Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 4 subscribers
  • Views 11545 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disable SIP ALG

isoffice

Hi folks,

We have a pair of SG450 Hardware Appliances (Hot-Standby Mode) running UTM Version 9.705-3 acting as Web Proxy Firewalls at the edge of our internal network.

We are winding up a few loose ends from a recent VoIP implementation and I have been asked by our VoIP vendor to confirm that SIP ALG is disabled on our Sophos UTM installation. SIP Protocol Support is disabled globally. Does this mean SIP ALG is disabled? I see that there is a command (system system_modules sip unload) which takes care of this on XG appliances, but I cannot see a similar command for the UTM appliances.

Any assistance would be much appreciated.

Best regards,

John P



This thread was automatically locked due to age.
Parents
  • +1

    Hi John,

    If you have both SIP and H323 disabled, you shouldn't need to do anymore.  What problem is your vendor concerned about?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    Good to hear from you and I hope you and yours are well.

    Thank you kindly for the verification, helps a lot.

    There seems to be an issue when a user 'pushes' a call from their 'hard' phone to their 'soft' phone. It has only recently been brought to my attention by our vendor and is part of their 'to do' list of outstanding issues.

    You may recall a previous post I'd submitted regarding our VoIP implementation. In that post (https://community.sophos.com/utm-firewall/f/management-networking-logging-and-reporting/122243/nat-ting-query) I included a diagram depicting our VoIP solution.

    The manufacturers (don't tell anyone, but it's Mitel) are troubleshooting the issue and as our Call Manager Servers are on the internal network and the Border Gateways sit outside the UTM, they are keen to rule out SIP ALG as a factor.

    I was almost certain that by disabling SIP Protocol Support, SIP ALG would also be disabled, but I thought it wise to ask the question.

    Best regards and thanks again,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0 in reply to isoffice

    Thanks for the well wishes, John - doing well and have just two weeks to my second Pfizer vaccine.  Hope you're all well, too.

    Speaking of the pandemic, is this a situation where the hard phones are pushing calls to an internal soft phone as in your diagram from 6 months ago?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    It is Bob.

    Can't believe it's been 6 months!!

    I have largely been on the periphery of this project, only really called upon for firewall and network infrastructure configuration. Therefore, I don't really know the 'nitty-gritty' of this particular issue. At the moment, I've been asked to verify if SIP ALG is operational on our UTM. I can now, with confidence, assure our contractors that it is not. We have a DMZ firewall outside the UTM (Forcepoint), which might be a factor, but that's a completely different forum!!

    Thanks again for your input, stay safe.

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

Reply
  • 0 in reply to BAlfson

    It is Bob.

    Can't believe it's been 6 months!!

    I have largely been on the periphery of this project, only really called upon for firewall and network infrastructure configuration. Therefore, I don't really know the 'nitty-gritty' of this particular issue. At the moment, I've been asked to verify if SIP ALG is operational on our UTM. I can now, with confidence, assure our contractors that it is not. We have a DMZ firewall outside the UTM (Forcepoint), which might be a factor, but that's a completely different forum!!

    Thanks again for your input, stay safe.

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

Children
No Data
Unfiltered HTML