STUN/ICE-Aware User Agents
Defining the Maximum Session Time 22
Installation 23
Windows 23
Linux 28
Configuration 31
Logging In 31
Port Binding 31
System Settings 33
4.3.1 Logging
4.3.2 Preparing Recovery
4.3.3 General Outbound Proxy
4.3.4 Media Ports
4.3.5 Media Relay
4.3.6 Controlling Routing
4.3.7 Multiple 2xx Handling
4.3.8 Trusted Addresses
Email to the users or authorities. The snom 4S NAT Filter is a session border controller. However, we do not like the term “session border”, because the program does not control sessions, nor is it on the border of a call.
1.1 Applications
The filter can be used in the following scenarios:
• Corporations. Corporations which operate their infrastructure behind NAT and/or firewalls can talk to the public Internet through the filter.
The second exception is an SDP attachment. The filter checks whether the user agent needs support (or must be recorded) and in that case adds a local contact to the SDP that can be used for media relay.
• The third exception occurs when the filter queries a web server for routing information. In this case, it sends a provisional response to stop the UAC from repeating messages. These three exceptions make sure that all user agents work behind NAT, no matter what NAT type or how many NAT levels are being used.
That means the filter will not interfere with applications (instant messaging, presence, weather report, etc.). There are three exceptions to this rule:
• The first exception is a REGISTER request. When a user agent tries
This document shows how the snom 4S filter can be used to solve the problems. Although snom also makes user agents, the snom 4S filter works with most SIP user agents from other companies. The requirements on these user agents are described below.
(port spraying) and therefore implies a certain security risk.

2.2.3 Signalling SIP
SIP traffic is relatively unproblematic because SIP typically is not as time critical as media. Usually, it is OK to route SIP packets through a longer path than media.
In SIP it is legal to send from a different port than the receiving port. When this is done, there is no way of supporting these devices behind NAT.
NAT Filter instead of the user agent when they want to deliver a message. The NAT Filter then forwards the message to the user agent using the connection that is kept open with the keep-alive messages.
When the NAT Filter sees a message that contains information about sending media (Session Description Protocol, SDP), it opens a local, globally routable port on behalf of the user agent and patches these messages so that the destination sends media via this port.
A user agent that supports this way of refreshing the bindings includes a “P-NAT-Refresh” header in the REGISTER message:

REGISTER sip:snom.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-fozdn9kbolfw
From: “Karl Klammer” <sip:kk@snom.com>;tag=9e9mynnnwa
To: “Karl Klammer” <sip:kk@snom.com>
Call-ID: 10f2c240790b-cj4sy7drgp6q@192-168-1-10
CSeq: 2 REGISTER
Max-Forwards: 70
Contact: <sip:kk@192.168.1.10:5060;line=5zy4hsui>;q=0.7
User-Agent: snom200-2.05h...
2.3.3 RTP Relay
When initiating a call, user agents usually include a Session Description Protocol (SDP) attachment that describes where they expect media. If the user agent operates on a public Internet address, there is no need to interfere in this process.
a=silenceSupp:off - - - -

The NAT Filter changes the private address to a globally routable address and inserts the local port. It also inserts a hint that tells the other user agent that it should not do silence suppression.
In any case, customers are asked to contact their vendor in case of problems and for explanations. As a general remark, snom recommends using NAT-aware user agents to reduce the network overhead and the support overhead.
If the proxy wants to provide information about how long the call can stay up, it should use AOC information. snom can help with implementing this feature in networks on demand.
The Windows version of the NAT Filter comes with an InstallShield application that should make the installation very simple for you. Before you start the installation, you might want to make sure that the necessary ports are available on your machine. Please use the netstat command to check which ports are being used on that machine. You can change the ports later; however, you should at least make sure that you can access the administration web interface of the NAT Filter on an open port.
The http and https ports are important for you, as they are the only way to administer the NAT Filter. Please select a port number that suits your needs. The default ports are 80 (http) and 443 (https). If you forget the port number, you need to look it up later using the netstat command. After entering the license information and the port numbers, the InstallShield program will ask you for the installation directory.
To see the NAT Filter service, go to the Control Panel, select Administrative Tools and double-click on Services. You will see the list of services, including the snom 4S NAT Filter. If you select the Properties menu entry, you will see the Properties dialog for the NAT Filter.
RPM is stored should install the RPM into your system. The process is not started automatically after the installation, as it was with the old snom software packages, because RPMs cannot
Thus the software is installed with default values for the HTTP and SIP ports. Please first verify that the default values in /etc/sysconfig/snom* match your local requirements before you start the process as usual with /etc/init.d/snom* (or rcsnom* under SuSE).
The login creates a session. This session will time out after a certain time (by default, one hour).

4.2 Port Binding
You need to tell the server on what ports it should listen.
For http and https, you need to know these port numbers when you want to log in. We recommend not using the standard ports. Operating a server on the public Internet usually leads to a lot of denial of service attacks on the standard ports.
This way you can keep a certain history of log files and remove them from the file system as soon as you think the information contained there is no longer relevant.
The Log Length number indicates how many log entries the NAT Filter should keep in internal memory. The NAT Filter writes log messages on a first-in-first-out basis, so that log messages cannot cause a memory leak.
It is much easier to protect only the filter against attacks than your whole SIP network. The third big advantage is that it solves many problems with poor SIP implementations. Typically, immature SIP implementations cannot deal properly with strict and loose routing, which results in complicated routing problems. The filter takes care of the routing problems; the user agent just has to route the request to the filter, which even the poorest implementations are able to do.
By turning the Add comedia flag feature on, you make the filter add a suitable flag to the SDP to indicate that this behaviour is desired. The disadvantage of this flag is again that it makes the messages bigger, which increases the probability that you will have problems with UDP fragmentation.

4.3.12 Removing Headers
As stated before, you may want to remove some headers to make messages shorter.
The parameter to_uri is set to the URI in the To header.
• The parameter uri is set to the value of the request-URI.
All parameters are URL-encoded according to the rules of the http protocol. A possible request might look like this: http://snom.com/post.htm?action=start&from_uri=sip:abc@snom.com&to_uri=sip:def@snom.com&uri=sip:abc@proxy.snom.com (possible escape characters are not shown here for simplicity).
(usually, “sip”) and no angle brackets. Example: uri: sip:1234@route1.snom.com. For programming your web server, please consult your web server manual. Samples and advice are available from snom on demand.

4.4 Timeout Settings
In contrast to previous versions, the time-related settings have been collected on this new management web page.
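The web server side of the routing query described above, as an added example (not snom's code nor the NAT Filter's own implementation): it parses the URL-encoded action, from_uri, to_uri and uri parameters, looks the called domain up in a constructed routing table, and answers with a "uri: sip:..." line with the scheme and no angle brackets. The routing policy (next hop chosen by the To-URI domain), the table contents and the empty 200 reply for an unmatched request are assumptions.

```python
# Added example, not snom's code: a minimal routing web server for the NAT
# Filter's web server routing query. Assumptions not stated in the manual:
# the filter GETs the URL shown above (action, from_uri, to_uri, uri, all
# URL-encoded) and reads back one body line "uri: sip:user@host"; the
# routing table is constructed, and an empty reply is sent when no route fits.
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed table: called domain -> proxy that should receive the call.
ROUTES = {"snom.com": "route1.snom.com", "branch.example": "route2.example"}

def sip_user_host(uri: str) -> Optional[Tuple[str, str]]:
    """Split 'sip:user@host[:port][;params]' (optionally in <>) into (user, host)."""
    uri = uri.strip().strip("<>")
    if ":" not in uri:
        return None
    _scheme, rest = uri.split(":", 1)
    rest = rest.split(";", 1)[0]            # drop URI parameters
    if "@" not in rest:
        return None
    user, hostport = rest.rsplit("@", 1)
    return user, hostport.split(":", 1)[0]  # drop port

def decide_route(query: str) -> Optional[str]:
    """Return the 'uri: ...' reply for a routing query, or None if no route applies."""
    params = {k: v[0] for k, v in parse_qs(query).items()}  # parse_qs URL-decodes
    if params.get("action") != "start":
        return None
    parsed = sip_user_host(params.get("to_uri", ""))
    if parsed is None:
        return None
    user, host = parsed
    next_hop = ROUTES.get(host.lower())
    if next_hop is None:
        return None
    return f"uri: sip:{user}@{next_hop}"   # scheme kept, no angle brackets

class RoutingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        reply = decide_route(urlsplit(self.path).query)
        body = (reply + "\n").encode() if reply else b""
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), RoutingHandler).serve_forever()
```

Run it and point the filter's routing URL at http://127.0.0.1:8080/post.htm; the request-URI parameter is received but, under the assumed policy, only the To-URI domain selects the next hop.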
NAT. This is important for some NAT types, as they do not allow refreshing NAT bindings from the outside. If you turn the flag off, the filter sends short white space packets to the registered user agent.
The value directly influences the keep-alive traffic caused by the NAT Filter. The Registration Logging Time is the time after which it moves the backup file to the primary location. See Preparing Recovery above.

4.4.2 Call Timeouts
Unfortunately, in SIP little attention has been paid to the problem of a user agent that just disconnects from the network without further...
Filter, you may select the https radio button in the Web Access setting. If you don’t care, you can leave the setting at http/https. If you want to exclude https access (for example, to save performance), select http.
To restrict the login, you should set a username (“admin” is the default) and a password. You need to enter the password twice, so that typing mistakes do not block access to your NAT Filter.
This approach is limited to a maximum of ten domains per filter; for more domains you need to use the web server integration mentioned above.
The algorithm for searching for the outbound proxy is simple. The filter first goes through the list of outbound proxies and tries to match the hostname in the request-URI of the request to the configured Domain. If it does not find any match, it takes the outbound proxy from the general settings (if provided).
Filter, “Tr” means the packet has been sent as a message repetition, “Td” means the packet was sent to a UA behind NAT, “Rx” means the packet was received normally, and “Rr” means the packet was received as a message repetition.
The Source/Destination column indicates the IP address to which the packet was sent or from which it was received. The Header column contains the abstract. By clicking on the header link, you can see the complete packet.

4.10 Call History
The call history should help you understand what is going on in your system.
SDP. If the destination has not been locked, that address is shown in brackets and the list of learned addresses is shown after it. An address is locked when the NAT Filter has received a packet on this port from the location indicated in the SDP.
4.12 Currently Handled UA
This table shows the currently handled UAs with their SIP URI and their associated IP address. The third column shows the SIP request type that this binding is using.
Checklist for Installation
When snom or one of their partners performs the installation for you, the following information is necessary:

5.1 Linux
• Please provide secure shell login to the system that can be accessed at least from the snom.com host (currently at IP address 217.115.141.99).
tion tool.
• Please tell us the login address (host and port), user name and password. We need administrative rights on that host.
• Please tell us for what domains you plan to use the server. Please also tell us where you want to process the requests (which outbound proxy to use for the NAT Filter).