Example SIP messages

The following example SIP INVITE request message was sent by PhoneA to PhoneB. The first nine lines are the SIP headers. The SDP profile starts with v=0 and the media part of the session profile is the last line, starting with m=.

INVITE sip:PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 10.31.101.50:5060

From: PhoneA <sip:PhoneA@10.31.101.20> To: PhoneB <sip:PhoneB@172.20.120.30> Call-ID: 314159@10.31.101.20

CSeq: 1 INVITE

Contact: sip:PhoneA@10.31.101.20

Content-Type: application/sdp

Content-Length: 124 v=0

o=PhoneA 5462346 332134 IN IP4 10.31.101.20 s=Let’s Talk

t=0 0

c=IN IP4 10.31.101.20 m=audio 49170 RTP 0 3

The following example shows a possible 200 OK SIP response message in response to the previous INVITE request message. The response includes 200 OK which indicates success, followed by an echo of the original SIP INVITE request followed by PhoneB’s SDP profile.

SIP/2.0 200 OK

Via: SIP/2.0/UDP 10.31.101.50:5060

From: PhoneA <sip:PhoneA@10.31.101.20> To: PhoneB <sip:PhoneB@172.20.120.30> Call-ID: 314159@10.31.101.20

CSeq: 1 INVITE

Contact: sip:PhoneB@10.31.101.30

Content-Type: application/sdp

Content-Length: 107 v=0

o=PhoneB 124333 67895 IN IP4 172.20.120.30 s=Hello!

t=0 0

c=IN IP4 172.20.120.30 m=audio 3456 RTP 0

SIP can support multiple media streams for a single SIP session. Each media steam will have its own c= and m=

lines in the body of the message. For example, the following message includes three media streams:

INVITE sip:PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 10.31.101.20:5060

From: PhoneA <sip:PhoneA@10.31.101.20> To: PhoneB <sip:PhoneB@172.20.120.30> Call-ID: 314159@10.31.101.20

CSeq: 1 INVITE

Contact: sip:PhoneA@10.31.101.20

Content-Type: application/sdp

Content-Length: 124 v=0

o=PhoneA 5462346 332134 IN IP4 10.31.101.20 s=Let’s Talk

t=0 0

c=IN IP4 10.31.101.20 m=audio 49170 RTP 0 3 c=IN IP4 10.31.101.20 m=audio 49172 RTP 0 3 c=IN IP4 10.31.101.20 m=audio 49174 RTP 0 3

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

The SIP message body and SDP session profiles

Leave a reply

The SIP message body and SDP session profiles

The SIP message body describes the session to be initiated. For example, in a SIP phone call the body usually includes audio codec types, sampling rates, server IP addresses and so on. For other types of SIP session the body could contain text or binary data of any type which relates in some way to the session. The message body is included in request and response messages.

Two possible SIP message body types:

Session Description Protocol (SDP), most commonly used for SIP VoIP.
Multipurpose Internet Mail Extensions (MIME)

SDP is most often used for VoIP and FortiGate units support SDP content in SIP message bodies. SDP is a text- based protocol used by SIP to control media sessions. SDP does not deliver media but provides a session profile that contains media details, transport addresses, parameter negotiation, and other session description metadata for the participants in a media session. The participants use the information in the session profile to negotiate how to communicate and to manage the media session. SDP is described by RFC 4566.

An SDP session profile always contains session information and may contain media information. Session information appears at the start of the session profile and media information (using the m= attribute) follows.

SDP session profiles can include the attributes listed inthe following table.

SDP session profile attributes

Attribute Description

a= Attributes to extend SDP in the form a=<attribute> or a=<a- ttribute>:<value>.

b= Contains information about the bandwidth required for the session or media in the form b=<bandwidth_type>:<bandwidth>.

c= Connection data about the session including the network type (usually IN for Internet), address type (IPv4 or IPv6), the connection source address, and other optional inform- ation. For example:

c=IN IPv4 10.31.101.20

A text string that contains information about the session. For example:

i=A audio presentation about SIP

k= Can be used to convey encryption keys over a secure and trusted channel. For example:

k=clear:444gdduudjffdee

Media information, consisting of one or more lines all starting with m= and containing details about the media including the media type, the destination port or ports used by the media, the protocol used by the media, and a media format description.

m=audio 49170 RTP 0 3 m-video 3345/2 udp 34

m-video 2910/2 RTP/AVP 3 56

Multiple media lines are needed if SIP is managing multiple types of media in one ses-

m= sion (for example, separate audio and video streams).

