Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SIP Access Filter

214 views
Skip to first unread message

ale...@nospam.nospam

unread,
Mar 12, 2010, 2:04:15 PM3/12/10
to
Hello,

anybody tried to setup rules with the SIP protocol in Forefront TMG?

I tried to publish a SIP Server with the predefined "SIP Server" protocol.
"SIP Access Filter" is checked for that protocol, but it does not work as
expected:

The SIP Access Filter changes incoming packets the following way:

If the incoming packet from an external IP contains a SDP payload, The SDP
ConnectionInfo IP address (expected address of RTP stream) is replaced with
the local address of the TMG server.

e.g.: ConnectionInfo: IN IP4 172.30.170.225


I would expect to not touch incoming SDP messages as external addresses can
be reached by internal servers?


Is there a documentation out how exactly SIP packets are changed by the SIP
Access Filter, or does anybody know how to publish a SIP server with
Forefront TMG?

Best regards,

Alex

Phillip Windell

unread,
Mar 16, 2010, 11:26:07 AM3/16/10
to
Making the changes is what the Filter is for. *Not* making the changes is
what breaks the SIP communication process in firewalls without such a
filter.

I have no specific documentation.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


<ale...@nospam.nospam> wrote in message
news:%239Q4Rbh...@TK2MSFTNGP05.phx.gbl...

Alex

unread,
Mar 16, 2010, 3:23:58 PM3/16/10
to
Thanks for your answer.

But have you tried to publish a SIP server? In my opinion the SIP Filter
should only replace internal addresses with the external address of the
Forefront TMG server, but it also replaces external addresses with the local
internal address of the Forefront TMG server.

Then the internal SIP server sends its RTP traffic to the internal interface
of Forefront TMG? This is not correct in my opinion...

Seems I have to find another software to publish a SIP server.....

Regards,

Alex


"Phillip Windell" <philw...@hotmail.com> schrieb im Newsbeitrag
news:OhE%23fzRxK...@TK2MSFTNGP05.phx.gbl...

Phillip Windell

unread,
Mar 17, 2010, 1:30:21 PM3/17/10
to
"Alex" <al...@nospam.de> wrote in message
news:eE5g94Tx...@TK2MSFTNGP02.phx.gbl...

> Then the internal SIP server sends its RTP traffic to the internal
> interface of Forefront TMG? This is not correct in my opinion..

It is correct in my opinion. The ISA then "knows" what to do with it after
that,...that is what the Filter is for.

ale...@nospam.nospam

unread,
Mar 17, 2010, 3:17:33 PM3/17/10
to

"Phillip Windell" <philw...@hotmail.com> schrieb im Newsbeitrag

news:uy5cmdfx...@TK2MSFTNGP05.phx.gbl...


> "Alex" <al...@nospam.de> wrote in message
> news:eE5g94Tx...@TK2MSFTNGP02.phx.gbl...
>
>> Then the internal SIP server sends its RTP traffic to the internal
>> interface of Forefront TMG? This is not correct in my opinion..
>
> It is correct in my opinion. The ISA then "knows" what to do with it
> after that,...that is what the Filter is for.
>
>

Although I have an outgoing rule to allow RTP, ISA does not forward the RTP
traffic which is sent to its local address....

Regards,

Alex

Tomer Schwaitzer

unread,
Apr 28, 2011, 6:38:24 AM4/28/11
to
Any luck with that ?

> On Friday, March 12, 2010 2:04 PM <alex11 wrote:

> Hello,
>
> anybody tried to setup rules with the SIP protocol in Forefront TMG?
>
> I tried to publish a SIP Server with the predefined "SIP Server" protocol.
> "SIP Access Filter" is checked for that protocol, but it does not work as
> expected:
>
> The SIP Access Filter changes incoming packets the following way:
>
> If the incoming packet from an external IP contains a SDP payload, The SDP
> ConnectionInfo IP address (expected address of RTP stream) is replaced with
> the local address of the TMG server.
>
> e.g.: ConnectionInfo: IN IP4 172.30.170.225
>
>
> I would expect to not touch incoming SDP messages as external addresses can
> be reached by internal servers?
>
>
> Is there a documentation out how exactly SIP packets are changed by the SIP
> Access Filter, or does anybody know how to publish a SIP server with
> Forefront TMG?
>
> Best regards,
>
> Alex


>> On Tuesday, March 16, 2010 11:26 AM Phillip Windell wrote:

>> Making the changes is what the Filter is for. *Not* making the changes is
>> what breaks the SIP communication process in firewalls without such a
>> filter.
>>
>> I have no specific documentation.
>>

>> --
>> Phillip Windell
>>
>> The views expressed, are my own and not those of my employer, or Microsoft,
>> or anyone else associated with me, including my cats.
>> -----------------------------------------------------


>>> On Tuesday, March 16, 2010 3:23 PM Alex wrote:

>>> Thanks for your answer.
>>>
>>> But have you tried to publish a SIP server? In my opinion the SIP Filter
>>> should only replace internal addresses with the external address of the
>>> Forefront TMG server, but it also replaces external addresses with the local
>>> internal address of the Forefront TMG server.
>>>

>>> Then the internal SIP server sends its RTP traffic to the internal interface

>>> of Forefront TMG? This is not correct in my opinion...
>>>
>>> Seems I have to find another software to publish a SIP server.....
>>>
>>> Regards,
>>>
>>> Alex


>>>> On Wednesday, March 17, 2010 1:30 PM Phillip Windell wrote:

>>>> It is correct in my opinion. The ISA then "knows" what to do with it after
>>>> that,...that is what the Filter is for.
>>>>
>>>>

>>>> --
>>>> Phillip Windell
>>>>
>>>> The views expressed, are my own and not those of my employer, or Microsoft,
>>>> or anyone else associated with me, including my cats.
>>>> -----------------------------------------------------

0 new messages