PureConnect



  • 1.  Technical Design Question for SIP Proxy vs SIP ALG Firewall

    Posted 07-16-2012 17:10
    I'm going to ask the technical questions first and then get into our design in case it doesn't take all the details to get the answers =) Here they are:

    - When working with an internet VoIP provider, do you need a SIP proxy at the edge or can it reside behind NAT?
    - Does the SIP proxy (the I3 one) also handle routing RTP, or is it only SIP?

    Ok, so fairly typical design .. we have a firewall at the edge that acts as a router and NAT. IC server in a private network segment with media servers and gateways. If I wanted to receive a VoIP call from XYZ SIP Carrier on the internet and they send a call to X public IP I have, then I need that call to end up on my IC & Media Servers. Since I need something to transform my SIP packets (destination & Source IPs need re-writing), I either need a smart Firewall (SIP ALG) or a smart Proxy, right?

    So, let's say I give a new public IP to a firewall and make ACLs that route everything to that new IP (which I'll direct the SIP carrier's traffic to) to the Proxy, then RTP audio would go to the proxy too. Is the I3 proxy smart enough to take the SIP message AND the RTP and route it to the IC Server? Or, is it going to send a SIP message back to the carrier updating the "contact" address with the internal IP address of the phone system server, of which, of course, the carrier has no idea how to reach since it just sent a private IP?

    If my hunch is correct and the SIP proxy doesn't do RTP routing, then that means the only way this will work is if the firewall becomes involved in the actual routing of SIP & RTP, meaning that it can see the SIP packets coming in, be aware that an incoming RTP stream will be coming in, and route that directly to the IC Server. However, blind routing isn't good enough. If you create an ACL to route all of it to Triumph, then you would never take advantage of the media servers.

    So, at that point, a smart firewall that actually works as a proxy is better because it could handle different contact addresses such as a specific media server sent in the SIP message would be better, right? So, the question is .. do we need an intelligent firewall with solid SIP ALG, or does the SIP Proxy do all of it in one neat package? Thanks if you know the answer!


  • 2.  RE: Technical Design Question for SIP Proxy vs SIP ALG Firewall

    Posted 07-17-2012 01:04
    No, the SIP proxy does not do RTP proxying nor NAT traversal. You need an edge device like the Audiocodes 800 with MSBG. ININ is working on this, but not now. If your ALG can only support one IP, then you need the SIP proxy in a switchover environment.
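
The addressing problem raised in the first two posts, as an added example that is not part of the thread or of any vendor's code: a small audit that lists the RFC 1918 addresses a SIP message would expose to the carrier and the RTP ports an edge device would have to relay. The sample message, its addresses and numbers, and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses an internet carrier cannot route to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: a 200 OK leaving the private segment. Signalling comes
# from one host (10.0.0.10) while the SDP points RTP at another (10.0.0.21),
# as when a media server handles the audio.
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:+15550100@203.0.113.5>;tag=1928301774",
    "To: <sip:+15550199@198.51.100.20>;tag=a6c85cf",
    "Call-ID: constructed-example-1",
    "CSeq: 1 INVITE",
    "Contact: <sip:+15550199@10.0.0.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 3724394400 3724394400 IN IP4 10.0.0.21",
    "s=-",
    "c=IN IP4 10.0.0.21",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0 101",
])

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(ip in net for net in RFC1918)

def audit_sip_message(message):
    """Return (private addresses in Contact/Via/SDP o=/c=, advertised RTP ports)."""
    head, _, body = message.partition("\r\n\r\n")
    unroutable, rtp_ports = [], []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "via"):
            unroutable += [(name.strip(), a) for a in IPV4.findall(value) if is_rfc1918(a)]
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            unroutable += [(line[:2], a) for a in IPV4.findall(line) if is_rfc1918(a)]
        elif line.startswith("m="):
            rtp_ports.append(int(line.split()[1]))  # m=<media> <port> <proto> ...
    return unroutable, rtp_ports
```

Every entry in the first list is a field that has to be rewritten to a public address before the message reaches the carrier, and each port in the second needs a matching inbound RTP path to the host named in the `c=` line.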


  • 3.  RE: Technical Design Question for SIP Proxy vs SIP ALG Firewall

    Posted 07-17-2012 01:31
    I've also used Cisco 2800/2900 series routers as SBC at the edge.


  • 4.  RE: Technical Design Question for SIP Proxy vs SIP ALG Firewall

    Posted 07-17-2012 19:23
    I talked to AudioCodes. The 800 doesn't offer the scalability we need, but they have a 4000 that does. Sadly, it runs $10,000 MSRP and was just released. Alternately, they have a 3000 for $15,000 that has been around for a while. These might be a bit higher than I was hoping, especially since I prefer to have redundancy for something as critical as this. We run Fortinet in-house, which offers a SIP ALG feature, but no one that we've spoken to has used it and the configuration looks cumbersome. It seems that most routers/firewalls have something like this now, but I prefer to go with something tested and something we can get support on.


  • 5.  RE: Technical Design Question for SIP Proxy vs SIP ALG Firewall

    Posted 07-24-2012 23:17
    Try looking at InGate or Patton Electronics Co. They make 'SIP Aware' firewalls that are more affordable.

