule to a specific network interface, specify the name of the interface here.
  • Action
    • Action Upon Match
      • Allow or Block (reject) traffic
    • Packet Size
      • The range is 9 to 65,535.
    • Byte Rate
      • Expected traffic rate (bytes per second), i.e. the allowed bandwidth for the specified protocol.
    • Byte Burst
      • Allows for momentary bursts of data that exceed the expected traffic rate.
    • Statistics
      • This is a read-only field that displays the number of packets that matched this rule. This counter is reset when the SBC is restarted, or the rule is updated.

Typical Rules for an SBC with Teams Direct Routing

In the AudioCodes Teams Direct Routing configuration guides, they have firewall rules that permit inbound traffic from:

  • A Public DNS Server to the WAN interface. 
  • The two (2) ranges for Teams endpoints to the Teams interface:
    • 52.112.0.0/14
    • 52.120.0.0/14
  • The signaling IP address of the SIP Trunk into the WAN interface. This rule allows traffic from any Source port to any destination port.
  • The guides also include a rule that blocks all other traffic to the WAN interface.

The Security Guidelines documents include a rule to block ICMP traffic on all interfaces. 

Following our Security mantras: 

  1. Trust no one! 
  2. Harden everything!

We can add some additional rules to further harden the SBC: 

  • Rules to block all traffic not previously permitted on all interfaces. These rules are at the end of the list of rules.
  • Rules to allow some network traffic we would need on the Management (LAN) interface:
    • Inbound HTTPS/443 traffic.
    • Inbound Secure Shell (SSH)/22 traffic.
    • Inbound Network Time Protocol (NTP)/123 traffic typically from an Active Directory Domain Controller.
    • Inbound Secure Lightweight Directory Access Protocol (LDAPS)/636 from an Active Directory Domain Controller. This is required to allow the use of LDAPS authentication when signing into the SBC. There is a future article in the works on how to set this up.
  • The sample SIP Trunk rule can be further tightened up by specifying port 5060 as the Start and End destination ports.
    • AudioCodes’ sample rule allows traffic from the SIP Trunk into the SBC on any port. 
    • This rule is overkill. The SIP Trunk will only be sending SIP Signaling and Media traffic.
    • We know the SBC will be expecting the signaling traffic on port 5060/UDP (the port on your SIP Trunk may vary).
    • We also know that the media port(s) needed between the SIP Trunk and the SBC for individual calls will be dynamically negotiated and that the SBC will open the needed pinholes to allow that media traffic for the duration of the call. 
    • This allows us to harden up the sample rule for the SIP Trunk setting the Start and End ports to 5060/UDP.


Now we can see what a typical starter set of rules might look like for an AudioCodes Teams Direct Routing SBC (some IP addresses are fictional):
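To make the rule semantics above concrete (first match wins, Source IP with Prefix Length, destination port range, protocol, optional interface, and the trailing block rule), here is an added Python model of the starter rule set. It is not the table from the original post or any AudioCodes code; the DNS server, SIP trunk, domain controller and management subnet addresses are constructed, and only the two Teams ranges come from the page.

```python
"""Constructed model of the SBC firewall described above: inbound only, first
matching rule wins, match on Source IP/Prefix Length, port range, protocol, interface."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    desc: str
    src: str             # Source IP (IP literal; DNS names are not modelled here)
    prefix: int          # Prefix Length: 0 = any source, 32 = a single host
    start: int           # Start Port / End Port: destination ports on the SBC
    end: int
    proto: str           # "UDP", "TCP" or "Any" ("Any" requires 0-65535)
    iface: Optional[str] # Interface Name; None = every interface
    allow: bool          # Action Upon Match: True = Allow, False = Block

    def net(self):
        return ipaddress.ip_network(f"{self.src}/{self.prefix}", strict=False)

    def matches(self, iface, src, dport, proto):
        return (self.iface in (None, iface) and ipaddress.ip_address(src) in self.net()
                and self.start <= dport <= self.end and self.proto in ("Any", proto))

def decide(rules, iface, src, dport, proto):
    """(allowed, rule) for an inbound packet. With no match the packet is allowed,
    which is why the list must end with an explicit block rule."""
    for r in rules:
        if r.matches(iface, src, dport, proto):
            return r.allow, r.desc
    return True, "no rule matched"

def shadowed(rules):
    """Allow rules listed below a block rule that already covers them: they never fire."""
    return [a.desc for i, a in enumerate(rules) if a.allow and any(
        not b.allow and b.iface in (None, a.iface) and a.net().subnet_of(b.net())
        and b.start <= a.start and a.end <= b.end and b.proto in ("Any", a.proto)
        for b in rules[:i])]

# Starter set; addresses are constructed (TEST-NET / RFC 1918), Teams ranges are from the page.
DC, MGMT, TRUNK, DNS = "192.168.10.5", "192.168.10.0", "203.0.113.10", "198.51.100.53"
STARTER = [
    Rule("Public DNS replies", DNS, 32, 0, 65535, "UDP", "WAN", True),
    Rule("Teams 52.112.0.0/14", "52.112.0.0", 14, 0, 65535, "Any", "Teams", True),
    Rule("Teams 52.120.0.0/14", "52.120.0.0", 14, 0, 65535, "Any", "Teams", True),
    Rule("SIP trunk signaling, 5060/UDP only", TRUNK, 32, 5060, 5060, "UDP", "WAN", True),
    Rule("HTTPS mgmt", MGMT, 24, 443, 443, "TCP", "LAN", True),
    Rule("SSH mgmt", MGMT, 24, 22, 22, "TCP", "LAN", True),
    Rule("NTP from DC", DC, 32, 123, 123, "UDP", "LAN", True),
    Rule("LDAPS from DC", DC, 32, 636, 636, "TCP", "LAN", True),
    Rule("Block everything else", "0.0.0.0", 0, 0, 65535, "Any", None, False),
]
```

Running `shadowed()` on a rule list before switching any rule to “Block” is the programmatic form of the “test the rules above it first” advice: a management allow rule that lands below the block rule shows up there instead of locking you out.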

Summary

  • Creating firewall rules on your Session Border Controllers is in line with Enabling’s general guidance to “Trust No One and Harden Everything.” This is a simple task that further hardens your SBCs.
  • Make sure that you have rules that allow the inbound traffic you need to manage the SBC and use LDAP or RADIUS authentication. Either of these methods would be much more secure than using the built-in user authentication on the SBC. You can further harden these rules by adding specific Source IP addresses. Just keep in mind that you can only create fifty (50) rules on a Mediant 800.
  • Test your rules before you turn your blocking rules on! You can easily lock yourself out of your SBC.

John Miller

Cloud Solutions Architect - Enabling Technologies