Screen OS

  • 1.  SSG-5 as a SIP-outbound-proxy

    Posted 04-07-2011 06:50

    Hello everyone,

    I want to use an SSG5 in my trusted network (1.1.1.0) as an ALG for SIP-messages, but there is already a dhcp-server, dns-server and default gateway installed. So the SSG5 shall be used as an outbound proxy and redirect SIP-messages received on it's trusted interface (1.1.1.5:5060) to the SIP-Server in the Untrusted zone (10.10.10.10). As you can see with my (example IP-Adresses), there is NATing between the trusted and the untrusted zone. So again, my setup looks like this:


    SIP-Client (1.1.1.30)---------->(1.1.1.5:5060)==SSG5-ALG==(10.10.10.1)--------->SIP-Server(10.10.10.10:5060)

     

    I managed to have the SIP-messages forwarded to the SIP-Server by using a VIP on the trusted interface, which forwarded the SIP-messages to the SIP-Server. After that I referenced the VIP in a policy. The SIP-headers were correctly rewritten with the IP-address of the Untrust-Interface. First step accomplished!

     

    The problem is: how can I forward the SIP-messages from the SIP-server, received on the untrust interface, back to my SIP-client (incoming call)? I can't use a VIP on the untrust interface, as there are several SIP-clients and therefore several IP-addresses. This is pretty similar to the examples "Incoming Call" and "Proxy in the public zone" in the C&E, VOL. 6, Page 35 and 44 respectively, except for the fact that I am using a VIP on the trust interface.

     

    Any idea would be appreciated!

     

    Regards, JP

     

     

     



  • 2.  RE: SSG-5 as a SIP-outbound-proxy

    Posted 04-08-2011 02:29

    Hi,

     

    I am not sure I totally understand your set-up but can't you set the UNTRUST interface as the default gateway for the Proxy?

     

    If not, can you add a little more detail, diagram etc., because as you say your setup is only similar to C&E, VOL. 6, Page 35 and 44.

     

    Gavrilo



  • 3.  RE: SSG-5 as a SIP-outbound-proxy

    Posted 04-08-2011 05:49

    Hi Gavrilo,

    I attached a .jpg visualizing the setup. Sorry for the trash-look :). When SIP-UACs use an outbound proxy, it is necessary to forward the SIP-messages to the SIP-Server, as they address the messages to the outbound proxy (192.168.1.100), not to the SIP-Server directly (10.10.10.10). I realized this with a VIP on the trust interface (192.168.1.100->10.10.10.10). SIP-messages are forwarded correctly and the LAN-IP of the phone (192.168.1.23) is replaced with the IP of the untrust interface (10.10.10.100) within the SIP-messages. Everything fine so far.

     

    But when the SIP-Server answers the SIP-UAC, the SSG5 removes the "VIA: 10.10.10.100" from the SIP-message, so the UAC is not using the SSG5 trust interface (192.168.1.100) as a gateway for the media-data. This causes the loss of the media data from the SIP-UAC (192.168.1.23) to the SIP-Client in the "untrust network". Is this a bug? Or do I have to add something to my settings?

     

    Any idea? Or maybe there is a totally different solution for this?

     

    Regards, JP



  • 4.  RE: SSG-5 as a SIP-outbound-proxy

    Posted 04-08-2011 05:52

    I've just noticed, I changed the IP-addresses in the example... hope this is not too confusing.



  • 5.  RE: SSG-5 as a SIP-outbound-proxy
    Best Answer

    Posted 04-12-2011 06:16

    Hi everyone,

    I could solve the problem myself. If you want to use the SSG5 as a SIP outbound proxy, you have to use a VIP for your TRUST-Interface (Forwarding: TRUST-Interface->SIP-Server), combined with a SIP-only policy and source-address translation from TRUST->UNTRUST-Zone. In addition, you have to create a SIP-only policy from UNTRUST->TRUST-Zone, again with source-address translation.

     

    Greetz, JP