====== Advanced SIP Settings ======

Changing values on this page requires in-depth knowledge! Press **Get default values** to restore all settings on this page to factory defaults.

:!: **The Internet Gate is pre-configured to be SIP-transparent**, allowing SIP traffic to pass through the firewall without further setup. You do not need to change these settings if all you want is to get simple SIP traffic through the firewall. The settings below are for //additional// functionality beyond basic transparency.

:!: **Turn off ICE, STUN, UPnP and other “tricks”** that your SIP clients use to get through ordinary firewalls. Because the Internet Gate is SIP-transparent, such “tricks” are unnecessary and harmful, and might even stop SIP traffic from getting through the firewall!

===== Far End NAT Traversal (FENT) =====

{{ :web_gui:advanced_sip_settings.png?237|Advanced SIP Settings in rel 5.30}}

The Internet Gate can enable SIP connectivity for remote users behind NAT devices without SIP support. It can adapt to characteristics of remote NAT devices. FENT sends keep-alive packets to remote SIP clients behind non-SIP-capable firewalls to keep the SIP communications channel open to them.

| :!: Using Internet Gate's FENT feature might require purchase of a [[:license]]. |

Read more about [[:SIP:FENT]].

===== Authorized Users =====

Define rules for limiting what SIP users are allowed to do. When a SIP message is received, this table is scanned from top to bottom, and the first row whose rule matches the method, URI and direction of the SIP message is used.

FIXME

===== TLS Settings =====

TLS (Transport Layer Security) encrypts SIP messages.

| :!: Using Internet Gate's TLS feature might require purchase of a [[:license]]. |

:!: **TLS is configured automatically** on every network interface if any [[:SIP:certificates|certificate]] has been installed in the unit. The default configuration uses the first server certificate installed in the unit and all trusted certificates.
Interop is enabled and MTLS is not.\\
**You need to use the table on the SIP Advanced page only if you want to override the default configuration.**

You can configure different TLS settings for each interface, specifying which certificates to use and trust, which methods the TLS server shall use, and which methods clients are allowed to use.

**MTLS** (Mutual TLS) requires all connecting clients to present a certificate that can be verified using trusted certificates.

**Interop** - OpenSSL has workarounds for common bugs in popular SSL implementations, which are enabled through [[http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html|SSL_CTX_set_options(3)]]. Enabling Interop activates those workarounds, allowing connections to SIP TLS clients that have buggy TLS implementations.

Read more about [[:SIP:TLS]].

Read more about [[:SIP:certificates]].

===== SIP proxy =====

Advanced settings for how Internet Gate forwards SIP messages. See Internet Gate's built-in pop-up help :?: for detailed information about the settings.

The **maximum number of active sessions** ("simultaneous calls") Internet Gate is allowed to handle is limited by [[:license]]. To allow more, you need to purchase additional [[:license|licenses]].

===== Static domain forwarding =====

Enter domains that should not be looked up using DNS.

Use 127.0.0.1 as "Forward to" to specify a domain that should be handled by the Internet Gate.

If a domain in DNS points at Internet Gate's IP address but you want to use another SIP server, you can enter its IP address here. SIP messages addressed to that domain will then be forwarded to that IP address.

For example, if SIP domain %%mycalls.com%% is handled by a SIP server on your LAN, you can enter %%mycalls.com%% as **Domain** and the SIP server's LAN IP address as **Forward to**.

===== Allowed Codecs =====

You can specify codecs (media coding format) you allow for SIP calls.
When Internet Gate is used in B2BUA mode (with operator accounts or the call transfer settings below), call transfers may not work unless only a single codec is allowed for all voice communication. Recommended codecs for these cases are "pcmu" or "pcma", which are the most common codecs supported by SIP phones.

===== Proxy rules =====

Rules that limit access to the SIP server by matching the source IP address of the SIP message. With these rules you can blacklist (or whitelist) users based on source IP address. The list is scanned from top to bottom and the first match found is selected.

===== Advanced =====

Miscellaneous advanced settings affecting Internet Gate SIP proxy and server behavior. See Internet Gate's built-in pop-up help :?: for detailed information about the settings.

===== Trusted networks (RFC 3325) =====

Support for the [[http://tools.ietf.org/html/rfc3325|RFC 3325]] P-Asserted-Identity header. SIP requests arriving from a trusted network will be regarded as properly authenticated if they contain a P-Asserted-Identity header. P-Asserted-Identity will also be added to requests successfully authenticated by Internet Gate.

127.0.0.1 (internal address) is always regarded as a trusted "network".

===== Call Transfer =====

In SIP, call transfers should be performed by the endpoints (SIP UA), but handling this is not a mandatory requirement according to the standard, so some SIP UAs may not support it. If you have problems with call transfers, Internet Gate can perform the call transfer locally on behalf of an endpoint. Internet Gate achieves this using [[:SIP:B2BUA]] (back-to-back user agents).

You can filter out devices that cannot transfer calls to let Internet Gate help them. Other devices that are capable of call transfer should perform call transfers themselves to reduce load on Internet Gate.

===== Quality of Service =====

To ensure high QoS (Quality of Service) for SIP calls, SIP media stream packets should be prioritized over common data traffic.
If your Internet Provider supports [[wp>DiffServ]] then Internet Gate can label media packets with DiffServ bits so your Internet Provider can recognize them and prioritize them. Check with your Internet Provider for suitable values.

**Upstream prioritization** is prioritizing media stream packets inside the Internet Gate, by lowering throughput of common traffic so that media streams always have enough bandwidth to be sent. As the Internet Gate constantly tracks how much bandwidth media streams require it dynamically adapts the throttle-back of common data traffic. No media streams equals no throttle-back.

:!: Upstream prioritization must know the exact send capacity of your WAN/Internet connection to work properly. The physical capacity of the link may be much higher than the actual subscribed rate. Measure and enter the true upstream capacity of your Internet connection.

===== Call Admission Control =====

To prevent Internet Gate (or your Internet connection) from being overloaded it can deny further SIP calls if there is already too heavy load on the unit.
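
The trust decision described under "Trusted networks (RFC 3325)" above, as an added example that is not Internet Gate's own code: a simplified Python model in which the function names, the dict representation of headers and the sample addresses are assumptions. Removing the header when the source is not trusted follows RFC 3325 and is not stated on this page.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.1/32")  # always trusted, per the page
PAI = "p-asserted-identity"  # SIP header names are case-insensitive


def is_trusted(source_ip, trusted_networks):
    """True if source_ip is 127.0.0.1 or lies inside a configured trusted network."""
    addr = ipaddress.ip_address(source_ip)
    nets = [LOOPBACK] + [ipaddress.ip_network(n) for n in trusted_networks]
    return any(addr in net for net in nets)


def handle_request(source_ip, headers, trusted_networks, verified_uri=None):
    """Model the trust decision for one incoming SIP request.

    headers:      dict of header name -> value (simplified to one value each)
    verified_uri: identity the proxy itself authenticated, or None
    Returns (regarded_as_authenticated, headers_to_forward).
    """
    asserted = [k for k in headers if k.lower() == PAI]
    if is_trusted(source_ip, trusted_networks) and asserted:
        # Trusted network + P-Asserted-Identity: accepted as authenticated.
        return True, dict(headers)
    # Not trusted (or no assertion): RFC 3325 requires an untrusted node's
    # P-Asserted-Identity to be removed or replaced before forwarding.
    out = {k: v for k, v in headers.items() if k.lower() != PAI}
    if verified_uri is not None:
        # The proxy authenticated the sender itself and asserts that identity.
        out["P-Asserted-Identity"] = f"<{verified_uri}>"
        return True, out
    return False, out


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, made-up URIs).
    trusted = ["192.0.2.0/24"]
    claim = {"From": "<sip:x@example.net>",
             "P-Asserted-Identity": "<sip:alice@example.com>"}
    for src in ("192.0.2.10", "198.51.100.7", "127.0.0.1"):
        print(src, handle_request(src, claim, trusted))
```

Any host inside a listed range can present an identity that is accepted without further authentication, so the trusted-network list should contain only SIP servers that authenticate their own users.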