Configuring the VoIP ALG Settings

This section outlines how to configure the VoIP ALG settings.

To Configure VoIP ALG Settings

Note

VoIP ALG requires that a SIP server is configured on the system. Refer to Configuring SIP Settings for support information.

  1. Choose VoIP from the Configuration menu.

  2. Configure settings using the information in the following table as a guide. When you have finished configuring settings, click Submit to make your changes take effect.

    VoIP ALG Parameters

    Item / Description

    Enable ALG Multi-VLAN support

    Select the Enable ALG Multi-VLAN support checkbox to enable VLAN support for the ALG. When this is enabled you must also choose the VLAN the ALG serves from the ALG LAN using VLAN ID list.

    ALG LAN using VLAN ID

    If VLAN support is enabled, you must select the VLAN for the ALG to serve. Choose an option from the ALG LAN using VLAN ID drop-down list.

    The ALG can serve only one VLAN at a time. This feature allows the system to recognize and register a network appliance on that VLAN before it presents the IP telephone or data device through its public WAN port.

    Enable LLDP

    Select the Enable LLDP checkbox to allow the Application Layer Gateway (ALG) to send periodic Link Layer Discovery Protocol (LLDP) advertisements describing the sending device.

    LLDP Broadcast Interval

    Enter the interval in seconds between each LLDP frame information broadcast.

    TFTP server IP address

    Enter the TFTP server IPv4 address to allow the system to act as a TFTP server that provides subsequent configuration information to VoIP phones or other devices. TFTP has no authentication or encryption, so restrict access to this server to the voice network and keep credentials out of the files it serves.

    ALG Settings

    Use ALG Alias IP Address

    Select the Use ALG Alias IP Address checkbox and then fill in whichever of the following apply to your system configuration:

    ALG LAN Interface IP Address (IPv4)

    ALG LAN Interface IPv6 Address

    ALG WAN Interface IP Address (IPv4)

    ALG WAN Interface IPv6 Address

    Note: In some cases, the ALG addresses do not correspond to the addresses of the LAN or the WAN ports. The addresses are alias addresses that have been configured on the ports. In general, you should leave this feature disabled.

    ALG LAN Interface IP Address

    Enter the IPv4 address on the LAN that endpoints communicate with. Generally, this is the same as the LAN IP address.

    ALG LAN Interface IPv6 Address

    Enter the IPv6 address on the LAN that endpoints communicate with.

    ALG WAN Interface IP Address

    Enter the IPv4 address on the WAN that communicates with the softswitch. Generally, this is the same as the WAN IP address.

    ALG WAN Interface IPv6 Address

    Enter the IPv6 address on the WAN that communicates with the softswitch.

    NAT Addressing

    Configure public and private NAT addressing.

    Public NAT WAN IP address

    Enter the public IPv4 address that the perimeter security appliance provides for static one-to-one mapping (the public NAT subscriber IP address).

    This allows incoming traffic to the public IP to be translated to the system internal IP. This is typically called a private demilitarized zone (DMZ) which allows devices in this DMZ to be configured with a private RFC 1918 address.

    The NAT configuration must be a Public IPv4 address configured for a one-to-one NAT translation without any port-mapping to the Video Border Proxy (VBP)-E internal DMZ WAN IPv4 address.

    Private NAT LAN IP address

    Enter the private IPv4 address the perimeter security appliance provides for static one-to-one mapping.

    This allows incoming traffic to the private IP to be translated to the system internal IP. This is typically called a private DMZ which allows devices in this DMZ to be configured with a specific DMZ internal address.

    The NAT configuration must be an IPv4 address configured for a one-to-one NAT translation to the VBP-E internal DMZ LAN IPv4 address. Typically, this interface is not placed in a NAT environment but can be used in advanced security scenarios.

    Do strict RTP source check

    Select the Do Strict RTP Source Check checkbox to protect against Real-time Transport Protocol (RTP)-based denial-of-service attacks and against gateways that continue to send an RTP stream after a call has ended.

    If the source of an inbound RTP stream does not match the IP address and port for an existing outbound RTP stream, it is assumed that the inbound stream is “rogue RTP.” When rogue RTP is detected, a syslog message is generated and the inbound stream is dropped.
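    The rogue-RTP rule above is simple enough to model in a few lines. The following Python is an added example, not the product's own code: it learns the far-end address of each outbound stream, forwards inbound RTP only when the source IP address and port match, and logs and drops everything else, including a gateway that keeps streaming after the call has ended. The packet type, the addresses and the StrictRtpSourceCheck class are constructed for illustration.

```python
import logging
from collections import namedtuple

log = logging.getLogger("rogue-rtp")

# Constructed minimal view of an RTP/UDP packet: only the 4-tuple the check needs.
RtpPacket = namedtuple("RtpPacket", "src_ip src_port dst_ip dst_port")


class StrictRtpSourceCheck:
    """Model of the 'Do strict RTP source check' rule (illustrative, not the
    product's code): inbound RTP is forwarded only when its source IP:port is
    the destination IP:port of an outbound RTP stream on the same local socket."""

    def __init__(self):
        # local (ip, port) -> remote (ip, port), learned from outbound RTP.
        # A real ALG would take this from the SDP c=/m= lines of the call.
        self.expected_peer = {}
        self.dropped = 0

    def outbound(self, pkt):
        self.expected_peer[(pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)

    def call_ended(self, local_ip, local_port):
        # After teardown nothing is expected on that local port any more, so a
        # gateway that keeps streaming is treated as rogue.
        self.expected_peer.pop((local_ip, local_port), None)

    def inbound(self, pkt):
        """Return True to forward the packet, False when it is dropped as rogue RTP."""
        expected = self.expected_peer.get((pkt.dst_ip, pkt.dst_port))
        if expected == (pkt.src_ip, pkt.src_port):
            return True
        self.dropped += 1
        # The page says a syslog message is generated; a logger call stands in for it.
        log.warning("rogue RTP dropped: src=%s:%d dst=%s:%d expected=%s",
                    pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port,
                    "%s:%d" % expected if expected else "none")
        return False


def run_sample():
    """Constructed traffic: a legitimate call, a spoofed source, a wrong port,
    and a gateway that keeps streaming after the call ends."""
    alg = StrictRtpSourceCheck()
    local = ("192.0.2.20", 16384)        # phone behind the ALG
    remote = ("203.0.113.10", 30000)     # media address learned from the call
    rogue = ("198.51.100.7", 30000)      # unrelated host spraying RTP
    alg.outbound(RtpPacket(*local, *remote))
    results = [
        alg.inbound(RtpPacket(*remote, *local)),           # matches: forwarded
        alg.inbound(RtpPacket(*rogue, *local)),            # wrong source IP: dropped
        alg.inbound(RtpPacket(remote[0], 30002, *local)),  # wrong source port: dropped
    ]
    alg.call_ended(*local)
    results.append(alg.inbound(RtpPacket(*remote, *local)))  # after hangup: dropped
    return results, alg.dropped
```

    The check is deliberately keyed on both address and port: a source that reuses the right port from a different address, or the right address from a different port, is still rogue, which is what makes the rule effective against RTP flooding from hosts that have learned a media port from signaling.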

    Enable Client List lockdown

    Select the Enable Client List Lockdown checkbox to prevent new clients from registering.

    Note: You must first configure the Client List. Choose VoIP > Client List and refer to Configure the Clients List.

    Caution: Do not use Client List Lockdown and Allow Shared Usernames at the same time.

    Allow Shared Usernames

    Select the Allow Shared Username checkbox to allow multiple clients to register using the same username. A new entry and a unique contact field are generated for each client.

    Caution: Do not use Client List Lockdown and Allow Shared Usernames at the same time; new phones using an existing username will not be added to the Clients List and will fail to work.

    Strip G.729 from calls

    Select the Strip G.729 From Calls checkbox to improve codec compatibility between legacy and newer networks by removing all references to G.729 from the codec lists of calls made using SIP. The codecs offered in the signaling are listed in the Session Description Protocol (SDP) body; when this option is enabled, G.729 is removed from the SDP.
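    To make concrete what removing all references to G.729 from SDP involves, here is an added Python example (not the product's code). It removes the static payload type 18 and any dynamic payload type whose a=rtpmap line names G729 from the m=audio line, and drops the matching a=rtpmap and a=fmtp lines; the sample offer is constructed. It also covers an edge case the page does not mention: if G.729 was the only audio codec offered, stripping it would leave an empty format list, so the function refuses rather than emit an offer no peer can answer.

```python
G729_STATIC_PT = "18"   # static RTP payload type for G.729 (RFC 3551)

# Constructed sample offer: PCMU, G.729 (with an Annex B parameter) and DTMF events.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 18 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:18 G729/8000",
    "a=fmtp:18 annexb=no",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-16",
    "a=ptime:20",
]) + "\r\n"


def strip_g729(sdp):
    """Return the SDP with every reference to G.729 removed (hypothetical helper,
    not the product's own implementation)."""
    eol = "\r\n" if "\r\n" in sdp else "\n"
    lines = sdp.split(eol)

    # Pass 1: collect payload types that mean G.729: the static 18 plus any
    # dynamic type an a=rtpmap line binds to G729 (encoding names are case-insensitive).
    remove = {G729_STATIC_PT}
    for line in lines:
        if line.startswith("a=rtpmap:"):
            pt, _, encoding = line[len("a=rtpmap:"):].partition(" ")
            if encoding.split("/")[0].upper() == "G729":
                remove.add(pt)

    # Pass 2: drop those types from the audio m= line and delete their attribute lines.
    out = []
    for line in lines:
        if line.startswith("m=audio "):
            fields = line.split()                         # m=audio <port> <proto> <fmt>...
            fmts = [f for f in fields[3:] if f not in remove]
            if not fmts:
                # Stripping would leave no codec at all; refuse rather than emit an
                # offer no peer can answer.
                raise ValueError("G.729 is the only audio codec offered; cannot strip it")
            line = " ".join(fields[:3] + fmts)
        elif line.startswith(("a=rtpmap:", "a=fmtp:")):
            pt = line.split(":", 1)[1].split(" ", 1)[0]
            if pt in remove:
                continue
        out.append(line)
    return eol.join(out)
```

    Line endings are preserved as found (SDP is normally CRLF-terminated), and only the a=rtpmap and a=fmtp attributes tied to the removed payload types are touched, so a=ptime and the telephone-event entries survive.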

    SIP Port Settings

    Configure UDP, TCP and TLS related parameters for SIP. Refer to Configure SIP Port Settings.

    UDP System Port

    Specifies the ports on which the system listens for SIP over UDP messages from SIP clients. 

    To specify multiple UDP ports, separate each port with a comma. Default is “5060,5070,5075.”

    REGISTER restricted to port

    Specifies that REGISTER requests are processed only on the specified port, if set to a non-zero port number that matches one of the configured UDP System Ports. REGISTER messages sent to any other SIP port are logged and discarded without further processing.

    When set to zero, REGISTER requests are processed normally on all configured SIP ports and connections. Default is 0.

    UDP System Source Port

    Specifies the source port to use when sending SIP over UDP messages to the SIP Server. The system also listens for SIP messages on this port, similar to the Client Listening Ports. 

    Default value is 5060. 

    TCP System Port

    Specifies the port on which this device will listen for SIP over TCP connection requests. Enter any valid TCP port.

    Default value is 5060. 

    TCP Connection Timeout (m)

    Sets the inactivity timeout in minutes.

    The system monitors all TCP connections and closes any connection that has had no activity for the configured time. Minimum value is 4 minutes.

    TLS System Port

    Specifies the port on which this device will listen for SIP over TLS connection requests.

    Enter any valid TCP port. The TLS port cannot be the same as the TCP port.

    TLS Protocol

    Allows you to choose the TLS protocol version the listener accepts. The following options are available:

    • TLSv1.0: Allows only TLS protocol version 1.0 (RFC 2246)
    • TLSv1.2: Allows only TLS protocol version 1.2 (RFC 5246)
    • TLSv1.3: Allows only TLS protocol version 1.3 (RFC 8446)

    Note: TLS 1.0 is deprecated (RFC 8996) and should be selected only to interoperate with legacy endpoints that cannot be upgraded; prefer TLSv1.2 or TLSv1.3.

    Ciphers String

    Adds or restricts the cipher suites offered by this device during a TLS handshake. See Ciphers for a detailed description of the format for this string.

    LAN Certificate

    The X.509 certificate for the interface in PEM format. Certificates are loaded using the Security > Certificates page. Make sure that the common name (CN) in the certificate matches the domain name or IP address of the interface; peers that validate the subjectAltName extension will also need the name or address listed there.
    Policy

    Peer certificate verification policy:

    • No check — The peer certificate is not verified; any client that completes the handshake is accepted, so this provides transport encryption but no client authentication.
    • Verify if provided — Send a client certificate request to clients but continue handshake if the client does not return a certificate. Fail if certificate is returned and the verification fails.
    • Require and Verify — Send a client certificate request to clients and continue only if the client sends a certificate and the certificate verification succeeds.
    • Require and Verify Once — Same as Require and Verify except that client certificate requests are not sent during renegotiation.
    WAN Certificate

    The X.509 certificate for the interface in PEM format. Certificates are loaded using the Security > Certificates page. Make sure that the common name (CN) in the certificate matches the domain name or IP address of the interface; peers that validate the subjectAltName extension will also need the name or address listed there.
    Policy

    Peer certificate verification policy:

    • No check — The peer certificate is not verified; any client that completes the handshake is accepted, so this provides transport encryption but no client authentication.
    • Verify if provided — Send a client certificate request to clients but continue handshake if the client does not return a certificate. Fail if certificate is returned and the verification fails.
    • Require and Verify — Send a client certificate request to clients and continue only if the client sends a certificate and the certificate verification succeeds.
    • Require and Verify Once — Same as Require and Verify except that client certificate requests are not sent during renegotiation.
    Exclude sips headers for TLS Transport

    When enabled, the 'sip' URI scheme is used instead of 'sips' in translated SIP messages. This option is available only for TLS transport.
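    The TLS Protocol, Ciphers String and Policy settings above map directly onto standard TLS library controls. The following Python is an added example rather than the product's code: it builds a server-side SIP-over-TLS context that enforces a single protocol version, applies an OpenSSL cipher string, and sets the peer-verification mode for each Policy value. The build_sip_tls_context and describe helpers are assumptions for illustration, and "Require and Verify Once" is folded into CERT_REQUIRED because the ssl module does not expose the once-only variant (TLS 1.3 has no renegotiation, so the distinction disappears there anyway).

```python
import ssl

# The page's three TLS Protocol choices as (minimum, maximum) version pairs:
# each option allows exactly one protocol version.
PROTOCOL_VERSIONS = {
    "TLSv1.0": (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1),      # deprecated by RFC 8996
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    "TLSv1.3": (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
}

# The page's Policy choices mapped to the standard peer-verification modes.
# CERT_OPTIONAL: request a client certificate, verify it if one arrives.
# CERT_REQUIRED: abort the handshake unless a certificate arrives and verifies.
VERIFY_POLICY = {
    "No check": ssl.CERT_NONE,
    "Verify if provided": ssl.CERT_OPTIONAL,
    "Require and Verify": ssl.CERT_REQUIRED,
    "Require and Verify Once": ssl.CERT_REQUIRED,   # once-only variant not exposed by ssl
}


def build_sip_tls_context(protocol, policy, ciphers=None, cert_chain=None, ca_file=None):
    """Server-side context for a SIP-over-TLS listener (hypothetical helper,
    not the product's implementation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    lo, hi = PROTOCOL_VERSIONS[protocol]
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    ctx.verify_mode = VERIFY_POLICY[policy]
    if ca_file:
        # Trust anchor for client certificates; without one, every certificate a
        # client presents fails verification under the two verifying policies.
        ctx.load_verify_locations(cafile=ca_file)
    if cert_chain:
        # (certificate.pem, key.pem) for the LAN or WAN interface certificate.
        ctx.load_cert_chain(*cert_chain)
    if ciphers:
        # OpenSSL cipher-string syntax, as in the Ciphers String field.
        ctx.set_ciphers(ciphers)
    return ctx


def describe(ctx):
    """Plain-value summary of a context, for checking the effective settings."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verify": ctx.verify_mode.name,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }
```

    A cipher string such as ECDHE+AESGCM:!aNULL:!MD5 keeps forward-secret AEAD suites and rejects anonymous and MD5-based ones; printing describe(ctx)["ciphers"] is a quick way to see what a given string actually leaves enabled on the device's OpenSSL build.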

    NAT Traversal:

    This feature is only available on 2900, 4700, 4800, 4552v2 and 6000 platforms.

    Disabled

    NAT Traversal for SIP is disabled.
    RFC-3581

    With RFC-3581 support, the system inserts the rport parameter (RFC 3581) in the Via header of outbound SIP messages to the softswitch, so that responses are returned to the source IP address and port the request actually came from.

    RFC 3581 resolves failed SIP responses in a NAT environment. When RFC-3581 is selected, it is recommended that you also check “Use RFC3581 UAS response for signaling modification”. For media to work properly, the media server must support symmetric RTP or the NAT router must provide one-to-one port mapping. When RFC-3581 is selected, configure keep-alive logic on the Survivability page. The recommended keep-alive interval is 30 seconds; the interval that works may vary between NAT routers.

    STUN

    The system uses STUN to support NAT traversal for both SIP signaling (UDP only) and media. When STUN is selected, configure the “STUN Server” settings and keep-alive logic on the Survivability page. The recommended keep-alive interval is 30 seconds; the interval that works may vary between NAT routers.

    B2BUA Options

    Configure B2BUA options.

    Route all SIP signalling through B2BUA

    Select this option to have every SIP message processed by the B2BUA.

    Enable Microsoft Feature

    Selecting this setting enables all Microsoft-related feature logic, for example allowing a WAN-side B2BUA trunking device, responding to OPTIONS messages from Microsoft servers, and inserting the ptime attribute in the SDP body.
    Enable Comfort Noise Generation (CNG)

    This option enables the Comfort Noise Generation (CNG) engine to stay in the RTP media path and perform the translation of comfort noise packets between the two end points.

    Enable User-Agent header pass-through

    Select this option to pass the User-Agent header from the ingress SIP message to the egress SIP message when the message is routed via the B2BUA. When disabled, the B2BUA inserts a system-generated custom string in the User-Agent header of the egress SIP request, which also keeps the vendor and firmware version of internal endpoints from being disclosed to the far side. This has no effect on SIP messages processed via the ALG.

    B2BUA Redirect Support (302)

    If enabled, EdgeMarc processes the 302 response itself and sends a new INVITE to the target obtained from the Contact header (except when the Contact header contains an FQDN). When disabled, EdgeMarc translates the 302 response and passes it back to the caller. By default, it is enabled.

    PANI Header

    Refer to Configure PANI Header Settings.

    Enable PANI Header Support

    If enabled, EdgeMarc adds the PANI (P-Access-Network-Info) header to all requests and responses (except ACK and CANCEL requests and responses). By default it is disabled.
    Access Type

    Specifies information about the access network used; its value is set as per RFC 7315. Default value is "IEEE-802.11".
    Access Info

    Additional information about the access network used. When Access Info is set to location-info, the location-info value is filled with the EdgeMarc LAN/WAN IP address. Note: the format of the PANI header with location-info is:

    P-Access-Network-Info: Access Type;"location-info=EdgeMarc LAN/WAN IP";"ue-ip=EdgeMarc LAN/WAN IP";"ue-port=5060"
    Access Info String

    This string is updated according to the value of Access Info. The Access Info String field is not configurable when Access Info is set to "np" or "location-info". If Access Info is set to "np", the Access Info String is automatically set to "network-provided".

    Session Timer

    SIP provides a mechanism by which both user agents and proxies can determine whether a given SIP session is still active.

    Session Timer Support

    Enables Session Timer (RFC 4028) support. When enabled, if the calling party does not support Session Timer, EdgeMarc adds the Session Timer headers while forwarding to the called party, and vice versa. If the calling party (UAC) sets the refresher as “UAS” and the called party (UAS) does not support Session Timer, the system sends the refresh requests itself.

    Session Refresh Interval (s)

    The system sends a refresh INVITE at this configured session expiry interval to keep the session alive. The system uses this value only when it acts as the refresher. The default value is 90 seconds.

    Media Security:

    Configure SRTP and MKI support.

    Enable SRTP support

    This option enables SRTP support globally on the device.
    Enable MKI support

    This option enables support for the Master Key Identifier (MKI) parameter in the SRTP crypto attribute. This option is available only when Enable SRTP support is enabled.
    H.225 and H.245 Port Range

    Configure the range of Transmission Control Protocol (TCP) ports used for handling H.225 and H.245 TCP connections.

    If there is a firewall in front of the system, that firewall must allow TCP connections to this range to reach this system. A smaller range means that fewer ports must be opened on the firewall; however, each H.323 call may require up to 3 ports, and if the range is too small, the number of H.323 calls that the system can process may be restricted.

    Port numbers specified are inclusive: Range is 10000 to 65535, default values are 14085 to 15084. The range must contain a minimum of 999 ports.

    RTP Port Range

    Configure an RTP port range for non-translated RTP MOS scoring and traffic shaping.

    This licensed option allows you to MOS score a non-SIP call and prioritize traffic over these ports to the far end. Without this setting, voice traffic over the IPsec VPN tunnel will not be prioritized and you may experience choppy audio.

    Port numbers specified are inclusive, and the range is checked against the number of calls the platform is licensed for. The minimum number of ports required is two times the number of licensed streams or the Call Admission Control (CAC) value from the Traffic Shaping page, whichever is smaller.

    Choose Network > Traffic Shaper and refer to Configuring Traffic Shaping.

    While the minimum number of ports is two per stream, some endpoints may open multiple streams. For H.323 calls, the number of ports per call depends on the number of individual RTP streams the endpoints may use. In some cases, an H.323 client may request a separate stream for video, audio, content sharing, and data/camera control. In that case, eight ports are needed per H.323 endpoint.

    Enter ports to be scored as comma-separated port numbers or ranges of port numbers. For example: 2000,30000-32000,40002,45000-46000.

    Note: This option is available only on some versions of VOS with a special license.

    RTP Packetization Time (ms)

    When this setting is configured, the system inserts the attribute a=ptime: value in the SDP messages with a default setting of 20(ms) if ptime attribute does not exist in the SDP body.

    Note: This is a Microsoft Feature. It takes effect when Enable Microsoft Feature is enabled.

    Enable Multi-ports

    With this option enabled, EdgeMarc allocates a unique WAN source port to each client, from the configured range, when the client is translated through the WAN interface. The following functionality is not supported with this feature:
    • B2BUA calls
    • TLS Transport between SIP Server and EM WAN
    • IPv6 between SIP Server and EM WAN
    • High Availability

    Note: This feature is currently restricted to just hosted clients.

    Multi-port Port Range

    Specifies the range of ports from which the device assigns a unique WAN source port to each hosted client. The range must lie between 22000 and 65535 (inclusive), and the total number of ports must be less than or equal to the maximum number of phones supported on the device. The range must not overlap the RTP port range or the H.225/H.245 port range.
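    The port-range rules spread across the H.225 and H.245 Port Range, RTP Port Range and Multi-port Port Range items above (inclusive ranges, the 999-port minimum, two ports per stream, the 22000 to 65535 window, no overlap between ranges) can be checked before you click Submit. The Python below is an added example, not the product's own validator: it parses the comma-separated port syntax the page uses, checks an H.225/H.245 range, computes the minimum RTP port count, and checks a multi-port range against the phone limit and the other two ranges. The function names and the sample values are assumptions.

```python
H225_H245_MIN, H225_H245_MAX = 10000, 65535
H225_H245_MIN_COUNT = 999
MULTIPORT_MIN, MULTIPORT_MAX = 22000, 65535
PORTS_PER_RTP_STREAM = 2        # RTP + RTCP
PORTS_PER_H323_ENDPOINT = 8     # audio, video, content sharing, camera control


def parse_port_spec(spec):
    """'2000,30000-32000,40002' -> set of ints; ranges are inclusive."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def validate_h225_h245_range(lo, hi):
    """Problems with an H.225/H.245 range; an empty list means it is acceptable."""
    problems = []
    if not (H225_H245_MIN <= lo <= hi <= H225_H245_MAX):
        problems.append(f"range must lie within {H225_H245_MIN}-{H225_H245_MAX}")
    if hi - lo + 1 < H225_H245_MIN_COUNT:
        problems.append(f"range must contain at least {H225_H245_MIN_COUNT} ports")
    return problems


def required_rtp_ports(licensed_streams, cac_streams, ports_per_stream=PORTS_PER_RTP_STREAM):
    """Minimum RTP ports: two per stream for the smaller of the licence and CAC
    limits. Pass ports_per_stream=PORTS_PER_H323_ENDPOINT when sizing for H.323
    endpoints that open four media streams each."""
    return ports_per_stream * min(licensed_streams, cac_streams)


def validate_multiport_range(lo, hi, max_phones, rtp_spec, h225_range):
    """Problems with a Multi-port range, given the device's phone limit, the RTP
    port spec string and the (lo, hi) H.225/H.245 range."""
    problems = []
    if not (MULTIPORT_MIN <= lo <= hi <= MULTIPORT_MAX):
        problems.append(f"range must lie within {MULTIPORT_MIN}-{MULTIPORT_MAX}")
    count = hi - lo + 1
    if count > max_phones:
        problems.append(f"range of {count} ports exceeds the {max_phones} phones the device supports")
    multi = set(range(lo, hi + 1))
    if multi & parse_port_spec(rtp_spec):
        problems.append("overlaps RTP port range")
    h_lo, h_hi = h225_range
    if multi & set(range(h_lo, h_hi + 1)):
        problems.append("overlaps H.225/H.245 port range")
    return problems
```

    Running the same checks against the firewall rule set (the ranges you actually opened) is worthwhile too: a range that passes the device's own rules but is only partly allowed through the perimeter produces one-way audio that is hard to trace back to a port-range mismatch.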

    Prioritize Microsoft Teams

    Selecting this setting allows Microsoft Teams traffic to be prioritized and MOS scored so that calls are not degraded by bandwidth contention. The default ports published by Microsoft are used for the shaping and scoring.

    Allow non-translated RTP to be MOS scored
    RTP range to MOS score

    If RTP for a non-translated protocol should be MOS scored and traffic-shaped, enter the RTP port range in which the system should listen for RTP. Enter ports to be scored as comma-separated port numbers or ranges of port numbers.

    For example: 2000,30000-32000,40002,45000-46000

    Note: This option is available only on some versions of VOS.

    Calculate Round-Trip-Time

    Enables Round-Trip-Time (RTT) calculation. RTCP packets, LSR, and DLSR values are used to calculate an RTT value for each RTP stream. RTCP packets can be sent on behalf of phones if they do not send RTCP themselves.

    Calculate Round-Trip-Time

    Select the Calculate RTT checkbox to enable the feature.

    RTCP MUX Support

    This option enables RTCP multiplexing on inbound calls. This helps to establish bi-directional audio calls.

    Bandwidth Settings for H.323

    The maximum bandwidth to be used. The total bandwidth is counted as RTP payload plus IP header overhead, that is, the actual link bandwidth set aside for RTP streams. The per-call bandwidth is the RTP payload bandwidth only, that is, the value used in the client to specify the bandwidth of the call. See Configuring Bandwidth Settings for H.323.

    Note: Only EdgeProtect supports H.323. EdgeMarc does not support H.323.

    ALG registration

    Displays current ALG registration status.

    The registration status for the ALG feature is displayed to ensure that the feature is enabled. If the feature is not registered, no calls will be allowed to pass.

    Note: The ALG registration code is available on a sticker on the bottom of the device or from your service provider.

    To view your license key, click the license key link provided to access the License page or choose Admin from the Configuration Menu and click the license key link in Registration Status. Refer to Manage the License Key.

  3. Proceed to Configuring Bandwidth Settings for H.323.

Configuring Bandwidth Settings for H.323

This section outlines how to configure the bandwidth settings for H.323.

Note

Only EdgeProtect supports H.323. Please note that EdgeMarc does not support H.323.

To Configure Bandwidth Settings for H.323

  1. Choose VoIP from the Configuration Menu.
  2. Scroll to Bandwidth Settings for H.323.

  3. Configure bandwidth settings using the information in the following table as a guide.

    VoIP ALG Parameters - H.323 Bandwidth Settings

    Item / Description

    Bandwidth Settings for H.323

    Maximum total bandwidth (kbps)

    Enter the maximum available bandwidth. Bandwidth includes the RTP payload plus the IP header overhead. If the bandwidth is set to 0, bandwidth management is not enforced.

    Only calls with media traversing the system are counted towards the bandwidth maximum. This number applies to the total bandwidth maximum (payload + overhead); the actual payload allowed through is 20% lower than this number. For example, if Maximum Bandwidth is set to 1000 kbps, only 800 kbps of actual voice/video is allowed through.

    Maximum per-call bandwidth (kbps)

    Enter the maximum available per call bandwidth, which is the bandwidth available for the RTP payload (value that the client uses to specify call bandwidth). The IP overhead is not specified here, but rather the value used in an H.323 endpoint when making a call.

    Default audio stream bandwidth (kbps)

    Enter the bandwidth to assume for an audio stream when the endpoint does not signal a call bandwidth.

    Default video stream bandwidth (kbps)

    Enter the bandwidth to assume for a video stream when the endpoint does not signal a call bandwidth.

    VoIP ALG Licensed Bandwidth In Use

    Displays the sum of RTP payloads of all current calls.

    For example, if two 384 kbps calls are present, this field displays 768. The system subtracts this value from the licensed Video Bandwidth shown on the License Key page.

    Current Total Bandwidth With IP Overhead

    Displays the RTP payload of current calls plus the estimated IP overhead.

    Use this value to budget the requirements for video traversing the customer WAN connection. The value is calculated by dividing the RTP payload by 0.8 to add the IP overhead. For example, 384 kbps / 0.8 = 480 kbps of estimated bandwidth usage.

  4. Click Submit to apply your changes. For more information on submitting your changes, refer to Submit Configuration Changes.