Hi Enky!
Please always Cc: to the list!
Setting up a dedicated outboundproxy (e.g. like Jasomi peerpoint or SNOM
NAT filter) is not trivial. Typical this applications do all the NAT
traversal and are transparent to SIP proxy. That means the SIP proxy
does not have knowledge of the existence of such an outboundproxy.
This is done by replacing the Contact: URI from the client with a URI
pointing to the outboundproxy, and a random username (which will be
mapped to the real client URI inside the outboundproxy). Some of them
are real B2BUAs, some of them are some kind of proxy. All of them have
in common, that they need to have a local "location table" to store the
mapping from the real SIP clients to the SIP clients presented to the
main SIP proxy.
Another approach is the Path extension in RFC 3327
(
http://ietf.org/rfc/rfc3327). This requires support by the main proxy,
which has to store the location of the client plus the path to the
client (i.e. the outbound proxy). Support for this extension is
currently under development in the experimental tree (search the mailing
list archive for more info).
Back to the former approach: for REGISTER: ser as outboundproxy has to
store the contact of the NATed client, and then replaces it with an
unique identifier and send the message upstream to the main proxy. If
the registration was sucessfull, the mapping will be valid. In the
response, ser has to change the "virtual user" in the Contact: header
back to the original Contact: header, as otherwise some clients get
confused and reject the 200 Ok response.
AFAIK there is no way to achieve this with ser without modifying code.
Maybe AVPs can help, but i'm not sure.
regards
klaus
asterisk(a)bgopentel.com wrote:
Dear Klaus,
thank you for your attention.
Unfortunately I do not know how to handle this issue. I use a mysql module in the main
proxy to store the user data. The main proxy is running on a preconfigured FC1 Linux with
a specialized software, installed on it. This software is not related to the SER and VoIP
at all, but I can not change the installed software versions and that's why the SER
version is rather old, but I can not upgrade it. So, I decided to run a separate proxy to
only handle the NAT issues.
Please tell me what I have to configure in the main and in the outbound proxy to have it
working? Thank you very much. I appreciate your help and attention.
Klaus Darilion wrote ..
>How do you make sure that the main proxy sends the INVITE to the
>outbound proxy, and the outbound proxy sends the request to the client?
>
>where do you store the contact information? in the main proxy or in the
>outbound proxy?
>
>regards
>klaus
>
>Enky wrote:
>
>>Hi,
>>I am trying to run the SER as an outbound proxy. Unfortunately I have
>>some problems. I have used the nathelper/rtpproxy with a customized
>>ser.conf and the result is that the clients behind NAT are making
>>outbound calls with no problems. The audio is two-way and all seems
>>best, but when I try to react a client behind NAT I can not. It is
>>registered in the SIP Proxy, but I can not dial it.
>>My scenario is: SER with MySQL authorization on the first PC and SER
>>with nathelper/rtpproxy for outbound proxy on second PC.
>>Could someone give me some hint as I can not solve this problem. The
>>Outbound Proxy SER version is:
>>version: ser 0.9.3 (i386/linux)
>>flags: STATS: Off, USE_IPV6, USE_TCP, DISABLE_NAGLE, USE_MCAST,
>>DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
>>ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
>>MAX_URI_SIZE 1024, BUF_SIZE 65535
>>@(#) $Id: main.c,v 1.197 2004/12/03 19:09:31 andrei Exp $
>>main.c compiled on 20:51:59 Jun 28 2005 with gcc 3.3
>>
>>The ser.cfg of the Outbound Proxy SER is:
>>#
>># $Id: nathelper.cfg,v 1.1 2003/11/10 14:15:36 janakj Exp $
>>#
>># simple quick-start config script including nathelper support
>>
>># This default script includes nathelper support. To make it work
>># you will also have to install Maxim's RTP proxy. The proxy is enforced
>># if one of the parties is behind a NAT.
>>#
>># If you have an endpoing in the public internet which is known to
>># support symmetric RTP (Cisco PSTN gateway or voicemail, for example),
>># then you don't have to force RTP proxy. If you don't want to enforce
>># RTP proxy for some destinations than simply use t_relay() instead of
>># route(1)
>>#
>># Sections marked with !! Nathelper contain modifications for nathelper
>>#
>># NOTE !! This config is EXPERIMENTAL !
>>#
>># ----------- global configuration parameters ------------------------
>>
>>debug=3 # debug level (cmd line: -dddddddddd)
>>fork=yes
>>log_stderror=no # (cmd line: -E)
>>
>>/* Uncomment these lines to enter debugging mode
>>fork=no
>>log_stderror=yes
>>*/
>>
>>check_via=no # (cmd. line: -v)
>>dns=no # (cmd. line: -r)
>>rev_dns=no # (cmd. line: -R)
>>port=5082
>>children=4
>>fifo="/tmp/ser_fifo"
>>
>># ------------------ module loading ----------------------------------
>>
>># Uncomment this if you want to use SQL database
>>#loadmodule "/usr/local/lib/ser/modules/mysql.so"
>>
>>loadmodule "/usr/local/lib/ser/modules/sl.so"
>>loadmodule "/usr/local/lib/ser/modules/tm.so"
>>loadmodule "/usr/local/lib/ser/modules/rr.so"
>>loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
>>loadmodule "/usr/local/lib/ser/modules/usrloc.so"
>>loadmodule "/usr/local/lib/ser/modules/registrar.so"
>>loadmodule "/usr/local/lib/ser/modules/textops.so"
>>
>># Uncomment this if you want digest authentication
>># mysql.so must be loaded !
