Interoperability
The SIP standard is still young and under considerable development. As an effect, several implementations of the standard omits parts of it, or makes guesses as to what will be accepted.
Ingate Firewall adheres rather well to the standard (RFC 3261) per default, but you can also adjust the configuration to make more allowing for known issues in various SIP implementations.
On this page, you also configure timeout and retransmission values for SIP signaling.
Loose routing
The firewall uses the parameter "lr" in its SIP signaling to announce to other SIP devices that it uses loose routing. Some other SIP implementations incorrectly expect the lr parameter to be followed by a value, i.e. "lr=true". If you select that the firewall should add this value to its SIP signaling, it will work with these implementations, too. This could affect its interaction with other SIP devices that conform to the SIP standard very strictly.
Select to use "lr=true" (On) or not (Off).
Relaxed Refer-To
The SIP standard requires that a Refer-To header with a question mark in it must be contained within angle brackets. Some clients do not honor this.
Select whether the firewall should accept Refer-To headers without angle brackets, but containing question marks. The recommended setting is Off; not to accept them.
Remove VIA headers
Some SIP servers won't accept requests with more than one Via header. To be able to communicate via these servers, you can select to remove all Via headers but one in requests to those servers. The Via headers are added again when the reply passes the firewall.
Here, list servers that won't accept more than one Via header in SIP requests.
SIP server
Enter the DNS name or IP address for a SIP server that won't accept more than one Via header.
Delete row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Add new rows
Enter the number of new rows you want to add to the table, and then click on Add new rows.
Preserve username
When registering a SIP client on one side of the firewall to a SIP server on the other side, the Contact header is normally rewritten. By doing this, we make it possible for the SIP server to track when the same user is registering multiple times from different places. It is possible to turn this rewriting off and preserve the username in Contact headers passing through the firewall, but that makes it impossible for the SIP server to tell if registrations for a certain user belong to one or several clients (if a user has two registrations from different clients and deregisters one of them, the SIP server will delete its only registration for him).
Select if usernames should be preserved (On) or not (Off). It is recommended to keep this setting off.
Translation exceptions
Usually, the firewall rewrites IP addresses in the SIP signaling to hide it for the receiver. For some reasons, you might want to except certain IP addresser from being rewritten. Enter those IP addresses in the table.
Note: This feature is experimental and may be removed in future versions.
Except this from translation
Enter the DNS name or IP address to be excepted from IP address translation. If you enter a DNS name, the corresponding IP address will be excepted from translation.
Delete row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Add new rows
Enter the number of new rows you want to add to the table, and then click on Add new rows.
Loose username check
Normally, the firewall checks that the authentication username equals the username in the From header. Some clients use their whole address as authentication username (ie: user@host.com), which means that the username "user" in the From header is compared with the authentication username "user@host.com". This authentication will fail. With this function, "@host.com" is stripped from the authentication username.
Select if usernames should be checked loosely (On) or strictly (Off).
SIP URL encryption
In some situations some SIP URLs are encrypted and signed. When an invitation to a call is sent out, the address that the callee is to send its answer to is encrypted, if the outgoing packet is NAT:ed. When the answer from the callee comes in, the firewall checks that the encryption and signing is correct before the address is used to send the information onwards.
The encryption and signing makes the SIP packets slightly larger. This might lead to SIP packets being fragmented. By turning encryption off, fragmentation can be avoided in some cases, and since some equipment has trouble with fragmented packets this can sometimes be necessary.
Please note that when encryption is turned off, the firewall maked no checks of incoming SIP URLs. It becomes possible in theory to trick the firewall to send SIP packets anywhere, which means that security is drastically reduced if encryption is turned off.
If Remote NAT Traversal is used, the URL encryption must be turned on.
Here, you select to turn SIP URL encryption On or Off.
Expires header
Some SIP clients don't understand the expires: parameter in the Contact header. To set the expiration time for those clients, you can make the firewall add to REGISTER request replies an Expires header with the expires value in it.
Select to Always add Expires header, Never add Expires header, or Add Expires header if the request contained one. The last means that the firewall will add an Expires header to the response if the request from the client contained one.
Allow RFC 2069 authentication
Some SIP units can't handle Digest authentication as described in RFC 2617, but they still do authentication. Ingate Firewall can allow the simpler form of authentication described in RFC 2069 to be able to interoperate with these units.
