Fiberme FAP26 Series, Manual

Page: 17 / 18

P a g e 16
SECURITY GUIDELINES FOR FAP DEPLOYMENT
Often the FAP are deployed behind NAT. The network administrator can consider following security
guidelines for the FAP to work properly and securely.
•
Turn off SIP ALG on the router
On the
customer’s router, it’s recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG
is common in many routers intending to prevent some problems caused by router firewalls by
inspecting VoIP packets and modifying it if necessary. Even though SIP ALG intends to prevent
issues for VoIP devices, it can be implemented imperfectly causing problems, especially in some
cases SIP ALG modifies SIP packets improperly which might cause VoIP devices fail to register or
establish calls.
•
Use TLS and SRTP for SIP calls
On the FAP
, it’s recommended to use TLS for SIP transport with “sips” in SIP URL scheme for SIP
signaling encryption and use SRTP for media encryption.
Below the SIP ports and RTPs port used on the FAP if the network administrator needs to create
firewall rules.
➢
Under web UI
→
Account x
→
SIP Settings
→
Basic Settings,
the feature “Local SIP Port” defines the
local SIP port used to listen and transmit. The default value when using SIP transport protocol UDP/TCP
is 5060 for Account 1, 5062 for Account 2, 5064 for Account 3, 5066 for
Account 4… When using TLS as
SIP transport protocol the default value is 5061 for Account 1, 5063 for Account 2, 5065 for Account 3,
… The valid range is from 1 to 65535.
➢
Under web UI
→
Settings
→
General Settings , the feature
“Local RTP Port” defines the local RTP port
used to listen and transmit. Local RTP port ranges from 1024 to 65400 and must be even. It is the base
RTP port for channel 0. When configured channel 0 will use this port_value for RTP, and por1
for RTCP. Channel 1 will use por2 for RTP and so on, until reaching the limit and then it will be
reset to first port_value. The default value is 5004 for RTP and 5005 for RTCP.
For the FAP26XX phones, it is possible to select a range for the Local RTP port from 48 to 10000.
Default setting is 200.
Note : On the customer’s firewall, it’s recommended to ensure SIP port is opened for the SIP accounts on the FAP. It’s
not necessary to use the default port 5060/5062/… on the firewall. Instead, the network administrator can consider
mapping a different port on the firewall for FAP SIP port 5060 for security purpose.