Hi all,
To your knowledge, is it possible to place a SIP phone behind a firewall and make it communicate with a SIP server (gateway, PBX) somewhere on the Internet, while encrypting the SIP traffic with TLS (let's say the SIP control channel is over TCP)? Given that the FW also works as a NAT gateway?
As I understand from the VoIP Administration Guide, it's not possible. Unlike FortiGate, Check Point FW doesn't support TLS inspection (full man-in-the-middle) for SIP. But I may be wrong.
And without inspection, the FW won't be able to interpret SIP signaling and open ports for outgoing or, especially, incoming RTP connections from the PBX to the phone.
Is my understanding correct? Has anyone tried such a configuration?
Thanks,
Vladimir.
The “Legacy Solution for SIP TLS Support” section describes a solution where all high ports are open for incoming traffic (so security is sacrificed for the ability to use SIP signalling over TLS without inspection) – but how is it supposed to work in a NAT environment?
Let’s say some phone behind the FW signalled to the PBX that it’s ready to accept traffic on UDP port 12345 – but this signalling occurred over TLS, so it’s opaque to the FW.
When the PBX sends RTP packets to the public IP of the firewall on port 12345 – how can the FW know which internal IP to forward these packets to?
The guide doesn’t explain this.
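An added illustration (not from this thread and not Check Point's code) of the mechanism the post above describes: a SIP-aware firewall learns which RTP/RTCP ports to open, and which internal address to map them to, by parsing the SDP body of cleartext signalling; handed an opaque TLS record it has nothing to parse, so no dynamic NAT mapping can be derived. The SIP message, addresses and TLS bytes below are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: a phone at 192.168.1.20 behind the NAT firewall offers
# to receive RTP on UDP 12345 (the scenario in the post above).
SDP_BODY = (
    "v=0\r\n"
    "o=phone 1 1 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 12345 RTP/AVP 0 8\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:pbx@example.net SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n\r\n" + SDP_BODY
).encode("ascii")
# Constructed stand-in for what the firewall sees once signalling is TLS:
# a TLS application-data record header followed by ciphertext.
OPAQUE_TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(32))

@dataclass(frozen=True)
class Pinhole:
    internal_ip: str
    port: int
    proto: str = "udp"

def sdp_pinholes(message: bytes) -> list[Pinhole]:
    # Returns the RTP/RTCP pinholes an ALG would open for cleartext SIP.
    # Raises ValueError when the bytes are not readable SIP, which is the
    # SIP-over-TLS-without-inspection case: no pinhole, no NAT mapping.
    try:
        text = message.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("signalling is not readable") from exc
    if not re.match(r"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3})\r\n", text):
        raise ValueError("signalling is not readable")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        raise ValueError("no SDP body")
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    if conn is None:
        raise ValueError("SDP has no connection address")
    holes = []
    for m in re.finditer(r"^m=\w+ (\d+)(?:/\d+)? \S+", body, re.M):
        rtp = int(m.group(1))
        holes.append(Pinhole(conn.group(1), rtp))      # RTP
        holes.append(Pinhole(conn.group(1), rtp + 1))  # RTCP
    return holes
```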
We got a response from Check Point support that such a configuration isn't possible.
Check Point FW can't inspect (by "lawful" MITM) SIP-over-TLS traffic, and without such inspection SIP won't work.