FortiVoice Cookbook

Configuring FortiGate for SIP over TLS

After Configuring FortiFone softclient settings on FortiVoice, perform the following procedures to configure a FortiGate device for SIP over TLS:

If your FortiVoice deployment is using SIP over TCP or UDP instead, go to Configuring FortiGate for SIP over TCP or UDP.

Import the downloaded FortiVoice server certificate for SIP over TLS

Perform the following steps to import the downloaded FortiVoice server certificate. The downloaded certificate is from Export the FortiVoice server certificate for SIP over TLS.

  1. On FortiGate, go to System > Certificates.
  2. Click Import and select Local Certificate.

  3. Update the following fields in the Import Certificate dialog:
    1. In Type, click PKCS #12 Certificate.
    2. In Certificate with key file, click Upload.
    3. Locate the FortiVoice server certificate. This is the file from Export the FortiVoice server certificate for SIP over TLS.
    4. Click Open.
    5. In Password, enter the password associated with the FortiVoice server certificate.
    6. Click OK.

  4. Verify that the list of certificates now includes the newly imported FortiVoice server certificate.

Configure system settings for SIP over TLS

  1. On FortiGate, go to System > Feature Visibility.
  2. Under Additional Features, enable Multiple Security Profiles and VoIP.
  3. Click Apply.

Create virtual IP addresses for SIP over TLS

  1. On FortiGate, go to Policy & Objects > Virtual IPs.
  2. Click Create New and select Virtual IP.
  3. Create virtual IPs for the following services that map to the IP address of the FortiVoice:
    • External SIP TLS port of FortiVoice
    • External HTTPS port of FortiVoice. The HTTPS port is used for the softclient login, call logs, and contacts download from the FortiVoice phone system.
  4. To create a virtual IP group, click Create New and select Virtual IP Group.
  5. Add the two newly created virtual IPs.

Configure VoIP profile and NAT traversal settings for SIP over TLS

  1. On FortiGate, open the CLI Console from the GUI banner.
  2. Create a VoIP protection profile and enable hosted NAT traversal (HNT) together with the restricted HNT source address option. If the FortiVoice softclient is behind a firewall that is not SIP-aware, HNT works around the client advertising its private local address in SDP. Enable SSL full inspection and reference the imported FortiVoice server certificate (for example, FortiVoiceSIPServer).

    This VoIP protection profile, with hosted NAT traversal enabled, is attached to the inbound firewall policy to prevent the one-way audio problems that NAT can otherwise cause.

      VoIP profile command example for SIP over TLS

      config voip profile
          edit "SIP_IN"
              config sip
                  set hosted-nat-traversal enable
                  set ssl-mode full
                  set ssl-server-certificate "FortiVoiceSIPServer"
              end
          next
      end

  3. For SIP over TLS, the recommendation is to use the default SSL port for SIP (TCP 5061). Enter the following commands:

      config system settings
          set sip-tcp-port 5061
      end

  4. Edit the FortiGate interface connecting to the internet and set it to external. The SIP application layer gateway (ALG) with hosted NAT traversal requires an interface marked as external to work. Enter the following commands:

      config system interface
          edit wan1
              set external enable
          next
      end

Create an inbound firewall policy for SIP over TLS

  1. On FortiGate, go to Policy & Objects > Firewall Policy and click Create New.
  2. Set Incoming Interface to the internet-facing interface.
  3. Set Outgoing Interface to the internal/LAN interface.
  4. Set Source to all.
  5. Set Destination to the virtual IP group created in Create virtual IP addresses for SIP over TLS.
  6. Set Schedule to always.
  7. Set Service to ALL.
  8. Disable NAT.
  9. Enable VoIP and select the VoIP profile created in Configure VoIP profile and NAT traversal settings for SIP over TLS.
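The three procedures above (virtual IPs, VoIP profile and system settings, inbound policy) collected into one FortiOS CLI configuration, so the whole inbound path can be reviewed or scripted at once. This is an added example, not configuration from the Fortinet cookbook. It assumes: wan1 is the internet-facing interface (as in the cookbook) and "internal" is the LAN interface; 203.0.113.5 is the FortiGate WAN address and 192.0.2.10 is the FortiVoice address (both constructed from documentation ranges); FortiVoice listens for SIP over TLS on TCP 5061 and HTTPS on TCP 443; the object names FV_SIP_TLS, FV_HTTPS, FV_VIPGRP and FortiVoice_SIP_TLS_in are arbitrary; and hnt-restrict-source-ip is taken to be the CLI option behind the "restricted HNT source address" setting the text mentions, which should be checked against your firmware.

```fortios
# Added example, not from the Fortinet cookbook.
# Assumed values: wan1 = internet-facing interface, internal = LAN interface,
# 203.0.113.5 = FortiGate WAN address, 192.0.2.10 = FortiVoice address
# (documentation ranges, constructed for this example).

# Port-forwarding VIPs: only TCP 5061 and TCP 443 on the WAN address are
# translated to FortiVoice; any other port to that address matches no VIP.
config firewall vip
    edit "FV_SIP_TLS"
        set extintf "wan1"
        set extip 203.0.113.5
        set mappedip "192.0.2.10"
        set portforward enable
        set protocol tcp
        set extport 5061
        set mappedport 5061
    next
    edit "FV_HTTPS"
        set extintf "wan1"
        set extip 203.0.113.5
        set mappedip "192.0.2.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall vipgrp
    edit "FV_VIPGRP"
        set interface "wan1"
        set member "FV_SIP_TLS" "FV_HTTPS"
    next
end

# VoIP profile: HNT for clients behind non-SIP-aware NAT, full SSL inspection
# with the imported FortiVoice server certificate (name from the cookbook).
# hnt-restrict-source-ip is assumed to be the "restricted HNT source address" option.
config voip profile
    edit "SIP_IN"
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable
            set ssl-mode full
            set ssl-server-certificate "FortiVoiceSIPServer"
        end
    next
end

# SIP ALG listens for SIP over TLS on TCP 5061 (cookbook recommendation).
config system settings
    set sip-tcp-port 5061
end

# HNT requires the internet-facing interface to be marked external.
config system interface
    edit "wan1"
        set external enable
    next
end

# Inbound policy: NAT disabled (the VIP does the translation), VoIP profile attached.
config firewall policy
    edit 0
        set name "FortiVoice_SIP_TLS_in"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FV_VIPGRP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set utm-status enable
        set voip-profile "SIP_IN"
    next
end
```

Although the policy uses Source all and Service ALL as the procedure specifies, only traffic whose destination matches one of the port-forwarding VIPs (TCP 5061 or 443 on the WAN address) is translated and reaches FortiVoice; other ports on that address match no VIP and therefore not this policy. With ssl-mode full the SIP ALG decrypts the softclient's TLS session using the private key inside the imported PKCS #12 file, so that file and its password should be handled as key material, not as an ordinary certificate. After a softclient registers, show firewall vipgrp FV_VIPGRP and diagnose sys session list on the FortiGate confirm which VIP the session matched.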

Create an outbound firewall policy for FortiVoice to access the Android or iOS push server

FortiVoice requires outbound access to the Android and iOS push servers.

If FortiGate has an outbound firewall policy that allows FortiVoice to access everything on the internet, then you do not need to create an additional firewall policy. You have completed the FortiGate configuration for SIP over TLS. Go to Installing and configuring the FortiFone softclient for mobile.

If FortiGate does not have an outbound firewall policy that allows FortiVoice to access everything on the internet, perform the steps to create the FQDN addresses and the specific outbound firewall policies to allow FortiVoice to access the Android and iOS push servers.

To create FQDN addresses for Android and iOS push servers

  1. On FortiGate, go to Policy & Objects > Addresses and click Create New.
  2. In Name, enter a name for the Android push server address.
  3. In Type, select FQDN.
  4. In FQDN, enter fcm.googleapis.com.
  5. Click OK.
  6. Click Create New.
  7. In Name, enter a name for the iOS push server address.
  8. In Type, select FQDN.
  9. In FQDN, enter gateway.push.apple.com.
  10. Click OK.

To use the Android and iOS push server addresses in an outbound firewall policy

  1. On FortiGate, go to Policy & Objects > Firewall Policy and click Create New.
  2. In Incoming interface, enter the port connected to FortiVoice.
  3. In Outgoing interface, enter the WAN port.
  4. In Source, select all.
  5. In Destination, select the FQDN addresses that you created for the Android and iOS push servers.
  6. Configure the rest of the policy, as needed.
  7. Click OK.

    You have completed the configuration of FortiGate for SIP over TLS.

  8. Go to Installing and configuring the FortiFone softclient for mobile.
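The two procedures above (FQDN addresses for the push servers, outbound policy) as a FortiOS CLI configuration. This is an added example, not configuration from the Fortinet cookbook. It assumes internal and wan1 as the LAN and WAN interface names, 192.0.2.10 (constructed from a documentation range) as the FortiVoice address, and arbitrary object names. It departs from the GUI steps in one respect: the source is a single host address for FortiVoice rather than all, so only FortiVoice can use this path to the push servers.

```fortios
# Added example, not from the Fortinet cookbook.
# Assumed values: internal = LAN interface, wan1 = WAN interface,
# 192.0.2.10 = FortiVoice address (constructed). FQDNs are from the cookbook.

config firewall address
    edit "Android_push_FCM"
        set type fqdn
        set fqdn "fcm.googleapis.com"
    next
    edit "iOS_push_APNs"
        set type fqdn
        set fqdn "gateway.push.apple.com"
    next
    # Restricting the source to the FortiVoice host is tighter than "all".
    edit "FortiVoice_host"
        set subnet 192.0.2.10 255.255.255.255
    next
end

config firewall addrgrp
    edit "Push_servers"
        set member "Android_push_FCM" "iOS_push_APNs"
    next
end

# Outbound policy: FortiVoice to the push servers only, source NAT on the WAN side.
config firewall policy
    edit 0
        set name "FortiVoice_push_out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "FortiVoice_host"
        set dstaddr "Push_servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

FQDN address objects are only as good as the FortiGate's own DNS resolution: the FortiGate resolves the names with the servers in config system dns and matches traffic against the addresses it cached, so if resolution fails the objects contain no addresses and the policy matches nothing. diagnose firewall fqdn list shows what each FQDN object currently resolves to. Service is left at ALL because the cookbook does not state which ports the push services use; narrow it once those are confirmed from FortiVoice logs.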