Multiple ports for a media stream are indicated using a slash. 3345/2 udp means UDP ports 3345 and 3346. Usually RTP uses even-numbered ports for data with the corresponding one-higher odd ports used for the RTCP session belonging to the RTP session. So 2910/2 RTP/AVP means ports 2910 and 2912 are used for RTP and 2911 and 2913 are used for RTCP.

Media types include udp for an unspecified protocol that uses UDP, RTP or RTP/AVP for standard RTP and RTP/SAVP for secure RTP.

Attribute Description

o= The sender’s username, a session identifier, a session version number, the network type (usually IN for Internet), the address type (for example, IPv4 or IPv6), and the sending device’s IP address. The o= field becomes a universal identifier for this ver- sion of this session description. For example:

o=PhoneA 5462346 332134 IN IP4 10.31.101.20

Repeat times for a session. Used if a session will be repeated at one or more timed intervals. Not normally used for VoIP calls. The times can be in different formats. For

r= example:

r=7d 1h 0 25h r=604800 3600 0 90000

s= Any text that describes the session or s= followed by a space. For example:

s=Call from inviter

The start and stop time of the session. Sessions with no time restrictions (most VoIP

t= calls) have a start and stop time of 0.

t=0 0

v= SDP protocol version. The current SDP version is 0 so the v= field is always:

v=0

Time zone adjustments. Used for scheduling repeated sessions that span the time

z= between changing from standard to daylight savings time.

z=2882844526 -1h 2898848070 0

SIP response messages

Leave a reply

SIP response messages

SIP response messages (often just called SIP responses) provide status information in response to SIP request messages. All SIP response messages include a response code and a reason phrase. There are five SIP response message classes. They are described below.

There are also two types of SIP response messages, provisional and final. Final response messages convey the result of the request processing, and are sent reliably. Provisional responses provide information on the progress of the request processing, but may not be sent reliably. Provisional response messages start with 1xx and are also called informational response messages.

Informational (or provisional)

Informational or provisional responses indicate that a request message was received and imply that the endpoint is going to process the request. Information messages may not be sent reliably and may not require an acknowledgement.

If the SIP implementation uses Provisional Response Acknowledgement (PRACK) (RFC 3262) then informational or provisional messages are sent reliably and require a PRACK message to acknowledge that they have been received.

Informational responses can contain the following reason codes and reason phrases:

100 Trying

180 Ringing

181 Call is being forwarded

182 Queued

183 Session progress

Success

Success responses indicate that a request message was received, understood, and accepted. Success responses can contain the following reason codes and reason phrases:

200 OK

202 Accepted

Redirection

Redirection responses indicate that more information is required for the endpoint to respond to a request message. Redirection responses can contain the following reason codes and reason phrases:

300 Multiple choices

301 Moved permanently

302 Moved temporarily

305 Use proxy

380 Alternative service

Client error

Client error responses indicate that a request message was received by a server that contains syntax that the server cannot understand (i.e. contains a syntax error) or cannot comply with. Client error responses include the following reason codes and reason phrases:

400 Bad request 401 Unauthorized

402 Payment required 403 Forbidden

404 Not found 405 Method not allowed

406 Not acceptable 407 Proxy authentication required

408 Request time-out 409 Conflict

410 Gone 411 Length required

413 Request entity too large 414 Request-URL too large

415 Unsupported media type 420 Bad extension

480 Temporarily not available

481 Call leg/transaction does not exist

482 Loop detected

484 Address incomplete 483 Too many hops

486 Busy here 485 Ambiguous

488 Not acceptable here 487 Request canceled

Server error

Server error responses indicate that a server was unable to respond to a valid request message. Server error responses include the following reason codes and reason phrases:

