snom 4S NAT Filter Admin Manual
snom 4S NAT Filter Version 2.11
snom 4S NAT Filter Version 2.11 © 2004-2005 snom technology Aktiengesellschaft. All Rights Reserved. This document is supplied by snom technology AG for information purposes only to licensed users of the snom 4S NAT filter and is supplied on an “AS IS” basis, that is, without any warranties whatsoever, express or implied. Information in this document is subject to change without notice and does not represent any commitment on the part of snom technology AG.
Table of Contents

1 Overview
  1.1 Applications
2 Architecture
  2.1 The NAT Filter and SIP
  2.2.1 How does NAT work?
  2.3 SBC Behaviour
  2.6 Requirements on User Agents
  2.6.1 Non NAT-Aware User Agents
3 Installation
  3.1 Windows
  3.2 Linux
4 Configuration
  4.2 Port Binding
  4.3 System Settings
  4.3.1 Logging
  Media Ports
  Port Budgets
  4.3.9 Challenging
  Codec Control
  4.4 Timeout Settings
  4.4.1 Register Timeouts
  4.4.2 Call Timeouts
  4.6 Outbound Proxy List
  4.9 Trace
  4.10 Call History
  4.11 Current Ports
  4.12 Currently Handled UA
5 Web Server Integration
  5.1 Interface to the Web Server
  5.3 Registration
6 SNMP
7 Checklist for Installation
Reader's Feedback
1 Overview

Network address translation (NAT) is a reality today. There has been much discussion about the good and the evil of this network topology and about its replacement by IP version 6. However, operators and businesses want to offer VoIP services today and therefore must address the problem. The snom 4S NAT Filter is a SIP session border controller (SBC). It enables devices that are not NAT-aware to operate in private networks. It also allows the data center itself to be operated in a private network.
1.1 Applications

The filter can be used in the following scenarios:
• Corporations. Corporations that operate their infrastructure behind NAT and/or firewalls can talk to the public Internet through the filter.
• Operators. Operators offer NAT traversal as a feature to their customers. Using the scalability features of the filter, the operation of large networks becomes possible.
• Record specific calls for legal purposes.
• Both http and https as web interface, for simple access from anywhere on the Internet.
• The filter supports Interactive Connectivity Establishment (ICE). User agents that support this feature will optimize the media path for the shortest possible delay.
• Media relay is established using connection-oriented media. User agents that are not NAT-aware inherently support this feature, which makes the operation of the NAT filter backward-compatible.
• Call-alive polling.
The first exception is a REGISTER request. When a user agent tries to register and needs the support of the filter, the filter sets up a local data structure representing the user agent. It makes sure that the connection to the user agent stays alive, and that requests destined to the user agent are forwarded properly.
• The second exception is an SDP attachment.
2 Architecture

2.1 The NAT Filter and SIP

In the SIP architecture, the SBC acts as the first proxy that is contacted by user agents. There are two ways to make sure that the relevant traffic gets routed through the filter:
• User agents can be set up to use the filter as outbound proxy. With this method, all SIP traffic flows through the SBC, whether it is destined for the operator or not. That means that calls outside the operator's domain may also be serviced by the SBC.
2.2.1 How does NAT work?

The translation table is set up implicitly when a packet is sent from the private network to the public network. The association is kept alive for a certain time and is refreshed every time a new packet is sent from the same origin. STUN (RFC 3489) uses this fact to discover the public address and port that the NAT has associated with a private address and port. In symmetric NAT, the router also stores the destination address to which the packet was sent, and the association is valid only for packets coming back from that destination; the mapping a STUN server reports is then of no use for reaching the user agent from any other host.
In SIP it is legal to send from a different port than the one on which responses are received. When a device does this behind NAT, the response arrives at the NAT for a port that has no binding, so there is no way of supporting such devices behind NAT. However, some phones offer an option that disables this behaviour so that the sending port is the same as the receiving port. Typically, the SIP proxy will run on a public IP address where it is possible to deal with all kinds of NAT.
...devices that have been designed without NAT in mind. These devices can register only for a short period of time, so that the REGISTER messages keep the port association open (the SIP messages themselves are used to keep the port association alive). Also, these devices need a NAT-aware media server or another device that forwards their RTP packets.
• Symmetric NAT devices.
When the NAT Filter sees a message that contains information about sending media (a session description protocol, SDP, body), it opens a local, globally routable port on behalf of the user agent and patches the message so that the destination sends its media to this port. The NAT Filter then relays the media to the user agent in the same way that it relays SIP messages.
2.3 SBC Behaviour

When a user agent registers, it puts its IP address in the top Via. If the user agent is on the public Internet or properly supports NAT, this Via will match the perceived IP address, i.e. the source address of the packet as the SBC sees it. In this case the SBC does not interfere with the registration and just forwards the packet to the registrar. If the top Via does not contain the perceived address, the SBC will take care of the request.
    ...0637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440
    Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bKabx3au3mxb01;rport=17401
    From: ;tag=k9p6fmeg7h
    To: ;tag=epuy85kzm5
    Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
    CSeq: 14 REGISTER
    Contact: ;expires=3600;gruu="sip:denny@snomag.de;gruu=hobiv52b"
    Date: Wed, 26 May 2004 16:03:33 GMT
    Content-Length: 0
    SIP/2.

In this example the sent-by port in the Via (12975) differs from the port the packet actually arrived from (rport=17401): the NAT rewrote the source port, so responses have to be sent to the recorded rport, not to the port the phone wrote into the Via.
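The check described in 2.3, as an added example (this is not the filter's own code and not from the manual): compare the top Via's sent-by host and port against the address the datagram really came from, and, if they differ, record the perceived source as received= and rport= (RFC 3581) so responses can be routed back through the NAT binding. The REGISTER and the addresses in it are constructed for the example.

```python
import re

# Constructed REGISTER as it arrives at the SBC from the NAT's public side.
# The phone wrote its private address into the top Via; the datagram itself
# came from 203.0.113.7:17401 (example values, not a capture from the manual).
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>;expires=3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Matches the first Via (long or compact "v" form) at the start of a line.
VIA_RE = re.compile(
    r"^(?:Via|v):\s*SIP/2\.0/(?P<transport>[A-Za-z]+)\s+"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:;,]+)(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;\r\n,]*)*)",
    re.MULTILINE,
)


def parse_top_via(msg):
    """Return transport, sent-by host/port and parameters of the top Via."""
    m = VIA_RE.search(msg)
    if m is None:
        raise ValueError("message has no Via header")
    return {
        "transport": m.group("transport").upper(),
        "host": m.group("host"),
        "port": int(m.group("port") or 5060),   # RFC 3261 default for UDP/TCP
        "params": m.group("params"),
        "span": m.span(),
    }


def needs_sbc_handling(msg, perceived):
    """True when the top Via sent-by differs from the (ip, port) the datagram
    came from, i.e. the user agent is behind NAT and the SBC must take over."""
    via = parse_top_via(msg)
    return (via["host"], via["port"]) != perceived


def patch_top_via(msg, perceived):
    """Record the perceived source as received= and rport= (RFC 3581) so that
    responses are sent back through the NAT binding instead of to the Via."""
    via = parse_top_via(msg)
    host, port = perceived
    params = re.sub(r";received=[^;]*", "", via["params"])
    params = re.sub(r";rport(?:=[^;]*)?(?=;|$)", "", params)
    new_via = (f"Via: SIP/2.0/{via['transport']} {via['host']}:{via['port']}"
               f"{params};received={host};rport={port}")
    start, end = via["span"]
    return msg[:start] + new_via + msg[end:]
```

A user agent on the public Internet (or one that already fixed its Via with STUN) passes the first check and is forwarded untouched; only the mismatching case gets the filter's data structure and the patched Via.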
The media filter supports the Interactive Connectivity Establishment (ICE) method that has been published recently by the IETF. Using this method, user agents may probe several addresses and decide which address they use for communication. In this case, the SBC just adds its own address as another candidate to the ICE list. Table 1 shows the cases in which the SBC needs to interfere when STUN and ICE support are available in the user agents.
    a=rtpmap:0 pcmu/8000
    a=rtpmap:8 pcma/8000
    a=rtpmap:3 gsm/8000
    a=rtpmap:18 g729/8000
    a=rtpmap:2 g726-32/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=sendrecv
    a=silenceSupp:off - - - -

The NAT Filter changes the private address to a globally routable address and inserts the local port. It also inserts a hint (the a=silenceSupp:off attribute shown above) that tells the other user agent not to do silence suppression.
The distribution of user agents to servers is performed using DNS SRV (RFC 2782). This means that you need to list the available servers at DNS level; the user agents must perform DNS SRV lookups and pick one of the servers (possibly using the detection algorithms described below). The following table shows an example configuration for Linux named(8):

    _sip._udp ...
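How a user agent picks one of the listed servers is defined by RFC 2782, and it is worth seeing what the priority and weight columns of those SRV records actually do before writing them. The following is an added example (not from the manual, and not snom's code) of the RFC 2782 selection order, run over a constructed record set for an imaginary _sip._udp.example.com: two NAT Filters share the load 60/40, a third is used only when both are unreachable.

```python
import random
from collections import Counter, namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed records: two front-line filters at priority 10, a backup at 20.
SAMPLE_SRV = [
    SRV(10, 60, 5060, "natf1.example.com"),
    SRV(10, 40, 5060, "natf2.example.com"),
    SRV(20, 0, 5060, "natf-backup.example.com"),
]


def order_srv(records, rng=random.random):
    """Order SRV records as RFC 2782 tells a client to try them: lowest
    priority value first; within one priority a weighted random draw, with
    weight-0 records placed first so they are picked only when the draw is 0."""
    remaining = list(records)
    ordered = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        group = [r for r in remaining if r.priority == lowest]
        while group:
            group.sort(key=lambda r: r.weight != 0)   # zero-weight entries first
            total = sum(r.weight for r in group)
            draw = rng() * total
            running = 0
            for r in group:
                running += r.weight
                if running >= draw:
                    break
            ordered.append(r)
            group.remove(r)
            remaining.remove(r)
    return ordered


def first_choice_share(records, draws, seed=7):
    """Fraction of lookups in which each target is tried first."""
    rng = random.Random(seed).random
    counts = Counter(order_srv(records, rng)[0].target for _ in range(draws))
    return {target: n / draws for target, n in counts.items()}
```

The backup never appears as a first choice however the draw goes; it is only tried after both priority-10 filters failed, which is the behaviour you want for a redundant SBC farm.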
The snom 4S NAT Filter includes a STUN server that operates on the SIP UDP port. User agents should send their STUN test packets to the SIP port.

2.6 Requirements on User Agents

Generally, there are two categories of user agents: the non NAT-aware user agents and the STUN/ICE capable user agents.

2.6.1 Non NAT-Aware User Agents

Non-NAT-aware user agents must have at least the following features:
1.
There are a couple of timeout-related settings that terminate a call when certain events fire (see below). However, when prepaid cards are used, operators want to limit the call duration to a certain time. The SBC has a mechanism to terminate calls regardless of those events. It does not only send BYE messages to both sides of the call, it also cuts the media relay, which in practice is the measure that matters in most cases when the call is terminated via the PSTN.
3 Installation

If you want to install the product yourself, this chapter provides the necessary information.

3.1 Windows

The Windows version of the NAT Filter comes with an InstallShield application that should make the installation very simple. Before you start the installation, make sure that the necessary ports are available on your machine. Use the netstat command to check which ports are in use on that machine. You can change the ports later; however, you should at least make sure that you can reach the administration web interface of the NAT Filter on an open port. Also, make sure that you have the administrator rights necessary to run Windows services. To start the installation, double-click the installation executable. You will see the Welcome screen of the installation dialog.
If you agree to the license agreement, the next screen asks you to enter the license code and to select the ports of the NAT Filter. You receive the license code from the company where you bought the product. Make sure that the code is entered correctly (copy and paste it). If you don't have a license key, the NAT Filter automatically generates a trial license key for a limited period of time.
...forget the port number, you need to look it up later using the netstat command. After entering the license information and the port numbers, the InstallShield program asks for the installation directory. Typically it proposes a reasonable directory; you may change it using the Change button in this installation dialog. After you have entered the necessary information, the last dialog asks you to start the installation.
...may manually start the application using the services manager. The last InstallShield dialog offers the option to start the NAT Filter; if you choose it, you do not have to go to the services manager. To see the NAT Filter service, go to the Control Panel, select "Administrative Tools" and double-click "Services". You will see the list of services, including the snom 4S NAT Filter.
3.2 Linux

After you have downloaded the RPM from our web site, you can either install it via the graphical administration frontend of your Linux distribution or use the command line interface (CLI). For the graphical installation, consult the documentation of your Linux distribution for details on how to install third-party software. If you use the CLI you need to be root to install the software. Change to the directory where you saved the RPM after downloading. If this is the first installation of the snom 4S proxy on this host from an RPM package, use the following command to install the software:

    rpm -ihv snomnatf-2.10.*.rpm

To upgrade an existing installation, use:

    rpm -Uhv snomnatf-2.10.*.rpm

The output of both commands just shows some hashes (#) and then returns to the command prompt without any message if no error occurred.
4 Configuration

First of all, you need to log in to the server (see figure 2). The default login name is "admin" and no password is set; change this before the server is reachable from anywhere but your own machine, if it has not already been done for you. The login creates a session that times out after a certain time (by default, one hour).

4.2 Port Binding

You need to tell the server on which ports it should listen.
For http and https, you need to know the port numbers when you want to log in. We recommend not using the standard ports: operating a server on the public Internet usually attracts a lot of denial of service attacks on the standard ports. Moving the web interface to other ports only reduces that noise; it is not a substitute for setting an admin password and restricting access to the web ports with a firewall. For SIP, you must decide whether you want to run the server on the standard port or on a random port.
4.3 System Settings

4.3.1 Logging

The Log Level defines the granularity with which messages are written to the log. ...messages are written; a log level of 9 means that all possible log messages are written. If the Log Filename is set, all log messages are also written to the indicated file. If the file name contains a dollar character, the dollar is replaced with the current date, so the NAT Filter writes one log file per day.
...NAT Filter. Because the NAT Filter itself can be operated in a server farm, you can set up a completely redundant server setup. See also the list of explicit outbound proxies.

The Media Port Begin and Media Port End settings define the range of ports used for media relaying. Be sure to allocate enough ports for the number of calls that you wish to route through the NAT Filter. This is a setting you may have to coordinate with your firewall.
The Hide Routing flag replaces route sets with a unique route index when requests or responses are sent to a registered user agent. Via headers are also replaced with a single Via header. This feature has several advantages. First of all, it reduces the packet size significantly, especially when your core network uses several proxies or loops requests through the proxy several times.
4.3.9 Challenging

Challenging inside a dialog may be problematic when the call destination does not have any credentials for the system. In that case it may, for example, not be able to disconnect a call (the BYE gets challenged). Therefore, the SBC can omit the challenge if the setting Challenge Inside Dialog is set to off. Be aware of the trade-off: with the setting off, in-dialog requests such as BYE are accepted on the strength of the dialog identifiers (Call-ID and tags) alone. Challenging every request may cause almost double the packet traffic on the SBC for registrations.
If you set this variable, the NAT filter attempts to compress the message until it fits into the size. By default, it uses the short header names (e.g. "l" instead of "Content-Length"). If this is not enough, it starts to remove headers. These headers are: "User-Agent", "Accept-Language", "P-Key-Flags", "Allow", and "Allow-Events". If the packet is still too big, it stops compressing the packet and sends it as it is.
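The strategy described above, as an added example (this is not the filter's implementation and not from the manual): first rewrite header names to the compact forms defined in RFC 3261, then drop the listed headers one at a time until the message fits, and give up if it still does not. The strip list is a parameter, so an operator can add headers such as P-Asserted-Identity to it for privacy rather than size; the INVITE used as input is constructed for the example.

```python
# Compact header forms defined in RFC 3261, section 7.3.3.
COMPACT = {
    "call-id": "i", "contact": "m", "content-encoding": "e",
    "content-length": "l", "content-type": "c", "from": "f",
    "subject": "s", "supported": "k", "to": "t", "via": "v",
}

# Headers the manual says the filter drops when short names are not enough.
DEFAULT_STRIP = ["User-Agent", "Accept-Language", "P-Key-Flags", "Allow", "Allow-Events"]

# Constructed INVITE with the optional headers a phone typically adds.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK74bf9;rport\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=9fxced76sl\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: 3848276298220188511@203.0.113.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@203.0.113.7:5060>\r\n"
    "P-Asserted-Identity: <sip:alice@example.com>\r\n"
    "User-Agent: ExamplePhone/1.0\r\n"
    "Accept-Language: en\r\n"
    "Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, REFER, SUBSCRIBE, NOTIFY\r\n"
    "Allow-Events: talk, hold, refer\r\n"
    "Supported: replaces\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 10\r\n"
    "\r\n"
    "v=0\r\no=-\r\n"
)


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    start_line, *headers = head.split("\r\n")
    return start_line, headers, body


def join_message(start_line, headers, body):
    return "\r\n".join([start_line, *headers]) + "\r\n\r\n" + body


def header_name(line):
    return line.partition(":")[0].strip().lower()


def compact_headers(headers):
    """Rewrite header names to their compact form where one exists."""
    out = []
    for line in headers:
        name, _, value = line.partition(":")
        short = COMPACT.get(name.strip().lower())
        out.append(f"{short}:{value}" if short else line)
    return out


def shrink(msg, max_size, strip=DEFAULT_STRIP):
    """Short names first, then drop headers from `strip` one by one, and send
    the best effort as is when it still does not fit. Returns (message, steps)."""
    if len(msg) <= max_size:
        return msg, []
    start_line, headers, body = split_message(msg)
    headers = compact_headers(headers)
    steps = ["compact names"]
    msg = join_message(start_line, headers, body)
    for name in strip:
        if len(msg) <= max_size:
            break
        kept = [h for h in headers if header_name(h) != name.lower()]
        if len(kept) != len(headers):
            headers = kept
            msg = join_message(start_line, headers, body)
            steps.append("drop " + name)
    if len(msg) > max_size:
        steps.append("still too big, sent as is")
    return msg, steps
```

Note that the compact forms are part of the standard, so any compliant peer accepts them; dropping Allow or Supported, on the other hand, removes information the far end may use to decide on features such as REFER, which is why the filter only does it as a last resort.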
...packet. This setting does not only help you make the packets shorter; it can also help you keep some parts of the SIP message secret. For example, you might want to remove P-Asserted-Identity headers from all SIP messages, because you don't want others to see which identities you have already checked.

Codec Control

In many environments, you want to exclude codecs from being used, even though both communication partners could agree on them.
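The SDP patching described in chapter 2 (private address and port replaced by the filter's relay port, silence suppression hint added) and the codec exclusion described here work on the same body, so the following added example does both in one pass. It is not the filter's code and not from the manual; the offer is constructed after the attribute list shown in chapter 2, and rewriting the o= line as well as c= is this example's choice (the manual names only the address and the media port).

```python
import re

# Codec names of the static payload types used below (RFC 3551); a dynamic
# payload type gets its name from its a=rtpmap line.
STATIC_PT = {"0": "pcmu", "8": "pcma", "3": "gsm", "9": "g722", "18": "g729"}

# Constructed offer as a phone behind NAT would send it: private address,
# the codec list from chapter 2, no silence suppression hint yet.
PRIVATE_SDP = (
    "v=0\r\n"
    "o=phone 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 62000 RTP/AVP 0 8 3 18 2 101\r\n"
    "a=rtpmap:0 pcmu/8000\r\n"
    "a=rtpmap:8 pcma/8000\r\n"
    "a=rtpmap:3 gsm/8000\r\n"
    "a=rtpmap:18 g729/8000\r\n"
    "a=rtpmap:2 g726-32/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "a=fmtp:101 0-15\r\n"
    "a=sendrecv\r\n"
)


def payload_names(lines):
    """Map payload type -> codec name, static table overridden by a=rtpmap."""
    names = dict(STATIC_PT)
    for line in lines:
        m = re.match(r"a=rtpmap:(\d+)\s+([^/\s]+)/", line)
        if m:
            names[m.group(1)] = m.group(2).lower()
    return names


def relay_sdp(sdp, relay_ip, relay_port, exclude=()):
    """Point the SDP at the filter's globally routable relay address and port,
    drop the codecs named in `exclude`, and add the silence suppression hint."""
    lines = [l for l in sdp.split("\r\n") if l]
    banned_names = {name.lower() for name in exclude}
    banned = {pt for pt, name in payload_names(lines).items() if name in banned_names}
    out = []
    for line in lines:
        if line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {relay_ip}"
        elif line.startswith("o="):
            # The origin line carries the private address too; hide it as well.
            fields = line.split(" ")
            fields[-1] = relay_ip
            line = " ".join(fields)
        elif line.startswith("m="):
            fields = line.split(" ")
            payloads = [pt for pt in fields[3:] if pt not in banned]
            if not payloads:
                raise ValueError("codec control left no usable codec in " + line)
            line = " ".join([fields[0], str(relay_port), fields[2], *payloads])
        elif line.startswith(("a=rtpmap:", "a=fmtp:")):
            pt = line.split(":", 1)[1].split(" ", 1)[0]
            if pt in banned:
                continue   # attribute of an excluded codec
        out.append(line)
    if not any(l.startswith("a=silenceSupp:") for l in out):
        out.append("a=silenceSupp:off - - - -")
    return "\r\n".join(out) + "\r\n"
```

Excluding a codec means removing its payload type from the m= line and its rtpmap/fmtp attributes together; leaving one of them behind produces an offer the far end may reject. The ValueError for an empty codec list is the edge case to watch when the exclusion list grows.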
4.4 Timeout Settings

In contrast to previous versions, the time-related settings have been summarized on this new management web page. The filter differentiates between registration-related settings and call-related settings.

4.4.1 Register Timeouts

The Refresh Interval for the UA is the number of seconds between NAT refreshes sent by the NAT Filter. The NAT Filter keeps track of registered user agents and keeps their NAT port bindings alive with these packets.
4.4.2 Call Timeouts

...Even more unfortunate, there is no way this problem can be addressed. Therefore, the filter uses several mechanisms to check whether the call is still alive. The first is to send OPTIONS requests directly to the user agents connected to the filter. The OPTIONS are sent outside of the dialog, because sending them inside the dialog would cause a sequence numbering problem: the filter's requests would compete with the user agents' own in-dialog CSeq numbering.
...is not answered after a certain timeout, the filter assumes that the call is over and will not start again. The setting Timeout for Unestablished Calls addresses this problem. Keep in mind that a ringing phone also falls into this category; therefore you should pick a value significantly higher than sixty seconds for this setting. On the other hand, every call attempt stays in memory until this time is over, so do not make it excessively large either.
To restrict the login, you should set a username ("admin" is the default) and a password. You need to enter the password twice, so that typing mistakes do not lock you out of your NAT Filter. The Session Timeout is the number of seconds after which the NAT Filter web server deletes the session; if you access the web server after this time, you need to log on again. If you change the password during a session, you do not have to enter the new password for the existing session.
4.6 Outbound Proxy List

In addition to the previously mentioned outbound proxy, you may specify a number of dedicated outbound proxies. This feature is typically used in the following scenarios:

Integration of a PSTN gateway. If you set the outbound proxy of the PSTN gateway to the filter, the gateway can easily direct all requests to the proxy. However, when the proxy wants to route a call back through the filter, the filter must know that the request has to be routed to the PSTN gateway.

The algorithm for finding the outbound proxy is simple. The filter first goes through the list of outbound proxies and tries to match the hostname in the request-URI of the request against the configured Domain. If it does not find a match, it takes the outbound proxy from the general settings (if one is provided). If it does find a match, it replaces the hostname part of the request-URI with the Replacement and then sends the request to the matching Outbound Proxy.
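The lookup described above, as an added example (not the filter's own code and not from the manual): each row of the list is a Domain to match, the Replacement for the request-URI host, and the Outbound Proxy to send to; the rows, hostnames and addresses below are constructed for the example.

```python
import re
from collections import namedtuple

# One row of the Outbound Proxy List: Domain, Replacement, Outbound Proxy.
Rule = namedtuple("Rule", "domain replacement outbound_proxy")

# Constructed list: requests the core proxy addresses to pstn.example.com go
# to the PSTN gateway with the host rewritten; a second domain keeps its host
# but gets its own next hop. All names and addresses are example values.
RULES = [
    Rule("pstn.example.com", "gw1.example.com", "192.0.2.10:5060"),
    Rule("branch.example.com", "branch.example.com", "sbc-branch.example.com:5060"),
]
GENERAL_OUTBOUND_PROXY = "proxy.example.com:5060"

# scheme, optional user@, host (or bracketed IPv6), then port/params/headers.
URI_RE = re.compile(
    r"^(?P<scheme>sips?):(?P<user>[^@\s]+@)?"
    r"(?P<host>\[[^\]]+\]|[^:;?\s]+)(?P<rest>.*)$"
)


def request_uri(msg):
    return msg.split("\r\n", 1)[0].split(" ")[1]


def route(msg, rules=RULES, general=GENERAL_OUTBOUND_PROXY):
    """Pick the next hop for a request and rewrite its request-URI.
    Returns (next_hop, message); next_hop None means no outbound proxy applies
    and the request is routed by its request-URI."""
    uri = request_uri(msg)
    m = URI_RE.match(uri)
    if not m:
        raise ValueError("unparseable request-URI: " + uri)
    host = m.group("host")
    for rule in rules:
        if host.lower() == rule.domain.lower():   # hostnames compare case-insensitively
            new_uri = (f"{m.group('scheme')}:{m.group('user') or ''}"
                       f"{rule.replacement}{m.group('rest')}")
            first, sep, tail = msg.partition("\r\n")
            return rule.outbound_proxy, first.replace(uri, new_uri, 1) + sep + tail
    return general, msg
```

Because the match key is the request-URI host, which the sender of the request controls, keep the Replacement and Outbound Proxy entries to hosts you intend to be reachable this way; a row that points at an internal host makes that host addressable by anyone who can put its Domain into a request-URI.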
4.9 Trace

The NAT Filter keeps a list of the most recent trace entries in memory. You may view this list by selecting the trace link. The handling of the page is similar to that of the log page. Each line contains an abstract of the received or sent packet. The Time column shows when the packet was sent or received.
The Source/Destination column indicates the IP address from which the packet was received or to which it was sent. The Header column contains the abstract; by clicking on the header link, you can see the complete packet.

4.10 Call History

The call history should help you understand what is going on in your system. It is not intended as an AAA feature. The call history lists the last 32 calls. Each entry lists the To and From header (only the URI part).
...was terminated because the maximum session time was reached. This time is indicated by the P-Session-Timeout header.

4.11 Current Ports

It is important to see which calls are active on the filter. The Current Ports web page lists the calls for which the filter relays media. The From and To fields show which participants are involved in this media relay. The Start column shows when the port was created.
4.12 Currently Handled UA

User agents may have more than one entry. In that case, they might have dangling registrations on the registrar; this typically happens when the Call-ID is changed during a re-registration. From the NAT Filter's point of view, this is no reason for concern. It is fine for user agents to show up several times; this typically indicates that the user agent tried to register several times, possibly on different proxies or after rebooting.
5 Web Server Integration

The SBC can use a web server as application server. This way you can use PHP, ASP or anything you like to implement the logic for your SIP traffic. For example, if you want to redirect a call to a specific gateway, you can do this easily on the web server. The SBC just uses the results that come back from the web server for the further processing of the SIP request.

The SBC divides the interface to the application server into three areas:
• Authentication.
5.1 Interface to the Web Server

The interface to the web server is built on http. The communication is a request/response protocol: the SBC requests information from the application server, and the application server answers. The reverse communication direction is neither possible nor necessary. All requests are formulated as GET requests and the parameters are URL-encoded. A typical request has the form:

    GET /post.htm?action=register&from=123@test.com HTTP/1.
• If the packet was already authenticated or internally generated, the further processing of the packet can start.
• If the request is a REGISTER request and the registration is still valid, the packet is forwarded to the further processing. This behaviour can be disabled with the "Challenge Refresh Registrations" setting.
• If the packet belongs to an existing call and is not the initial INVITE, the packet is forwarded to the further processing.
...correctly. The web requests that the SBC sends to the application server have the following parameters:
• The parameter "action" is set to "auth". By looking at this parameter, the application server can easily find out that it should do a password lookup.
• The parameter "from" contains the user/host pair. It has the format user@host; no scheme and no parameters are included in this parameter.
The authentication cache is written with every web response.
...is authenticated.
• If realm, username and password are set, the request is processed regularly.

5.3 Registration

If the "Http URL for registration" setting is set in the system settings and a REGISTER request does not refresh an existing binding, the SBC sends a request to the application server with the following parameters:
• The parameter "action" is set to "register".
• The parameter "explanation" contains the explanatory text that is added after the code in the SIP response. Typical values are "Ok" or "Not Found".
• The parameter "contact" contains the contact that should be returned in the registration response. This parameter includes the expiry time that this contact will have. Typical values look like ";expires=3600".
• The parameter "to_ua" is set to "true" if the SBC believes that the call will go to a client endpoint. Note that this may change during the processing of the request.
• The parameter "from" contains the value of the From header as it should look. The SBC changes the From header accordingly, but leaves the parameters of the From header unchanged (for example, the tag). You may include the display name and the URI as you like.
...ter, the From header is set to the value that you pass here. Note that requests may loop through several SBCs. This typically happens in data centres that use an SBC server farm. In this environment, the application server must be able to handle several call initiation requests for the same call, as the SBCs do not exchange information about web requests. A simple implementation just returns an empty response.
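An application server for the three areas (authentication, registration, call) as an added example; this is not snom's code and not from the manual. It parses the GET request line the SBC sends and answers from a constructed subscriber table. Several things the extract of the manual does not show are assumptions of this example: the action value "call" for call initiation requests, a "code" parameter carrying the SIP response code next to "explanation", the user part of user@host as the digest username, and URL-encoded key=value pairs as the reply format. Because the auth reply carries the password in clear, such a server must only be reachable by the SBC, over https or a private network.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed subscriber table; a real deployment queries its own database.
USERS = {
    "123@test.com": {"realm": "test.com", "password": "correct horse", "display": "Extension 123"},
    "124@test.com": {"realm": "test.com", "password": "battery staple", "display": "Extension 124"},
}


def parse_sbc_request(request_line):
    """Turn 'GET /post.htm?action=...&from=... HTTP/1.x' into a dict."""
    method, target, _version = request_line.split(" ")
    if method != "GET":
        raise ValueError("the SBC only sends GET requests")
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def handle(params):
    """Dispatch on the action parameter. Stateless on purpose: in an SBC farm
    several SBCs may ask about the same call and must all get the same answer."""
    action = params.get("action")
    user = params.get("from", "")
    entry = USERS.get(user)
    if action == "auth":
        # Password lookup for user@host. An unknown user gets an empty reply,
        # so the SBC has no credentials to authenticate the request against.
        if entry is None:
            return {}
        return {"realm": entry["realm"], "username": user.split("@")[0],
                "password": entry["password"]}
    if action == "register":
        # "code" is this example's name for the SIP response code (assumption).
        if entry is None:
            return {"code": "404", "explanation": "Not Found"}
        return {"code": "200", "explanation": "Ok", "contact": ";expires=3600"}
    if action == "call":
        # Give the caller a clean From header; the SBC keeps the tag parameter.
        # "to_ua" is parsed here only to show it arrives; it is not used.
        if entry is None:
            return {}
        return {"from": f'"{entry["display"]}" <sip:{user}>'}
    return {}


def encode_reply(reply):
    """Serialise the reply as URL-encoded key=value pairs (assumed format)."""
    return urlencode(reply)
```

The empty reply for unknown actions is the "simple implementation" the manual mentions for call initiation: it tells the SBC to carry on without changes.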
• "BYE" means that the call was terminated by a regular BYE message.
• "No 200 Ok" is used when the call did not establish (4xx code or other final error codes).
• "OPTIONS" is used when the call was terminated because there was no response to an OPTIONS refresh request from the SBC.
• "media timeout" indicates that the call was terminated because the SBC detected that the media flow was disrupted.
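The call supervision of section 4.4.2 (OPTIONS polling outside the dialog, the media timeout, the timeout for unestablished calls and the maximum session time) produces exactly the reason strings listed above. The following added example ties the two together; it is not the filter's code and not from the manual. It works on caller-supplied times instead of a wall clock so the timing can be checked deterministically; the timeout values are illustrative, and the reasons used for a never-answered call ("No 200 Ok") and for the maximum session time ("max session time") are this example's choices, since the extract does not name them.

```python
class CallWatch:
    """Tracks one relayed call and decides when the filter must tear it down.
    All times are seconds from the same monotonic clock."""

    def __init__(self, started, unestablished_timeout=180, options_interval=30,
                 options_timeout=10, media_timeout=60, max_duration=None):
        self.started = started
        self.unestablished_timeout = unestablished_timeout
        self.options_interval = options_interval
        self.options_timeout = options_timeout
        self.media_timeout = media_timeout
        self.max_duration = max_duration
        self.established = None
        self.last_media = None
        self.last_options_ok = None
        self.options_sent = None   # time of the outstanding OPTIONS poll, if any
        self.ended = None          # reason string once the call is over

    # Events fed in by the SIP and media relay code paths.
    def on_answered(self, now):          # 200 Ok to the INVITE
        self.established = now
        self.last_media = now
        self.last_options_ok = now

    def on_final_error(self, now):       # 4xx/5xx/6xx to the INVITE
        self.ended = "No 200 Ok"

    def on_media(self, now):             # an RTP packet was relayed
        self.last_media = now

    def on_options_response(self, now):  # the polled user agent answered
        self.options_sent = None
        self.last_options_ok = now

    def on_bye(self, now):
        self.ended = "BYE"

    def tick(self, now):
        """Called periodically. Returns None, ("send OPTIONS", None) or
        ("terminate", reason). Terminate means: BYE to both legs and release
        the relayed media ports, as chapter 2 describes."""
        if self.ended:
            return None
        if self.established is None:
            # A ringing phone is also "unestablished": keep this timeout well above 60 s.
            if now - self.started > self.unestablished_timeout:
                self.ended = "No 200 Ok"   # reason for a never-answered call (this example's choice)
                return ("terminate", self.ended)
            return None
        if self.max_duration is not None and now - self.established >= self.max_duration:
            self.ended = "max session time"   # name assumed, see lead-in
            return ("terminate", self.ended)
        if now - self.last_media > self.media_timeout:
            self.ended = "media timeout"
            return ("terminate", self.ended)
        if self.options_sent is not None:
            if now - self.options_sent > self.options_timeout:
                self.ended = "OPTIONS"
                return ("terminate", self.ended)
            return None               # poll still outstanding
        if now - self.last_options_ok >= self.options_interval:
            self.options_sent = now   # OPTIONS goes out outside the dialog
            return ("send OPTIONS", None)
        return None
```

The order of the checks matters: the prepaid maximum is enforced before any liveness test, and a media gap ends the call even while an OPTIONS poll is still outstanding.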
6 SNMP

The Simple Network Management Protocol (SNMP) is a widely used protocol for checking what is going on in your network. When you run the SBC, you probably also want to see statistics about its usage and get alarms when something goes wrong. The setup of SNMP on the SBC side is very simple. Essentially, you have to perform two steps:
• Select the port on which the SNMP server should listen.
...space etc.), the setup is a little more difficult than the setup of a standard sensor. A readable parameter is described by its object identifier (OID); the object identifiers are described in the next paragraph. Enter the OIDs in your tool and select appropriate names for them. Also make sure that the IP address of the host running the SNMP tool matches the setup that you gave the SBC in the "Trusted IP Addresses" setting, which restricts the hosts that may query the SBC.
For SIP packets, the SBC measures only the received packets. It measures the number of packets as well as the total number of bytes received on the SBC SIP ports. The byte count does not include the IP or UDP headers. The number of successful and unsuccessful calls is incremented after the call has finished. The counting corresponds to the logging of the call result, which is described in a different part of this document.
7 Checklist for Installation

When snom or one of their partners performs the installation for you, the following information is necessary:
• Please provide secure shell login to the system that can be accessed at least from the snom.com host (currently at IP address 217.115.141.99). Restrict the login to that address where you can, use a dedicated account for the installation, and remove it once the installation is complete.
• Please tell us the login address (host and port), user name and password. We need root permissions on that host.
• Please tell us for which domains you plan to use the server.
...tion tool.
• Please tell us the login address (host and port), user name and password. We need administrative rights on that host.
• Please tell us for which domains you plan to use the server. Please also tell us where you want to process the requests (which outbound proxy the NAT Filter should use).
• Please don't run too many other services on the host that could degrade the performance of the server. We recommend using the server only for the NAT Filter.
Reader's Feedback

snom technology AG welcomes your evaluation of this manual and any suggestions you may have. These help us to improve the quality and usefulness of our documentation. Please send your comments and suggestions to:
snom technology AG, Attention: Marketing Department, Pascalstr. 10B, 10587 Berlin, Germany, Fax: +49 (30) 39833-111
Manual Name: snom 4S NAT Filter Admin Manual 2.
snom technology Aktiengesellschaft Gradestr. 46, 12347 Berlin, Germany Phone: +49 (30) 39833-0 mailto:info@snom.com http://www.snom.com sip:info@snom.com © 2004-2005 snom technology AG All rights reserved.