EDIT: AS OF SCREENOS 6.3.0r7.0, OnSIP DOES NOT RECOMMEND THAT THE SIP ALG BE ENABLED FOR USE WITH OnSIP. THESE INSTRUCTIONS ARE KEPT HERE FOR LEGACY PURPOSES, BUT WE DO NOT SUGGEST YOU ENABLE THE SIP ALG AT THIS TIME.
Setting the SIP ALG for the SSG device is easily done in just a few steps.
You will need the administrative login and the ability to telnet into the router in addition to WebUI access. The administrative credentials are the same for both points of entry.
1) Activate the SIP ALG.
Log into the WebUI for the SSG. In the navigation bar on the left hand side, click on Security, then ALG. From there, select the SIP radio button and click "Apply."
2) Set Inbound NAT (DIP)
The next step is to set inbound NAT (DIP) on your interface. To do this, you'll need to telnet into your SSG. From what we could find, there was no way to enable or disable this entry through the WebUI. Mac users can just use Terminal, while Windows users may need a separate program like PuTTY.
At the Command Prompt, type:
set interface ethernet0/0 dip interface-ip incoming
This will activate DIP for that interface, which will allow you to tie the interface to the SIP ALG you've enabled.
You can confirm that this has been enabled either by typing
get config | include dip
where you'll see the command you just entered, or by double checking it through the WebUI.
Log in, select Network, Interfaces, then List. Locate your interface and select the Edit link to the right.
Select DIP from the list of properties and double check that Incoming NAT is checked.
3) Define an Inbound SIP Policy
The next step is to define a policy to tie the two together.
Select Policy, then Policies on the right hand side.
At the top you'll see two drop downs labelled "From" and "To." Set From to Untrust and To to Trust, as we're setting this policy to affect traffic going from the Internet (Untrust Zone) to your LAN (Trust Zone), and then click New.
From here you'll need to define the policy.
Give it a name for easy reference, set the Source Address to "Any-IPv4" and set the destination address to "DIP(ethernet0/0)." Set the Service and Application to "SIP" and then select Advanced.
Scroll down to Traffic Shaping, enable it and then you can either set a specific guaranteed portion of your LAN's bandwidth to the SIP traffic, OR you may simply set a Traffic Priority to enable QoS. You can read up on this section in detail in Chapter 7 "Traffic Shaping" in the Juniper Concepts and Examples ScreenOS Reference Guide document provided by Juniper Networks. Then click OK.
This will take you back to your Policies screen where you can then arrange where you'd like the policy to rank in your policy list. The more specific the policy, the higher it should be, so we'd suggest placing it first, but your own needs may be different.
4) Define an Outbound SIP Policy
At the top you'll see two drop downs labelled "From" and "To." Set From to Trust and To to Untrust, as we're setting this policy to affect traffic going from your LAN (Trust Zone) to the Internet (Untrust Zone). Then click New.
In this new policy, you'll use the address book entries of "Any-IPv4" for both source and destination addresses. Then scroll down to Advanced and click that.
For the NAT section, select Source Translation "None (Use Egress Interface IP)" and then scroll down to OK.
This will take you back to your Policies screen where you can then arrange where you'd like the policy to rank in your policy list. The more specific the policy, the higher it should be, so we'd suggest placing it first, but your own needs may be different.
From here, you will be able to register your devices and they should now be routing through the SIP ALG. You can easily check by logging into your OnSIP account at http://admin.onsip.com and clicking on users. Click a user to expand their name, then select Show Details. Your internal network should now be masked.
Your phones should now be behind the activated ALG.
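The "get config | include dip" check from step 2 can be extended to a saved copy of the full configuration. The following is an added example, not part of the original instructions or any Juniper or OnSIP tool: it reports whether the SIP ALG line, the incoming DIP setting and a policy referencing DIP(interface) are present. The sample configuration is constructed, and the policy line format and the "unset alg sip enable" line are assumptions about how ScreenOS prints them.

```python
import re

# Constructed sample of saved `get config` output; not from a real device.
# Assumed formats: the policy line, and `unset alg sip enable` as the way a
# disabled SIP ALG appears in the configuration.
SAMPLE_CONFIG = """\
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 203.0.113.10/24
set interface ethernet0/0 dip interface-ip incoming
set interface bgroup0 dip interface-ip incoming
unset alg sip enable
set policy id 5 name "Inbound SIP" from "Untrust" to "Trust" "Any-IPv4" "DIP(ethernet0/0)" "SIP" permit
"""

# The command from step 2, with the interface name captured.
DIP_RE = re.compile(r"^set interface (\S+) dip interface-ip incoming$")
ALG_RE = re.compile(r"^(set|unset) alg sip enable$")
# Any policy line whose destination is DIP(<interface>), as set in step 3.
POLICY_DIP_RE = re.compile(r"^set policy\b.*\bdip\(([^)]+)\)", re.IGNORECASE)


def audit_sip_settings(config_text):
    """Summarise which settings from this procedure appear in a config dump."""
    report = {"alg": "not stated", "dip_incoming": [], "policy_dip": []}
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := DIP_RE.match(line):
            report["dip_incoming"].append(m.group(1))
        elif m := ALG_RE.match(line):
            report["alg"] = "enabled" if m.group(1) == "set" else "disabled"
        elif m := POLICY_DIP_RE.match(line):
            report["policy_dip"].append(m.group(1))
    # Interfaces with incoming DIP that no policy uses as a destination.
    report["dip_without_policy"] = [
        i for i in report["dip_incoming"] if i not in report["policy_dip"]
    ]
    return report


if __name__ == "__main__":
    for key, value in audit_sip_settings(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

An "alg" value of "not stated" means the dump contained no explicit SIP ALG line, so confirm the state in the WebUI under Security, then ALG.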