500 Server internal error

501 Not implemented

502 Bad gateway

502 Service unavailable

504 Gateway time-out

505 SIP version not supported

Global failure

Global failure responses indicate that there are no servers available that can respond to a request message. Global failure responses include the following reason codes and reason phrases:

600 Busy everywhere

603 Decline

604 Does not exist anywhere

606 Not acceptable

SIP message start line

The first line in a SIP message is called the start line. The start line in a request message is called the request- line and the start line in a response message is called the status-line.

Request-line The first line of a SIP request message. The request-line includes the SIP message type, the SIP protocol version, and a Request URI that indicates the user or service to which this request is being addressed. The following example request-line specifies the INVITE message type, the address of the sender of the message (inviter-@example.com), and the SIP version:

INVITE sip:inviter@example.com SIP/2.0

Status–line

The first line of a SIP response message. The status-line includes the SIP protocol ver- sion, the response code, and the reason phrase. The example status-line includes the SIP version, the response code (200) and the reason phrase (OK).

SIP/2.0 200 OK

SIP headers

Following the start line, SIP messages contain SIP headers (also called SIP fields) that convey message attributes and to modify message meaning. SIP headers are similar to HTTP header fields and always have the following format:

<header_name>:<value>

SIP messages can include the SIP headers listed in the following table:

SIP headers

SIP Header Description

Allow Lists the set of SIP methods supported by the UA generating the message. All meth- ods, including ACK and CANCEL, understood by the UA MUST be included in the list of methods in the Allow header field, when present. For example:

Allow: INVITE, ACK, OPTIONS, CANCEL, BYE

Call–ID

A globally unique identifier for the call, generated by the combination of a random string and the sender’s host name or IP address. The combination of the To, From, and Call-ID headers completely defines a peer-to-peer SIP relationship between the sender and the receiver. This relationship is called a SIP dialog.

Call-ID: ddeg45e793@10.31.101.30

Contact Included in SIP request messages, the Contact header contains the SIP URI of the sender of the SIP request message. The receiver uses this URI to contact the sender. For example:

Contact: Sender <sip:sender@10.31.100.20>t

Content-Length

The number of bytes in the message body (in bytes).

Content-Length: 126

SIP Header Description

Content-Type In addition to SIP headers, SIP messages include a message body that contains information about the content or communication being managed by the SIP session. The Content-Type header specifies what the content of the SIP message is. For example, if you are using SIP with SDP, the content of the SIP message is SDP code.

Content-Type: application/sdp

CSeq

The command sequence header contains a sequence integer that is increased for each new SIP request message (but is not incremented in the response message). This header also incudes the request name found in the request message request- line. For example:

CSeq: 1 INVITE

Expires Gives the relative time after which the message (or content) expires. The actual time and how the header is used depends on the SIP method. For example:

Expires: 5

From

Identifies the sender of the message. Responses to a message are sent to the address of the sender. The following example includes the sender’s name (Sender) and the sender’s SIP address (sender@10.31.101.20.):

From: Sender <sip:sender@10.31.101.20>

Max-forwards An integer in the range 0-255 that limits the number of proxies or gateways that can forward the request message to the next downstream server. Also called the number of hops, this value is decreased every time the message is forwarded. This can also be useful when the client is attempting to trace a request chain that appears to be failing or looping in mid-chain.

For example: Max-Forwards: 30

P–Asserted–Iden– tity

The P-Asserted-Identity header is used among trusted SIP entities to carry the identity of the user sending a SIP message as it was verified by authentication. See RFC

3325. The header contains a SIP URI and an optional display-name, for example:

P-Asserted-Identity: “Example Person” <sip:10.31.101.50>

RAck Sent in a PRACK request to support reliability of information or provisional response messages. It contains two numbers and a method tag. For example:

RAck: 776656 1 INVITE

SIP Header Description

Record–Route

Inserted into request messages by a SIP proxy to force future requests to be routed through the proxy. In the following example, the host at IP address 10.31.101.50 is a SIP proxy. The lr parameter indicates the URI of a SIP proxy in Record-Route head- ers.

