
SIP Proxy and Media Proxy - Pre-Sales Technical Support
Subject Topic: Firewall configuration clarification

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: November 26 2007 at 6:08pm

I’m having some issues getting my clients on remote NAT’d networks across the Internet to successfully establish Media connections with my NAT’d Centrex Proxy / Media Proxy server and I'm hoping you can clarify/confirm a few things for me.

My Setup:
When client and server are on the LAN, I am able to register with the SIP server and establish a Media proxy from the client, which happens to be establishing its connection with the server on port 8000, to the Media proxy on port 16001 and out to another SIP client on port 34026.

I am aware that a typical SIP voip call establishes the SIP registration on UDP port 5060 and the media stream on a dynamic UDP port range. Am I correct in my understanding of how the Centrex Proxy and Media Proxy assist in this NAT to NAT SIP registration and media stream by:

1. Altering the SIP registration packet header by replacing the Private IP with the Public IP of the remote network that is in front of the remote NAT’d SIP client?

2. Using a fixed range of UDP ports (16001-16200 default) to establish one media (call) stream per port.

3. The only ports that need to be opened in a firewall, are ports 5060 for SIP, and 16001 to however many concurrent media streams are needed, and only on the firewall that is in front of the LanScape NAT’d products?

4. The media gets from one client to another by using symmetrical signaling and sending the stream down to the client down the dynamic port that was established by the client which is why the client’s firewall does not need to be opened, because the software is re-using the open port that the client established?

If you can confirm or correct me on this information, it should give me enough to get my environment working.

Thank you for any information you can provide.

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: November 27 2007 at 6:35am

Hi Mike,

Item 1:
When a SIP client (user agent, aka. UA) registers with the Centrex SIP proxy, the proxy will look at the published IP and port in the REGISTER SIP message and compare that with the actual IP address and port of where the SIP message came from. If IP:port in the REGISTER SIP message is different, then the proxy will flag the SIP UA as being behind NAT and use the real IP:port for all future SIP communications with the SIP client.

Item 2:
Yes, exactly.

For each SIP phone call, the Media Proxy will be instructed to use as many media streams (i.e. media ports) as required to allow media to flow between the call endpoints. The number of individual media streams is initially indicated in the SDP portion of the origination UA’s INVITE request. For most SIP calls, this is a single audio media stream. For other types of calls (like video collaboration), the call would have an audio stream and a video stream. The LanScape proxy products currently allow up to 128 concurrent media streams per call.


Item 3:
Yes. The single SIP port and the full RTP port range must be forwarded to the server(s) that run the LanScape proxies. LanScape SIP proxies and media proxies can all be on the same server or on separate servers.


Item 4:
Yes, exactly.



Support
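
The comparison described in Item 1 above, sketched in Python as an added example (not LanScape's code and not part of the original posts). The function names, the sample REGISTER and its addresses are constructed for illustration, and the check assumes the Contact host is a literal IP address rather than a hostname.

```python
import re

# Constructed sample REGISTER from a UA on a private LAN (not a real capture).
SAMPLE_REGISTER = (
    "REGISTER sip:proxy.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:8000;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:mike@proxy.example.com>;tag=1928301774\r\n"
    "To: <sip:mike@proxy.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:mike@192.168.1.50:8000>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

# "m" is the compact form of the Contact header name.
CONTACT_RE = re.compile(r"^(?:Contact|m)\s*:\s*(.*)$", re.I | re.M)
# Optional userinfo, then host (IPv4, name or [IPv6]), then optional port.
URI_RE = re.compile(
    r"sips?:(?:[^@>;\s]+@)?(\[[^\]]+\]|[^:;>\s]+)(?::(\d+))?", re.I
)


def published_contact(message):
    """Return the (host, port) the UA advertises in its Contact header."""
    header = CONTACT_RE.search(message)
    if not header:
        raise ValueError("REGISTER has no Contact header")
    uri = URI_RE.search(header.group(1))
    if not uri:  # e.g. "Contact: *" used to remove all bindings
        raise ValueError("Contact header carries no SIP URI")
    host, port = uri.group(1), uri.group(2)
    return host.strip("[]").lower(), int(port) if port else 5060


def classify_register(message, source_addr):
    """Compare the advertised contact with the real UDP source address.

    source_addr is the (ip, port) the datagram arrived from, as recvfrom()
    would report it. A mismatch in IP or port marks the UA as behind NAT,
    and replies then go to the observed address, not the advertised one.
    """
    published = published_contact(message)
    actual = (source_addr[0].lower(), int(source_addr[1]))
    return {
        "published": published,
        "actual": actual,
        "behind_nat": published != actual,
        "reply_to": actual,
    }
```

Because `reply_to` is always the observed source address, later requests reach the client through the NAT mapping it opened itself, which is why only the proxy-side firewall needs inbound rules.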

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: November 28 2007 at 3:21pm

Thank you! I am now able to successfully register against the Centrex SIP registrar and stream media between two SIP clients at one remote site that are both behind NAT, and are connecting to the LanScape server on another network, also behind NAT.

Now for Asterisk integration. Do you guys have, or know of, any good guides for running Asterisk as your PBX behind a LanScape Proxy/Media Proxy server either with Centrex or Asterisk as the SIP registrar?

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: November 29 2007 at 8:13am

Hi Mike,

Glad to hear that you are up and running. We run the exact same configuration here behind our outermost NAT router.

Regarding deploying Asterisk + LanScape proxies:
You will have to give us a bit more information on what you exactly want to do with the entire deployment. In other words, what Asterisk functionality do you want to use and how do you want to physically deploy Asterisk from a network standpoint with our proxies. Also, what overall VOIP “system” functionality are you shooting for in your deployment? Information like this will be helpful. Feel free to post your overall strategy to this thread.

For the majority of our customer applications, customers are using Asterisk as a PSTN gateway with our proxies as the “VOIP domain controller” in various deployment scenarios. Let us know what you want to do and we will help you figure it out as we go along.

I think we (LanScape) will have to start to publish documentation on various deployment scenarios as they are successfully figured out. This type of information will make for great “white papers” or “VOIP application notes” that we can then make available via the LanScape web site.

Keep posting and we will assist as much as possible.


Support

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: November 29 2007 at 1:59pm

I think publishing deployment scenario guides would be a great help. I’ll post a document outlining my deployment once it’s done, and you guys can edit or add to it.

Below is information pertaining to my deployment objectives.

Current Solution
We are a commercial real estate owner/management company. We have a T1 punched down to an Inter-Tel PBX at our headquarters and a combination of standard PSTN and limited VOIP delivery to our satellite locations. The current VOIP is delivered via an FXO router at our headquarters that is tied to an analog extension off of our existing PBX, and delivered to FXS routers at the remote locations over VPN tunnels.

The Problems
1. We typically have no more than 4-6 individuals at our headquarters at any given time, so the resources provided by the 24 channel T1 are drastic overkill.

2. Two of the remote locations are on dynamically assigned cable modem connections and anytime the IP changes, the gateway-to-gateway VPN tunnel breaks and the VOIP stops working until the tunnel is back online.

3. We have an opportunity to save money by removing the PSTN lines at our remote locations and replacing them with VOIP resources delivered over existing data lines from our headquarters.

4. We have a need to deliver VOIP to our users at random locations such as a hotel room or WIFI enabled coffee shop.

The Objective
We would like to replace our PBX with an Asterisk or Trixbox flavor of Asterisk PBX. The objective is to cancel our T1 line, and bring in BroadVoice VOIP lines as trunks into the Asterisk PBX. We will then replace our headquarters phone terminals with standard SIP business phones. I have this basic setup in place and functional in a test environment.

LanScape to the Rescue
Here’s the part where I want Centrex Proxy and VOIP Media Proxy to save the day.
I would like to deliver our voice resources out to all of our satellite offices without relying on the VPN tunnels to get the traffic through. I would like our remote users to be able to pick up a SIP phone and dial an extension at any of our locations to speak with a co-worker, or pick up a SIP phone and press 9 to grab one of our BroadVoice trunk resources to be able to make outbound calls through our headquarter resources. I would also like our headquarters employees to be able to bring their phone home with them for telecommuting. This allows me to keep all of our resources at our headquarters, and easily, and rapidly, make those resources available to remote locations.

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: November 29 2007 at 2:47pm

I think the main part of this objective that I don’t completely understand is in the extension assignment and SIP registration. I’m not clear on whether Centrex Proxy should be the SIP server and simply forward the call communication to the Asterisk PBX, or if Centrex Proxy should be the NAT solution only, and forward the SIP registration requests to the Asterisk PBX for processing.

It seems like I should be able to use the MySQL Registrar and Authentication databases that I set up for Centrex Proxy as a common database for both the LanScape products and Asterisk, but I don’t know enough about it to fully understand what the best practice deployment method would be in this scenario.

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: November 30 2007 at 10:37am

Hi Mike,

Good job and excellent explanation. We understand your scenario and what you want to accomplish. We may have to tweak a few things but it is absolutely possible to do this deployment and would be great to get it up and running.

Your point regarding the SIP client REGISTER operations is well taken. I think what we want to do here is to get the Centrex SIP proxy + media proxies to act as the NAT solution for the privately located PBX. As you mentioned, using this scenario will completely remove your current VPN dependencies, period.

Why the PBX needs to be the focus:
The Centrex SIP proxy + Media proxy solution has most often been deployed in a network only VOIP model. This basically means that it works well to tie individual SIP UAs together no matter where they reside in the network. It works great for this application but does not allow for full fledged PBX like capabilities (trunking, auto attendant, voicemail etc). That being said, if you want real PSTN trunking, we need to allow Asterisk to do whatever it does normally and get “all” SIP and RTP media to only flow through the LanScape layer. We have to think a bit more on how we will actually do all of this and it will depend on the complete list of capabilities you want to squeeze out of the Asterisk PBX platform.

I think our CTO talked with your CTO in the last few months regarding assisting your team with co-development. We would do this under a support contract agreement. Is this true? If so, we could get that started right away and work with you on the overall solution.


Thanks,

Support

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: December 04 2007 at 2:24pm

I believe you may be confusing me with someone else as I have not spoken with your CTO.

It seems as though your comment about allowing all of the "SIP and RTP media to only flow through the LanScape layer" is exactly how I need to configure this software to meet my objectives.

Can you clarify "co-development"? Are you saying that Centrex Proxy and Media Proxy are not capable of this type of configuration out-of-the-box, but could be made to support this configuration with custom modifications, or that the LanScape products can perform this function out-of-the-box, but would require a more involved configuration of the existing version?

The reason I'm asking, is that I'm aware of open source software that accomplishes this task by design. The reason I'm looking for a commercial solution, is that I'm trying to find a solution that not only accomplishes the task, but can do so in an easier to manage, more refined manner than the open source alternative.

Thank you,

Mike

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: December 06 2007 at 12:50pm

I don't mean to be impatient, but I have end of year funds I need to allocate. Do you have an answer to my previous post?

Thanks,

Mike

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: December 06 2007 at 6:32pm

Hi Mike,

We wanted to take time to set up an example deployment here in the lab so that we could give you definitive answers. It’s just very busy here. We will try to get to it in the morning.

What open source software are you referring to?


Support

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: December 07 2007 at 11:49am

The software is openSER with either the newer Media Proxy module, or the older RTP Proxy Module. It can apparently solve the SIP over NAT issue but it's a bear to configure. I played with it until my eyes glazed over, and then started looking for a better solution.

openSER
--------
http://www.openser.org/

MediaProxy Module
------------------
http://www.openser.org/docs/modules/devel/mediaproxy.html
http://voip-info.org/wiki/view/OpenSER+And+Mediaproxy

RTPProxy
---------
http://voip-info.org/wiki/view/RTPProxy
http://voip-info.org/wiki/view/OpenSER+And+RTPProxy

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: December 07 2007 at 12:12pm

We thought it might have been a SER based solution you were talking about.

We are working this weekend so be patient as we get your info.

Support

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: December 07 2007 at 12:18pm

Great!

Thank you,

Mike

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: December 11 2007 at 8:59am

Mike,

We have not forgotten you. It’s very busy here.

Support

support
Administrator
Joined: January 26 2005
Location: United States
Posts: 1666
Posted: December 12 2007 at 5:47am

Hi Mike,

It’s 5:30 in the morning and we are working on this again. Hang in there. It’s busy here. Unfortunately this free support takes a back seat to customers with paid support.

One thing you can do for us is to post the basic call situations you want the overall deployment to handle. If you want basic call flows with hold/unhold that’s what we are shooting for. If that’s it for the moment – great.

If you want more complicated interaction, let us know. The more info the better. Right now we are looking at basic call flows to tie your remote offices into your corporate facility using LanScape Centrex proxy/Media proxy combos as the “head proxies” to a VOIP PBX.

Note:
We have other customers who are already doing this with the product. However, they have developed their own custom plug-in DLL that helps handle some of the SIP message details. Your deployment situation has been asked numerous times. We are looking into this because if we put this basic “in front of VOIP PBX” functionality in the core product, then many may benefit in the future.

In the meantime, keep playing with the Centrex proxy and the C++ plug in stuff. You may be able to figure out your solution just as quickly.


Support

outerringz
Intermediate
Joined: November 15 2007
Location: United States
Posts: 15
Posted: December 12 2007 at 12:32pm

Thank you for the reply. Because of my fast approaching deadlines, I brought in an Asterisk consultant who has shown me native Asterisk capabilities I was not previously aware of. Thank you for your effort and for helping me evaluate your solution. At this time however, I am going to begin my implementation using the native Asterisk methods.