About the SIP-ALG

If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323 ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your Firebox. An ALG is created in the same way as a proxy policy and offers similar configuration options. These ALGs have been created to work in a NAT environment to maintain security for privately-addressed conferencing equipment behind the Firebox.

H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You can use both H.323 and SIP-ALGs at the same time, if necessary. To determine which ALG you need to add, consult the documentation for your VoIP devices or applications.

There is no default policy for SIP-ALG traffic. Before you configure SIP-ALG, you must create a proxy policy to handle the traffic. For instructions to add the SIP-ALG to your Firebox configuration, go to Add a Proxy Policy to Your Configuration.

For supported deployment configurations, go to Example VoIP Network Diagrams.

VoIP Components

It is important to understand that you usually implement VoIP with either:

Peer-to-peer connections

In a peer-to-peer connection, each of the two devices knows the IP address of the other device and connects to the other directly without the use of a proxy server to route their calls.

Host-based connections

In a host-based connection, a call management system (PBX) manages the connections. The call management system can be self-hosted, or hosted by a third-party service provider.

In the SIP standard, two key components of call management are the SIP Registrar and the SIP Proxy. Together, these components manage connections hosted by the call management system. The WatchGuard SIP-ALG opens and closes the ports necessary for SIP to operate. The WatchGuard SIP-ALG supports SIP trunks. It can support both the SIP Registrar and the SIP Proxy when used with a call management system that is external to the Firebox.

It can be difficult to coordinate the many components of a VoIP installation. We recommend you make sure that VoIP connections work successfully before you add an H.323 or SIP-ALG. This can help you to troubleshoot any problems.

Instant Messaging Support

The SIP-ALG supports page-based instant messaging (IM) as part of the default SIP protocol. You do not have to complete any additional configuration steps to use IM with the SIP-ALG.

ALG Functions

When you use a SIP-ALG, your Firebox:

  • Routes traffic for VoIP applications
  • Opens the ports necessary to make and receive calls, and to exchange audio and video media
  • Makes sure that VoIP connections use standard SIP protocols
  • Generates log messages for auditing purposes
  • Supports SIP presence through the use of the SIP Publish method. This allows softphone users to see peer status.

Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports automatically. The H.323 and SIP-ALGs also perform this function. You must disable NAT on your VoIP devices if you configure an H.323 or SIP-ALG.
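
The following Python sketch is an added example, not WatchGuard code and not part of the original page. It shows in general terms what opening media ports and operating in a NAT environment involve for a SIP ALG: read the SDP body of an INVITE to learn which media ports the call needs, and replace the phone's private address with a public one. The sample message, the addresses, and the function names media_pinholes and rewrite_for_nat are constructed for illustration; how the Firebox implements this internally is not described here.

```python
import re

# Constructed sample INVITE from a privately addressed phone (not captured traffic).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.1.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@10.0.1.20", "CSeq: 1 INVITE",
    "Contact: <sip:alice@10.0.1.20:5060>",
    "Content-Type: application/sdp", "Content-Length: 114", "",
    "v=0", "o=alice 1 1 IN IP4 10.0.1.20", "s=-", "c=IN IP4 10.0.1.20", "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 0 RTP/AVP 31",  # port 0: stream not in use, no port to open
    ""])

def media_pinholes(sip_message):
    """Return (media, ip, rtp_port) for each active stream in the SDP body."""
    body = sip_message.partition("\r\n\r\n")[2]
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if streams:
                streams[-1][1] = ip   # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            streams.append([media, session_ip, int(port.split("/")[0])])
    return [tuple(s) for s in streams if s[2] != 0]

def rewrite_for_nat(sip_message, private_ip, public_ip):
    """Swap the private address in Via, Contact and SDP o=/c= lines only."""
    head, _, body = sip_message.partition("\r\n\r\n")
    addr = re.compile(r"(?<![\d.])" + re.escape(private_ip) + r"(?![\d.])")
    body = "\r\n".join(addr.sub(public_ip, l) if l[:2] in ("o=", "c=") else l
                       for l in body.split("\r\n"))
    out = []
    for l in head.split("\r\n"):
        name = l.split(":", 1)[0].lower()
        if name in ("via", "contact"):
            l = addr.sub(public_ip, l)
        elif name == "content-length":
            l = "Content-Length: %d" % len(body.encode())  # body size changed
        out.append(l)
    return "\r\n".join(out) + "\r\n\r\n" + body
```

If the phone also rewrites these fields itself, the two translations conflict, which is one reason NAT must be disabled on the VoIP devices when an ALG is in the path.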

Configure the SIP-ALG

Related Topics

About Proxy Policies and ALGs

About the H.323-ALG