VoIP Media Admission Control

Media admission control refers to how a VoIP Server lets one endpoint send media directly to a different endpoint. In earlier VoIP versions, Media Admission Control was known as handover.

To understand VoIP Media Admission Control, it is important to examine a typical flow for establishing a VoIP call.

Endpoint A initiates with endpoint B, using VoIP server C.

When Endpoint A wants to open a VoIP call with Endpoint B:

1. Endpoint A sends control signals to VoIP Server C. The signaling messages include details about the media capabilities of Endpoint A.
2. VoIP Server C sends control signals to Endpoint B.

   The signals are sent directly if it knows its physical location, (as shown in the diagram), or through a different VoIP Server.

3. If Endpoint B accepts the call, and the endpoints agree on the parameters of the media communication, the call is established.

Endpoints send the control signals to their designated VoIP Server, not to each other. The media (voice or video) can be sent through the endpoints designated VoIP servers or directly to each other. For the endpoints to send media directly to each other, each endpoint must first learn the physical location of the other endpoint. Physical location is contained in the control signals the endpoint receives from its designated VoIP Server.

Control signals must pass through the gateway. The gateway allows control signals through only if they are allowed by the Rule Base. According to the information the gateway derives from its inspection of allowed control signals, the gateway dynamically opens pinholes for media connections.

If no limitations are placed on VoIP Media Admission Control, attackers can craft control signals that:

• Open pinholes for unauthorized access
• Cause internal endpoints to send media to IP addresses of their choice
• Eavesdrop, modify, or disrupt communications

Media admission control protection is available for:

• SIP
• H.323
• SCCP
• MGCP

Media Admission Control is configured on each VoIP Server.

Configuring VoIP Media Admission Control

1. Create a Host object for the VoIP Server
2. Create a Host or a Network Object for VoIP endpoints.
3. Create a Group for VoIP endpoints:

   Network Objects > New > Groups > Simple Group.

4. Create a VoIP Domain:

   Network Objects > New > Others > VoIP Domains

   1. Select one of the following:
      • SIP Proxy
      • H.323 Gatekeeper or gateway

      Note - For H.323 Media admission control, you can configure a VoIP Domain H.323 gateway or a VoIP Domain H.323 Gatekeeper. There is no difference between the two types of domain. The routing mode tab on these domains can be safely ignored.

      • MGCP Call Agent
      • SCCP CallManager
   2. In the Related endpoints domain section, select the group you created for the VoIP endpoints.
   3. In the VoIP Gateway installed at section, select the VoIP Server Host you created.
5. In the Rule Base, add the VoIP Domain object to the Source and Destination columns of the VoIP rule.

   Note - VoIP domains disable SecureXL templates. If you are using SecureXL, move rules with VoIP Domains in them to the end of the Rule Base. Enable the related Inspection Settings according to the VoIP protocol:

   • SIP > SIP Media Admission Control
   • H.323 > H.323 Media Admission Control
   • MGCP > MGCP Media Admission Control
   • SCCP > SCCP Media Admission Control