

FortiGates support the Real Time Protocol (RTP) application layer protocol for the VoIP call audio stream. RTP uses dynamically assigned port numbers that can change during a call. The SIP control messages that start a call, and those sent during the call, inform the callers of the port number to use and of any port number changes during the call. During a call, each RTP session will usually have a corresponding Real Time Control Protocol (RTCP) session.

By default, the RTCP session port number is one higher than the RTP port number. The RTP port number is included in the m= line of the SDP profile. In the example above, the SIP INVITE message includes RTP port number 49170, so the RTCP port number would be 49171. In the SIP response message the RTP port number is 3456, so the RTCP port number would be 3457.

The SIP ALG requires the following information to create a pinhole. Some of it the SIP ALG extracts from SIP messages and some the SIP ALG supplies itself:

Protocol: UDP (extracted from SIP messages by the SIP ALG).

Destination IP address: The SIP ALG extracts the destination IP address from the c= line in the SDP profile. The c= line can appear in either the session part or the media part of the SDP profile. The SIP ALG uses the IP address in the c= line of the media part first. If the media part does not contain a c= line, the SIP ALG checks the c= line in the session part. If the session part does not contain a c= line either, the packet is dropped. Pinholes for RTP and RTCP sessions share the same destination IP address.

Destination port: The SIP ALG extracts the destination port number for RTP from the m= line and adds 1 to this number to get the RTCP port number.

Lifetime: The length of time during which the pinhole will be open. When the lifetime ends, the SIP ALG removes the pinhole. The SIP ALG keeps RTP pinholes open as long as the SIP session is alive; when the associated SIP session is terminated, whether by the SIP ALG or by the SIP phones or servers participating in the call, the RTP pinhole is closed.

The figure below shows a simplified call setup sequence that shows how the SIP ALG opens pinholes. Phone A and Phone B are installed on either side of a FortiGate operating in transparent mode, so Phone A and Phone B are on the same subnet. The FortiGate includes a security policy that accepts SIP sessions from port1 to port2 and from port2 to port1. The FortiGate does not require an RTP security policy, just the SIP policy: the media pinholes are derived from the SDP in the SIP messages and closed with the SIP session.

You can see from this diagram that the SDP profile in the INVITE request from Phone A indicates that Phone A is expecting to receive a media stream sent to its IP address using port 4000 for RTP and port 4001 for RTCP. The SIP ALG creates pinhole 1 to allow this media traffic to pass through the FortiGate. Pinhole 1 is opened on the port2 interface and accepts media traffic sent from Phone B to Phone A. When Phone B receives the INVITE request from Phone A, Phone B knows to send media streams to Phone A using destination IP address 10.31.101.20 and ports 4000 and 4001. The 200 OK response sent from Phone B indicates that Phone B is expecting to receive a media stream sent to its IP address using ports 80. The SIP ALG creates pinhole 2 to allow this media traffic to pass through the FortiGate.
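The pinhole rules above (c= precedence with a drop when no c= line exists, RTCP port = RTP port + 1, lifetime tied to the SIP session) and the pinhole 1 / pinhole 2 call flow, as an added worked example in Python. This is not FortiGate code and not Fortinet's implementation, only a model of the behaviour the text describes. The SDP bodies are constructed; Phone A's address 10.31.101.20 and ports 4000/4001 come from the text, while Phone B's address 10.31.101.30, its ports 8000/8001, and the 300-second lifetime are assumptions made for the example.

```python
# Added toy model of the SIP ALG pinhole rules described above; not FortiGate code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    interface: str          # FortiGate interface on which the inbound media is accepted
    dst_ip: str
    dst_port: int
    kind: str               # "RTP" or "RTCP"
    protocol: str = "UDP"   # media pinholes are always UDP


def parse_sdp_media(sdp):
    """Return [(dst_ip, rtp_port), ...] per m= line, or None if the ALG must drop it.

    A c= line inside the media part wins; otherwise the session-level c= is
    used; if neither exists there is no destination and the packet is dropped.
    """
    session_ip, media = None, []            # media: [[rtp_port, media_level_ip], ...]
    for line in sdp.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        if key == "m":                      # m=<media> <port>[/<count>] <proto> <fmt>...
            media.append([int(value.split()[1].split("/")[0]), None])
        elif key == "c":                    # c=<nettype> <addrtype> <addr>[/<ttl>[/<count>]]
            addr = value.split()[2].split("/")[0]
            if media:
                media[-1][1] = addr         # media part (an m= line was already seen)
            else:
                session_ip = addr           # session part (precedes any m= line)
    result = []
    for rtp_port, media_ip in media:
        ip = media_ip if media_ip is not None else session_ip
        if ip is None:
            return None                     # no c= line anywhere: drop the packet
        result.append((ip, rtp_port))
    return result


def rtcp_port(rtp_port):
    """Default rule: RTCP uses the port one above the RTP port."""
    return rtp_port + 1


class SipAlg:
    """Per-call pinhole table; entries vanish on BYE or when the lifetime ends."""

    def __init__(self, lifetime=300):      # lifetime value is an assumption
        self.lifetime = lifetime
        self.calls = {}                     # call_id -> {"expires": t, "pinholes": set()}

    def on_sdp(self, call_id, sdp, accept_on, now):
        """Open RTP+RTCP pinholes on `accept_on`, the interface facing the party
        that will send the media (the far side from the phone whose SDP this is).
        Returns False if the message is dropped. Refreshes the dialog lifetime."""
        media = parse_sdp_media(sdp)
        if media is None:
            return False
        call = self.calls.setdefault(call_id, {"pinholes": set()})
        call["expires"] = now + self.lifetime
        for ip, rtp in media:
            call["pinholes"].add(Pinhole(accept_on, ip, rtp, "RTP"))
            call["pinholes"].add(Pinhole(accept_on, ip, rtcp_port(rtp), "RTCP"))
        return True

    def on_bye(self, call_id):
        self.calls.pop(call_id, None)       # dialog ended: close every pinhole

    def allows(self, interface, dst_ip, dst_port, now):
        """Would a UDP packet to dst_ip:dst_port arriving on `interface` pass?"""
        for cid in [c for c, v in self.calls.items() if v["expires"] <= now]:
            del self.calls[cid]             # lifetime expired
        return any(p.interface == interface and p.dst_ip == dst_ip and p.dst_port == dst_port
                   for c in self.calls.values() for p in c["pinholes"])


# Constructed SDP bodies, not taken from the page. Phone A's address and ports match
# the text; Phone B's address 10.31.101.30 and ports 8000/8001 are assumptions.
INVITE_SDP_A = ("v=0\no=phoneA 1 1 IN IP4 10.31.101.20\ns=call\n"
                "c=IN IP4 10.31.101.20\nt=0 0\nm=audio 4000 RTP/AVP 0\n")
# Phone B's answer carries both a session-level and a media-level c= to show precedence.
OK_SDP_B = ("v=0\no=phoneB 1 1 IN IP4 10.31.101.30\ns=call\nc=IN IP4 192.0.2.99\n"
            "t=0 0\nm=audio 8000 RTP/AVP 0\nc=IN IP4 10.31.101.30\n")
NO_C_SDP = "v=0\no=x 1 1 IN IP4 10.31.101.20\ns=call\nt=0 0\nm=audio 4000 RTP/AVP 0\n"


def run_call_flow():
    """Replay the INVITE / 200 OK / BYE sequence from the figure and record
    which media packets the FortiGate would pass at each step."""
    alg, r = SipAlg(lifetime=300), {}
    # 1. INVITE from Phone A (port1) to Phone B (port2): pinhole 1 opens on port2,
    #    where Phone B's media to 10.31.101.20:4000/4001 will arrive.
    alg.on_sdp("call-1", INVITE_SDP_A, accept_on="port2", now=0)
    r["b_to_a_rtp_after_invite"] = alg.allows("port2", "10.31.101.20", 4000, now=1)
    r["b_to_a_rtcp_after_invite"] = alg.allows("port2", "10.31.101.20", 4001, now=1)
    r["a_to_b_rtp_after_invite"] = alg.allows("port1", "10.31.101.30", 8000, now=1)
    # 2. 200 OK from Phone B (port2) to Phone A (port1): pinhole 2 opens on port1.
    alg.on_sdp("call-1", OK_SDP_B, accept_on="port1", now=2)
    r["a_to_b_rtp_after_ok"] = alg.allows("port1", "10.31.101.30", 8000, now=3)
    r["a_to_b_rtcp_after_ok"] = alg.allows("port1", "10.31.101.30", 8001, now=3)
    r["unannounced_port"] = alg.allows("port1", "10.31.101.30", 8002, now=3)
    # 3. BYE ends the dialog and closes both pinholes.
    alg.on_bye("call-1")
    r["b_to_a_rtp_after_bye"] = alg.allows("port2", "10.31.101.20", 4000, now=4)
    return r
```

Note the direction rule in `on_sdp`: the SDP in a message describes where its sender wants to receive media, so the pinhole is opened on the interface facing the other party, which is why Phone A's INVITE produces a pinhole on port2 and Phone B's 200 OK one on port1. Media to any address or port not announced in SDP (the 8002 probe above) is still refused, and nothing survives the BYE or the lifetime timer.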
