D-Link NetDefend DFL-210 User Manual page 237

6.2.8. The SIP ALG
• The IP address of the SIP proxy must be a globally routable IP address. The NetDefend Firewall
does not support hiding of the proxy on the DMZ.
• The IP address of the DMZ interface must be a globally routable IP address. This address can be
the same address as the one used on the external interface.
The setup steps are as follows:
1. Define a single SIP ALG object using the options described above.
2. Define a Service object which is associated with the SIP ALG object. The service should have:
• Destination Port set to 5060 (the default SIP signalling port)
• Type set to TCP/UDP
3. Define four rules in the IP rule set:
• A NAT rule for outbound traffic from the clients on the internal network to the proxy
located on the DMZ interface. The SIP ALG will take care of all address translation needed
by the NAT rule. This translation will occur both at the IP level and at the application level.
• An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote
clients on the Internet.
• An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the
IP address of the NetDefend Firewall. This rule will have core (in other words,
NetDefendOS itself) as the destination interface.
The reason for this is because of the NAT rule above. When an incoming call is received,
NetDefendOS automatically locates the local receiver, performs address translation and
forwards SIP messages to the receiver. This is done based on the SIP ALG's internal state.
• An Allow rule for inbound traffic from, for example the Internet, to the proxy behind the
DMZ.
4. If Record-Route is not enabled at the proxy, direct exchange of SIP messages must also be
allowed between clients, bypassing the proxy. The following additional rules are therefore
needed when Record-Route is disabled:
• A NAT rule for outbound traffic from the clients on the internal network to the external
clients and proxies on, for example, the Internet. The SIP ALG will take care of all address
translation needed by the NAT rule. The translation will occur both at the IP level and the
application level.
• An Allow rule for inbound SIP traffic from, for example the Internet, to the IP address of
the DMZ interface. The reason for this is because local clients will be NATed using the IP
address of the DMZ interface when they register with the proxy located on the DMZ.
This rule has core as the destination interface (in other words, NetDefendOS itself). When
an incoming call is received, NetDefendOS uses the registration information of the local
receiver to automatically locate this receiver, perform address translation and forward SIP
messages to the receiver. This will be done based on the internal state of the SIP ALG.
The IP rules needed with Record-Route enabled are:
Note
Clients registering with the proxy on the DMZ will have the IP address of the
DMZ interface as the contact address.
237
Chapter 6. Security Mechanisms