VoIP
SonicOS Enhanced 4.0 Administrator Guide
Configuring SIP Settings
By default, SIP clients use their private IP address in the SIP Session Definition Protocol (SDP)
messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side
of the SonicWALL security appliance and SIP clients are on the private (LAN) side behind the
firewall, the SDP messages are not translated and the SIP proxy cannot reach the SIP clients.
Selecting Enable SIP Transformations transforms SIP messages between LAN (trusted) and
WAN/DMZ (untrusted). You need to check this setting when you want the SonicWALL security
appliance to do the SIP transformation. If your SIP proxy is located on the public (WAN) side
of the SonicWALL and SIP clients are on the LAN side, the SIP clients by default embed/use
their private IP address in the SIP/Session Definition Protocol (SDP) messages that are sent to
the SIP proxy, hence these messages are not changed and the SIP proxy does not know how
to get back to the client behind the SonicWALL. Selecting Enable SIP Transformations
enables the SonicWALL to go through each SIP message and change the private IP address
and assigned port. Enable SIP Transformations also controls and opens up the RTP/RTCP
ports that need to be opened for the SIP session calls to happen. NAT translates Layer 3
addresses but not the Layer 7 SIP/SDP addresses, which is why you need to select Enable SIP
Transformations to transform the SIP messages.
Tip: In general, you should check the Enable SIP Transformations box unless there is another
NAT traversal solution that requires this feature to be turned off. SIP Transformations works
in bi-directional mode, meaning messages are transformed going from LAN to WAN and
vice versa.
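The following is an added illustration, not SonicWALL code and not part of the original guide. It shows which SIP and SDP fields still carry the private address after Layer 3 NAT, and what a Layer 7 rewrite has to change. The INVITE, the public address 203.0.113.5 and the port mapping are constructed for the example.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b(?::(\d+))?")

def is_private(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:  # dotted quad that is not a valid address
        return False

def private_addrs(msg):
    """Private IPv4 addresses still embedded in a SIP/SDP message."""
    return sorted({m.group(1) for m in IPV4.finditer(msg)
                   if is_private(m.group(1))})

def transform(msg, public_ip, port_map):
    """Rewrite private address[:port] at Layer 7 and fix Content-Length.
    port_map (assumed) maps each private port to the port NAT assigned."""
    def swap(m):
        ip, port = m.group(1), m.group(2)
        if not is_private(ip):
            return m.group(0)
        return public_ip + (":%s" % port_map.get(int(port), port) if port else "")
    head, body = msg.split("\r\n\r\n", 1)
    head, body = IPV4.sub(swap, head), IPV4.sub(swap, body)
    # RTP port is on the SDP m= line; Content-Length must then be recomputed.
    body = re.sub(r"(?m)^(m=\w+ )(\d+)", lambda m: m.group(1)
                  + str(port_map.get(int(m.group(2)), m.group(2))), body)
    head = re.sub(r"(?mi)^Content-Length:[^\r\n]*",
                  "Content-Length: %d" % len(body.encode()), head)
    return head + "\r\n\r\n" + body

# Constructed sample: INVITE from a LAN phone after Layer 3 NAT only.
SDP = "\r\n".join([
    "v=0", "o=alice 2890844526 2890844526 IN IP4 192.168.1.50", "s=-",
    "c=IN IP4 192.168.1.50", "t=0 0", "m=audio 49170 RTP/AVP 0", ""])
INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>", "Call-ID: a84b4c76e66710", "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.50:5060>", "Content-Type: application/sdp",
    "Content-Length: %d" % len(SDP), "", SDP])

if __name__ == "__main__":
    print(transform(INVITE, "203.0.113.5", {5060: 40001, 49170: 40002}))
```

Running `private_addrs` over captured signaling on the WAN side is a quick check for whether transformation is actually being applied.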
Selecting Permit non-SIP packets on signaling port enables applications such as Apple
iChat and MSN Messenger, which use the SIP signaling port for additional proprietary
messages. Enabling this checkbox may open your network to malicious attacks caused by
malformed or invalid SIP traffic. This checkbox is disabled by default.
The Enable SIP Back-to-Back User Agent (B2BUA) support setting should be enabled when
the SonicWALL security appliance can see both legs of a voice call (for example, when a phone
on the LAN calls another phone on the LAN). This setting should only be enabled when the SIP
Proxy Server is being used as a B2BUA.
Tip: If there is no possibility of the SonicWALL security appliance seeing both legs of voice
calls (for example, when calls will only be made to and received from phones on the WAN),
the Enable SIP Back-to-Back User Agent (B2BUA) support setting should be disabled to
avoid unnecessary CPU usage.
SIP Signaling inactivity time out (seconds) and SIP Media inactivity time out (seconds)
define the amount of time a call can be idle (no traffic exchanged) before the SonicWALL
security appliance denies further traffic. A call goes idle when placed on hold. The default time
value for SIP Signaling inactivity time out is 1800 seconds (30 minutes). The default time
value for SIP Media inactivity time out is 120 seconds (2 minutes).