Hi all,

To your knowledge, is it possible to place a SIP phone behind a firewall and have it communicate with a SIP server (gateway, PBX) somewhere on the Internet, while encrypting the SIP traffic with TLS (let's say the SIP control channel is over TCP), given that the FW also works as a NAT gateway?

As I understand from the VoIP Administration Guide, it's not possible. Unlike FortiGate, the Checkpoint FW doesn't support TLS inspection (full man-in-the-middle) for SIP.
And without inspection, the FW won't be able to interpret the SIP signaling and open ports for outgoing or, most significantly, incoming RTP connections from the PBX to the phone.

The “Legacy Solution for SIP TLS Support” section describes a solution where all high ports are open for incoming traffic (so security is sacrificed for the ability to use SIP signalling over TLS without inspection) – but how is it supposed to work in a NAT environment?
Let's say some phone behind the FW signalled to the PBX that it's ready to accept traffic on UDP port 12345 – but this signalling occurred over TLS, so it's opaque to the FW.
When the PBX sends RTP packets to the public IP of the firewall on port 12345, how can the FW know which internal IP to forward these packets to?
The guide doesn't explain this.

Is my understanding correct? Has someone tried such configuration?
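As an added illustration (not part of the original post or of any Check Point code), here is a small Python model of what a SIP ALG derives from cleartext SDP, and what it can derive when the same signalling arrives as a TLS record. The INVITE, the TLS record bytes, the phone's internal address and the firewall's public address are all constructed for the example.

```python
import re

# Constructed sample: a cleartext SIP INVITE from a phone behind NAT (192.168.1.20),
# as a SIP ALG on the firewall would see it when signalling is not TLS-encrypted.
CLEARTEXT_INVITE = (
    b"INVITE sip:pbx@203.0.113.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP 192.168.1.20:5060\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"o=phone 1 1 IN IP4 192.168.1.20\r\n"
    b"c=IN IP4 192.168.1.20\r\n"
    b"m=audio 12345 RTP/AVP 0\r\n"
)

# Constructed stand-in for the same signalling carried in a TLS application-data record
# (0x17 0x03 0x03 = TLS record header, then opaque ciphertext): the firewall sees only this.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x40, 0x60))

FW_PUBLIC_IP = "198.51.100.1"   # constructed public address of the NAT firewall


def parse_sdp_media(msg: bytes):
    """Return (internal_ip, rtp_port) from a cleartext SIP message's SDP, or None if unreadable."""
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, body = text.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head:
        return None
    conn = re.search(r"^c=IN IP4 (\S+)\r?$", body, re.M)
    media = re.search(r"^m=audio (\d+) ", body, re.M)
    if not (conn and media):
        return None
    return conn.group(1), int(media.group(1))


def alg_pinholes(msg: bytes):
    """Model what a SIP ALG does with readable SDP: open an inbound pinhole for RTP/RTCP on the
    public IP and install the DNAT entries that map those ports back to the phone's internal IP.
    With TLS signalling there is no readable SDP, so nothing can be opened or mapped."""
    media = parse_sdp_media(msg)
    if media is None:
        return None
    internal_ip, rtp = media
    ports = (rtp, rtp + 1)                       # RTP and the conventional RTCP port
    return {
        "allow_inbound": [(FW_PUBLIC_IP, p) for p in ports],
        "dnat": {(FW_PUBLIC_IP, p): (internal_ip, p) for p in ports},
        "rewrite_sdp": f"c=IN IP4 {FW_PUBLIC_IP}",    # ALG rewrites c= so the PBX sends to the public IP
    }
```

Running `alg_pinholes(CLEARTEXT_INVITE)` yields the pinhole and DNAT entries for 12345/12346, while `alg_pinholes(TLS_RECORD)` returns None, which is exactly the gap the question describes: with opaque signalling the NAT has no way to learn the internal destination.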