CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Using SIP-over-TLS phones behind CheckPoint firewall with NAT

  1. #1
    Join Date: 2019-04-07 | Posts: 2 | Rep Power: 0

    Using SIP-over-TLS phones behind CheckPoint firewall with NAT

    Hi all,

    To your knowledge, is it possible to place a SIP phone behind a firewall and have it communicate with a SIP server (gateway, PBX) somewhere on the Internet, while encrypting the SIP traffic with TLS (let's say the SIP control channel is over TCP), given that the FW also works as a NAT gateway?

    As I understand from the VoIP Administration Guide, it's not possible. Unlike FortiGate, the CheckPoint FW doesn't support TLS inspection (full man-in-the-middle) for SIP.
    And without inspection, the FW won't be able to interpret SIP signaling and open ports for outgoing or, most significantly, incoming RTP connections from the PBX to the phone.

    The "Legacy Solution for SIP TLS Support" section describes a solution where all high ports are opened for incoming traffic (so security is sacrificed for the ability to use SIP signalling over TLS without inspection), but how is it supposed to work in a NAT environment?
    Let's say some phone behind the FW signalled to the PBX that it's ready to accept traffic on UDP port 12345, but this signalling occurred over TLS, so it's opaque to the FW.
    When the PBX sends RTP packets to the public IP of the firewall on port 12345, how can the FW know which internal IP to forward these packets to?
    The guide doesn't explain this.

    Is my understanding correct? Has someone tried such configuration?

    Thanks,

    Vladimir.

  2. #2
    Join Date: 2019-04-07 | Posts: 2 | Rep Power: 0

    Re: Using SIP-over-TLS phones behind CheckPoint firewall with NAT

    We got a response from CheckPoint support that such a configuration isn't possible.
    The CheckPoint FW can't inspect (by "lawful" MITM) SIP-over-TLS traffic, and without such inspection SIP won't work.
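Added illustration of the point raised in this thread (example code written for this page; it is not from the thread and not Check Point's implementation): a toy SIP ALG on a NAT firewall, run once over a plaintext INVITE and once over the same signaling as an opaque TLS record. The phone, firewall and PBX addresses, the INVITE/SDP text and the TLS record are all constructed for the example, and the NAT is port-preserving to keep the model short.

```python
# Added example (not from the thread, and not Check Point's code): a toy SIP ALG
# on a NAT firewall. All addresses and the INVITE/SDP text are constructed.
import re
from collections import namedtuple
from dataclasses import dataclass, field

PHONE_LAN_IP = "192.168.1.20"   # phone behind the firewall (assumed)
FW_PUBLIC_IP = "198.51.100.1"   # firewall's external address (assumed)
PBX_IP = "203.0.113.5"          # PBX on the Internet (assumed)

# Constructed plaintext INVITE: the phone offers to receive RTP on UDP 12345.
_SDP = ("v=0\r\n"
        "o=phone 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
        "s=-\r\n"
        "c=IN IP4 192.168.1.20\r\n"
        "t=0 0\r\n"
        "m=audio 12345 RTP/AVP 0 8\r\n")
INVITE_PLAINTEXT = ("INVITE sip:pbx@203.0.113.5 SIP/2.0\r\n"
                    "Via: SIP/2.0/TCP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
                    "From: <sip:phone@192.168.1.20>;tag=1928301774\r\n"
                    "To: <sip:pbx@203.0.113.5>\r\n"
                    "Call-ID: a84b4c76e66710\r\n"
                    "CSeq: 314159 INVITE\r\n"
                    "Content-Type: application/sdp\r\n"
                    f"Content-Length: {len(_SDP)}\r\n\r\n" + _SDP).encode()

# Constructed stand-in for the same INVITE over SIP-TLS: a TLS 1.2 application-
# data record header (type 0x17, version 0x0303, length 64) followed by filler
# bytes standing in for ciphertext. This is all a non-decrypting firewall sees.
TLS_APPDATA = bytes([0x17, 0x03, 0x03, 0x00, 0x40]) + bytes((i * 37 + 11) & 0xFF for i in range(64))

# A pinhole: UDP from remote_ip to public_ip:pub_port is forwarded to lan_ip:lan_port.
Pinhole = namedtuple("Pinhole", "remote_ip pub_port lan_ip lan_port")


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header (RFC 5246 layout)."""
    return len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) \
        and payload[1] == 0x03 and payload[2] <= 0x04


def parse_sdp_media(sip_msg: bytes) -> list[tuple[str, int]]:
    """(ip, port) for each m= line of a plaintext SIP message carrying SDP.
    Session-level c= only; port 0 means the stream is rejected."""
    head, sep, body = sip_msg.partition(b"\r\n\r\n")
    if not sep or b"application/sdp" not in head.lower():
        return []
    media, conn_ip = [], None
    for line in body.decode(errors="replace").splitlines():
        if line.startswith("c=IN IP4 "):
            conn_ip = line.split()[2]
        elif line.startswith("m="):
            port = int(line.split()[1])
            if port and conn_ip:
                media.append((conn_ip, port))
    return media


@dataclass
class NatFirewall:
    public_ip: str
    pinholes: dict[int, Pinhole] = field(default_factory=dict)  # keyed by pub_port

    def inspect_signaling(self, payload: bytes, lan_ip: str, remote_ip: str):
        """Emulate the SIP ALG on an outbound signaling packet from lan_ip.
        Returns (pinholes opened, payload as forwarded). Plaintext SIP: read the
        SDP, open RTP/RTCP pinholes from remote_ip, rewrite c= to the public side.
        TLS: nothing to read, so forward untouched and create no mapping."""
        if is_tls_record(payload):
            return [], payload
        opened, forwarded = [], payload
        for ip, port in parse_sdp_media(payload):
            if ip != lan_ip:
                continue  # SDP does not describe this phone; leave it alone
            # Port-preserving NAT for the toy (public port == phone's port);
            # RTCP sits on port+1 (RFC 3550 pairing).
            for p in (port, port + 1):
                self.pinholes[p] = Pinhole(remote_ip, p, ip, p)
                opened.append(self.pinholes[p])
            forwarded = self._rewrite_sdp(forwarded, ip)
        return opened, forwarded

    def _rewrite_sdp(self, payload: bytes, ip: str) -> bytes:
        """Point c= at the public address and fix Content-Length to match."""
        head, _, body = payload.partition(b"\r\n\r\n")
        body = body.replace(f"c=IN IP4 {ip}".encode(), f"c=IN IP4 {self.public_ip}".encode())
        head = re.sub(rb"(?mi)^Content-Length: \d+", b"Content-Length: %d" % len(body), head)
        return head + b"\r\n\r\n" + body

    def inbound(self, src_ip: str, dst_port: int):
        """Inside destination for a UDP packet to public_ip:dst_port, or None.
        None is the post's case: with no mapping learned from the signaling, an
        RTP packet to :12345 has nowhere inside to go, whatever the rule base says."""
        hole = self.pinholes.get(dst_port)
        return (hole.lan_ip, hole.lan_port) if hole and hole.remote_ip == src_ip else None
```

Run `NatFirewall(FW_PUBLIC_IP).inspect_signaling(INVITE_PLAINTEXT, PHONE_LAN_IP, PBX_IP)` and the ALG reads `m=audio 12345`, installs pinholes for UDP 12345 and 12346 from the PBX only, rewrites `c=` to the public address and corrects Content-Length; `inbound(PBX_IP, 12345)` then resolves to the phone, and a packet from any other source is dropped. Feed it `TLS_APPDATA` instead and `inspect_signaling` opens nothing and `inbound` returns None: permitting the high ports in the rule base, as in the legacy solution, does not create the NAT mapping, so a packet to the public IP on port 12345 still has no inside destination.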
