Welcome to ISAserver.org


VOIP using SIPS Protocol

VOIP using SIPS Protocol - 23.Aug.2005 8:12:00 AM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Hello, hope this is the right forum to ask my question?

I have been asked to install a VOIP phone using the SIPS protocol in our network consisting of SBS 2003 with ISA 2004 and all the latest service packs and patches.

I tried by just connecting the unit to the switch and getting an IP address via DHCP, however no luck. Then I created rules to try and allow the IP address of the VOIP unit free access to the internet, however again no luck.

Having done some research I found out that ISA 2004 does not support the SIPS protocol as it involves leaving certain ports, UDP I think, open all the time, which is not possible in ISA 2004.

Having spoken to the suppliers, I was told that the unit "will not work behind a firewall. It will work behind NAT but in case of a firewall it MUST be in the DMZ, i.e., unfirewalled".

Not having that much experience with ISA 2004, I wish to know if there is an easy way to make such a VOIP unit work without too many problems.

All help will be appreciated.
Post #: 1
RE: VOIP using SIPS Protocol - 24.Aug.2005 5:56:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stump,

Yes, if it's using SIP, then it won't work behind an ISA firewall.

However, there are MANY different implementations of SIP.

What kind of rule did you create to allow the device Internet access and where is that rule on the list of rules?

Thanks!
Tom

(in reply to SanjivR)
Post #: 2
RE: VOIP using SIPS Protocol - 24.Aug.2005 4:01:00 PM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Thanks for the prompt response.

FYI, the VOIP unit is a SIPURA SPA-2000. Technical information can be found at http://www.sipura.com.

Regarding the rules - I had tried to set up the unit before upgrading to SBS 2003 SP1 and ISA 2004. At that time in ISA 2000 (from memory), I had created a client set with the specific IP of the unit as given by DHCP and I had tried to create a rule which allowed this particular client set complete access to all protocols and traffic in both directions. I also tried keeping ports 5060 and 5061 (ports, I believe are used by SIP) both in TCP and UDP open, but again no luck.

Sorry for the rather vague description, but I tried this about a month ago and then too not in a very logical way, it was more a case of trial and error.

I have not yet got round to trying again after upgrading to ISA 2004 as I do not want to mess up in a production setup. So if there is any way I can get the unit to work without worrying about setting up a DMZ, etc., would be brilliant.

Hope this rather long winded explanation helps along with the technical information from the site itself.

(in reply to SanjivR)
Post #: 3
RE: VOIP using SIPS Protocol - 25.Aug.2005 12:08:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stump,

From reading the docs on their site, it looks like you need a SIP proxy [Frown]

HTH,
Tom

(in reply to SanjivR)
Post #: 4
RE: VOIP using SIPS Protocol - 25.Aug.2005 2:30:00 AM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Thanks again for the swift reply. Do you mean something like Microsoft Communications Server?

How about setting up a tri-homed DMZ, but using an internal IP on the DMZ NIC. Then I set up rules to allow traffic to and from the DMZ. Reason for this comment is it is very difficult and expensive for us to get a bank of IP's from our ISP?

Again, looking forward to your comment.

(in reply to SanjivR)
Post #: 5
RE: VOIP using SIPS Protocol - 25.Aug.2005 6:20:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stump,

It might be better to put together a setup where there is a NAT device with a SIP proxy in front of the SBS/ISA firewall computer and putting the VoIP box in that DMZ.

HTH,
Tom

(in reply to SanjivR)
Post #: 6
RE: VOIP using SIPS Protocol - 16.Sep.2005 7:07:00 AM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Tom,

Hello, sorry to have disappeared but had to try to get this unit to work.

I am pleased to say that I finally got it to work as follows:

1) Installed a third NIC into the SBS2K3 box and configured it using a private IP 172.16.0.x with Subnet of 255.255.0.0.

2) Created a Firewall Policy Rule with

Action = Allow
Protocols = All outbound traffic
From = 172.16.0.0 to 172.16.255.255
To = External

This rule is placed just above the SBS Internet Access Rule and Last Default Rule

3) Under Configuration/Networks/Networks tab created a Perimeter Network with IPs as above in 'From', all other settings as default.

4) Under Configuration/Networks/Network Rules tab created a Rule with

Source Networks = Network created in point 3
Destination Network = External
Network Relationship = NAT

This rule is placed last.

All seems to be working, except two issues:

1) Every time a DHCP broadcast is made, the VOIP unit reverts to DHCP mode, i.e., it resets to look for an IP from a DHCP server rather than the fixed IP, 172.16.0.x given by me? Is there a way to assign IPs via DHCP to a DMZ and is it advisable?

2) Though I have not given any explicit reference to linking the internal 192.168.16.x network to the DMZ, I just want to be sure that the internal network is safe.

I know I got it to work, but am not too sure about the security and reliability of this setup.

BTW, your articles on ISA 2004 in SBS2K3 are timely and very informative, look forward to reading more about ISA 2004 in SBS2K3.

(in reply to SanjivR)
Post #: 7
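The isolation question raised in post #7, as an added example that is not part of the original thread and is not ISA Server code. It is a simplified model that assumes traffic between two networks passes only when a network rule links them and an allow rule matches; it holds only the rules listed in the post, and the /24 internal range and the sample addresses are constructed.

```python
import ipaddress

# Constructed model of the rules listed in post #7 (not an ISA Server API).
# Assumption: the "192.168.16.x" internal LAN is 192.168.16.0/24.
NETWORKS = {
    "Perimeter": ipaddress.ip_network("172.16.0.0/16"),
    "Internal": ipaddress.ip_network("192.168.16.0/24"),
}
# Network rules from step 4: (source network, destination network, relationship)
NETWORK_RULES = [("Perimeter", "External", "NAT")]
# Firewall policy from step 2, evaluated top-down; anything unmatched is denied.
POLICY = [("Allow", "Perimeter", "External")]


def overlapping_networks():
    """Return pairs of defined networks whose address ranges overlap."""
    names = sorted(NETWORKS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if NETWORKS[a].overlaps(NETWORKS[b])]


def network_of(ip):
    """Map an address to its network; anything not listed counts as External."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"


def evaluate(src_ip, dst_ip):
    """Return (action, reason): both a network rule and an allow rule are needed."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    relation = next((r for s, d, r in NETWORK_RULES if (s, d) == (src, dst)), None)
    if relation is None:
        return ("Deny", "no network rule")
    for action, s, d in POLICY:
        if (s, d) == (src, dst):
            return (action, relation)
    return ("Deny", "default rule")


if __name__ == "__main__":
    print(evaluate("172.16.0.20", "203.0.113.5"))   # VoIP unit to the Internet
    print(evaluate("172.16.0.20", "192.168.16.2"))  # VoIP unit to the internal LAN
```
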
RE: VOIP using SIPS Protocol - 19.Sep.2005 9:23:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stump,

There should be some way to assign a static IP address to your device. I can do that for Vonage and Lingo boxes behind ISA firewalls, so you should be able to do that for your VoIP adapter box as well.

Tom

(in reply to SanjivR)
Post #: 8
RE: VOIP using SIPS Protocol - 1.Oct.2005 5:17:00 PM   
nrausch

 

Posts: 8
Joined: 17.Feb.2002
From: New York
Status: offline
Hello,

I've got a Sipura 2000 also and I have it working perfectly behind my ISA 2004 Server - NO SIP Proxy and NO DMZ. I have just 2 NICs (One External, One Internal). What I had to do was simply create 2 protocol definitions. The ISA box is also on a DHCP assigned cable modem. Definitions are below.

1a.) UDP | Receive/Send | 5060-5061 (Primary)
1b.) UDP | Send/Receive | 5060-5061 (Secondary)

2a.) UDP | Receive/Send | 16384-16482 (Primary)
2b.) UDP | Send/Receive | 16384-16482 (Secondary)

Also, the Sipura can remain DHCP on my Internal LAN and needs no publishing rules back to it from ISA. Might I add, I also run "Bandwidth Controller" on the ISA Box to give all VOIP traffic the highest priority. I've had this whole setup running for about 4 months now and it works just flawless!

Hope it helps some....

Thanks,

Nathan E. Rausch
Network Engineer
MCP, NTCIP, MCSE, CCNA

(in reply to SanjivR)
Post #: 9
RE: VOIP using SIPS Protocol - 2.Oct.2005 9:19:00 PM   
vaiguy

 

Posts: 17
Joined: 2.Oct.2005
From: Baltimore
Status: offline
So Nathan, you're saying you created the Protocols, but then you didn't enable them with an access policy? I thought you had to enable them.

So for hits and giggles, I called MS Support about a very similar issue of getting Video Conferencing with Polycom PVX and also a Vonage system working behind ISA. The vendors also told me it wouldn't work. In the end, we created 1 Protocol rule for each port, then in Access Policies, I bound them to the device like I was publishing a server.

Ie: I created 2 protocols for Vonage of let's say 5025 (1 for TCP and 1 for UDP) then I created 2 Server Publishing rules (1TCP 1UDP), selecting the protocols and putting in the IP address of the Vonage box.

(in reply to SanjivR)
Post #: 10
RE: VOIP using SIPS Protocol - 3.Oct.2005 9:47:00 PM   
nrausch

 

Posts: 8
Joined: 17.Feb.2002
From: New York
Status: offline
Hi,

Yes, that's what I'm saying - just the protocol definitions - NO publishing rules.

And it works perfect! [Smile]

Nathan

(in reply to SanjivR)
Post #: 11
RE: VOIP using SIPS Protocol - 5.Oct.2005 2:40:00 PM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Hi there Nathan, Vaiguy.

Thanks for the input on getting the unit to work in ISA. I tried Nathan's technique by disabling the 3rd NIC and the custom rules, however sad to say, no luck [Frown] . Plan to try Vaiguy's method, however am not too hopeful.

My Sipura 2000 is customised by the provider and is locked, i.e., most of the onboard customisation menus are hidden, plus they did tell me that it would not work behind any firewall and should be placed in a DMZ.

Again thanks.

(in reply to SanjivR)
Post #: 12
RE: VOIP using SIPS Protocol - 5.Oct.2005 2:40:00 PM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Hi there Nathan, Vaiguy.

Thanks for the input on getting the unit to work in ISA. I tried Nathan's technique by disabling the 3rd NIC and the custom rules, however sad to say, no luck [Frown] . Plan to try Vaiguy's method, however am not too hopeful.

My Sipura 2000 is customised by the provider and is locked, i.e., most of the onboard customisation menus are hidden, plus they did tell me that it would not work behind any firewall and should be placed in a DMZ.

Again thanks.

(in reply to SanjivR)
Post #: 13
RE: VOIP using SIPS Protocol - 5.Oct.2005 2:42:00 PM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
OOPS, sorry for the double post, working on a not so hot dial-up connection.

(in reply to SanjivR)
Post #: 14
RE: VOIP using SIPS Protocol - 5.Oct.2005 8:31:00 PM   
nrausch

 

Posts: 8
Joined: 17.Feb.2002
From: New York
Status: offline
Hi,

When you take it down to 2 NICs do you have ISA set up to allow "ALL" traffic on the inside interface? (Network Rule - From Local Host to internal subnet) Also, who is your provider? (Mine is voicepulse and their RTP ports are 16384-16482, hence my Protocol Definitions)

Might I add, that I'm also running ISA 2004 Enterprise Edition (although I think that does not matter)

Do you have ISA 2004 at SP1 also?

Thanks,

(in reply to SanjivR)
Post #: 15
RE: VOIP using SIPS Protocol - 6.Oct.2005 7:48:00 AM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Hello Nathan,

I tried Vaiguy's method and then a combination of your suggestion and his, however no luck, again [Frown] .

I am using SBS2K3 which originally came with ISA 2000 and was upgraded to ISA 2004 SP 1 Standard Edition when I installed the SBS2K3 service pack 1. This means that a lot of the rules, access policies were carried forward from the original installation. In my case, not many custom rules, etc.

To answer your question about the "ALL" access, I found the following under Firewall Policy as number 18, "Allow traffic from Internal network to local host" and in Network Rules I found as number 1, "Local Host Access". Both of these seem to do what you mention.

The service provider I am with is On-NetAfrica, so far I have not managed to get them to give me their ports, however 16384-16482 covers them all, I think?

The implementation of ISA 2004 in SBS2K3 is different from the normal as in SBS2K3 all features, e.g., Exchange, IIS, etc., run on the same box, thus security needs are different. Tom has some excellent articles highlighting some of the differences. Some of the configurations in ISA 2004 "normal" edition cannot be effected on ISA 2004 in SBS2K3.

Your input has given me some ideas which I want to try out, though things are running very well in the DMZ, the bonus is that I can now allow "Guests" to use our bandwidth, via the DMZ without having to go through our network [Smile] .

(in reply to SanjivR)
Post #: 16
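One way to find out which ports a provider actually negotiates, instead of asking them, is to read the SIP/SDP messages in a capture and compare them with the protocol definitions from post #9. This is an added example, not part of the original thread; the sample message and its addresses are constructed, and the function name is hypothetical.

```python
import ipaddress
import re

# UDP ranges from the protocol definitions in post #9 of this thread.
SIP_PORTS = range(5060, 5062)      # 5060-5061
RTP_PORTS = range(16384, 16483)    # 16384-16482

# Constructed sample message (not captured from any real device or provider).
SAMPLE = (
    "SIP/2.0 200 OK\r\n"
    "Contact: <sip:1000@172.16.0.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 172.16.0.20\r\n"
    "s=-\r\n"
    "c=IN IP4 172.16.0.20\r\n"
    "t=0 0\r\n"
    "m=audio 16400 RTP/AVP 0 18\r\n"
)


def audit_sip_message(raw):
    """Return the Contact port, (address, port) per audio stream, and mismatches."""
    head, _, body = raw.partition("\r\n\r\n")
    issues, media, session_addr = [], [], None
    m = re.search(r"^Contact:\s*<?sips?:(?:[^@>\s]+@)?[^:;>\s]+(?::(\d+))?",
                  head, re.I | re.M)
    contact_port = int(m.group(1)) if m and m.group(1) else None
    if contact_port is not None and contact_port not in SIP_PORTS:
        issues.append(f"signalling port {contact_port} outside 5060-5061")
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1][0] = addr    # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m=audio "):
            media.append([session_addr, int(line.split()[1])])
    for addr, port in media:
        if port not in RTP_PORTS:
            issues.append(f"RTP port {port} outside 16384-16482")
        if addr and ipaddress.ip_address(addr).is_private:
            # The far end can only reach this if a NAT device or proxy rewrites it.
            issues.append(f"SDP advertises private address {addr}")
    return {"contact_port": contact_port,
            "media": [tuple(x) for x in media], "issues": issues}
```
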
RE: VOIP using SIPS Protocol - 6.Oct.2005 8:27:00 AM   
nrausch

 

Posts: 8
Joined: 17.Feb.2002
From: New York
Status: offline
Hi Stumpted,

Ya, I'm well aware of the differences with SBS. We are a major IT Services company in my city supporting just a boatload of clients. We are constantly maintaining and deploying SBS Servers. I've been working with ISA ever since it was Proxy Server 1.0 (Ughhhhh!). [Smile]

As for your Network rules, you have the "Local Host to Internal" but how about the opposite? (Internal to Local Host). At least make sure that ALL traffic is unobstructed both to/from your ATA Adapter. Also, my ATA is set to DHCP but I have a Static reservation in my DHCP Server for it. (You can set a static IP on the System tab of the ATA Interface also)

Since you performed an upgrade, that could be a whole other host of things that "could be affecting it too". I tried just tons of different configurations until I found one that worked completely with Voice in both directions. (It took a ton of research on my part). Also, did you apply the ISA 2004 SP1 last?

If you have the resources, a good test would be to bring up a Clean 2003 Server with a clean ISA install. And install ISA 2004 SP1 last. If you like, I could always provide you some screenshots of my config also....

(in reply to SanjivR)
Post #: 17
RE: VOIP using SIPS Protocol - 18.Oct.2005 10:35:00 AM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Hi Nathan,

Sorry, did not mean any disrespect regarding the differences in ISA 2004 in SBS 2003 and Windows Server 2003, had not seen the initials after your name [Embarrassed].

Regarding the ISA 2000 to 2004 upgrade, even before the upgrade I had made only 2 rules to allow some traffic for Windows Update and Symantec to get their respective updates. After upgrading to ISA 2004 I have not created any new rules, etc., apart from getting the VOIP unit to work.

One thing I need to mention is that when setting up the DMZ in ISA 2004, I did not use the templates, i.e., the trihomed (three leg). All I did was create the rules using the default 2 NIC template as per the post and all started working.

Doing a clean install is a bit hard as I do not have any spare resources. Also, trying too many combinations is difficult as I am already experimenting on a live system. As you mentioned, I too have been doing a lot of research and that is how I eventually came up with the solution that I have. Surprising that there is so little information on such a topic.

Your offer for screen shots is appreciated as I will get a very good idea of how much different my "upgrade" has been from say a standard ISA 2004 setup in SBS 2003. Maybe I can try and manipulate my setup to a similar one as the screen shots and then try setting up the VOIP unit using your technique.

(in reply to SanjivR)
Post #: 18
RE: VOIP using SIPS Protocol - 22.Oct.2005 7:31:00 PM   
nrausch

 

Posts: 8
Joined: 17.Feb.2002
From: New York
Status: offline
Hi Stumpted,

Hey, I guess I should have re-worded my post a little better. I didn't take any offense to your post. I was just saying "Ya, I'm familiar with the differences". NO offense at all man. My Bad...

Hey, just on another note: I was thinking there may have been a slight possibility it was working because I had Enterprise edition on. But, since then I have re-formatted the box, and put ISA 2004 Standard on. I re-created my packet filters again as before, and voilà, it still works. So there seems to be no difference between the 2 flavors.

I've also upgraded Bandwidth Controller to the Enterprise Edition (and latest version) and now my VOIP service seems to be working better than ever! NO Drops, NO static, NO Echo! Sweet!

Where shall I send you my screenshots?

Thanks,

(in reply to SanjivR)
Post #: 19
RE: VOIP using SIPS Protocol - 26.Oct.2005 2:28:00 PM   
SanjivR

 

Posts: 11
Joined: 23.Aug.2005
Status: offline
Hi Nathan,

For me the voice clarity, etc., was never an issue as from day one the unit functioned beautifully, i.e., it is as if one is talking on a normal landline and not via the internet. All this on a very modest 64Kbps connection [Wink] (Bandwidth is extremely expensive here). I have noted that it uses only about 12 to 16Kbps to provide the clarity.

Please check your Private Messages (PM) where you will find a message with my e-mail address.

Once again, thanks for the offer.

(in reply to SanjivR)
Post #: 20
