Enabling Managed Devices Using Incoming DIP
Use an incoming DIP to enable the managed device to handle incoming Session Initiation Protocol (SIP) calls. SIP is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions (such as conferencing, telephony, or multimedia) over the Internet. SIP is used to distribute the session description, to negotiate and modify the parameters of an existing session, and to terminate a multimedia session.
SIP is a predefined service that uses port 5060 as the destination port. To specify the SIP service in the Service column of a firewall rule, you must select the predefined service group VoIP, which includes the H.323 and SIP service objects.
To use SIP, a caller must register with the registrar before SIP proxies and location servers can identify where the caller wants to be contacted. A caller can register one or more contact locations by sending a REGISTER message to the registrar. The REGISTER message contains the address-of-record URI and one or more contact URIs. When the registrar receives the message, it creates bindings in a location service that associates the address-of-record with the contact addresses.
The security device monitors outgoing REGISTER messages from SIP users, performs NAT on these addresses, and stores the information in an incoming DIP table. When the device receives an INVITE message from the external network, it uses the incoming DIP table to identify which internal host to route the INVITE message to.
To enable the device to perform NAT on incoming SIP calls, you must configure an interface DIP or DIP pool on the egress interface of the device. A single interface DIP is adequate for handling incoming calls in a small office; a DIP pool is recommended for larger networks or an enterprise environment.
SIP uses UDP as its transport protocol. When using your managed device to handle SIP traffic, you might also want to enable UDP Flood Protection. For details on configuring UDP Flood Protection, see Configuring Flood Defense Settings for Preventing Attacks.