Inspecting VoIP Traffic
Introduction
Voice over Internet Protocol (VoIP) is a technology to deliver voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. There are two primary delivery methods: private or on-premises solutions, or externally hosted solutions delivered by third-party providers.
Inspection of VoIP traffic is supported on all Quantum Spark appliances.
To configure VoIP inspection in the WebUI:
- Go to Access Policy > VoIP.
- Click On.
  If VoIP is already configured, you can edit the current configuration.
- For each of the next sections, click the downward arrow to expand it.
- Click the Off-premise SIP Provider Service heading to expand the section, and configure the applicable settings:
  - Select the Use SIP Provider checkbox. The available network objects are shown in a table with a Group name. You can select a single IP address or a range of servers with external IP addresses.
  - To add a new IP address, click New. To remove an IP address, select it and click Remove.
  - Select whether to Log traffic from this provider.
  - Select whether to Disable SIP traffic inspection. When this setting is enabled, the gateway performs no application-level inspection and no NAT of the SIP protocol. When you disable SIP inspection:
    - You must define the RTP ports manually, because the gateway no longer learns the per-call media ports from the SIP signaling.
    - The SIP service timeout is extended (see Advanced Settings - VoIP Extend SIP service timeout). The SIP_UDP service's timeout is set to the default TCP connection timeout.
  - Select Enable bidirectional traffic when the SIP provider is defined. This allows bidirectional traffic with the SIP service provider.
    If the service does not accept replies, bidirectional traffic is not established. A popup window opens and asks if you want to continue.
- Click the On-premise Devices heading to expand the section.
  The network objects appear in a table with a Group name. Click New to add an item. Select an item and click Remove to delete it.
  Configure the applicable settings:
  - Use on-premise phones without SIP server (PBX). When no SIP Server Provider is defined, you do not need to define IP addresses for on-premise phones.
  - Allow access to PBX management portal from the Internet. Leave this cleared unless it is actually required: a PBX management interface reachable from the Internet is a frequent target, so if you must enable it, restrict the source addresses in the generated rule.
- Click the Off-premise Phones heading to expand the section.
  Note - The relevant topology is shown automatically for each selection.
  Select one or more of these options:
  - Phones are connected via VPN Site to Site.
  - Phones are connected by VPN Remote Access.
  - Phones are configured with public IP.
  The network objects appear in a table with a Group name. Click New to add an item. Select an item and click Remove to delete it.
- Click the SIP Service heading to expand the section.
  Select the SIP UDP/TCP ports, which by default are 5060. All phones must be configured to use the configured ports.
  Click New to add a new SIP service. Click Remove to delete a service.
After you apply these settings, rules are automatically created in the Firewall Access Policy page for Outgoing access to the Internet and for Incoming, Internal and VPN traffic. Review the generated rules: they are only as tight as the provider and phone objects you defined.
Notes:
- Forwarding rules are automatically created in the Access Policy > NAT Rules page.
- For external phones with remote access, the Office Object is automatically created in the Network Objects section and the
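The following is an added example, not Check Point code and not taken from this page, to show what SIP application-level inspection does for a call and therefore what you lose when you select Disable SIP traffic inspection. It parses a constructed SIP INVITE (the phone address 192.168.1.20, the gateway external address 203.0.113.10, the dialog identifiers and the media ports are all made-up sample values) to list the UDP ports the gateway must pass for that one call, then performs the hide-NAT rewrite of the signaling that an inspecting gateway does generically; the exact rewrite rules of the Quantum Spark implementation are not described on this page and are not claimed here.

```python
"""Added example (not Check Point code): what SIP application-level inspection
learns from, and changes in, a single call, on a constructed INVITE.

With inspection on, the gateway reads the SDP body to learn the per-call
RTP/RTCP ports and, under hide NAT, rewrites the phone's private address so
the provider can reach it. With inspection off, neither happens: the RTP
range must be opened manually and the phone must handle NAT itself.
"""
import re

PRIVATE_IP = "192.168.1.20"  # assumed on-premise phone address (constructed)
PUBLIC_IP = "203.0.113.10"   # assumed gateway external address (constructed)

# Constructed INVITE from a phone behind the gateway; not captured traffic.
# Content-Length is a placeholder that fix_content_length() corrects.
SAMPLE_INVITE = (
    "INVITE sip:2001@sip.example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:2001@sip.example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    f"Contact: <sip:1001@{PRIVATE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    f"o=1001 2890844526 2890844526 IN IP4 {PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 16388/2 RTP/AVP 96\r\n"
)


def split_message(raw):
    """Split a SIP message into (start line, {header-name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fix_content_length(raw):
    """Recompute Content-Length; a real ALG must do this after any rewrite."""
    head, sep, body = raw.partition("\r\n\r\n")
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + sep + body


def media_pinholes(sdp):
    """(kind, rtp_port, rtcp_port) per SDP m= line; 'port/N' means N pairs."""
    pinholes = []
    for m in re.finditer(r"(?m)^m=(\w+) (\d+)(?:/(\d+))? ", sdp):
        kind, base, count = m.group(1), int(m.group(2)), int(m.group(3) or 1)
        for i in range(count):
            rtp = base + 2 * i          # RTP on even, RTCP on the next odd port
            pinholes.append((kind, rtp, rtp + 1))
    return pinholes


def required_udp_ports(raw):
    """Signaling port from Via plus every RTP/RTCP port the SDP announces.
    With inspection off, a static rule must cover all of these in advance."""
    _, headers, body = split_message(raw)
    sent_by = headers["via"].split(";")[0]
    m = re.search(r":(\d+)$", sent_by)
    ports = {int(m.group(1)) if m else 5060}
    for _, rtp, rtcp in media_pinholes(body):
        ports.update((rtp, rtcp))
    return sorted(ports)


def nat_rewrite(raw, private_ip, public_ip):
    """Hide-NAT rewrite an inspecting gateway performs: Via, Contact and the
    SDP o=/c= lines get the public address. From/To/Call-ID are dialog
    identifiers, not routing information, and are left alone."""
    head, sep, body = raw.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        if re.match(r"(?i)^(Via|Contact):", line):
            line = line.replace(private_ip, public_ip)
        out.append(line)
    body = re.sub(rf"(?m)^([oc]=.*IN IP4 ){re.escape(private_ip)}",
                  rf"\g<1>{public_ip}", body)
    return fix_content_length("\r\n".join(out) + sep + body)


if __name__ == "__main__":
    msg = fix_content_length(SAMPLE_INVITE)
    print("UDP ports this call needs:", required_udp_ports(msg))
    print(nat_rewrite(msg, PRIVATE_IP, PUBLIC_IP))
```

The sample call needs UDP 5060 for signaling plus 16384/16385 for audio and 16388 to 16391 for the two video streams; an inspecting gateway opens exactly those for the lifetime of the call, whereas a manually defined RTP range has to cover whatever the phones or PBX may pick and stays open permanently. The rewrite leaves From, To and Call-ID untouched on purpose: rewriting them would break dialog matching at the provider.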
Follow these configuration procedures to allow SIP traffic to pass through the gateway when:
- The SIP server is located on an external network. For more advanced topologies, refer to sk113573.
- The gateway's NAT configuration is at its default settings (internal networks hidden behind the gateway's external IP address).
Configuration
To allow the SIP server to connect to internal phones from the Internet:
- Go to Access Policy > Policy.
- Add a rule to the Incoming, Internal and VPN traffic Rule Base that allows SIP traffic:
For more information, see Working with the Firewall Access Policy.