The Session Initiation Protocol (SIP) is a signalization protocol for the setup, modification, and termination of sessions between two or several communication partners. It is primarily used in setting up and tearing down voice or video calls. To use SIP, you first have to register your IP address and URLs at your ISP. SIP uses UDP or TCP on port 5060 to indicate which IP addresses and port numbers are to be used between the endpoints to exchange media data (video or voice). Since opening all ports for all addresses would cause a severe security issue, the gateway is able to handle SIP traffic on an intelligent basis. This is achieved by means of a special connection tracking helper monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy. For that purpose you must specify both a SIP server network and a SIP client network definition in order to create appropriate firewall rules enabling the communication via the SIP protocol.
To enable support for the SIP protocol, proceed as follows:
On the SIP tab, enable SIP protocol support.
Click the toggle switch.
The toggle switch turns amber and the Global SIP Settings area becomes editable.
Make the following settings:
SIP Server Networks: Here you can add or select the SIP servers (provided by your ISP) the SIP clients should be allowed to connect to; for security reasons, do not select Any. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
SIP Client Networks: Add or select the hosts/networks of the SIP clients that should be allowed to initiate or respond to a SIP communication. A SIP client is an endpoint in the LAN that participates in real-time, two-way communications with another SIP client. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Expectation mode: Select how strict the initializing of communication sessions should be:
Strict: Incoming calls are only allowed from the ISP's registrar, i.e. the IP address the REGISTER SIP message was sent to. Additionally, Sophos UTM on AWS only accepts media (voice or video) data sessions from signaling endpoints, i.e., the devices that exchanged the SIP message. Some providers send the media data from another IP address than the SIP message, which will be rejected by Sophos UTM on AWS.
Client/server networks: Incoming calls are allowed from all clients of the defined SIP server or client networks. Media data is accepted from another sender IP address than the one that sent the SIP message, provided that the address belongs to the defined SIP server or client networks.
Any: Incoming calls as well as media data are permitted from anywhere.
Caution – Using the expectation mode Any without the necessary firewall rules (Network Protection > Firewall > Rules), introduces a serious security risk and opens your appliance up to abuse from the Internet.
Your settings will be saved.
The toggle switch turns green.