ShoreTel SIP, Mobility Router & the Firewall (Part 1)
This is not a SIP tutorial, only an overview of the issues that affect remote SIP phones on any iPBX. When you set up a SIP call between two endpoints, there are upwards of four “holes” that might need to be punched in your firewall for the call to work properly. First there is the process of registering a remote phone, then the process of setting up a call. Once those have been negotiated, there is the media stream between the two phones. Generally, registration and call setup take place over TCP/UDP port 5060 on a public IP address that terminates on your firewall, and the firewall forwards that port to your SIP proxy or iPBX, which lives on your internal private network. (Take note of “public” and “private” IP; we will come back to that.)
Once the call is set up, there is a “mouth to ear” path for each leg of the call. These “dial peers” are really just media streams. They run over UDP using the RTP protocol, one port for each “mouth to ear” stream, so that is two more ports open on the firewall. Each RTP stream also has a companion RTCP (RTP Control Protocol) stream on its own UDP port, conventionally the RTP port plus one, so we need to open two more ports on your firewall. To summarize: TCP/UDP port 5060 is open on your firewall all the time, and four UDP ports are open for each active phone call. Your firewall is starting to look like a sponge.
You don’t have to be a network security guru to see that this strategy has some obvious challenges! 12-year-old elementary school kids run port scanners looking for open 5060 and then run SIPVicious in hopes of registering a rogue phone. Throw in the fact that your ISP may or may not block 5060, and/or refuse to pass the same ports, and you have the makings of a SIP nightmare! SIP was never designed to traverse from private to public IP addresses either: the phone writes its own private address into the Via and Contact headers and into the SDP body, and that address means nothing on the public side of the NAT. So we have SIP-aware firewalls (SIP ALGs) and session border controllers to help us out. These devices, among other features, police ports, opening and closing them as required when a legitimate connection is needed between an inside phone and an outside phone. They also translate between the public IP address and the internal private address, keeping an internal scratch list of who is using what and closing ports when done to reduce exposure.
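As an added illustration (not code from the original post, and not ShoreTel's), here is a small Python script that does what a SIP-aware firewall has to do with an incoming INVITE: pull the phone's embedded addresses out of Via, Contact and the SDP c= line, work out the RTP and RTCP ports that need per-call pinholes beside the always-open 5060, flag that the embedded addresses are RFC 1918 and so useless on the public side, and perform the address rewrite a SIP ALG or border controller would do. The INVITE, the SDP, the private address 192.168.1.50 and the observed public address 203.0.113.7 are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample SDP, as a remote phone behind a NAT would send it. Note
# the RFC 1918 address in the c= line and the RTP port in the m= line.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 53655765 2353687637 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed INVITE carrying that SDP. Via and Contact also carry the phone's
# private address, which is exactly what plain NAT breaks.
SAMPLE_INVITE = (
    "INVITE sip:2001@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2002@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:2001@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:2002@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)

# Public address the firewall actually saw the packet arrive from (constructed).
OBSERVED_SOURCE = "203.0.113.7"

_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
# Checked explicitly: ipaddress.is_private also covers documentation ranges
# such as 203.0.113.0/24, which this example uses as its "public" address.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _RFC1918)


def split_message(raw):
    """(start line, headers, body). Headers map a lowercase name to a list of
    values, since headers such as Via may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def signaling_addresses(headers):
    """(header, host, port) for every address the phone put in Via and Contact."""
    found = []
    for name in ("via", "contact"):
        for value in headers.get(name, []):
            m = _HOSTPORT.search(value)
            if m:
                found.append((name, m.group(1), int(m.group(2) or 5060)))
    return found


def media_ports(body):
    """(connection IP, RTP port, RTCP port) from the first audio m= line. RTCP is
    RTP+1 by RFC 3550 convention unless an a=rtcp: attribute (RFC 3605) overrides it."""
    c_ip = rtp = rtcp = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            c_ip = line.split()[2]
        elif line.startswith("m=audio ") and rtp is None:
            rtp = int(line.split()[1])
            rtcp = rtp + 1
        elif line.startswith("a=rtcp:") and rtp is not None:
            rtcp = int(line[len("a=rtcp:"):].split()[0])
    return c_ip, rtp, rtcp


def analyze(raw, observed_src):
    """What a SIP-aware firewall needs from one INVITE: the embedded addresses,
    whether they are private (so NAT has broken them), and the (public address,
    port) pairs the PBX side must exchange RTP/RTCP with, beside port 5060."""
    _, headers, body = split_message(raw)
    c_ip, rtp, rtcp = media_ports(body)
    embedded = [ip for _, ip, _ in signaling_addresses(headers)] + [c_ip]
    embedded = [ip for ip in embedded if ip]
    needs_fixup = any(is_rfc1918(ip) and ip != observed_src for ip in embedded)
    pinholes = [("udp", observed_src, p) for p in (rtp, rtcp) if p]
    return {"embedded": sorted(set(embedded)), "needs_fixup": needs_fixup,
            "rtp_port": rtp, "rtcp_port": rtcp, "pinholes": pinholes}


def alg_rewrite(raw, public_ip):
    """The translation step of a SIP ALG / border controller: swap the private
    address in Via, Contact and the SDP o=/c= lines for the public one and fix
    Content-Length. Call-ID is an opaque identifier and is deliberately left alone."""
    head, _, body = raw.partition("\r\n\r\n")

    def fix(line):
        return _IPV4.sub(lambda m: public_ip if is_rfc1918(m.group(0)) else m.group(0), line)

    new_head = "\r\n".join(fix(l) if l.lower().startswith(("via:", "contact:")) else l
                           for l in head.split("\r\n"))
    new_body = "\r\n".join(fix(l) if l.startswith(("o=", "c=")) else l
                           for l in body.split("\r\n"))
    new_head = re.sub(r"(?im)^Content-Length:\s*\d+", f"Content-Length: {len(new_body)}", new_head)
    return new_head + "\r\n\r\n" + new_body
```

Run `analyze(SAMPLE_INVITE, OBSERVED_SOURCE)` to see the two media ports (16384 and 16385) that join 5060 on the firewall for this one call, and `alg_rewrite(...)` to see what the border controller hands to the PBX. One caveat a real border controller also has to handle: the NAT in front of the phone may remap the source ports as well as the address, so products typically "latch" onto whatever port the first RTP packet actually arrives from rather than trusting the SDP port alone.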
Is there a better way? What if we could create a secure “tunneling strategy”? Not a VPN, but a strategy for getting the SIP call control and the media stream to move through a single firewall port? Sound like a winner? A SIP proxy tunnel combines all SIP (signaling) and RTP (media) VoIP packets from one location (typically a remote office) and delivers them to and from another location (typically the PBX server) using a custom TCP protocol. This simple concept lets us use the SIP proxy tunnel to overcome difficult situations or to simplify a network scenario.
The SIP Proxy Tunnel can be used for the following reasons:
Resolve issues of NAT Traversal at both the remote and the PBX location
Simplify Firewall configuration at both the remote and the PBX location
Overcome difficulties with ISPs that block VoIP Traffic based on port numbers
Allow VoIP over WiFi in some restricted locations, such as hotel rooms
“Fix” firewalls that cannot handle VoIP traffic correctly, or that are very difficult or problematic to configure correctly, such as:
Microsoft ISA Server
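To make the single-port idea concrete, here is an added Python sketch (not ShoreTel's code, and not its actual wire protocol) of the multiplexing a SIP proxy tunnel has to do: the remote-office end wraps each SIP message and each RTP/RTCP datagram in a small frame and writes them all down one TCP connection; the PBX end reassembles frames from the byte stream, which, unlike UDP, has no packet boundaries. The channel ids, the three-byte header and the REGISTER/RTP/RTCP samples are all constructed for the example.

```python
import struct

# Hypothetical framing for the tunnel (not ShoreTel's actual wire protocol):
# one byte channel id + two-byte big-endian payload length, then the payload.
CH_SIP, CH_RTP, CH_RTCP = 0, 1, 2
HEADER = struct.Struct("!BH")
MAX_PAYLOAD = 0xFFFF


def frame(channel, payload):
    """Wrap one SIP message or one RTP/RTCP datagram for the TCP stream."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for 16-bit length field")
    return HEADER.pack(channel, len(payload)) + payload


def build_rtp(seq, timestamp, ssrc, payload, payload_type=0):
    """Minimal RTP packet: V=2, no padding/extension/CSRC, 12-byte header."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


class TunnelDemux:
    """Reassembles frames from a TCP byte stream. TCP has no datagram boundaries,
    so a frame may arrive split across reads, or several may arrive in one read."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        frames = []
        while len(self.buf) >= HEADER.size:
            channel, length = HEADER.unpack_from(self.buf)
            if len(self.buf) < HEADER.size + length:
                break  # hold the partial frame until the rest arrives
            start = HEADER.size
            frames.append((channel, self.buf[start:start + length]))
            self.buf = self.buf[start + length:]
        return frames


def mux(packets):
    """Combine (channel, payload) pairs into one byte stream, as the remote-site
    end of the tunnel would before writing to its single TCP connection."""
    return b"".join(frame(ch, pl) for ch, pl in packets)


def demux_in_chunks(stream, chunk_size):
    """Feed the stream to the PBX-side demuxer in reads of chunk_size bytes."""
    demux = TunnelDemux()
    out = []
    for i in range(0, len(stream), chunk_size):
        out.extend(demux.feed(stream[i:i + chunk_size]))
    return out, demux.buf


# Constructed traffic: one SIP REGISTER, two 20 ms G.711 frames (160 bytes
# each) and one RTCP sender-report-shaped packet, all of which would normally
# need separate firewall ports.
SAMPLE_PACKETS = [
    (CH_SIP, b"REGISTER sip:pbx.example.com SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"),
    (CH_RTP, build_rtp(1000, 160000, 0xDEADBEEF, b"\xff" * 160)),
    (CH_RTP, build_rtp(1001, 160160, 0xDEADBEEF, b"\xff" * 160)),
    (CH_RTCP, b"\x80\xc8\x00\x06" + b"\x00" * 24),
]
```

`mux(SAMPLE_PACKETS)` is what goes down the one open port; `demux_in_chunks(stream, 7)` shows the other end recovering the same four packets even when the bytes arrive in awkward pieces. Note that this framing only shows the multiplexing: the post calls the tunnel "secure" but does not say how the endpoint authenticates the remote side or protects the stream, and once everything rides one port, that tunnel endpoint is the piece you have to harden.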
What if “remote” also means a mobile phone? When a user is roaming around with a SIP softphone extension on their cell phone, we have no idea what IP address they will be connecting from! The answer (excuse the pun) is an Android or iPhone application that creates the tunnel from your mobile phone, brings up your iPBX extension, and lets you move your desk outside, down the hall or across the globe. At the end of the day this would be a true mobility router. Last year ShoreTel acquired Agito Networks and obtained this very same technology, and it is an outstanding solution. The ShoreTel Mobility Router and Roam Anywhere cell phone client can do all this SIP magic and even move your call seamlessly between WiFi and cellular while you’re walking out to the parking lot. How great is that?