To allow this can decrease security. Use it only if units in your system need it.
Select if authentication according to RFC 2069 should be allowed (On) or not (Off). It is recommended to keep this setting off.
Force remote TLS connection reuse
Enter SIP servers to which the firewall connects using TLS. For the listed servers, the firewall will use the actual source port for the TLS connection instead of port 5061.
This is useful in the SIP signaling, where port numbers are used in Via and Route headers.
DNS name or IP address
Enter the DNS name or IP address for a SIP server for which the firewall should reuse TLS ports.
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.
Delete row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Add new rows
Enter the number of new rows you want to add to the table, and then click on Add new rows.
Force Record-Routing of outbound requests
Here, you select if the firewall should add a Record-Route header to all requests received by the firewall, but whose Request-URI indicates another SIP device;.
The Record-Route header makes all subsequent SIP signaling for this session to be routed via the firewall even if it is not the shortest route.
Here, you select to turn Force Record-routing On or Off.
Open port 6891 for file transfer
Messenger clients do not always use the ports that are negotiated in the SIP signaling. In particular, the File Transfer function always uses the same port, regardless of what is negotiated. To make File Transfer work through the firewall you must open port 6891, the Messenger File Transfer port.
You only need to do this if File Transfers are made between clients on different networks; if transfers are always only made between clients on the same network, no extra ports need to be opened.
Note: If more than one Messenger client performs file transfer through the firewall at the same time, they could end up sending to each other's peers instead of their own. An attacker could possibly use this to intercept transfered files; don't use this mechanism to transfer sensistive data.
Here, you select to turn Open port 6891 On or Off. Recommended setting is Off.
Timeout and retransmission values
You can configure timeouts for the different functions of the firewall SIP module here. It is not recommended to change from the default values unless you really know what you're doing.
Timeout for SIP over TCP/TLS
The Timeout for SIP over TCP/TLS decides how long a SIP connection over TCP with the firewall may exist without having received a complete SIP request.
"0" or an empty field means that SIP over TCP or TLS cannot be used to the firewall.
Default timeout for requests
When sending a SIP request you can specify a timeout, telling how long you can wait before getting an answer.
If no timeout is given when a SIP request is sent, the firewall sends the default timeout entered here.
Maximum timeout for requests
Here, enter the maximum timeout to allow for a SIP request. If a higher timeout is given, the firewall changes it to the value entered here.
Base retransmission timeout for SIP requests
When the firewall sends out a SIP request, it will expect a reply within a certain time. If no reply has been received within the Base retransmission timeout, the firewall will start resending the request.
Maximum number of retransmissions for INVITE requests
When the firewall sends out an INVITE request, it will wait for a reply until the Base retransmission timeout and then start to retransmit the request. The time intervals between retransmissions will double for each new retransmission.
Example: If the Base retransmission timeout is 0.5 seconds and the Maximum number of retransmissions is 6, the INVITE requests will be sent with intervals of 0.5 s, 1 s, 2 s, 4 s, 8 s, and 16 s.
Maximum number of retransmissions for non-INVITE requests
When the firewall sends out a request which is not an INVITE request, it will wait for a reply until the Base retransmission timeout and then start to retransmit the request. The time intervals between retransmissions will double for each new retransmission until the interval reaches 4 seconds. After that, retransmissions will be made with a 4-second interval.
Example: If the Base retransmission timeout is 0.5 seconds and the Maximum number of retransmissions is7, the requests will be sent with intervals of 0.5 s, 1 s, 2 s, 4 s, 4 s, 4 s, and 4 s.
SIP blacklist interval
When the firewall sends out a SIP request and no reply is received, the SIP peer (say, a SIP server or an IP phone) will be blacklisten for the given time interval. This blacklisting means that no new SIP requests will be sent to the unit, even if requests that should be routed to this unit is received by the firewall.
If the SIP request which caused the blacklisting, or a subsequent SIP request for that unit, can be routed to another device instead, the firewall will keep on sending those requests to the next known IP address for the domain/user in question. When the blacklist ends, the firewall will go back to sending requests to the previously blacklisted unit again.
If a 0 is entered into this field, the SIP blacklisting will not be used by the firewall.
Save
Saves the Interoperability configuration to the preliminary configuration.
Undo
Reverts all of the above fields to their previous configuration.
Look up all IP addresses again
Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.