Download Presentation
Upcoming SlideShare
Loading in...5

Download Presentation






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Sign6 (upper part)
  • Sign 6 lower part
  • LARS! Kolla och uppdatera länkar mm!!

Download Presentation Download Presentation Presentation Transcript

  • Intertex Data AB, Sweden
    • Firewall Traversal
    • Bringing SIP to the LAN
    • Prepared for: Session Initiation Protocol 2002
    • By: Karl Erik Ståhl
    • President Intertex Data AB
    • Chairman Ingate Systems AB
    • [email_address]
    © 2002 Intertex Data AB
  • VoIP as we have seen it… Internet PC PC Wanna talk to me? Do we want the PC as a phone? Gateway Internet Gateway STO LA Are cheaper phone bills all we want?
  • VoIP as we have seen it…
    • VoIP between branch offices
    PSTN Europe IP - But NOT globally to others! Gateway Internet VPN VPN US Gateway IP
  • Hmm, didn’t we pass this stage…
    • Paper was a very compatible media - So is POTS today…
    • But we need to move beyond!
    email printer fax Organization 1 Email system 1 email Organization 2 Email system 2 fax PSTN fax fax
  • What about universal connectivity?
    • Wouldn’t that be fine?
    Black Phone RJ45 LAN Intranet Internet IP Phone PSTN RJ11
  • VoIP and SIP Services Out to the Edge Firewall/NAT problems! Status until now: SIP is the Protocol for IP Communication Person-to-Person, BUT IT DOES NOT REACH THE EDGE! IAP IP Phone IP Phone IP Phone IP Phone SIP Server PSTN SIP /PSTN Gateway Internet Home LAN Business LAN DSL Cable MTU Operator network with NAT NAT FirewallNAT XP PIM
    • An extension to SIP in progress
    • See:
    • rosenberg-impp-presence-00.txt
    • A single, extended standard instead
    • of today's players
      • ICQ
      • AOL Instant Messenger
      • Yahoo! Messenger
      • MSN Messenger
      • And more
    Presence and Instant Messaging Used in Windows XP  SIP  SIP
  • What Microsoft Has Done So Far
    • Progressed embedded
      • End-to-end platform
    • Announced update
      • PC-to-phone provider choice & new UI
    • Released Windows XP
      • Windows Messenger and rich APIs
    • 10:s of miljons of RTC (SIP) users within a year
  • Windows XP: ECS (Exchange Conferencing Server) SIP based whiteboard, chat, video, audio, app sharing…
  • SIP Firewall Problems
    • Firewall Problems:
    • Sessions initiated from outside the firewall
    • - OK, open port 5060, but…
    • Media streams on dynamically allocated port numbers
    • - Ooops…  !
    Even with public IP addresses inside
  • SIP NAT/PAT Problems
    • NAT & PAT Problems:
    • Where is the device?
    • - Registration/location function
    • Private IP addresses and ports in SIP messages
    • - Rewrite with globally routable addresses
    • IP address and port of media stream has to be modified
    • - NAT engine has to be dynamically controlled
    Worse with private IP addresses inside
  • Suggested Solutions
    • Dynamically controlled Firewall/NATs [Aravox, …]
    • Midcom: By Firewall Control Proxy [Dynamicsoft…]
    • uPnP: By the client (Windows) [Microsoft]
    • SIP aware Firewall/NATs (SIP Proxy + Registrar)
    • [Intertex (SOHO), Ingate (enterprise), …]
    • SIP aware Firewall/NATs (SIP ALG)
    • [Cisco,… TLS not possible]
    • Making SIP NAT friendly , Drafts in progress:
      • draft-rosenberg-sipping-nat-scenarios-00.txt
      • draft-rosenberg-midcom-stun-01.txt
      • draft-ietf-sip-nat-01.txt
  • Adding SIP Support to a Firewall
    • Important components:
    Firewall & NAT
    • Dynamic Firewall Engine
    SIP Proxy
    • SIP Proxy Server, controlling the firewall
