Firewall Ports for ShoreTel SA-100

Deploying the ShoreTel Service Appliance (SA -100) in the demilitarized zone (DMZ) is the preferred method to

facilitate external traffic.

 
In the scenario where a service appliance is deployed in the DMZ, the following requirements apply:

 

Enable routable traffic between the DMZ and LAN. Network Address Translation (NAT) can not be

used for network traffic between these points.

 

Adequate bandwidth between DMZ and LAN with a minimum of voice latency and jitter.

DNS (Domain Name System) configuration to resolve both internal and external addresses. A

DNS configured to external addressing only, with a host file configured to handle traffic internally,

may be used as an alternative.

 

If a Service Appliance is made available from the Internet, all other Service Appliances need to be

accessible and addressable from the Internet.

 

The network requires port-forwarding through the firewall which is restricted to web ports (80-

unsecure HTTP and 443-secure HTTPS).

 

 

In the scenario where a Service Appliance is deployed on the trusted internal network, the following

requirements apply:

 

The network requires port-forwarding through the firewall which is restricted to web ports (80-

unsecure & 443-HTTPS). Alternatively, a reverse-proxy server can be used instead of portforwarding

but this requires the provision of an additional server.

 
The network requires DNS configuration both internally to resolve internal addresses and

externally to resolve to external addresses.

 
Alternatively, a network can be configured with DNS configured for external addressing only and a

host file configurated to handle traffic internally.