The Smoothwall supports a proxy to manage SIP traffic. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. SIP normally operates on port 5060 and is used to set up sessions between two parties. In the case of VoIP, it's a Real-Time Protocol (RTP) session that's set up, and it's the RTP stream that carries voice data. RTP operates on random unprivileged ports, and, as such, isn't NAT friendly. For this reason, the Smoothwall’s SIP proxy also proxies RTP traffic, allowing VoIP products to work correctly and solving some of the problems involved in setting up VoIP behind NAT.
Types
There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering proxy, or registrar, lets SIP clients register so that they can be looked up and contacted by external users. A pass-through proxy merely rewrites the SIP packets so that the correct IP addresses are used and the relevant RTP ports can be opened. Some clients allow users to configure only one SIP proxy, which is invariably the registering proxy. Others allow for two proxies: one to which the client registers, and one that the client uses for access, a pass-through.
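The rewriting a pass-through proxy performs, as an added example (this is not Smoothwall's code). It covers only the Contact header and the SDP body of one INVITE; the sample message, the addresses, the relay port range and the name rewrite_invite are constructed for illustration.

```python
import re

# Constructed sample: an INVITE from a phone on a private LAN.
SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"
INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP)}",
]) + "\r\n\r\n" + SDP

def rewrite_invite(message, external_ip, first_relay_port=20000):
    """Return (rewritten message, {external relay port: (internal ip, port)})."""
    head, body = message.split("\r\n\r\n", 1)
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    if conn is None:
        raise ValueError("SDP body has no IPv4 connection (c=) line")
    internal_ip, relay_map = conn.group(1), {}

    def relay(m):
        # One relay port per media stream; even ports, odd neighbour left for RTCP.
        ext_port = first_relay_port + 2 * len(relay_map)
        relay_map[ext_port] = (internal_ip, int(m.group(2)))
        return f"m={m.group(1)} {ext_port} "

    body = re.sub(r"^m=(\w+) (\d+) ", relay, body, flags=re.M)
    # Origin (o=) and connection (c=) lines must not advertise the private address.
    body = re.sub(r"^([oc]=.*IN IP4 )\S+", rf"\g<1>{external_ip}", body, flags=re.M)
    # Contact is where the far end sends later requests; point it at the proxy.
    head = re.sub(r"^(Contact: <sip:[^@>]+@)[^>]+", rf"\g<1>{external_ip}:5060",
                  head, flags=re.M)
    # The body length changed, so Content-Length has to be recomputed.
    head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body.encode())}",
                  head, flags=re.M)
    return head + "\r\n\r\n" + body, relay_map
```

The returned map is the set of RTP ports the firewall has to relay for this call; anything outside it can stay closed.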
As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode, the proxy is only useful as a pass-through. This mode is useful for those clients that don't support a second proxy within their configuration. If all your clients can be properly configured with a second proxy, you don't need transparent mode. If the proxy is operating in transparent mode, the nontransparent proxy is still available, so you can have a mixture of operation.
Note: If a client is using the proxy when the transparent proxy is turned on, the existing users might fail to use the transparent proxy until the Smoothwall Firewall is rebooted. This is due to the in-built connection tracking of the Smoothwall Firewall’s NAT.
Procedure
- On the SERVICES menu, under the Proxies submenu, click SIP.
- To turn on the SIP proxy service, select the Enabled option.
- From the SIP client internal address and SIP client external address lists, choose the interfaces on which to listen for internal and external connections.
- Choose the Logging level:
  - Normal - Logs just warning and error messages.
  - Detailed - The same as Normal, plus informational messages.
  - Very detailed - The same as Normal, plus debugging messages.
- Choose the Maximum number of clients that can use the proxy.
- From the Diffserv mark for RTP packets list, choose the Diffserv mark to apply to SIP RTP packets. This is useful because RTP traffic is otherwise quite tricky to define, as it might occur on a wide range of ports. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls. The standard mark is BE, which is equivalent to doing nothing. Other marks might be interpreted by upstream networking equipment, such as that at your ISP.
- If you don't want to use the SIP proxy as a registrar but want to allow internal SIP devices to communicate properly with an external registrar, select the Transparent option.
- If you want to log individual calls, select the Log calls option.
- For Exception IPs, enter the hosts that should not be forced to use the transparent SIP proxy. Each entry must be on a new line. You can either list individual IP addresses, or enter a range using a hyphen “-” as the delimiter.
- To implement the SIP proxy, click Save.