Record-Route: <sip:10.31.101.50;lr>

Route Forces routing for a request message through one or more SIP proxies. The following example includes two SIP proxies:

Route: <sip:172.20.120.10;lr>, <sip:10.31.101.50;lr>

RSeq

The RSeq header is used in information or provisional response messages to support reliability of informational response messages. The header contains a single numeric value. For example:

RSeq: 33456

To Identifies the receiver of the message. The address in this field is used to send the message to the receiver. The following example includes the receiver’s name (Receiver) and the receiver’s SIP address (receiver@10.31.101.30.):

To: Receiver <sip:receiver@10.31.101.30>

Via

Indicates the SIP version and protocol to be used for the SIP session and the address to which to send the response to the message that contains the Via field. The fol- lowing example Via field indicates to use SIP version 2, UDP for media com- munications, and to send the response to 10.31.101.20 using port 5060.

Via: SIP/2.0/UDP 10.31.101.20:5060

SIP request messages

Leave a reply

SIP request messages

SIP sessions always start with a SIP request message (also just called a SIP request). SIP request messages also establish, maintain, and terminate SIP communication sessions. The following table lists some common SIP request message types.

Common SIP request message types

Message Type Description

INVITE A client sends an INVITE request to invite another client to participate in a multimedia session. The INVITE request body usually contains the description of the session.

ACK

The originator of an INVITE message sends an ACK request to confirm that the final response to an INVITE request was received. If the INVITE request did not contain the session description, it must be included in the ACK request.

PRACK In some cases, SIP uses provisional response messages to report on the progress of the response to a SIP request message. The provisional response messages are sent before the final SIP response message. Similar to an ACK request message, a PRACK request message is sent to acknowledge that a provisional response message has been received.

OPTIONS

The UA uses OPTIONS messages to get information about the capabilities of a SIP proxy. The SIP proxy server replies with a description of the SIP methods, session description protocols, and message encoding that are supported.

BYE A client sends a BYE request to end a session. A BYE request from either end of the SIP session terminates the session.

CANCEL

A client sends a CANCEL request to cancel a previous INVITE request. A CANCEL request has no effect if the SIP server processing the INVITE sends a final response to the INVITE before receiving the CANCEL.

REGISTER A client sends a REGISTER request to a SIP registrar server with information about the current location (IP address and so on) of the client. A SIP registrar server saves the information it receives in REGISTER requests and makes this information avail- able to any SIP client or server attempting to locate the client.

Info For distributing mid-session signaling information along the signaling path for a SIP call. I

Subscribe For requesting the current state and state updates of a remote node.

Notify Informs clients and servers of changes in state in the SIP network.

Refer Refers the recipient (identified by the Request-URI) to a third party according to the contact information in the request.

Message Type Description

Update Opens a pinhole for new or updated SDP information.

Response codes (1xx, 202, 2xx, 3xx, 4xx, 5xx, 6xx)

Indicates the status of a transaction. For example: 200 OK, 202 Accepted, or 400 Bad Request.

SIP messages and media protocols

Leave a reply

SIP messages and media protocols

This section provides an overview of SIP messages and how they communicate information about SIP sessions and how SDP, RTP, and RTCP fits in with SIP communications.

SIP uses clear text messages to start, maintain, and end media sessions between SIP user agent clients (UACs) and user agent servers (UASs). These messages form a SIP dialog. A typical SIP dialog begins with an INVITE request message sent from a UAC to another UAC or to a UAS. The first INVITE request message attempts to start a SIP call and includes information about the sending UAC and the receiving UAC as well as information about the communication session.

If only two UACs are involved as shown below, the receiving UAC (Phone B) responds with a 180 Ringing and then a 200 OK SIP response message that informs Phone A that Phone B received and accepted the request. Phone A then sends an ACK message to notify Phone B that the SIP response was received. Phone A and Phone B can then participate in the RTP media session set up by the SIP messages.

