Using SIP-over-TLS phones behind a Check Point firewall

Hi all,

To your knowledge, is it possible to place a SIP phone behind a firewall and make it communicate with a SIP server (gateway, PBX) somewhere on the Internet, while encrypting the SIP traffic with TLS (let's say the SIP control channel is over TCP)? Given that the FW also works as a NAT gateway?

As I understand from the VoIP Administration Guide, it's not possible. Unlike FortiGate, the Check Point FW doesn't support TLS inspection (full man-in-the-middle) for SIP. But I may be wrong.

And without inspection, the FW won't be able to interpret the SIP signaling and open ports for outgoing or, especially, incoming RTP connections from the PBX to the phone.

Is my understanding correct? Has anyone tried such a configuration?

Thanks,

Vladimir.

The “Legacy Solution for SIP TLS Support” section describes a solution where all high ports are open for incoming traffic (so security is sacrificed for the ability to use SIP signalling over TLS without inspection), but how is it supposed to work in a NAT environment?

Let’s say some phone behind the FW signalled to the PBX that it’s ready to accept traffic on UDP port 12345, but this signalling occurred over TLS, so it’s opaque to the FW.

When the PBX sends RTP packets to the public IP of the firewall on port 12345, how can the FW know which internal IP to forward these packets to?

The guide doesn’t explain this.

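The problem raised in the question and in the reply above, as an added Python example that is not part of this thread and not Check Point code: a toy version of the SIP inspection (ALG) logic a NAT firewall relies on. It parses the SDP offer in a clear-text SIP INVITE to find the RTP/RTCP ports the phone will receive on, builds the inbound NAT entries for them, and then feeds the same INVITE wrapped in a TLS record through the same path, where the parser sees only ciphertext and no entry can be built. The phone address 10.0.0.20, the firewall address 203.0.113.1, port 12345, the SIP message and the TLS record bytes are all constructed samples.

```python
"""Toy SIP inspection (ALG) logic, added for illustration: derive the RTP
pinholes and NAT mappings a firewall needs from the SDP in a clear-text SIP
INVITE, and show that a TLS-wrapped INVITE gives the firewall nothing.
Not Check Point code; all addresses, ports and messages are constructed."""

# Constructed SDP offer: the phone (private 10.0.0.20) wants RTP on UDP 12345.
SDP_BODY = (
    "v=0\r\n"
    "o=phone 2890844526 2890844526 IN IP4 10.0.0.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.20\r\n"
    "t=0 0\r\n"
    "m=audio 12345 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
).encode()

# Constructed clear-text INVITE carrying that SDP (SIP over plain TCP).
SIP_INVITE_CLEAR = (
    "INVITE sip:pbx@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.0.0.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:phone@example.com>;tag=1928301774\r\n"
    "To: <sip:pbx@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n"
).encode() + SDP_BODY

# Constructed stand-in for the same INVITE sent over TLS: one application-data
# record (type 0x17, version 0x0303, length 64) whose payload is ciphertext;
# the placeholder bytes below stand in for that ciphertext.
SIP_INVITE_TLS = b"\x17\x03\x03\x00\x40" + bytes(range(64))

TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data


def looks_like_tls(packet: bytes) -> bool:
    """TLS records start with a content-type byte and a 0x03 0x0X version."""
    return (len(packet) >= 5 and packet[0] in TLS_RECORD_TYPES
            and packet[1] == 0x03 and packet[2] <= 0x04)


def split_sip(packet: bytes):
    """Split a SIP message into (request line, headers dict, body)."""
    head, sep, rest = packet.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete SIP message")
    lines = head.decode().split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return lines[0], headers, rest[:length]


def sdp_media(sdp: bytes):
    """Return [{'media', 'ip', 'port'}] from SDP, honouring a session-level
    c= line and any media-level c= override that follows an m= line."""
    session_ip, current, streams = None, None, []
    for line in sdp.decode().splitlines():
        if line.startswith("c="):
            ip = line.split()[2]            # "c=IN IP4 10.0.0.20"
            if current is None:
                session_ip = ip
            else:
                current["ip"] = ip
        elif line.startswith("m="):
            media, port = line.split()[:2]  # "m=audio 12345 RTP/AVP 0 8"
            current = {"media": media[2:], "ip": session_ip, "port": int(port)}
            streams.append(current)
    return streams


def rtp_pinholes(packet: bytes):
    """What SIP inspection learns from one signalling packet: the (internal
    ip, udp port) pairs the far end will send RTP and RTCP to. Returns None
    when the packet is a TLS record, i.e. the SDP is not visible."""
    if looks_like_tls(packet):
        return None
    _, headers, body = split_sip(packet)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    holes = []
    for stream in sdp_media(body):
        if stream["port"] == 0:         # port 0 = stream rejected, nothing to open
            continue
        holes.append((stream["ip"], stream["port"]))      # RTP
        holes.append((stream["ip"], stream["port"] + 1))  # RTCP (port + 1)
    return holes


def nat_table(pinholes, public_ip: str):
    """Inbound NAT entries (public ip, port) -> (internal ip, port) the firewall
    would install for those pinholes (1:1 port mapping assumed here; a real
    ALG may also rewrite the port and the c= line in the SDP). Nothing can be
    installed when the pinholes are unknown (None)."""
    if not pinholes:
        return {}
    return {(public_ip, port): (ip, port) for ip, port in pinholes}


def forward_inbound(table, dst_ip: str, dst_port: int):
    """Where the firewall would forward an inbound RTP packet, or None (drop)."""
    return table.get((dst_ip, dst_port))


if __name__ == "__main__":
    public = "203.0.113.1"   # constructed public address of the firewall
    for label, pkt in (("clear-text SIP", SIP_INVITE_CLEAR),
                       ("SIP over TLS", SIP_INVITE_TLS)):
        holes = rtp_pinholes(pkt)
        table = nat_table(holes, public)
        print(label, "pinholes:", holes)
        print("  inbound RTP to", public, "12345 ->",
              forward_inbound(table, public, 12345))
```

In the clear-text case the firewall learns 10.0.0.20:12345 (RTP) and 12346 (RTCP) from the m= and c= lines and can map the PBX's inbound packets to the phone; in the TLS case the only thing it can read is the five-byte record header, so the "open all high ports" legacy approach still leaves it without a destination for port 12345 behind NAT.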
We got a response from Check Point support that such a configuration isn't possible.
The Check Point FW can't inspect (by "lawful" MITM) SIP-over-TLS traffic, and without such inspection SIP won't work.
