AudioCodes Mediant 4000 SBC User Manual page 570

CHAPTER 25 Routing SBC
If classification based on Proxy Set fails (or classification based on Proxy Set is disabled), the
device proceeds to classification based on the Classification table.
●
●
●
The flowchart below illustrates the classification process:
For security, it is recommended to classify SIP dialogs based on Proxy Set only if
the IP address of the Server-type IP Group is unknown. In other words, if the
Proxy Set associated with the IP Group is configured with an FQDN. In such
cases, the device classifies incoming SIP dialogs to the IP Group based on the
DNS-resolved IP address. If the IP address is known, it is recommended to use a
Classification rule instead (and disable the Classify by Proxy Set feature), where
the rule is configured with not only the IP address, but also with SIP message
characteristics to increase the strictness of the classification process. The reason
for preferring classification based on Proxy Set when the IP address is unknown is
that IP address forgery (commonly known as IP spoofing) is more difficult than
malicious SIP message tampering and therefore, using a Classification rule without
an IP address offers a weaker form of security. When classification is based on
Proxy Set, the Classification table for the specific IP Group is ignored.
If multiple IP Groups are associated with the same Proxy Set, use Classification
rules to classify the incoming dialogs to the IP Groups (do not use the Classify by
Proxy Set feature).
The device saves incoming SIP REGISTER messages in its registration database.
If the REGISTER message is received from a User-type IP Group, the device
sends the message to the configured destination.
- 537 -
Mediant 4000 SBC | User's Manual