When the phone call is complete, one of the UACs (in the example Phone B) hangs up sending a BYE request message to Phone A. Phone A then sends a 200 OK response to Phone B acknowledging that the session has ended.

Basic SIP dialog between two UACs

SIP Phone A (Sending UAC PhoneA@10.31.101.20)

SIP Phone B (Receiving UAC PhoneB@10.31.101.30)

1. INVITE (SIP request message to invite SIP Phone B to start a SIP session)

2. 180 Ringing (SIP ringing response to the INVITE request)

3. 200 OK (SIP response to the INVITE request to inform SIP Phone A that the request is accepted)

4. ACK (SIP request message to confirm that SIP Phone A received the response from SIP Phone B)

5. RTP Media session between Phone A and Phone B.

6. BYE (SIP request message from SIP Phone B to end the SIP session)

7. 200 OK (SIP response to the BYE request to end the SIP session)

If a UAS in the form of a SIP proxy server is involved, similar messages are sent and received, but the proxy server participates as an intermediary in the initial call setup. In the example below the SIP proxy server receives the INVITE request from Phone A and forwards it to Phone B. The proxy server then sends a 100 Trying response to Phone A. Phone B receives the INVITE request and responds with a 180 Ringing and then a 200 OK SIP response message. These messages are received by the proxy server and forwarded to Phone A to notify Phone A that Phone B received and accepted the request. Phone A then sends an ACK message to notify Phone B that the SIP response was received. This response is received by the proxy server and forwarded to Phone B. Phone A and Phone B can then participate in the media session independently of the proxy server.

When the phone call is complete Phone B hangs up sending a BYE request message to Phone A. Phone A then sends a 200 OK response to Phone B acknowledging that the session has ended.

Basic SIP dialog between UACs with a SIP proxy server UAS

SIP Phone A (Sending UAC PhoneA@10.31.101.20)

SIP Proxy Server

(UAS

10.31.101.40)

SIP Phone B (Receiving UAC PhoneB@10.31.101.30)

1. INVITE (SIP request message to invite SIP Phone B to start a SIP session)

3. 100 Trying (UAS informs Phone A of trying to contact Phone B)

2. INVITE (Forwarded by the UAS to Phone B)

5. 180 Ringing (Forwarded by the UAS to Phone A)

4. 180 Ringing (SIP ringing response to the INVITE request)

7. 200 OK (Forwarded by the UAS to Phone A)

6. 200 OK (SIP response to the INVITE request to inform SIP Phone A that the request is accepted)

8. ACK (SIP request message to confirm that SIP Phone A received the response from SIP Phone B)

9. RTP Media session between Phone A and Phone B.

10. BYE (SIP request message from SIP Phone B to end the SIP session)

11. 200 OK (SIP response to the BYE request to end the SIP session)

The SIP messages include SIP headers that contain names and addresses of Phone A, Phone B and the proxy server. This addressing information is used by the UACs and the proxy server during the call set up.

The SIP message body includes Session Description Protocol (SDP) statements that Phone A and Phone B use to establish the media session. The SDP statements specify the type of media stream to use for the session (for example, audio for SIP phone calls) and the protocol to use for the media stream (usually the Real Time Protocol (RTP) media streaming protocol).

Phone A includes the media session settings that it would like to use for the session in the INVITE message. Phone B includes its response to these media settings in the 200 OK response. Phone A’s ACK response confirms the settings that Phone A and Phone B then use for the media session.

Hardware accelerated RTP processing

FortiGate units can offload RTP packet processing to network processor (NP) interfaces. This acceleration greatly enhance the overall throughput and resulting in near speed RTP performance.

SIP with a FortiGate unit

Leave a reply

SIP with a FortiGate unit

Depending on your security requirements and network configuration FortiGate units may be in many different places in a SIP configuration. This section shows a few examples.

