D-Link NetDefend DFL-210 User Manual page 220
Network security firewall
Hide thumbs
Also See for NetDefend DFL-210:
- User manual (495 pages) ,
- Log reference manual (476 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
6.2.7. The SIP ALG
The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The
proxy should be configured with the Record-Route feature enabled to insure all SIP traffic to and
from the office clients will be sent through the SIP Proxy. This is recommended since the attack
surface is minimized by allowing only SIP signalling from the SIP Proxy to enter the local network.
This scenario can be implemented in two ways:
•
Using NAT to hide the network topology.
•
Without NAT so the network topology is exposed.
The setup steps for this scenario are as follows:
1.
Define a SIP ALG object using the options described above.
2.
Define a Service object which is associated with the SIP ALG object. The Service should have:
•
Destination Port set to 5060 (the default SIP signalling port).
•
Type set to TCP/UDP.
3.
Define two rules in the IP rule set:
•
A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy
Server located externally. The SIP ALG will take care of all address translation needed by
the NAT rule. This translation will occur both on the IP level and the application level.
Neither the clients or the proxies need to be aware that the local users are being NATed.
•
An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the D-Link Firewall.
This rule will use core (in other words, NetDefendOS itself) as the destination interface.
The reason for this is due to the NAT rule above. When an incoming call is received,
NetDefendOS will automatically locate the local receiver, perform address translation and
forward SIP messages to the receiver. This will be executed based on the ALGs internal
state.
A SAT rule for translating incoming SIP messages is not needed since the ALG will
automatically redirect incoming SIP requests to the correct internal user. When a SIP client
behind a NATing D-Link Firewall registers with an external SIP proxy, NetDefendOS sends its
own IP address as contact information to the SIP proxy. NetDefendOS registers the client's
Note
SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal
in a setup. For instance the Simple Traversal of UDP through NATs (STUN) technique
should not be used. The NetDefendOS SIP ALG will take care of all NAT traversal
issues in a SIP scenario.
220
Chapter 6. Security Mechanisms
- Quick Links:
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
