Using SIP-over-TLS phones behind CheckPoint firewa...

Vladimir_Ostrov · ‎2019-04-07

Hi all,

To your knowledge, is it possible to place a SIP phone behind a firewall and make it communicate with a SIP server (gateway, PBX) somewhere on Internet, while encrypting the SIP traffic by TLS (let's say, SIP control channel is over TCP)? Given that FW also works as a NAT gateway?

As I understand from VoIP Administration Guide, it's not possible. Unlike FortiGate, Checkpoint FW doesn't support TLS inspection (full man-in-the-middle) for SIP. But I may be wrong.

And without inspection, FW won't be able to interpret SIP signaling and open ports for outgoing or, especially, incoming RTP connections from the PBX to the phone.

Is my understanding correct? Has someone tried such configuration?

Thanks,

Vladimir.

Vladimir_Ostrov · ‎2019-04-08

The “Legacy Solution for SIP TLS Support” section describes solution, where all high ports are open for incoming traffic (so security is sacrificed for ability to use SIP signalling over TLS without inspection) – but how it’s supposed to work in NAT environment?

Let’s say, some phone behind the FW signalled to PBX that it’s ready to accept traffic on UDP port 12345 – but this signalling occurred over TLS, so it’s opaque for the FW.

When PBX will send RTP packets to public IP of the firewall and to port 12345 – how can FW know, to which internal IP to forward these packets to?

The guide doesn’t explain this.

Vladimir_Ostrov · ‎2019-05-08

We got a response from CheckPoint support that such configuration isn't possible.
CheckPoint FW can't inspect (by "lawful" MITM) SIP-over-TLS traffic, and without such inspection SIP won't work.

Are you a member of CheckMates?

Using SIP-over-TLS phones behind CheckPoint firewall