Soo Wei Kang | 15 Aug 11:18

sipx redundancy firewall/NAT issue

Hi,

I’m using the latest sipx build 3.10.2-013143 and I’ve installed it on 2 machines for redundancy, namely sip1 and sip2. So, some SIP clients will log in to “sip1” and some will log in to “sip2” based on DNS SRV query.

For example, we have a client with username “alice@example.com” registering to sip1 and another client with username “bob@example.com” to sip2. The Domain is “example.com”. When alice makes a call to bob, an INVITE message is sent from alice to sip1. Then, sip1 will send an INVITE message directly to bob instead of sip2 (note that bob is registered to sip2). This may not be an issue if the client and server are on the same network. But, in a firewall/NAT environment, this could pose some problem because bob is connected to sip2 and not sip1. Any message from sip1 to bob will be rejected.

Is there a way to configure sipx such that if sip1 knows that bob is registered to sip2, it should forward the INVITE to sip2 first and let sip2 send the INVITE to bob?

Thanks.

Regards,

WK

Scott Lawrence | 15 Aug 13:11

Re: sipx redundancy firewall/NAT issue


On Fri, 2008-08-15 at 17:23 +0800, Soo Wei Kang wrote:
> Hi,
> 
>  
> 
> I’m using latest sipx build 3.10.2-013143 and I’ve installed it in 2
> machines for redundancy, namely sip1 and sip2. So, some SIP client
> will login to “sip1” and some will login to “sip2” based on DNS SRV
> query.
> 
>  
> 
> For example, we have a client with username “alice <at> example.com”
> registering to sip1 and another client with username “bob <at> example.com”
> to sip2. The Domain is “example.com”. When alice make a call to bob,
> an INVITE message is sent from alice to sip1. Then, sip1 will send an
> INVITE message directly to bob instead of sip2 (note that bob is
> registered to sip2). This may not be an issue if the client and server
> are on the same network. But, in a firewall/NAT environment, this
> could pose some problem because bob is connected to sip2 and not sip1.
> Any message from sip1 to bob will be rejected.
> 
>  
> 
> Is there a way to configure sipx such that if sip1 knows that bob is
> registered to sip2, it should forward the INVITE to sip2 first and let
> sip2 send the INVITE to bob?

No - putting a NAT between systems in a cluster is not supported.
There's no way to support redundancy when there's a NAT there,
specifically because of the problem you describe.

If what you have is multiple sites with separate NATed networks, then
you should make each its own domain.  Each domain will need an SBC to
traverse the NAT, and then you can use dial rules to route calls between
them as a SIP Trunk.

-- 
Scott Lawrence  tel:+1.781.229.0533;ext=162 or sip:slawrence <at> pingtel.com
  sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
  CTO, Voice Solutions   - Bluesocket Inc. http://www.bluesocket.com/ 
                                           http://www.pingtel.com/

_______________________________________________
sipx-users mailing list
sipx-users <at> list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
Soo Wei Kang | 18 Aug 12:01

Re: sipx redundancy firewall/NAT issue

Hi,

Let me re-phrase my question. In a cluster environment with 1 master (sip1)
and 1 distributed server (sip2), which sit side-by-side on the same
network, I have 1 client with username "alice@example.com" registering to
sip1 and another client with username "bob@example.com" to sip2. alice and
bob are behind different firewalls with NAT.

Public IP:1.2.3.4           Public IP:1.2.3.5
+---------+                 +---------+               
|   sip1  |                 |   sip2  |                              
+---------+                 +---------+
     ^                           ^
     |                           |
     |REGISTER                   |REGISTER
     |                           |
+---------+                 +---------+               
|   fw1   |                 |   fw2   |                              
+---------+                 +---------+
     ^                           ^
     |                           |
     |REGISTER                   |REGISTER
     |                           |
alice <at> example.com          bob <at> example.com
Private IP:                Private IP:
10.0.0.1                   192.168.1.1

Currently, in sipxecs, when alice makes a call to bob, an INVITE message is
sent from alice to sip1. Then, sip1 will send an INVITE message directly to
bob instead of sip2 (note that bob is registered to sip2). But, because bob
is registered to sip2 and not sip1, it's not able to receive the INVITE
message from sip1.

Public IP:1.2.3.4          Public IP:1.2.3.5
+---------+                +---------+               
|   sip1  | -------        |   sip2  |                              
+---------+         \      +---------+
     ^                \             
     |                  \         
     |2:INVITE           \ 3:INVITE
     |                    V (firewall blocked)     
+---------+               +---------+               
|   fw1   |               |   fw2   |                              
+---------+               +---------+
     ^                         
     |                         
     |1:INVITE                 
     |                         
alice <at> example.com          bob <at> example.com
Private IP:                Private IP:
10.0.0.1                   192.168.1.1

Is there a way to configure sipxecs such that if sip1 knows that bob is
registered to sip2, it should forward the INVITE to sip2 first and let sip2
send the INVITE to bob?

Public IP:1.2.3.4          Public IP:1.2.3.5
+---------+    3:INVITE    +---------+               
|   sip1  | -------------->|   sip2  |                              
+---------+                +---------+
     ^                         |     
     |                         |   
     |2:INVITE                 |4:INVITE
     |                         V                    
+---------+                +---------+               
|   fw1   |                |   fw2   |                              
+---------+                +---------+
     ^                         |
     |                         |5:INVITE
     |1:INVITE                 |
     |                         V
alice <at> example.com          bob <at> example.com
Private IP:                Private IP:
10.0.0.1                   192.168.1.1

Since bob is registered to sip2, all SIP messages to bob should be from sip2
in order to avoid any problem with Firewall/NAT, something like what
symmetric response routing does(?).

Regards,
WK

-----Original Message-----
From: Scott Lawrence [mailto:slawrence <at> pingtel.com] 
Sent: 15 August 2008 19:12
To: soowk <at> ngc.com.my
Cc: sipx-users <at> list.sipfoundry.org
Subject: Re: [sipx-users] sipx redundancy firewall/NAT issue

On Fri, 2008-08-15 at 17:23 +0800, Soo Wei Kang wrote:
> Hi,
> 
>  
> 
> I'm using latest sipx build 3.10.2-013143 and I've installed it in 2
> machines for redundancy, namely sip1 and sip2. So, some SIP client
> will login to "sip1" and some will login to "sip2" based on DNS SRV
> query.
> 
>  
> 
> For example, we have a client with username "alice <at> example.com"
> registering to sip1 and another client with username "bob <at> example.com"
> to sip2. The Domain is "example.com". When alice make a call to bob,
> an INVITE message is sent from alice to sip1. Then, sip1 will send an
> INVITE message directly to bob instead of sip2 (note that bob is
> registered to sip2). This may not be an issue if the client and server
> are on the same network. But, in a firewall/NAT environment, this
> could pose some problem because bob is connected to sip2 and not sip1.
> Any message from sip1 to bob will be rejected.
> 
>  
> 
> Is there a way to configure sipx such that if sip1 knows that bob is
> registered to sip2, it should forward the INVITE to sip2 first and let
> sip2 send the INVITE to bob?

No - putting a NAT between systems in a cluster is not supported.
There's no way to support redundancy when there's a NAT there,
specifically because of the problem you describe.

If what you have is multiple sites with separate NATed networks, then
you should make each its own domain.  Each domain will need an SBC to
traverse the NAT, and then you can use dial rules to route calls between
them as a SIP Trunk.

-- 
Scott Lawrence  tel:+1.781.229.0533;ext=162 or sip:slawrence <at> pingtel.com
  sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
  CTO, Voice Solutions   - Bluesocket Inc. http://www.bluesocket.com/ 
                                           http://www.pingtel.com/
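
The blocked and the requested INVITE paths from the 18 Aug diagrams, as an added example that is not part of the thread or of sipXecs: a toy model of fw2 whose binding, opened by bob's REGISTER to sip2, admits inbound packets only from the address bob contacted. The filtering behaviour, fw2's public address and the port numbers are assumptions; the server and private IPs are the ones in the diagrams.

```python
# Added illustration: fw2 modelled as an address-restricted NAT.
# Assumptions (not from the thread): fw2's public address, the port numbers,
# and that fw2 filters inbound packets by remote IP.
from dataclasses import dataclass, field

SIP1, SIP2 = "1.2.3.4", "1.2.3.5"       # public IPs from the diagrams
BOB_PRIVATE = ("192.168.1.1", 5060)     # bob's private IP from the diagrams
FW2_PUBLIC_IP = "203.0.113.20"          # constructed placeholder address


@dataclass
class AddressRestrictedNat:
    public_ip: str
    next_port: int = 40000
    # public port -> (inside endpoint, remote IPs the inside host has contacted)
    bindings: dict = field(default_factory=dict)

    def outbound(self, inside, remote_ip):
        """Inside host sends to remote_ip: create or reuse its binding."""
        for port, (endpoint, allowed) in self.bindings.items():
            if endpoint == inside:
                allowed.add(remote_ip)
                return (self.public_ip, port)
        port = self.next_port
        self.next_port += 1
        self.bindings[port] = (inside, {remote_ip})
        return (self.public_ip, port)

    def inbound(self, source_ip, public_port):
        """Return the inside endpoint if the packet is admitted, else None."""
        entry = self.bindings.get(public_port)
        if entry is None or source_ip not in entry[1]:
            return None
        return entry[0]


def deliver_invite(path, nat, contact):
    """Send an INVITE along a list of proxy IPs; only the last hop faces the NAT."""
    return nat.inbound(path[-1], contact[1])


def demo():
    fw2 = AddressRestrictedNat(FW2_PUBLIC_IP)
    contact = fw2.outbound(BOB_PRIVATE, SIP2)   # bob's REGISTER to sip2 opens the pinhole
    direct = deliver_invite([SIP1], fw2, contact)                # sip1 -> bob
    via_registrar = deliver_invite([SIP1, SIP2], fw2, contact)   # sip1 -> sip2 -> bob
    return direct, via_registrar
```

`demo()` returns `None` for the direct sip1 path and bob's private endpoint for the path that exits through sip2, which is the difference between the second and third diagrams.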

Scott Lawrence | 18 Aug 19:28

Re: sipx redundancy firewall/NAT issue


On Mon, 2008-08-18 at 18:01 +0800, Soo Wei Kang wrote:
> 
> Let me re-phrase my question. In a cluster environment with 1 master (sip1)
> and 1 distributed server (sip2), which sits side-by-side on the same
> network, I have 1 client with username "alice <at> example.com" registering to
> sip1 and another client with username "bob <at> example.com" to sip2. alice and
> bob are behind different firewalls with NAT.

At present, registering phones from behind a NAT is not supported -
whether or not the system is HA.

Supporting this is a goal of the 4.0 release.

-- 
Scott Lawrence  tel:+1.781.229.0533;ext=162 or sip:slawrence <at> pingtel.com
  sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
  CTO, Voice Solutions   - Bluesocket Inc. http://www.bluesocket.com/ 
                                           http://www.pingtel.com/

Raymund Nones | 19 Aug 01:43

Re: sipx redundancy firewall/NAT issue

you could use opensbc

phone ---> opensbc --> sipx

just download it at http://www.opensipstack.org

raymund

On 8/18/08, Scott Lawrence <slawrence <at> pingtel.com> wrote:
>
> On Mon, 2008-08-18 at 18:01 +0800, Soo Wei Kang wrote:
> >
> > Let me re-phrase my question. In a cluster environment with 1 master (sip1)
> > and 1 distributed server (sip2), which sits side-by-side on the same
> > network, I have 1 client with username "alice <at> example.com" registering to
> > sip1 and another client with username "bob <at> example.com" to sip2. alice and
> > bob are behind different firewalls with NAT.
>
> At present, registering phones from behind a NAT is not supported -
> whether or not the system is HA.
>
> Supporting this is a goal of the 4.0 release.
>
> --
> Scott Lawrence  tel:+1.781.229.0533;ext=162 or sip:slawrence <at> pingtel.com
>  sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
>  CTO, Voice Solutions   - Bluesocket Inc. http://www.bluesocket.com/
>                                           http://www.pingtel.com/
