Configuration Aid To Ingate Firewall/SIParator - Using Your Own SIP Domain
Lisa Hallingström
Paul Donald
Table of Contents

Managing Your Own SIP Domain
Configuring the Ingate Firewall/SIParator
Configuring the PBX
Configuring the DNS Server
Configuring the SIP Clients
Ingate Firewall/SIParator version: 4.6.2
Document version: 1.1

Managing Your Own SIP Domain

If you want to use your own SIP domain, there are some things you need to configure in order to make everything work nicely.

The firewall/siparator needs to be configured to handle the SIP domain. If you use a separate PBX/registrar, this must also be configured to handle the SIP domain. The DNS server managing your main domain should be updated with records for the SIP domain. The SIP clients used by users on this domain need to be configured.

Configuring the Ingate Firewall/SIParator

The firewall/siparator needs configuration regardless of whether it is used as registrar or not, although it needs more configuration when used as the registrar for your domain.

Firewall Not Used As Registrar

When the firewall/siparator is not used as the registrar for your domain, it only needs configuration to forward SIP requests to your registrar. This configuration guide assumes that the PBX is located on your LAN.

You can do this by using the Ingate Startup Tool, which can be downloaded from http://www.ingate.com/startup_tool.php. Below you find the configuration that should be made manually if you do not use the Tool.

Go to the Basic page under SIP Services and switch the SIP module on.

Go to the Routing page under SIP Traffic. In the DNS Override For SIP Requests table, add a row where you enter your SIP domain as the Domain, and enter your PBX/registrar IP address and port. You can also select which transport should be used when forwarding SIP requests to the PBX.
If you have remote users behind NAT boxes, you also need to configure Remote SIP Connectivity under SIP Services. Use the built-in STUN server and/or the Remote NAT Traversal. It is recommended to use the Remote NAT Traversal, as it works for more clients and more NAT types.

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.
Firewall Used As Registrar

When you use the firewall/siparator itself as the registrar, there are more settings to be made.

Go to the Basic page under SIP Services and switch the SIP module on.

Go to the Local Registrar page under SIP Traffic and enter the name of your SIP domain in the Local SIP Domains table.

There are two ways of listing your SIP users for this domain: either you enter them in the Local SIP User Database table on the same page, or you use a RADIUS server for keeping the user database.

If you use the Local SIP User Database table, it can look like this:

[Figure: example Local SIP User Database table]
The firewall/siparator should be configured to require authentication for all users trying to register. You do this on the Authentication and Accounting page.

If you use a RADIUS server for the user database, you select this on the Authentication and Accounting page. When you do this, you must also select a network from which the users are allowed to register. If they will register from different networks, you need to select a network group (from the Networks and Computers page) which contains all IP addresses.

If you use a RADIUS server, you also need to configure which server to use on the RADIUS page under Basic Configuration.

You need to select which SIP methods should be authenticated. This is done on the SIP Methods page under SIP Traffic. It is recommended that you only authenticate REGISTER messages for the local domain - the domain that this firewall/siparator handles. If you allow REGISTER messages to other domains to pass through without authentication, users will be able to register to other domains if they need to.

You can also select to use authentication for INVITE requests to other domains. This means that your registered users can call anyone (as they can authenticate), and anyone can call users on your domain, but people from other domains can't use your firewall/siparator to call other domains.

If you have remote users behind NAT boxes, you also need to configure Remote SIP Connectivity under SIP Services. Use the built-in STUN server and/or the Remote NAT Traversal. It is recommended to use the Remote NAT Traversal, as it works for more clients and more NAT types.
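The SIP Methods settings recommended above amount to a small decision rule: challenge REGISTER only when it targets your own domain, challenge INVITE only when it targets somebody else's. The following Python is an added example, not Ingate's code or a description of the firewall's internals; it models that rule over a few constructed SIP requests so the four outcomes discussed in the text (local user registering, user registering elsewhere, outside caller calling in, call placed out through the box) can be checked. The domain example.com and the message contents are assumptions.

```python
"""Model of the guide's recommended SIP authentication policy (added example)."""
import re

# Constructed local SIP domain handled by the firewall/SIParator.
LOCAL_DOMAINS = {"example.com"}

# Host part of a SIP/SIPS URI, e.g. sip:bob@example.com:5060;transport=tcp
_URI_HOST = re.compile(r"sips?:(?:[^@\s<>]+@)?([A-Za-z0-9.-]+)")


def domain_of(uri_or_header):
    """Return the lower-cased host part of the first SIP URI in the string."""
    m = _URI_HOST.search(uri_or_header)
    if not m:
        raise ValueError(f"no SIP URI in {uri_or_header!r}")
    return m.group(1).lower()


def parse_request(raw):
    """Split a raw SIP request into (method, request_uri, headers)."""
    lines = raw.strip("\r\n").splitlines()
    method, request_uri, version = lines[0].split()
    if not version.upper().startswith("SIP/"):
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; a body may follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), request_uri, headers


def needs_auth(method, request_uri, local_domains=LOCAL_DOMAINS):
    """The policy from the guide, keyed on method and Request-URI domain.

    REGISTER is challenged only for a local domain, so users may still
    register with foreign registrars through the box. INVITE is challenged
    only for a foreign domain, so anyone can call local users while only
    users who can authenticate (your own) can place calls out through the
    firewall. Other methods are forwarded unchallenged.
    """
    target = domain_of(request_uri)
    if method == "REGISTER":
        return target in local_domains
    if method == "INVITE":
        return target not in local_domains
    return False


def decide(raw):
    """Return 'challenge' (answer with 401/407) or 'forward' for a raw request."""
    method, request_uri, _headers = parse_request(raw)
    return "challenge" if needs_auth(method, request_uri) else "forward"


# Constructed sample requests covering the four cases discussed in the text.
SAMPLES = {
    "local user registering":
        "REGISTER sip:example.com SIP/2.0\r\nFrom: <sip:alice@example.com>;tag=1\r\n\r\n",
    "user registering with a foreign registrar":
        "REGISTER sip:other.example SIP/2.0\r\nFrom: <sip:alice@other.example>;tag=2\r\n\r\n",
    "outside caller calling a local user":
        "INVITE sip:alice@example.com SIP/2.0\r\nFrom: \"Bob\" <sip:bob@other.example>;tag=3\r\n\r\n",
    "call placed out through the firewall":
        "INVITE sip:carol@other.example SIP/2.0\r\nFrom: <sip:bob@third.example>;tag=4\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:42s} -> {decide(raw)}")
```

The last sample is the relay case the text warns about: an INVITE toward a foreign domain from a caller who is not one of your users. Under the policy it is challenged, and since that caller has no credentials in your user database the call never leaves the box.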
Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

Configuring the PBX

The PBX must be configured to accept registrations for your SIP domain. How you do this depends on the PBX you are using. Some PBXs accept all domains.

Configuring the DNS Server

To make other SIP users find your SIP domain, you need to configure your DNS (or rather, the DNS managing the domain).
One way of doing this is to add an A record for the domain, and point it to the firewall/siparator. With this solution, you need to have a SIP domain that is not used for anything else. An example of a SIP-specific domain would be sip.ingate.com.

If you want to use the same domain for all your communication (like ingate.com), you need to add an SRV record to the DNS server instead, and point it to the firewall/siparator. The SRV record is used specifically by SIP devices. This is an example of an SRV record:

    _sip._udp   SRV 100 0 5060 tess
    _sip._tcp   SRV 100 0 5060 tess
    _sips._tcp  SRV 100 0 5061 tess

This SRV record is entered into the zone file for the SIP domain. It points to the host tess, which is supposed to be a computer under the same domain (tess.ingate.com) - in this case the firewall/siparator. If you don't want to use all transports, you can enter just the lines for the transport you want to allow (like only the TCP line).

Configuring the SIP Clients

SIP clients that can be configured to use a domain name only need to use the DNS which handles the domain. SIP clients that need to be configured with an (additional) IP address should use the IP address of the registrar when located on the LAN, and the outside IP address of the firewall/siparator when located anywhere else.
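The DNS Server section above gives two ways to publish the domain (an A record for a SIP-only domain, or SRV records for a shared one), and the SIP Clients section says a client configured with the domain name finds the box through that DNS. The Python below is an added example, not Ingate's code, of what such a client does: it parses the SRV lines from the guide into an in-memory zone, selects a record by priority and weight as RFC 2782 specifies, and falls back to the domain's A record on the default port when no SRV record exists. The domain example.com, the host name tess under it and the address 192.0.2.10 are constructed assumptions.

```python
"""SIP domain lookup over a constructed zone: SRV first, A record fallback (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def fqdn(name, origin):
    """Qualify a zone-file relative name against the zone origin."""
    return name if name.endswith(".") else f"{name}.{origin}."


def parse_srv_line(line, origin):
    """Parse a zone-file line such as '_sip._tcp SRV 100 0 5060 tess'."""
    name, rtype, prio, weight, port, target = line.split()
    if rtype.upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return fqdn(name, origin), Srv(int(prio), int(weight), int(port), fqdn(target, origin))


# Constructed zone for example.com: the three SRV lines from the guide plus
# the A record for the firewall host. sip.example.com shows the A-record-only
# variant (a domain used for nothing but SIP).
ORIGIN = "example.com"
ZONE_SRV = {}
for _line in (
    "_sip._udp SRV 100 0 5060 tess",
    "_sip._tcp SRV 100 0 5060 tess",
    "_sips._tcp SRV 100 0 5061 tess",
):
    _name, _rec = parse_srv_line(_line, ORIGIN)
    ZONE_SRV.setdefault(_name, []).append(_rec)
ZONE_A = {
    "tess.example.com.": "192.0.2.10",  # the firewall/SIParator (TEST-NET-1 address)
    "sip.example.com.": "192.0.2.10",   # SIP-only domain pointed straight at the box
}


def select_srv(records, rng=random):
    """RFC 2782 selection: lowest priority group, then weighted random pick."""
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    group.sort(key=lambda r: r.weight != 0)  # weight-0 entries are listed first
    total = sum(r.weight for r in group)
    pick = rng.randint(0, total)
    running = 0
    for rec in group:
        running += rec.weight
        if running >= pick:
            return rec
    return group[-1]


def resolve(domain, transport, srv=ZONE_SRV, a=ZONE_A, rng=random):
    """Return (host, ip, port) for a SIP domain and transport, or None.

    transport is 'udp', 'tcp' or 'tls'; 'tls' uses _sips._tcp and port 5061.
    """
    service = "_sips._tcp" if transport == "tls" else f"_sip._{transport}"
    records = srv.get(f"{service}.{domain}.")
    if records:  # SRV published: the client must honour it
        rec = select_srv(records, rng)
        ip = a.get(rec.target)
        return (rec.target, ip, rec.port) if ip else None
    ip = a.get(f"{domain}.")  # no SRV: plain A record on the default port
    if ip:
        return (f"{domain}.", ip, 5061 if transport == "tls" else 5060)
    return None


if __name__ == "__main__":
    for dom, tr in (("example.com", "tcp"), ("example.com", "tls"), ("sip.example.com", "udp")):
        print(dom, tr, "->", resolve(dom, tr))
```

The fallback path is where the "only the TCP line" advice in the text bites: if the shared domain publishes only _sip._tcp, a UDP-only client finds no SRV record and falls through to the A record of the bare domain, which for a domain like ingate.com points at whatever else lives there rather than at the firewall/siparator. Publish the lines for every transport your clients actually use, or give them the TCP transport explicitly.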