I'm going to ask the technical questions first and then get into our design in case it doesn't take all the details to get the answers =) Here they are:
- When working with an internet VoIP provider, do you need a SIP proxy at the edge or can it reside behind NAT?
- Does the SIP proxy (the I3 one) also handle routing RTP, or is it only SIP?
OK, so fairly typical design: we have a firewall at the edge that acts as a router and NAT. IC server in a private network segment with media servers and gateways.
If I wanted to receive a VoIP call from XYZ SIP Carrier on the internet and they send a call to X public IP I have, then I need that call to end up on my IC & Media Servers. Since I need something to transform my SIP packets (destination & source IPs need rewriting), I either need a smart firewall (SIP ALG) or a smart proxy, right? So, let's say I give a new public IP to a firewall and make ACLs that route everything to that new IP (which I'll direct the SIP carrier's traffic to) to the proxy, then RTP audio would go to the proxy too. Is the I3 proxy smart enough to take the SIP message AND the RTP and route it to the IC Server? Or, is it going to send a SIP message back to the carrier updating the "contact" address with the internal IP address of the phone system server, which, of course, the carrier has no idea how to reach since it just sent a private IP?
If my hunch is correct and the SIP proxy doesn't do RTP routing, then that means the only way this will work is if the firewall becomes involved in the actual routing of SIP & RTP, meaning that it can see the SIP packets coming in, be aware that an incoming RTP stream will be coming in, and route that directly to the IC Server. However, blind routing isn't good enough. If you create an ACL to route all of it to Triumph, then you would never take advantage of the media servers. So, at that point, a smart firewall that actually works as a proxy is better because it could handle different contact addresses, such as a specific media server sent in the SIP message, right?
So, the question is: do we need an intelligent firewall with solid SIP ALG, or does the SIP Proxy do all of it in one neat package?
Thanks if you know the answer!
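
An added example, not part of the original post: a small check that separates the two things the question asks about, the SIP `Contact`/`Via` addresses (signaling) and the SDP `c=` address (where RTP is sent), and shows that rewriting only the SIP headers still leaves a private media address in the body. The message, addresses and function names are constructed for illustration and say nothing about how any particular vendor's proxy behaves.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
CHECKED_HEADERS = {"contact": "Contact", "m": "Contact", "via": "Via", "v": "Via"}

# Constructed sample: 200 OK from a call server at 10.1.1.10 that places audio on
# a media server at 10.1.1.20, as it leaves the LAN when nothing rewrites it.
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed1",
    "From: <sip:+15550100@198.51.100.7>;tag=c1",
    "To: <sip:+15550199@203.0.113.10>;tag=c2",
    "Call-ID: constructed-1@198.51.100.7",
    "CSeq: 1 INVITE",
    "Contact: <sip:+15550199@10.1.1.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=- 1 1 IN IP4 10.1.1.20", "s=-",
    "c=IN IP4 10.1.1.20", "t=0 0", "m=audio 16384 RTP/AVP 0", "",
])

def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:                           # e.g. "999.1.1.1" matched by the regex
        return False
    return any(addr in net for net in RFC1918)

def private_addresses(message):
    """Sorted (layer, field, address) for each RFC 1918 address the peer is told to use."""
    head, _, body = message.partition("\r\n\r\n")
    hits = set()
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")
        field = CHECKED_HEADERS.get(name.strip().lower())
        if field:
            hits.update(("signaling", field, a) for a in IPV4.findall(value) if is_rfc1918(a))
    for line in body.split("\r\n"):
        if line.startswith("c="):                # connection address: where RTP is sent
            hits.update(("media", "c=", a) for a in IPV4.findall(line) if is_rfc1918(a))
    return sorted(hits)

def rewrite_signaling_only(message, public_ip):
    """Model a device that fixes SIP headers but never opens the SDP body."""
    head, sep, body = message.partition("\r\n\r\n")
    fix = lambda m: public_ip if is_rfc1918(m.group(1)) else m.group(1)
    return IPV4.sub(fix, head) + sep + body
```

Running `private_addresses` on a capture taken outside the firewall shows whether the edge device is rewriting both layers or only the SIP headers.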