The diagram below shows a FortiGate unit installed between a SIP proxy server and SIP phones on the same network. The FortiGate unit is operating in Transparent mode so both the proxy server and the phones are on the same subnet. In this configuration, called SIP inspection without address translation, the FortiGate unit could be protecting the SIP proxy server on the private network by implementing SIP security features for SIP sessions between the SIP phones and the SIP proxy server.

SIP network with FortiGate unit in Transparent mode

SIP phones register with SIP proxy server

SIP Phone A (PhoneA@10.31.101.20)

Phone A dials Phone B by sending an INVITE request to the SIP proxy server

RTP media session opens when Phone B answers

SIP Phone B (PhoneB@10.31.101.30)

FortiGate unit

in Transparent mode

SIP proxy server

10.31.101.50

Phone B is notified of incoming call by proxy server

– phone rings

The proxy server looks up the SIP address of Phone B and forwards the INVITE request to Phone B

The phones and server use the same SIP dialogs as they would if the FortiGate unit was not present. However, the FortiGate unit can be configured to control which devices on the network can connect to the SIP proxy server and can also protect the SIP proxy server from SIP vulnerabilities.

The following diagram shows a FortiGate unit operating in NAT/Route mode and installed between a private network and the Internet. Some SIP phones and the SIP proxy server are connected to the private network and some SIP phones are connected to the Internet. The SIP phones on the Internet can connect to the SIP proxy server through the FortiGate unit and communication between SIP phones on the private network and SIP phones on the Internet must pass through the FortiGate unit.

SIP network with FortiGate unit in NAT/Route mode

FortiGate-620B Cluster In NAT/Route mode

Port2

10.11.101.1

P rt1

172.20.

72.20 120.141

SIP proxy server

Virtual IP: 172.20.120.50

SIP Phone A (PhoneA@10.31.101.20)

SIP proxy server

10.31.101.50

SIP phone B registers with

SIP Phone B

SIP phone A registers with

SIP proxy server

using the SIP proxy server virtual IP

(PhoneB@172.20.120.30)

Phone A dials Phone B

by sending an INVITE request to the SIP proxy server

The proxy server looks up the SIP address of Phone B and forwards the INVITE request to Phone B

Phone B is notified of incoming call by proxy server – phone rings

RTP Media session opens when between Phone A and Phone B whe Phone B answers

The phones and server use the same SIP dialog as they would if the FortiGate unit was not present. However, the FortiGate unit can be configured to control which devices on the network can connect to the SIP proxy server and can also protect the SIP proxy server from SIP vulnerabilities. In addition, the FortiGate unit has a firewall virtual IP that forwards packets sent to the SIP proxy server Internet IP address (172.20.120.50) to the SIP proxy server internal network IP address (10.31.101.30).

Since the FortiGate unit is operating in NAT/Route mode it must translate packet source and destination IP addresses (and optionally ports) as the sessions pass through the FortiGate unit. Also, the FortiGate unit must translate the addresses contained in the SIP headers and SDP body of the SIP messages. As well the FortiGate unit must open SIP and RTP pinholes through the FortiGate unit. SIP pinholes allow SIP signalling sessions to pass through the FortiGate between phones and between phones and SIP servers. RTP pinholes allow direct RTP communication between the SIP phones once the SIP dialog has established the SIP call. Pinholes are opened automatically by the FortiGate unit. Administrators do not add security policies for pinholes or for RTP sessions. All that is required is a security policy that accepts SIP traffic.

Opening an RTP pinhole means opening a port on a FortiGate interface to allow RTP traffic to use that port to pass through the FortiGate unit between the SIP phones on the Internet and SIP phones on the internal network. A pinhole only accepts packets from one RTP session. Since a SIP call involves at least two media streams (one from Phone A to Phone B and one from Phone B to Phone A) the FortiGate unit opens two RTP pinholes. Phone A sends RTP packets through a pinhole in port2 and Phone B sends RTP packets through a pinhole in port1. The FortiGate unit opens the pinholes when required by the SIP dialog and closes the pinholes when the SIP call is completed. The FortiGate unit opens new pinholes for each SIP call.

