SIP Server
(This page was called SIP Settings in releases older than 5.33.)
There are several pages that control Internet Gate's SIP capabilities. This is the main SIP Settings page. There are links to the other SIP configuration pages at the bottom of the page.
The Internet Gate is pre-configured to be SIP-transparent, allowing SIP traffic to effortlessly pass through the firewall. You do not need to tweak or configure the settings if all you want is getting simple SIP traffic through the firewall. Below settings are for additional functionality besides basic transparency.
Turn off ICE, STUN, uPnP and other “tricks” that your SIP clients try to use to get through ordinary firewalls. As the Internet Gate is SIP transparent such “tricks” are harmful and unnecessary - and might even actually stop SIP traffic from getting through the firewall!
General SIP Server Settings
The Internet Gate can act as your own SIP server. Simply enter the name of your domain and enable checkbox. Read more here.
| Enabling Internet Gate's built-in SIP server might require purchase of a license. |
If needed you can specify a different realm for client authentication than the client's own domain name.
You can also specify what users are allowed to register to your Internet Gate's SIP server. Inside users are SIP clients on your LAN, Outside users are SIP clients on the Internet.
Security risks
Allowing users on the Internet to register on your server is always a security risk!
Fortunately Internet Gate has some powerful filtering available for its SIP server: you can limit who is allowed to connect and who is allowed to make outgoing calls.
SIP clients registering are divided into inside users (on your LAN) and outside users (on the Internet).
You can allow anyone on your LAN to register, with or without authentication (password). Select Inside users: All to allow anyone on your LAN to register without authentication, or -if you have a wireless access point- select Inside users: Authenticate.
Wireless
If you have a wireless access point then remember that wireless clients are also on the LAN! Anyone connecting to your wireless access point -even from outside your walls- are considered to be “inside users”. Therefore it is a security risk to allow wireless users register without authentication!
Outside users on the other hand should not allowed to be registered (select “None”), except if you must allow remote users (e.g. distance workers) to register to your server. In such case select “Authenticate”. Never select “Outside users: All” as that would allow anyone on the Internet to register to your server and make calls!
Allow outgoing calls only for users calling from inside (your LAN). Once again, never select “All” as that would allow anyone on the Internet to make calls.
To allow outside (from Internet) SIP clients to make outgoing (to Internet) calls is always a security risk, even if you select “and from others after authentication”, as there are many Internet attacks trying to guess passwords.
For best security you should select Allow to register: Inside users: Authenticate, Outside users: None, Allow outgoing calls from: Inside, and disable “an from others after authentication”. If this configuration is too limited for your needs then you can ease it up, but remember the security risks you are facing then. You are strongly recommended to force all users to use strong passwords.
Outbound Proxy
Internet Gate also acts as an outbound proxy by itself for SIP clients on LAN. If your SIP provider requires usage of an outbound proxy, this is the place it should be configured.
This table lets you control how outbound SIP requests are routed. You can set outbound proxies, QoS classes and diffserv bits based on the identity of the caller and the SIP URI called. Leave this table empty to get standard SIP processing for outbound requests.
- Send to - Enter the domain name or IP address of the SIP proxy to which outbound SIP requests will be sent. Use the word “this” to mean the request should be routed by this unit.
- for Request from Domains - The SIP proxy in the previous column will only be used if the callers SIP URI (SIP address) matches the pattern specified here. You can use wildcards to match the callers URI. ? represents any single character while * represents a string of characters of any length. * is only allowed first, last and just before or after @. ! is allowed only as the first character of a pattern and means that a potential match has the inverse effect, that is the match makes the SIP proxy not be used and searching continues with next row of the table. If this field is left blank it matches all URI:s. Several space and/or comma separated patterns may be specified.
- and with Destinations - The SIP proxy will only be used if the SIP URI (Request-URI) of the called party matches the pattern specified here. Wildcards (*?!) allowed like the previous column. Leave blank to match all destinations.
- WAN interface - Your broadband provider may use a separate WAN interface with higher quality (QoS) for SIP services, in addition to the ordinary Internet WAN interface. With this setting you can classify SIP traffic which should use the WAN interface with special SIP QoS (The special SIP QoS WAN interface is configured at the Advanced Network Settings page).
- Diffserv bits - Set diffserv bits (DSCP) for the media streams created by a call matching the row.
Export/Import Settings
You can save the settings on this page as a file on you hard disk by pressing Export. When Importing settings from a previously stored file, you can select which parts of the settings you want to restore.
Please notice that you only export/import settings of this page only. For full backup and restore of all settings use backup files.
Other SIP configuration pages
At the bottom of the page there are links to other SIP configuration pages: