PBX on a DMZ or not?

Tags: #<Tag:0x00007f24c1bf2da8>


I have successfully updated our PBX from version 12 to the latest version via a restore and have configured the server to run in a VM.
I have 25 Cisco endpoints and 5 remote workers and the old live version 12 server is currently sitting on our LAN in our standard IP range.

I intend on moving the endpoints onto the new server and changing from 3 x PSTN lines to 4 SIP trunks and wanted to know the best network solution. I have a linux firewall with multiple zones so i could put the PBX on a dedicated zone and not on the general IP range on a DMZ and use the built in firewall.
I have a TFTP server also on our normal range which i guess ill have to move to the new range?

I have read various opinions but wanted to get an exsperienced persons point of view.

(Michael Jones) #2

Built in firewall and fail2ban works GREAT (my experience). Should wait to hear from others.

(Paul Hadley) #3

Just had a few issues with my system coming under attack and I only has port 5060 (now moved to an off standard solution) exposed with the required RTP ports to the internet.

I assume your standard

is then supported through forwarding and firewall entries in your router? why would you want to expose the PBX to any more security risk than necessary?


Im concerned if the server was compromised then the complete network is visable. If it sits on the LAN as it is now ill have to open up a port for the SIP trunks to use (not 5060 though) and therefore exposing the LAN. If it was on a different range it would make it harder to see the LAN if it was compromised.
It does mention setting the server up on a DMZ when you set the server up initially but i will never do that on a company LAN.
My concern is really the exposure via the SIP trunks.

(Simon Telephonics) #5

DMZ means different things to different people.

(Paul Hadley) #6

I have run three FPBX installation’s with a local IP address and a signalling port (was 5060) as the only open port and fail2ban as a block to hackers who tried to crack a extension login, that has proved fine for five years, I have now moved my signalling port from 5060 for additional peace of mind.

My Vigor Router allows me to set a second LAN isolated from the main one that I could use for the PBX and phones only but I haven’t felt the need to go that far.


If SIP trunks are your only public traffic, I wouldn’t lose any sleep opening the SIP ports just for my provider IPs.

But generally, a properly configured “DMZ” is wise. The DMZ<->LAN and DMZ<->WAN firewalling needs to be about as restrictive as the WAN<->LAN firewalling. I’ve seen many issues where the DMZ is effectively just a subnet wide open to the LAN, WAN or worse, both.

(Paul Hadley) #8

I would understand DMZ as setting one LAN IP address that all WAN requests without a clear destination through the NAT by either internal request or pre-set port forwarding go to? In other words a node inside the LAN more or less completely exposed to the internet?


I would call that the “home router” definition.

(Paul Hadley) #10

The only reason I open my signalling port is because I have trunks between the three PBX’s for extension to extension calls that do not login, they simply forward to the FQDN, if I only had ISP trunks I wouldn’t open up that port and would probably never have had an attack on my PBX?

(Simon Telephonics) #11

On the networks where I operate, any host that has an inbound path from the internet is DMZ.


So Sitting the PBX on the normal range,as i have it at the momment, and lock down the incomming IP’s for the SIP trunks would be the best solution rather than put the PBX on its own range ?

(Paul Hadley) #13

What incoming IP’s will you have for the trunks? are you registering with all your SIP Trunk providers or do you have PBX to PBX / Providers like I do? do you have external extensions that need to register to your PBX?

(system) closed #14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.