Install guide

Software Version 2.9.1
C613-10486-00 REV C
Firewall Enhancements
This Software Version includes the following enhancements to Firewall:
Using Automatic Client Management to Manage SIP Sessions
Setting a Trigger for Automatic Client Management
Limiting Firewall Sessions from a Device
Monitoring Firewall Sessions using SNMP
Dynamic Renumbering of Firewall Rules
This section describes the enhancements. The new and modified commands to
implement them are described in Command Reference Updates.
Using Automatic Client Management to Manage SIP Sessions
This Software Version allows you to configure the SIP ALG to dynamically
manage SIP clients using the new automatic client management mode.
Automatic client management mode allows the SIP ALG to dynamically
manage SIP clients and reserve firewall sessions for registered SIP clients. The
SIP ALG does this by monitoring the messages sent by private SIP clients to
SIP Registrars, and creating sessions that match the registration details. The SIP
ALG also provides NAT when this is configured on the firewall.
For a VoIP phone to send and receive calls, it must register on the wider
network with a SIP Registrar. When a SIP client registers, the SIP Registrar
sends a response back to the SIP client informing the client of the expiry time
limit for the registration. The SIP ALG looks for these messages and records the
expiry time. It then makes sure that the firewall session created is retained until
the registration expires. This means that the client is reachable through the
firewall with the registered IP address and port for the entire duration of the
registration. This is different to normal firewall session behaviour, where
sessions are timed out and deleted if no traffic is seen for a certain time period.
Once registered, a SIP client can send and receive calls through a SIP Proxy
Server. Often the proxy server is on the same device as the SIP Registrar, and
uses the same firewall session created for the SIP Registrar. However, SIP
clients can send and receive calls from proxy servers that are independent from
the SIP Registrar.
When a proxy server is initiating a call to a SIP client, it uses the client’s IP
address and port details listed with the SIP Registrar. If the proxy server is on a
different device from the Registrar, and you have configured the SIP ALG
client management to allow calls from unknown proxy servers, then the SIP
ALG creates a new firewall session for the proxy server. This new session uses
the same global IP and port translation for the client that the firewall has
assigned for the Registrar session. When the client initiates a session with any
independent proxy server, the SIP ALG can also assign to the new session the
same global IP and port that the Registrar session has. This gives the client a
consistent identity on the public network.
Note that a private device may use the same global IP address and port
number to send registration messages for more than one SIP URI. If this occurs,
then the SIP ALG keeps the session open until all the registrations have
expired.
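Added example (not code from the product or its documentation): a Python model of the registration tracking the SIP ALG performs as described above. It extracts the expiry granted in a Registrar's 200 OK (a Contact ';expires=' parameter takes precedence over the Expires header, per RFC 3261), keeps the firewall session for a private IP and port open until every registration behind that translation has expired, and only then falls back to an ordinary idle timeout; the sample message, the 300-second idle timeout and the table layout are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the 200 OK a Registrar returns to a private client's REGISTER.
REGISTER_OK = (
    "SIP/2.0 200 OK\r\n"
    "To: <sip:alice@example.com>;tag=37GkEhwl6\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>;expires=1800\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)
IDLE_TIMEOUT = 300  # assumed ordinary firewall idle timeout, for comparison only

def granted_expiry(msg):
    """Lifetime (seconds) granted by a reply to REGISTER; None if not a 200 OK.
    A Contact ';expires=' parameter wins over the Expires header (RFC 3261 10.2.4)."""
    head = msg.split("\r\n\r\n", 1)[0]
    if not head.startswith("SIP/2.0 200"):
        return None
    m = (re.search(r"^Contact:.*?;expires=(\d+)", head, re.M | re.I)
         or re.search(r"^Expires:\s*(\d+)", head, re.M | re.I))
    return int(m.group(1)) if m else 0

def registered_uri(msg):
    """The SIP URI (address-of-record) being registered, from the To header."""
    m = re.search(r"^To:\s*<?(sip:[^>;\s]+)", msg, re.M | re.I)
    return m.group(1) if m else None

class AlgSessionTable:
    """Per private (ip, port) translation: the registrations the ALG has seen."""
    def __init__(self):
        self.reg = defaultdict(dict)  # (ip, port) -> {uri: absolute expiry time}
        self.last_seen = {}           # (ip, port) -> time of last packet seen

    def observe_reply(self, now, addr, msg):
        """Record a Registrar reply; returns the absolute expiry stored, if any."""
        self.last_seen[addr] = now
        uri, life = registered_uri(msg), granted_expiry(msg)
        if uri is None or not life:   # challenge/error: unchanged; expires=0: drop
            if life == 0:
                self.reg[addr].pop(uri, None)
            return None
        self.reg[addr][uri] = now + life
        return now + life

    def session_retained(self, now, addr):
        """Open while any registration behind this translation is live; else idle timeout decides."""
        if any(t > now for t in self.reg[addr].values()):
            return True
        return now - self.last_seen.get(addr, float("-inf")) < IDLE_TIMEOUT
```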