Security Considerations

OMniLeads is a web application designed to operate behind at least one perimeter firewall, or behind a cloud firewall when deployed in a cloud-computing environment.

Ideally, OMniLeads should be deployed together with an HTTP proxy or an edge cloud load balancer in front of the HTTPS traffic, and a Session Border Controller (SBC) handling the VoIP edge. This makes the security of the deployment considerably more robust.

Considering the scenario where users are going to access the application both from the local network and also from the Internet, the following list of ports should be exposed:

  • UDP 5161: SIP traffic coming from the PSTN; it must be validated by source IP. This is the port to use if the instance hosting OML has a public IPv4 address assigned directly to its network interface.
  • UDP 5162: SIP traffic coming from the PSTN; it must be validated by source IP. This is the port to use if the instance hosting OML has a public IPv4 address behind NAT.
  • UDP 40000 to 50000: RTP traffic coming from the PSTN; it must be validated by source IP. This range is the one to use if the instance hosting OML has a public IPv4 address behind NAT.
  • UDP 20000 to 30000: WebRTC media traffic coming from the users. In this case the users are assumed to be working from home, so the range is left open to the Internet.
  • TCP 443 (HTTPS): Web and WebRTC signalling traffic coming from the users. In this case the users are assumed to be working from home, so the port is left open to the Internet.
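The port list above translates directly into an ingress filter: the user-facing ports are open to the Internet, the PSTN-facing ports are accepted only from the carrier's addresses, and everything else is dropped. The following nftables ruleset is an added example written for this page; it is not part of the OMniLeads project and is not shipped with it. It assumes that `eth0` is the public interface, that administration happens from an internal `10.0.0.0/8` network, and that the SIP trunk addresses in the `pstn_trunks` set are constructed placeholders (TEST-NET ranges) that you replace with your real carrier IPs.

```nftables
#!/usr/sbin/nft -f
# Added example for the OMniLeads port list; not the project's own configuration.
# Assumptions: eth0 is the public interface, management comes from 10.0.0.0/8,
# and the PSTN trunk addresses below are constructed placeholders.

flush ruleset

table inet oml_edge {
    # Source addresses of the SIP trunks (PSTN side). Replace with the
    # real carrier IPs; everything SIP/RTP-related is restricted to this set.
    set pstn_trunks {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and packets belonging to flows we already accepted.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Management: SSH only from the internal network (assumption).
        iifname "eth0" ip saddr 10.0.0.0/8 tcp dport 22 accept

        # Users (home office): HTTPS web UI and WebRTC signalling, open to the Internet.
        iifname "eth0" tcp dport 443 accept

        # Users (home office): WebRTC media, UDP 20000-30000, open to the Internet.
        iifname "eth0" udp dport 20000-30000 accept

        # PSTN: SIP signalling, only from the listed trunks.
        # 5161 when the public IPv4 is on the NIC, 5162 when the host sits behind NAT.
        iifname "eth0" ip saddr @pstn_trunks udp dport { 5161, 5162 } accept

        # PSTN: RTP media, UDP 40000-50000, only from the listed trunks.
        iifname "eth0" ip saddr @pstn_trunks udp dport 40000-50000 accept

        # SIP from any other source is logged so that scanning shows up in the
        # system log, then dropped by the chain policy together with everything else.
        iifname "eth0" udp dport { 5161, 5162 } log prefix "oml-sip-unknown-src "
    }
}
```

Check the syntax without applying it with `nft -c -f <file>`, then load it with `nft -f <file>`. The logged-and-dropped SIP line is what gives you visibility into the unsolicited SIP traffic mentioned below, while the trunk set keeps that traffic from ever reaching the OMniLeads SIP stack.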

All In One Deployment:

[Figure: _images/install_oml_nat.png]

Cluster deployment on a cloud-computing scheme:

[Figure: _images/cluster_A.png]

Important

If you need to expose the VoIP ports to the whole Internet, we strongly recommend handling VoIP security with a Session Border Controller, or with an Asterisk or FreeSWITCH instance configured as an edge SIP component, so that OMniLeads itself is not reachable from every IP address. At a minimum, an exposed instance will start receiving junk SIP traffic from many different sources.