Skype for Business and Sonus–Part 6–Getting around NAT
In Part 5 we discussed how to handle encrypted signalling and media. In this article we will be discussing how to configure the Sonus SBC to work behind a NAT firewall. If you have been following this blog series, in Part 1 we discussed the recommended connectivity setup, which was to connect the SBC directly to your WAN with a public IP address. However, some customers (actually the majority) have a network configuration that is not optimised for this type of connectivity. In these scenarios, the SBC usually sits behind the network edge firewall and services are passed through from the outside world to the SBC using NAT.
The problem with using NAT becomes evident when trying to establish media using SDP. As the external interface of the SBC will in this instance be configured with a private IP address inside your network, that private address will be offered as a possible media candidate.
Therefore, when SDP is negotiated between your service provider and the SBC, the service provider will see something like 192.168.1.130:16454 as the media candidate.
There are a couple of problems with this. Problem 1 is that 192.168.1.130 is a private IP address and therefore, the service provider endpoint cannot directly connect to this IP to establish media. Problem 2 is that the service provider usually authenticates a connection using the public IP of your SBC service as a source.
What we need to perform is some kind of NAT traversal mechanism that allows SDP to negotiate media establishment using the public IP address of the SBC service. This usually involves replacing the private IP with the public IP in the SDP negotiation message.
Luckily Sonus have a nice little configuration object to handle this sort of scenario, so you don’t have to go into message manipulation and replacement regex strings etc… phew.
Configuring NAT Traversal
To configure NAT traversal, connect to the SBC admin panel and click on the settings tab to begin:
- Go to signalling groups and expand your service provider signalling group e.g. Tailspin Telecom SG
- Scroll down the settings until you come across the SIP IP Details section
- Now we need to enable Outbound NAT traversal; set this to Static NAT
- Enter the public IP of the SBC service that the firewall is configured to use e.g. 18.104.22.168
- Then choose the interface to apply this NAT traversal configuration to e.g. interface 2 (as it is the external one)
- Apply the configuration
When SDP negotiation now takes place between the SBC and the service provider, the public IP will be used as a possible media candidate. Viewing the logs will show a candidate list similar to this: 22.214.171.124:16485, and media will establish properly.
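One way to confirm the change from a captured SDP offer rather than by waiting for one-way audio is sketched below. This is an added example, not part of the original post and not Sonus code. Both SDP bodies are constructed for illustration, 203.0.113.10 is a placeholder for the SBC's public IP, and the function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SDP, not captured from an SBC. 192.168.1.130:16454 is the
# private candidate quoted in the article; 203.0.113.10 is a placeholder.
SDP_BEFORE = "\r\n".join([
    "v=0",
    "o=SBC 1 1 IN IP4 192.168.1.130",
    "s=-",
    "c=IN IP4 192.168.1.130",
    "t=0 0",
    "m=audio 16454 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"
SDP_AFTER = SDP_BEFORE.replace("192.168.1.130", "203.0.113.10")


def media_endpoints(sdp):
    """Return (media, address, port) per m= line, applying the session-level
    c= line unless a media-level c= line overrides it (RFC 4566)."""
    session_addr, media = None, []   # media entries: [kind, port, own_addr]
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[2].split("/")[0]   # drop any TTL suffix
            if media:
                media[-1][2] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append([kind, int(port.split("/")[0]), None])
    return [(k, a or session_addr, p) for k, p, a in media]


def private_endpoints(sdp):
    """Media endpoints advertising an RFC 1918 address."""
    found = []
    for kind, addr, port in media_endpoints(sdp):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:   # FQDN or missing c= line: not an IP literal
            continue
        if any(ip in net for net in RFC1918):
            found.append(f"{kind} {addr}:{port}")
    return found


if __name__ == "__main__":
    for label, sdp in (("before", SDP_BEFORE), ("after", SDP_AFTER)):
        print(label, "->", private_endpoints(sdp) or "no private media address")
```

An empty result for the offer sent towards the service provider means the static NAT setting is being applied to the media address on that interface.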
Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale