SIP is mainly used for VoIP telephony but is also used for multimedia communication, including video and instant messaging. SIP clients and servers connect to each other on TCP or UDP port 5060 for signaling, which covers setting up, modifying, and tearing down connections. If SIP packets must traverse a NAT, they are only partially rewritten, which creates problems with headers that contain local IP addresses unreachable from the Internet. The audio and video of a call are carried over an RTP session that starts on a dynamically assigned port. If the RTP session is blocked because the firewall only forwards or allows specific ports, the audio and video for the call are not transmitted properly.
The following example shows how the SIP Proxy service on the Barracuda firewall helps establish a VoIP call with an external SIP provider.
Configuring the SIP Proxy
The SIP Proxy poses as a client to the destination server and as a server to the local client. It intercepts and redirects the traffic between the VoIP client and the server. It also dynamically opens the ports that are required by the call. A SIP proxy is always required if the RTP ports are blocked by the firewall or if NAT is used. If the ports required for the RTP connection are open, a SIP proxy is only needed if the SIP provider does not detect NAT'd clients correctly.
For instructions on how to configure the SIP proxy, see How to Configure the SIP Proxy.
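The NAT problem described above can be seen by inspecting a captured SIP message. The following is an added example, not Barracuda code: it scans a constructed INVITE for non-routable addresses in the Via and Contact headers and in the SDP body, and lists the RTP ports the call requests. The function names and the sample message are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: an INVITE as sent by a client behind NAT (all values made up).
SAMPLE_INVITE = (
    "INVITE sip:bob@provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@provider.example>;tag=1928301774\r\n"
    "To: <sip:bob@provider.example>\r\n"
    "Call-ID: a84b4c76e66710@client.example\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.10.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.10.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.10.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Long-form Via/Contact headers and the SDP o=/c= lines (compact header forms not handled).
FIELD = re.compile(r"(?i)(via|contact)\s*:|([co])=")
MEDIA = re.compile(r"m=(audio|video) (\d+) ")

def is_unroutable(addr):
    """True if addr is a valid IP that is not reachable from the Internet."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private

def audit_sip_message(raw):
    """Return ([(field, local_address)], [(media, rtp_port)]) for one SIP message."""
    findings, rtp_ports = [], []
    for line in raw.splitlines():
        field = FIELD.match(line)
        if field:
            name = field.group(1) or field.group(2) + "="
            findings += [(name, a) for a in IPV4.findall(line) if is_unroutable(a)]
        media = MEDIA.match(line)
        if media:
            rtp_ports.append((media.group(1), int(media.group(2))))
    return findings, rtp_ports
```

Every address it reports is one the far end cannot reach unless something on the path rewrites it, and every port it lists must be reachable for the media to flow.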
Encrypting SIP with TLS
Increase the security of SIP connections by configuring TLS with the SIP Proxy. TLS secures the last hop from the proxy to the target domain of the user agent. It only encrypts one hop at a time. TLS does not encrypt voice or video traffic, which is handled by the RTP session. To encrypt voice or video traffic, you must use SRTP.
For more information, see How to Configure the SIP Proxy.