How to Configure the SIP Proxy

Enable the SIP Proxy

The SIP proxy is disabled by default if the appliance is newly installed or updated from a firmware version that did not offer the feature.

Allowed Destinations

The IP addresses, IP ranges, and domain names that the user agents are allowed to contact. Alternatively, you can leave this field empty and restrict the destinations through forwarding rules.

For domain names, you can use wildcard characters such as asterisks (*), question marks (?), and square brackets ([ ]).

Entering 0.0.0.0/0 allows any IP address but no domain name. If you want to allow any domain name, add an entry with just an asterisk ( * ). If the list is empty, no restrictions are applied (this does not override the forwarding rules). If you want to forbid all destinations, block the SIP port (UDP+TCP 5060) in the forwarding rules instead.

Default Destination

SIP requests addressed to the SIP proxy will be redirected to the specified IP. If this field remains empty (which is the default), related requests will be discarded.

Trust Connection IP

Specifies whether the SIP proxy trusts the IP address in the connection IP field contained within the SDP header of SIP packets. This header field usually contains the source IP address for the packet. However, this IP address can be invalid in NAT'd networks, which would effectively block the SIP traffic. You can select one of the following modes:

• Yes – The IP address in the SDP header is always be trusted. Works only if the clients are not NAT'd.

• No – The IP address in the SDP header is not trusted. This can fix problems with NAT'd phone devices but might break traffic for devices with a public IP address residing behind another intermediate SIP proxy.

• Automatic – The mode is detected automatically for each client. However, the Automatic mode cannot always detect the correct setting. If you encounter connection problems with traffic through the SIP proxy, try the other Trust Connection IP modes. The following table lists the modes that you can use for some specific scenarios that do not work with Automatic mode:

  Scenario	Trust Connection IP Setting
  Phone ↔ Firewall + SIP Proxy #1 ↔ Firewall + SIP Proxy #2 ↔ Phone or Phone System	Yes in SIP Proxy #1
  Phone ↔ Router with Symmetric NAT but no SIP Proxy ↔ Barracuda SIP Proxy ↔ Phone or Phone System	No
  Phone ↔ External Vendor's SIP Proxy or Phone System without RTP Forwarding ↔ Barracuda SIP Proxy ↔ Phone or Phone System	Yes
  Phone ↔ Barracuda SIP Proxy ↔ Phone System ↔ Phone	Yes

Allow Registrations From WAN Addresses
(Advanced View)

Specifies if user agent clients (UACs) from WAN IP addresses are allowed to register on the SIP proxy.

For security reasons, Barracuda Networks recommends that you disable this feature.

Private Networks
(Advanced View)

Add all networks that should be handled by the SIP proxy to this list. By default, all SIP connections from 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/16 are accepted by the SIP proxy.

No. of Child Processes
(Advanced View)

The number of SIP processes to be created for each available network port and interface.

For example, the Barracuda CloudGen Firewall F400 has seven network ports and the number of child processes is set to 4, so the SIP proxy starts four processes for each port. Because SIP requires TCP and UDP sessions for communication, there will be a total of 56 active SIP proxy processes (7 x 4 x 2 = 56).

Server Signature
(Advanced View)

The custom signature to be encapsulated into SIP packets.

Debug Log Level
(Advanced View)

race the SIP proxy's operations in one of three available granularity levels. If you encounter SIP proxy issues with VoIP communications, Barracuda Networks recommends that you increase the log level for further troubleshooting.

• 0: Notice – Basic log information.

• 1: Info – Medium log information.

• 2: Debug – Extensive log information.

The log output is written to LOGS > your firewall service > sipproxy.