How to configure specialist firewalls for use with VoIP

Getting Started

Some specialist firewalls require extra configuration in order to successfully pass SIP packets to and from your network - specific notes on these firewalls can be found below.

Advanced Configuration

Sonicwall Firewalls -

The problem with invite packets being dropped was due to an intrusion protection filter designed to protect against a vunerability known as "sipXtapi Remote Buffer overflow"
This vunerability affects unpatched sipXtapi software used in AOL Triton and can be caused by sending an INVITE to port 5060 which contains a CSeq number greater than 2^24.
The Gradwell system typically uses CSeq numbers in INVITE messages that are between 2^24 and 2^31 (the SIP maximum). Therefore any firewall that protects against the "sipXtapi Remote Buffer Overflow" vunerability will not be compatible with the Gradwell service.
You are able to disable this intrusion protection filter on the Sonicwall firewall - this is enabled by default.

Sonicwall TZ180 Security Appliance -

running SonicOS Standard. SIP equipment used is a Gradwell Branded Camrivox Flexor 151.  

1. Firewall setup
Under the "Firewall" heading on the left hand bar, choose Access Rules. 

Click "Rule Wizard..." at the top. Follow the wizard through to create a "Public Server Rule" to the Server IP address (the IP address of your ATA) and using the pre-defined service "SIP". 

The Destination interface should be LAN. 

I personally found that although the Flexor 151 allegedly requires several port ranges to be open, the predefined SIP (simply UDP 5060 only) works fine and calls inbound and outbound work fine.

I also went back into the Access Rules page, "Configured" the new rule and clicked on the Bandwidth tab. I ticked "Enable Outbound Bandwidth Management", and gave both Guaranteed and Maximum bandwidth as 256Kbps (should be plenty). I set the bandwidth priority to "0 Highest".

2. Security Services
Various security services interfere with the operation of the device such that in severe cases the ATA won't operate at all, and in some cases just not receive incoming calls. These are the important settings, under the "Security Services" heading on the left hand bar.

Client AV Enforcement: this should be disabled. By all means enable it temporarily to force a new client to download the antivirus software, but if it remains enabled, the ATA will be blocked from the firewall, because obviously it doesn't run the antivirus software!

Gateway Antivirus: this is safe to enable.

Intrusion Prevention: for safety's sake, it's good to enable this on all interfaces, but unless you Prevent only High Priority attacks, there is a problem with the VoiP category - specifically the following condition:

"VoIP sipXtapi Remote Buffer Overflow, SID: 3363, Priority: Medium". To disable this policy, in the list of IPS Policies, click Configure next to the VoiP Category, and set Prevention (and optionally detection) to "Disable".

Anti-Spyware: it is safe to enable both inbound and outbound anti-spyware