Secure AWS Mitel Architecture

Modified on Mon, 4 May at 2:24 PM

AWS High Level Architecture: Secure AWS Mitel Hosting - Design.vsdx


Firewall Selection: choice between FortiGate or pfSense


| Consideration | FortiGate (VM) | pfSense (Netgate / Community) |
|---|---|---|
| Best Fit For | Enterprise environments requiring advanced security, compliance, and vendor-backed support | Cost-sensitive environments with standard firewalling and VPN requirements |
| Security Capability | Advanced (IPS, SSL inspection, application control, FortiGuard threat intelligence) | Solid core firewalling and VPN; advanced features require add-ons and manual tuning |
| Support Model | 24/7 enterprise vendor support (Fortinet) | Community support or paid Netgate support (varies by subscription) |
| Ease of Management | Centralised management (FortiManager/FortiAnalyzer), consistent enterprise tooling | Web GUI is simple, but lacks native centralised enterprise management |
| Scalability (Multi-site / SD-WAN) | Strong, built for large, distributed environments and SD-WAN | Limited, suitable for smaller or less complex environments |
| Integration (Security Stack) | Seamless with Fortinet ecosystem (SASE, NAC, MDR, etc.) | Limited native ecosystem; relies on third-party integrations |
| Performance & Optimisation | Optimised with ASIC-backed design principles (even in VM context) | Good performance, but less optimised for high-throughput enterprise workloads |
| Cost | Higher upfront and ongoing licensing costs | Lower cost, minimal licensing (especially community edition) |
| Operational Overhead | Lower – more “out-of-the-box” enterprise features | Higher – requires more manual configuration and ongoing tuning |
| Risk Profile | Lower risk, vendor-backed, suitable for critical workloads (e.g. contact centres, councils) | Higher risk if not actively managed; better suited for non-critical or budget-constrained deployments |


AWS Sizing: https://www.mitel.com/document-center/technology/virtualization/virtual-appliance-deployment-host-server-sizing/all-releases/en/virtual-appliance-deployment-host-server-sizing-html


Pricebook: TBC


Terms and Conditions: Terms and Conditions.docx


IPSec Tunnel Setup


  • Customer Public IP
  • eComms Public IP
  • Encryption Domain (Local Subnets – eComms side)
  • Encryption Domain (Remote Subnets – Customer side)
  • IKE Version (v1 or v2)
  • Phase 1:
    1. Encryption (AES256)
    2. Authentication (SHA256)
    3. DH Group (14 or higher)
    4. Lifetime
  • Phase 2:
    1. Encryption (AES256)
    2. PFS Group
    3. Lifetime
  • Pre-Shared Key (PSK)
  • NAT-T Required (Yes/No)
  • Dead Peer Detection (DPD)

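As an added example (not part of the original page), a small Python check that validates a completed tunnel parameter sheet against the Phase 1 / Phase 2 minimums listed above; the TunnelSpec field names, the accepted cipher and hash sets, and the 32-character PSK threshold are assumptions made for this example.

```python
# Added example: validate a collected IPsec parameter sheet against the design
# baseline (IKEv2 preferred, AES256, SHA256, DH group 14 or higher, PFS, DPD).
from dataclasses import dataclass

ALLOWED_ENC = {"aes256", "aes256gcm"}          # assumed acceptable encryption set
ALLOWED_AUTH = {"sha256", "sha384", "sha512"}  # assumed acceptable integrity set
MIN_DH_GROUP = 14                              # "DH Group (14 or higher)"
MIN_PSK_LEN = 32                               # assumed minimum PSK length

@dataclass
class TunnelSpec:
    ike_version: int
    p1_encryption: str
    p1_authentication: str
    p1_dh_group: int
    p1_lifetime_s: int
    p2_encryption: str
    p2_pfs_group: int        # 0 means PFS disabled
    p2_lifetime_s: int
    dpd_enabled: bool
    psk: str

def check_tunnel(spec: TunnelSpec) -> list:
    """Return a list of findings; an empty list means the sheet meets the baseline."""
    findings = []
    if spec.ike_version != 2:
        findings.append("IKEv1 in use; IKEv2 preferred")
    if spec.p1_encryption.lower() not in ALLOWED_ENC:
        findings.append(f"phase 1 encryption {spec.p1_encryption} is not AES256")
    if spec.p1_authentication.lower() not in ALLOWED_AUTH:
        findings.append(f"phase 1 authentication {spec.p1_authentication} weaker than SHA256")
    if spec.p1_dh_group < MIN_DH_GROUP:
        findings.append(f"phase 1 DH group {spec.p1_dh_group} below 14")
    if spec.p2_encryption.lower() not in ALLOWED_ENC:
        findings.append(f"phase 2 encryption {spec.p2_encryption} is not AES256")
    if spec.p2_pfs_group < MIN_DH_GROUP:
        findings.append("phase 2 PFS disabled or group below 14")
    if spec.p1_lifetime_s < spec.p2_lifetime_s:
        # child SA should rekey at least as often as the IKE SA
        findings.append("phase 2 lifetime longer than phase 1 lifetime")
    if not spec.dpd_enabled:
        findings.append("dead peer detection disabled")
    if len(spec.psk) < MIN_PSK_LEN:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    return findings
```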

DNS


Who manages Public DNS (e.g. GoDaddy, Cloudflare, Route53)?

Public DNS

  • micollab.customer.com.au → Public IP (Firewall VIP)
  • ignite.customer.com.au → Public IP

Who manages Internal DNS (e.g. AD, Azure)?

Internal DNS

  • micollab.customer.com.au → Internal Private IP (MiCollab)
  • ignite.customer.com.au → Internal IP

All public DNS records must resolve to the firewall and must not point directly to internal application servers.

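An added example (not from the original page) that checks planned split-horizon record sets against the rule above: public answers must be the firewall VIP and never an RFC1918 address, internal answers must be private. The VIP, the record sets and the addresses in them are constructed sample values.

```python
# Added example: validate public and internal DNS views for the MiCollab / Ignite
# hostnames. Addresses below are constructed (203.0.113.0/24 is documentation space).
import ipaddress

FIREWALL_VIP = ipaddress.ip_address("203.0.113.10")   # constructed firewall VIP
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# constructed record sets for each DNS view: hostname -> answers
PUBLIC_VIEW = {
    "micollab.customer.com.au": ["203.0.113.10"],
    "ignite.customer.com.au": ["10.20.30.40"],    # wrong: leaks an internal address
}
INTERNAL_VIEW = {
    "micollab.customer.com.au": ["10.20.30.5"],
    "ignite.customer.com.au": ["203.0.113.10"],   # wrong: on-net clients would hairpin via the firewall
}

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def check_public(records):
    """Every public answer must be the firewall VIP and never an RFC1918 address."""
    findings = []
    for name, answers in records.items():
        for a in answers:
            ip = ipaddress.ip_address(a)
            if is_rfc1918(ip):
                findings.append(f"{name}: public record exposes private address {a}")
            elif ip != FIREWALL_VIP:
                findings.append(f"{name}: public record {a} is not the firewall VIP")
    return findings

def check_internal(records):
    """Internal answers must be the private addresses of the application servers."""
    findings = []
    for name, answers in records.items():
        for a in answers:
            if not is_rfc1918(ipaddress.ip_address(a)):
                findings.append(f"{name}: internal record {a} is not a private address")
    return findings
```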

Firewall


Security Zones

  • Internet
  • Customer LAN
  • IPSec Tunnel
  • Firewall
  • MBG DMZ
  • Internal (MiVB / MiCollab / MiCC)

All firewall rules must be defined between zones, not individual hosts, where possible.


Approved Access Methods

  • IPSec Tunnel (Preferred)
  • MBG Proxy (Internet users)
  • VPN

Any access outside these methods is considered non-standard and carries risk.


Internal LAN

  • Voice VLAN (phones)
  • Server VLAN (MiVB, MiCollab, MiCC)
  • Management VLAN
  • Inter-VLAN routing via firewall
  • 802.1X for device authentication (if supported)
  • Separate SSID for voice (Wi-Fi deployments)


Endpoint Security

  • Phone security
    1. Admin passcode configured (69xx phones)
    2. Disable unused ports (USB, PC port if not needed)
    3. Disable unused services on endpoints
    4. Maintain current phone firmware versions
  • Softphones
    1. Enforce VPN or MBG-only access


Risk Acceptance (Non-Standard Access)

  • Direct internet access to services bypassing IPSec or MBG introduces:
    1. Increased attack surface
    2. Reduced traffic inspection
    3. Potential exposure to SIP-based attacks
  • eComms does not guarantee security posture for:
    1. Customer-managed home networks
    2. Public internet paths outside defined controls


Firewall NAT / VIP

  • Public IP to MBG-DMZ
  • No direct NAT to MiVB/MiCollab/MBG/MiCC etc.


Logging

  • Log all:
    1. Denied traffic
    2. SIP attempts
    3. Geo-block hits
    4. Audit logs (logins, config changes)
    5. Registration failures

 

DDoS / Rate Limiting

Add:

  • SIP rate limiting
  • UDP flood protection
  • IPS enabled


Mitel Rules

Note:

  • The firewall rules listed below are indicative only.
  • Any rules containing “Any” source/destination, broad port ranges (e.g. 1024–65535), or undefined IP ranges MUST be refined and validated by a network engineer prior to implementation.
  • These rules are NOT to be deployed as-is in production.
  • SIP access must be restricted to NetSIP IP ranges ONLY.
  • TLS (TCP 5061) is preferred over UDP 5060:
    1. TLS 1.2 / 1.3 only (no legacy versions)
    2. Disable weak ciphers (SHA1, legacy RSA)
  • Unauthenticated SIP traffic must be blocked.
  • SIP rate limiting and intrusion protection must be enabled.
  • Replace all self-signed certs with CA-signed certs, and track:
    1. Expiry dates
    2. Renewal process
    3. Certificate lifecycle management

| COMPONENT | SOURCE IP | SOURCE PORT | DESTINATION IP | PORT OR RANGE | PROTOCOL |
|---|---|---|---|---|---|
| MiCollab | MiCollab | Any | Mitel AMC (216.191.234.91) | 22 | TCP |
| MiCollab | Customer Site Subnets | Any | MiCollab | 443 | TCP |
| MiCollab | Customer Site Subnets | Any | MiCollab | 36008 | TCP |
| MiCollab | Customer Site Subnets | Any | MiCollab | 5500-10280 | UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 5500-10280 | UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 18100 | TCP/UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 18101 | TCP/UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 18102 | TCP/UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 18105 | TCP/UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 18103 | TCP/UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 18104 | TCP/UDP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 18106 | TCP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 6070 | TCP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 5106 | TCP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 1099 | TCP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 5269, 5347 | TCP |
| MiCollab | MiCollab | Any | Customer Site Subnets | 36008-36009 | TCP |
| MiVoice Business | MiVB | UDP 5060 | Customer Site Subnets | 5060 | UDP |
| MiVoice Business | MiVB | UDP 5061 | Customer Site Subnets | 5061 | UDP |
| SIP Service | Customer Site Subnets | UDP 5060 | MiVB | 5060 | UDP |
| SIP Service | Customer Site Subnets | UDP 5061 | MiVB | 5061 | UDP |
| MiVoice Business | MiVB | UDP 50000-50511 | Customer Site Subnets | Any | Any |
| SIP Service | Customer Site Subnets | Any | MiVB | 50000-50511 | UDP |
| MiVoice Business | MiVB | Any | Mitel AMC (216.191.234.91) | 22 | TCP |
| MiVoice Business | MiVB | Any | Mitel AMC (216.191.234.91) | 443 | TCP |
| MiVoice Business | MiVB | Any | MiVB | 4001 | TCP |
| MiVoice Business | MiVB | Any | MiVB | 389, 636 | TCP |
| MiVoice Business | MiVB | Any | MiVB | 7001 | TCP |
| MiVoice Business | MiVB | Any | MiVB | 49500-49599 | TCP |
| MiVoice Business | MiVB | Any | MiVB | 7050 | TCP |
| MiVoice Business | MiVB | Any | MiVB | 1066-1067 | TCP |
| MiVoice Business | MiVB | Any | MiVB | 10990 | TCP |
| MiVoice Business | MiVB | UDP 50000-50511 | MiVB | 50000-50511 | UDP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 80 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 443 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 5024 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 5025 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 5026 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 7000-7003 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 5053 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 8083 | TCP |
| MiCC Client | Customer Site Subnets | Any | MiCC | 8084 | TCP |
| MiNet Device | Customer Site Subnets | Any | MiVB | 69, 20001 | UDP |
| MiNet Device | Customer Site Subnets | Any | MiVB | 3998 | TCP |
| MiNet Device | Customer Site Subnets | Any | MiVB | 3999 | TCP |
| MiNet Device | Customer Site Subnets | Any | MiVB | 6800-6802 | TCP |
| MiNet Device | MiVB | Any | Customer Site Subnets | 6800-6802, 6900-6999 | TCP |
| MiNet Device | Customer Site Subnets | UDP 9000, 9002, 50000-50511 | MiVB | 50000-50511 | UDP |
| MiNet Device | MiVB | UDP 50000-50511 | Customer Site Subnets | 9000, 9002, 50000-50511 | UDP |
| MiNet Device | Customer Site Subnets | UDP 9000, 9002, 50000-50511 | Customer Site Subnets | Any | Any |
| MiNet Device | Customer Site Subnets | Any | Customer Site Subnets | 9000, 9002, 50000-50511 | UDP |
| MiNet Device (Via MBG) | Customer Site Subnets | Any | MBG DMZ | 20001 | UDP |
| MiNet Device (Via MBG) | Customer Site Subnets | Any | MBG DMZ | 20000-30999 | UDP |
| MiNet Device (Via MBG) | Internet | Any | MBG DMZ | 20001 | UDP |
| MiNet Device (Via MBG) | Internet | Any | MBG DMZ | 20000-30999 | UDP |
| MiNet Device (Via MBG) | MBG DMZ | UDP 20000-30999 | Customer Site Subnets | Any | Any |
| MiVoice Conf Phone | Customer Site Subnets | Any | Customer Site Subnets | 123 | TCP |
| MiVoice Conf Phone | Customer Site Subnets | Any | MiVB | 5060, 5061 | UDP |
| MiVoice Conf Phone | Customer Site Subnets | UDP 50000-50511 | MiVB | 50000-50511 | UDP |
| MiVoice Conf Phone | Customer Site Subnets | UDP 50000-50511 | Customer Site Subnets | Any | Any |
| MiCollab Softphone | Customer Site Subnets | Any | MiVB | 6800-6802 | TCP |
| MiCollab Softphone | Customer Site Subnets | Any | MiVB | 50000-50511 | UDP |
| MiCollab Softphone | MiVB | Any | Customer Site Subnets | 50098-50508 | UDP |
| MiCollab Softphone (Via MBG) | Customer Site Subnets | Any | MBG DMZ | 6801-6802 | TCP |
| MiCollab Softphone (Via MBG) | Customer Site Subnets | UDP 50098-50508 | MBG DMZ | 20000-30999 | UDP |
| MiCollab Softphone (Via MBG) | MiCollab | UDP 20000-30999 | Customer Site Subnets | 50098-50508 | UDP |
| MBG | MBG DMZ | Any | Mitel AMC (216.191.234.91) | 22 | TCP |
| Softphone | Internet | Any | MBG DMZ | 36008 | UDP |
| MiVoice Business | MiVB | Any | Customer Site Subnets | 1024-65535 | UDP |
| MiNet Device | Customer Site Subnets | Any | MiVB | 1024-65535 | UDP |
| MBG | MBG DMZ | Any | MiCollab | 6800-6802, 6809 | TCP |
| MBG | MBG DMZ | Any | MiCollab | 5060-5061 | TCP/UDP |
| MBG | MBG DMZ | Any | MiCollab | 1024-65535 | UDP |
| MBG | MBG DMZ | Any | MiCollab | 36008 | TCP |
| MBG | MiCollab | Any | MBG DMZ | 6800-6802, 6809 | TCP |
| MBG | MiCollab | Any | MBG DMZ | 5060-5061 | TCP/UDP |
| MBG | MiCollab | Any | MBG DMZ | 1024-65535 | UDP |
| MBG | MiCollab | Any | MBG DMZ | 36008 | TCP |
| MBG | MBG DMZ | Any | MiCC | 6800-6802, 6809 | TCP |
| MBG | MBG DMZ | Any | MiCC | 5060-5061 | TCP/UDP |
| MBG | MBG DMZ | Any | MiCC | 1024-65535 | UDP |
| MBG | MBG DMZ | Any | MiCC | 36008 | TCP |
| MBG | MiCC | Any | MBG DMZ | 6800-6802, 6809 | TCP |
| MBG | MiCC | Any | MBG DMZ | 5060-5061 | TCP/UDP |
| MBG | MiCC | Any | MBG DMZ | 1024-65535 | UDP |
| MBG | MiCC | Any | MBG DMZ | 36008 | TCP |
| MiCC | MBG DMZ | Any | MiCC | 6800-6802, 6809 | TCP |
| MiCC | MBG DMZ | Any | MiCC | 5060-5061 | TCP/UDP |
| MiCC | MBG DMZ | Any | MiCC | 1024-65535 | UDP |
| MiCC | MBG DMZ | Any | MiCC | 36008 | TCP |
| MiCC | MiCollab | Any | MBG DMZ | 6800-6802, 6809 | TCP |
| MiCC | MiCollab | Any | MBG DMZ | 5060-5061 | TCP/UDP |
| MiCC | MiCollab | Any | MBG DMZ | 1024-65535 | UDP |
| MiCC | MiCollab | Any | MBG DMZ | 36008 | TCP |
| Preview Dialer | Customer Site Subnets | Any | MiCC | 8866 and 8877 | TCP |
| Preview Dialer | MiCC | 8866 and 8877 | Customer Site Subnets | Any | TCP |
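An added example (not from the original page) that applies the "Mitel Rules" notes to rows of the indicative table above as a pre-implementation lint: it flags "Any" addresses, zone labels that still need concrete subnets, broad destination port ranges, SIP reachable from sources other than the NetSIP ranges, and UDP 5060 where TLS on 5061 is preferred. The NetSIP label, the internal zone names and the width that counts as "broad" are assumptions for this example.

```python
# Added example: lint indicative firewall rules against the notes in "Mitel Rules".
# A rule is (component, src, src_port, dst, dst_port, proto) as in the table above.
import ipaddress
import re

NETSIP_LABEL = "NetSIP ranges"                            # assumed label for NetSIP sources
INTERNAL_ZONES = {"MiVB", "MiCollab", "MiCC", "MBG DMZ"}  # assumed internal zone labels
BROAD_PORT_SPAN = 1000                                    # assumed: wider ranges need validation
SIP_PORTS = {5060, 5061}

def parse_ports(spec):
    """'6800-6802, 6809', '8866 and 8877', 'UDP 5060' or 'Any' -> set of ports (None = any)."""
    if spec.strip().lower() == "any":
        return None
    ports = set()
    for tok in re.findall(r"\d+(?:-\d+)?", spec):
        lo, _, hi = tok.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def is_concrete(addr):
    """True when the address column is a real IP or CIDR, e.g. 'Mitel AMC (216.191.234.91)'."""
    try:
        ipaddress.ip_network(addr.split("(")[-1].rstrip(")").strip(), strict=False)
        return True
    except ValueError:
        return False

def lint_rule(rule):
    """Return the findings for one rule; an empty list means nothing to refine."""
    component, src, src_port, dst, dst_port, proto = rule
    findings = []
    for side, addr in (("source", src), ("destination", dst)):
        if addr.strip().lower() == "any":
            findings.append(f"{side} 'Any' must be refined to specific addresses")
        elif not is_concrete(addr):
            findings.append(f"{side} '{addr}' is a label; replace with concrete subnets")
    dports = parse_ports(dst_port)
    if dports is None or len(dports) > BROAD_PORT_SPAN:
        findings.append(f"broad destination port spec '{dst_port}' must be validated")
    if dports and dports & SIP_PORTS and src not in INTERNAL_ZONES and src != NETSIP_LABEL:
        findings.append(f"SIP reachable from '{src}'; restrict SIP sources to NetSIP ranges")
    if dports and 5060 in dports and "UDP" in proto.upper():
        findings.append("UDP 5060 permitted; TLS on TCP 5061 is preferred")
    return findings

def lint_table(rules):
    """Map row index -> findings for every row that needs attention."""
    report = {}
    for i, rule in enumerate(rules):
        findings = lint_rule(rule)
        if findings:
            report[i] = findings
    return report
```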


General Rule

  • All traffic not explicitly permitted is denied by default.
  • No direct access to MiVoice Business (MiVB), MiCollab, or MiContact Center (MiCC) from the Internet is permitted. All inbound and outbound traffic must terminate at the Firewall and be inspected and proxied via MBG where applicable.
  • Internet-originating traffic must be restricted to approved geographic regions (Australia by default).
  • Additional countries may be permitted based on documented customer requirements.
  • All denied traffic, including geo-blocked traffic, must be logged and monitored.

Reference documents:

  • MiVB_R10.5_ Data_Protection_v1.0.pdf
  • MiVB_Security Guidlines_ R10.5-v1.1.pdf

 

Authentication Hardening

Add:

  • Strong SIP passwords
  • Disabled unused extensions
  • Lockout policies


Identity Hardening

Add:

  • MFA for admin access
  • Restrict admin interfaces (IP allow list)
  • Disable default accounts
  • Enforce strong password policy (15+ chars, complexity)
  • Password expiry aligned to customer policy
  • Account lockout after failed attempts (default = 3)
  • Define Admin / Support / Read-only roles
  • No shared accounts
  • Temporary support accounts
  • Login banner (legal/security notice)

 

MBG-DMZ

When designing the MBG-DMZ layer, ensure the following:

  • Provision a dedicated MBG virtual appliance within the DMZ network segment (separate from internal application subnets).
  • Size the MBG appropriately based on:
    1. Number of concurrent SIP trunk channels
    2. Number of remote users (softphone and handset registrations)
  • Ensure SIP Trunk Proxy capacity is sufficient to handle peak concurrent sessions, including headroom for failover scenarios.
  • Configure MBG as the only externally exposed voice access point (no direct exposure of MiVB, MiCollab, or MiCC).
  • Ensure all external voice and softphone traffic is anchored and proxied through MBG.


Miscellaneous

  • Ensure the MBG SIP Trunk Proxy configuration aligns with the provisioned NetSIP trunk channel capacity
  • MIR Server A = single instance
  • MIR Server B = resilient instance
  • MIR Server B = screen recording
  • MIR Server C = database server
  • MIR Server D or E = integrated reporting and additional SQL databases
