Security Guidelines For Gxp Deployment - Grandstream Networks GXP21 Series Security Manual

SECURITY GUIDELINES FOR GXP DEPLOYMENT

The GXP is often deployed behind NAT. The network administrator can consider the following security
guidelines for the GXP to work properly and securely.
Turn off SIP ALG on the router
On the customer's router, it's recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG
is common in many routers and is intended to prevent some problems caused by router firewalls by
inspecting VoIP packets and modifying them if necessary. Even though SIP ALG is intended to prevent
issues for VoIP devices, it can be implemented imperfectly and cause problems. In particular, in some
cases SIP ALG modifies SIP packets improperly, which might cause VoIP devices to fail to register or
establish calls.
Use TLS and SRTP for SIP calls
On the GXP, it's recommended to use TLS for SIP transport with "sips" as the SIP URL scheme for SIP
signaling encryption, and to use SRTP for media encryption.
Below are the SIP ports and RTP ports used on the GXP, in case the network administrator needs to
create firewall rules.
➢ Under web UI → Account x → SIP Settings → Basic Settings, the feature "Local SIP Port"
defines the local SIP port used to listen and transmit. The default value when using UDP/TCP as the
SIP transport protocol is 5060 for Account 1, 5062 for Account 2, 5064 for Account 3, 5066 for
Account 4... When using TLS as the SIP transport protocol, the default value is 5061 for Account 1,
5063 for Account 2, 5065 for Account 3, ... The valid range is from 1 to 65535.
➢ Under web UI → Settings → General Settings, the feature "Local RTP Port" defines the local RTP
port used to listen and transmit. The local RTP port ranges from 1024 to 65400 and must be even. It is
the base RTP port for channel 0. When configured, channel 0 will use this port_value for RTP and
port_value+1 for RTCP. Channel 1 will use port_value+2 for RTP, and so on, until the limit is reached,
at which point it is reset to the first port_value. The default value is 5004 for RTP and 5005 for RTCP.
For both the GXP21XX and GXP16XX series, it is possible to select a range for the Local RTP port from 48
to 10000. The default setting is 200.
Note: On the customer's firewall, it's recommended to ensure that the SIP port is opened for the SIP
accounts on the GXP. It's not necessary to use the default port 5060/5062/... on the firewall. Instead,
the network administrator can consider mapping a different port on the firewall to the GXP SIP port 5060
for security purposes.
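
Added example (not part of the Grandstream manual): a small Python helper that derives the minimal set of ports to allow on the firewall from the defaults described above. The function names are hypothetical; it assumes the two-port step between accounts continues past the accounts the manual lists, and that the selectable range counts ports upward from the base RTP port.

```python
RTP_BASE_MIN, RTP_BASE_MAX = 1024, 65400  # "Local RTP Port" limits from the manual
RANGE_MIN, RANGE_MAX = 48, 10000          # selectable RTP port range from the manual


def default_sip_port(account, transport):
    """Default "Local SIP Port": 5060, 5062, ... for UDP/TCP; 5061, 5063, ... for TLS."""
    if account < 1:
        raise ValueError("account numbers start at 1")
    return (5061 if transport.lower() == "tls" else 5060) + 2 * (account - 1)


def _pairs(base, port_range):
    """Validate the settings and return how many RTP/RTCP pairs fit in the range."""
    if not RTP_BASE_MIN <= base <= RTP_BASE_MAX or base % 2:
        raise ValueError("Local RTP Port must be even and within 1024-65400")
    if not RANGE_MIN <= port_range <= RANGE_MAX:
        raise ValueError("RTP port range must be within 48-10000")
    # Assumption: the range counts ports upward from the base, capped at 65535.
    return min(port_range, 65536 - base) // 2


def channel_ports(base, channel, port_range=200):
    """(RTP, RTCP) ports for a channel; wraps to the base port when the range is used up."""
    rtp = base + 2 * (channel % _pairs(base, port_range))
    return rtp, rtp + 1


def firewall_plan(accounts, transport="tls", rtp_base=5004, port_range=200):
    """Minimal port set to allow for one phone: SIP listeners plus the media span."""
    l4 = "udp" if transport.lower() == "udp" else "tcp"  # TLS rides on TCP
    sip = [default_sip_port(n, transport) for n in range(1, accounts + 1)]
    top = rtp_base + 2 * _pairs(rtp_base, port_range) - 1
    return {"sip": (l4, sip), "media": ("udp", rtp_base, top)}


if __name__ == "__main__":
    # Constructed sample: a phone with three TLS accounts and default RTP settings.
    plan = firewall_plan(accounts=3, transport="tls")
    print("SIP  %s %s" % plan["sip"])
    print("RTP/RTCP %s %d-%d" % plan["media"])
```

Allowing only the ports in the returned plan, rather than a broad UDP range, keeps the firewall rule set as narrow as the phone's configuration permits.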
GXP Security Guide | Page 15


This manual is also suitable for:

Gxp16 series