Planning and Installation Guide Chapter 9: Network Requirements and Preparation
from trying to keep up with the denial-of-service attack traffic. They also prevent this
traffic from reaching the valuable web, application, and database servers that create your
Internet presence and service your customers.
By using firewalls in conjunction with the DMZ design technique, many businesses and
service providers are striving to present as much information as possible without permitting
unwanted access to the corporate resources.
One way to keep your mission-critical resources as private as possible, while still allowing
for a strong Internet presence, is to use Network Address Translation (NAT). NAT offers the
outside world one, or a few, IP addresses. This allows a manager to set up whatever internal
IP addressing scheme may be required by corporate policies and business needs. An
internal resource’s IP address (source IP) is changed as it passes through the NAT function
to one of the “outside” IP addresses. Thus, the external world does not know any of the
enterprise’s internal IP addresses. Only the NAT device presents an IP address that is
known and used by external devices. The NAT device keeps track of these conversations
and performs the IP address translation as needed.
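
The conversation tracking described above, as an added Python sketch that is not part of the ShoreTel guide. It assumes a single outside address with port translation; the `SourceNat` class, the addresses (documentation ranges) and the port numbers are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SourceNat:
    """Hypothetical NAT device presenting one outside IP address."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}   # inside 5-tuple -> outside source port
        self._back = {}  # (proto, outside port, remote ip, remote port) -> inside host

    def outbound(self, p: Packet) -> Packet:
        # First packet of a conversation allocates an outside port;
        # later packets of the same conversation reuse it.
        if p not in self._out:
            self._out[p] = self._next_port
            self._back[(p.proto, self._next_port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
            self._next_port += 1
        # The internal source address never leaves the NAT device.
        return p._replace(src_ip=self.public_ip, src_port=self._out[p])

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Only replies matching a tracked conversation are translated back;
        # anything else has no internal destination and is dropped (None).
        inside = self._back.get((p.proto, p.dst_port, p.src_ip, p.src_port))
        if p.dst_ip != self.public_ip or inside is None:
            return None
        return p._replace(dst_ip=inside[0], dst_port=inside[1])

def demo():
    nat = SourceNat("203.0.113.10")                      # constructed outside address
    request = Packet("tcp", "10.1.20.15", 51000, "198.51.100.7", 443)
    seen = nat.outbound(request)                          # what the external server sees
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 443, seen.src_ip, seen.src_port))
    stray = nat.inbound(Packet("tcp", "192.0.2.99", 443, seen.src_ip, seen.src_port))
    return seen, reply, stray

if __name__ == "__main__":
    for label, pkt in zip(("seen outside", "reply inside", "unsolicited"), demo()):
        print(label, pkt)
```
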
Extending the private network of the corporate LAN to remote sites via VPN is a proven
method of deploying a ShoreTel system across multiple sites. All IP telephony
endpoints (such as ShoreWare server(s), ShoreGear switches, and IP telephones) should
participate in the same private network, with firewalls between ShoreTel equipment and
the public Internet. If needed, you can elect to open access to the ShoreWare server(s) to
access ShoreWare Director via HTTP, using the same precautions you would when
exposing any critical server’s web services to the public network.
Configuring firewalls to function correctly with VoIP traffic is very difficult. ShoreTel does
not recommend deploying ShoreTel equipment across firewalls.
Figure 9-2 Firewalls