D-Link NetDefendOS User Manual page 466

In both the cases of using IP Rule objects or IP Policy objects, the predefined Service object called
sip-udp could be used. However, it is recommended to create a new Service object and the
examples in this section do this.
SIP ALG Options
The following options can be configured for a SIP ALG object:
• Maximum Sessions per ID
The number of simultaneous sessions that a single client can be involved with is restricted by
this value. The default number is 5.
• Maximum Registration Time
The maximum time for registration with a SIP Registrar. The default value is 3600 seconds.
• SIP Signal Timeout
The maximum time allowed for SIP sessions. The default value is 43200 seconds.
• Data Channel Timeout
The maximum time allowed for periods with no traffic in a SIP session. A timeout condition
occurs if this value is exceeded. The default value is 120 seconds.
• Allow TCP data channels
TCP data channels can be used during a SIP session.
• Maximum number of TCP channels per call
If Allow TCP data channels is enabled this option is available to specify the maximum time
number of TCP channels allowed in a SIP session.
• Allow clients to exchange media directly when possible
If this option is enabled then data, such as RTP/RTCP communication, may take place directly
between two clients without involving the NetDefend Firewall. This would only happen if the
two clients were behind the same interface and belong to the same network. The default
value is Disabled.
The SIP Proxy Record-Route Option
To understand how to set up SIP scenarios with NetDefendOS, it is important to first understand
the SIP proxy Record-Route option. SIP proxies have the Record-Route option either enabled or
disabled. When it is switched on, a proxy is known as a Stateful proxy. When Record-Route is
enabled, a proxy is saying it will be the intermediary for all SIP signaling that takes place between
two clients.
When a SIP session is being set up, the calling client sends an INVITE message to its outbound SIP
proxy server. The SIP proxy relays this message to the remote proxy server responsible for the
called, remote client's contact information. The remote proxy then relays the INVITE message to
the called client. Once the two clients have learnt of each other's IP addresses, they can
communicate directly with each other and remaining SIP messages can bypass the proxies. This
facilitates scaling since proxies are used only for the initial SIP message exchange.
The disadvantage of removing proxies from the session is that NetDefendOS IP rules (or IP
policies) must be set up to allow all SIP messages through the NetDefend Firewall, and if the
466
Chapter 6: Security Mechanisms