Pinhole Creation In Screenos Devices Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Pinhole Creation in ScreenOS Devices Overview

Therefore, whenever a media stream uses RTP, the SIP ALG must reserve ports (create pinholes) for both RTP and RTCP traffic. By default, the port number for RTCP is one higher than the RTP port number.

Both pinholes for the RTP and RTCP traffic share the same destination IP address. The IP address comes from the c= field in the SDP session description. Because the c= field can appear in either the session-level or media-level portion of the SDP session description, the parser determines the IP address based on the following rules (in accordance with SDP conventions):

First, the SIP ALG parser checks whether there is a c= field containing an IP address in the media level. If there is one, the parser extracts that IP address, and the SIP ALG uses it to create a pinhole for the media.

If there is no c= field in the media level, the SIP ALG parser extracts the IP address from the c= field in the session level, and the SIP ALG uses it to create a pinhole for the media. If the session description does not contain a c= field in either level, this indicates an error in the protocol stack, and the security device drops the packet and logs the event.

Table 72 on page 289 displays the information the SIP ALG needs to create a pinhole. This information comes from the SDP session description and parameters on the security device:

Table 72: Information for Pinhole Creation

Field | Description
Protocol | UDP.
Source IP | Unknown.
Source port | Unknown.
Destination IP | The parser extracts the destination IP address from the c= field in the media or session level.

Related Documentation
SCCP Support in ScreenOS Devices Overview on page 279
SIP ALG Overview on page 281
ALG Overview on page 286

Copyright © 2010, Juniper Networks, Inc.
Chapter 9: Voice Over Internet Protocol
289
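The decision procedure above, modelled in Python as an added example (this is not Juniper's code and not the ScreenOS SIP ALG implementation): a minimal SDP parser collects the session-level c= address and each m= section, applies the media-level-over-session-level precedence rule, opens an RTP pinhole plus an RTCP pinhole on the next port, and returns a drop-and-log decision when no c= exists at either level. The SDP bodies are constructed samples. The example goes slightly beyond the page's text by honouring an a=rtcp attribute (RFC 3605) for the RTCP port and by skipping m= lines with port 0 or a non-RTP transport; those are assumptions about SDP, not statements about what the ALG does.

```python
"""Toy model of the SIP ALG pinhole decision (added example, not Juniper code).

Parses a minimal SDP body, applies the c= precedence rule (media level wins
over session level), opens an RTP pinhole plus an RTCP pinhole, and
drops-and-logs when no c= field exists at either level.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample SDP bodies (RFC 4566 syntax), not captured traffic.
SDP_SESSION_ONLY = (
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SDP_MEDIA_OVERRIDES = (
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\nc=IN IP4 192.0.2.20\r\n"   # media-level c= wins
    "m=video 51372 RTP/AVP 31\r\na=rtcp:53020\r\n"          # explicit RTCP port (RFC 3605)
)
SDP_NO_CONNECTION = (
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


@dataclass(frozen=True)
class Pinhole:
    protocol: str               # "UDP": RTP and RTCP ride over UDP (Table 72)
    source_ip: Optional[str]    # unknown when the pinhole is created (Table 72)
    source_port: Optional[int]  # unknown when the pinhole is created (Table 72)
    destination_ip: str
    destination_port: int
    kind: str                   # "RTP" or "RTCP"


@dataclass
class Decision:
    pinholes: List[Pinhole]
    dropped: bool
    log: List[str]


def _conn_ip(line: str) -> Optional[str]:
    # c=<nettype> <addrtype> <connection-address>, e.g. "c=IN IP4 192.0.2.10"
    parts = line[2:].split()
    return parts[2] if len(parts) >= 3 else None


def parse_sdp(sdp: str) -> Tuple[Optional[str], List[dict]]:
    """Return the session-level c= address and one dict per m= section."""
    session_ip: Optional[str] = None
    media: List[dict] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt ...>
            f = line[2:].split()
            media.append({"name": f[0], "port": int(f[1]), "proto": f[2],
                          "ip": None, "rtcp": None})
        elif line.startswith("c="):
            if media:
                media[-1]["ip"] = _conn_ip(line)   # media-level c=
            else:
                session_ip = _conn_ip(line)        # session-level c=
        elif line.startswith("a=rtcp:") and media:
            # Assumption beyond the page: RFC 3605 override of the RTP+1 default.
            media[-1]["rtcp"] = int(line[len("a=rtcp:"):].split()[0])
    return session_ip, media


def plan_pinholes(sdp: str) -> Decision:
    """Apply the ALG's rules to every RTP stream in the SDP body."""
    session_ip, media = parse_sdp(sdp)
    pinholes: List[Pinhole] = []
    log: List[str] = []
    for m in media:
        if not m["proto"].startswith("RTP/"):
            log.append(f"skip {m['name']}: transport {m['proto']} is not RTP")
            continue
        if m["port"] == 0:
            log.append(f"skip {m['name']}: port 0 means the stream is rejected")
            continue
        level = "media" if m["ip"] else "session"
        dest_ip = m["ip"] or session_ip
        if dest_ip is None:
            # No c= at either level: protocol-stack error, drop the packet and log it.
            log.append(f"drop: no c= field for {m['name']} at media or session level")
            return Decision([], True, log)
        rtcp_port = m["rtcp"] if m["rtcp"] is not None else m["port"] + 1
        pinholes.append(Pinhole("UDP", None, None, dest_ip, m["port"], "RTP"))
        pinholes.append(Pinhole("UDP", None, None, dest_ip, rtcp_port, "RTCP"))
        log.append(f"open {m['name']}: {dest_ip} udp/{m['port']} (RTP) "
                   f"udp/{rtcp_port} (RTCP), c= taken from {level} level")
    return Decision(pinholes, False, log)


if __name__ == "__main__":
    for label, body in (("session-only", SDP_SESSION_ONLY),
                        ("media-overrides", SDP_MEDIA_OVERRIDES),
                        ("no-connection", SDP_NO_CONNECTION)):
        d = plan_pinholes(body)
        print(label, "DROP" if d.dropped else "OK")
        for entry in d.log:
            print("  ", entry)
```

Running the script shows the three cases side by side: the session-only body opens 49170/49171 towards 192.0.2.10, the second body sends the audio pair to the media-level address 192.0.2.20 while the video stream falls back to the session address, and the body without any c= line produces no pinholes and a single drop entry in the log, which is the event a defender would expect to see on the device.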