Forefront TMG is SIP-aware


Voice over IP (VoIP) communications are transmitted via the internet and therefore need to be allowed to pass through your firewall.

A basic VoIP call is based on Session Initiation Protocol (SIP), which is the most common signaling protocol in use today. A SIP call involves two protocols: SIP itself for call establishment and termination, and Real-time Transport Protocol (RTP) for the media (audio and/or video). SIP can be carried over either User Datagram Protocol (UDP) or Transmission Control Protocol (TCP); for the purpose of this post I will refer to SIP carried over UDP. The RTP media is carried over UDP.



Every RTP stream uses two UDP flows, one for the media and one for control data. The control protocol is called RTP Control Protocol (RTCP) and provides feedback on the quality of service (QoS) of the media stream by periodically sending statistical reports. By convention RTCP uses the port one above the RTP port, unless the endpoint explicitly advertises a different one.

Basic SIP deployments supported by the SIP filter

A VoIP call therefore requires a minimum of three open connections: one for SIP signaling and two or more for media (RTP and RTCP for each stream). Since the media addresses and ports are chosen dynamically by the phones and exchanged in the SDP body of the SIP messages, the firewall needs to understand SIP in order to open the media connections when a call is set up and close them when it ends.

In Forefront TMG we have developed a SIP filter that manages the opening and closing of the media connections automatically, based on the SIP transactions between allowed endpoints. The filter also enforces a quota, limiting the exposure to DoS attacks by allowing only a configurable number of concurrent calls or registrations through the firewall.
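As an added illustration (this is not code from Forefront TMG or from the original post), the following Python sketch shows the mechanism the two paragraphs above describe: a SIP-aware filter that reads the media address and port from the SDP offer in an INVITE and the SDP answer in the 200 OK, opens UDP pinholes for RTP and RTCP (RTCP at port+1 per RFC 3550, or at the port named by an a=rtcp: attribute per RFC 3605), closes every pinhole of the call on BYE, and denies a new INVITE once the configured number of concurrent calls is reached. The SIP messages, Call-IDs, addresses and ports are constructed for the example, the address form of a=rtcp: is not handled, and the registration quota mentioned above is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pinhole:
    """A UDP destination (addr, port) the firewall currently lets media reach."""
    addr: str
    port: int

def parse_sip(raw):
    """Split a SIP message into (start line, headers keyed by lower-cased name, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def sdp_media_pinholes(sdp):
    """Pinholes announced by one SDP body: RTP port from m=, RTCP at port+1 (RFC 3550)
    unless a=rtcp: (RFC 3605) moves it. A port of 0 in m= rejects that stream."""
    session_addr, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):                     # c=IN IP4 192.0.2.10
            addr = line[2:].split()[2]
            if streams:
                streams[-1]["addr"] = addr            # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):                   # m=audio 49170 RTP/AVP 0
            port = int(line[2:].split()[1])
            streams.append({"addr": session_addr, "rtp": port, "rtcp": port + 1})
        elif line.startswith("a=rtcp:") and streams:  # a=rtcp:53020 (address form not handled)
            streams[-1]["rtcp"] = int(line[len("a=rtcp:"):].split()[0])
    holes = set()
    for s in streams:
        if s["rtp"] != 0:
            holes.update({Pinhole(s["addr"], s["rtp"]), Pinhole(s["addr"], s["rtcp"])})
    return holes

class SipFilter:
    """Opens media pinholes per Call-ID on INVITE (offer) and 200 OK (answer),
    closes them on BYE, and denies new calls once max_calls are in progress."""

    def __init__(self, max_calls):
        self.max_calls = max_calls
        self.calls = {}                               # Call-ID -> set of Pinhole

    def inspect(self, raw):
        """Return 'allow' or a 'deny: ...' verdict for one SIP message."""
        start, hdr, body = parse_sip(raw)
        call_id = hdr.get("call-id")
        if call_id is None:
            return "deny: missing Call-ID"
        is_request = not start.startswith("SIP/2.0")
        if is_request:
            method, status = start.split()[0], None
        else:                                         # responses name the method in CSeq
            method = (hdr.get("cseq", "").split() or ["?"])[-1]
            status = int(start.split()[1])
        if is_request and method == "INVITE":
            if call_id not in self.calls and len(self.calls) >= self.max_calls:
                return "deny: call quota exceeded"
            self.calls.setdefault(call_id, set()).update(sdp_media_pinholes(body))
        elif method == "INVITE" and status == 200 and call_id in self.calls:
            self.calls[call_id].update(sdp_media_pinholes(body))
        elif is_request and method == "BYE":
            self.calls.pop(call_id, None)             # every pinhole of the call closes
        return "allow"

    def allows_udp(self, dst_addr, dst_port):
        """Would a UDP packet to this destination pass the firewall right now?"""
        return any(Pinhole(dst_addr, dst_port) in h for h in self.calls.values())

    def open_pinholes(self):
        return set().union(*self.calls.values())

def sip_msg(start, call_id, cseq, sdp_lines=()):
    """Build a minimal constructed SIP message, optionally with an SDP body."""
    hdrs = [start, f"Call-ID: {call_id}", f"CSeq: {cseq}"]
    if sdp_lines:
        hdrs.append("Content-Type: application/sdp")
    return "\r\n".join(hdrs) + "\r\n\r\n" + "".join(l + "\r\n" for l in sdp_lines)

def demo():
    """One call through the filter (constructed messages, RFC 5737 test addresses)."""
    f = SipFilter(max_calls=1)
    offer = ["v=0", "c=IN IP4 192.0.2.10", "m=audio 49170 RTP/AVP 0"]
    answer = ["v=0", "c=IN IP4 198.51.100.20", "m=audio 53000 RTP/AVP 0", "a=rtcp:53020"]
    trace = [f.inspect(sip_msg("INVITE sip:bob@example.com SIP/2.0", "c1", "1 INVITE", offer)),
             f.inspect(sip_msg("INVITE sip:carol@example.com SIP/2.0", "c2", "1 INVITE", offer)),
             f.inspect(sip_msg("SIP/2.0 200 OK", "c1", "1 INVITE", answer))]
    media = (f.allows_udp("198.51.100.20", 53000),    # RTP
             f.allows_udp("198.51.100.20", 53020),    # RTCP, moved by a=rtcp:
             f.allows_udp("198.51.100.20", 53001))    # default RTCP port stays closed
    trace.append(f.inspect(sip_msg("BYE sip:alice@example.com SIP/2.0", "c1", "2 BYE")))
    return trace, media, f.open_pinholes()
```

Calling `demo()` walks one call through the filter: the first INVITE is allowed and its offered media ports recorded, a second INVITE under a different Call-ID is denied because the quota of one concurrent call is already used, the 200 OK adds the answerer's RTP and RTCP ports (note that 53001, the default RTCP port, stays closed because the answer moved RTCP to 53020), and the BYE removes every pinhole of the call. A real SIP-aware firewall would also bind each pinhole to the peer's media address and age out calls whose BYE never arrives; both are left out here to keep the mechanism visible.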

Configuring VoIP with the Forefront TMG SIP filter is straightforward. We have divided VoIP deployments into two main scenarios:

1. Centrex – In the diagram below we see a deployment where the organization doesn't own a PBX. The phones in the organization are connected directly to the VoIP service provider. This scenario is most commonly referred to as a SIP Centrex.


A Centrex deployment requires the filter to ensure that all the phones in the organization can reach the VoIP provider and vice versa.

2. SIP trunk – In the diagram below we see a deployment where the organization does own a PBX, located in a different network segment than the phones, and the organization's phones are connected directly to the PBX. The PBX is in turn connected to a VoIP service provider for long-distance call termination.


A SIP trunk deployment requires the filter to ensure that the phones inside and outside the organization can reach the PBX, and that the PBX can reach the provider's SIP trunk proxy.

Obviously real deployments differ from office to office, but when you break them down you will find that each one is based on one of the two deployments described here.

To start configuring your VoIP deployment with the VoIP wizard, click the “configure VoIP” button.



Yariv Trabelsi

Senior Software Development Engineer

Reviewers: Gabriel Koren, Shimon Yannay, Nir Katz

Comments (1)

  1. Crand says:

    Yes, it is aware. While it blocks RTP traffic, it is aware you are trying to make a phone call.