====== SIP Settings ======
(This page is called SIP Server in release 5.33 and later.)

====== SIP Server ======
(This page was called SIP Settings in releases older than 5.33.)

There are several pages that control Internet Gate's SIP capabilities. This is the main SIP Settings page. There are links to the other SIP configuration pages at the bottom of the page.

:!: **The Internet Gate is pre-configured to be SIP-transparent**, allowing SIP traffic to pass through the firewall effortlessly. You do not need to change these settings if all you want is to get simple SIP traffic through the firewall. The settings below are for //additional// functionality besides basic transparency.

:!: **Turn off ICE, STUN, UPnP and other “tricks”** that your SIP clients try to use to get through ordinary firewalls. As the Internet Gate is SIP-transparent, such “tricks” are harmful and unnecessary, and might even stop SIP traffic from getting through the firewall!

{{ :web_gui:sip_page.png?245|SIP page in rel 5.30}}

===== General SIP Server Settings =====

The Internet Gate can act as your own SIP server. Simply enter the name of your domain and enable the checkbox. Read more [[:SIP:set up a SIP server|here]].

| :!: Enabling Internet Gate's built-in SIP server might require purchase of a [[:license]]. |

If needed, you can specify a **realm** for client authentication that differs from the client's own domain name. You can also specify which users are allowed to register to your Internet Gate's SIP server. **Inside users** are SIP clients on your LAN, **Outside users** are SIP clients on the Internet.

==== Security risks ====

:!: Allowing users on the Internet to register on your server is **always** a security risk!

Fortunately Internet Gate has some powerful filtering available for its SIP server: you can limit who is allowed to connect and who is allowed to make outgoing calls.
SIP clients that register are divided into **inside users** (on your LAN) and **outside users** (on the Internet). You can allow anyone on your LAN to register, with or without authentication (password). Select **Inside users: All** to allow anyone on your LAN to register without authentication, or, if you have a wireless access point, select **Inside users: Authenticate**.

=== Wireless ===

If you have a wireless access point then remember that **wireless clients are also on the LAN!** Anyone connecting to your wireless access point, even from outside your walls, is considered to be an "inside user". Therefore it is a **security risk** to allow wireless users to register without authentication!

==== ====

**Outside users**, on the other hand, should //not// be allowed to register (select "None"), unless you //must// allow remote users (e.g. teleworkers) to register to your server. In that case select "Authenticate". //Never// select "Outside users: All", as that would allow //anyone on the Internet// to register to your server and make calls!

Allow outgoing calls only for users calling from inside (your LAN). Once again, never select "All", as that would allow anyone on the Internet to make calls.

:!: To allow outside (from Internet) SIP clients to make outgoing (to Internet) calls is **always** a security risk, even if you select "**and from others after authentication**", as there are many Internet attacks trying to guess passwords.

For best security you should select **Allow to register: Inside users: Authenticate**, **Outside users: None**, **Allow outgoing calls from: Inside**, and **disable "and from others after authentication"**. If this configuration is too limited for your needs then you can relax it, but remember the security risks you then face.

You are **strongly recommended to force all users to use [[wp>strong password]]s**.

===== Outbound Proxy =====

Internet Gate also acts as an outbound proxy by itself for SIP clients on LAN.
If your SIP provider requires usage of an outbound proxy, this is the place where it should be configured.

This table lets you control how outbound SIP requests are routed. You can set outbound proxies, QoS classes and diffserv bits based on the identity of the caller and the SIP URI called. Leave this table empty to get standard SIP processing for outbound requests.

  * **Send to** - Enter the domain name or IP address of the SIP proxy to which outbound SIP requests will be sent. Use the word "this" to mean the request should be routed by this unit.
  * **for Request from Domains** - The SIP proxy in the previous column will only be used if the caller's SIP URI (SIP address) matches the pattern specified here. You can use wildcards to match the caller's URI. ? represents any single character while * represents a string of characters of any length. * is only allowed first, last and just before or after @. ! is allowed only as the first character of a pattern and means that a potential match has the inverse effect, that is, the match makes the SIP proxy not be used and searching continues with the next row of the table. If this field is left blank it matches all URIs. Several space and/or comma separated patterns may be specified.
  * **and with Destinations** - The SIP proxy will only be used if the SIP URI (Request-URI) of the called party matches the pattern specified here. Wildcards (*?!) are allowed as in the previous column. Leave blank to match all destinations.
  * **WAN interface** - Your broadband provider may use a separate WAN interface with higher quality (QoS) for SIP services, in addition to the ordinary Internet WAN interface. With this setting you can classify SIP traffic which should use the WAN interface with special SIP QoS (the special SIP QoS WAN interface is configured at the Advanced Network Settings page).
  * **Diffserv bits** - Set [[wp>diffserv]] bits (DSCP) for the media streams created by a call matching the row.
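
The row-matching rules of the table above can be checked offline before a table is entered, for instance to confirm that a "!" pattern really keeps a group of callers away from a proxy. The Python below is an added example, not Internet Gate's own code. It assumes that URIs are compared in user@host form without the "sip:" scheme, that comparison is case-insensitive, and that within one field the first matching pattern decides; the table contents are constructed sample values.

```python
import re

def validate(pattern):
    """Apply the page's placement rules for '!' and '*' to one pattern."""
    body = pattern[1:] if pattern.startswith("!") else pattern
    if not body or "!" in body:           # '!' is legal only as first character
        return False
    for i, ch in enumerate(body):
        if ch == "*":
            edge = i == 0 or i == len(body) - 1
            by_at = body[i - 1:i] == "@" or body[i + 1:i + 2] == "@"
            if not (edge or by_at):       # '*' only first, last, or next to '@'
                return False
    return True

def to_regex(body):
    """Translate '?' (one character) and '*' (any run of characters) to a regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in body]
    return re.compile("".join(parts), re.IGNORECASE)  # case-insensitive: assumption

def field_matches(field, uri):
    """True if the row may be used for this URI, False if the row is skipped."""
    patterns = [p for p in re.split(r"[,\s]+", field) if p]
    if not patterns:
        return True                        # blank field matches all URIs
    for p in patterns:
        if not validate(p):
            raise ValueError(f"illegal pattern: {p!r}")
        if to_regex(p.lstrip("!")).fullmatch(uri):
            return not p.startswith("!")   # assumption: first matching pattern decides
    return False

def route(table, caller, destination):
    """Return the 'Send to' value of the first usable row, else None."""
    for send_to, from_field, dest_field in table:
        if field_matches(from_field, caller) and field_matches(dest_field, destination):
            return send_to
    return None                            # no row applies: standard SIP processing

# Constructed sample table: (Send to, for Request from Domains, and with Destinations)
TABLE = [
    ("proxy.provider.example", "!guest*@office.example, *@office.example", "*@provider.example"),
    ("this", "", "*@office.example"),
]

if __name__ == "__main__":
    for caller, dest in [("alice@office.example", "bob@provider.example"),
                         ("guest7@office.example", "bob@provider.example"),
                         ("guest7@office.example", "carol@office.example")]:
        print(caller, "->", dest, ":", route(TABLE, caller, dest))
```
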
===== Export/Import Settings =====

You can save the settings on this page as a file on your hard disk by pressing Export. When importing settings from a previously stored file, you can select which parts of the settings you want to restore.

:!: Please note that Export/Import covers the settings of **this page only**. For full backup and restore of all settings use [[:settings and administration:backup files]].

===== Other SIP configuration pages =====

At the bottom of the page there are links to other SIP configuration pages:

  * [[SIP Switch]]
  * [[SIP Trunk]]
  * [[Advanced SIP Settings]]
  * [[sip:Certificates]]
  * [[SIP switch overview page|SIP Switch Overview]]