mani (Intermediate)
Joined: May 10 2007, Posts: 4
Posted: May 10 2007 at 5:44pm
1. Will the combined SIP and Media proxy support clients connecting across two enterprises A and B in the following configuration:
Clients in Ent A <->Proxy in Ent A <-> Ent A firewall <-> internet or private network <-> Ent B firewall <-> Proxy in Ent B <-> Clients in Ent B
2. In the above configuration can the Proxy in each enterprise be placed in the DMZ? Can the proxy have a single global ip address that is accessed by clients within each enterprise and from one enterprise to the other? What are requirements of the firewall?
3. In the above configuration can the Proxy in each enterprise be placed inside the private network? If so, for clients in the other enterprise A to access clients in B, should the firewall then have a global Mapped IP address to the private network and open the relevant SIP and RTP ports?
Thanks
Mani
support (Administrator)
Joined: January 26 2005, Location: United States, Posts: 1666
Posted: May 11 2007 at 11:12am
Hi Mani,
Thanks for posting your VOIP questions to this support forum. You have asked very good questions.
Item 1 - Configuration:
Yes. The scenario you describe is exactly how we deploy the proxies. “Enterprise A” would be considered its own VOIP domain and “Enterprise B” would be another VOIP domain.
UDP Port forwarding:
The firewalls will need to forward the single UDP SIP port to the Centrex Proxy Server and also forward all UDP media ports that will be used by the VOIP media proxy.
One additional cool feature these servers support is to use a common registrar database. That way the whole deployment acts as a single VOIP domain as long as unique extensions are defined for all call endpoints.
Item 2:
can the Proxy in each enterprise be placed in the DMZ?
Yes the proxies can be placed in the DMZ but this is not required.
Item 3:
Can the proxy have a single global ip address that is accessed by clients within each enterprise and from one enterprise to the other?
Yes, exactly.
Item 4:
What are requirements of the firewall?
No special requirements for your firewall or NAT routers. However, see the “UDP Port forwarding” comments in Item 1 above.
Item 5:
In the above configuration can the Proxy in each enterprise by placed inside the private network?
Yes. All the proxies can reside in their own private IP address space or they can reside in the global IP address space. 99.998% of our customers' deployments are in private networks. The servers are deployed immediately behind the outermost firewall or NAT router of the private network.
Item 6:
If so, for clients in the other enterprise A to access clients in B, should the firewall then have a global Mapped IP address to the private network and open the relevant SIP and RTP ports?
Yes, exactly. You do not have to use static WAN IP addresses either. Using dynamic DNS to map a WAN IP address to each enterprise works equally well.
Support
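The "UDP Port forwarding" requirement in the reply above (one SIP UDP port to the SIP proxy, a range of UDP media ports to the media proxy) is the part of this thread that most often goes wrong in practice, so here is an added example that is not LanScape's code or configuration. It generates the iptables forwarding rules for an assumed WAN interface, proxy address and RTP range, optionally restricts the source to the other enterprise's WAN prefix (the thread says no special firewall requirements; narrowing the source is an editor's hardening suggestion, not something the page states), and checks that the media ports a proxy advertises in SDP actually land inside the forwarded range. All names, addresses and ports are constructed assumptions.

```python
"""Added example, not LanScape's code or configuration.

Builds the UDP forwarding rules the support reply describes and checks an
SDP body against the forwarded RTP range. Interface name, proxy address,
port range and the sample SDP are assumptions made for illustration.
"""
import ipaddress
import re


def forwarding_rules(wan_if, proxy_ip, sip_port, rtp_lo, rtp_hi,
                     peer_cidr="0.0.0.0/0"):
    """Return iptables commands (as strings) that DNAT the single SIP port
    and the RTP range arriving on wan_if to the proxy host, and permit only
    those flows in FORWARD.

    peer_cidr narrows the accepted source to the other enterprise's WAN
    prefix when it is known; the default forwards from anywhere, which is
    the weaker (but more common) setting.
    """
    ipaddress.ip_address(proxy_ip)          # raises ValueError on a bad address
    ipaddress.ip_network(peer_cidr)         # raises ValueError on a bad prefix
    if not (0 < sip_port <= 65535 and 0 < rtp_lo <= rtp_hi <= 65535):
        raise ValueError("bad SIP port or RTP range")
    if rtp_lo <= sip_port <= rtp_hi:
        raise ValueError("SIP port must not lie inside the RTP range")
    rng = f"{rtp_lo}:{rtp_hi}"
    return [
        f"iptables -t nat -A PREROUTING -i {wan_if} -s {peer_cidr} -p udp "
        f"--dport {sip_port} -j DNAT --to-destination {proxy_ip}:{sip_port}",
        f"iptables -t nat -A PREROUTING -i {wan_if} -s {peer_cidr} -p udp "
        f"--dport {rng} -j DNAT --to-destination {proxy_ip}",
        f"iptables -A FORWARD -i {wan_if} -s {peer_cidr} -d {proxy_ip} -p udp "
        f"--dport {sip_port} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -s {peer_cidr} -d {proxy_ip} -p udp "
        f"--dport {rng} -j ACCEPT",
    ]


# m= lines name the media port the far side must be able to reach.
_MEDIA = re.compile(r"^m=(audio|video) (\d+) ", re.M)


def sdp_media_ports(sdp):
    """Ports from every audio/video m= line of an SDP body."""
    return [int(port) for _, port in _MEDIA.findall(sdp)]


def unforwarded_media_ports(sdp, rtp_lo, rtp_hi):
    """Ports in the SDP that the rules above would NOT forward.

    Each RTP port p also implies RTCP on p+1, so both are checked. A
    non-empty result is the classic one-way-audio failure: signalling works,
    media from the far enterprise is dropped at the firewall.
    """
    bad = []
    for p in sdp_media_ports(sdp):
        for q in (p, p + 1):
            if not rtp_lo <= q <= rtp_hi:
                bad.append(q)
    return bad


# Constructed SDP body, as a media proxy might place it in an INVITE.
# The video port sits at the top of a 10000-10999 range, so its RTCP
# port (11000) falls outside what the firewall forwards.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 10234 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 10999 RTP/AVP 96\r\n"
)

if __name__ == "__main__":
    for rule in forwarding_rules("eth0", "192.168.10.5", 5060, 10000, 10999,
                                 "203.0.113.0/24"):
        print(rule)
    print("not forwarded:", unforwarded_media_ports(SAMPLE_SDP, 10000, 10999))
```

The range check is worth running against the media proxy's real configuration before go-live: the SIP side registers and rings fine even when the RTP range on the firewall is one port short, and the symptom only appears as silent or one-way calls between the two enterprises.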
mani
Posted: May 15 2007 at 1:37pm
A few follow up questions:
1. Regarding Registrar you mention in Item 1: Configuration, can you please elaborate on common Registrar database? Does it mean that the Registrar is deployed in a global IP address space that both Enterprises use to register clients?
2. What about the case where there is not a single Registrar? I am assuming each Enterprise can have its own Registrar that clients inside that enterprise register with. Then the proxy in one enterprise will route calls to proxy in other enterprise, possibly finding the destination proxy via DNS_SRV records.
3. How is "Far End NAT traversal" supported? Do all clients in each enterprise use your proxy as the outbound proxy? E.g. if clients within enterprise A were to call clients in enterprise B, how do you ensure that firewall ports on the far end are open for the entire duration of the call?
4. Also are the proxy functions a full B2BUA function or a stateful proxy?
Thanks very much
Mani
support
Posted: May 15 2007 at 2:58pm
Hi mani,
<<< You
… can you please elaborate on common Registrar database? Does it mean that the Registrar is deployed in a global IP address space that both Enterprises use to register clients?
Support >>>
Yes, that is exactly it. This capability simply allows users in each VOIP domain to call each other directly using either domain name. Deploying VOIP domains using a shared registrar database simplifies calling between the domains. For example, if I am extension 111 in domain #1 (call it MyCompany1.com) and I want to call extension 222 in domain #2 (call it MyCompany2.com), then extension 111 can simply dial 222 and the proxy in domain #1 will know that the registered user is in another remote domain and route the call as needed. This is useful when deploying SIP clients that cannot dial SIP URIs directly. Most individuals want to dial an extension number and not have to program their phones with full SIP URIs. Deploying this way removes this task.
<<< You
What about the case where there is not a single Registrar?
Support >>>
From your description, you understand completely. A shared registrar database makes certain things easier (like dialing between domains) but it is not required at all. Taking my example from your first question, if we are not using a shared registrar database between the 2 domains, then the SIP phone will have to dial the full SIP URI like “sip:222@MyCompany2.com:5060”. Full SIP URI dialing on most desktop IP phones is clunky at best – unless you can program the phone and map the full SIP URI to a (speed dial?) number.
<<< You
How is "Far End NAT traversal" supported? Do all clients in each enterprise use your proxy as the outbound proxy?
Support >>>
Yes.
<<< You
E.g. if clients within enterprise A were to call clients in enterprise B, how do you ensure that firewall ports on the far end are open for the entire duration of the call?
Support >>>
If the LanScape SIP and media proxies are deployed in the outermost subnet of a private network, then the outermost firewall or NAT router must port forward the single SIP UDP port to the Centrex Proxy Server and port forward RTP UDP media ports to the appropriate VOIP Media Proxy. This must be the case for each VOIP domain. Port forwarding must be used when deploying the servers in the private network so that outside external incoming call requests can be received and routed to the appropriate destination.
<<< You
Also are the proxy functions a full B2BUA function or a stateful proxy?
Support >>>
Stateful.
Support
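The two routing modes contrasted in the reply above (a registrar database shared by both VOIP domains, where a bare extension is enough, versus separate registrars, where the caller must dial a full SIP URI and the proxy finds the far domain through DNS SRV, as mani suggested) can be modelled in a few dozen lines. The following is an added example, not LanScape's code; it also enforces the one condition the first reply attached to the shared-database mode, that extensions must be unique across all endpoints. Domain names, extensions, contacts and the stand-in SRV table are constructed.

```python
"""Added example, not LanScape's code.

Models extension routing with and without a shared registrar database.
MyCompany1.com / MyCompany2.com and extensions 111 / 222 come from the
forum reply; the contact addresses and the SRV table are constructed.
"""
import re

# Constructed stand-in for DNS SRV answers for _sip._udp.<domain>, the
# mechanism mani proposed for locating the far proxy without a shared
# registrar. A real deployment would query DNS here.
SRV_RECORDS = {
    "_sip._udp.MyCompany1.com": ("proxy.MyCompany1.com", 5060),
    "_sip._udp.MyCompany2.com": ("proxy.MyCompany2.com", 5060),
}

_URI = re.compile(r"^sip:([^@]+)@([^:;]+)(?::(\d+))?$")


def merge_registrars(per_domain):
    """Build the shared table {extension: (domain, contact)} from each
    domain's own registrar, refusing the extension collisions the support
    reply warns about ("as long as unique extensions are defined")."""
    shared = {}
    for domain, table in per_domain.items():
        for ext, contact in table.items():
            if ext in shared:
                raise ValueError(
                    f"extension {ext} registered in both {shared[ext][0]} and {domain}")
            shared[ext] = (domain, contact)
    return shared


def _far_proxy(domain):
    srv = SRV_RECORDS.get(f"_sip._udp.{domain}")
    return None if srv is None else f"{srv[0]}:{srv[1]}"


def route_shared(dialed, home_domain, shared):
    """Bare extension dialled inside home_domain, shared registrar in use.
    Returns ('local', contact) if the user registered here, ('remote',
    domain, next_hop) if the shared table shows another domain, or None."""
    entry = shared.get(dialed)
    if entry is None:
        return None
    domain, contact = entry
    if domain.lower() == home_domain.lower():
        return ("local", contact)
    hop = _far_proxy(domain)
    return None if hop is None else ("remote", domain, hop)


def route_separate(dialed, home_domain, local_registrar):
    """No shared database: a bare extension can only be resolved against the
    local registrar, and only a full SIP URI can leave the home domain."""
    m = _URI.match(dialed)
    if not m:
        contact = local_registrar.get(dialed)
        return ("local", contact) if contact else None
    user, domain, _port = m.groups()
    if domain.lower() == home_domain.lower():
        contact = local_registrar.get(user)
        return ("local", contact) if contact else None
    hop = _far_proxy(domain)
    return None if hop is None else ("remote", domain, hop)


# Constructed per-domain registrars (private contact addresses).
REGISTRAR_1 = {"111": "sip:111@192.168.1.20:5060"}
REGISTRAR_2 = {"222": "sip:222@10.0.0.30:5060"}
SHARED = merge_registrars({"MyCompany1.com": REGISTRAR_1,
                           "MyCompany2.com": REGISTRAR_2})

if __name__ == "__main__":
    print(route_shared("222", "MyCompany1.com", SHARED))
    print(route_separate("222", "MyCompany1.com", REGISTRAR_1))
    print(route_separate("sip:222@MyCompany2.com:5060", "MyCompany1.com", REGISTRAR_1))
```

Note what `route_separate("222", ...)` returns: nothing. That is the reply's point in code form: without the shared database, a phone that can only dial digits has no way to reach the other enterprise unless someone maps a speed-dial key to the full URI.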
mani
Posted: May 16 2007 at 1:26pm
1. DMZ deployment scenario
In Enterprise A
Soft phone (Alice) <-> WAN <-> Router <-> Corporate Firewall and NAT --| SIP and Media Proxy in DMZ <-> Internet
In Enterprise B
Soft phone (Bob) <-> WAN <-> Router <-> Corporate Firewall and NAT --| SIP and Media Proxy in DMZ <-> Internet
Also, soft phones will be deployed in the same ip network as other traffic.
Can I deploy the proxy with public ip address in the DMZ but with NAT enabled on the DMZ interface that connects the proxy to the firewall? For outbound requests from softphone, what router configuration is needed to route the SIP packets from the "inside interface" of corporate firewall to the proxy?
For inbound proxy requests since the proxy is in the NATed firewall DMZ space, how will it route messages to the "inside network"?
I also have a couple of other scenarios to discuss with multiple NATs in a Managed service environment.
If we could chat on the phone that would be great.
Thanks very much for your help
Mani
support
Posted: May 18 2007 at 9:59am
Hi mani,
<<< You
Can I deploy the proxy with public ip address in the DMZ but with NAT enabled on the DMZ interface that connects the proxy to the firewall?
Support >>>
Yes.
<<< You
For outbound requests from softphone, what router configuration is needed to route the SIP packets from the "inside interface" of corporate firewall to the proxy?
Support >>>
Not knowing the type of “Corporate Firewall and NAT” device or software you are talking about – this is only an educated guess: There should be no special router config required if the internal phones use the fully qualified domain name or the global IP address of your “Corporate Firewall and NAT” element. If there is a configuration to perform, you may have to port forward specific UDP ports to the proxy server machine in the DMZ. The UDP traffic for SIP and RTP will then be forwarded to the DMZ machine. This network element may also have to support UDP “hair-pinning” to be able to forward the SIP and UDP media traffic coming from the private net to the DMZ host. Let’s assume that your “Corporate Firewall and NAT” element supports proper hair-pinning. As we mentioned, the only other thing you may have to configure is to set up port forwarding to the host machine in the DMZ that is running the SIP and media proxies. That should be it.
<<< You
For inbound proxy requests since the proxy is in the NATed firewall DMZ space, how will it route messages to the "inside network"?
Support >>>
Assuming your SIP User Agents (i.e. any SIP/RTP devices) were able to register with the LanScape Centrex SIP Proxy in the DMZ, the NAT will have a session open which will allow the proxy to communicate back into the private network when an incoming call arrives. Normally a NAT session remains open because the SIP device has the ability to send “keep-alive” data to the proxy or re-registers every 30 seconds or so to keep the NAT session binding from expiring.
<<< You
I also have couple of other scenarios to discuss with multiple NATs in a Managed service environment.
Support >>>
Unless this is sensitive information, please go ahead and post the information to this thread.
Mani, one of the best ways to test out all of these scenarios is to request from us trial proxy products and then test deploy in your specific network environments. That way you can directly see what works and what doesn’t.
If your company is thinking about using our proxy products to deploy to your customers alongside your own voice or video products, that would be good. We would be very interested in working together with you and your group. Then maybe we can discuss deployment details via the phone.
These are all very good questions. Repost as needed.
Support
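The last answer about inbound calls reaching the "inside network" rests on two details that a proxy in the DMZ has to get right: it must record the address and port the REGISTER actually arrived from (the NAT's external mapping), not the private address the phone puts in its Contact header, and it can only use that mapping while the phone keeps refreshing it faster than the NAT's UDP idle timeout. The following is an added example, not LanScape's code: a minimal registrar that stamps the Via header with `received`/`rport` as RFC 3581 describes, keeps the observed mapping per address-of-record, and refuses to route an INVITE once the binding has gone stale. The REGISTER message, addresses and the 60-second NAT timeout are constructed assumptions.

```python
"""Added example, not LanScape's code.

A NAT-aware registrar: routes incoming calls to the NAT mapping observed on
REGISTER, not to the private Contact address, and treats the mapping as
gone once keep-alives stop. Sample message, addresses and the NAT idle
timeout are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Binding:
    aor: str            # address-of-record from the To header
    contact: str        # what the phone claimed; private, unroutable from outside
    observed: tuple     # (ip, port) the REGISTER datagram really came from
    last_seen: float    # last REGISTER or keep-alive, seconds
    expires: int        # registration lifetime requested by the phone


def stamp_via(via, src_ip, src_port):
    """RFC 3581 behaviour: record where the datagram came from so responses
    go back through the NAT mapping rather than to the private Via address."""
    via = re.sub(r";rport(?=;|$)", f";rport={src_port}", via)
    return via + f";received={src_ip}"


def parse_register(msg):
    """Return (aor, contact, expires) from a REGISTER; raises on other methods."""
    lines = msg.split("\r\n")
    method, _ruri, _ver = lines[0].split(" ", 2)
    if method != "REGISTER":
        raise ValueError("not a REGISTER")
    hdrs = {}
    for ln in lines[1:]:
        if not ln:                      # blank line ends the headers
            break
        name, _, value = ln.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    aor = re.search(r"<(sip:[^>]+)>", hdrs["to"]).group(1)
    contact = re.search(r"<(sip:[^>]+)>", hdrs["contact"]).group(1)
    return aor, contact, int(hdrs.get("expires", "3600"))


class NatAwareRegistrar:
    def __init__(self, nat_idle_timeout=60.0):
        # Assumed UDP idle timeout of the inside NAT; many are 30-120 s,
        # which is why phones re-register or send keep-alives every ~30 s.
        self.nat_idle_timeout = nat_idle_timeout
        self.bindings = {}

    def on_register(self, msg, src_ip, src_port, now):
        aor, contact, expires = parse_register(msg)
        self.bindings[aor] = Binding(aor, contact, (src_ip, src_port), now, expires)
        return self.bindings[aor]

    def on_keepalive(self, aor, now):
        """Any datagram from the phone (OPTIONS, CRLF, re-REGISTER) refreshes
        the NAT mapping; record that it was seen."""
        b = self.bindings.get(aor)
        if b is not None:
            b.last_seen = now

    def next_hop(self, aor, now):
        """Where to send an incoming INVITE for aor: the NAT's external mapping
        if it was refreshed recently enough that the NAT should still hold it,
        otherwise None (the call cannot reach the phone until it registers again)."""
        b = self.bindings.get(aor)
        if b is None or now - b.last_seen > min(self.nat_idle_timeout, b.expires):
            return None
        return b.observed


# Constructed REGISTER as a phone on 192.168.1.20 behind the inside NAT
# would send it; the proxy sees it arrive from the NAT's public address.
SAMPLE_REGISTER = (
    "REGISTER sip:MyCompany1.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;rport;branch=z9hG4bK776\r\n"
    "From: <sip:111@MyCompany1.com>;tag=1928\r\n"
    "To: <sip:111@MyCompany1.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:111@192.168.1.20:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    reg = NatAwareRegistrar()
    b = reg.on_register(SAMPLE_REGISTER, "203.0.113.7", 41234, now=1000.0)
    print("claimed:", b.contact, "observed:", b.observed)
    print("INVITE at t+30s ->", reg.next_hop(b.aor, 1030.0))
    print("INVITE at t+100s ->", reg.next_hop(b.aor, 1100.0))
```

The second `next_hop` call returning `None` is the failure mani asked about: the binding is still well within its 3600-second registration, but the NAT has almost certainly dropped the UDP mapping, so the proxy has no path to the phone until the next keep-alive or re-REGISTER.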