Alg Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide
Table 71: SIP Responses (continued)

Class: Global Failure
Response Code-Reason Phrase: 600 Busy everywhere; 606 Not acceptable

Related Documentation

SCCP Support in ScreenOS Devices Overview on page 279
SIP ALG Overview on page 281
SIP Request Methods Supported in ScreenOS Devices on page 282
ALG Overview on page 286
SDP Session Description Overview on page 288

ALG Overview

There are two types of SIP traffic, the signaling and the media stream. SIP signaling traffic
consists of request and response messages between client and server and uses transport
protocols such as User Datagram Protocol (UDP) or Transmission Control Protocol
(TCP). The media stream carries the data (audio data, for example) and uses Application
Layer protocols such as Real-Time Transport Protocol (RTP) over UDP.

Juniper Networks security devices support SIP signaling messages on port 5060. You
can simply create a policy that permits SIP service, and the security device filters SIP
signaling traffic like any other type of traffic, permitting or denying it. The media stream,
however, uses dynamically assigned port numbers that can change several times during
the course of a call. Without fixed ports, it is impossible to create a static policy to control
media traffic. In this case, the security device invokes the SIP ALG. The SIP ALG reads
SIP messages and their SDP content and extracts the port-number information it needs
to dynamically open pinholes and let the media stream traverse the security device.

NOTE: We refer to a pinhole as the limited opening of a port to allow exclusive
traffic.
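
The extraction step described above, as an added Python sketch that is not Juniper or ScreenOS code: it reads the SDP body of a constructed SIP INVITE and lists the address and port each pinhole would be limited to. The names `Pinhole`, `sdp_pinholes` and `SAMPLE_INVITE` are hypothetical, and skipping port-0 (declined) streams and streams with no c= address is an assumption of this sketch, not documented ScreenOS behavior.

```python
# Added illustration: a simplified model of SDP pinhole extraction, not ScreenOS code.
from typing import NamedTuple

class Pinhole(NamedTuple):
    media: str      # media type from the m= line ("audio", "video", ...)
    address: str    # connection address from the governing c= line
    port: int       # transport port from the m= line
    proto: str      # transport profile, e.g. "RTP/AVP"

def sdp_pinholes(sip_message: str) -> list:
    """Return one Pinhole per active media stream announced in the SDP body."""
    head, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    if "application/sdp" not in head.lower():
        return []                          # signaling only: nothing to open
    session_addr = None
    media = []                             # [type, port, proto, media-level address]
    for line in body.splitlines():
        key, _, value = line.partition("=")
        fields = value.split()
        if key == "c" and len(fields) == 3:
            if media:
                media[-1][3] = fields[2]   # media-level c= overrides session-level
            else:
                session_addr = fields[2]
        elif key == "m" and len(fields) >= 3:
            port = fields[1].split("/")[0] # "51372/2" announces a port count
            if port.isdigit():
                media.append([fields[0], int(port), fields[2], None])
    # Port 0 marks a declined stream; a stream without an address is skipped too.
    return [Pinhole(kind, addr or session_addr, port, proto)
            for kind, port, proto, addr in media
            if 0 < port <= 65535 and (addr or session_addr)]

# Constructed sample INVITE (documentation addresses, not captured traffic).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 0 RTP/AVP 31",
    "m=audio 51372/2 RTP/AVP 8",
    "c=IN IP4 192.0.2.20",
])
```

For the sample, `sdp_pinholes(SAMPLE_INVITE)` yields two entries: audio to 192.0.2.10 port 49170 and audio to 192.0.2.20 port 51372; the declined video stream produces none.
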
The SIP ALG monitors SIP transactions and dynamically creates and manages pinholes
based on the information it extracts from these transactions. The Juniper Networks SIP
ALG supports all SIP methods and responses (see "SIP Request Methods Supported in
ScreenOS Devices" on page 282 and "Types of SIP Response Classes Supported in
ScreenOS Devices" on page 284). You can allow SIP transactions to traverse the Juniper
Networks firewall by creating a static policy that permits SIP service. This policy enables
the security device to intercept SIP traffic and do one of the following actions: permit or
deny the traffic or enable the SIP ALG to open pinholes to pass the media stream. The
SIP ALG needs to open pinholes only for the SIP requests and responses that contain

Table 71: SIP Responses (continued), Global Failure: 603 Decline; 604 Does not exist anywhere

Copyright © 2010, Juniper Networks, Inc.
