SIP-Specific services

These preconfigured SIP services are available for Security Gateways of version R80.10 or higher.

Service: sip
Port: UDP 5060
Protocol Type: SIP_UDP
Description: This service enforces signal routing. Use a VoIP Domain in the Source or Destination of a rule together with this service. When you use this service, the Security Gateway tracks registration messages and maintains a database of the IP phones and the users. If an incoming call is made to a Hide NATed address, the Security Gateway confirms that the called user exists in the SIP registration database before it lets the call through. This can prevent DoS attacks.

Service: sip_tcp
Port: TCP 5060
Protocol Type: SIP_TCP_PROTO
Description: Used for SIP over TCP.

Service: sip_dynamic_ports
Port: Not set
Protocol Type: Not set
Description: Allows a SIP connection to be opened on a dynamically negotiated port instead of the SIP well-known port.

Service: sip_tls_not_inspected
Port: TCP 5061
Protocol Type: None
Description: Allows SIP over TLS to pass without inspection. Because the Security Gateway does not read the signaling, it cannot open the media ports for each call; you must open them manually.

Service: sip_tls_authentication
Port: TCP 5061
Protocol Type: SIP_TCP_PROTO
Description: SIP over TLS that is used for authentication only, without encryption, so the signaling can still be inspected. NAT is not supported for connections of this type.
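The registration tracking that the sip service performs, modelled in Python as an added example (this is not Check Point code and does not reproduce the gateway's implementation): REGISTER messages populate a database of users, and an INVITE to the Hide NATed address is admitted only if the called user still has a live binding, which is the check that stops unsolicited calls from opening media pinholes. The SDP offer is also parsed for the media port, which shows why a dynamic-port service is needed for the media. The SIP messages are constructed samples, and HIDE_NAT_ADDR, the phone addresses and the user names are assumptions.

```python
import re
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed public address the internal phones are hidden behind (hypothetical).
HIDE_NAT_ADDR = "203.0.113.10"


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, headers (lower-cased names) and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sip_uri_user(header_value: str) -> str:
    """user@host[:port] from a To/From/Contact value like '"Alice" <sip:alice@example.com>;tag=1'."""
    m = re.search(r"sip:([^@>;\s]+@[^>;\s]+)", header_value)
    if not m:
        raise ValueError("no sip: URI in header: " + header_value)
    return m.group(1)


def sdp_media_endpoint(body: str) -> Optional[Tuple[str, int]]:
    """(ip, port) from the SDP c=/m= lines: the dynamic media port the gateway must open."""
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    port = re.search(r"^m=audio (\d+) ", body, re.M)
    return (ip.group(1), int(port.group(1))) if ip and port else None


class SipRegistrar:
    """Tracks REGISTER bindings and screens INVITEs: a call to the hide-NAT
    address is admitted only if the called user has a live registration."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.db: Dict[str, Tuple[str, float]] = {}   # user -> (contact, expires_at)
        self.now = now

    def handle(self, raw: str, dst_ip: str) -> Dict[str, object]:
        start, h, body = parse_sip(raw)
        method = start.split(" ", 1)[0]
        if method == "REGISTER":
            return {"verdict": self._register(h), "pinhole": None}
        if method == "INVITE":
            return self._invite(h, body, dst_ip)
        return {"verdict": "forward", "pinhole": None}

    def _register(self, h: Dict[str, str]) -> str:
        user = sip_uri_user(h["to"])
        expires = int(h.get("expires", "3600"))
        if expires == 0:                      # Expires: 0 removes the binding
            self.db.pop(user, None)
            return "deregistered"
        self.db[user] = (sip_uri_user(h["contact"]), self.now() + expires)
        return "registered"

    def _invite(self, h: Dict[str, str], body: str, dst_ip: str) -> Dict[str, object]:
        reg = self.db.get(sip_uri_user(h["to"]))
        alive = reg is not None and reg[1] > self.now()
        if dst_ip == HIDE_NAT_ADDR and not alive:
            # Nobody behind the hide-NAT address is registered as this user:
            # drop instead of opening media pinholes for an unsolicited call.
            return {"verdict": "drop", "pinhole": None}
        return {"verdict": "accept", "pinhole": sdp_media_endpoint(body)}


# Constructed sample messages (not captured traffic).
REGISTER_ALICE = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=a1\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Expires: 3600\r\nContent-Length: 0\r\n\r\n"
)


def make_invite(callee: str) -> str:
    """INVITE from an external caller with an SDP offer on a dynamic port."""
    sdp = ("v=0\r\no=bob 1 1 IN IP4 198.51.100.7\r\ns=-\r\n"
           "c=IN IP4 198.51.100.7\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
    return (f"INVITE sip:{callee} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK123\r\n"
            "From: <sip:bob@partner.example>;tag=b1\r\n"
            f"To: <sip:{callee}>\r\nContent-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")


if __name__ == "__main__":
    gw = SipRegistrar()
    print(gw.handle(REGISTER_ALICE, HIDE_NAT_ADDR))                      # registered
    print(gw.handle(make_invite("alice@example.com"), HIDE_NAT_ADDR))    # accept + pinhole
    print(gw.handle(make_invite("mallory@example.com"), HIDE_NAT_ADDR))  # drop
```

The pinhole returned for an accepted call is the caller's media endpoint from the INVITE; the callee's endpoint arrives in the 200 OK and would be parsed the same way. Only the RTP port is extracted here; RTCP conventionally uses the next port up.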

These legacy SIP services are used for Security Gateways R75.40 and below, if not enforcing handover. Do not use these services for Security Gateways R80.10 or higher.

Service: sip_any
Purpose: Use sip_any for VoIP equipment that uses SIP over UDP.
Use this service if you do not enforce signal routing. In that case, do not place a VoIP Domain in the Source or Destination of the rule. Instead, use * Any or a Network Object together with this service.
Note - If a VoIP Domain is used with this service, the packet is dropped.
Important - Do not use this service in the same rule as the sip service because they contradict each other.

Service: sip-tcp_any
Purpose: Use sip-tcp_any for VoIP equipment that uses SIP over TCP.
Use this service if you do not enforce signal routing. In that case, do not place a VoIP Domain in the Source or Destination of the rule. Instead, use * Any or a Network Object together with the sip-tcp_any service.
Note - If a VoIP Domain is used with this service, the packet is dropped.
Important - Do not use this service in the same rule as the sip_tcp service because they contradict each other.

Legacy Solution for SIP TLS Support

You cannot use the sip_tls_authentication service if the connections are encrypted by TLS, or if NAT must be done on the connections. In these cases, add these two rules instead:

  • A rule that uses the udp-high-ports service to open all high UDP ports for the entities sending data

    AND

  • A rule that uses the sip_tls_not_inspected service to open TCP port 5061 for the entities sending signaling

Important - SIP signaling and data are not inspected if you open all high UDP ports. The connection is not secured: the Security Gateway does not see the signaling, so it cannot track registrations or open media ports per call.

To configure support for SIP TLS in environments where a secure solution is not available:

  1. Configure Network Objects in SmartConsole for the SIP phones.

  2. Configure a Network Object for the SIP proxy.

  3. Configure rules that open TCP port 5061 for the signaling and all high UDP ports for the data.

The rules below are for a deployment in which the phones send data directly to each other, and not through the proxy.

No | Name | Source | Destination | VPN | Services & Applications | Action | Track
1 | Transmit through proxy | SIP Proxy, SIP Phones | SIP Phones, SIP Proxy | * Any | TCP: sip_tls_not_inspected | Accept | Log
2 | Transmit directly | SIP Phones | SIP Phones | * Any | UDP: udp-high-ports | Accept | Log
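The two legacy rules expressed as Check Point Management API add-access-rule requests, as an added example in Python (this is not Check Point code, and the management server's own API reference is authoritative for the request format). The object names "SIP Proxy" and "SIP Phones", the access layer name "Network", and the CP_MGMT_* environment variables are assumptions; with CP_MGMT_HOST unset the script only prints the request bodies, so it runs offline. The uninspected_rules helper is an addition too: it flags rules whose services carry the "not inspected" caveat above, so the exposure created by this workaround is visible before it is published.

```python
import json
import os
import ssl
import urllib.request
from typing import Any, Dict, List, Optional

LAYER = "Network"                            # assumed name of the access control layer
MGMT_HOST = os.environ.get("CP_MGMT_HOST")   # e.g. "203.0.113.50"; unset -> dry run
# Services from the legacy solution that pass SIP traffic without inspection.
UNINSPECTED = {"udp-high-ports", "sip_tls_not_inspected"}


def access_rule(name: str, sources: List[str], destinations: List[str],
                services: List[str], position: Any = "top") -> Dict[str, Any]:
    """Body of one add-access-rule call; the named objects must already exist."""
    return {
        "layer": LAYER,
        "position": position,
        "name": name,
        "source": sources,
        "destination": destinations,
        "service": services,
        "action": "Accept",
        "track": {"type": "Log"},
    }


def legacy_sip_tls_rules() -> List[Dict[str, Any]]:
    """Rules 1 and 2 of the legacy solution, in the order the table shows them."""
    return [
        access_rule("Transmit through proxy",
                    ["SIP Proxy", "SIP Phones"], ["SIP Phones", "SIP Proxy"],
                    ["sip_tls_not_inspected"], position="top"),
        access_rule("Transmit directly",
                    ["SIP Phones"], ["SIP Phones"],
                    ["udp-high-ports"], position={"below": "Transmit through proxy"}),
    ]


def uninspected_rules(rules: List[Dict[str, Any]]) -> List[str]:
    """Names of rules whose services bypass SIP inspection: everything they
    match crosses the Security Gateway unsecured, so review them explicitly."""
    return [r["name"] for r in rules if UNINSPECTED.intersection(r["service"])]


def api_call(host: str, command: str, payload: Dict[str, Any],
             sid: Optional[str] = None) -> Dict[str, Any]:
    """POST one Management API command to https://<host>/web_api/<command>."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid              # session from a previous login call
    req = urllib.request.Request(f"https://{host}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers)
    # Assumption: the management server certificate is trusted by this host.
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


def install_rules(host: str, user: str, password: str, rules: List[Dict[str, Any]]) -> None:
    """login -> add-access-rule for each rule -> publish -> logout.
    The rules still have to be installed on the gateway with install-policy."""
    sid = api_call(host, "login", {"user": user, "password": password})["sid"]
    try:
        for rule in rules:
            api_call(host, "add-access-rule", rule, sid)
        api_call(host, "publish", {}, sid)       # changes are not saved until published
    finally:
        api_call(host, "logout", {}, sid)


if __name__ == "__main__":
    rules = legacy_sip_tls_rules()
    print("rules passing SIP traffic without inspection:", uninspected_rules(rules))
    if MGMT_HOST:
        install_rules(MGMT_HOST, os.environ["CP_MGMT_USER"], os.environ["CP_MGMT_PASS"], rules)
    else:
        print(json.dumps(rules, indent=2))       # dry run: show the request bodies only
```

Both rules are reported by uninspected_rules, which is the point of the Important note above: the workaround trades inspection for connectivity, and that trade should be recorded where the rules are provisioned.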

Supported SIP Topologies and NAT Support

Below is a list of supported SIP topologies. The table also lists the NAT configurations that you can use with each topology. SIP can use a Proxy (or Registrar). If there is more than one proxy device, signaling passes through one or more of them. After the call is set up, the media can pass from endpoint to endpoint directly, or through one or more of the proxies.

Deployment | Supports No-NAT | Supports NAT for Internal Phones (Hide/Static NAT) | Supports NAT for Proxy (Static NAT)
SIP Endpoint to Endpoint | Yes | Static NAT only | Not applicable
SIP Proxy in External Network | Yes | Yes | Not applicable
SIP Proxy to SIP Proxy | Yes | Yes | Yes
SIP Proxy in DMZ | Yes | Yes | Yes

SIP Endpoint to Endpoint (see Sample SIP Rules for an Endpoint-to-Endpoint Network)

  • Phones communicate directly without a proxy.

  • Static NAT can be configured for the phones on the internal side of the Security Gateway.

SIP Proxy in External Network (see Sample SIP Rules for a Proxy in an External Network)

  • IP phones use the services of a proxy on the external side of the Security Gateway.

  • Enables the use of a proxy that is maintained by another organization.

  • Configure Hide NAT, Static NAT, or no-NAT for the phones on the internal side of the Security Gateway.

SIP Proxy to SIP Proxy (see Sample SIP Rules for a Proxy-to-Proxy Topology)

  • Each proxy controls a separate endpoint domain.

  • Configure Static NAT for the internal proxy.

  • Configure Hide NAT or Static NAT for the internal phones.

SIP Proxy in DMZ (see Sample SIP Rules for a Proxy in DMZ Topology)

  • The same proxy controls both endpoint domains. This makes it possible to provide proxy services to other organizations.

  • Static NAT or no-NAT can be configured for the proxy.

  • Hide NAT, Static NAT, or no-NAT can be configured for the phones on the internal side of the Security Gateway.

For complete information on NAT configuration, see the R81 Security Management Administration Guide.

Below are some exceptions when you use SIP with NAT:

  • NAT is not supported on IP addresses behind an external Check Point Security Gateway interface.

  • Calls cannot be made from an external source to two endpoints on the trusted side of a Security Gateway if only one of the endpoints is NAT enabled.

  • You can use Automatic NAT for other deployments.