D-Link NetDefendOS

Note
Clients registering with the proxy on the DMZ will have the IP address of the
DMZ interface as the contact address.
- An Allow rule/policy for outbound traffic from the proxy behind the DMZ interface to the
  remote clients on the Internet.
- An Allow rule/policy for inbound SIP traffic from the SIP proxy behind the DMZ interface
  to the IP address of the NetDefend Firewall. This will have core (in other words,
  NetDefendOS itself) as the destination interface.
  This rule/policy is needed because of the NAT rule/policy above. When an incoming call is
  received, NetDefendOS automatically locates the local receiver, performs address
  translation and forwards SIP messages to the receiver. This is done based on the SIP
  ALG's internal state.
- An Allow rule/policy for inbound traffic from, for example, the Internet to the proxy
  behind the DMZ.
4. If Record-Route is not enabled at the proxy, direct exchange of SIP messages must also be
   allowed between clients, bypassing the proxy. The following additional rules/policies are
   therefore needed when Record-Route is disabled:
   - A NAT rule/policy for outbound traffic from the clients on the internal network to the
     external clients and proxies on, for example, the Internet. The SIP ALG will take care of all
     address translation needed by the NAT rule. The translation will occur both at the IP level
     and the application level.
   - An Allow rule/policy for inbound SIP traffic from, for example, the Internet to the IP
     address of the DMZ interface. This is needed because local clients will be NATed
     using the IP address of the DMZ interface when they register with the proxy located on
     the DMZ.
     This rule/policy has core as the destination interface (in other words, NetDefendOS
     itself). When an incoming call is received, NetDefendOS uses the registration information
     of the local receiver to automatically locate this receiver, perform address translation
     and forward SIP messages to the receiver. This will be done based on the internal state
     of the SIP ALG.
The IP rules/policies needed with Record-Route enabled are:
Name               Action  Src Interface  Src Network  Dest Interface  Dest Network
OutboundToProxy    NAT     lan            lannet       dmz             ip_proxy
OutboundFromProxy  Allow   dmz            ip_proxy     wan             all-nets
InboundFromProxy   Allow   dmz            ip_proxy     core            dmz_ip
InboundToProxy     Allow   wan            all-nets     dmz             ip_proxy
With Record-Route disabled, the following IP rules/policies must be added to those above:
Name                 Action  Src Interface  Src Network  Dest Interface  Dest Network
OutboundBypassProxy  NAT     lan            lannet       wan             all-nets
InboundBypassProxy   Allow   wan            all-nets     core            ipdmz
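
The two rule tables above, modelled as an added example (not NetDefendOS code and not taken from the manual): a first-match evaluator shows which SIP flows each rule set admits, and that the lan-to-wan and wan-to-core openings exist only once the bypass rules are added. The IP values, the flow list, the default drop for unmatched traffic, and treating dmz_ip and ipdmz as the same DMZ interface address are assumptions; service matching and SIP ALG state are not modelled.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name action src_if src_net dst_if dst_net")
# Constructed address book: object names are from the tables, values are assumed.
OBJECTS = {"lannet": "192.168.1.0/24", "ip_proxy": "10.0.0.10/32",
           "dmz_ip": "10.0.0.1/32", "ipdmz": "10.0.0.1/32", "all-nets": "0.0.0.0/0"}

def parse(table):
    # One Rule per row, columns in the same order as the tables above.
    return [Rule(*row.split()) for row in table.strip().splitlines()]

RECORD_ROUTE = parse("""
OutboundToProxy   NAT   lan lannet   dmz  ip_proxy
OutboundFromProxy Allow dmz ip_proxy wan  all-nets
InboundFromProxy  Allow dmz ip_proxy core dmz_ip
InboundToProxy    Allow wan all-nets dmz  ip_proxy
""")
BYPASS = parse("""
OutboundBypassProxy NAT   lan lannet   wan  all-nets
InboundBypassProxy  Allow wan all-nets core ipdmz
""")

def in_net(ip, obj):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[obj])

def decide(rules, src_if, src_ip, dst_if, dst_ip):
    """First matching rule wins; anything unmatched is dropped (modelled default)."""
    for r in rules:
        if ((r.src_if, r.dst_if) == (src_if, dst_if)
                and in_net(src_ip, r.src_net) and in_net(dst_ip, r.dst_net)):
            return f"{r.action}:{r.name}"
    return "Drop:no-match"

# Constructed SIP flows: description, src_if, src_ip, dst_if, dst_ip
FLOWS = [
    ("local client to proxy", "lan", "192.168.1.20", "dmz", "10.0.0.10"),
    ("proxy to remote client", "dmz", "10.0.0.10", "wan", "203.0.113.50"),
    ("proxy to NATed local client", "dmz", "10.0.0.10", "core", "10.0.0.1"),
    ("remote client to proxy", "wan", "203.0.113.50", "dmz", "10.0.0.10"),
    ("local client direct to remote", "lan", "192.168.1.20", "wan", "203.0.113.50"),
    ("remote client direct to local", "wan", "203.0.113.50", "core", "10.0.0.1"),
]

def report(rules):
    return {desc: decide(rules, *flow) for desc, *flow in FLOWS}

if __name__ == "__main__":
    for title, rules in (("enabled", RECORD_ROUTE), ("disabled", RECORD_ROUTE + BYPASS)):
        for desc, verdict in report(rules).items():
            print(f"Record-Route {title:8} {desc:32} {verdict}")
```

Running the same flows through a rule export from a live configuration makes it easy to spot bypass rules that were left in place after Record-Route was enabled at the proxy.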
Chapter 6: Security Mechanisms