D-Link DFL-2500 User Manual

Page 154


Maximum Sessions per ID

The number of simultaneous sessions that a single peer can be
involved with is restricted by this value. The default number
is 5.

Maximum Registration Time

The maximum time for registration with a SIP Registrar. The
default value is 3600 seconds.

SIP Request-Response Timeout

The maximum time allowed for responses to SIP requests. A
timeout condition occurs after this wait. The default is 180
seconds.

SIP Signal Timeout

The maximum time allowed for SIP sessions. The default
value is 43200 seconds.

Data Channel Timeout

The maximum time allowed for periods with no traffic in a
SIP session. A timeout condition occurs if this value is
exceeded. The default value is 120 seconds.

SIP Setup Summary

For setup we will assume a scenario where there is an office with VOIP users on a private internal
network and the network's topology will be hidden using NAT. This scenario is illustrated below.

The SIP proxy in the above diagram could alternatively be located remotely across the Internet. The
SIP proxy server should be configured with the feature Record-Route Enabled to ensure all SIP
traffic to and from the office peers will be sent through the SIP Proxy. This is recommended since
the attack surface is minimized by allowing only SIP signalling from the SIP Proxy to enter the
local network. The steps to follow are:

Note

SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal
in a setup. For instance the Simple Traversal of UDP through NATs (STUN) technique
should not be used. The NetDefendOS SIP ALG will take care of all traversal issues
with NAT in a SIP setup.
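
A check for the Record-Route recommendation above, as an added example that is not part of the D-Link manual: it parses a captured SIP response and reports whether the office proxy appears in the Record-Route header. The host name proxy.example.com and the sample messages are constructed assumptions.

```python
import re

def parse_headers(raw):
    """Return {lowercased header name: [values]} for one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)   # unfold continuation lines
    headers = {}
    for line in head.split("\n")[1:]:       # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def host_of(uri_body):
    """Host part of 'user@host:port;params', lowercased; handles [IPv6]."""
    hostport = uri_body.split(";", 1)[0].split("@")[-1]
    if hostport.startswith("["):
        return hostport[1:hostport.index("]")].lower()
    return hostport.split(":", 1)[0].lower()

def record_route_hosts(raw):
    """Hosts named in Record-Route, in header order."""
    hosts = []
    for value in parse_headers(raw).get("record-route", []):
        # One header line may carry several comma-separated entries.
        hosts += [host_of(u) for u in re.findall(r"<sips?:([^>]+)>", value, re.I)]
    return hosts

def routes_via_proxy(raw, proxy_host):
    """True if the Record-Route entries include the office SIP proxy."""
    return proxy_host.lower() in record_route_hosts(raw)

# Constructed sample responses (example.com names, RFC 5737 address).
_COMMON = ("From: <sip:alice@example.com>;tag=a1\r\n"
           "To: <sip:bob@example.net>;tag=b2\r\n"
           "Call-ID: constructed-1@example.com\r\n"
           "CSeq: 1 INVITE\r\n"
           "Contact: <sip:bob@198.51.100.7:5060>\r\n"
           "Content-Length: 0\r\n\r\n")
GOOD = "SIP/2.0 200 OK\r\nRecord-Route: <sip:proxy.example.com;lr>\r\n" + _COMMON
FOLDED = ("SIP/2.0 200 OK\r\nRecord-Route: <sip:edge.example.net;lr>,\r\n"
          " <sip:proxy.example.com:5060;lr>\r\n" + _COMMON)
BAD = "SIP/2.0 200 OK\r\n" + _COMMON        # proxy did not record-route

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("folded", FOLDED), ("bad", BAD)):
        print(label, record_route_hosts(msg),
              routes_via_proxy(msg, "proxy.example.com"))
```

A response to an INVITE that lacks the proxy in Record-Route indicates that later in-dialog requests may bypass the proxy, which is the condition the recommendation is meant to prevent.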

1. Define a SIP ALG object using the options described above.

2. A Service object is used for the ALG which has the above SIP ALG associated with it. The
   Service should have:

   - Destination Port set to 5060

   - Type set to UDP

3. Define two rules in the IP rule set:

6.2.7. SIP

Chapter 6. Security Mechanisms
