Snom 4S NAT Filter Admin Manual
Version 2.10
Summary of Contents for Snom 4S NAT Filter

  • Page 1 snom 4S NAT Filter Admin Manual, Version 2.10
  • Page 2 © 2004-2005 snom technology Aktiengesellschaft. All Rights Reserved. This document is supplied by snom technology AG for information purposes only to licensed users of the snom 4S NAT Filter and is supplied on an "AS IS" basis, that is, without any warranties whatsoever, express or implied.
  • Page 3: Table Of Contents

    Defining the Maximum Session Time ... 21
    Installation ... 23
    Windows ... 23
    Linux ... 28
    Configuration ... 31
    Logging In ... 31
    Port Binding ... 31
    System Settings ... 34
    4.3.1 Logging
    4.3.2 Preparing Recovery
    4.3.3 General Outbound Proxy
    snom technology AG • 3...
  • Page 4 4S NAT FILTER / SNOM

    4.3.4 Media Ports
    4.3.5 Port Budgets
    4.3.6 Media Relay
    4.3.7 Controlling Routing
    4.3.8 Multiple 2xx Handling
    4.3.9 Challenging
    4.3.10 Trusted Addresses
  • Page 5: Overview

    VoIP services today and therefore must address the problem. The snom 4S NAT Filter is a SIP session border controller (SBC). It enables non-NAT-aware devices to operate in private networks, and it also allows the data center itself to be operated in a private network. It takes care of translating SIP messages that carry private-network identities into identities that can be addressed from the data center.
  • Page 6: Applications

    1.1 Applications The filter can be used in the following scenarios: • Corporations. Corporations which operate their infrastructure behind NAT and/or firewalls can talk to the public Internet through the filter.
  • Page 7 That means that the filter will not interfere with applications (instant messaging, presence, weather report, etc.). There are three exceptions to this rule:
  • Page 8 • The first exception is a REGISTER request. When a user agent tries to register and needs the support of the filter, the filter will set up a local data structure representing that user agent.
  • Page 9: Architecture
  • Page 10: NAT

    However, some recent RFCs contain useful proposals on how to deal with the problem. This document shows how the snom 4S NAT Filter can be used to solve these problems. Although snom also makes user agents, the snom 4S NAT Filter works with most SIP user agents from other companies.
  • Page 11: How Does NAT Work

    2.2.3 Signalling: SIP. SIP traffic is relatively unproblematic because SIP typically is not as time-critical as media. Usually it is acceptable to route SIP packets through a longer path than media.
  • Page 12: Media Rtp

    In SIP it is legal to send from a different port than the receiving port. When a device does this, there is no way to support it behind NAT: the binding the NAT creates for the outgoing packets does not lead back to the port on which the device listens.
  • Page 13: Probing Media Paths

    NAT Filter instead of the user agent when they want to deliver a message. The NAT Filter then forwards the message to the user agent using the connection which is kept open with the keep-alive messages.
  • Page 14: Optimizing The Media Path For Symmetrical Nat

    When the NAT Filter sees a message that contains information about sending media (session description protocol, SDP), it opens a local, globally routable port on behalf of the user agent and patches these messages so that the destination sends media via this port.
  • Page 15: SBC Behaviour

    REGISTER sip:snomag.de SIP/2.0
    Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-e8d1feb8138c3d850637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440
    Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401
    From: <sip:denny@snomag.de>;tag=k9p6fmeg7h
    To: <sip:denny@snomag.de>
    Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
    CSeq: 14 REGISTER
    Max-Forwards: 69
    Contact: <sip:217.115.141.99:5082;ua=c9b140ab59829bb491e9c3aaca440>
    Supported: gruu
    Expires: 86400
    Content-Length: 0

    SIP/2.0 200 Ok
    Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-e8d1feb8138c3d850637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440
  • Page 16: RTP Relay

    Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401
    From: <sip:denny@snomag.de>;tag=k9p6fmeg7h
    To: <sip:denny@snomag.de>;tag=epuy85kzm5
    Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
    CSeq: 14 REGISTER
    Contact: <sip:217.115.141.99:5082;ua=c9b140ab59829bb491e9c3aaca440>;expires=3600;gruu="sip:denny@snomag.de;gruu=hobiv52b"
    Date: Wed, 26 May 2004 16:03:33 GMT
    Content-Length: 0

    SIP/2.0 200 Ok
    Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401...
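    The Via and Contact rewriting visible in the two messages above, as an added Python example (it is not code from the manual or from snom). The private address 192.168.1.20:2048, the NAT's public side 203.145.183.113:17401, the md5-derived ua key and the branch value are constructed assumptions modelled on the example; restoring the user agent's own Contact in the 200 that is forwarded back is this example's choice, which the manual does not spell out.

```python
import hashlib
import re

SBC_ADDR = "217.115.141.99:5082"  # the filter's globally routable SIP address in the manual's example

# Constructed REGISTER as a user agent behind NAT would send it (private address, rport
# not yet filled in); modelled on the manual's example, not copied from it.
UA_REGISTER = (
    "REGISTER sip:snomag.de SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:2048;branch=z9hG4bK-abx3au3mxb01;rport\r\n"
    "From: <sip:denny@snomag.de>;tag=k9p6fmeg7h\r\n"
    "To: <sip:denny@snomag.de>\r\n"
    "Call-ID: 3c26701d7cb9-pady07b5783t@192-168-1-20\r\n"
    "CSeq: 14 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "Contact: <sip:denny@192.168.1.20:2048>\r\n"
    "Expires: 86400\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def build_sip(start, headers, body=""):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body

def header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None

def ua_key(source_ip, source_port, contact):
    # Assumed key derivation: 32 hex characters like the ua= values in the manual's example.
    return hashlib.md5(f"{source_ip}:{source_port}|{contact}".encode()).hexdigest()

def outbound_register(raw, source_ip, source_port, table):
    """Rewrite a user agent's REGISTER before forwarding it towards the registrar.
    source_ip/source_port: where the packet actually came from (the NAT's public side).
    table: the filter's local structure mapping ua keys to registered user agents."""
    start, headers, body = parse_sip(raw)
    contact = header(headers, "Contact")
    key = ua_key(source_ip, source_port, contact)
    table[key] = (source_ip, source_port, contact)
    branch = "z9hG4bK-" + hashlib.md5((key + header(headers, "Call-ID")).encode()).hexdigest()
    new_headers = [("Via", f"SIP/2.0/UDP {SBC_ADDR};branch={branch};ua={key}")]
    for n, v in headers:
        low = n.lower()
        if low == "contact":
            v = f"<sip:{SBC_ADDR};ua={key}>"   # the registrar must reach the UA through the filter
        elif low == "max-forwards":
            v = str(int(v) - 1)
        elif low == "via":
            v = re.sub(r";rport(?=;|$)", f";rport={source_port}", v)  # fill in the observed port
        new_headers.append((n, v))
    return build_sip(start, new_headers, body), key

def inbound_response(raw, table):
    """Strip the filter's own Via, restore the UA's Contact and return (message, (ip, port))."""
    start, headers, body = parse_sip(raw)
    top = next(i for i, (n, _) in enumerate(headers) if n.lower() == "via")
    m = re.search(r";ua=([0-9a-f]{32})", headers[top][1])
    if not m or m.group(1) not in table:
        raise ValueError("top Via does not carry a known ua key")
    source_ip, source_port, orig_contact = table[m.group(1)]
    new_headers = []
    for i, (n, v) in enumerate(headers):
        if i == top:
            continue
        if n.lower() == "contact":
            params = v.partition(">")[2]                    # keep expires=, gruu= and the like
            v = orig_contact.partition(">")[0] + ">" + params
        new_headers.append((n, v))
    return build_sip(start, new_headers, body), (source_ip, source_port)
```

    The key carried in the ua= parameter is what lets a response that comes back through a farm of filters find the right local data structure: the filter only trusts the key on the Via it inserted itself, and anything that does not resolve in its table is rejected rather than forwarded.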
  • Page 17 It will forward the request with changed SDP:

    o=root 19387 19387 IN IP4 217.115.141.99
    s=call
    c=IN IP4 217.115.141.99
    t=0 0
    m=audio 49170 RTP/AVP 0 8 3 18 2 101
  • Page 18: Scaling And Redundancy

    a=rtpmap:0 pcmu/8000
    a=rtpmap:8 pcma/8000
    a=rtpmap:3 gsm/8000
    a=rtpmap:18 g729/8000
    a=rtpmap:2 g726-32/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=sendrecv
    a=silenceSupp:off - - - -

    The NAT Filter changes the private address to a globally routable address and inserts the local port.
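    The SDP patching described on pages 14 to 18, as an added Python example (not code from the manual or from snom). The private offer, the address 192.168.1.20 and the relay port range starting at 49170 are constructed assumptions; the real range comes from the Media Ports and Port Budgets settings. The example goes slightly beyond the manual's single audio line: it handles a media-level c= line, more than one m= line, and a port-0 (disabled) stream for which no relay port is spent.

```python
# Constructed SDP offer from a user agent on a private network (addresses and ports are
# assumptions for this example, not values from the manual).
PRIVATE_SDP = (
    "v=0\r\n"
    "o=root 19387 19387 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 3000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 pcmu/8000\r\n"
    "a=rtpmap:8 pcma/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "a=fmtp:101 0-15\r\n"
    "a=sendrecv\r\n"
)

class RelayPortPool:
    """Even RTP ports from a fixed media-port range (the range is an assumption here;
    the manual's Media Ports / Port Budgets settings define the real one)."""
    def __init__(self, first=49170, last=49190):
        self._free = list(range(first, last + 1, 2))
        self.allocated = {}  # relay port -> (private ip, private port) the filter relays to

    def allocate(self, private_ip, private_port):
        if not self._free:
            raise RuntimeError("media port budget exhausted")
        port = self._free.pop(0)
        self.allocated[port] = (private_ip, private_port)
        return port

def _patch_conn(line, relay_ip):
    return f"c=IN IP4 {relay_ip}" if line.startswith("c=IN IP4 ") else line

def _conn_ip(section):
    for line in section:
        if line.startswith("c=IN IP4 "):
            return line.split()[2]
    return None

def rewrite_sdp(sdp, relay_ip, pool):
    """Return (patched SDP, [(relay_port, private_ip, private_port)]).
    Every c= line is pointed at the filter and every active m= line gets a relay port,
    so the far end sends media to the filter, which forwards it to the private address."""
    lines = [l for l in sdp.split("\r\n") if l]
    session, medias = [], []
    for line in lines:                       # split into the session part and media sections
        if line.startswith("m="):
            medias.append([line])
        elif medias:
            medias[-1].append(line)
        else:
            session.append(line)
    session_ip = _conn_ip(session)
    out, mappings = [], []
    for line in session:
        if line.startswith("o="):
            fields = line.split()
            fields[-1] = relay_ip            # the manual's example patches the origin address too
            line = " ".join(fields)
        out.append(_patch_conn(line, relay_ip))
    for sec in medias:
        fields = sec[0].split()              # m=<media> <port> <proto> <fmt> ...
        private_port = int(fields[1])
        private_ip = _conn_ip(sec) or session_ip
        if private_port != 0:                # port 0 = rejected/disabled stream: relay nothing
            if private_ip is None:
                raise ValueError("media line without a connection address")
            relay_port = pool.allocate(private_ip, private_port)
            mappings.append((relay_port, private_ip, private_port))
            fields[1] = str(relay_port)
        out.append(" ".join(fields))
        out.extend(_patch_conn(l, relay_ip) for l in sec[1:])
    return "\r\n".join(out) + "\r\n", mappings
```

    The returned mappings are what the Current Ports page later lists: which relay port belongs to which private endpoint. A filter that forgets to release them when the call ends is exactly how a port budget gets exhausted.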
  • Page 19: Detecting The Right Nat Filter

    (the servers with the lowest priority value in the SRV list). The user agent picks the server that responds first. Alternatively, the user agent could send more test packets and take the mean response time for making the decision.
  • Page 20: Requirements On User Agents

    The snom 4S NAT Filter includes a STUN server that operates on the SIP UDP port. User agents should send their test packets to the SIP port.
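    The probing described on pages 19 and 20, as an added Python example (not code from the manual or from snom): a classic RFC 3489 Binding Request, a parser for the Binding Response that refuses replies whose transaction id does not match, and the "pick the filter that answers fastest" selection. The SIP port 5060, the host names and the canned response are assumptions; the response builder exists only so the example runs offline.

```python
import os
import socket
import struct
import time

SIP_PORT = 5060          # assumed SIP UDP port; the filter's STUN server listens on the SIP port
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001  # RFC 3489 attribute carrying the address/port the server saw

def build_binding_request(txid=None):
    """20-byte STUN header with no attributes; returns (packet, transaction id)."""
    txid = txid or os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid, txid

def build_binding_response(txid, ip, port):
    """What the filter's STUN server answers (constructed here so the example runs offline)."""
    value = struct.pack("!xBH", 0x01, port) + socket.inet_aton(ip)
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr

def parse_binding_response(data, expected_txid):
    """Return (ip, port) from MAPPED-ADDRESS; raise ValueError on anything malformed,
    on a wrong message type, or on a transaction id that does not match our request
    (a stale or spoofed reply must not change the address we advertise)."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    if data[4:20] != expected_txid:
        raise ValueError("transaction id mismatch")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated STUN body")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated STUN attribute")
        if atype == MAPPED_ADDRESS:
            if len(value) < 8:
                raise ValueError("short MAPPED-ADDRESS")
            family, port = struct.unpack("!xBH", value[:4])
            if family != 0x01:
                raise ValueError("only IPv4 MAPPED-ADDRESS is handled here")
            return socket.inet_ntoa(value[4:8]), port
        off += 4 + alen
    raise ValueError("no MAPPED-ADDRESS attribute")

def udp_probe(host, port=SIP_PORT, timeout=1.0):
    """Send one Binding Request and return the round-trip time in seconds, or None."""
    req, txid = build_binding_request()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t0 = time.perf_counter()
        sock.sendto(req, (host, port))
        data, _ = sock.recvfrom(1024)
        rtt = time.perf_counter() - t0
        parse_binding_response(data, txid)   # validates type and transaction id
        return rtt
    except (OSError, ValueError):           # socket.timeout is an OSError subclass
        return None
    finally:
        sock.close()

def choose_nat_filter(candidates, probe=udp_probe):
    """candidates: [(host, port)] from the SRV lookup (same priority). Returns the one with
    the lowest round-trip time, or None if nobody answered."""
    best = None
    for host, port in candidates:
        rtt = probe(host, port)
        if rtt is not None and (best is None or rtt < best[0]):
            best = (rtt, host, port)
    return None if best is None else (best[1], best[2])
```

    Probing sequentially, as here, is the simplest form of the manual's "send more test packets" variant; a user agent that sends all requests at once and takes the first valid reply needs the same transaction-id check, otherwise one unsolicited datagram can steer it to the wrong filter.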
  • Page 21: Defining The Maximum Session Time

    SBC removes it from the packet so that the user agent will not see this header. If the proxy wants to provide information about how long the call can stay up, it should use AOC information.
  • Page 23: Installation

    The Windows version of the NAT Filter comes with an InstallShield application that should make the installation very simple for you. Before you start the installation, you might want to make sure that the necessary ports are available on your machine. Please use the
  • Page 24 netstat command to check which ports are being used on that machine. You can change the ports later; however, you should at least make sure that you can access the administration web interface of the NAT Filter on an open port.
  • Page 25 The http and the https ports are important for you, as they are the only way to administer the NAT Filter. Please select a port number that suits your needs. The default ports are 80 (http) and 443 (https). If you
  • Page 26 forget the port number, you need to look it up later using the netstat command. After entering the license information and the port numbers, the InstallShield program will ask you for the installation directory.
  • Page 27 To see the NAT Filter service, go to the Control Panel, select "Administrative Tools" and double-click on "Services". You will see the list of services, including the snom 4S NAT Filter. If you select the Properties menu entry, you will see the Properties dialog for the NAT Filter.
  • Page 28: Linux

    3.2 Linux After you have downloaded the RPM from our web site, you can either install it via the graphical administration frontend of your Linux distribution or you can use the command line interface (CLI).
  • Page 29 this is the first installation of the snom 4S NAT Filter on this host from an RPM package, please use the following command to install the software: rpm -ihv snomnatf-2.10.*.rpm...
  • Page 31: Configuration

    The login creates a session. This session will time out after a certain time (by default, one hour). 4.2 Port Binding You need to tell the server on what ports it should listen.
  • Page 32 For http and https, you need to know the port numbers when you want to log in. We recommend not using the standard ports. Operating a server on the public Internet usually leads to a lot of denial-of-service attacks on the standard ports. Moving the port only reduces that noise; it is not access control, so the administration ports should additionally be restricted to trusted source addresses with a firewall.
  • Page 33: System Settings

    4.3 System Settings 4.3.1 Logging The Log Level defines the granularity with which messages are written into the log. A log level 0 means that only the most urgent
  • Page 34: Preparing Recovery

    messages are written, a log level of 9 means that all possible log messages are written. If the Log Filename is set, all log messages are also written to the indicated file.
  • Page 35: Media Ports

    SIP packets. Loose routing is the routing mechanism proposed in the latest SIP document (RFC 3261); however, there are devices which are not able to deal properly with these routing headers (the new standard is not backward compatible with the old strict-routing standard).
  • Page 36: Multiple 2xx Handling

    The Hide Routing flag will replace route sets with a unique route index when requests or responses are sent to a registered user agent. Via headers are also replaced with one Via header. This feature has several advantages.
  • Page 37: Challenging

    Typically, packets with more than about 1492 bytes of payload (the MTU of a PPPoE DSL link; plain Ethernet allows 1500) cannot be transported without being split up into several packets. As described in the hide routing feature, this can lead to big problems in today's DSL networks.
  • Page 38: Maximum Packet Size

    If you set this variable, the NAT filter will attempt to compress the message until it fits into the size. By default, it will use the short names (e.g.
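    The "compress until it fits" behaviour on pages 37 and 38, as an added Python example (not code from the manual or from snom): header names are replaced by their RFC 3261 compact forms only when the message would otherwise exceed the configured maximum size. The INVITE below is constructed for the example, and the fallback when the message still does not fit (raise, and let the caller switch transport) is this example's choice.

```python
# RFC 3261 compact header forms; the manual says the filter uses the short names first.
COMPACT_FORMS = {
    "call-id": "i", "contact": "m", "content-encoding": "e", "content-length": "l",
    "content-type": "c", "from": "f", "subject": "s", "supported": "k", "to": "t", "via": "v",
}

# Constructed INVITE; a real one passing through the filter carries a full route set and SDP.
SAMPLE = (
    "INVITE sip:denny@snomag.de SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-0637ced821ef40a3\r\n"
    "From: <sip:alice@snomag.de>;tag=1928301774\r\n"
    "To: <sip:denny@snomag.de>\r\n"
    "Call-ID: a84b4c76e66710@217.115.141.99\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@217.115.141.99:5082>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def compact_headers(msg):
    """Rewrite every header name that has a compact form; start line and body are untouched."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        short = COMPACT_FORMS.get(name.strip().lower())
        out.append(f"{short}:{value}" if short and colon else line)
    return "\r\n".join(out) + sep + body

def fit_message(msg, max_size):
    """Return msg unchanged if it fits in max_size bytes, the compacted form if that fits,
    else raise: the sender must then use another transport or shorten the content."""
    if len(msg.encode()) <= max_size:
        return msg
    small = compact_headers(msg)
    if len(small.encode()) <= max_size:
        return small
    raise ValueError(f"{len(small.encode())} bytes even with compact header names, limit {max_size}")
```

    Compact forms are semantically identical to the long names, so any compliant peer accepts them; the gain is usually a few dozen bytes, which is enough when a message sits just over the fragmentation threshold but not a substitute for hiding a long route set.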
  • Page 39: Codec Control

    The setting Outbound Addresses (for CLIR) lists the IP addresses that also trigger a hiding of the identity. The format for this setting is the same as for the trusted IP addresses.
  • Page 40: Timeout Settings

    4.4 Timeout Settings In contrast to previous versions, the time-related settings have been summarized on this new management web page. The filter differentiates between registration-related settings and call-related settings.
  • Page 41: Call Timeouts

    In SIP, it is possible to challenge a request and wait for a relatively long time until the challenge is answered (for example, if the user has to answer the challenge by entering some data). If the challenged request
  • Page 42: Security Settings

    is not answered after a certain timeout, the filter assumes that the call is over and will not start again. The setting Timeout for Unestablished Calls addresses this problem.
  • Page 43 Otherwise, the server will use a default certificate, which causes a security warning popup when you open the web page. However, as the server is not open to public access, we think this is not so important. Note that this browser warning is the only thing standing between the administrator's login and a man-in-the-middle on the management path; if the administration interface is reachable over any network you do not fully control, install a certificate the browser trusts.
  • Page 44: Outbound Proxy List

    4.6 Outbound Proxy List In addition to the previously mentioned outbound proxy you may specify a number of dedicated outbound proxies. This feature is typically being used in the following scenarios: •...
  • Page 45: System Information

    NAT Filter to clear the log again. To refresh, you should press the link for refreshing the log. For your convenience, these links are available at the top and the bottom of the page.
  • Page 46: Trace

    4.9 Trace The NAT Filter keeps a list of the last trace entries in memory. You may view this list by selecting the trace link. The handling of the page is similar to the handling of the log page.
  • Page 47: Call History

    • The reason "media timeout" indicates that the call was terminated because of a media timeout.
    • The reason "OPTIONS" indicates that there was no response to an OPTIONS request.
    • The reason "Maximum Session Duration" indicates that the session
  • Page 48: Current Ports

    was terminated because the maximum session time has been reached. This time is indicated by the P-Session-Timeout header. 4.11 Current Ports It is important to see which calls are active on the filter. The Current Ports web page lists the calls for which the filter relays media.
  • Page 49: Currently Handled UA

    This web page shows information about the current memory usage. The primary goal is to identify situations when the process grows more than expected. Usually, the NAT Filter process should not take more than five megabytes.
  • Page 51: Web Server Integration

    Please use the complete form for the server settings, including the "http://" in front of the host name. The filter supports only DNS A resolution for locating the web server; no http proxy is allowed.
  • Page 52: Interface To The Web Server

    Accept-Language: en-us
    Connection: Keep-Alive
    Keep-Alive: 5
    User-Agent: Mozilla/4.0 (compatible; snom)

    The responses contain the answer in the body. The SBC checks the response code, and if the code is 2xx, it processes the attachment. The attachment is encoded using a simple line-based protocol.
  • Page 53 The nonce represents a question that can only be answered with the shared secret, the password of that user/host pair. The nonce will expire after one hour and is deleted when the question is answered
  • Page 54 correctly. The web requests that the SBC sends to the application server have the following parameters: • The parameter "action" is set to "auth". By looking at this parameter, the application server can easily find out that it should do a password lookup.
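    The challenge described on pages 53 and 54, as an added Python example (not code from the manual or from snom): the SBC issues a nonce bound to a user/host pair, the user agent answers with an RFC 2617 digest computed from the shared password, and the SBC verifies it with a password obtained through a lookup callback standing in for the action=auth web request. The realm snomag.de comes from the manual's example; the one-hour lifetime and single-use deletion follow page 53; the password, host addresses, the exact nonce construction and the assumption that the application server returns the plain password are this example's.

```python
import hashlib
import hmac
import os
import re
import time

REALM = "snomag.de"      # the domain in the manual's example
NONCE_LIFETIME = 3600    # the manual: a nonce expires after one hour

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(value):
    """'Digest username="denny", realm="snomag.de", ...' -> dict of parameters."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return {k: v for k, v in re.findall(r'(\w+)="([^"]*)"', value[7:])}

class NonceStore:
    """Open challenges, keyed by nonce, bound to the user/host pair they were issued for."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self._open = {}                      # nonce -> (user, host, issued_at)

    def issue(self, user, host):
        nonce = hashlib.sha256(os.urandom(16) + f"{user}@{host}".encode()).hexdigest()
        self._open[nonce] = (user, host, self.clock())
        return nonce

    def check(self, nonce, user, host):
        """True if the nonce is open, unexpired and was issued to this user/host pair."""
        entry = self._open.get(nonce)
        if entry is None:
            return False
        if self.clock() - entry[2] > NONCE_LIFETIME:
            del self._open[nonce]            # expired: forget it
            return False
        return entry[:2] == (user, host)

    def consume(self, nonce):
        self._open.pop(nonce, None)          # answered correctly: single use

def verify_request(store, lookup_password, host, method, auth_header):
    """Verify a challenged request. lookup_password(user, host) stands in for the
    action=auth web request the SBC sends to the application server (assumed to return
    the plain password of the user/host pair, or None if unknown)."""
    auth = parse_authorization(auth_header)
    try:
        user, nonce, uri, resp = auth["username"], auth["nonce"], auth["uri"], auth["response"]
    except KeyError:
        return False
    if auth.get("realm") != REALM or not store.check(nonce, user, host):
        return False
    password = lookup_password(user, host)
    if password is None:
        return False
    expected = digest_response(user, REALM, password, method, uri, nonce)
    if not hmac.compare_digest(expected, resp.lower()):
        return False                         # wrong answer: nonce stays open until it expires
    store.consume(nonce)
    return True

def authorization_header(user, password, method, uri, nonce):
    """What the user agent sends back; built here so the exchange can run offline."""
    resp = digest_response(user, REALM, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')
```

    Two details matter more than the MD5 arithmetic: the nonce is checked against the user/host pair before any password lookup, so a captured credential from one host cannot be replayed from another, and a correct answer deletes the nonce, so the same Authorization header cannot be replayed at all. The comparison is constant-time so the verifier does not leak how many leading bytes of the digest were right.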
  • Page 55: Registration

    The parameter "code" contains the SIP response code for the request. If the registration is ok, this will typically be a 200. If the user does not exist in the registrar, the code will typically be 404.
  • Page 56: Call Initiation

    • The parameter "explanation" contains the explaining text that is added behind the code in the SIP response. Typical values are "Ok" or "Not Found". •...
  • Page 57 • If the parameter "anonymous" is present, the SBC will insert a Privacy header into the request. When the request leaves the data center,
  • Page 58: Call Termination

    the From header will be set to the value that you pass here. Please note that requests may loop through several SBCs. This will typically happen in data centres that use an SBC server farm. In this environment, the application server must be able to handle several call initiation requests for the same call, as the SBCs do not exchange information about web requests.
  • Page 59 • "Maximum Session Duration" is used when the SBC closes the call because the maximum duration (provided in the "expires" parameter in the action=start result) has been reached.
  • Page 61: Checklist For Installation

    Checklist for Installation When snom or one of their partners perform the installation for you, the following information is necessary: 6.1 Linux • Please provide secure shell login to the system that can be accessed at least from the snom.com host (currently at IP address 217.115.141.99).
  • Page 62 tion tool. • Please tell us the login address (host and port), user name and password. We need administrative rights on that host. • Please tell us for which domains you plan to use the server. Please also tell us where you want to process the requests (which outbound proxy to use for the NAT Filter).
  • Page 63 Reader's Feedback snom technology AG welcomes your evaluation of this manual and any suggestions you may have. These help us to improve the quality and usefulness of our documentation. Please send your comments and suggestions to: snom technology AG Attention: Marketing Department Pascalstr.
  • Page 64 Aktiengesellschaft Pascalstr. 10B, 10587 Berlin, Germany Phone: +49 (30) 39833-0 mailto:info@snom.com http://www.snom.com sip:info@snom.com © 2004-2005 snom technology AG All rights reserved.