If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323 ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your XTM device. An ALG is created in the same way as a proxy policy and offers similar configuration options. These ALGs have been created to work in a NAT environment to maintain security for privately-addressed conferencing equipment behind the XTM device.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You can use both H.323 and SIP-ALGs at the same time, if necessary. To determine which ALG you need to add, consult the documentation for your VoIP devices or applications.
For supported deployment configurations, see Example VoIP Network Diagrams.
It is important to understand that you usually implement VoIP with either:
- Peer-to-peer connections. In a peer-to-peer connection, each of the two devices knows the IP address of the other device and connects to the other directly without the use of a proxy server to route their calls.
- Connections managed by a call management system (PBX). The call management system can be self-hosted, or hosted by a third-party service provider.
In the SIP standard, two key components of call management are the SIP Registrar and the SIP Proxy. Together, these components manage connections hosted by the call management system. The WatchGuard SIP-ALG opens and closes the ports necessary for SIP to operate. The WatchGuard SIP-ALG supports SIP trunks. It can support both the SIP Registrar and the SIP Proxy when used with a call management system that is external to the XTM device.
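To make concrete what opening and closing "the ports necessary for SIP to operate" involves, the following added Python example (not WatchGuard code and not part of the original page) shows how a SIP-aware gateway can derive the media ports to open from the SDP body of an INVITE. The sample message, its addresses and the function name `media_pinholes` are constructed for illustration, and RTCP on the RTP port plus one is the usual convention, assumed here.

```python
import ipaddress

# Constructed sample (not captured traffic): INVITE from a phone on a private subnet.
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 31\r\n"
)
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.1.20:5060;branch=z9hG4bKconstructed\r\n"
    "Contact: <sip:alice@10.0.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n\r\n" + SDP
)

def media_pinholes(sip_message):
    """Return [(ip, udp_port, purpose, is_private)] that the signaling asks to be opened."""
    _, _, sdp = sip_message.partition("\r\n\r\n")    # SDP body follows the blank line
    session_ip, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2].split("/")[0]       # drop any multicast TTL suffix
            if media:
                media[-1]["ip"] = ip                 # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append({"kind": kind, "ip": session_ip, "port": int(port.split("/")[0])})
    holes = []
    for m in media:
        if m["port"] == 0 or m["ip"] is None:        # port 0 = stream declined, nothing to open
            continue
        private = ipaddress.ip_address(m["ip"]).is_private   # private address needs NAT to be reachable
        holes.append((m["ip"], m["port"], m["kind"] + " RTP", private))
        holes.append((m["ip"], m["port"] + 1, m["kind"] + " RTCP", private))  # assumed: RTP port + 1
    return holes

if __name__ == "__main__":
    for hole in media_pinholes(INVITE):
        print(hole)
```

Because the media ports are negotiated per call inside the signaling, a static port-forward rule cannot anticipate them; the ports are opened for the call and closed again when it ends.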
It can be difficult to coordinate the many components of a VoIP installation. We recommend you make sure that VoIP connections work successfully before you add an H.323 or SIP-ALG. This can help you to troubleshoot any problems.
The SIP-ALG supports page-based instant messaging (IM) as part of the default SIP protocol. You do not have to complete any additional configuration steps to use IM with the SIP-ALG.
When you use a SIP-ALG, your XTM device:
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports automatically. The H.323 and SIP-ALGs also perform this function. You must disable NAT on your VoIP devices if you configure an H.323 or SIP-ALG.
For instructions to add the SIP-ALG to your XTM device configuration, see Add a Proxy Policy to Your Configuration.
If you must change the proxy definition, from the
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.
If Application Control is enabled on your device, you can set the action this proxy uses for Application Control.
For more information, see Enable Application Control in a Policy.
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to a Policy.
To apply a Traffic Management action in a policy:
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, see About Proxy Actions.
To configure the proxy action:
For the SIP-ALG, you can configure these categories of settings for a proxy action:
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.
For more information on the options for this tab, see:
About Proxy Policies and ALGs
About the H.323-ALG