>>#loadmodule "/usr/local/lib/ser/modules/auth.so"
>>#loadmodule "/usr/local/lib/ser/modules/auth_db.so"
>>
>># !! Nathelper
>>loadmodule "/usr/local/lib/ser/modules/nathelper.so"
>>
>># ----------------- setting module-specific parameters ---------------
>>
>># -- usrloc params --
>>
>>modparam("usrloc", "db_mode", 0)
>>
>># Uncomment this if you want to use SQL database
>># for persistent storage and comment the previous line
>>#modparam("usrloc", "db_mode", 2)
>>
>># -- auth params --
>># Uncomment if you are using auth module
>>#
>>#modparam("auth_db", "calculate_ha1", yes)
>>#
>># If you set "calculate_ha1" parameter to yes (which true in this
config),
>># uncomment also the following parameter)
>>#
>>#modparam("auth_db", "password_column", "password")
>>
>># -- rr params --
>># add value to ;lr param to make some broken UAs happy
>>modparam("rr", "enable_full_lr", 1)
>>
>># !! Nathelper
>>modparam("registrar", "nat_flag", 6)
>>modparam("nathelper", "natping_interval", 60) # Ping interval
60 s
>>modparam("nathelper", "ping_nated_only", 1) # Ping only
clients behind
>
>NAT
>
>>
>># ------------------------- request routing logic -------------------
>>
>># main routing logic
>>
>>route{
>>
>> # initial sanity checks -- messages with
>> # max_forwards==0, or excessively long requests
>> if (!mf_process_maxfwd_header("10")) {
>> sl_send_reply("483","Too Many Hops");
>> break;
>> };
>> if (msg:len >= max_len ) {
>> sl_send_reply("513", "Message too big");
>> break;
>> };
>>
>> # !! Nathelper
>> # Special handling for NATed clients; first, NAT test is
>> # executed: it looks for via!=received and RFC1918 addresses
>> # in Contact (may fail if line-folding is used); also,
>> # the received test should, if completed, should check all
>> # vias for rpesence of received
>> if (nat_uac_test("3")) {
>> # Allow RR-ed requests, as these may indicate that
>> # a NAT-enabled proxy takes care of it; unless it is
>> # a REGISTER
>>
>> if (method == "REGISTER" || ! search("^Record-Route:")) {
>> log("LOG: Someone trying to register from private IP,
rewriting\n");
>>
>> # This will work only for user agents that support symmetric
>> # communication. We tested quite many of them and majority is
>> # smart enough to be symmetric. In some phones it takes a
>>configuration
>> # option. With Cisco 7960, it is called NAT_Enable=Yes, with
>>kphone it is
>> # called "symmetric media" and "symmetric signalling".
>>
>> fix_nated_contact(); # Rewrite contact with source IP of signalling
>> if (method == "INVITE") {
>> fix_nated_sdp("1"); # Add direction=active to SDP
>> };
>> force_rport(); # Add rport parameter to topmost Via
>> setflag(6); # Mark as NATed
>> };
>> };
>>
>> # we record-route all messages -- to make sure that
>> # subsequent messages will go through our proxy; that's
>> # particularly good if upstream and downstream entities
>> # use different transport protocol
>> if (!method=="REGISTER") record_route();
>>
>> # subsequent messages withing a dialog should take the
>> # path determined by record-routing
>> if (loose_route()) {
>> # mark routing logic in request
>> append_hf("P-hint: rr-enforced\r\n");
>> route(1);
>> break;
>> };
>>
>> if (!uri==myself) {
>> # mark routing logic in request
>> append_hf("P-hint: outbound\r\n");
>> route(1);
>> break;
>> };
>>
>> # if the request is for other domain use UsrLoc
>> # (in case, it does not work, use the following command
>> # with proper names and addresses in it)
>> if (uri==myself) {
>>
>> if (method=="REGISTER") {
>>
>> save("location");
>> break;
>> };
>>
>> lookup("aliases");
>> if (!uri==myself) {
>> append_hf("P-hint: outbound alias\r\n");
>> route(1);
>> break;
>> };
>>
>> # native SIP destinations are handled using our USRLOC DB
>> if (!lookup("location")) {
>> sl_send_reply("404", "Not Found");
>> break;
>> };
>> };
>> append_hf("P-hint: usrloc applied\r\n");
>> route(1);
>>}
>>
>>route[1]
>>{
>> # !! Nathelper
>> if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)"
&&
>>!search("^Route:")){
>> sl_send_reply("479", "We don't forward to private IP
addresses");
>> break;
>> };
>>
>> # if client or server know to be behind a NAT, enable relay
>> if (isflagset(6)) {
>> force_rtp_proxy();
>> };
>>
>> # NAT processing of replies; apply to all transactions (for example,
>> # re-INVITEs from public to private UA are hard to identify as
>> # NATed at the moment of request processing); look at replies
>> t_on_reply("1");
>>
>> # send it out now; use stateful forwarding as it works reliably
>> # even for UDP2TCP
>> if (!t_relay()) {
>> sl_reply_error();
>> };
>>}
>>
>># !! Nathelper
>>onreply_route[1] {
>> # NATed transaction ?
>> if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>> fix_nated_contact();
>> if (!search("^Content-Length:\ 0")) {
>> force_rtp_proxy();
>> };
>> # otherwise, is it a transaction behind a NAT and we did not
>> # know at time of request processing ? (RFC1918 contacts)
>> } else if (nat_uac_test("1")) {
>> fix_nated_contact();
>> };
>>}
>>
>>
>>
>>
>>------------------------------------------------------------------------
>>
>>_______________________________________________
>>Serusers mailing list
>>serusers(a)lists.iptel.org
>>http://lists.iptel.org/mailman/listinfo/serusers