
We have Cisco Expressway-Edge devices handling videoconferencing traffic with the outside world. This all goes through a Checkpoint firewall. The intention is that the inside endpoints can initiate meetings with outside endpoints but, for security reasons, outside endpoints cannot initiate meetings with inside endpoints. So the firewall has outbound rules to allow traffic on various TCP and UDP ports, but has no inbound rules.

With one external party, we can begin a meeting that works fully for 3-4 minutes. But then the room is shown as "leaving", and the meeting drops. The external party thinks it has sent a SIP UPDATE message on TCP 5061, and has received no reply. If we set a rule to allow inbound traffic to the Expressway-Edge, the meeting stays up.

Why would the external party initiate new inbound connections in this context? Are inbound rules required, or is there something else going wrong? We don't have a full packet capture. I am looking to understand what the expected direction of traffic flows would be, if inbound connections initiated externally are deliberately not allowed.

user602412

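One check worth doing before touching the rule base, as an added example that is not part of the question above: the stateful firewall lets reply packets of an outbound-initiated TCP session back in without any inbound rule, so the only traffic an inbound rule can "fix" is a brand-new connection (a SYN) that the outside party opens toward the Expressway-Edge. Distinguishing those two cases needs only connection-level data (firewall connection log, NetFlow, conntrack), not a full packet capture. The script below classifies TCP 5061 connection attempts by who initiated them. The inside network, the Expressway-Edge address, the peer address and the sample records are all constructed for illustration and are assumptions, not data from the original post.

```python
"""Classify SIP/TLS (TCP 5061) connection attempts by initiator.

Added example (not from the original question). Answers the question
"is the far end opening NEW inbound connections, or just sending packets
on the session we opened?" from connection-level records, when no full
packet capture is available.
"""
from dataclasses import dataclass
import ipaddress

INSIDE_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed DMZ holding Expressway-Edge
SIP_TLS_PORT = 5061


@dataclass(frozen=True)
class ConnRecord:
    t: float      # seconds since the call was set up
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool     # True for a new connection attempt, False for a packet on an existing flow


def direction(rec: ConnRecord) -> str:
    """'outbound' if an inside host talks to an outside host, 'inbound' for the reverse."""
    src_inside = ipaddress.ip_address(rec.src) in INSIDE_NET
    dst_inside = ipaddress.ip_address(rec.dst) in INSIDE_NET
    if src_inside and not dst_inside:
        return "outbound"
    if dst_inside and not src_inside:
        return "inbound"
    return "other"


def new_inbound_connections(records, port=SIP_TLS_PORT):
    """Connection attempts (SYNs) the OUTSIDE initiated toward an inside host on `port`.

    Only these need an inbound firewall rule; reply packets on an
    outbound-initiated session are matched by the state table.
    """
    return [r for r in records if r.syn and r.dport == port and direction(r) == "inbound"]


def summarize(records, port=SIP_TLS_PORT) -> dict:
    """Counts per category plus the time of the first externally initiated connection."""
    outbound_new = [r for r in records if r.syn and r.dport == port and direction(r) == "outbound"]
    inbound_new = new_inbound_connections(records, port)
    replies = [r for r in records if not r.syn and direction(r) == "inbound"]
    return {
        "outbound_new": len(outbound_new),
        "inbound_new": len(inbound_new),
        "replies_on_existing": len(replies),
        "first_inbound_t": min((r.t for r in inbound_new), default=None),
        "needs_inbound_rule": bool(inbound_new),
    }


# Constructed sample: our Expressway-Edge (203.0.113.10) dials the peer (198.51.100.20);
# the peer answers on that flow, then about 3.5 minutes in opens a fresh connection
# of its own toward our 5061 and retries once. Illustrative only, not captured data.
SAMPLE = [
    ConnRecord(0.0,   "203.0.113.10",  41000, "198.51.100.20", 5061, syn=True),
    ConnRecord(0.1,   "198.51.100.20", 5061,  "203.0.113.10",  41000, syn=False),
    ConnRecord(210.0, "198.51.100.20", 52000, "203.0.113.10",  5061, syn=True),
    ConnRecord(215.0, "198.51.100.20", 52000, "203.0.113.10",  5061, syn=True),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"t={rec.t:6.1f}s {direction(rec):8s} {'NEW' if rec.syn else 'existing'} "
              f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}")
    print(summarize(SAMPLE))
```

If the report shows `inbound_new` greater than zero, the far end really is opening its own connections to your 5061 and the firewall is dropping the SYNs, which is exactly the situation the question describes; if it shows only replies on the existing flow, the inbound rule is a red herring and the drop has another cause (a state-table timeout on the outbound session, for example). Either way, a "permit 5061 inbound" rule can then be scoped to the single peer address and the Expressway-Edge only, rather than opened broadly.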