H.323 – D-Link DFL-2500 User Manual
Page 155
•
A NAT rule for outbound traffic from user agents on the internal network to the SIP Proxy
Server located externally. The SIP ALG will take care of all address translation needed by
the NAT rule. This translation will occur both on the IP level and the application level.
Neither the user agents or the proxies need to be aware that the local users are being
NATed.
•
An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the D-Link Firewall.
This rule will use core (in other words NetDefendOS itself) as the destination interface.
The reason for this is due to the NAT rule above. When an incoming call is received,
NetDefendOS will automatically locate the local receiver, perform address translation and
forward SIP messages to the receiver. This will be executed based on the ALGs internal
state.
A SAT rule is not needed since the ALG takes care of the mapping of the individual user IP
address behind the gateway to the public Internet address. When a user behind a D-Link
Firewall registers with a SIP proxy it sends its SIP URI (to uniquely identify it) to the firewall's
public IP address. When an exernal user then initiates a call, the SIP traffic arrives at the public
IP address and the ALG performs the necessary translation to the user's internal IP address.
4.
Ensure the peers are correctly configured. The SIP Proxy Server plays a key role in locating the
current location of the other peer for the session. The proxy's IP address is not specified
directly in the ALG. Instead its location is either entered directly into the client software used
by the peer or in some cases the peer will have a way of retrieving the proxy's IP address
automatically such as through DHCP.
Handling Data Traffic
The setup steps above take care of the SIP communication for establishing peer-to-peer
communications. The two IP rules are always needed so that peers can access the SIP proxy but no
rules are needed to handle the actual data traffic involved in, for example, a VOIP call. The SIP
ALG automatically takes care of establishing the NetDefendOS objects required for allowing the
data traffic to traverse the D-Link Firewall and these are invisible to the administrator.
Tip
Make sure there are no preceding rules already in the IP rule set disallowing or
allowing the same kind of traffic.
Depending on the SIP environment, the NetDefendOS SIP ALG can operate in hidden-topology
environments with private IP addresses, as well as open environments with public IP addresses. SIP
is a highly configurable protocol and the following describes the configuration required.
6.2.8. H.323
H.323 is a standard approved by the International Telecommunication Union (ITU) to allow
compatibility in video conference transmissions over IP networks. It is used for real-time audio,
video and data communication over packet-based networks such as the Internet. It specifies the
components, protocols and procedures for providing such multimedia communication, including
Internet phone and voice-over-IP (VoIP). (For VOIP see also Section 6.2.7, “SIP”.)
H.323 Components
H.323 consists of four main components:
Terminals
Devices used for audio and optionally video or data
communication, such as phones, conferencing units, or
"software phones" such as the product "NetMeeting").
6.2.8. H.323
Chapter 6. Security Mechanisms
155