Remote SIP Connectivity
If you are at a hotel or somewhere else where you find yourself behind a NAT-ing device that does not understand SIP, you will have use of the SIP Remote Connectivity of Ingate Firewall. This will help your client to traverse the NAT, even if the device doing the NAT does not understand SIP. The SIP Remote Connectivity is only available if you have installed the Remote Connectivity module.
If you have a STUN-capable SIP client, you need just turn on the STUN server of the firewall to make the client work behind NAT. If you have a SIP client that does not do STUN (or if the STUN-capable client is located behind a Symmetric NAT device), you have to use the Remote NAT Traversal feature. This is easier for the client, but generates more network traffic for the firewall.
STUN Server
Use the STUN server if you have STUN-aware SIP clients. You will need at least two public IP addresses to make it work with all client implementations of STUN.
STUN will not work properly if the NAT device uses Symmetric NAT (where the client's private IP/port pair translates to different public IP/port pairs depending on destination, and where other computers than the destination host are not allowed to reply on that IP/port pair).
The client also needs extra configuring for this; it must know which IP addresses and ports the STUN server has.
STUN server function
Select if the STUN server function should be switched On or Off.
IP addresses
When activated, the STUN server requires two IP addresses, and a pair of ports on these two IP addresses, on the firewall. STUN clients will then send test packets to these ports.
Select two IP addresses out of the ones assigned to the firewall under Directly connected networks and Alias on the interface pages.
Note: for the STUN server to work properly, you need to select IP addresses which the clients can reach. In normal circumstances, this means that only public IP addresses can be used.
Ports to use
Enter the ports to use for the STUN server. These ports, on the IP addresses selected, will not be available for anything else.
Remote NAT Traversal
If your SIP client is not STUN-capable, you can use the built-in Remote NAT traversal feature of the firewall. The client must register on the firewall (or through it).
The SIP client needs to re-REGISTER, or respond to OPTIONS packets, rather often for this to work. The exact period for this depends on the NAT-ing device, but 20 seconds should be enough to get across most NAT boxes.
The SIP URL encryption must be turned on for the Remote NAT traversal to work properly.
Remote NAT traversal
Turn this function on or off.
Re-REGISTER period for clients
Clients using this function will have to re-REGISTER very often, to keep the IP/port NAT binding. A re-REGISTER interval of 20 seconds should be enough to ensure this.
If some clients are unable to handle short re-REGISTER intervals, the firewall can send OPTIONS messages instead, see below.
Use OPTIONS for registered clients
Select if the firewall should use OPTIONS packets instead of short re-REGISTER intervals to keep the NAT binding.
OPTIONS interval
Enter the interval for the firewall to send OPTIONS packets to the client.
Save
Saves the Remote SIP Connectivity configuration to the preliminary configuration.
Undo
Reverts all of the above fields to their previous configuration.