Maximum Sessions per ID
The number of simultaneous sessions that a single client can
be involved with is restricted by this value. The default
number is 5.
Maximum Registration Time
The maximum time for registration with a SIP Registrar. The
default value is 3600 seconds.
SIP Signal Timeout
The maximum time allowed for SIP sessions. The default
value is 43200 seconds.
Data Channel Timeout
The maximum time allowed for periods with no traffic in a
SIP session. A timeout condition occurs if this value is
exceeded. The default value is 120 seconds.
Allow Media Bypass
If this option is enabled then data. such as RTP/RTCP
communication, may take place directly between two clients
without involving the NetDefend Firewall. This would only
happen if the two clients were behind the same interface and
belong to the same network. The default value is Disabled.
The SIP Proxy Record-Route Option
To understand how to set up SIP scenarios with NetDefendOS, it is important to first understand the
SIP proxy Record-Route option. SIP proxies have the Record-Route option either enabled or
disabled. When it is switched on, a proxy is known as a Stateful proxy. When Record-Route is
enabled, a proxy is saying it will be the intermediary for all SIP signalling that takes place between
two clients.
When a SIP session is being set up, the calling client sends an INVITE message to its outbound SIP
proxy server. The SIP proxy relays this message to the remote proxy server responsible for the
called, remote client's contact information. The remote proxy then relays the INVITE message to the
called client. Once the two clients have learnt of each other's IP addresses, they can communicate
directly with each other and remaining SIP messages can bypass the proxies. This facilitates scaling
since proxies are used only for the initial SIP message exchange.
The disadvantage of removing proxies from the session is that NetDefendOS IP rules must be set up
to allow all SIP messages through the NetDefend Firewall, and if the source network of the
messages is not known then a large number of potentially dangerous connections must be allowed
by the IP rule set. This problem does not occur if the local proxy is set up with the Record-Route
option enabled. In this mode, all SIP messages will only come from the proxy.
The different rules required when the Record-Route option is enabled and disabled can be seen in
the two different sets of IP rules listed below in the detailed description of Scenario 1
Protecting local clients - Proxy located on the Internet.
IP Rules for Media Data
When discussing SIP data flows there are two distinct types of exchanges involved:
•
The SIP session which sets up communication between two clients prior to the exchange of
media data.
•
The exchange of the media data itself, for example the coded voice data which constitute a VoIP
phone call.
In the SIP setups described below, IP rules need only be explicitly defined to deal with the first of
the above, the SIP exchanges needed for establishing client-to-client communications. No IP rules
or other objects need to be defined to handle the second of the above, the exchange of media data.
The SIP ALG automatically and invisibly takes care of creating the connections required
6.2.8. The SIP ALG
Chapter 6. Security Mechanisms
272
Summary of Contents for DFL-1600 - Security Appliance
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Page 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...