Watchguard Firebox X15 User Manual page 162

Proxy Settings
About the SIP proxy
If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323
proxy policy to open the ports necessary to enable VoIP through your Firebox. These proxy policies have been
created to work in a NAT environment to maintain security for privately-addressed conferencing equipment
behind the Firebox.
H.323 is used commonly on older videoconferencing equipment and voice installations. SIP is a newer
standard that is more common in hosted environments, where only endpoint devices such as phones are
hosted at your business location and a VoIP provider manages the connectivity. You can use both H.323 and
SIP proxy policies at the same time if necessary. To determine which proxy policy you need to add, consult the
documentation for your VoIP devices or applications.
It is important to understand that you usually implement VoIP by using either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device and
connect to each other directly.
Hosted connections
Connections hosted by a call management system (PBX)
In the SIP standard, two key components of call management are the SIP Registrar and the SIP Proxy. Together,
these components provide the functionality of the H.323 Gatekeeper, and work together to manage
connections hosted by the call management system. The WatchGuard SIP proxy and the standard SIP Proxy
are different. The WatchGuard SIP proxy is a transparent proxy that opens and closes ports necessary for SIP
to operate. The WatchGuard SIP proxy can support both the SIP Registrar and the SIP Proxy when used with a
call management system that is external to the Firebox. In this release, we do not support SIP when your call
management system is protected by the Firebox.
Coordinating the many components of a VoIP installation can be difficult. We recommend you make sure
thatVoIP connections work successfully before you try to use the system with the Firebox proxy policies. The
can help you to troubleshoot any problems you have.
Some manufacturers use the TFTP protocol to send periodic updates to the VoIP equipment under
management. If your equipment requires TFTP for updates, make sure you add a TFTP policy to your
Firebox configuration to allow these connections.
When you enable a SIP proxy policy, your Firebox:
Automatically responds to VoIP applications and opens the appropriate ports
Ensures that VoIP connections use standard SIP protocols
Generates log messages for auditing purposes
You can create both incoming and outgoing SIP proxy policies. To create a custom SIP proxy policy, see
a proxy. Then, if you choose, edit the proxy definition as described in
150
Add or Edit a proxy policy.
Firebox X Edge e-Series
Enable