Routing

Here, you configure routing of the SIP signaling received by the firewall. The options are: to forward all SIP requests to a server, regardless of what they concern (Outbound Proxy); to replace the domain in a SIP request, based on the receiver user name (Static domain modification); to forward requests to a specific user to other users as well (Static registrations); and to forward all requests addressed to a specific SIP domain to a SIP server (Static forwarding). You can also select to process class 3xx messages in the firewall or pass them on to the client.

Static domain modification

You can forward requests matching certain criteria to another domain. This could be useful, e.g. for rewriting phone numbers to an Internet SIP domain. The firewall looks at the SIP URL, which is formed like username@domain, and, if the username matches the search pattern, replaces the domain.

The firewall will use the first row with matching criteria. Use the row numbers to list the rows in the desired order.

In the example above, 555-40937@ingate.com will be forwarded to 555-40937@sip.newyork.ingate.com, but 555-4040alex@ingate.com will not be forwarded, since it contains letters after the prefix and the search pattern only allows digits, #, *, - and +.

The second row routes all telephone numbers (user names with only digits) to the company PSTN gateway, using the transport protocol UDP, regardless of which protocol was used to send the request to the firewall. To prevent unauthorized use of the gateway, authentication is required for this.

No.

The modification rules are used in the order they are presented in the table. To move a certain rule, enter the number on the row to which you want to move it. You need only renumber rules that you want to move; other rows are renumbered automatically. When you click on Save, the rules are re-sorted.

Username pattern

Enter the pattern matching the SIP user name which should be modified.

Prefix is the first part of the user name, where there should be an exact match. This could be an area code, a company name or something else to indicate that it should be redirected to another domain.

Rest is the rest of the user name, when the Prefix has been removed. For this part, no exact match is required, just that it contains only characters from the chosen set. Select from: 0..9 (only digits); 0..9, -, + (digits, minus and plus); a..z, A..Z (only letters); a..f, A..F, 0..9 (only hexadecimal numbers); a..z, A..Z, 0..9 (letters and digits but no other characters); and any character.

Domain replacement

Enter here the new domain/IP address and port for the user names matching the pattern under User search pattern. You can also select a transport protocol for the requests.

Require authentication

If On is selected, the firewall will require authentication for all requests matching the username pattern, except requests from the networks listed under Require authentication exceptions below. One use for this is restricting access to your PSTN gateway: redirect the calls in this table, require authentication for the domain modification, and add your internal networks as exceptions.

Not all SIP clients support authentication of methods other than REGISTER, which can make it hard to establish calls that are negotiated with authentication according to this setting.

If Off is selected, the domain is modified for all users without any authentication.

Global

Select if this domain modification should be made for all incoming requests, not just requests to local domains. Select On to modify all requests, and Off to modify only requests to local domains.

Delete row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.

Require authentication exceptions

You can exclude SIP requests from specified IP addresses, transported via specified protocols, from the authentication requirements you made in the Static domain modification table above. However, if authentication is required by the settings on the Authentication and TLS page, it will still be performed.

Source

Select a network for which no authentication should be made. The options are the networks configured on the Networks and Computers page under Network.

Protocol

Select for which protocol or protocols no authentication should be made.

Note: it is relatively easy for an attacker to fake his source address using UDP, so we recommend that only TLS or TCP is allowed here.

Delete row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.
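
The row matching and authentication decision described under Static domain modification and Require authentication exceptions, as an added Python example (not Ingate's code). The two rule rows mirror the rows the text describes; the prefix 555-, the gateway name pstn-gw.example.com, the exception networks and the assumption that the request's domain is locally handled are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Character sets for the "Rest" part; the key names are this example's own.
CHARSETS = {
    "digits": set("0123456789"),
    "phone": set("0123456789#*-+"),
}

@dataclass
class Rule:
    prefix: str         # exact match on the start of the user name
    rest: str           # key into CHARSETS for the remainder
    domain: str         # replacement domain
    transport: str      # "-" keeps the transport the request arrived on
    require_auth: bool

# Constructed table mirroring the two rows the page describes.
RULES = [
    Rule("555-", "phone", "sip.newyork.ingate.com", "-", False),
    Rule("", "digits", "pstn-gw.example.com", "UDP", True),  # placeholder gateway
]
# Constructed exceptions: (source network, protocols exempt from authentication).
EXCEPTIONS = [
    (ipaddress.ip_network("10.0.0.0/8"), {"TCP", "TLS"}),
    (ipaddress.ip_network("192.168.1.0/24"), {"UDP"}),
]

def route(uri, src_ip, proto, rules=RULES, exceptions=EXCEPTIONS):
    """Return (new_uri, transport, auth_required), or None if no row matches."""
    user, _, _domain = uri.partition("@")
    for r in rules:  # the first row with matching criteria is used
        rest = user[len(r.prefix):]
        if user and user.startswith(r.prefix) and set(rest) <= CHARSETS[r.rest]:
            exempt = any(ipaddress.ip_address(src_ip) in net and proto in protos
                         for net, protos in exceptions)
            transport = proto if r.transport == "-" else r.transport
            return f"{user}@{r.domain}", transport, r.require_auth and not exempt
    return None

def risky_exceptions(exceptions=EXCEPTIONS):
    """Exception rows that skip authentication over UDP, where the source
    address is easy to fake (the page recommends only TLS or TCP)."""
    return [str(net) for net, protos in exceptions if "UDP" in protos]
```

Running risky_exceptions() over an exported exception table is a quick review step before saving: any row it returns lets a request with a forged UDP source address reach the PSTN gateway rule unauthenticated.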

Static registrations

You can specify that calls to a certain user address should also be redirected to another address, or that calls to a non-person user name (like support@company.com) should be redirected to one or more other addresses.

Static registrations only affect SIP requests addressed to Locally handled domains.

Even if a call should be forwarded, the firewall will try to put it through to the original addressee.

Request to user

Enter the user address. Calls to this user are sent to the user, but also forwarded to users listed under Also forward to. The address should be entered in the form user@domain.

Also forward to

User

Enter the address to which the calls should be forwarded. The address should be entered in the form user@domain. You can forward to more than one address by creating several rows for the same Request to user name.

sip/sips

Select if the request to this address should be sent by SIP or SIPS (SIP Secure). With SIPS, you require that the request is sent over TLS all the way to the addressee.

Transport

Select the protocol to use when sending the request.

Delete row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Add new rows

Enter the number of new groups and rows you want to add to the table, and then click on Add new rows.

Outbound Proxy

Here, you can enter an external SIP proxy to which all or part of the SIP requests should be sent. This could be useful e.g. if the firewall separates two local departments of a company, and all SIP requests should be processed by the main firewall connected to the Internet.

Use this SIP proxy for all requests

Enter the IP address/DNS name and port number of an external SIP proxy if you don't want to use the internal SIP server of Ingate Firewall.

Host/IP address

Enter the host name or IP address of the external SIP proxy.

Port

Enter the port number of the external SIP proxy.

If no port number is entered, the firewall will make a DNS query for an SRV record. If a port number is entered, it will query for an A record.

Class 3xx message processing

Sometimes during negotiation for a connection, status messages about this process will be sent. Here you select whether to forward these to the client or process them in the firewall.

A class 3xx message from a server means that the connection attempt was terminated, but no connection was established, e.g. due to use of the wrong address or service. The firewall as well as some clients can use this information to make new attempts which might have a better chance to succeed.

Forward class 3xx messages

The choices are Forward all, which forwards all class 3xx messages to the client (which might be able to use this information), and Follow redirects, which means that the firewall itself uses the information and might make new connection attempts. In this case, it will only inform the client when the connection finally is established or the attempt has failed totally.

Static forwarding

Here, you can register SIP domains to which the SIP relay should be able to forward requests, but which for some reason cannot be resolved in DNS. Enter an IP address and port to which the requests should be forwarded. You can also select to use a specific protocol.

You can also enter subdomains to Locally handled domains, if you want the subdomain to be handled by a separate SIP proxy. This table has a higher priority than Locally handled domains, which means that if you register a subdomain to a domain registered under Locally handled domains, the firewall will forward SIP requests to the subdomain instead of processing them itself.

You can enter more than one IP address or host name for a domain, and set weights and priorities for these.

Domain

Enter the domain name of the SIP domain.

Relay to

Enter the IP address for the SIP registrar handling the domain. You can also enter a DNS name for the SIP registrar, if it has a DNS-resolvable host name, even if the SIP domain is not possible to look up in DNS.

Under Port, enter the port on which the SIP registrar listens for SIP traffic. The standard port is 5060 (5061 for TLS).

You can select which transport protocol to use between the firewall and the registrar. Under Transport, select from UDP, TCP and TLS. You can also select "-", which means that the signaling is passed on using the same transport as was used to reach the firewall.

If you entered more than one IP address/host name for the same domain, you should also assign them Priority and Weight. A low Priority value means that the unit should have a high priority. If more than one unit has the same Priority, the signaling sent to them is distributed between them according to their Weight. If two units have the same priority, and Unit 1 has weight 4, and Unit 2 has weight 9, 4/13 of the signaling will be sent to Unit 1, and 9/13 will be sent to Unit 2.

Delete row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.

Save

Saves the Routing configuration to the preliminary configuration.

Undo

Reverts all of the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.