
  • SIP extensions behind firewall...

    Anybody currently using SIP extensions behind their firewall? I am having a great deal of trouble getting the phones to register. I can watch the registration come across my firewall (SonicWall TZ170) but it seems as if the registration process just won't happen. I am pulling my hair out over this. If anybody has done this or has any suggestions please let me know!!

  • #2

    Are you doing NAT at the firewall?


    • #3
      Don't you mean in front of the firewall? Behind would be in your LAN. If you are conducting SIP through a firewall, you need to make sure your firewall supports SIP.


      • #4

        Most firewalls do not handle SIP at all, 99.9% of them don't handle it correctly.


        • #5
          Originally posted by eazeaz
          Most firewalls do not handle SIP at all, 99.9% of them don't handle it correctly.


          • #6
            It's weird. I'm using a SonicWall TZ170 which claims to have full SIP support. When I watch the logs on the firewall I see the request from the phone, I see the phone register at the firewall (ex: [email protected] SIP endpoint added), I then see the translation for the phone to register at the ShoreTel SIP Proxy Virtual IP ([email protected] translated to [email protected]). Then the next log shows the termination of the endpoint. It looks like the traffic is making it to where it needs to go, just not registering. I didn't know if anybody else was trying to add SIP extensions in front of their firewall.
            Thanks for the replies guys. I will continue to adjust until I get there!


            • #7
              SIP Issues

              As another has already pointed out, most firewalls, particularly the low-end SonicWall, are not truly SIP-aware. Registration takes place on a specific port; the media stream, however, can be all over the RTP map! You would have to make so many ports open that you would not have a firewall left! SIP-aware firewalls are able to monitor the flow between registered endpoints, looking at the source and destination ports to open/close RTP sessions as required. That takes a fairly sophisticated firewall. ShoreTel currently supports the SIParator by Ingate. Cisco ASA does a nice job, but I don't think they will be on the ShoreTel partner support page. Optionally, you can build a SIP tie line to a Linux box running Asterisk and let the Asterisk box handle the interface to the SIP ISP. We have had great results with that strategy; it also enables us to handle 7920 SCCP wireless phones as Asterisk supports Skinny.
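
Added example, not part of the thread and not any vendor's code: a sketch of how a SIP-aware firewall can read the SDP in an INVITE and its 200 OK to open only the RTP/RTCP ports that call negotiated, instead of a wide static range. The messages, addresses and the `sip`, `media_endpoints` and `pinholes` helpers are constructed for illustration; RTCP is assumed to use the RTP port plus one.

```python
# Constructed SIP messages; addresses are from documentation ranges.
def sip(start_line, ip, port):
    return (f"{start_line}\r\nCall-ID: constructed-1\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\n"
            f"c=IN IP4 {ip}\r\nt=0 0\r\nm=audio {port} RTP/AVP 0 8\r\n")

INVITE = sip("INVITE sip:200@198.51.100.10 SIP/2.0", "192.0.2.50", 16384)
OK_200 = sip("SIP/2.0 200 OK", "198.51.100.10", 20000)

def media_endpoints(sip_message):
    """Return [(ip, rtp_port)] for every m= line in the SDP body."""
    body = sip_message.partition("\r\n\r\n")[2]
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if streams:
                streams[-1][0] = ip      # media-level c= overrides session-level
            else:
                session_ip = ip          # session-level default address
        elif line.startswith("m="):
            port = line[2:].split()[1]
            streams.append([session_ip, int(port.split("/")[0])])
    return [tuple(s) for s in streams]

def pinholes(offer, answer):
    """Return {(src_ip, dst_ip, dst_udp_port)} to allow for this call only."""
    rules = set()
    pairs = zip(media_endpoints(offer), media_endpoints(answer))
    for (a_ip, a_port), (b_ip, b_port) in pairs:
        if a_port == 0 or b_port == 0:   # port 0 means the stream was rejected
            continue
        for offset in (0, 1):            # RTP, then RTCP on the next port
            rules.add((b_ip, a_ip, a_port + offset))
            rules.add((a_ip, b_ip, b_port + offset))
    return rules

if __name__ == "__main__":
    for rule in sorted(pinholes(INVITE, OK_200)):
        print("allow udp %s -> %s:%d" % rule)
```

The rules are keyed to one dialog, so a real device would remove them when it sees the BYE or the session times out.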