<p>In the context of computer networking, an application-level gateway (also known as ALG or application layer gateway) is a security component that enhances a firewall or NAT employed in a computer network. An ALG sits between
the client (Polycom Phone) and the real server (Stage2Networks), facilitating the exchange. Here we are talking about the ALG at the CPREM Firewall or Router. Basically, a NAT with a built-in ALG can rewrite information within the SIP messages and
can hold address translation tables until the session terminates.</p>
<br/>
== <div style="font-weight:bold; color:blue; font-size:10pt;">An ALG may offer the following functions:</div> ==
<ol>
<li>Converting the "network layer address information" (the phone's IP address) found inside the SIP message to an "IP address and ephemeral port" that the Firewall/Router accepts.</li>
<li>Allowing client applications (e.g. SIP signaling) to use "dynamic ephemeral TCP/UDP ports" (dynamically chosen ports with a short lifespan, usually between 1025 and 65535) to communicate with the known ports used by the server applications
(HTTP:80; HTTPS:5060 and 5061), even though a firewall configuration may allow only a limited number of known ports. (The port numbers in the range from 0 to 1023 are the well-known ports.) In the absence of an ALG, either the ports
would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall, rendering the network vulnerable to attacks on those ports.</li>
</ol>
<p>SIP ALG can literally 'read' and 're-write' SIP messages.</p>
<p>The problem with SIP ALG is that it will often block or not allow incoming traffic to pass through the router/firewall, resulting in one-way audio and/or dropped calls. Many of today's commercial routers implement SIP ALG and ship with
the feature enabled by default. While an ALG could help in solving NAT-related problems, the fact is that many routers' ALG implementations are wrong and break SIP.</p>
<br/>
== <div style="font-weight:bold; color:blue; font-size:10pt;">The Problems:</div> ==
<ol>
<li>Lack of incoming calls: When a phone is switched on it sends a REGISTER to the Server in order to be locatable and receive incoming calls. This REGISTER message is modified by the ALG feature (otherwise the user would not be reachable by the Server, since the phone indicated a private "NAT" IP in the REGISTER "Contact" header). Common routers just keep the UDP "connection" (pinhole) open for a while (30-60 seconds); after that time the port forwarding ends and incoming packets are discarded by the Router/Firewall. Many SIP Servers maintain the UDP keep-alive by sending OPTIONS or NOTIFY messages to the phone, but they only do so when the phone has been detected as NATted during registration. A SIP ALG router rewrites the REGISTER request so the Server does not detect the NAT and does not maintain the keep-alive (so incoming calls will not be possible).</li>
<li>Breaking SIP signalling: Many of the common Routers/Firewalls with built-in SIP ALG modify SIP headers and the SDP (Session Description Protocol) incorrectly, breaking SIP and making communication impossible. Some of them
perform the message rewrite by generically searching for a private address in all SIP headers and the message body and replacing every private IP with the "acceptable" IP address and ephemeral port (for example, replacing the
private address if it appears in the "Call-ID" header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when rewriting it (e.g. a missing semicolon ";" in a header). Writing incorrect port values greater than
65536 is also a common mistake in many of these routers.</li>
<li>Disallows server-side solutions: Even if you don't need a client-side NAT solution (your SIP SBC gives you a server-side NAT solution), a router with SIP ALG enabled that breaks SIP signaling will make communication with your Server impossible.</li>
</ol>
<br/>
== <div style="font-weight:bold; color:blue; font-size:10pt;">SBCs are greater than ALGs</div> ==
<p>SBCs replace the function of application-level gateways.</p>
<p>Ultimately, SBCs allow the network operators (Stage2Networks) to manage the calls that are made on their networks, fix or change protocols and protocol syntax to achieve inter-operability, and also overcome some of the problems
that firewalls and network address translators (NATs) present for VoIP calls.</p>
<p>In order to hide the network topology and protect the service provider, the SBC will terminate a received call and initiate a second call leg to the destination party. The effect of this behavior is that not only the signaling
traffic, but also the media traffic (voice, video) can be controlled by the SBC.</p>
<p>If the SIP proxy doesn't provide a server-side NAT solution, then an ALG solution could have a place. However, our SBCs resolve the NAT translation issue.</p>
== <div style="font-weight:bold; color:blue; font-size:10pt;">How to discern SIP ALG:</div> ==
<p>http://www.voip-info.org/wiki/view/Routers+SIP+ALG</p>
<p>The IP address the phone registers as (shown in the Contact header) should not be the same as the address the phone registers to.</p>
<p>i.e. the phone registers to 75.127.166.13 and then the Contact shows Line/Port@75.127.166.13:52226 (the trailing digits are the ephemeral port that should not appear).</p>
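The checks above, and the rewrite symptoms listed under "The Problems", can be applied mechanically to a captured REGISTER. The following is an added example written for this page, not code from Polycom, Stage2Networks or the linked wiki; the SIP messages are constructed, the phone address 192.168.1.20 is made up, and 75.127.166.13 is reused from the page's own example as the public address an ALG would write in.

```python
import re
from ipaddress import ip_address

# Constructed sample messages, not captured traffic. 192.168.1.20 is a made-up
# private phone address; 75.127.166.13 is the public address from this page's
# own example, standing in for what a SIP ALG writes over the private one.
CLEAN_REGISTER = (
    "REGISTER sip:sip.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-1\r\n"
    "Call-ID: 7f3e@192.168.1.20\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
ALG_REWRITTEN_REGISTER = (
    "REGISTER sip:sip.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 75.127.166.13:52226branch=z9hG4bK-1\r\n"  # ';' lost in the rewrite
    "Call-ID: 7f3e@75.127.166.13\r\n"                           # private IP replaced in Call-ID
    "Contact: <sip:1001@75.127.166.13:52226>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# IPv4 host with an optional port, e.g. "192.168.1.20:5060"
HOST_PORT = re.compile(r"((?:\d{1,3}\.){3}\d{1,3})(?::(\d+))?")


def headers(msg):
    """Return {name: value} for the header block of one SIP request."""
    block = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]   # drop the request line
    return {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in block if ":" in ln)}


def inspect_register(msg):
    """Flag the SIP ALG symptoms this page describes in a single REGISTER request."""
    h = headers(msg)
    m = HOST_PORT.search(h.get("Contact", ""))
    if m is None:   # no IPv4 Contact to judge; report nothing
        return {"contact": None, "alg_rewrite_suspected": False,
                "invalid_port": False, "callid_rewritten": False, "malformed_via": False}
    host, port = m.group(1), int(m.group(2) or 5060)
    public = not ip_address(host).is_private
    return {
        "contact": f"{host}:{port}",
        # a public Contact carrying an ephemeral port: the phone never wrote that itself
        "alg_rewrite_suspected": public and 1025 <= port <= 65535 and port != 5060,
        # ports are 16-bit, so anything above 65535 is a corrupt rewrite
        "invalid_port": port > 65535,
        # the private address was blindly replaced inside Call-ID as well
        "callid_rewritten": public and host in h.get("Call-ID", ""),
        # a parameter glued to the port with no ';' separator
        "malformed_via": bool(re.search(r"\d+branch=", h.get("Via", ""))),
    }
```

Run it over the REGISTER as seen on the server side of the router: a clean phone behind NAT shows its private Contact, while any set flag points at the CPREM router's ALG rather than the phone or the SBC.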