Snom 4S NAT Filter Admin Manual

Version 2.09

Summary of Contents for Snom 4S NAT Filter

  • Page 2 © 2004 snom technology Aktiengesellschaft. All Rights Reserved. This document is supplied by snom technology AG for information purposes only to licensed users of the snom 4S NAT filter and is supplied on an “AS IS” basis, that is, without any warranties whatsoever, express or implied.
  • Page 3: Table Of Contents

    STUN/ICE-Aware User Agents; Defining the Maximum Session Time (22); Installation (23); Windows (23); Linux (28); Configuration (31); Logging In (31); Port Binding (31); System Settings (33); 4.3.1 Logging; 4.3.2 Preparing Recovery
  • Page 4 4.3.3 General Outbound Proxy; 4.3.4 Media Ports; 4.3.5 Media Relay; 4.3.6 Controlling Routing; 4.3.7 Multiple 2xx Handling; 4.3.8 Trusted Addresses
  • Page 5: Overview

    Email to the users or authorities. The snom 4S NAT Filter is a session border controller. However, we do not like the term “session border”, because the program neither controls sessions nor sits at the border of a call.
  • Page 6: Applications

    1.1 Applications The filter can be used in the following scenarios: • Corporations. Corporations which operate their infrastructure behind NAT and/or firewalls can talk to the public Internet through the filter.
  • Page 7 The second exception is an SDP attachment. The filter checks whether the user agent needs support (or must be recorded) and in that case adds a local contact to the SDP that can be used for media relay.
  • Page 8 • The third exception occurs when the filter queries a web server for routing information. In this case it sends a provisional response to stop the UAC from repeating the request. These three exceptions make sure that all user agents work behind NAT, no matter what NAT type or how many NAT levels are in use.
  • Page 9: Architecture

    That means the filter does not interfere with applications (instant messaging, presence, weather reports, etc.). There are three exceptions to this rule: • The first exception is a REGISTER request. When a user agent tries
  • Page 10: Nat

    This document shows how the snom 4S filter can be used to solve these problems. Although snom also makes user agents, the snom 4S filter works with most SIP user agents from other vendors. The requirements on these user agents are described below.
  • Page 11: How Does Nat Work

    (port spraying) and therefore implies a certain security risk. 2.2.3 Signalling (SIP) SIP traffic is relatively unproblematic because SIP is typically not as time-critical as media. Usually it is acceptable to route SIP packets over a longer path than media.
  • Page 12: Media Rtp

    In SIP it is legal to send from a port other than the receiving port. When this is done, there is no way of supporting these devices behind NAT.
  • Page 13: Probing Media Paths

    NAT Filter instead of the user agent when they want to deliver a message. The NAT Filter then forwards the message to the user agent over the connection which is kept open with the keep-alive messages.
  • Page 14: Optimizing The Media Path For Symmetrical Nat

    When the NAT Filter sees a message that contains information about sending media (Session Description Protocol, SDP), it opens a local, globally routable port on behalf of the user agent and patches the message so that the destination will send media via this port.
  • Page 15: Filter Behaviour

    Tail of the REGISTER as sent by the user agent:

      Max-Forwards: 70
      Contact: <sip:denny@203.145.183.113:12975;line=lhynyb3y>;q=1.0
      User-Agent: snom200-2.03w
      Supported: gruu
      Expires: 86400
      Content-Length: 0

    The REGISTER as forwarded by the NAT Filter:

      REGISTER sip:snomag.de SIP/2.0
      Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-e8d1feb8138c3d850637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440
      Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401
      From: "denny" <sip:denny@snomag.de>;tag=k9p6fmeg7h
      To: "denny" <sip:denny@snomag.de>
      Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
      CSeq: 14 REGISTER
      Max-Forwards: 69
  • Page 16: Registering With Ua Support

    Tail of the 200 OK from the proxy:

      From: "denny" <sip:denny@snomag.de>;tag=k9p6fmeg7h
      To: "denny" <sip:denny@snomag.de>;tag=epuy85kzm5
      Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
      CSeq: 14 REGISTER
      Contact: <sip:217.115.141.99:5082;ua=c9b140ab598290e5bb491e9c3aaca440>;expires=3600;gruu="sip:denny@snomag.de;gruu=hobiv52b"
      Date: Wed, 26 May 2004 16:03:33 GMT
      Server: snom proxy (Unix) 2.42.6
      Content-Length: 0

    The response as forwarded to the user agent:

      SIP/2.0 200 Ok
      Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401
      From: "denny" <sip:denny@snomag.de>;tag=k9p6fmeg7h
      To: "denny" <sip:denny@snomag.de>;tag=epuy85kzm5
      ...
  • Page 17 A user agent that supports this way of refreshing the bindings includes a "P-NAT-Refresh" header in the REGISTER message:

      REGISTER sip:snom.com SIP/2.0
      Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-fozdn9kbolfw
      From: "Karl Klammer" <sip:kk@snom.com>;tag=9e9mynnnwa
      To: "Karl Klammer" <sip:kk@snom.com>
      Call-ID: 10f2c240790b-cj4sy7drgp6q@192-168-1-10
      CSeq: 2 REGISTER
      Max-Forwards: 70
      Contact: <sip:kk@192.168.1.10:5060;line=5zy4hsui>;q=0.7
      User-Agent: snom200-2.05h
      ...
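The REGISTER handling shown in the traces above, as an added example (this is not snom's code): the filter records the real source port of the user agent in its Via (rport), prepends its own Via carrying an opaque "ua" tag, decrements Max-Forwards, and rewrites the Contact so the registrar stores the filter's public address. How the real filter derives the ua tag and its branch parameter is not documented; the MD5-of-Contact tag and the random branch here are assumptions, as is the sample REGISTER, which is constructed from the manual's trace.

```python
# Added example (not snom's code): how a NAT filter rewrites the REGISTER it
# forwards upstream, reproducing the changes visible in the manual's trace.
# The ua tag derivation (MD5 over the UA's Contact) and the branch generation
# are this example's own assumptions.
import hashlib
import secrets

FILTER_ADDR = ("217.115.141.99", 5082)  # the filter's public address in the manual's trace

# Constructed sample: the REGISTER as the filter receives it from the UA.
SAMPLE_REGISTER = (
    "REGISTER sip:snomag.de SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01\r\n"
    'From: "denny" <sip:denny@snomag.de>;tag=k9p6fmeg7h\r\n'
    'To: "denny" <sip:denny@snomag.de>\r\n'
    "Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113\r\n"
    "CSeq: 14 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "Contact: <sip:denny@203.145.183.113:12975;line=lhynyb3y>;q=1.0\r\n"
    "Expires: 86400\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def ua_tag(contact):
    # Assumption: an opaque identifier for the UA, derived from its own Contact.
    return hashlib.md5(contact.encode()).hexdigest()


def relay_register(raw, src_ip, src_port, filter_addr=FILTER_ADDR):
    """Return the REGISTER the filter forwards, or None if Max-Forwards is exhausted."""
    start, headers, body = parse_sip(raw)
    contact = next((v for n, v in headers if n.lower() == "contact"), "")
    tag = ua_tag(contact)
    new_headers = []
    top_via_done = False
    for name, value in headers:
        lname = name.lower()
        if lname == "via" and not top_via_done:
            top_via_done = True
            # Record where the packet really came from: responses must go back
            # to the NAT binding, not to what the UA wrote into its Via.
            sent_by = value.split()[1].split(";")[0]
            if sent_by.rsplit(":", 1)[0] != src_ip and "received=" not in value:
                value += f";received={src_ip}"
            if "rport=" not in value:
                value += f";rport={src_port}"
            own_via = (f"SIP/2.0/UDP {filter_addr[0]}:{filter_addr[1]}"
                       f";branch=z9hG4bK-{secrets.token_hex(16)};ua={tag}")
            new_headers.append(("Via", own_via))
            new_headers.append(("Via", value))
        elif lname == "max-forwards":
            hops = int(value) - 1
            if hops <= 0:
                return None  # the filter would answer 483 Too Many Hops instead
            new_headers.append((name, str(hops)))
        elif lname == "contact":
            # Point the registrar at the filter; the ua tag lets the filter find
            # the UA's NAT binding when the proxy later sends a request here.
            gt = value.find(">")
            semi = value.find(";", gt) if gt >= 0 else -1
            params = value[semi:] if semi >= 0 else ""
            new_headers.append((name, f"<sip:{filter_addr[0]}:{filter_addr[1]};ua={tag}>{params}"))
        else:
            new_headers.append((name, value))
    return serialize_sip(start, new_headers, body)


if __name__ == "__main__":
    print(relay_register(SAMPLE_REGISTER, "203.145.183.113", 17401))
```

Running the block prints the forwarded request with two Via headers, rport=17401 on the user agent's Via and Max-Forwards 69, matching the trace. Anything that later arrives for the rewritten Contact carries the ua tag, which is what lets the filter map a proxy request back to the NAT binding it keeps alive.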
  • Page 18: Rtp Relay

    2.3.3 RTP Relay When initiating a call, user agents usually include a Session Description Protocol (SDP) attachment that describes where they expect media. If the user agent operates on a public Internet address, there is no need to interfere with this process.
  • Page 19

      ... 19387 19387 IN IP4 217.115.141.99
      s=call
      c=IN IP4 217.115.141.99
      t=0 0
      m=audio 49170 RTP/AVP 0 8 3 18 2 101
      a=rtpmap:0 pcmu/8000
      a=rtpmap:8 pcma/8000
      a=rtpmap:3 gsm/8000
      a=rtpmap:18 g729/8000
      a=rtpmap:2 g726-32/8000
      a=rtpmap:101 telephone-event/8000
      a=fmtp:101 0-15
      a=sendrecv
  • Page 20: Scaling And Redundancy

      a=silenceSupp:off - - - -

    The NAT Filter changes the private address to a globally routable address and inserts the local port. It also inserts a hint that tells the other user agent not to do silence suppression.
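The SDP patching described in the RTP Relay section, as an added example (not snom's code): every accepted m= line gets a relay port allocated on the filter's public address, the c= lines are pointed at the filter, and the silence-suppression hint is inserted so that the far end keeps sending and the relay can learn the user agent's real NAT address. The port range, the allocator and the sample offer (a UA behind NAT announcing its private address) are this example's assumptions.

```python
# Added example (not snom's code): patching an SDP offer so the far end sends
# its media to a relay port on the filter's public address, as the manual
# describes. The port range and the allocator are this example's assumptions.

FILTER_IP = "217.115.141.99"  # the filter's public address in the manual's traces

# Constructed sample: the offer of a UA behind NAT, announcing its private address.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 19387 19387 IN IP4 192.168.1.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 pcmu/8000\r\n"
    "a=rtpmap:8 pcma/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "a=fmtp:101 0-15\r\n"
    "a=sendrecv\r\n"
)


def make_port_allocator(first=40000, last=40010):
    """Hand out even RTP ports from a configured range (assumed behaviour of the
    Media Ports setting); raises when the range is exhausted."""
    ports = iter(range(first, last + 1, 2))

    def allocate():
        try:
            return next(ports)
        except StopIteration:
            raise RuntimeError("no free media relay ports") from None
    return allocate


def relay_sdp(sdp, relay_ip, allocate_port, add_silence_hint=True):
    """Return (patched SDP, mappings). mappings is a list of
    (media type, address the UA announced, port the UA announced, relay port),
    one per accepted m= line; the relay needs it to know where media arriving
    on each relay port has to be forwarded."""
    out, mappings = [], []
    session_addr = None   # address from the session-level c= line
    relayed = False       # True while inside a media section that got a relay port
    in_media = False      # True once the first m= line has been seen
    for line in sdp.split("\r\n"):
        if line.startswith("c="):
            parts = line.split()            # c=IN IP4 <addr>
            if in_media and relayed:
                # media-level c= overrides the session address for that stream
                mtype, _, port, rport = mappings[-1]
                mappings[-1] = (mtype, parts[2], port, rport)
            elif not in_media:
                session_addr = parts[2]
            parts[2] = relay_ip             # the far end must send to the filter
            line = " ".join(parts)
        elif line.startswith("m="):
            in_media = True
            parts = line.split()            # m=<type> <port> <proto> <fmts>
            orig_port = int(parts[1])
            if orig_port == 0:              # rejected stream: nothing to relay
                relayed = False
                out.append(line)
                continue
            relayed = True
            relay_port = allocate_port()
            mappings.append((parts[0][2:], session_addr, orig_port, relay_port))
            parts[1] = str(relay_port)
            out.append(" ".join(parts))
            if add_silence_hint:
                # Without a steady packet flow the relay cannot learn the UA's
                # real NAT address, so ask the far end not to suppress silence.
                out.append("a=silenceSupp:off - - - -")
            continue
        out.append(line)
    return "\r\n".join(out), mappings


if __name__ == "__main__":
    patched, maps = relay_sdp(SAMPLE_SDP, FILTER_IP, make_port_allocator())
    print(patched)
    print(maps)
```

The mapping list is the relay's state: the announced address is only a starting point, because a user agent behind NAT will in fact send from a different public address and port, which is what the Current Ports page's learned and locked addresses are about. Every inserted attribute also makes the message longer, so the same UDP fragmentation caveat the manual raises for the comedia flag applies here.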
  • Page 21: Detecting The Right Nat Filter

    The snom 4S NAT Filter includes a STUN server that operates on the SIP UDP port. User agents should send their test packets to the SIP port.
  • Page 22: Stun/Ice-Aware User Agents

    In any case, customers are asked to contact their vendor in case of problems or for explanations. As a general remark, snom recommends using NAT-aware user agents to reduce the network overhead and the support overhead.
  • Page 23 If the proxy wants to provide information about how long the call can stay up, it should use AOC information. snom can help with implementing this feature in networks on demand.
  • Page 25: Installation

    The Windows version of the NAT Filter comes with an InstallShield application that should make the installation very simple. Before you start the installation, make sure that the necessary ports are available on your machine. Please use the
  • Page 26 netstat command to check which ports are in use on that machine. You can change the ports later; however, you should at least make sure that you can reach the administration web interface of the NAT Filter on an open port.
  • Page 27 The http and https ports are important for you, as they are the only way to administer the NAT Filter. Please select port numbers that suit your needs. The default ports are 80 (http) and 443 (https). If you
  • Page 28 forget the port number, you need to look it up later using the netstat command. After entering the license information and the port numbers, the InstallShield program asks you for the installation directory.
  • Page 29 To see the NAT Filter service, go to the Control Panel, select Administrative Tools and double-click Services. You will see the list of services, including the snom 4S NAT Filter. If you select the Properties menu entry, you will see the Properties dialog for the NAT Filter.
  • Page 30: Linux

    RPM is stored should install the RPM into your system. The process is not started automatically after the installation, as it was with the old snom software packages, because RPMs cannot
  • Page 31 Thus the software is installed with default values for the HTTP and SIP ports. Please verify first that the default values in /etc/sysconfig/snom* match your local requirements before you start the process as usual with /etc/init.d/snom* (or rcsnom* under SuSE).
  • Page 33: Configuration

    The login creates a session. This session will time out after a certain time (by default, one hour). 4.2 Port Binding You need to tell the server on which ports it should listen.
  • Page 34 For http and https, you need to know these port numbers when you want to log in. We recommend not using the standard ports. Operating a server on the public Internet usually leads to a lot of denial-of-service attacks on the standard ports.
  • Page 35: System Settings

    This way you can keep a certain history of log files and remove them from the file system as soon as you think the information contained in them is no longer relevant.
  • Page 36: Preparing Recovery

    The Log Length number indicates how many log entries the NAT Filter should keep in internal memory. The NAT Filter writes log messages on a first-in-first-out basis, so that log messages cannot cause a memory leak.
  • Page 37

    It is much easier to protect only the filter against attacks than your whole SIP network. The third big advantage is that it solves many problems with poor SIP implementations. Typically, immature SIP implementations cannot
  • Page 38: Multiple 2Xx Handling

    deal properly with strict and loose routing, which results in complicated routing problems. The filter takes care of the routing problems; the user agent just has to route the request to the filter, which even the poorest implementations are able to do.
  • Page 39: Maximum Packet Size

    By turning the Add comedia flag feature on, you make the filter add a suitable flag to the SDP to indicate that this behaviour is desired. The disadvantage of this
  • Page 40: Removing Headers

    flag is again that it makes the messages bigger, which increases the probability of problems with UDP fragmentation. 4.3.12 Removing Headers As stated before, you may want to remove some headers to make messages shorter.
  • Page 41 The parameter to_uri is set to the URI in the To header. • The parameter uri is set to the value of the Request-URI. All parameters are URL-encoded according to the rules of the http protocol. A possible request might look like this: http://snom.com/post.htm?action=start&from_uri=sip:abc@snom.com&to_uri=sip:def@snom.com&uri=sip:abc@proxy.snom.com (the escape characters are not shown here for simplicity).
  • Page 42: Timeout Settings

    (usually “sip”) and no angle brackets. Example: uri: sip:1234@route1.snom.com For programming your web server, please consult your web server manual. Samples and advice are available from snom on demand. 4.4 Timeout Settings In contrast to previous versions, the time-related settings have been gathered on this new management web page.
  • Page 43: Register Timeouts

    NAT. This is important for some NAT types, as they do not allow refreshing NAT bindings from the outside. If you turn the flag off, the filter sends short white-space packets to the registered user agent.
  • Page 44: Call Timeouts

    The value directly influences the keep-alive traffic caused by the NAT Filter. The Registration Logging Time is the time after which the backup file is moved to the primary location. See Preparing Recovery above. 4.4.2 Call Timeouts Unfortunately, in SIP little attention has been paid to the problem of a user agent that just disconnects from the network without further...
  • Page 45: Security Settings

    Filter, you may select the https radio button in the Web Access setting. If you do not care, you can leave the setting at http/https. If you want to exclude https access (for example, to save CPU), select http.
  • Page 46 4 S N A T F S N O M I L T E R To restrict the login, you should set a username („admin“ is the default) and a password. You need to enter the password twice, so that typing mistakes do not block your NAT Filter.
  • Page 47: Outbound Proxy List

    This approach is limited to a maximum of ten domains per filter; for more domains you need to use the web server integration mentioned above.
  • Page 48: System Information

    The algorithm for finding the outbound proxy is simple. The filter first goes through the list of outbound proxies and tries to match the hostname in the Request-URI of the request against the provided Domain. If it does not find a match, it takes the outbound proxy from the general settings (if provided).
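The two routing lookups the manual describes, as an added example (not snom's code): the Outbound Proxy List search above, in the documented order (domain match on the Request-URI host, then the general outbound proxy, else nothing), and the web-server integration from Controlling Routing (the action/from_uri/to_uri/uri query, URL-encoded, and the "uri:" line of the reply). The reply format beyond the single "uri: sip:..." line the manual shows, and the sample list and reply, are this example's assumptions.

```python
# Added example (not snom's code): the outbound-proxy list lookup and the
# web-server routing query described in the manual. The response format beyond
# the single "uri: sip:..." line shown in the manual is assumed.
from urllib.parse import urlencode

MAX_PROXY_LIST = 10   # the manual limits the list to ten domains per filter


def sip_host(uri):
    """Host part of a SIP URI such as 'sip:abc@proxy.snom.com:5060;transport=udp'."""
    uri = uri.strip().strip("<>")
    _, _, rest = uri.partition(":")                  # drop the sip:/sips: scheme
    rest = rest.split(";", 1)[0].split("?", 1)[0]    # drop URI parameters and headers
    if "@" in rest:
        rest = rest.rsplit("@", 1)[1]                # drop the user part
    if rest.startswith("["):                         # IPv6 literal
        return rest[1:rest.index("]")].lower()
    return rest.split(":", 1)[0].lower()             # drop the port


def select_outbound_proxy(request_uri, proxy_list, general_proxy=None):
    """proxy_list: [(domain, outbound proxy), ...] as entered on the web page.
    Returns the proxy to send to, or None when the request is routed by its
    own Request-URI because neither the list nor the general setting applies."""
    if len(proxy_list) > MAX_PROXY_LIST:
        raise ValueError("outbound proxy list holds at most %d domains" % MAX_PROXY_LIST)
    host = sip_host(request_uri)
    for domain, proxy in proxy_list:
        if host == domain.lower():
            return proxy
    return general_proxy


def build_routing_query(base_url, from_uri, to_uri, request_uri):
    """The GET the filter issues to the routing web server; urlencode() applies
    the http escaping the manual mentions (':' -> %3A, '@' -> %40)."""
    params = {"action": "start", "from_uri": from_uri, "to_uri": to_uri, "uri": request_uri}
    return base_url + "?" + urlencode(params)


def parse_routing_response(body):
    """Return the URI named in the 'uri:' line of the web server's reply (scheme
    included, no angle brackets), or None if the reply does not route the call.
    Assumption: the reply is a list of 'name: value' lines."""
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "uri":
            value = value.strip().strip("<>")
            if value.startswith(("sip:", "sips:")):
                return value
    return None


if __name__ == "__main__":
    plist = [("snom.com", "proxy.snom.com:5060"), ("snomag.de", "sip.snomag.de")]
    print(select_outbound_proxy("sip:abc@snomag.de", plist, "general.example"))
    print(build_routing_query("http://snom.com/post.htm", "sip:abc@snom.com",
                              "sip:def@snom.com", "sip:abc@proxy.snom.com"))
    print(parse_routing_response("status: ok\r\nuri: sip:1234@route1.snom.com\r\n"))
```

The host comparison is exact and case-insensitive; a Request-URI that carries a port or parameters still matches its domain entry. The routing web server decides where calls go, so it deserves the same protection the manual asks for the filter itself: keep it reachable only from the filter and treat its reply as untrusted input, which is why the parser insists on a sip:/sips: scheme before using the value.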
  • Page 49: Trace

    Filter, “Tr” means the packet was sent as a message repetition, “Td” means the packet was sent to a UA behind NAT, “Rx” means the packet was received normally, “Rr” means the packet was received as a message repetition.
  • Page 50: Call History

    The Source/Destination column indicates the IP address the packet was sent to or received from. The Header column contains the abstract. By clicking on the header link, you can see the complete packet. 4.10 Call History The call history should help you understand what is going on in your system.
  • Page 51: Current Ports

    SDP. If the destination has not been locked, that address is shown in brackets and the list of learned addresses is shown after it. An address is locked when the NAT Filter has received a packet on this port from the location indicated in the SDP.
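The learned/locked state of a relay port, as an added example (not snom's code): a user agent behind NAT announces an address in its SDP that is either private or carries a port the NAT rewrote, so the relay has to learn where its media actually comes from, and only locks onto the announced address once a packet really arrives from there. The class, the choice of the first learned source as forwarding target before locking, and the rendering in describe() are this example's assumptions about the Current Ports page.

```python
# Added example (not snom's code): the learned/locked state of a media relay
# port as the Current Ports page describes it. Class and method names, the
# "first learned source wins" rule and the row rendering are this example's own.

class RelayPort:
    def __init__(self, local_port, sdp_dest):
        self.local_port = local_port   # port the filter opened on its public address
        self.sdp_dest = sdp_dest       # (ip, port) the UA announced in its SDP
        self.locked = False
        self.learned = []              # distinct source addresses seen, in order

    def on_packet(self, src):
        """Record the source of a packet received on this relay port and return
        the address the UA's media is forwarded to from now on."""
        if self.locked:
            return self.sdp_dest       # a locked port ignores new sources
        if src == self.sdp_dest:
            self.locked = True         # the SDP address is real: lock onto it
        elif src not in self.learned:
            self.learned.append(src)
        return self.target()

    def target(self):
        if self.locked:
            return self.sdp_dest
        # Not locked: symmetric RTP assumption, the UA receives where it sends
        # from, so forward to the first learned source; before any packet has
        # arrived the SDP address is all that is known.
        return self.learned[0] if self.learned else self.sdp_dest

    def describe(self):
        """Row as on the Current Ports page: the SDP address in brackets while
        unlocked, followed by the learned addresses."""
        dest = "%s:%d" % self.sdp_dest
        if self.locked:
            return dest
        return ("(%s) " % dest + " ".join("%s:%d" % a for a in self.learned)).rstrip()


if __name__ == "__main__":
    # Constructed sequence: the NAT rewrote the UA's RTP port, then a packet
    # arrives from exactly the announced address and the port locks.
    rp = RelayPort(40000, ("203.145.183.113", 49170))
    for src in [("203.145.183.113", 31001), ("203.145.183.113", 49170)]:
        print(rp.on_packet(src), rp.describe())
```

Until a port is locked it forwards to whatever source it learned first, which is the classic exposure of any latching media relay: an attacker who can send a packet to the relay port before the legitimate party can receive that party's media. Limiting the learning phase to the first seconds after the SDP was seen, and refusing to learn from addresses that cannot plausibly be the UA, narrows that window.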
  • Page 52: Currently Handled Ua

    4.12 Currently Handled UA This table shows the currently handled UAs with their SIP URI and their associated IP address. The third column shows the SIP request type that this binding is using.
  • Page 53: Checklist For Installation

    Checklist for Installation When snom or one of its partners performs the installation for you, the following information is necessary: 5.1 Linux • Please provide secure shell login to the system that can be accessed at least from the snom.com host (currently at IP address 217.115.141.99).
  • Page 54 4 S N A T F S N O M I L T E R tion tool. • Please tell us the login address (host and port), user name and password. We need administrative rights on that host. • Please tell us for what domains you plan to use the server. Please also tell us where you want to process the requests (which outbound proxy to use for NAT Filter).
  • Page 56 Aktiengesellschaft Pascalstr. 10B, 10587 Berlin, Germany Phone: +49 (30) 39833-0 mailto:info@snom.com http://www.snom.com sip:info@snom.com © 2004 snom technology AG All rights reserved.
