SIP-Specific services

These predefined SIP services are available:

Services	Purpose
UDP:sip	Used for SIP over UDP.
TCP:sip-tcp	Used for SIP over TCP.
Other: sip_dynamic_ports	Enables the dynamic opening of ports for SIP signaling.
TCP:sip_tls_authentication	Used for unencrypted SIP over TLS that is authenticated only. NAT is not supported for connections of this type.
TCP:sip_tls_not_inspected	Unsecure way of allowing SIP over TLS to pass without inspection.

These legacy SIP services are available for gateways of version R75.40 and below:

Services	Purpose
UDP:sip_any TCP:sip-tcp_any	Used for gateways of version R75.40 and below, if not enforcing handover. Do not use for R.80.xx (or higher). Do not place a VoIP domain in the source or destination of the rule. Instead, use *() Any or a network object, together with one of these services. If a VoIP domain is used with these services, it is equivalent to the SIP service. For VoIP equipment that uses SIP TCP, use the sip-tcp_any service. For VoIP equipment that uses SIP UDP, use the sip_any** service.

Services

Purpose

UDP:sip_any

TCP:sip-tcp_any

Used for gateways of version R75.40 and below, if not enforcing handover.

Do not use for R.80.xx (or higher).

Do not place a VoIP domain in the source or destination of the rule. Instead, use (*) Any or a network object, together with one of these services. If a VoIP domain is used with these services, it is equivalent to the SIP service.

For VoIP equipment that uses SIP TCP, use the sip-tcp_any service.

For VoIP equipment that uses SIP UDP, use the sip_any service.

Important - These services conflict with one another and cannot be used in the same rule:

sip and sip_any
sip-tcp and sip-tcp_any

Legacy Solution for SIP TLS Support

If you are not able to use the TCP:sip_tls_authentication service, add these two rules instead:

A rule that uses the udp-high-ports service to open all high UDP ports for the entities sending data
AND
A rule that uses the sip_tls_not_inspected service to open TCP port 5061 for the entities sending signaling

This can happen if connections are encrypted by TLS, or NAT must be done on the connections.

Important - Opening all high UDP ports is very insecure. SIP signaling and data is not inspected.

To configure support for SIP TLS in environments where a secure solution is not available:

Define network objects in SmartConsole for the SIP phones.
Define a network object for the SIP proxy.
Configure a rule that opens all high UDP ports and TCP port 5061.

The rule below shows that the phones send data directly to each other, and not through the proxy.

Source	Destination	Service
SIP Proxy SIP Phones	SIP Phones SIP Proxy	TCP: sip_tls_not_inspected
SIP Phones	SIP Phones	UDP: udp-high-ports

Using SIP for UDP or TCP

By default, SIP for uses port 5060. However, SIP phones and SIP proxies can be configured to use a different port. The gateway enforces security on the port specified for SIP.

To configure a new port, a new UDP service must be defined in SmartConsole. You can use the newly defined service and the predefined SIP service in the same Security Rule Base rule.

To configure a new SIP service on Port 5060:

Open SmartConsole.
From the Objects explorer, click More object types > Service.
- For UDP, select New UDP
- For TCP, select New TCP
In the General tab, type the object name.
In Protocol, select:
- For UDP, select SIP_UDP.
- For TCP, select a Protocol.
In Match By, use either the Standard Port (5060).
Click OK.

To configure a new SIP service for a non-default port:

Open SmartConsole.
From the Objects explorer, click More object types > Service.
- For UDP, select New UDP
- For TCP, select New TCP
In the General tab, type the object name.
In Protocol, select:
- For UDP, select SIP_UDP.
- For TCP, select a Protocol.
In Match By, select Customize and add the port number.
Click OK.