    User Location
    • SIP Registrar, user location information
    Firewall Control Protocol
    • Communication between SIP Proxy and firewall
  • NAT Friendly SIP Mods to SIP, SDP SIP clients need upgrade New servers on the net SIGNALLING
    • Route new signalling through this open path
    • For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server
    LAN RTP IP Phone FirewallNAT RTP Proxy NAT IP Phone LAN SIP Registrar INTERNET
    • Use STUN to find out “looks” from outside
    STUN Server
    • Keep registrar NAT path (TCP or UDP) always open by frequent registration s
    • RTP media streams always start from insid e + symmetric
  • SIP Enabling the Private Networks Firewall/NAT problems! Firewall/NAT SIP transparency! IAP IP Phone IP Phone IP Phone IP Phone SIP Server PSTN SIP /PSTN Gateway Operator network with NAT Internet Home LAN NAT FirewallNAT Business LAN DSL Cable MTU DMZ in G ate SIParator in G ate Firewall IP Phone IP Phone IP Phone IX66
  • Just Another Internet Service… Internet IX66 Home User USA Sweden IX66 IAP Home LAN Enterprise LAN XP in G ate Firewall SOHO LAN IX66 XP Helsinki PSTN SIP /PSTN Gateway DNS SRV DMZ in G ate SIParator XP Ingate Linköping LAN IX66 Intertex Stockholm LAN Sweden
  • IP Communications Using IP Networks
    • Intranet IP VPN with IP communications
    • Domestic and global IP communications
    • PBX and PSTN – E.164 resolution
    Customer Premises PBX PSTN Phone Managed Services Router Vmail OSS SIP Phone WorldCom PSTN Dialing Plans Network GWY Conf PSTN Phone IM IN Enterprise Gateway SIP Routing Firewall SIP Server IP VPN Global IP Comm Intranet IP Comm … other…
    • Many call routing options:
    • Private/Public IP address
    • DNS and DNS SRV records
    • SIP aware NAT/PAT servers
    • Henry Sinnreich 4/10/2002
    WorldCom Public IP Network
  • IP Communications Using IP Networks PBX PSTN Phone Managed Services Router Vmail OSS SIP Phone WorldCom PSTN Dialing Plans Network GWY Conf PSTN Phone IM IN Enterprise Gateway SIP Routing Firewall SIP Server IP VPN Global IP Comm Intranet IP Comm … other… Customer Premises WorldCom Public IP Network Integration with existing phones SIP Capable Firewall Ingate and Intertex First through SIT No IP PBX Needed! Enhanced Functionality Enterprise LAN
  • Product Examples – Ingate Systems AB
    • A Complete Firewall
    • An add-on to an Existing Firewall
    • Firewall & NAT/PAT
    • SIP Proxy
    • SIP Registrar
    Enterprise Products Firewall 1400 SIParator 40 DMZ Existing Firewall
  • The Ingate SIParator Internet IP Phone DMZ in G ate SIParator IP Phone Existing Firewall
  • The Ingate SIParator Existing Firewall Internet LAN Private IP Addresses SIP traffic (5060 UDP/TCP) RTP traffic (UDP port interval) SIParator RTP Proxy NAT/PAT Engine SIP Proxy DMZ SIP Registrar
  • Product Examples – Intertex Data AB
    • OEM as: Telia SurfinBird Gate PowerBit SafeGate
    • Review at:
    IX66 Internet Gate with or without ADSL modem built-in SOHO Products
  • The Intertex IX66 Internet Gate
    • A closer look
    • Firewall & NAT/PAT
    • SIP Proxy and Registrar
    • DHCP Server and Client
    • WEB Server for configuration
    • Smart Card Reader for security applications
    • SIP Appliance Control, LAC via expansion port
    Optional ADSL and Splitter Built-in
  • Internet Appliances Control http://www.
    • SIP Capable Firewalls!
    Ingate Systems AB Box 10013, Slakthusplan 4 SE- 121 26 Stockholm , Sweden CEO Olle Westerberg Tel +46 8 6007750 Intertex Data AB www. Rissneleden 45 SE- 1 74 44 S undbyberg, Sweden President Karl Erik Ståhl karl.stahl @in Tel +46 8 6282828