
About the SIP ALG

If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323 ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your Firebox or XTM device. An ALG is created in the same way as a proxy policy and offers similar configuration options. These ALGs have been created to work in a NAT environment to maintain security for privately-addressed conferencing equipment behind the Firebox or XTM device. H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You can use both H.323 and SIP ALGs at the same time, if necessary. To determine which ALG you need to add, consult the documentation for your VoIP devices or applications.

VoIP Components

It is important to understand that you usually implement VoIP with either:

Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device and connects to it directly, without a proxy server to route the call. If both peers are behind the Firebox or XTM device, the Firebox or XTM device can route the call traffic correctly.

Hosted connections
Connections hosted by a call management system (PBX). In the SIP standard, two key components of call management are the SIP Registrar and the SIP Proxy. Together, these components manage connections hosted by the call management system.

The WatchGuard SIP ALG opens and closes the ports necessary for SIP to operate. The WatchGuard SIP ALG supports SIP trunks. It can support both the SIP Registrar and the SIP Proxy when they are part of a call management system that is external to the Firebox or XTM device.

It can be difficult to coordinate the many components of a VoIP installation. We recommend that you make sure VoIP connections work successfully before you add an H.323 or SIP ALG. This makes it easier to troubleshoot any problems, because you can tell whether a failure was introduced by the ALG or was already present.

Instant Messaging Support

There are no configuration steps necessary to use instant messaging (IM) with the SIP ALG. We support these types of IM:

Page-based IM
Supported as part of the default SIP protocol (the SIP MESSAGE method).

Session-based IM
Available through our support of MSRP (Messaging Session Relay Protocol) over TCP.

ALG Functions

When you enable a SIP ALG, your Firebox or XTM device:

Automatically responds to VoIP applications and opens the appropriate ports
Makes sure that VoIP connections use standard SIP protocols
Generates log messages for auditing purposes
Supports SIP presence through the SIP PUBLISH method, so that softphone users can see peer status

Many VoIP devices and servers have their own NAT (Network Address Translation) traversal features that open and close ports automatically. The H.323 and SIP ALGs also perform this function. You must disable NAT traversal on your VoIP devices if you configure an H.323 or SIP ALG: with two layers of translation, the addresses in the SIP headers and SDP body no longer match the real source of the signaling and media, and calls connect with no audio or fail to connect at all.

To add the SIP ALG to your Firebox or XTM device configuration, see Add a Proxy Policy to Your Configuration. To change the ALG definition, you can use the New/Edit Proxy Policies dialog box. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can also edit the default rulesets for proxy actions. For more information, see About Proxy Actions.

Policy Tab

SIP-ALG connections are
Specify whether connections are Allowed, Denied, or Denied (send reset), and define who appears in the From and To list (on the Policy tab of the ALG definition). For more information, see Set Access Rules for a Policy.

Use policy-based routing
To use policy-based routing in your ALG definition, see Configure Policy-Based Routing.

You can also configure static NAT or configure server load balancing. For more information, see About Static NAT and Configure Server Load Balancing.

Properties Tab
  
In the Proxy action drop-down list, select whether you want to define an action for a client or server. For information about proxy and ALG actions, see About Proxy Actions. To define logging for a policy, click Logging and Set Logging and Notification Preferences. If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use SIP. For more information, see Block Sites Temporarily with Policy Settings.

If you want to use an idle timeout other than the one set by the Firebox or XTM device, or by the authentication server, see Set a Custom Idle Timeout.

WatchGuard ALGs have predefined rulesets that provide a good balance of security and accessibility for most installations. You can add, delete, or modify rules as necessary. To modify the settings and rulesets for a proxy action:

1. Click the edit icon next to the Proxy action drop-down list.
2. Select a category:
SIP-ALG: General Settings
SIP-ALG: Access Control
SIP-ALG: Denied Codecs
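The following is an added example, not WatchGuard code and not a model of the Firebox or XTM implementation. It shows, in a few dozen lines of Python, the three things the ALG Functions section and the Denied Codecs ruleset above describe: reading the SDP offer in a SIP INVITE to learn which RTP and RTCP ports must be opened, refusing an offer that carries a codec on the denied list, and rewriting the private addresses in the Via, Contact, o= and c= fields to the firewall's public address while keeping Content-Length correct. It also implements the caveat about endpoint NAT traversal: if the SDP already advertises an address that differs from the packet's source, the phone has done its own translation, and the example refuses to translate a second time. The INVITE, the private address 192.168.10.25 and the public address 203.0.113.7 are constructed for the demo; real ALGs also map ports, which is omitted here.

```python
"""Toy SIP ALG: RTP/RTCP pinholes, denied-codec ruleset, NAT rewrite of an INVITE.

Added example for this page. It is not WatchGuard code and does not model the
Firebox/XTM implementation. The message, addresses and codec list are constructed.
"""
import re

PRIVATE_PHONE = "192.168.10.25"   # assumed private address of the IP phone
PUBLIC_IP = "203.0.113.7"         # assumed external address of the firewall

# Constructed INVITE. The phone is NOT doing its own NAT traversal, so every
# address it writes is private; the ALG is expected to rewrite them.
SAMPLE_HEADERS = [
    "INVITE sip:2001@pbx.example.com SIP/2.0",
    f"Via: SIP/2.0/UDP {PRIVATE_PHONE}:5060;branch=z9hG4bK776asdhds",
    "From: <sip:1001@pbx.example.com>;tag=1928301774",
    "To: <sip:2001@pbx.example.com>",
    f"Call-ID: a84b4c76e66710@{PRIVATE_PHONE}",   # opaque, never rewritten
    "CSeq: 314159 INVITE",
    f"Contact: <sip:1001@{PRIVATE_PHONE}:5060>",
    "Content-Type: application/sdp",
]
SAMPLE_SDP = (
    "v=0\r\n"
    f"o=1001 2890844526 2890844526 IN IP4 {PRIVATE_PHONE}\r\n"
    "s=call\r\n"
    f"c=IN IP4 {PRIVATE_PHONE}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 18\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:18 G729/8000\r\n"
    "m=video 0 RTP/AVP 34\r\n"      # port 0: stream disabled, no pinhole
)

CONN_RE = re.compile(r"^c=IN IP4 (\S+)", re.M)


def build_message(headers, body):
    """Join request line/headers and body with a Content-Length in bytes."""
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    headers.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


def parse_sip(msg):
    """Split into (request line, header lines, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def content_length(msg):
    """Declared Content-Length of a message, or None if absent."""
    head = msg.partition("\r\n\r\n")[0]
    m = re.search(r"^Content-Length:\s*(\d+)", head, re.M | re.I)
    return int(m.group(1)) if m else None


def media_pinholes(body):
    """(ip, port) pairs to open: each active m= port plus RTCP on port+1."""
    conn = CONN_RE.search(body)
    if not conn:
        raise ValueError("SDP offer has no c= line")
    holes = []
    for m in re.finditer(r"^m=(\w+) (\d+)(?:/\d+)? (\S+)", body, re.M):
        port = int(m.group(2))
        if port == 0:                       # stream rejected/disabled by the offerer
            continue
        holes += [(conn.group(1), port), (conn.group(1), port + 1)]
    return holes


def offered_codecs(body):
    """Codec names from a=rtpmap lines, upper-cased for comparison."""
    return {m.group(1).upper()
            for m in re.finditer(r"^a=rtpmap:\d+ ([A-Za-z0-9\-]+)/", body, re.M)}


def denied_codecs_hit(body, denied):
    return offered_codecs(body) & {c.upper() for c in denied}


def endpoint_does_own_nat(body, src_ip):
    """True when the SDP address is not the packet source: the phone already translated."""
    conn = CONN_RE.search(body)
    return bool(conn) and conn.group(1) != src_ip


def nat_rewrite(msg, src_ip, public_ip):
    """Rewrite the private address in Via/Contact and o=/c= to the public one."""
    start, headers, body = parse_sip(msg)
    new_headers = []
    for h in headers:
        if h.split(":", 1)[0].strip().lower() in ("via", "contact"):
            h = h.replace(src_ip, public_ip)
        new_headers.append(h)
    new_body = "\r\n".join(
        line.replace(src_ip, public_ip) if line.startswith(("o=", "c=")) else line
        for line in body.split("\r\n"))
    return build_message([start] + new_headers, new_body)


def process_invite(msg, src_ip, public_ip, denied):
    """One ALG decision for an INVITE leaving the private network."""
    _, _, body = parse_sip(msg)
    hit = denied_codecs_hit(body, denied)
    if hit:
        return {"action": "deny", "reason": "denied codec offered: " + ",".join(sorted(hit))}
    if endpoint_does_own_nat(body, src_ip):
        return {"action": "deny",
                "reason": "SDP address differs from packet source; disable NAT traversal on the endpoint"}
    return {"action": "allow", "pinholes": media_pinholes(body),
            "message": nat_rewrite(msg, src_ip, public_ip)}


if __name__ == "__main__":
    invite = build_message(SAMPLE_HEADERS, SAMPLE_SDP)
    print(process_invite(invite, PRIVATE_PHONE, PUBLIC_IP, ["G729"]))
    print(process_invite(invite, PRIVATE_PHONE, PUBLIC_IP, ["G722"])["pinholes"])
```

The deny on a mismatched c= address is the programmatic form of the "disable NAT on your VoIP devices" caveat: a phone that has already learned its public address would otherwise be translated twice, and the media ports the ALG opens would not match where the far end sends RTP.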

  

Advanced Tab

You can use several other options in your ALG definition:

Set an Operating Schedule
Add a Traffic Management Action to a Policy
Set ICMP Error Handling
Apply NAT Rules (both 1-to-1 NAT and dynamic NAT are enabled by default in all policies)
Enable QoS Marking or Prioritization Settings for a Policy
Set the Sticky Connection Duration for a Policy

See Also

About Proxy Policies and ALGs
About the H.323 ALG
