"Disclaimer: This information is posted as-is and the content should be referenced at your own risk"
This article provides basic network infrastructure recommendations, UTM configuration and debugging best-practices to ensure reliable VoIP and other real-time communications performance.
Applies to the following Sophos product(s) and version(s)
One of the first things to be aware of when planning a VoIP environment is that VoIP packets (or any real-time communication packets/codecs) are VERY sensitive to latency or variations in packet arrival times. Although most networks experience occasional packet latencies, these typically only present minor inconveniences such as a slight delay in loading a web page, or possibly a slightly longer file download time. However, on VoIP networks these latencies or variations in packet timings can result in dropped calls or poor call quality. VoIP codecs require a steady, dependable stream of packets to provide reasonable playback quality. Packets arriving too early, too late, or out of sequence result in jerky, jumbled playback. This phenomenon is called jitter. Therefore if reliable and high-quality VoIP or other real-time communications is the goal, careful planning and testing of your VoIP environment is crucial.
The two most important factors to consider which will ensure reliable VoIP operations and real-time communications on your network are:
If you are setting up a new VoIP environment, this is where you can make network architecture decisions to ensure a reliable and easily managed VoIP implementation.
1: (Conduct a Site Survey) The more you know about your network, the better prepared you are to properly integrate VoIP. Conduct a site survey to review current WAN bandwidth levels, traffic flows, and existing switches for bottlenecks and choke points. Then, identify or determine specific needs through testing and modeling.
2: (Segmenting VoIP Packets) Place all VoIP, SIP, PBX or trunking equipment on a separate network segment from your LAN, or on a VLAN. This makes it much easier to manage the time-sensitive VoIP packets independently and to implement the SIP Helper, and it either removes the need for Quality of Service (QoS) rules or simplifies QoS configuration and security.
3: (IPs, Ports and Protocols) Since each VoIP/PBX vendor may have their own set of ports and protocols required for their systems, ensure you obtain a complete list of all IPs, networks, ports and protocols involved in your particular VoIP solution.
4: (Exclude all Packet Inspection and Proxy Services) Ensure that all VoIP hardware, VoIP networks, phones, trunks etc. are excluded from IPS, Application Control, Advanced Threat Protection or Web Protection (HTTP proxy). This is easiest to implement when all the traffic is on its own network segment or VLAN (#2).
5: (Use Fastest Uplink) If you have more than one uplink (WAN connection), and one has higher bandwidth, you should create a multipath rule for all VoIP traffic to use the faster of all your uplinks - especially if your PBX or phones connect to an upstream SIP/VoIP Trunk Server.
6: (Use the SIP Helper) First try to configure your VoIP environment using the SIP Helper (and the H.323 Helper if video phones/conferencing is needed). In many cases this will be all that is required, and you will have more secure and dynamically managed SIP/UDP/TCP connections.
7: (Manual Firewall/DNAT) If the SIP or H.323 Helpers do not work for your particular environment or VoIP solution, then you will need to refer to the information you collected in #3 above, and manually configure all necessary firewall and/or DNAT rules.
If you have an existing VoIP environment which is starting to drop calls or experience poor call quality, and you can exclude any other network (LAN or WAN), routing or equipment issues, then first go through step #4 for a new configuration (Exclude all Packet Inspection & Proxy Services). If this does not resolve the dropped calls or poor call quality, and you suspect network saturation because VoIP traffic is shared with LAN traffic, then try the following.
2: (Use Fastest Uplink) If you have more than one uplink (WAN connection), and one has higher bandwidth, you should create a multipath rule for all VoIP traffic to use the faster of all your uplinks - especially if your PBX or phones connect to an upstream SIP/VoIP Trunk Server.
3: (Allocate Bandwidth to VoIP) If you are unable to segment all VoIP traffic from the rest of the LAN, and you are still experiencing dropped calls or poor call quality after ensuring that no packet inspection/interception services touch VoIP traffic (and after excluding other possible configuration issues), then you can try allocating a set amount of bandwidth for VoIP traffic with Quality of Service (QoS) controls to address possible network saturation affecting VoIP packets (see the KBAs below).
4: (Throttle High Bandwidth Applications) If you allow P2P, streaming media, Cloud Storage, FTP or other high-bandwidth services on the same network shared with VoIP traffic, you may also want to implement QoS to limit (throttle) the amount of bandwidth allowed for those services (see the KBAs below).
5: (VoIP/SIP Network Testing) Consider testing your network for VoIP/SIP using a VoIP testing tool or testing sites available on the Internet, or through the example test/tool sites below.
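The jitter described at the start of this article is what a VoIP/SIP test tool measures. As an added example (not code from the Sophos article or from any Sophos tool), the following computes the RFC 3550 interarrival jitter, loss and reordering estimate for an RTP stream from constructed packet arrival samples; the call-quality thresholds in `within_limits` are assumed rules of thumb, not values from the article.

```python
# Added example (not from the Sophos article): RFC 3550 interarrival-jitter and
# loss estimator for an RTP stream, the kind of check a VoIP test tool performs.
from dataclasses import dataclass

@dataclass
class RtpPacket:
    seq: int           # RTP sequence number
    rtp_ts: int        # RTP timestamp in codec clock ticks (8000/s for G.711)
    arrival_ms: float  # receiver wall-clock arrival time in milliseconds

def analyse_stream(packets, clock_rate=8000):
    """Walk packets in arrival order; return (jitter_ms, lost, reordered, total).
    Jitter is the RFC 3550 running estimate J += (|D| - J) / 16, where D is the
    change in transit time (arrival minus RTP timestamp) between consecutive packets.
    A packet below the highest sequence seen is reordered and cancels one counted
    loss; an exact repeat of the highest sequence is ignored as a duplicate."""
    jitter = 0.0
    lost = reordered = total = 0
    prev_transit = highest_seq = None
    for p in packets:
        total += 1
        transit = p.arrival_ms - p.rtp_ts * 1000.0 / clock_rate
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16.0
        prev_transit = transit
        if highest_seq is None or p.seq > highest_seq:
            if highest_seq is not None:
                lost += p.seq - highest_seq - 1   # gap in sequence numbers
            highest_seq = p.seq
        elif p.seq < highest_seq:
            reordered += 1
            lost -= 1
    return round(jitter, 3), lost, reordered, total

def within_limits(metrics, max_jitter_ms=30.0, max_loss_pct=1.0):
    """Assumed thresholds (not from the article): common rule-of-thumb limits."""
    jitter, lost, _, total = metrics
    loss_pct = 100.0 * lost / total if total else 0.0
    return jitter <= max_jitter_ms and loss_pct <= max_loss_pct

# Constructed sample: G.711, 20 ms packets (160 ticks), 50 ms nominal transit.
STEADY = [RtpPacket(i, 160 * i, 20 * i + 50) for i in range(1, 6)]
# Same stream continued with packet 6 delayed by 30 ms and packet 8 arriving
# late, after packet 9 (constructed values).
DISTURBED = STEADY + [RtpPacket(6, 960, 200), RtpPacket(7, 1120, 190),
                      RtpPacket(9, 1440, 230), RtpPacket(8, 1280, 245),
                      RtpPacket(10, 1600, 250)]
```

Run `analyse_stream(DISTURBED)` to see the jitter estimate climb as soon as arrival spacing deviates from the 20 ms codec cadence, and `within_limits` on a stream with a multi-packet gap to see the loss check fail.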
If, after going through all these configuration suggestions, ensuring that no IPS, Proxy or Application Controls are applied to VoIP traffic, and implementing QoS, you are still experiencing jitter, dropped calls or other call quality issues which you believe may be related to the UTM, please call our support line so we can investigate further.
Related information / See also:
VoIP/SIP Testing Tools
Quoting from #1 in Rulz (last updated 2019-04-17):
"... when you disabled Intrusion Prevention, you only disabled Snort - you did not disable the items on the other tabs! (Many people are tripped up by UDP Flood Protection which is logged in the Intrusion Prevention log file. This is often the cause of bad voice-quality with VoIP and unreliable IPsec connections that don't terminate on the UTM.)"
Cheers - Bob
Maybe the links should be checked, because 0 of the 4 links in the section Implementing QoS are working. Or I’m doing something wrong.
In reply to Alexander Busch:
Hi Alexander Busch,
Apologies for this error. Please try the links again.