Hello, we have the following configuration for our Kamailio installation (we are using TLS and not UDP):
(1) F5 firewall (configured as message forwarding), opening a TLS server on the outside
(2) SIP proxy, with a TLS server accessed by the F5. The SIP proxy doesn't see the F5 TLS server
(3) SIP registrar
REGISTER works fine.
We have the following issue on INVITE: A sends an INVITE to B.
The registrar patches the R-URI with the content of location, which contains the public IP of the device (because the device used STUN). We force the routing from registrar to proxy by using t_relay (SIP_PROXY_IP). /The proxy tries to route to this R-URI, which is not visible/
I am not sure how to fix that:
Record-Route is for a true SIP proxy, but the firewall does not have a server facing the SIP proxy: the SIP proxy needs to find the proper client socket opened at register to route the INVITE.
We have arranged for the firewall to add its own Via, but if I understand correctly, this is used for replies, and here we are dealing with request forwarding, and t_relay uses the R-URI to route requests. It might be why REGISTER works correctly (i.e. the 200 OK is routed correctly from proxy to firewall).
I could arrange for the location table to contain the private IP and port of the firewall connection (through the use of the received/rport info inserted in the Via by the proxy). That would mean, however, that the contact of the user will contain the private interface of the F5, which I found weird.
How do you think I should proceed? Any advice is welcome. Thank you
-- View this message in context: http://sip-router.1086192.n5.nabble.com/kamailio-proxy-behind-firewall-tp155... Sent from the Users mailing list archive at Nabble.com.
Hello,
is Kamailio also listening on TLS? Or is the firewall converting to UDP or TCP?
Has Kamailio a private IP and only the firewall a public IP?
Cheers, Daniel
On 25/01/2017 17:23, JBF wrote:
> Hello, we have the following configuration for our Kamailio installation (we are using TLS and not UDP):
> (1) F5 firewall (configured as message forwarding), opening a TLS server on the outside
> (2) SIP proxy, with a TLS server accessed by the F5. The SIP proxy doesn't see the F5 TLS server
> (3) SIP registrar
> REGISTER works fine.
> We have the following issue on INVITE: A sends an INVITE to B.
> The registrar patches the R-URI with the content of location, which contains the public IP of the device (because the device used STUN). We force the routing from registrar to proxy by using t_relay (SIP_PROXY_IP). /The proxy tries to route to this R-URI, which is not visible/
> I am not sure how to fix that:
> Record-Route is for a true SIP proxy, but the firewall does not have a server facing the SIP proxy: the SIP proxy needs to find the proper client socket opened at register to route the INVITE.
> We have arranged for the firewall to add its own Via, but if I understand correctly, this is used for replies, and here we are dealing with request forwarding, and t_relay uses the R-URI to route requests. It might be why REGISTER works correctly (i.e. the 200 OK is routed correctly from proxy to firewall).
> I could arrange for the location table to contain the private IP and port of the firewall connection (through the use of the received/rport info inserted in the Via by the proxy). That would mean, however, that the contact of the user will contain the private interface of the F5, which I found weird.
> How do you think I should proceed? Any advice is welcome. Thank you
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello, yes, we kept TLS between Kamailio and F5, and Kamailio indeed has a private address, and doesn't see the firewall public address: the only way for the proxy to reply to the F5 is through the client socket opened by the F5 connection.
Hello,
have you set the advertise address with the public IP for the listen socket (on the private IP)?
Cheers, Daniel
On 06/02/2017 21:25, JBF wrote:
> Hello, yes, we kept TLS between Kamailio and F5, and Kamailio indeed has a private address, and doesn't see the firewall public address: the only way for the proxy to reply to the F5 is through the client socket opened by the F5 connection.
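What the advertise setting asked about in the last reply looks like in kamailio.cfg, as an added example that is not part of the thread. Both addresses are constructed placeholders: 10.0.0.5 stands in for Kamailio's private IP and 203.0.113.10 for the public address on the F5.

```cfg
# kamailio.cfg fragment (added example; addresses are constructed placeholders)
enable_tls=yes

# Without advertise: the Via and Record-Route headers Kamailio adds carry
# the private socket address, which devices outside the firewall cannot reach.
# listen=tls:10.0.0.5:5061

# With advertise: Kamailio still binds to the private address, but writes
# the public address into the Via and Record-Route headers it adds for
# messages sent through this socket.
listen=tls:10.0.0.5:5061 advertise 203.0.113.10:5061
```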