The following section describes specific firewall configurations that we have encountered in the field; it will be updated as more information becomes available. Again, this is not an exhaustive list; many other firewall models offer very similar configuration options.
Some SonicWall firewalls offer "port scan protection" features. These should be disabled for the hub traffic where possible: when the hub starts up, it immediately opens several local sessions on consecutively numbered ports, and the firewall can mistake that burst of connections for a port scan.
Juniper SRX firewalls allow an "inactivity-timeout" setting to be specified per application; for the UIM hub traffic this timeout should be set to "never", so that the firewall does not expire idle sessions that the hub intends to re-use.
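As an illustration of the SRX setting above, the following Junos configuration defines a custom application for the hub tunnel traffic with its inactivity timeout set to never, and applies it through a security policy. This is an added example, not configuration from the UIM documentation; the zone names, the address-book entry and its address, the policy name, and the destination port 48003 (assumed here to be the port the tunnel server listens on; substitute the port configured on your tunnel server) are all assumptions for the example.

```junos
# Custom application for the UIM hub tunnel. The inactivity-timeout is taken
# from the application that a session matches, so the hub traffic must match
# this application (not a predefined one or "any") for the setting to apply.
set applications application uim-hub-tunnel protocol tcp
set applications application uim-hub-tunnel destination-port 48003
set applications application uim-hub-tunnel inactivity-timeout never

# Address of the tunnel server (example address, replace with your own).
set security address-book global address uim-hub-server 192.0.2.10/32

# Policy from the zone holding the tunnel clients to the zone holding the
# tunnel server. Zone and policy names are assumptions for this example.
set security policies from-zone trust to-zone untrust policy permit-uim-hub match source-address any
set security policies from-zone trust to-zone untrust policy permit-uim-hub match destination-address uim-hub-server
set security policies from-zone trust to-zone untrust policy permit-uim-hub match application uim-hub-tunnel
set security policies from-zone trust to-zone untrust policy permit-uim-hub then permit
```

After committing, `show security flow session destination-port 48003` lists the matching sessions and their timeout values, which confirms that established tunnel sessions are being matched by the custom application rather than by a predefined application with a default timeout.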
Palo Alto firewalls are stateful (state-aware) firewalls and should be configured as follows for the hub traffic:
Idle connection timeout: 7200 seconds. Treat this as a minimum; a higher value is always better.
Max connection timeout: 7200 seconds. Treat this as a minimum; a higher value is always better.
TCP connection only: no application awareness (very important). The hub traffic must be passed as a plain TCP connection, with no application identification or inspection applied to it.
Stonesoft firewalls behave similarly to Palo Alto firewalls in this regard and should be configured as described for Palo Alto above.
"Stateful Packet Inspection" should be disabled for the UIM hub traffic. This is likely to apply to other firewall types as well, since Stateful Packet Inspection is a common option on many firewalls.
A note on SSL Decryption:
SSL Decryption is an option on many firewalls. It works by terminating the client's encrypted connection at the firewall and opening a separate encrypted connection to the server, so that the traffic can be decrypted and scanned in between before being re-encrypted and passed on. Because the firewall, rather than the peer hub, then answers the tunnel's TLS handshake, this option will cause UIM tunnels to fail and must be disabled for the hub tunnel traffic. If it is enabled, the tunnel failure is accompanied by a very specific "NO SHARED CIPHER" error, visible either in the UIM hub logs or in the Tunnel Status section of the hub GUI.