Here is a complete SIP configuration for an Ingate Firewall with three active interfaces. The network looks like this:

First, make sure that IP addresses for a Default gateway and a DNS server are entered on the Basic Configuration page. These are needed when the SIP requests are processed.


On the Basic page under SIP, you make the firewall SIP-aware.

Go to the Filtering page. SIP requests from the internal network should always be processed. Enter a Proxy rule for this. All other requests should only be processed if they are directed to a local domain. To ensure this, select Local only as the Default policy for requests.

Enter the SIP domain handled by the firewall on the Registrar and Users page. Usually, the SIP domain looks just like the ordinary Internet domain for the company.
Some IP telephones register on IP addresses (their own or that of the registrar) instead of domains. If you use this type of telephone, add the IP address of the registrar as a Locally handled domain.

Select to use a local SIP user database (as opposed to a RADIUS database). To enable the internal SIP clients to receive SIP requests, they must be allowed to register. Add one row for each domain, where all users in the domains are allowed to register. This is possible because the SIP authentication is not active. Note that with the settings shown in the image, users who use the IP address of the firewall as their SIP domain can only register from the Internal network.


The recommended setting is to let all SIP proxies perform authentication. Go to the Authentication and TLS page to turn authentication on. If you want the firewall to authenticate users you must also select the methods to authenticate. When a method is explicitly authenticated for some users, users who aren't authenticated for this method will not be permitted to use it. For this reason, it might be unwise to authenticate the INVITE method, as this would prevent you from receiving calls from users who are not entered on this page.
To perform authentication, you first need a SIP group containing the methods you want to authenticate.


Then go to the Registrar and Users page and list the SIP users. You must enter all users on separate lines.

This is all configuration needed for the firewall to manage SIP traffic. Apply the configuration on the Save/Load Configuration page.

The name server entered on the Basic Configuration page must be able to look up other SIP domains if the users should be able to communicate with users on other domains.
The SIP clients must have the firewall as their SIP proxy and registrar.

If you don't want to use the built-in SIP registrar in the firewall, you will have to make some other settings. You may also want to use an external SIP server, and use the firewall just as a SIP proxy.
On the Filtering page, all SIP requests must be processed, as the firewall does not have any Locally handled domains. If any of the other options are selected, no requests will be processed.
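The filtering decision described for both setups (a Proxy rule for the internal network plus Local only as default, and the registrar-less case with no Locally handled domains) can be modelled as below. This is an added sketch, not Ingate code: the network, domains, rule table, and the policy labels `local_only` and `process_all` are constructed names for illustration, and first-match rule order is an assumption.

```python
import ipaddress
import re

# Constructed sample values (not from the page): replace with your own.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
LOCAL_DOMAINS = {"example.com", "10.0.0.1"}  # SIP domain plus registrar IP

# Hypothetical rule table: (source network, action). First match wins.
PROXY_RULES = [(INTERNAL_NET, "process")]

# Method, then a sip:/sips: Request-URI with optional userinfo.
REQUEST_LINE = re.compile(
    r"^[A-Z]+ sips?:(?:[^@\s]+@)?(?P<host>[^:;?\s]+)", re.IGNORECASE
)


def request_domain(raw_request):
    """Return the lower-cased host of the Request-URI, or None if unparseable."""
    first_line = raw_request.split("\r\n", 1)[0]
    match = REQUEST_LINE.match(first_line)
    return match.group("host").lower() if match else None


def decide(source_ip, raw_request, default_policy="local_only",
           local_domains=LOCAL_DOMAINS, rules=PROXY_RULES):
    """Return "process" or "reject" for one incoming SIP request."""
    domain = request_domain(raw_request)
    if domain is None:
        return "reject"  # not a parseable SIP request line
    src = ipaddress.ip_address(source_ip)
    for network, action in rules:
        if src in network:
            return action  # e.g. internal clients are always processed
    if default_policy == "process_all":
        return "process"
    if default_policy == "local_only" and domain in local_domains:
        return "process"
    return "reject"


if __name__ == "__main__":
    invite_local = "INVITE sip:bob@example.com SIP/2.0\r\n"
    invite_other = "INVITE sip:carol@other.example SIP/2.0\r\n"
    for src, req in [("10.0.0.15", invite_other), ("203.0.113.9", invite_local),
                     ("203.0.113.9", invite_other)]:
        print(src, req.split()[1], decide(src, req))
```

With an empty set of local domains and `local_only`, every request from outside the rule table is rejected, which is why the external-server setup needs all requests processed.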

On the Routing page, enter the SIP server (IP address and port) you want to send your SIP requests to.

Some SIP servers do not accept SIP elements between themselves and the SIP clients. These servers deduce that other SIP elements are involved by counting Via headers in the received SIP packet.
On the Interoperability page, you can make the firewall remove all Via headers for certain servers, to trick them into believing that there are no other elements involved.

These are the SIP settings needed. Apply the configuration on the Save/Load Configuration page.