Requirements on User Agents
2.6.1 Non NAT-Aware User Agents
2.6.2 STUN/ICE-Aware User Agents
Installation
Windows
Linux
Configuration
Logging In
Port Binding
System Settings
snom technology AG
snom 4S NAT Filter
Security Settings
System Information
Server Log
Trace
Currently Ports
Currently Handled UA
4.10 Memory Statistics
Checklist for Installation
Linux
Overview
The snom 4S NAT Filter enables non-NAT aware devices to operate in private networks. The filter typically operates on a public IP address. Non-NAT aware devices are automatically refreshed; NAT-aware devices that operate behind symmetrical NAT may self-refresh their bindings using the built-in STUN server of the filter.
tomers. Using the scalability feature of the filter, the operation of large networks becomes possible.
• Record specific calls for legal purposes. In many countries, operators must provide the possibility to record certain calls on request.
There are two exceptions to this rule:
• The first exception is a REGISTER request. When a user agent tries to register and needs the support of the filter, the filter will set up a ...
This document shows how the snom 4S filter can be used to solve the problems. Although snom also makes user agents, the snom 4S filter works with most SIP user agents from other companies. The requirements on these user agents are described below.
Typically, the SIP proxy will run on a public IP address where it is possible to deal with all kinds of NAT. Keep-Alive messages may keep the NAT binding open (for example, short registration periods or non-SIP messages).
2.2.4 Media RTP Media is much more problematic than SIP because users are sensitive to delay in a voice conversation. When the delay is too long, the speakers need to be disciplined not to interrupt the other person when starting to speak.
For example, when a user A in Tokyo is registered with an operator in New York and wants to call his colleague B (who is registered to a service provider in Sydney and who is sitting in the same office in a private network), the media would have to flow first from Tokyo via New York then via Sydney and then back to Tokyo. Considering the speed of light, the delay would at least be around one second;...
0>;expires=3600;gruu="sip:denny@snomag.de;gruu=hobiv52b"
Date: Wed, 26 May 2004 16:03:33 GMT
Server: snom proxy (Unix) 2.42.6
Content-Length: 0

SIP/2.0 200 Ok
Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401
From: "denny" <sip:denny@snomag.de>;tag=k9p6fmeg7h
To: "denny"...
To: "Karl Klammer" <sip:cs@snom.com>;tag=996wctfnen
Call-ID: 2605c340c91d-cj4sy7drgp6q@192-168-1-10
CSeq: 2 REGISTER
Contact: <sip:kk@192.168.1.10:5060;line=5zy4hsui>;expires=3600;gruu="sip:kk@snom.com;gruu=5npko91p"
Server: snom proxy (Unix) 2.42.7
Date: Sun, 06 Jun 2004 11:50:22 GMT
P-NAT-Refresh: 15
Content-Length: 0

2.3.3 RTP Relay
When initiating a call, user agents usually include a Session Description Protocol (SDP) attachment that describes where they expect media.
media filter supports the “interactive connectivity establishment” (ICE) method that has been published recently in the IETF. Using this method, user agents may probe several addresses and decide which address they use for communication.
DNS SRV (RFC 2782). That means you need to list the available servers at the DNS level; the user agents must perform DNS SRV lookups and pick one of the servers (possibly using the detection algorithms described below).
In any case, customers are asked to contact their vendor if they have problems or need explanations. As a general remark, snom recommends using NAT-aware user agents to reduce network overhead and support overhead.
Also, please make sure that you have the necessary administrator rights to run Windows services. To start the installation, simply double-click on the installation executable. You will see the Welcome screen of the installation dialog.
To continue the installation, read the text and click the Next button. It will guide you to the license agreement page.
Cancel button. If you agree with the license agreement, the next screen will ask you to enter the license conditions and select the ports of the NAT Filter.
The hostnames are a list of host identifications that identify this installation. Typically, it is the list of DNS FQHN names for the used host. You will receive the license code from the company where you bought the product.
After entering the license information and the port numbers, the InstallShield program will ask you for the installation directory. Typically it proposes a reasonable directory; however, you may change the directory using the Change button in this installation dialog.
After you have entered the necessary information, the last dialog will ask you to start the installation. You will see a progress indication. The installation typically takes only a few seconds.
The last InstallShield dialog offers to start the NAT Filter. If you choose this option, you don’t have to go to the services manager.
To see the NAT Filter service, go to the Control Panel, select Administrative Tools and double-click on Services. You will see the list of services, including the snom 4S NAT Filter. If you select the properties menu entry, you will see the Properties dialog for the NAT Filter.
NAT Filter is started automatically, you can modify the Startup type to manual.
3.2 Linux
After you have downloaded the desired RPM, you may install it either with the graphical front end of your distribution for installing additional software or as root via the command line.
The process is not started automatically after the installation, as it was with the old snom software packages, because RPMs cannot be installed with user interaction. Thus the software is installed with default values for the HTTP and SIP ports. Please first verify that the default values in /etc/syconfig/snom* match your local requirements before you start the process as usual with /etc/init.d/snom* (or rcsnom* under SuSE).
The login creates a session. This session will time out after a certain time (by default, one hour).
4.2 Port Binding
You need to tell the server on what ports it should listen.
For HTTP and HTTPS, you need to know these port numbers when you want to log in. We recommend not using the standard ports. Operating a server on the public internet usually leads to a lot of denial of service attacks on the standard ports.
The log messages written to the log file are not affected by this setting. You should specify a file name, so that the NAT Filter can Save Registrations to File. This file is written each Registration Save Interval (in seconds). It is used when the server is restarted and allows the continuation of the service without waiting for the user agents to reregister.
The Session Timeout is the number of seconds after which the NAT Filter web server deletes the session. If you access the web server after this time, you need to log on again. If you change the password during a session, you do not have to enter the new password for the existing session. If you have bought a certificate, you may upload that certificate from the web page.
Filter, “Tr” means the packet has been sent as message repetition, “Td” means the packet was sent to a UA behind NAT, “Rx” means the packet was received normally, “Rr” means the packet was received as a message repetition.
The Source/Destination indicates the IP address where the packet was sent or received. The Header column contains the abstract. By clicking on the header link, you may see the complete packet.
4.8 Currently Ports
It is important to see which calls are active on the SBC.
This web page shows information about the current memory usage. The primary goal is to identify situations when the process grows more than expected. Usually, the NAT Filter process should not take more than five megabytes.
Checklist for Installation
When snom or one of their partners performs the installation for you, the following information is necessary:
5.1 Linux
• Please provide secure shell login to the system that can be accessed at least from the snom.com host (currently at IP address 217.115.141.99).
• Please tell us for what domains you plan to use the server. Please also tell us where you want to process the requests (which outbound proxy to use for NAT Filter).