SIP is used mainly for VoIP telephony but is also used for multimedia communication, including video and instant messaging.
The figure below shows how the SIP Proxy service on the Barracuda CloudGen Firewall helps establish a VoIP call with an external SIP provider.
SIP Proxy Overview
SIP clients and servers use TCP or UDP port 5060 to connect with each other for signaling, as well as for setting up, modifying, and tearing down connections. If SIP packets must traverse a NAT, they are only partially rewritten, so headers that still contain local IP addresses point to hosts that are unreachable from the Internet. The audio and video of a call are carried over an RTP session that starts on a dynamically assigned port. If the RTP session is blocked because the firewall forwards or allows only specific ports, the audio and video for the call are not transmitted properly.
The SIP proxy poses as a client to the destination server and as a server to the local client. It intercepts and redirects the traffic between the VoIP client and the server. It also dynamically opens the ports that are required by the call.
A SIP proxy is always required if the RTP ports are blocked by the firewall or if NAT is used. If the ports required for the RTP connection are open, a SIP proxy is needed only if the SIP provider does not detect NAT'd clients correctly.
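The NAT and RTP problems described above can be checked in a captured SIP message. The following is an added example, not part of the original article or of any Barracuda tool: it lists the headers and SDP lines that still carry a non-public IPv4 address and the RTP ports the call asks for. The sample INVITE, the function name `audit_sip_message`, and all addresses in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: INVITE from a phone behind NAT (every value is made up).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@provider.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@provider.example>;tag=1928301774",
    "To: <sip:bob@provider.example>",
    "Call-ID: a84b4c76e66710@192.168.1.20",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20",
    "s=-",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31",
    "",
])

# SIP headers and SDP lines that tell the peer where to send replies and media.
FIELD = re.compile(r"(Via|Contact)\s*:|([oc])=", re.IGNORECASE)
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
MEDIA = re.compile(r"m=(\w+) (\d+)(?:/\d+)? RTP/")


def audit_sip_message(raw):
    """Return (unroutable, rtp_ports) for one SIP message carrying SDP."""
    unroutable, rtp_ports = [], {}
    for line in raw.splitlines():
        field = FIELD.match(line)
        if field:
            name = field.group(1) or field.group(2)
            for candidate in IPV4.findall(line):
                try:
                    addr = ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # four dotted numbers that are not a valid address
                if addr.is_private:  # RFC 1918 and other non-public ranges
                    unroutable.append((name, candidate))
        media = MEDIA.match(line)
        if media:
            rtp_ports[media.group(1)] = int(media.group(2))
    return unroutable, rtp_ports
```

Any entry in the first list is an address the provider cannot reach without a SIP proxy or equivalent rewriting, and the ports in the second are the ones that must be opened for the RTP session.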
Encrypting SIP with TLS
Increase the security of SIP connections by configuring TLS with the SIP proxy. TLS secures the last hop from the proxy to the target domain of the user agent. It only encrypts one hop at a time. TLS does not encrypt the voice or video traffic itself, which is carried by the RTP session. To encrypt voice or video traffic, you must use SRTP.
Configuring the SIP Proxy
For instructions on how to configure the SIP proxy, see the following articles: