Endpoint Provisioning & Redirection
DNS lookup: ipv4list-provisioning.univoip.net
General Service Edge
DNS lookup: ipv4list-service.univoip.net
New customers will be provided unique URLs and IP addresses. These unique addresses are in addition to the General Service Edge list above. Enterprise customer addresses will be provided during the onboarding process.
Example Outbound Configuration Options
The examples below are possible outbound configuration methods to support voice services on your network. They are examples only and should be reviewed and implemented as required for your specific environment by an IT professional. Every network is different, and the complexity of a given configuration must be weighed against the overall security concerns of the business and the maintenance overhead required to implement it.
The access requirements below assume outbound source NAT from the internal LAN voice network to the public IP address of the site firewall. This is the only NAT requirement. There is no requirement to set up any inbound destination NAT rules.
Example 1 - Allow All Outbound Connections
Example 2 - Allow UniVoIP Specific Voice Services
Permit all outbound connections to Provisioning and Services addresses
The UniVoIP networks and any specific TCP and UDP port requirements will change over time. Specific TCP and UDP ports are available upon request. Any firewall configuration that statically defines those networks or ports will need to be updated as they change. The customer is responsible for managing those changes.
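One way to keep a static allowlist in step with the two DNS lists named above, as an added example (not UniVoIP tooling). The group labels, the rejected ranges and the sample addresses are assumptions made for illustration. The script reports which entries to add or remove and refuses answers that point into private or otherwise non-routable space.

```python
import ipaddress
import socket

# Hostnames are from the page; the group labels are hypothetical.
EDGE_LISTS = {
    "UNIVOIP-PROVISIONING": "ipv4list-provisioning.univoip.net",
    "UNIVOIP-SERVICE": "ipv4list-service.univoip.net",
}
# Ranges that must never enter an outbound allowlist from a DNS answer.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def resolve_ipv4(hostname):
    """Return the set of A records for hostname (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def vet(addresses):
    """Split a DNS answer into usable addresses and rejected entries."""
    good, rejected = set(), set()
    for text in addresses:
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            rejected.add(text)
            continue
        bad = any(ip in net for net in NON_ROUTABLE)
        (rejected if bad else good).add(str(ip))
    return good, rejected

def drift(configured, resolved):
    """Compare the firewall's static entries with the current DNS answer."""
    good, rejected = vet(resolved)
    configured = set(configured)
    order = ipaddress.IPv4Address
    return {"add": sorted(good - configured, key=order),
            "remove": sorted(configured - good, key=order),
            "rejected": sorted(rejected)}

def check(configured_by_group, resolver=resolve_ipv4):
    """Run drift() per edge list; resolver is injectable for offline runs."""
    return {group: drift(configured_by_group.get(group, ()), resolver(host))
            for group, host in EDGE_LISTS.items()}

if __name__ == "__main__":
    # Constructed answers (documentation ranges) so the demo runs offline;
    # drop the resolver argument to query DNS for real.
    sample = {"ipv4list-provisioning.univoip.net": {"203.0.113.10"},
              "ipv4list-service.univoip.net": {"198.51.100.5", "10.0.0.7"}}
    print(check({"UNIVOIP-SERVICE": ["198.51.100.9"]}, resolver=sample.get))
```

Run it on a schedule and review any non-empty "rejected" list before changing the firewall, since it means the answer did not look like a service edge address.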
UDP Flood Protection
UDP flooding protection and VoIP applications utilizing RTP do not work well together. It is recommended that UDP flooding protection on firewalls in the voice path be disabled.
Many firewall devices today understand the SIP protocol and include some type of NAT traversal or rewriting of SIP packets. When connecting SIP clients to UniVoIP, we recommend turning off any SIP features on your firewall. Our gateways handle any required NAT traversal. At best it is simply redundant to have two devices performing the same job. In worse cases, they interfere with each other, causing call-handling issues. These firewall services are often referred to as "SIP ALG", "SIP Application Layer Gateway", "SIP Inspect" and "SIP Fix-Up", among others. Our recommendation is to turn any SIP ALG off. That said, if you are not having any issues with SIP device connectivity, it can likely be left alone. SIP ALGs have no effect on the signaling for MiNet-based devices such as the Mitel 5300 and 6900 series desk phones.
Cisco ASA Firewall
- Disable SIP Inspect
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sip
- Disable SIP ALG -
VOIP => Settings:
- Turn off Consistent NAT
- Turn off SIP Transformation
- Every vendor has a different term for the process of automatically deleting potentially stale timed out connections.
- On ASA devices, Cisco refers to this as setting the connection timeout.
- pfSense refers to this as : Set to Conservative
Firewall State Table Sizing