D-Link DFL-260E User Manual for DFL-260E - Page 294
6.2.8. The SIP ALG                                              Chapter 6. Security Mechanisms

(continued from the previous page) ... value is 43200 seconds.

Data Channel Timeout     The maximum time allowed for periods with no traffic in a SIP session. A timeout condition occurs if this value is exceeded. The default value is 120 seconds.

Allow Media Bypass       If this option is enabled then data, such as RTP/RTCP communication, may take place directly between two clients without involving the NetDefend Firewall. This would only happen if the two clients were behind the same interface and belong to the same network. The default value is Disabled.

The SIP Proxy Record-Route Option

To understand how to set up SIP scenarios with NetDefendOS, it is important to first understand the SIP proxy Record-Route option.

SIP proxies have the Record-Route option either enabled or disabled. When it is switched on, the manual refers to the proxy as a Stateful proxy (strictly, RFC 3261 uses "stateful" for transaction state; what Record-Route does is keep the proxy in the signalling path of the dialog). When Record-Route is enabled, a proxy is saying it will be the intermediary for all SIP signalling that takes place between two clients.

When a SIP session is being set up, the calling client sends an INVITE message to its outbound SIP proxy server. The SIP proxy relays this message to the remote proxy server responsible for the called, remote client's contact information. The remote proxy then relays the INVITE message to the called client.

Once the two clients have learnt of each other's IP addresses (from the Contact headers carried in the INVITE and its response), they can communicate directly with each other and the remaining SIP messages can bypass the proxies. This facilitates scaling since proxies are used only for the initial SIP message exchange.

The disadvantage of removing proxies from the session is that NetDefendOS IP rules must be set up to allow all SIP messages through the NetDefend Firewall, and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set.

This problem does not occur if the local proxy is set up with the Record-Route option enabled. In this mode, all SIP messages will only come from the proxy, so the IP rules can be restricted to the proxy's address.

The different rules required when the Record-Route option is enabled and disabled can be seen in the two different sets of IP rules listed below in the detailed description of Scenario 1 Protecting local clients - Proxy located on the Internet.

IP Rules for Media Data

When discussing SIP data flows there are two distinct types of exchanges involved:

• The SIP session which sets up communication between two clients prior to the exchange of media data.

• The exchange of the media data itself, for example the coded voice data which constitutes a VoIP phone call.

In the SIP setups described below, IP rules need only be explicitly defined to deal with the first of the above, the SIP exchanges needed for establishing client-to-client communications. No IP rules or other objects need to be defined to handle the second of the above, the exchange of media data. The SIP ALG automatically and invisibly takes care of creating the connections required (sometimes described as SIP pinholes) for allowing the media data traffic to flow through the NetDefend Firewall.

Tip
Make sure there are no preceding rules already in the IP rule set disallowing or allowing the same kind of traffic.
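The two points above, the signalling path with and without Record-Route and the media pinholes the ALG derives from the SDP, worked through on a constructed INVITE / 200 OK exchange. This is an added example and not NetDefendOS code or part of the manual: the hostnames (proxy.example.com), addresses (192.168.1.10, 203.0.113.20), ports, and the simplified proxy, callee and ALG behaviour are assumptions for illustration, and the pinhole model is a simplification of whatever the SIP ALG actually tracks. The Record-Route and Route-set handling follows RFC 3261 (sections 12.1 and 16.6); the a=rtcp attribute follows RFC 3605.

```python
"""SIP Record-Route and ALG pinholes on a constructed INVITE / 200 OK exchange.
Added example; hosts, addresses and ports are made up for illustration."""
import re

# Constructed caller INVITE with its SDP offer (not captured traffic).
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@example.com>;tag=a1\r\nTo: <sip:bob@example.com>\r\n"
    "Call-ID: c1@192.168.1.10\r\nCSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.10:5060>\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
    "c=IN IP4 192.168.1.10\r\nt=0 0\r\nm=audio 4000 RTP/AVP 0\r\n"
)
# Constructed SDP answer from the callee; a=rtcp (RFC 3605) moves RTCP off port+1.
ANSWER_SDP = (
    "v=0\r\no=bob 1 1 IN IP4 203.0.113.20\r\ns=-\r\n"
    "c=IN IP4 203.0.113.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 0\r\na=rtcp:6005\r\n"
)

def parse_sip(msg):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
    return start, headers, body

def build_sip(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body

def values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

def uri_host(uri):
    """Host of a SIP URI such as <sip:bob@203.0.113.20:5060> or <sip:proxy;lr>."""
    return re.search(r"sips?:(?:[^@>;]*@)?([^;>:]+)", uri).group(1)

def proxy_forward(request, proxy_host, record_route):
    """Proxy forwarding (RFC 3261 16.6): add a Via and, only when Record-Route is
    enabled, a Record-Route header so both parties keep routing through the proxy."""
    start, headers, body = parse_sip(request)
    added = [("Via", f"SIP/2.0/UDP {proxy_host}:5060;branch=z9hG4bK-p1")]
    if record_route:
        added.append(("Record-Route", f"<sip:{proxy_host};lr>"))
    return build_sip(start, added + headers, body)

def uas_answer(request, contact_host, sdp):
    """Callee's 200 OK: Record-Route values are copied from the request unchanged,
    Contact tells the caller where the callee can be reached directly."""
    _, req_headers, _ = parse_sip(request)
    keep = ("via", "from", "to", "call-id", "cseq", "record-route")
    headers = [(n, v + ";tag=b1" if n.lower() == "to" else v) for n, v in req_headers if n.lower() in keep]
    headers += [("Contact", f"<sip:bob@{contact_host}:5060>"), ("Content-Type", "application/sdp")]
    return build_sip("SIP/2.0 200 OK", headers, sdp)

def route_set(response, side):
    """Route set kept for the dialog (RFC 3261 12.1): the caller reverses the Record-Route
    values from the 2xx, the callee keeps the order from the request (copied unchanged above)."""
    rr = values(parse_sip(response)[1], "Record-Route")
    return rr[::-1] if side == "caller" else rr

def signalling_peer(routes, peer_contact):
    """Host an in-dialog request (re-INVITE, BYE) goes to or arrives from: the first
    Route entry when a route set exists (loose routing, ;lr), else the peer's Contact."""
    return uri_host(routes[0] if routes else peer_contact)

def sdp_pinholes(sdp):
    """Media endpoints in an SDP body, one (addr, rtp_port, rtcp_port) per m= line.
    RTCP is port+1 unless a=rtcp: says otherwise; a media-level c= overrides the session c=."""
    session_addr, current, holes = None, None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 ") and current is None:
            session_addr = line.split()[2]
        elif line.startswith("c=IN IP4 "):
            current["addr"] = line.split()[2]
        elif line.startswith("m="):
            if current:
                holes.append(current)
            port = int(line.split()[1])
            current = {"addr": session_addr, "rtp": port, "rtcp": port + 1}
        elif line.startswith("a=rtcp:") and current:
            current["rtcp"] = int(line[len("a=rtcp:"):].split()[0])  # optional address ignored
    if current:
        holes.append(current)
    return [(h["addr"], h["rtp"], h["rtcp"]) for h in holes]

def alg_pinholes(offer_sdp, answer_sdp):
    """Simplified ALG model: pair offer and answer endpoints into the UDP flows
    (RTP and RTCP) that must be opened without any explicit IP rule."""
    flows = []
    for (la, lrtp, lrtcp), (ra, rrtp, rrtcp) in zip(sdp_pinholes(offer_sdp), sdp_pinholes(answer_sdp)):
        flows += [("udp", la, lrtp, ra, rrtp), ("udp", la, lrtcp, ra, rrtcp)]
    return flows

def simulate(record_route):
    """Run the exchange through the proxy and report what a firewall in front of the
    caller (192.168.1.10) sees for later signalling, plus the media pinholes."""
    forwarded = proxy_forward(INVITE, "proxy.example.com", record_route)
    ok = uas_answer(forwarded, "203.0.113.20", ANSWER_SDP)
    callee_contact = values(parse_sip(ok)[1], "Contact")[0]
    return {
        # where the caller's BYE goes, and the source the callee's BYE arrives from
        "caller_sends_to": signalling_peer(route_set(ok, "caller"), callee_contact),
        "caller_receives_from": signalling_peer(route_set(ok, "callee"), callee_contact),
        "media_pinholes": alg_pinholes(parse_sip(INVITE)[2], parse_sip(ok)[2]),
    }
```

Calling simulate(True) reports proxy.example.com as the only signalling peer the firewall sees after call setup, so one IP rule for SIP from the proxy suffices; simulate(False) reports the callee's own address 203.0.113.20, which is not known before the call, so the rule set has to allow SIP from any source. In both cases the media pinholes are the same UDP flows derived from the SDP offer and answer, which is why no explicit rule is needed for them.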