
SIP Implementation in Internet Gate

The Internet Gate relays SIP traffic and keeps track of which ports should be used for NAT, enabling machines on different sides of the firewall to send and receive media streams just as if there were no firewall at all. It implements the SIP protocol as described in RFC 2543, including:

SIP user registration

For outgoing SIP requests, only a SIP proxy is needed. Incoming SIP requests, however, need a device that keeps track of the local users so that each request can be relayed to the right machine and user. This is particularly important when NAT is used, since no SIP registrar on the outside knows the IP addresses on the internal networks.

The integrated SIP registrar manages user registrations, allowing the SIP module to keep track of where to send incoming session requests. It is also possible to restrict which users are allowed to register and/or from where they can register. You can also monitor which users are currently registered.

The integrated registrar can be the main registrar, or only a passive registrar that monitors and stores information from registrations done at an outside registrar. In both cases, the registrar keeps the information required to locate users inside the firewall.

Each registration has a timeout after which it is removed unless the client extends it.

SIP header rewriting for NAT addresses

The SIP proxy server in the Internet Gate handles the SIP-NAT combination by rewriting the SIP headers so that they carry the right IP addresses. This is possible because it is the firewall itself that provides the NAT addresses.

SIP request relaying

The Internet Gate relays SIP requests for a user through the firewall to the device (computer, telephone, etc.) from which the user has registered. In this way, SIP users behind other interfaces of the firewall can contact the user. If no registration exists for a user, the firewall returns a SIP error message when someone tries to contact that user.

The firewall rules are temporarily changed to let the media streams through. The user can monitor which sessions are currently active.

A SIP session media stream can consist of many different MIME types. The clients agree on which MIME types they both understand and can handle. On top of this, the user can choose which MIME types the firewall should forward. Common MIME types like text/plain and text/html should probably be forwarded, but you can block types that you do not want to allow through. The user can also restrict the number of concurrent media streams per session.

Users can choose whether to process SIP requests in the firewall or forward them to an external, outbound SIP proxy. This is useful if you want the firewall to keep a registry of local users only and to forward (and NAT, if needed) all requests for external users to the external proxy (which in turn probably forwards requests to other proxies).

SIP user authentication

SIP user authentication can be performed with Digest Access Authentication, as used in HTTP. This is an authentication method based on checksums, which means that the required Shared Secret is never sent in the clear. The Digest method used is auth, which works through NAT because the IP addresses in the message headers are not part of the checksum.
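The following is an added example (not code from the Internet Gate product or this help page) showing how a registrar verifies the Digest response on a REGISTER request with qop=auth. The user name, realm, nonce, shared secret and sample header are constructed for the example; the checksum covers the method and request-URI but not the Via or Contact addresses, which is why NAT rewriting of those headers leaves it valid.

```python
import hashlib
import hmac
import re

# Constructed values for the example; the registrar holds its own copy of each
# user's shared secret and never receives the secret over the wire.
REALM = "example.invalid"
SHARED_SECRETS = {"alice": "s3cret"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # challenge issued in the 401
CNONCE = "0a4f113b"                            # chosen by the client


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, secret, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest (RFC 2617 style) with qop=auth: HA1 binds user, realm and secret;
    HA2 binds only the method and request-URI, never the IP addresses in
    Via or Contact, so a NAT-rewritten message still verifies."""
    ha1 = md5_hex(f"{user}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a parameter dictionary."""
    body = header.split(" ", 1)[1]
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', body)}


def verify_register(method: str, header: str, expected_nonce: str) -> bool:
    """Registrar-side check: nonce must match the challenge we issued, the
    qop must be auth, and the response must equal our own computation."""
    p = parse_authorization(header)
    if p.get("nonce") != expected_nonce or p.get("qop") != "auth":
        return False
    secret = SHARED_SECRETS.get(p.get("username", ""))
    if secret is None:
        return False
    expected = digest_response(p["username"], p["realm"], secret, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed REGISTER Authorization header, as a client would send it.
SAMPLE_RESPONSE = digest_response("alice", REALM, "s3cret", "REGISTER",
                                  f"sip:{REALM}", NONCE, "00000001", CNONCE)
SAMPLE_HEADER = (f'Digest username="alice", realm="{REALM}", nonce="{NONCE}", '
                 f'uri="sip:{REALM}", qop=auth, nc=00000001, cnonce="{CNONCE}", '
                 f'response="{SAMPLE_RESPONSE}", algorithm=MD5')
```

A replayed header fails once the registrar issues a fresh nonce, and a header copied onto a different method (for example INVITE) fails because the method is hashed into HA2.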

More information:

Incoming SIP Requests
Outbound SIP Requests