SIP server in the firewall, PSTN gateway inside

You might want to have most SIP functions in one box. Ingate Firewall can manage most common SIP functions, like user registration, SIP traffic routing and rewriting of NATed packets.

One function the firewall does not include is connecting to the PSTN. If you want to do this, you must use a PSTN gateway.

Here are the settings needed for this. It is assumed that the firewall already has a network configuration. Only the additional SIP settings are listed.

Basic

Go to the Basic page under SIP and turn the SIP module on. Here you also select log classes for SIP event logging.

Authentication and TLS

If the firewall should handle user registration, it should require that users authenticate themselves. Go to the Authentication and TLS page and turn SIP authentication on. Enter your SIP domain as the Realm.

Create a SIP group for the functions that should require authentication. You should require authentication of the REGISTER method for local domains. This means that if a user tries to register on your SIP domain, the firewall will ask for authentication. Calls and instant messages can then be sent without further authentication.

Registrar and Users

On the Registrar and Users page, you define which SIP domains are managed by the firewall, and if SIP users are listed in a local database or an external RADIUS server.

Create a new row in the Locally handled domains table and enter your SIP domain.

Then, select where the SIP user database is. If you run a RADIUS server, you can let the firewall use that for user authentication. Usually a local database is used.

Then, create the local SIP user database. Enter all user names, passwords, SIP groups and from which network they are allowed to register.

If you selected to use a RADIUS server, you don't need to fill in the local database.

RADIUS

If you selected to use an external RADIUS server for the SIP user authentication, you must instead enter the name or IP address of that server. This is done on the RADIUS page under Basic Configuration. See also RADIUS for more information on how the RADIUS server should be configured for SIP authentication.

Filtering

On the Filtering page, you set Proxy rules. If the firewall should process all SIP traffic regardless of sender or receiver, you only need to set the Default policy for requests under Proxy rules to Process all.

Usually, you want to assign different privileges to different groups of users. One fairly standard configuration is to allow users on the local network to communicate with users on any SIP domain, while SIP traffic from the outside is only processed if it is bound to a local SIP domain.

There should be no SIP requests originating from the DMZ network (if there are, it is fairly safe to suppose that a server on the network was used by a cracker). Set the policy for the DMZ network to Reject all.

Create rules for traffic from the inside (Process all) and the DMZ (Reject all). Let the Default policy for requests be Local only, which means that SIP traffic from other networks will only be processed if it is bound to a local domain.

Routing

To redirect traffic to the PSTN network, you can use Static domain modification. You can specify that all SIP traffic to user names consisting of digits only (that is, user names that are phone numbers) be redirected to the local PSTN gateway. You can also direct different numbers to different gateways.

In the example below, all phone numbers beginning with 01146 or +46 are redirected to a server in Sweden, numbers beginning with 01144 or +44 are redirected to a server in England, and calls to all other phone numbers are directed to the local PSTN gateway. Note that the table is read from top to bottom, and the first matching row is used to route the call.

To prevent unauthorized use of your PSTN gateway, you should require authentication for all these redirections. Select On in the Require authentication column.

If there are SIP clients which can't use authentication for INVITE (the method used to start calls), you can exempt these from authentication when calling the PSTN. Create a new row in the Require authentication exceptions table and select the network containing the clients.

You should also restrict the redirections to only calls for local domains. Select Off in the Global column.
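The following is an added Python model of the first-match routing table described in this section, together with the Require authentication, exceptions and Global columns; it is not Ingate's code or configuration format, and the SIP domain, gateway host names and exception network are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholders (not from the original page).
LOCAL_DOMAINS = {"example.com"}                      # domains in "Locally handled domains"
AUTH_EXCEPTION_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # "Require authentication exceptions"

@dataclass
class Rule:
    user_pattern: str   # regex on the user part of the Request-URI
    gateway: str        # host the call is redirected to (placeholder names)
    require_auth: bool  # "Require authentication" column
    global_: bool       # "Global" column; False = only calls for local domains

# Rows are evaluated top-down; the first matching row wins. The digits-only
# fallback must therefore come last, or it would also swallow +46/+44 numbers.
ROUTING_TABLE = [
    Rule(r"^(01146|\+46)\d+$", "pstn-gw-se.example.net", True, False),
    Rule(r"^(01144|\+44)\d+$", "pstn-gw-uk.example.net", True, False),
    Rule(r"^\+?\d+$", "pstn-gw.local.example.com", True, False),
]

def parse_request_uri(uri):
    """Return (user, domain) from a sip:user@domain URI, or None if malformed."""
    m = re.match(r"^sips?:([^@;>]+)@([^;>]+)", uri)
    return (m.group(1), m.group(2)) if m else None

def in_exception_network(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in AUTH_EXCEPTION_NETWORKS)

def route(request_uri, src_ip, authenticated):
    """Decide what the firewall does with an INVITE: ('redirect', gateway),
    ('challenge', None) when authentication is required but missing, or
    ('no_match', None) when no row applies."""
    parsed = parse_request_uri(request_uri)
    if parsed is None:
        return ("no_match", None)
    user, domain = parsed
    for rule in ROUTING_TABLE:
        if not re.match(rule.user_pattern, user):
            continue
        # Global = Off: the redirection applies only to calls for local domains.
        if not rule.global_ and domain not in LOCAL_DOMAINS:
            continue
        if rule.require_auth and not authenticated and not in_exception_network(src_ip):
            return ("challenge", None)   # firewall would send a 407 challenge
        return ("redirect", rule.gateway)
    return ("no_match", None)
```

Unauthenticated callers outside the exception network are challenged before any gateway sees the call, and digit-only user names at non-local domains are left alone because Global is Off on every row.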

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.

Basic Configuration

The firewall must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Configuration page under Basic Configuration.

Save/Load Configuration

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.