| Scope | SIP is the most widely used signaling protocol for VoIP traffic; however, there are a few other protocols, for example H.323 (mainly for video) and MGCP (voice gateways), that are responsible for VoIP depending on the phone make and model. In a typical SIP or H.323 installation, administrators are required to configure both the IP PBX and the voice gateway individually. MGCP delivers a deeper integration that allows administrators to configure the gateways from the interface of the IP PBX itself. In this way, an MGCP gateway ceases to function independently and is instead instructed, controlled, and operated by the IP PBX in much the same way that an IP phone is configured and controlled. |
| Solution | By default, FortiGate uses SIP ALG to process SIP-related traffic; however, some SIP providers recommend disabling SIP ALG on the firewall. The way it works is as follows:
- If proxy-based is selected, which is the default mode, then ALG mode supersedes regardless of whether the session helper is configured, and the session helper does nothing.
- If kernel-helper-based is configured, the session helper is what assists the VoIP traffic.
If session helper number 13 is deleted and the mode is not changed to ALG mode (proxy-based), then VoIP traffic relies on the IPv4 policy only: ALG is not configured, and the session helper is not going to kick in either, since number 13 is deleted.
- Proxy-based – default SIP ALG mode.
- Kernel-helper-based – SIP session helper.
If removing entry number 13 for SIP under session helper does not resolve the issue, it is worth trying the below:
    config system session-helper
    show full-config <----- Find the entry number related to MGCP and H.323
    delete X <----- Where X is the number for MGCP and H.323
    end
- External phone registration scenario: If the goal is to register Panasonic phones externally while the phone server is behind the firewall, it is recommended that:
- VIP address objects are to be created with port forwarding for UDP ports: 2727, 9300, and 16000 to 16511 (default RTP stream is 16000 to 16511). For reference on creating a VIP with port forwarding, check the following KB article: Technical Tip: Virtual IP (VIP) port forwarding configuration
- Make sure the VIPs are assigned to an incoming firewall policy where NAT is 'disabled'. The reason is that if NAT is enabled, the Panasonic phone server would try to send its private IP address as the gateway for VoIP calls instead of using the VIP external address in the return traffic.
|
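The mode rules described above, as an added example that is not part of the original article and not Fortinet code: a Python check that reads saved FortiGate configuration text, lists the VoIP session-helper entries with their entry numbers, and reports which mechanism will process SIP. The setting name `default-voip-alg-mode` does not appear on this page and is assumed here, and the sample configuration is constructed with made-up entry numbers.

```python
import re

# Constructed sample (not from a real device); SIP entry 13 is already deleted.
SAMPLE_CONFIG = """\
config system settings
    set default-voip-alg-mode kernel-helper-based
end
config system session-helper
    edit 7
        set name h323
        set port 1720
    next
    edit 9
        set name mgcp
        set port 2727
    next
end
"""
VOIP_HELPERS = {"sip", "h323", "mgcp"}

def parse_session_helpers(config_text):
    """Return {entry_number: helper_name} from 'config system session-helper'."""
    helpers, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system session-helper":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and (m := re.fullmatch(r"edit (\d+)", line)):
            current = int(m.group(1))
        elif in_block and current is not None and (
                m := re.fullmatch(r'set name "?([\w-]+)"?', line)):
            helpers[current] = m.group(1)
    return helpers

def voip_helper_entries(config_text):
    """Entry numbers an admin would pass to 'delete X' for VoIP helpers."""
    return {n: name for n, name in parse_session_helpers(config_text).items()
            if name in VOIP_HELPERS}

def sip_handling(config_text):
    """Which mechanism processes SIP, following the rules in the article."""
    m = re.search(r"^\s*set default-voip-alg-mode (\S+)", config_text, re.M)
    mode = m.group(1) if m else "proxy-based"  # proxy-based is the default
    if mode == "proxy-based":
        return "sip-alg"  # ALG supersedes any session helper
    has_sip = "sip" in parse_session_helpers(config_text).values()
    return "session-helper" if has_sip else "policy-only"
```

For the constructed sample, `sip_handling` returns `policy-only`, which is the state the article describes when entry 13 is deleted while the mode is left on kernel-helper-based.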