SIP port on Checkpoint firewalls

By -
So here is another issue I have come across twice this week alone.
When setting up the TCP 5061 rules on firewalls between DMZ Internal and LAN on Checkpoint Firewalls, the default SIP rule being chosen by admins is SIP_TLS_AUTHENTICATION. However while a simple telnet will work between the servers (it may take 7-8 seconds extra) and it will look like it works but no logs in the Logger or errors about certificates.

What I found is that if you change the rule to SIP_TLS_NOT_INSPECTED this resolved the issue. We could then see traffic coming completely through.
Here is some information from checkpoint directly:

Source: https://sc1.checkpoint.com/documents/R76/CP_R76_VoIP_WebAdmin/87769.htm

Comments

Post a Comment

Popular posts from this blog

Teams Device Health Monitoring and Reporting

By -
Image
 Microsoft have snuck in a nice new feature into the Teams Admin Center (TAC). We now see a new Notifications and Alerts  menu tree and below this Rules. When we go in here, we find only a single Default  Device State Rule with no option to create any new rules (yet at least...) When we edit this rule, we can see that we now have an option to monitor specific devices (think meeting room devices, collaboration bars etc.. here) Under Device users  we click on +ADD  then enter the name of the account, or accounts if you are monitoring multiple devices, associated with the device, such as the resource account. Then under Actions  we can choose either Channel alert  - to have a nice alert sent to our Teams Channel   OR Webhook  to use webhooks for alerting. Finally ensure to select Active  then Save. Once set up this will take maybe 15 mins to replicate and set up. Then once a device has gone offline, the alert will be sent "Immediately", however it seems to take between 5-10 mins
Read more

Unassigned Numbers in Microsoft Teams using Audiocodes SBC

By -
Image
Unlike Skype for Business, Microsoft Teams does not natively support the handling of Unassigned numbers in the system. So if someone leaves your organisation and you remove the number from them and someone tries to call it, the call will drop. Technically, Teams will return a "404 Not Found" back to the SBC and back on to the telco. What we can do here is to then assign the 404 error to a Route, change the Destination Number (to a call queue or to your main Reception number for example) and route it back to Teams. To do this there are a few simple steps: Step 1 – Create an Alternative Reasons Set Step 2 – Configure existing Teams IP Group to use the SBC Alternative Routing Reason Set Step 3 - Create new IPG Step 4 – Create a new route in IP-to-IP Routing Step 5 - Manipulate Numbers Step 6 – Test  Step 1 – Create an Alternative Reasons Set The first thing we need to do is create an " Alternative Routing Set ", we find this under Setup >> Signaling & Media &
Read more

Skype for Business Edge Server replication troubleshooter

By -
Image
Many times in Skype for Business/Lync the main issue I come across is the deployment is that the edge server(s) fails to replicate. We see this when we run the command in Skype for Business Management Shell : Get-CsManagementStoreReplicationStatus and we see that the edge servers have False and no LastStatusReport or ProductVersion is shown as below. There are a number of things which can cause this and I am going to list them here. Try them in order here as this will contain the most common to the least common issues I found. Ø   Routing Ø   Firewall rules Ø   DNS suffix Ø   DNS (Local and LAN) Ø   Registry entries for SCHANNEL Ø   Certificates A check we can use to see if the replication is working can be done by trying to connect to the following URL from the Front End Server whish hosts the CMS: https://edgeinternalfqdn.domain.ie:4443/Replicationwebservice You should get the following screen: Without this response there is an issue,
Read more