Amer Networks E5Web GUI User Manual
Page 413

The SIP Proxy Record-Route Option
To understand how to set up SIP scenarios with cOS Core, it is important to first understand the
SIP proxy Record-Route option. SIP proxies have the Record-Route option either enabled or
disabled. When it is switched on, a proxy is known as a Stateful proxy. When Record-Route is
enabled, a proxy is saying it will be the intermediary for all SIP signalling that takes place
between two clients.
When a SIP session is being set up, the calling client sends an INVITE message to its outbound SIP
proxy server. The SIP proxy relays this message to the remote proxy server responsible for the
called, remote client's contact information. The remote proxy then relays the INVITE message to
the called client. Once the two clients have learnt of each other's IP addresses, they can
communicate directly with each other and remaining SIP messages can bypass the proxies. This
facilitates scaling since proxies are used only for the initial SIP message exchange.
The disadvantage of removing proxies from the session is that cOS Core IP rules must be set up
to allow all SIP messages through the Clavister Security Gateway, and if the source network of
the messages is not known then a large number of potentially dangerous connections must be
allowed by the IP rule set. This problem does not occur if the local proxy is set up with the
Record-Route option enabled. In this mode, all SIP messages will only come from the proxy.
The different rules required when the Record-Route option is enabled and disabled can be seen in
the two different sets of IP rules listed below in the detailed description of Scenario 1
Protecting local clients - Proxy located on the Internet.
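As an added example (not from the manual), the Python below shows why the Record-Route setting decides which peers send SIP signalling through the gateway: the calling client builds its route set from the Record-Route headers of the final response (RFC 3261 section 12.1.2), so with the option enabled every later in-dialog request goes to the local proxy, and without it the request goes straight to the remote client's Contact. The SIP message, host names and addresses are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed 200 OK as received by the calling client. Proxies prepend their
# Record-Route as they forward the INVITE, so the remote proxy is on top.
RESPONSE_WITH_RECORD_ROUTE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Record-Route: <sip:proxy-remote.example.net;lr>\r\n"
    "Record-Route: <sip:proxy-local.example.com;lr>\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:bob@203.0.113.7:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Same dialog with Record-Route disabled on both proxies (constructed).
RESPONSE_WITHOUT_RECORD_ROUTE = "\r\n".join(
    line for line in RESPONSE_WITH_RECORD_ROUTE.split("\r\n")
    if not line.startswith("Record-Route:")
)


def parse_headers(msg: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs, skipping the start line."""
    head = msg.split("\r\n\r\n", 1)[0]
    pairs = (line.split(":", 1) for line in head.split("\r\n")[1:] if ":" in line)
    return [(name.strip().lower(), value.strip()) for name, value in pairs]


def uri_host(uri_ref: str) -> str:
    """Extract host[:port] from '<sip:user@host:port;params>' or a bare URI."""
    match = re.search(r"sips?:(?:[^@<>;]+@)?([^;>\s]+)", uri_ref)
    if not match:
        raise ValueError(f"not a SIP URI: {uri_ref!r}")
    return match.group(1)


def uac_route_set(msg: str) -> List[str]:
    """The caller stores Record-Route values in reverse order (RFC 3261 12.1.2)."""
    return list(reversed([v for n, v in parse_headers(msg) if n == "record-route"]))


def next_hop(msg: str) -> str:
    """Host the caller sends BYE/re-INVITE to: first route element if any, else Contact."""
    routes = uac_route_set(msg)
    if routes:
        return uri_host(routes[0])   # loose or strict routing both target this proxy
    contact = next(v for n, v in parse_headers(msg) if n == "contact")
    return uri_host(contact)         # direct to the remote client, proxies bypassed
```

With the route set present the gateway only ever sees signalling to and from proxy-local.example.com; without it the peer is the remote client's address, which is unknown until the call is set up and is what forces the broad IP rules the text describes.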
IP Rules for Media Data
When discussing SIP data flows there are two distinct types of exchanges involved:
• The SIP session which sets up communication between two clients prior to the exchange of
media data.
• The exchange of the media data itself, for example the coded voice data which constitutes a
VoIP phone call.
In the SIP setups described below, IP rules need only be explicitly defined to deal with the first of
the above, the SIP exchanges needed for establishing client-to-client communications. No IP
rules or other objects need to be defined to handle the second of the above, the exchange of
media data. The SIP ALG automatically and invisibly takes care of creating the connections
required (sometimes described as SIP pinholes) for allowing the media data traffic to flow
through the Clavister Security Gateway.
Tip
Make sure there are no preceding rules already in the IP rule set disallowing or allowing
the same kind of traffic.
SIP and Virtual Routing
SIP is a complex protocol that requires cOS Core to maintain state information regarding
active calls and registered users. The scope of SIP state is uniquely defined by the SIP service
and its connected SIP ALG. If multiple SIP domains are running concurrently but using different
Policy-based Routing Tables then one SIP ALG and one SIP service object should be created for
each table. Policy-based Routing Tables are described in detail in Section 4.5, “Virtual Routing”.
SIP Usage Scenarios
Chapter 6: Security Mechanisms