In the SIP Settings section, choose whether to enable SIP transformation globally or by firewall rule:
Use global control to enable SIP Transformations. This option is selected by default.
Use firewall rule-based control to enable SIP Transformations. Be sure to configure a firewall rule to control SIP transformations as described in SonicOS/X Policies.
If you are not configuring SIP transformations, go to Step 12.
Enable SIP Transformations is not selected by default. Select this option to:
Transform SIP messages between LAN (trusted) and WAN/DMZ (untrusted).
Select this setting when you want the Security Appliance to perform the SIP transformation. If your SIP proxy is located on the public (WAN) side of the Security Appliance and the SIP clients are on the LAN side, the SIP clients by default embed their private IP address in the SIP/Session Description Protocol (SDP) messages they send to the SIP proxy. Because NAT does not rewrite these embedded addresses, the messages reach the proxy unchanged, and the SIP proxy does not know how to reach the client behind the Security Appliance.
Enable the Security Appliance to go through each SIP message and change the private IP address and assigned port.
Control and open the RTP/RTCP ports that must be open for SIP session media to flow.
NAT translates Layer 3 addresses, but not Layer 7 SIP/SDP addresses, which is why you need to select Enable SIP Transformations to transform the SIP messages.
In general, you should select Enable SIP Transformations unless you use another NAT traversal solution that requires this feature to be turned off. SIP Transformations work in bi-directional mode: messages are transformed going from LAN to WAN and vice versa.
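The distinction between Layer 3 NAT and Layer 7 SIP/SDP rewriting is easiest to see on a concrete message. The following added example is not SonicOS code: it is a toy SIP ALG that takes a constructed INVITE from a LAN phone, rewrites the private address in the Via and Contact headers and in the SDP o=, c= and m= lines, recomputes Content-Length, and records the RTP/RTCP pinholes that would have to be opened. The WAN address, the port ranges and the sample message are all constructed assumptions.

```python
import re

# Constructed sample traffic: an INVITE from a LAN phone (192.168.1.50) to a SIP
# proxy on the WAN. The private address appears in SIP headers and in the SDP
# body, which plain Layer 3 NAT never touches.
PRIVATE_IP = "192.168.1.50"
PUBLIC_IP = "203.0.113.5"   # assumed WAN address of the Security Appliance

SAMPLE_SDP = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@proxy.example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@proxy.example.net>;tag=1928301774\r\n"
    "To: <sip:bob@proxy.example.net>\r\n"
    f"Call-ID: a84b4c76e66710@{PRIVATE_IP}\r\n"
    "CSeq: 314159 INVITE\r\n"
    f"Contact: <sip:alice@{PRIVATE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)


class SipTransformer:
    """Toy SIP ALG (modelled behaviour, not SonicOS code): rewrites Layer 7
    addresses in SIP headers and SDP and records the RTP/RTCP pinholes."""

    def __init__(self, public_ip, signaling_port_base=50000, media_port_base=20000):
        self.public_ip = public_ip
        self.next_sig_port = signaling_port_base
        self.next_media_port = media_port_base
        self.signaling_map = {}   # (private_ip, private_port) -> public_port
        self.media_pinholes = {}  # public_port -> (private_ip, private_port)

    def _map_signaling(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.signaling_map:
            self.signaling_map[key] = self.next_sig_port
            self.next_sig_port += 1
        return self.signaling_map[key]

    def _alloc_media_port(self):
        # RTP uses an even port and RTCP the next odd one, so allocate in pairs.
        port = self.next_media_port
        self.next_media_port += 2
        return port

    def transform(self, message, private_ip):
        """LAN -> WAN direction. Returns (rewritten message, pinholes opened)."""
        head, sep, body = message.partition("\r\n\r\n")
        addr_re = re.compile(re.escape(private_ip) + r"(?::(\d+))?")
        headers = []
        for line in head.split("\r\n"):
            name = line.split(":", 1)[0].strip().lower()
            # Via and Contact are routing addresses and must point at the firewall.
            # Call-ID is an opaque identifier and is deliberately left alone even
            # though it happens to contain the private IP.
            if name in ("via", "contact"):
                line = addr_re.sub(
                    lambda m: f"{self.public_ip}:"
                    f"{self._map_signaling(private_ip, int(m.group(1) or 5060))}",
                    line,
                )
            headers.append(line)

        pinholes = {}
        if body:
            sdp = []
            for line in body.split("\r\n"):
                if line.startswith(("o=", "c=")):
                    line = line.replace(private_ip, self.public_ip)
                elif line.startswith("m="):
                    parts = line.split(" ")
                    rtp_private = int(parts[1])
                    rtp_public = self._alloc_media_port()
                    pinholes[rtp_public] = (private_ip, rtp_private)
                    pinholes[rtp_public + 1] = (private_ip, rtp_private + 1)  # RTCP
                    parts[1] = str(rtp_public)
                    line = " ".join(parts)
                sdp.append(line)
            body = "\r\n".join(sdp)
            self.media_pinholes.update(pinholes)

        # The body length may change, so Content-Length has to be recomputed.
        headers = [
            f"Content-Length: {len(body.encode())}"
            if h.lower().startswith("content-length:") else h
            for h in headers
        ]
        return "\r\n".join(headers) + sep + body, pinholes


def transform_sample():
    """Run the constructed INVITE through the transformer."""
    return SipTransformer(PUBLIC_IP).transform(SAMPLE_INVITE, PRIVATE_IP)


if __name__ == "__main__":
    out, holes = transform_sample()
    print(out)
    print("pinholes:", holes)
```

Two details are worth noting for anyone reasoning about a real ALG: the media pinholes are opened only because the SDP m= line was inspected (this is the "open up the RTP/RTCP ports" bullet above), and Content-Length must be recomputed after rewriting, since a public address of a different length changes the body size.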
When Enable SIP Transformations is selected, the other options become available.
To perform SIP transformations on TCP-based SIP sessions, select Enable SIP Transformation on TCP connections. This option is selected by default.
Select a Service Object from Perform transformations to TCP/UDP port(s) in Service Object. The default is SIP.
Selecting Permit non-SIP packets on signaling port allows applications such as Apple iChat and MSN Messenger, which send additional proprietary (non-SIP) messages over the SIP signaling port, to work through the firewall. This option is not selected by default.
Enabling this option might expose your network to attacks that use malformed or invalid SIP traffic.
If the SIP Proxy Server is being used as a B2BUA, enable the Enable SIP Back-to-Back User Agent (B2BUA) support setting. This option is disabled by default and should be enabled only when the Security Appliance can see both legs of a voice call (for example, when a phone on the LAN calls another phone on the LAN).
If there is no possibility of the firewall seeing both legs of voice calls (for example, when calls are only made to and received from phones on the WAN), the Enable SIP Back-to-Back User Agent (B2BUA) support setting should be disabled to avoid unnecessary CPU usage.
Use the SIP Signaling inactivity time out (seconds) and SIP Media inactivity time out (seconds) options to define how long a call can remain idle (no traffic exchanged) before the firewall blocks further traffic. A call goes idle, for example, when it is placed on hold. Specify the maximum idle time for each case:
SIP Signaling inactivity time out applies when no signaling (control) messages are being exchanged. The minimum time is 30 seconds, the maximum time is 1000000 seconds (~1.2 days) and the default is 3600 seconds (60 minutes).
SIP Media inactivity time out applies when no media (for example, audio or video) packets are being exchanged. The minimum time is 30 seconds, the maximum time is 3600 seconds (1 hour), and the default time is 120 seconds (2 minutes).
Use the Additional SIP signaling port (UDP) for transformations setting to specify a non-standard UDP port that carries SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP services use different ports, such as 1560. When this setting is nonzero (0 is the default; the maximum value is 65535), the Security Appliance also performs SIP transformation on that non-standard port.
Vonage’s VoIP service uses UDP port 5061.
To track SIP endpoint registration anomalies, select the Enable SIP endpoint registration anomaly tracking option. This option is not selected by default. When it is selected, these options become available:
Registration tracking interval (seconds) – Specify the interval between checking for anomalies. The default is 300 seconds (5 minutes).
Failed registration threshold – Specify the number of failed registrations before checking for anomalies. The default is 5 failures.
Endpoint block interval (seconds) – Specify how long an endpoint that crossed the threshold stays blocked. The default is 3600 (60 minutes).
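To make the three anomaly-tracking settings concrete, here is an added example (not SonicOS code) that models them as a sliding-window counter run over constructed registration log lines: failures per endpoint are counted within the tracking interval, an endpoint that reaches the failed-registration threshold is blocked for the block interval, and failures older than the tracking interval age out. The log format, the choice of which SIP responses count as a failed registration, and the sample endpoints are all assumptions; the defaults (300 s, 5 failures, 3600 s) are the ones the settings above document.

```python
from collections import deque

# Assumption: the page does not say which responses count as a failed
# registration, so this model counts only 403 Forbidden. (A 401 challenge
# followed by an authenticated REGISTER is normal digest-auth behaviour.)
FAILED_STATUSES = {"403"}

# Constructed sample log: epoch-relative timestamps, one REGISTER per line.
SAMPLE_LOG = """\
t=0 src=198.51.100.23 method=REGISTER status=403
t=20 src=198.51.100.23 method=REGISTER status=403
t=40 src=10.0.0.5 method=REGISTER status=403
t=45 src=10.0.0.5 method=REGISTER status=200
t=60 src=198.51.100.23 method=REGISTER status=403
t=80 src=198.51.100.23 method=REGISTER status=403
t=100 src=198.51.100.23 method=REGISTER status=403
t=120 src=198.51.100.23 method=REGISTER status=200
t=200 src=192.0.2.9 method=REGISTER status=403
t=210 src=192.0.2.9 method=REGISTER status=403
t=220 src=192.0.2.9 method=REGISTER status=403
t=230 src=192.0.2.9 method=REGISTER status=403
t=600 src=192.0.2.9 method=REGISTER status=403
t=3800 src=198.51.100.23 method=REGISTER status=200
"""


class RegistrationAnomalyTracker:
    """Sliding-window model of 'registration tracking interval',
    'failed registration threshold' and 'endpoint block interval'."""

    def __init__(self, tracking_interval=300, failed_threshold=5, block_interval=3600):
        self.tracking_interval = tracking_interval
        self.failed_threshold = failed_threshold
        self.block_interval = block_interval
        self.failures = {}       # endpoint -> deque of failure timestamps
        self.blocked_until = {}  # endpoint -> time at which the block expires

    def is_blocked(self, now, endpoint):
        return self.blocked_until.get(endpoint, 0) > now

    def observe(self, now, endpoint, status):
        """Record one REGISTER attempt and return the action taken."""
        if self.is_blocked(now, endpoint):
            return "dropped"          # blocked endpoints get no further service
        if status not in FAILED_STATUSES:
            return "allowed"
        window = self.failures.setdefault(endpoint, deque())
        window.append(now)
        # Age out failures older than the tracking interval.
        while window and window[0] <= now - self.tracking_interval:
            window.popleft()
        if len(window) >= self.failed_threshold:
            self.blocked_until[endpoint] = now + self.block_interval
            window.clear()
            return "blocked"
        return "failed"


def parse_line(line):
    """Parse a constructed 'key=value' log line into (time, source, status)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return int(fields["t"]), fields["src"], fields["status"]


def process_log(text, tracker=None):
    """Feed every log line to the tracker; return [(time, source, action), ...]."""
    if tracker is None:
        tracker = RegistrationAnomalyTracker()
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, status = parse_line(line)
        results.append((t, src, tracker.observe(t, src, status)))
    return results


if __name__ == "__main__":
    for t, src, action in process_log(SAMPLE_LOG):
        print(f"t={t:<5} {src:<15} {action}")
```

In the sample, 198.51.100.23 reaches five failures inside one interval and is blocked at t=100 until t=3700, so its attempt at t=120 is dropped and its attempt at t=3800 is served again; 192.0.2.9 accumulates four failures, but by the time the fifth arrives at t=600 the earlier four have aged out of the 300-second window, so it is never blocked.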