Note
Clients registering with the proxy on the DMZ will have the IP address of the
DMZ interface as the contact address.
• An Allow rule/policy for outbound traffic from the proxy behind the DMZ interface to the
  remote clients on the Internet.
• An Allow rule/policy for inbound SIP traffic from the SIP proxy behind the DMZ interface
  to the IP address of the NetDefend Firewall. This will have core (in other words,
  NetDefendOS itself) as the destination interface.
  The reason for this is the NAT rule/policy above. When an incoming call is received,
  NetDefendOS automatically locates the local receiver, performs address translation and
  forwards SIP messages to the receiver. This is done based on the SIP ALG's internal
  state.
• An Allow rule/policy for inbound traffic from, for example, the Internet to the proxy
  behind the DMZ.
4. If Record-Route is not enabled at the proxy, direct exchange of SIP messages must also be
   allowed between clients, bypassing the proxy. The following additional rules/policies are
   therefore needed when Record-Route is disabled:
   • A NAT rule/policy for outbound traffic from the clients on the internal network to the
     external clients and proxies on, for example, the Internet. The SIP ALG will take care
     of all address translation needed by the NAT rule. The translation will occur both at
     the IP level and the application level.
   • An Allow rule/policy for inbound SIP traffic from, for example, the Internet to the IP
     address of the DMZ interface. The reason for this is that local clients will be NATed
     using the IP address of the DMZ interface when they register with the proxy located on
     the DMZ.
     This rule/policy has core as the destination interface (in other words, NetDefendOS
     itself). When an incoming call is received, NetDefendOS uses the registration
     information of the local receiver to automatically locate this receiver, perform
     address translation and forward SIP messages to the receiver. This will be done based
     on the internal state of the SIP ALG.
The IP rules/policies needed with Record-Route enabled are:

Name               Action  Src Interface  Src Network  Dest Interface  Dest Network
OutboundToProxy    NAT     lan            lannet       dmz             ip_proxy
OutboundFromProxy  Allow   dmz            ip_proxy     wan             all-nets
InboundFromProxy   Allow   dmz            ip_proxy     core            dmz_ip
InboundToProxy     Allow   wan            all-nets     dmz             ip_proxy
With Record-Route disabled, the following IP rules/policies must be added to those above:

Name                 Action  Src Interface  Src Network  Dest Interface  Dest Network
OutboundBypassProxy  NAT     lan            lannet       wan             all-nets
InboundBypassProxy   Allow   wan            all-nets     core            ipdmz
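As an added example (not NetDefendOS code and not from this manual), the following Python checker models the two rule tables above and reports which of the SIP flows this section requires a rule set leaves uncovered, or covers with the wrong action (an Allow where a NAT is needed, for instance). Rule, interface and network names are taken from the tables; dmz_ip is assumed to be the same address object the second table writes as ipdmz, and matching on the exact interface/network 4-tuple (ignoring rule order and Service) is a simplification of this example.

```python
from collections import namedtuple

# One IP rule as laid out in the tables: (name, action, src_if, src_net, dst_if, dst_net).
IPRule = namedtuple("IPRule", "name action src_if src_net dst_if dst_net")

# Rules from the two tables in this section. "dmz_ip" (the DMZ interface
# address) is assumed to be the object the second table spells "ipdmz".
RECORD_ROUTE_RULES = [
    IPRule("OutboundToProxy",   "NAT",   "lan", "lannet",   "dmz",  "ip_proxy"),
    IPRule("OutboundFromProxy", "Allow", "dmz", "ip_proxy", "wan",  "all-nets"),
    IPRule("InboundFromProxy",  "Allow", "dmz", "ip_proxy", "core", "dmz_ip"),
    IPRule("InboundToProxy",    "Allow", "wan", "all-nets", "dmz",  "ip_proxy"),
]
BYPASS_RULES = [
    IPRule("OutboundBypassProxy", "NAT",   "lan", "lannet",   "wan",  "all-nets"),
    IPRule("InboundBypassProxy",  "Allow", "wan", "all-nets", "core", "dmz_ip"),
]

def required_flows(record_route):
    """SIP flows the text requires, as (action, src_if, src_net, dst_if, dst_net)."""
    flows = [
        ("NAT",   "lan", "lannet",   "dmz",  "ip_proxy"),  # clients register via the proxy
        ("Allow", "dmz", "ip_proxy", "wan",  "all-nets"),  # proxy out to remote clients
        ("Allow", "dmz", "ip_proxy", "core", "dmz_ip"),    # proxy back to NetDefendOS (the ALG)
        ("Allow", "wan", "all-nets", "dmz",  "ip_proxy"),  # Internet in to the proxy
    ]
    if not record_route:  # without Record-Route, clients also exchange SIP directly
        flows += [
            ("NAT",   "lan", "lannet",   "wan",  "all-nets"),
            ("Allow", "wan", "all-nets", "core", "dmz_ip"),  # to the NATed client address
        ]
    return flows

def audit(rules, record_route):
    """Return required flows no rule covers, and flows a rule covers with the wrong action.
    Matching is on the exact interface/network 4-tuple; rule order and Service are ignored."""
    by_flow = {r[2:]: r for r in rules}  # (src_if, src_net, dst_if, dst_net) -> rule
    missing, wrong_action = [], []
    for action, *flow in required_flows(record_route):
        rule = by_flow.get(tuple(flow))
        if rule is None:
            missing.append((action, *flow))
        elif rule.action != action:
            wrong_action.append((rule.name, rule.action, action))
    return {"missing": missing, "wrong_action": wrong_action}

if __name__ == "__main__":
    for rr in (True, False):
        print("Record-Route", "enabled" if rr else "disabled", audit(RECORD_ROUTE_RULES, rr))
```

Running it shows the first table is complete on its own only while Record-Route is enabled; with it disabled the two bypass rules are reported as missing until BYPASS_RULES is appended.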
Chapter 6: Security Mechanisms
477