Each RTP pinhole actually includes two port numbers. The RTP port number as defined in the SIP message and an RTCP port number, which is the RTP port number plus 1. For example, if the SIP call used RTP port 3346 the FortiGate unit would create a pinhole for ports 3346 and 3347.

Common SIP VoIP configurations

Leave a reply

Common SIP VoIP configurations

This section describes some common SIP VoIP configurations and simplified SIP dialogs for these configurations. This section also shows some examples of how adding a FortiGate unit affects SIP processing.

Peer to peer configuration

In the peer to peer configuration shown below, two SIP phones (in the example, FortiFones) communicate directly with each other. The phones send SIP request and response messages back and forth between each other to establish the SIP session.

SIP peer to peer configuration

Phone A dials Phone B by sending an INVITE request

Phone B is notified of incoming call – phone rings SIP Phone A (PhoneA@10.31.101.20)

RTP Media session opens when Phone B answers SIP Phone B (PhoneB@10.31.101.30)

Peer to peer configurations are not very common because they require the SIP phones to keep track of the names and addresses of all of the other SIP phones that they can communicate with. In most cases a SIP proxy or re- direct server maintains addresses of a large number of SIP phones and a SIP phone starts a call by contacting the SIP proxy server.

SIP proxy server configuration

A SIP proxy server act as intermediary between SIP phones and between SIP phones (for example, two FortiFones) and other SIP servers. As shown below, SIP phones send request and response messages the SIP proxy server. The proxy server forwards the messages to other clients or to other SIP proxy servers. Proxy servers can hide SIP phones by proxying the signaling messages. To the other users on the VoIP network, the signaling invitations look as if they come from the SIP proxy server.

SIP in proxy mode

SIP Proxy Server

The proxy server looks up the SIP address of Phone B and forwards the INVITE request to Phone B
Phone A dials Phone B by sending an INVITE request to the SIP proxy server SIP phones register with SIP proxy server
RTP Media session opens when Phone B answers
Phone B is notified of incoming call by proxy server – phone rings

SIP Phone A SIP Phone B

(PhoneA@10.31.101.20) (PhoneB@10.31.101.30)

A common SIP configuration would include multiple networks of SIP phones. Each of the networks would have its own SIP server. Each SIP server would proxy the communication between phones on its own network and between phones in different networks.

SIP redirect server configuration

A SIP redirect server accepts SIP requests, maps the addresses in the request into zero or more new addresses and returns those addresses to the client. The redirect server does not initiate SIP requests or accept calls. As shown below, SIP clients send INVITE requests to the redirect server, which then looks up the destination address. The redirect server returns the destination address to the client. The client uses this address to send the INVITE request directly to the destination SIP client.

SIP in redirect model

SIP Redirect Server

The redirect server looks up the SIP address of Phone B and sends Phone B’s address back to Phone A

Phone A dials Phone B by sending an INVITE request to the redirect server
SIP phones register with SIP redirect server
Phone A sends the INVITE request to Phone B
RTP Media session opens when Phone B answers
Phone B is otified of incoming call by Phone A – phone rings

SIP Phone A SIP Phone B

(PhoneA@10.31.101.20) (PhoneB@10.31.101.30)

SIP registrar configuration

A SIP registrar accepts SIP REGISTER requests from SIP phones for the purpose of updating a location database with this contact information. This database can then become a SIP location service that can be used by SIP proxy severs and redirect servers to locate SIP clients. As shown below, SIP clients send REGISTER requests to the SIP registrar.

SIP registrar and proxy servers

SIP Proxy Server

Phone A dials Phone B

by sending an INVITE request to the SIP proxy server

The SIP proxy server looks up Phone A and Phone B on the registrar

Phone B is notified of incoming call by proxy server – phone rings

RTP Media session opens when Phone B answers

SIP Phone A SIP Phone B

(PhoneA@10.31.101.20)

(PhoneB@10.31.101.30)

SIP phones register with the SIP registrar

Chapter 29 – VoIP Solutions: SIP

Leave a reply

Chapter 29 – VoIP Solutions: SIP

This FortiOS Handbook chapter contains the following sections: FortiGate VoIP solutions–SIP describes FortiGate SIP support.

FortiGate VoIP solutions–SIP

The Session Initiation Protocol (SIP) is an IETF application layer signaling protocol used for establishing, conducting, and terminating multiuser multimedia sessions over TCP/IP networks using any media. SIP is often used for Voice over IP (VoIP) calls but can be used for establishing streaming communication between end points.

SIP employs a request and response transaction model similar to HTTP for communicating between endpoints. SIP sessions being with a SIP client sending a SIP request message to another client to initiate a multimedia session. The other client responds with a SIP response message. Using these request and response messages, the clients engage in a SIP dialog to negotiate how to communicate and then start, maintain, and end the communication session.

SIP commonly uses TCP or UDP port 5060 and/or 5061. Port 5060 is used for non-encrypted SIP signaling sessions and port 5061 is typically used for SIP sessions encrypted with SSL or TLS.

Devices involved in SIP communications are called SIP User Agents (UAs) (also sometimes called a User Element (UE)). UAs include User Agent Clients (UACs) that communicate with each other and User Agent Servers (UASs) that facilitate communication between UACs. For a VoIP application, an example of a UAC would be a SIP phone and an example of a UAS would be a SIP proxy server.

A SIP message contain headers that include client and server names and addresses required for the communication sessions. The body of a SIP message contains Session Description Protocol (SDP) statements that establish the media communication (port numbers, protocols and codecs) that the SIP UAs use. SIP VoIP most commonly uses the Real Time Protocol (RTP) and the Real Time Control Protocol (RTCP) for voice communication. Once the SIP dialog establishes the SIP call the VoIP stream can run independently, although SIP messages can affect the VoIP stream by changing port numbers or addresses and by ending it.

Once SIP communication and media settings are established, the UAs communicate with each using the established media settings. When the communication session is completed, one of the UAs ends the session by sending a final SIP request message and the other UA sends a SIP response message and both UAs end the SIP call and stop the media stream.

FortiGate units provide security for SIP communications using the SIP session helper and the SIP ALG:

The SIP session-helper provides basic high-performance support for SIP calls passing through the FortiGate unit by opening SIP and RTP pinholes and performing source and destination IP address and port translation for SIP and RTP packets and for the IP addresses and port numbers in the SIP headers and the SDP body of the SIP messages. For more about the SIP session helper, see The SIP session helper on page 2753.
The SIP Application Layer Gateway (ALG) provides the same features as the session helper plus additional advanced features such as deep SIP message inspection, SIP logging, SIP IPv6 support, SIP message checking, HA failover of SIP sessions, and SIP rate limiting. For more about the SIP ALG, see The SIP ALG on page 2759.

All SIP traffic is processed by the SIP ALG by default. You can change the default setting using the following command:

config system settings

set default-voip-alg-mode {proxy-based | kernel-helper-based}

end

The default is proxy-based, which means the SIP ALG is used. If set to kernel-helper-based, the SIP session helper is used. If a SIP session is accepted by a firewall policy with a VoIP profile, the session is processed using the SIP ALG even if default-voip-alg-mode is set to kernel-helper-based.

If a SIP session is accepted by a firewall policy that does not include a VoIP profile:

If default-voip-alg-mode is set to proxy-based, SIP traffic is processed by the SIP ALG using the default VoIP profile.
If default-voip-alg-mode is set to kernel-helper-based, SIP traffic is processed by the SIP session helper. If the SIP session help has been removed, then no SIP processing takes place.

On a FortiGate unit with multiple VDOMs, whether to use the ALG or the session helper is set per-VDOM.

There are a large number of SIP-related Internet Engineering Task Force (IETF) documents (Request for Comments) that define behavior of SIP and related applications. FortiGate units provide complete support of RFC 3261 for SIP, RFC 4566 for SDP and RFC 3262 for Provisional Response Acknowledgment (PRACK). FortiGate units also provide support for other SIP and SIP-related RFCs and performs Deep SIP message inspection on page 2808 for SIP statements defined in other SIP RFCs.