
Ingate SIParator

Getting started Guide

Lisa Hallingström
Paul Donald
Bogdan Musat
Adnan Khalid
Per Johnsson
Rickard Nilsson


The contents of this documentation may not be duplicated, in whole or in part, without the express written permission
of Ingate Systems AB, according to copyright law. This includes all forms of duplications, including but not limited
to printing, photocopying, dittoing, recording on tape, etc.
Copyright 2016 Ingate Systems AB

Table of Contents
Part I. Installation of the Ingate SIParator
1. Introduction
2. The exterior of Ingate SIParator 21/26/31/36 rev A
3. The exterior of Ingate SIParator 21 rev B
4. The exterior of Ingate SIParator 51/56/66
5. The exterior of Ingate SIParator 52/57/67
6. The exterior of Ingate SIParator 9x-series, e.g. 95/96/97/98
7. Overview of the Installation and Configuration
8. Installing Ingate SIParator
Part II. Configuring Ingate SIParator
9. Network Configuration
10. SIP Configuration
11. Administration of the SIParator
12. Firewall and Client Configuration
Index

Part I. Installation of the Ingate SIParator
This document will help you to get started with your Ingate SIParator. It contains the
necessary information to configure your SIParator.
Additional information about managing your Ingate SIParator can be found in the
Reference Guide. The complete manual can be downloaded from
http://www.ingate.com/Login.php.
These chapters contain an introduction to the Ingate SIParator, descriptions of the various
models and information about how to install your SIParator.

Chapter 1. Introduction
What is a SIParator?
A SIParator is a device which processes traffic under the SIP protocol (see RFC 3261). The
SIParator receives SIP requests, processes them according to the rules you have set up, and
forwards them to the receiver.
The SIParator connects to an existing enterprise firewall through a DMZ port, enabling the
transmission of SIP-based communications without affecting firewall security. SIP
messages are then routed through the firewall to the private IP addresses of authorized users
on the internal network.
The SIParator can also be used as an extra gateway to the internal network without
connecting to the firewall, transmitting only SIP-based communications.

Configuration alternatives
The Ingate SIParator can be connected to your network in four different ways, depending
on your needs.
Note that if the Standalone type is used, the interface which should receive traffic from the
outside must have a public IP address (no NAT).
For a DMZ or DMZ/LAN type which uses a private IP address on the interface connected
to the DMZ of the firewall, its corresponding public IP address must be entered on the
Interoperability page.

DMZ Configuration
Using this configuration, the SIParator is located on the DMZ of your firewall, and
connected to it with only one interface. The SIP traffic finds its way to the SIParator using
DNS or by setting the SIParator as an outbound proxy on the clients.
This is the most secure configuration, since all traffic goes through both your firewall and
your SIParator. It is also the most flexible, since all networks connected to any of your
firewall's interfaces can be SIP-enabled.
The drawback is that the SIP traffic will pass the firewall twice, which can decrease
performance.


Fig 1. SIParator in DMZ configuration.

DMZ/LAN Configuration
Using this configuration, the SIParator is located on the DMZ of your firewall, and
connected to it with one of the interfaces. The other interfaces are connected to your
internal networks. The SIParator can handle several networks on the internal interface even
if they are hidden behind routers.
This configuration is used to enhance the data throughput, since the traffic only needs to
pass your firewall once.

Fig 2. SIParator in DMZ/LAN configuration.

Standalone Configuration
Using this configuration, the SIParator is connected to the outside on one interface and your
internal networks on the others.
Use this configuration only if your firewall lacks a DMZ interface, or for some other reason
cannot be configured for the DMZ or DMZ/LAN alternatives.

Fig 3. SIParator in Standalone configuration.

WAN Configuration
Using this configuration, the SIParator is connected to the outside on one interface and your
firewall on another interface. Between these two interfaces (marked as Data Interfaces on
the Topology page), only data will be sent. Other interfaces can be connected directly to
your LAN, DMZ or other networks, and here SIP traffic will be sent.

Fig 4. SIParator in WAN configuration.


Chapter 2. The exterior of Ingate SIParator 21/26/31/36 rev A

[Figure: front panel, with labels E0 to E3, PWR, ALERT, ACTIVE and LINK.]
1. Active / Link LEDs. These LEDs show link and active status. The active LED is green
when there is link on the port and it flashes when there is network activity. The link LED
indicates the speed of the network: an amber LED indicates a 1000 Mbit network, a green LED
indicates a 100 Mbit network, and an unlit LED indicates a 10 Mbit network.
2. Power LED. This LED is lit when the SIParator is connected to a power outlet and
switched on.
3. ALERT. The ALERT LED indicates that something prevents the SIParator from
working correctly. SIParator states are indicated thus:

   - The LED is continuously lit. Indicates one of the following states:
       - The SIParator boots.
       - The SIParator applies a new configuration.
       - The SIParator warns about a minor error which affects the network traffic.
   - The LED blinks. Indicates one of the following states:
       - The SIParator checks (during boot) if the Config button is pressed.
       - The SIParator is the standby unit of a failover team.
       - The SIParator warns about a major error, e.g. a hardware error.
   - The LED double blinks (two blinks followed by a short pause). The SIParator waits
     for configuration through the installation program or magic ping. See also
     chapter 7, Installing Ingate SIParator.

If the SIParator indicates an error, you will find an error message when you log on to the
configuration interface. At the top of each administration web page there will be a link
to a page where you find an explanation of the error.

[Figure: back panel, with labels Reset, DC in, Console, USB, E0 to E3 and Config.]

1. Power button. Press this button to turn the SIParator off or on.
2. RESET button. Press this button (a bent steel paper clip or other thin device is
needed) to restart the SIParator.
3. Power connection. Connection for the power cord.
4. Serial port. Serial port for connecting the SIParator to a workstation. This is needed
when installing the SIParator (see also chapter 7, Installing Ingate SIParator).
5. USB ports. USB 2.0/1.1 ports. These ports are currently unutilized.
6. Ethernet ports. Ethernet ports with a 10/100/1000 Mbit LED on the right side of each
port and a link LED on the left side. The link LED is green when there is link and it
flashes when there is network activity on the port. The Mbit LED indicates the speed of
the network: an unlit LED indicates a 10 Mbit network, a green LED indicates a 100 Mbit
network, and an amber LED indicates a 1000 Mbit network.
7. Config Button. Press this button (a pencil or other thin device is needed) during boot
to make the SIParator erase the current password and enter wait mode. In this mode, it
waits for a reconfiguration made by a magic ping or the installation program (see
chapter 7, Installing Ingate SIParator). Before one of these is performed, no traffic will
be let through the SIParator.
The SIParator logs when the button is pressed according to the Logclass for
administration and configuration set on the Logging Configuration page under
Logging and Tools.

Chapter 3. The exterior of Ingate SIParator 21 rev B

[Figure: front panel, with labels E0 to E3, PWR, ALERT, ACTIVE and LINK.]
1. Active / Link LEDs. These LEDs show link and active status. The active LED is green
when there is link on the port and it flashes when there is network activity. The link LED
indicates the speed of the network: an amber LED indicates a 1000 Mbit network, a green LED
indicates a 100 Mbit network, and an unlit LED indicates a 10 Mbit network.
2. Power LED. This LED is lit when the SIParator is connected to a power outlet and
switched on.
3. ALERT. The ALERT LED indicates that something prevents the SIParator from
working correctly. SIParator states are indicated thus:

   - The LED is continuously lit. Indicates one of the following states:
       - The SIParator boots.
       - The SIParator applies a new configuration.
       - The SIParator warns about a minor error which affects the network traffic.
   - The LED blinks. Indicates one of the following states:
       - The SIParator checks (during boot) if the Config button is pressed.
       - The SIParator is the standby unit of a failover team.
       - The SIParator warns about a major error, e.g. a hardware error.
   - The LED double blinks (two blinks followed by a short pause). The SIParator waits
     for configuration through the installation program or magic ping. See also
     chapter 7, Installing Ingate SIParator.

If the SIParator indicates an error, you will find an error message when you log on to the
configuration interface. At the top of each administration web page there will be a link
to a page where you find an explanation of the error.

[Figure: back panel, with labels DC in, Console, USB, E0 to E3 and Config.]

1. Power button. Press this button once to turn the SIParator off or on. On power off it
will take about 10 seconds until the SIParator is off. When the SIParator is powered on
the Power button is red and when off it is blue.
2. Power connection. Connection for the power cord.
3. Serial port. Serial port for connecting the SIParator to a workstation. This is needed
when installing the SIParator (see also chapter 7, Installing Ingate SIParator).
4. USB ports. USB 2.0 ports. These ports are currently unutilized.
5. Ethernet ports. Ethernet ports with a 10/100/1000 Mbit LED on the right side of each
port and a link LED on the left side. The link LED is green when there is link and it
flashes when there is network activity on the port. The Mbit LED indicates the speed of
the network: an unlit LED indicates a 10 Mbit network, a green LED indicates a 100 Mbit
network, and an amber LED indicates a 1000 Mbit network.
6. Config Button. Press this button (a pencil or other thin device is needed) during boot
to make the SIParator erase the current password and enter wait mode. In this mode, it
waits for a reconfiguration made by a magic ping or the installation program (see
chapter 7, Installing Ingate SIParator). Before one of these is performed, no traffic will
be let through the SIParator.
The SIParator logs when the button is pressed according to the Logclass for
administration and configuration set on the Logging Configuration page under
Logging and Tools.

Chapter 4. The exterior of Ingate SIParator 51/56/66

[Figure: front panel, with labels CONSOLE, USB, ETH0 to ETH3, PWR, HDD, RESET, ESC and ENTER.]

1. Serial port. Serial port for connecting the SIParator to a workstation. This is needed
when installing the SIParator (see also chapter 7, Installing Ingate SIParator).
2. Ethernet ports. Ethernet ports for connecting the SIParator to the network. Use
Ethernet cables only, with RJ-45 connectors.
3. Power LED. This LED is lit when the SIParator is connected to a power outlet and
switched on.
4. ESC button. When the SIParator is restarted, the display will show when to press the
ESC button to make the SIParator erase the current password and enter wait mode. In
this mode, it waits for a reconfiguration made by a magic ping or the installation
program (see chapter 7, Installing Ingate SIParator). Before one of these is performed,
no traffic will be let through the SIParator.
5. Up button. The Up button is used for going up in the menu on the display.
6. Down button. The Down button is used for going down in the menu on the display.
7. Enter button. The Enter button is used to select a setting in the menu shown on the
LCD display.
8. HDD LED. This LED indicates that the hard drive is written to or read from.
9. Activity LEDs. A blinking yellow LED indicates activity on the port.
10. 10/100/1000 MBit LEDs. The LEDs indicate what kind of network the port is
connected to. The LEDs light green for 10/100/1000 MBit.
11. Display. The display shows status for the SIParator and also indicates when to press
the ESC button during boot to enter wait mode. In wait mode, the SIParator waits for a
new password and can also receive a new IP address.
Via the LCD display and the buttons, simple configuration is also possible when the
SIParator is in unconfigured mode. The settings available are to assign an IP address and
to make the SIParator the standby unit in a failover team, or to break it out from a
failover team.
12. RESET button. Press this button (a pencil or other thin device is needed) for 3 sec in
order to reboot the SIParator.
13. USB 2.0/1.1 Ports. These ports are currently unutilized.

Chapter 5. The exterior of Ingate SIParator 52/57/67

[Figure: front panel, with labels CONSOLE, ETH0 to ETH5, USB, PWR, HDD, RESET, ESC and ENTER.]

1. Ethernet ports. Ethernet ports for connecting the SIParator to the network. Use
Ethernet cables only, with RJ-45 connectors.
2. LINK/ACT LED. The LED shows link and active status of the port. The LED is green
when the port is connected to a network and it flashes when there is network activity.
3. 10/100/1000 MBit LED. The LED indicates what kind of network the port is
connected to. An unlit LED indicates a 10 Mbit network, a green LED indicates a 100 Mbit
network and an amber LED indicates a 1000 Mbit network.
4. USB ports. USB 2.0 ports. These ports are currently unutilized.
5. Serial port. Serial port for connecting the SIParator to a workstation. This is needed
when installing the SIParator (see also chapter 7, Installing Ingate SIParator).
6. Power LED. This LED is lit when the SIParator is connected to a power outlet and
switched on.
7. HDD LED. This LED indicates that the hard drive is written to or read from.
8. RESET button. Press this button (a bent steel paper clip or other thin device is
needed) to restart the SIParator.
9. Display. The display shows status for the SIParator and also indicates when to press
the Enter and ESC buttons during boot to enter wait mode. In wait mode, the SIParator
waits for a new password and can also receive a new IP address.
Via the LCD display and the buttons, simple configuration is also possible when the
SIParator is in unconfigured mode. The settings available are to assign an IP address and
to make the SIParator the standby unit in a failover team, or to break it out from a
failover team.
10. Up button. The Up button is used for going up in the menu on the display.
11. Down button. The Down button is used for going down in the menu on the display.
12. ESC button. On an Ingate SIParator the ESC button is only used in combination with
the Enter button. When the SIParator is restarted, the display will show when to press
the buttons to make the SIParator erase the current password and enter wait mode. In
this mode, it waits for a reconfiguration made by a magic ping or the installation
program (see chapter 7, Installing Ingate SIParator). Before one of these is performed,
no traffic will be let through the SIParator.
13. Enter button. The Enter button is used to select a setting in the menu shown on the
LCD display.
On an Ingate SIParator the Enter button is also used in combination with the ESC
button. When the SIParator is restarted, the display will show when to press the buttons
to make the SIParator erase the current password and enter wait mode. In this mode, it
waits for a reconfiguration made by a magic ping or the installation program (see
chapter 7, Installing Ingate SIParator). Before one of these is performed, no traffic will
be let through the SIParator.

Optional variant with two 10Gbps Ethernet ports:

[Figure: front panel of the 10 Gbps variant, with labels CONSOLE, ETH0 to ETH7, 10 GBPS, LINK/ACT, 1G/10G, USB, PWR, HDD, RESET, ESC and ENTER.]

14. 10 Gbps Ethernet ports. 10 Gbps Ethernet ports for connecting the SIParator to the
network. Connect an SFP+ transceiver to adapt to your cables.
15. LINK/ACT LED. The LED shows link and active status of the port. The LED is green
when the port is connected to a network and it flashes when there is network activity.
16. 1/10 GBit LED. The LED indicates what kind of network the port is connected to. An
amber LED indicates a 1 Gbit network and a blue LED indicates a 10 GBit network.

Chapter 6. The exterior of Ingate SIParator 9x-series, e.g. 95/96/97/98
The front side of the Ingate SIParator 9x-series, e.g. 95/96/97/98

1. Power. Depress to start the unit. Hold to power off the unit.
2. System identification button. Press to illuminate the system ID light. The
identification buttons on the front and back panels can be used to locate a particular
system within a rack.
3. Hardware Status LCD. Reports hardware specific system health and status messages.
Not used by the Ingate SIParator firmware.
4. USB ports. USB 2.0 ports. These ports are currently unutilized.
5. Video connector. Port for connection of a VGA display to the system. Currently not
used.
6. DVD drive. Only used to boot the factory-reset CD. Simply (re)boot the Ingate
SIParator with the factory-reset CD in the drive during boot sequence. The admin
password is erased and the unit is placed into an UNCONFIGURED state. Note: eject
the CD before next reboot.
7. RAID bay.

The back side of the Ingate SIParator 9x-series, e.g. 95/96/97/98
The back side of your Ingate SIParator looks like this:

[Figure: two back-panel variants, with labels eth0 to eth5 and, on one variant, iDRAC.]

1. System identification button. Press to illuminate the system ID light. The
identification buttons on the front and back panels can be used to locate a particular
system within a rack.
2. System identification connector. Connects the optional system status indicator
assembly through the optional cable management arm.
3. iDRAC port. Dedicated management port. Currently not used. On some hardware it is
not present.
4. Serial port. Serial port for connecting the SIParator to a workstation. This is needed
when installing the SIParator (see also chapter 7, Installing Ingate SIParator).
5. Video connector. Port for connection of a VGA display to the system. Currently not
used.
6. USB ports. USB 2.0 ports. These ports are currently unutilized.
7. Ethernet ports. Ethernet ports for connecting the SIParator to the network. Use
Ethernet cables only, with RJ-45 connectors.
8. 10/100/1000 MBit LED. The LED indicates what kind of network the port is
connected to. An unlit LED indicates a 10 Mbit network, a green LED indicates a 100 Mbit
network and an amber LED indicates a 1000 Mbit network.
9. LINK/ACT LED. The LED shows link and active status of the port. The LED is green
when the port is connected to a network and it flashes when there is network activity.
10. Power connection. Connection for the power cord.
11. Power supply status indicator. When the handle/LED indicator isn't lit, the power is
not connected. When the handle/LED indicator lights green, a valid power source is
connected to the power supply and the power supply is operational. When the handle/LED
indicator is flashing amber, it indicates a problem with the power supply.

Chapter 7. Overview of the Installation and Configuration
Installation Overview
The recommended way to install the SIParator is to:

- Select an IP address for the SIParator on your network or use the default IP address
  set at the factory.
- Plug in the power cord and turn on the SIParator.
- Wait while the SIParator boots up.
- Set the IP address of the SIParator and set a password. This can be done in different
  ways:
    - Connect to the SIParator with the serial cable.
    - Use the default IP address.
    - Run the StartUp Tool TG.
    - Set the IP address with magic ping.
- Connect the network cables to the network interfaces. The network interfaces are
  marked with Eth0, Eth1, .... These are the names of the physical interfaces and the
  ones which you should use in the installation program.
- Run the StartUp Tool TG.
- Register the product.
- Activate purchased licenses. License codes are typically delivered by e-mail from
  Ingate and come with instructions on how to register and install.
- Make extra configuration according to your requirements via the Web interface by
  directing your web browser to the IP address of the SIParator. See next chapter for
  the Configuration overview.
- Save and back up the configuration.

Configuration Overview
This is an overview of the configuration needed to make your SIParator work.
Note that several of the steps below will be configured by StartUp Tool TG.

- Enter the IP address of the SIParator in your web browser. If you have set the IP
  address with magic ping you will be prompted to set a password for the SIParator admin
  user.
- Now you can see the main page of Ingate SIParator. Click on the SIParator Type link
  and select the configuration for your SIParator. The types are described on the
  corresponding help page.
- Go to the Basic Configuration page and enter a DNS server. See also the Basic
  Configuration section.
- Go to the Access Control page and make settings for the configuration of the
  SIParator. See also the Access Control section.
- Go to the Eth0 page under Network and enter the necessary configuration. See also the
  Interface section. Note that the SIParator must have at least one IP address which can
  be reached from the Internet.
- If one of the SIParator Types DMZ/LAN or Standalone was chosen, move on to the Eth1
  page and give the SIParator at least one IP address on this interface and state the
  networks connected to the interface. See also the Interface section.
- Go to the Default Gateways page and enter a Default gateway. See also the Default
  Gateways section.
- Go to the Networks and Computers page. Define the networks that will send and
  receive SIP traffic using the SIParator. Usually, you need at least one network per
  interface of the firewall connected to the SIParator (or, for the Standalone type, per
  interface of the SIParator). Some computers should be handled separately, and they
  therefore need their own networks. See also the Networks and Computers section.
- Go to the Topology page (for the DMZ SIParator Type) and state the networks connected
  to the firewall. See also the Topology section in chapter , Network Configuration.
- Press the SIP Services button and turn the SIP module on. Enter the port range to be
  used by the SIParator for the media streams. See also the Basic section.
- Go to the Filtering page under SIP Traffic to create Proxy rules for the SIP traffic
  from different networks and allow the content types which should be allowed in the SIP
  media streams. See also the Filtering section.
- If the SIParator should work as a SIP registrar, go to the Local Registrar page and
  enter the domains handled by the SIParator, and the users allowed to register. See also
  the Local Registrar section.
- If the SIParator should request that users authenticate themselves for various SIP
  activities, go to the Authentication and Accounting page and make the authentication
  active and enter a SIP realm. See also the Authentication and Accounting section.
- Go to the Save/Load Configuration page under Administration. Select Apply
  configuration. Now you can test your new configuration and save it permanently if you
  are satisfied with it. If the configuration is not satisfactory, select Revert or
  restart the SIParator. The old configuration will remain.
- When the configuration has been applied, you should save a backup to file. Press Save
  to local file to save the configuration.
When the SIParator is configured, the firewall connected to it must also be reconfigured (for
the DMZ and DMZ/LAN SIParator Types).

- Allow UDP and TCP traffic in the port interval used for media streams by the SIParator,
  and port 5060. This traffic must be allowed to all networks which should be reached by
  SIP traffic.

See also chapter , Firewall and Client Configuration, for information on configuring the
firewall and the SIP clients, and chapter of the How To Guide for SIParator configuration
examples.
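
One way to check a planned firewall rule set against the requirement above, as an added example that is not part of the Ingate guide. The `Rule` model, the function names, the networks and the media port interval are constructed for illustration; the real interval is the one you entered for media streams on the SIParator.

```python
"""Audit firewall allow rules against the SIParator's SIP port requirement."""
from dataclasses import dataclass
from ipaddress import ip_network

SIP_PORT = 5060  # signalling port named in the guide


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one firewall allow rule for SIParator traffic."""
    proto: str    # "udp" or "tcp"
    network: str  # network the rule applies to, in CIDR form
    first: int    # first allowed port
    last: int     # last allowed port (inclusive)


def uncovered(ranges, first, last):
    """Return the parts of [first, last] that no (lo, hi) range covers."""
    gaps, cursor = [], first
    for lo, hi in sorted(ranges):
        if hi < cursor:
            continue            # range ends before the part still unchecked
        if lo > last:
            break               # range starts after the interval of interest
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
        if cursor > last:
            break
    if cursor <= last:
        gaps.append((cursor, last))
    return gaps


def audit(rules, sip_networks, media_first, media_last):
    """Compare allow rules with what the guide requires.

    Returns (missing, excess):
      missing - (network, proto, (lo, hi)) port spans that are required but not
                allowed; several rules may jointly cover one interval.
      excess  - (rule, [(lo, hi), ...]) ports a rule opens beyond port 5060 and
                the media interval (least-privilege check, ports only).
    """
    needed = [(SIP_PORT, SIP_PORT), (media_first, media_last)]
    missing, excess = [], []
    for net in sip_networks:
        target = ip_network(net)
        for proto in ("udp", "tcp"):  # the guide asks for both protocols
            have = [(r.first, r.last) for r in rules
                    if r.proto == proto
                    and target.subnet_of(ip_network(r.network))]
            for lo, hi in needed:
                for gap in uncovered(have, lo, hi):
                    missing.append((net, proto, gap))
    for r in rules:
        extra = uncovered(needed, r.first, r.last)
        if extra:
            excess.append((r, extra))
    return missing, excess


# Constructed sample data: media interval, SIP-enabled networks, planned rules.
MEDIA = (58024, 60999)
SIP_NETWORKS = ["10.1.0.0/16", "192.168.5.0/24"]
RULES = [
    Rule("udp", "10.0.0.0/8", 5060, 5060),
    Rule("tcp", "10.0.0.0/8", 5060, 5060),
    Rule("udp", "10.0.0.0/8", 58024, 59999),   # media interval split over
    Rule("udp", "10.0.0.0/8", 60000, 60999),   # two adjacent rules
    Rule("tcp", "10.0.0.0/8", 58024, 60000),   # stops short of 60999
    Rule("udp", "192.168.5.0/24", 5000, 5100), # wider than port 5060 alone
]

if __name__ == "__main__":
    missing, excess = audit(RULES, SIP_NETWORKS, *MEDIA)
    for net, proto, (lo, hi) in missing:
        print(f"MISSING {proto} {lo}-{hi} for {net}")
    for rule, extra in excess:
        spans = ", ".join(f"{lo}-{hi}" for lo, hi in extra)
        print(f"EXCESS  {rule.proto} {spans} in rule for {rule.network}")
```
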

About the settings in Ingate SIParator


Ingate SIParator uses two sets of SIParator configurations: preliminary and permanent
configuration. The permanent configuration is what is used in the active SIParator. The
preliminary configuration is where you change and set the configuration. See chapter 3 of
the Reference Guide for instructions.
The changes you make in the preliminary configuration are not stored in the permanent
configuration until you click on Apply configuration on the Save/Load Configuration
page under Administration.
The password configuration and time setting are the exceptions to this rule; they are saved
immediately. Change the administrator passwords and create more administrator users on
the User Administration page under Administration.
Ingate SIParator displays serious errors in red, e.g., if mandatory information is not entered.
Blank fields are shown in red. Fields that you correct remain red until you select Save, Add
new rows or update the page in some other way.
If you have a web session with the SIParator that is inactive for 10 minutes, it will ask for a
password again.
Always log out from the SIParator administration interface when you are not using it. Press
the Log out button on the top right to log out.
The terms used in the book are explained in appendix J of the Reference Guide.
For a general description of how to configure and administer the SIParator, see chapter 3 of
the Reference Guide.

License Conditions
To fulfill the license conditions, we must either attach the source code with the software, or
send a written offer, valid at least three years, to give a copy of the source code to anyone
who wants it. According to 3b) of the license, we are entitled to charge for the distribution
of the source code.
To make the distribution easier and cheaper, both for Ingate Systems AB and you, we have
an FTP server where you can download the GPL-licensed source code. You find the FTP server at
ftp://ftp.ingate.com/pub/fuego/firewall/src/.
We also have this offer:
Ingate Systems AB offers the source code for all third party software included in Ingate
SIParator and licensed under GPL. This offer is valid for this version of Ingate SIParator
and is valid for three years after delivery of your Ingate SIParator unit. Delivery in
Sweden C.O.D. The charge is 200 SEK, plus postage and C.O.D. fee, for CDROM. Ingate
Systems AB reserves the right to change charge or medium without previous notice.
Contact Ingate Systems AB for current information.

Chapter 8. Installing Ingate SIParator


Installation
The recommended way to install an Ingate SIParator is to use a serial cable connected to the
serial console at the SIParator and via it set the IP address and password for the SIParator.
Installation with a serial cable requires being in the same place as the SIParator, but it
gives the most options for the start configuration and it will always work.
A new alternative from SW version 5.0.6 is to use the default IP address, connect to the
SIParator with a web browser, and set the password as the first action when connected.
Installation using the default IP address does not require being in the same place as the
SIParator (but the computer has to be connected to the same logical network as the
SIParator).
Either of the two ways above is followed by running the StartUp Tool TG, which gives help
with network and SIP configuration for the combination of IP-PBX and ITSP that will be
used.
Installation with the StartUp Tool TG does not require being in the same place as the
SIParator (but the computer has to be connected to the same logical network as the
SIParator). This tool also includes the possibility to set the IP address and password for
the SIParator.
Finally, further configuration is done through the web GUI.
One more alternative way to set the IP address of the SIParator is to perform a magic ping
followed by creating all configuration manually via the web interface.
Installation with magic ping does not require being in the same place as the SIParator (but
the computer has to be connected to the same logical network as the SIParator), but restricts
the start configuration.

Installation with a serial cable


Connect the SIParator to your workstation with the enclosed serial cable, plug in the power
cord and turn the SIParator on. You will have to wait a few minutes while the SIParator
boots up.

You need a serial cable (one was included with the product), a serial adapter cable, and a
terminal program on your workstation.
Connect the serial port at the SIParator to your workstation with the serial cable, using a
serial adapter suiting your workstation.
When communicating via serial links with Ingate products, use 19200 bps, 8N1 (i.e. 8
data bits, No parity, 1 stop bit), VT100.

If you use a Windows workstation, connect like this: Start PuTTY (of course other
terminal programs can be used, however only PuTTY is described here).
Check which serial port is used by looking in the Device Manager; for example, it can be
COM3.
Write in Serial line: COM3 (use the port that is in use, in this example COM3).
Select Connection Type: Serial.
Among the port settings make sure that the Speed is 19200 bit/s.
Use the default values for all other settings.
Connect by clicking Open.
Wait for a login prompt. (In some cases you have to press Return to get the login
prompt.)

If you use a Linux workstation, connect like this:

1. Plug in your USB serial converter.
2. Determine the tty port the converter is on.
       dmesg | grep tty
   You should get something like this:
       usb 2-1.5: pl2303 converter now attached to ttyUSB0
   That means you should use /dev/ttyUSB0.
3. Use minicom to access the console.
       minicom -8 -b 19200 -D /dev/ttyUSB0
   You have to press Return to get the login prompt.
   If you get the following error:
       minicom: cannot open /dev/ttyUSB0: Permission denied
   You need to make sure you have permission to access the ttyUSB0 device. Consult the
   manual of your particular distribution.

If you use a Mac workstation, connect like this: Start Screen (of course other
terminal programs can be used, however only Screen is described here).

1. Plug in your USB-serial adapter.
2. Find the right TTY device.
       ls /dev/tty*
   You should get something like this:
       /dev/tty
       /dev/tty.Bluetooth-Incoming-Port
       /dev/tty.Bluetooth-Modem
       /dev/tty.usbserial
   Look for something like usbserial (or similar).
   That means you should use /dev/tty.usbserial.
   Alternatively use:
       dmesg | grep tty
   You should get something like this:
       usb 2-1.5: pl2303 converter now attached to ttyUSB0
   That means you should use /dev/ttyUSB0.
3. Use Screen to access the console.
       screen /dev/tty.usbserial 19200
   You have to press Return to get the login prompt.

Log on from your workstation as the user admin. The first time you log on, no password is
required. You set the password when you run 1. Basic configuration from the menu
that is presented when you have logged on.
Each network interface is marked with a name (Eth0, Eth1, ...), which corresponds to a tab
under Network. All eth interfaces belong to ethernet cards and should only be connected
using ethernet cables.
Decide which computer(s) are allowed to configure Ingate SIParator and enter the name of
the network interface to which they are connected, for example, eth0. You must use the
physical device name (eth0, eth1, ...).
Enter the IP address of the SIParator on this interface and the network mask for the
network.
A network mask can be written in two ways in Ingate SIParator:

The first looks just like an IP address, for example 255.255.192.0 or 255.255.254.0.

The other way is as a number between 0 and 32. An IP address has 32 bits, and the
network mask number indicates how many of those bits are used for the network address.
The rest of the bits identify the computer on the network.

Now, you can select to deactivate any network interfaces. Select y to deactivate all
interfaces but the one you just configured. The remaining network interfaces can be
activated later when you complete the configuration via the web interface from your
workstation. This only applies to interfaces which were previously active; you can't activate
interfaces with this setting.
Now enter the computer or computers from which the SIParator may be configured (the
configuration computers).
Then enter a password for the SIParator. This is the password you use in your web browser
to access and change the SIParator's configuration. Finally, you can reset all other
configuration if you want to.
Following is a sample run of the installation program.
Administration
==============
(Navigation tip: You may use Ctrl-d to skip back to this menu.)
1. Basic configuration
2. Download/Upload
3. Become a failover team member
4. Leave failover team and become standalone
5. Wipe email logs
6. Set password
7. Command line interface
a. About
reboot. Reboot
reset. Factory reset
q. Exit admin
==>
Select 1 to install your Ingate SIParator.
Basic unit installation program version 5.0.11

Press return to keep the default value


Network configuration inside:
Physical device name[eth0]:
IP address [0.0.0.0]: 10.47.2.242
Netmask/bits [255.255.255.0]: 255.255.0.0
Deactivate other interfaces? (y/n) [n]
Computers from which configuration is allowed:
You can select either a single computer or a network.
Configure from a single computer? (y/n) [y]



If you choose to allow only one computer to configure the SIParator, you are asked for the
IP address (the mask is set automatically).
IP address [0.0.0.0]: 10.47.2.240
If this IP address is not on the same network as the IP address of the SIParator, you are
asked for the router. Enter the IP address of the router on the network where the SIParator
is connected. Then enter the network address and mask of the network containing the
configuring computer.
Static routing:
The computer allowed to configure from is not on a network local to
this unit. You must configure a static route to it. Give
the IP address of the router on the network the unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
You can choose to allow several computers to configure the SIParator, by answering no to
the question:
Configure from a single computer? (y/n) [y] n
The installation program then asks for the network number. The configuration computers
must be entered as a complete subnet, i. e. a range which can be written as a network
number and a netmask (like 10.47.2.128 with netmask 255.255.255.128, which means the
computers 10.47.2.128-10.47.2.255). All computers on this subnet will be allowed to
configure the SIParator. For more information about network numbers and netmasks, see
chapter 3 of the Reference Guide.
Network number [0.0.0.0]: 10.47.2.0
Netmask/bits [255.255.255.0]: 255.255.255.0
If the network or partial network is not directly connected to the SIParator, you must enter
the IP address of the router leading to that network. Then enter the network's address and
mask.
Static routing:
The network allowed to configure from is not on a network local to this
unit. You must configure a static route to it. Give the
IP address of the router on the network this unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
Then enter a password.



Password []:
Finally, you are asked if you want to reset other configuration.
Other configuration
Do you want to reset the rest of the configuration? (y/n) [n]
If you answer n, nothing is removed. If you answer y, you have three alternatives to select
from:
1. Clear as little as possible. This is the alternative that is used if you answer n to the
question above. Both the preliminary and the permanent configurations will be updated
with the configuration specified above.
2. Revert to the factory configuration and then apply the configuration specified above.
This will affect the permanent but not the preliminary configuration.
3. Revert to the factory configuration and empty all logs and then apply the configuration
specified above. Both the preliminary and the permanent configurations will be
affected.
Select the update mode, which is what you want to remove.
Update mode (1-3) [1]:
All configuration is now complete. The installation program shows the configuration and
asks if it is correct.
yes saves the configuration.
no runs the installation program over again.
abort ends the installation program without saving.
You have now entered the following configuration
Network configuration inside:
Physical device name: eth0
IP address: 192.168.150.2
Netmask: 255.255.255.0
Deactivate other interfaces: no
Computer allowed to configure from:
IP address: 192.168.128.3
Password: eeyore
The rest of the configuration is kept.
Is this configuration correct (yes/no/abort)? yes



Now, finish configuration of the SIParator from the computer/computers specified in the
installation program by logging on to the web interface as admin, using the new password.
Connect the network cables to the network interfaces.
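
The checks that the installation program's questions imply, as an added example (not Ingate code): it converts either netmask notation to a bit count, verifies that the configuration computers form a complete subnet, and reports whether a static route is needed. The function names are hypothetical; the addresses are the ones used in the sample run above.

```python
import ipaddress


def mask_to_bits(mask):
    """Return the bit count for a mask written as '255.255.192.0' or as '18'."""
    mask = str(mask).strip()
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"bit count out of range: {mask}")
        return bits
    value = int(ipaddress.IPv4Address(mask))
    host_part = value ^ 0xFFFFFFFF      # the bits left over for the computers
    if host_part & (host_part + 1):     # host bits must form one low-order run
        raise ValueError(f"netmask is not contiguous: {mask}")
    return 32 - host_part.bit_length()


def plan_management_access(unit_ip, unit_mask, allowed, allowed_mask="32",
                           router=None):
    """Check who may configure the unit and whether a static route is needed.

    allowed/allowed_mask describe the configuration computers: a single
    computer (mask 32) or a complete subnet.
    """
    unit = ipaddress.ip_interface(f"{unit_ip}/{mask_to_bits(unit_mask)}")
    # strict=True rejects a network number that has host bits set, i.e. a
    # range that cannot be written as network number plus netmask.
    allowed_net = ipaddress.ip_network(
        f"{allowed}/{mask_to_bits(allowed_mask)}", strict=True)
    # Assumption of this example: anything not fully inside the unit's own
    # network is treated as non-local and therefore needs a static route.
    needs_route = not allowed_net.subnet_of(unit.network)
    router_is_local = None
    if needs_route and router is not None:
        # The router must be reachable on the network the unit is on.
        router_is_local = ipaddress.IPv4Address(router) in unit.network
    return {
        "first": str(allowed_net[0]),
        "last": str(allowed_net[-1]),
        "addresses": allowed_net.num_addresses,  # how many may configure
        "needs_static_route": needs_route,
        "router_is_local": router_is_local,
    }


if __name__ == "__main__":
    # Values from the sample run in this chapter.
    cases = [
        ("single computer", ("10.47.2.240", "32", None)),
        ("half of a /24", ("10.47.2.128", "255.255.255.128", None)),
        ("remote network", ("10.10.0.0", "255.255.255.0", "10.47.3.1")),
    ]
    for label, (net, mask, router) in cases:
        plan = plan_management_access("10.47.2.242", "255.255.0.0",
                                      net, mask, router)
        print(label, plan)
```

The "addresses" value is worth reading before answering the prompts: it is the number of hosts that will be allowed to reach the configuration interface.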

Installation using the default IP address


A new alternative from SW version 5.0.6 is to use the default IP address, connect to the
SIParator with a web browser, and set the password as the first action when connected.
The default IP address is 192.168.1.1 with netmask 255.255.255.0.
The configuration computer has to be connected to the same logical network as the
SIParator.
There is no default password set from the factory. You will be asked to set a password via the
web user interface when you connect the first time.

Installation with the Startup Tool


The Ingate StartUp Tool TG is delivered on the CD you got with the SIParator. You can
also download the latest Startup Tool version from
http://www.ingate.com/Startup_Tool_TG.php.
The Startup Tool helps you to set the initial IP address, and with network and SIP
configuration including SIP Trunking for the combination of IP-PBX and ITSP that will be
used.

Installation with magic ping


You can use the magic ping to set an IP address for the SIParator. This is how to perform a
magic ping:

Plug in the power cord and turn the SIParator on.

Wait while the SIParator boots up.

Connect the network cables to the network interfaces.

Find out the MAC address of the SIParator (printed on the SIParator label). This is the
MAC address of Eth0.

Add a static entry in your local ARP table consisting of the SIParator's MAC address and
the IP address it should have on eth0.

This is how to add a static ARP entry if you use a Windows 8 or Windows 7 computer:

Start a command (or cmd) window as administrator.

In the command window, enter the command:

    netsh interface ipv4 show addresses

This gives you the name of the network adaptor for which you want to add the route/static
MAC mapping.

Then enter the command:

    netsh interface ip add neighbors "networkadaptor" "ipaddress" "macaddress"

where networkadaptor is the network adaptor name that you read out in the previous
step, ipaddress is the new IP address for the eth0 interface, and macaddress is the
MAC address printed on the SIParator, but with all colons (:) replaced with dashes (-).
For example:

    netsh interface ip add neighbors "USBEth" "10.10.10.1" "00-90-fb-3c-83-16"

This is how to add a static ARP entry if you use an older Windows version:

Start a command (or cmd) window as administrator.

In the command window, enter the command:

    arp -s ipaddress macaddress

where ipaddress is the new IP address for the eth0 interface, and macaddress is the
MAC address printed on the SIParator, but with all colons (:) replaced with dashes (-).

Perform the magic ping:

Ping this IP address to give the SIParator its new IP address. You should receive one
ping reply if the address distribution was successful.

The magic ping will not set any password. Set a password immediately via the web user
interface. Before any configuration has been made, only the computer which performed the
magic ping will be able to configure the Ingate SIParator.

Turning off an Ingate SIParator


Back up the SIParator configuration (just in case something should happen). You do this on
the Save/Load Configuration page under Administration. Once this is done, just turn the
computer off. The computer that runs Ingate SIParator is specially designed so that you can
switch it off without causing any problems in the file structure.

Remember to lock up the SIParator


The SIParator is a computer with special software, and must be protected from
unauthorized physical access just as other computers performing critical tasks. A locked up
SIParator protects against:

connecting to the console

changing the administrator password using a reboot and the SIParator buttons.


For more information about the necessary configuration, see chapter 3 of the Reference
Guide.


Part II. Configuring Ingate SIParator
These chapters contain information about how to configure your Ingate SIParator, once it
has been installed. All configuration is made through the web interface of the SIParator.
The configuration described in these chapters is basic for making the SIParator work. For
descriptions of more advanced SIParator functions, please refer to the User Manual.

Chapter 9. Network Configuration


First, the SIParator must be configured to be aware of the network in which it operates.
This is performed on the Network pages. The important pages for getting started are
SIParator Type, Interface (Eth0, Eth1, ...), Default Gateways, Networks and
Computers and (for the DMZ SIParator Type) Topology.
You will also need to add DNS configuration on the Basic Configuration page under Basic
Configuration.

SIParator Type
The SIParator can be connected to your network in different ways, depending on your
needs. On this page, you state what configuration you have.

DMZ Configuration
Using this configuration, the SIParator is located on the DMZ of your firewall, and
connected to it with only one interface. The SIP traffic finds its way to the SIParator using
DNS or by setting the SIParator as an outbound proxy on the clients.
This is the most secure configuration, since all traffic goes through both your firewall and
your SIParator. It is also the most flexible, since all networks connected to any of your
firewall's interfaces can be SIP-enabled.
The drawback is that the SIP traffic will pass the firewall twice, which can decrease
performance.

On your firewall, you need to open the SIP port (normally UDP port 5060) and a range of
UDP ports for RTP traffic between the SIParator and the Internet as well as between the
SIParator and your internal networks. The SIP traffic finds its way to the SIParator using
DNS or by setting the SIParator as an outbound proxy on the clients.
The firewall mustn't use NAT for the traffic between the SIParator and your internal
networks or for the traffic between the SIParator and the Internet. However, the SIParator
can itself use NAT for traffic to the Internet.
You need to declare your internal network topology on the Topology page.


DMZ/LAN Configuration
Using this configuration, the SIParator is located on the DMZ of your firewall, and
connected to it with one of the interfaces. The other interfaces are connected to your
internal networks. The SIParator can handle several networks on the internal interface even
if they are hidden behind routers.
This configuration is used to enhance the data throughput, since the traffic only needs to
pass your firewall once.

[Figure: DMZ/LAN configuration, showing the Internet, the firewall and the SIParator]

On your firewall, you need to open the SIP port (normally UDP port 5060) and a range of
UDP ports for RTP traffic between the SIParator and the Internet. The other interface is
connected to your internal network. The SIParator can handle several networks on the
internal interface even if they are hidden behind routers. No networks on other interfaces on
the firewall can be handled.
Internal users have to configure the SIParator as outbound proxy, or an internal proxy has to
use the SIParator as outbound proxy.
The SIParator derives information about your network topology from the interface
configuration.

Standalone Configuration
Using this configuration, the SIParator is connected to the outside on one interface and your
internal networks on the others.
Use this configuration only if your firewall lacks a DMZ interface, or for some other reason
cannot be configured for the DMZ or DMZ/LAN alternatives.

[Figure: Standalone configuration, showing the SIParator]


Internal users have to configure the SIParator as outbound proxy, or an internal proxy has to
use the SIParator as outbound proxy. No change in the firewall configuration is needed.
The SIParator derives information about your network topology from the interface
configuration.

WAN Configuration
Using this configuration, the SIParator is connected to the outside on one interface and your
firewall on another interface. Between these two interfaces (marked as Data Interfaces on
the Topology page), only data will be sent. Other interfaces can be connected directly to
your LAN, DMZ or other networks, and here SIP traffic will be sent.

[Figure: WAN configuration, with the labels Internet, data/VoIP, SIParator, data, Firewall and VoIP]

Internal users have to configure the SIParator as outbound proxy, or an internal proxy has to
use the SIParator as outbound proxy. No change in the firewall configuration is needed.
The SIParator derives information about your network topology from the interface
configuration.

SIParator Type configuration

Current SIParator Type


Shows which type is currently active.

Change SIParator Type to


Select a new SIParator Type here.


Change type
Press the Change type button to set the new SIParator Type. This setting, like others, must
be applied on the Save/Load Configuration page before it affects the SIParator
functionality.

Change Operational Mode

Change Operational Mode


Check the Change Operational mode box, then press the button to set the new mode. This
product can operate in two different operational modes: Firewall or SIParator. In Firewall
mode all traffic (both SIP and data traffic) is going through this unit. In SIParator mode this
unit only deals with SIP traffic - normal data traffic is handled by another firewall. There
are several different SIParator modes available. NOTE: When pressing the button to switch
operational mode the change is instant and the unit is immediately rebooted! The unit shall
be in factory default mode when performing the operational mode change.

Interface (Eth0, Eth1, ...)


There is a page for each network interface (Eth0, Eth1, ...) on the SIParator. Select a page to
make configuration for that interface. There is also a page where configuration for all
interfaces can be viewed and changed.
Here, you set the interface name, whether the interface is on or off, the IP address, alias,
and static routing.
For each interface, go to Directly Connected Networks and state the IP address of the
SIParator and the size of the network connected to this interface.


General

Physical device
Physical device tells the physical device name of the network interface.

This interface is
Specify if this network interface is On or Off. If the interface is off, all configuration on
this page is ignored, and the SIParator will behave as if this interface wasn't present (except
when used for failover).
If the interface should be used for failover, you should select Off. In this case, it won't be
available for other traffic than the synchronizing within the failover team. Read more about
failover in chapter 11 of the Reference Guide.

Interface name
The network Interface name is only used internally in the SIParator, e. g. when
configuring Networks and Computers.

Obtain IP Address Dynamically


Specify if this network interface should obtain its IP address from a DHCP or PPPoE server
instead of an address entered on this page. If DHCP client ON is selected, the SIParator
will send out a DHCP request when you apply the configuration and at boot. The request is
sent out to the network connected to this interface. If no IP address is obtained, the
SIParator will keep on sending requests until an address lease is received.
The SIParator will accept an IP address and a netmask via DHCP. It will also accept a
default gateway, if you configured for that in the Main Default Gateways table on the
Default Gateways page.
If PPPoE client ON is selected, the SIParator will send out a PPPoE request both when
you apply the configuration, and also at boot time. To obtain an IP address via PPPoE, you
also need to enter the configuration on the PPPoE page.
More than one interface can obtain its IP address dynamically.


Speed and Duplex


The SIParator can negotiate interface speed and duplex automatically. For Gbit interfaces,
this setting must be set to Automatic negotiation to achieve Gbit speed.
Note that the link partner must also be set to Automatic negotiation.

Directly Connected Networks


The SIParator must have an IP address on every network to which it is directly connected.
This applies to all networks on the same physical network to which this interface is
connected.
When the DHCP client is on, there must be a directly connected network with "*" as the
DNS name/IP address, and where the Netmask/bits field is left empty. No other directly
connected networks are allowed for this interface.

Name
A name for this IP address. You can use this name when configuring VPN. This name is
only used internally in the SIParator.

DNS Name or IP Address


The name/IP address of the SIParator on this network interface on this directly connected
network. If a name is entered, you must enter the IP address for a name server on the Basic
Configuration page.

IP Address
Shows the IP address of the DNS Name or IP Address you entered in the previous field.

Netmask/Bits
Enter the mask of the network where the DNS Name or IP Address applies.

Network Address
The IP address of the network where the DNS Name or IP Address applies.

Broadcast Address
Shows the broadcast address of the network in the Network address field.


VLAN Id
VLANs are used for clustering IP ranges into logical networks. A VLAN id is simply a
number, which identifies the VLAN uniquely within your network.
Enter a VLAN id for this network. You don't need to use a named VLAN (defined on the
VLAN page).

VLAN Name
If you entered the VLAN id of a named VLAN, the name will show here.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.
If the interface should obtain its IP address from a DHCP server, the settings should be like
in the image below. With a DHCP IP, no aliases can be defined for the interface.

Alias
Ingate SIParator can use extra IP addresses, aliases, on its interfaces. All alias IP addresses
must belong to one of the Directly Connected Networks you have specified.



Aliases are necessary for setting up a STUN server.
If the interface obtains its IP address dynamically, no aliases can be defined.

Name
Enter the name of your alias. This name is only used internally in the SIParator.

DNS Name or IP Address


Enter the IP address of this alias, or a name in the DNS. If you enter a DNS name instead of
an IP address, you must enter the IP address of a DNS server on the Basic Configuration
page.

IP Address
Shows the IP address of the DNS Name or IP Address you entered in the previous field.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.


Proxy ARP

You can use parts of the same network on several interfaces.


This is especially useful if you want to split your public IP addresses, and use one part on
the outside, and the rest on your DMZ.
Under Get Network From, you select from which directly connected network you want to
use IP addresses. The network you select should not be located on this interface. Then enter
the Proxy ARPed Network that you want to use on this interface.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Static Routing
If there is a router between the SIParator and a computer network which the SIParator is
serving, you must name the router and the network here. The table is sorted by network
number and network mask.
The Default gateway, configured on the Default Gateways page, will automatically be
entered in this table on the corresponding interface page, when added to the Main Default
Gateways table.
If the interface obtains its IP address dynamically, no other static routes can be defined.

Routed network
Enter the DNS name or IP address of the routed network under DNS Name or Network
Address.



The IP address of the routed network is shown under Network Address.
In the Netmask/Bits field, enter the netmask of the network.

Router
The name or IP address of the router that will be used for routing to the network. If there
are several routers between the SIParator and the network, fill in the router closest to the
SIParator.
If an interface will receive its IP address from a DHCP server, the SIParator will get its
default gateway from the server. In this case, select the corresponding IP address under
Dynamic.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Save
Saves all Interface configuration to the preliminary configuration.

Undo
Clears and resets all fields in new rows and resets changes in old rows.

Look up all IP addresses again


Looks up the IP addresses for all DNS names on this page in the DNS servers you entered
on the Basic Configuration page.
This button will only be visible if a DNS server has been configured.

Default Gateways
Main Default Gateways
The Default gateway is the IP address of the router that is used to contact the outside
world. This IP address is usually the firewall. The default gateway must be an IP address from
one of the Directly Connected Networks of the SIParator's interfaces. See appendix J of the
Reference Guide for further description of routers/gateways.
The SIParator must have at least one default gateway to work.
You can enter more than one default gateway. The SIParator will use one of them until it
stops responding, and then switch to the next one.


Priority
If you entered more than one default gateway, you can assign a priority to each of them.
The SIParator will use the gateway with the highest priority (lowest number) when it
works. If it stops working, the SIParator will switch to the next in priority, while checking
the first for availability. When the first gateway works again, the SIParator will switch back
to using that.

Dynamic
If an interface will receive its IP address from a DHCP server, the SIParator will get its
default gateway from the server. In this case, select the corresponding IP address here.

DNS Name or IP Address


Enter the DNS name or IP address for the default gateway. If an interface will receive its IP
address from a DHCP server, the SIParator will get its default gateway from the server. In
this case, leave this field empty.

IP Address
Shows the IP address of the DNS Name or IP Address you entered in the previous field.

Interface
Select the interface connected to the SIParator default gateway.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.


Additional Default Gateways


You can list additional default gateways to be used for SIP traffic.
If an interface gets its IP address dynamically, the default gateway can also be assigned by
the DHCP/PPPoE server. In this case, select the corresponding IP address under Dynamic.

Dynamic
If an interface will receive its IP address from a DHCP server, the SIParator can also get its
default gateway from the server. In this case, select the corresponding IP address here.

DNS Name or IP Address


Enter the DNS name or IP address for the default gateway. If an interface will receive its IP
address from a DHCP server, the SIParator can also get its default gateway from the server.
In this case, leave this field empty.

IP Address
Shows the IP address of the DNS Name or IP Address you entered in the previous field.

Interface
Select the interface connected to the SIParator default gateway.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Policy For Packets From Unused Gateways


This policy controls how packets from the currently unused gateway(s) should be treated.
The packet can be allowed (subject to the rest of the configuration) or discarded.


The Discard IP packets selection means that the SIParator ignores the IP packets without
replying that the packet did not arrive.
The Allow IP packets selection makes the SIParator use the rest of the configuration to
decide if the packet should be allowed.

Gateway Reference Hosts


The gateway reference hosts are used by the SIParator to check if the gateways are alive.
For each reference host, test ping packets are sent, using the different gateways.
Reference hosts are not needed if you have entered a single default gateway.

DNS Name or IP Address


Enter the DNS name or IP address for the reference host. The reference host must be
located on the other side of the default gateway.

IP Address
Shows the IP address of the DNS Name or IP Address you entered in the previous field.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Save
Saves the Default Gateways configuration to the preliminary configuration.


Undo
Clears and resets all fields in new rows and resets changes in old rows.

Networks and Computers


Here, you name groups of computers and networks. Sometimes it can be useful to give a
group of computers a network name, such as Administration. If you want to group some
computers, this can be done here, even if they do not have consecutive IP addresses. You
can also include a subgroup when defining a new network group.
The names are used when you configure Topology, Filtering and Local Registrar.
Every group of computers which can reach each other without having to pass through the
firewall needs a separate network group.
The rows are sorted in alphabetical order, except that all upper case letters are sorted before
lower case letters (B comes before a).
When using an already defined group as a subgroup, select the name of the group under
Subgroup. Set Interface/VLAN to - and leave the other fields empty.

Name
Enter a name for the group of computers. You can use this name when you change
configuration on the pages mentioned above. A group can consist of several rows of IP
addresses or series of IP addresses. By clicking on the plus sign beside the name, you add
more rows where you can specify more IP addresses for this group.


Subgroup
An already defined group can be used as a subgroup to new groups. Select the old group
here and leave the fields for DNS name empty. Select - as Interface. If you don't want to
use a subgroup, select - here.

Lower Limit
DNS Name or IP Address
Enter the DNS name or IP address of the network or computer. For computers in an IP
range that you want to give a network name, enter the first IP address in the range. DNS
Name or IP Address must not be empty if you are not using a subgroup.

IP Address
The IP address of the object you entered in the DNS Name or IP Address field is
displayed here. This field is not updated until you click on Look up all IP addresses again
or make changes in the DNS Name or IP Address field.

Upper Limit
DNS Name or IP Address
Here, enter the last DNS name/IP address of the network or group. For computers in an IP
range that you want to give a network name, enter the last IP address in the range.
The IP address in Upper Limit must be at least as high as the one in Lower Limit. If this
field is left empty, only the IP address in Lower Limit is used. If you use a subgroup, leave
this field empty.

IP Address
The IP address of the object you entered in the DNS Name or IP Address field is
displayed here. This field is not updated until you click on Look up all IP addresses again
or make changes in the DNS Name or IP Address field.

Interface/VLAN
Here, you can select an interface or a VLAN to restrict the IP range.
If - is chosen, the group will consist of all IP addresses in the interval between Lower
Limit and Upper Limit, regardless of what interface they are connected to. By selecting an
interface or a VLAN, you constrain the group to consist only of the IP addresses in the
interval that really are connected to the selected interface/VLAN.
For example, if 10.20.0.0 - 10.20.0.255 are IP addresses behind the interface DMZ-1 and
the lower and upper limits are 10.10.10.20 and 255.255.255.255 respectively, choosing
DMZ-1 as Interface will cause the group to consist of the IP addresses 10.20.0.0 -
10.20.0.255, being the IP addresses in the interval actually connected to the selected
interface.



If you have selected a subgroup, the Interface/VLAN should be -. If you want to define a
network group at the remote side of a VPN connection, the Interface/VLAN should be -.
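
As an added illustration (not Ingate code), the Python sketch below resolves a Networks and Computers table into address ranges, applying the Upper Limit, Interface/VLAN and Subgroup rules described above. The group names, the eth0 interface with its addresses, and all function names are constructed for the example; the DMZ-1 row uses the values from the text.

```python
import ipaddress

# Constructed assumption: the addresses actually connected to each interface.
INTERFACES = {
    "DMZ-1": ["10.20.0.0/24"],      # the DMZ-1 example from the text
    "eth0": ["192.168.1.0/24"],     # hypothetical office LAN
}

# Constructed Networks and Computers table: group name -> rows.
GROUPS = {
    "Administration": [
        {"lower": "192.168.1.10", "upper": "192.168.1.19", "interface": "-"},
        {"lower": "192.168.1.200", "upper": "", "interface": "-"},
    ],
    "DMZ hosts": [
        {"lower": "10.10.10.20", "upper": "255.255.255.255", "interface": "DMZ-1"},
    ],
    "Trusted": [
        {"subgroup": "Administration"},
        {"subgroup": "DMZ hosts"},
    ],
}


def row_ranges(row, interfaces):
    """Return the (first, last) address pairs that one table row covers."""
    lo = ipaddress.ip_address(row["lower"])
    # An empty Upper Limit means only the Lower Limit address is used.
    hi = ipaddress.ip_address(row["upper"]) if row.get("upper") else lo
    if hi < lo:
        raise ValueError("Upper Limit must be at least as high as Lower Limit")
    if row.get("interface", "-") == "-":
        return [(lo, hi)]           # whole interval, regardless of interface
    ranges = []
    for cidr in interfaces[row["interface"]]:
        net = ipaddress.ip_network(cidr)
        first = max(lo, net.network_address)
        last = min(hi, net.broadcast_address)
        if first <= last:           # keep only the part behind the interface
            ranges.append((first, last))
    return ranges


def resolve(groups, name, interfaces, _path=()):
    """Expand a group, following subgroups, into a list of address ranges."""
    if name in _path:
        raise ValueError(f"group {name!r} includes itself as a subgroup")
    ranges = []
    for row in groups[name]:
        if row.get("subgroup", "-") != "-":
            ranges += resolve(groups, row["subgroup"], interfaces, _path + (name,))
        else:
            ranges += row_ranges(row, interfaces)
    return ranges


def describe(groups, name, interfaces):
    """Ranges in the 'first - last' form used in the text."""
    return [f"{a} - {b}" for a, b in resolve(groups, name, interfaces)]


def in_group(groups, name, address, interfaces):
    """True if the address belongs to the resolved group."""
    ip = ipaddress.ip_address(address)
    return any(a <= ip <= b for a, b in resolve(groups, name, interfaces))


if __name__ == "__main__":
    for group in GROUPS:
        print(group, describe(GROUPS, group, INTERFACES))
```

Note that 10.10.10.20, the Lower Limit of the DMZ hosts row, is not itself a member of the group, because it is not connected to DMZ-1.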

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new groups and rows you want to add to the table, and then click on
Add new rows.

Save
Saves the Networks and Computers configuration to the preliminary configuration.

Undo
Clears and resets all fields in new rows and resets changes in old rows.

Topology
State the topology around the SIParator on this page. Which type of topology is needed
depends on which SIParator Type was selected.

Surroundings
Settings in the Surroundings table are only required when the SIParator has been made the
DMZ type.
The SIParator must know what the networks around it look like. On this page, you list all
networks which the SIParator should serve and which are not reached through the default
gateway of the firewall.
All computers that can reach each other without having to go through the firewall connected
to the SIParator should be grouped in one network. When you are finished, there should be
one line for each of your firewall's network connections (not counting the default gateway).
One effect of this is that traffic between two users on different networks, or between one of
the listed networks and a network not listed here, is NAT:ed.
Another effect is that for connections between two users on the same network, or on
networks where neither is listed in Topology, no ports for RTP sessions will be opened,
since the SIParator assumes that they are both on the same side of the firewall.
For DMZ and LAN SIParators, at least one network should be listed here. If no networks
are listed, the SIParator will not perform NAT for any traffic.


Network
Select a network. The alternatives are the networks you defined on the Networks and
Computers page.

Additional Negotiators
Sometimes you have SIP devices on a different network that need to negotiate for this
network. This happens when there is a SIP server on one network, and SIP-unaware phones
on another. In this case, select the phone network under Network, and the SIP server as an
Additional Negotiator. Select from the networks defined on the Networks and Computers
page.

Delete
If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Data Interfaces
Settings in the Data Interfaces table are only required when the SIParator has been made
the WAN type.
Between the Data Interfaces listed here, the SIParator will act as a plain router, and only
forward traffic, with the exception that QoS will be performed if configured for the traffic in
question.
The traffic sent between Data Interfaces will not be logged by the SIParator.
The SIParator will only send SIP traffic between the other interfaces.


Interface
Select a data interface here.

Delete
If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Save
Saves all Topology configuration to the preliminary configuration.

Undo
Clears and resets all fields in new rows and resets changes in old rows.

Basic Configuration
On the Basic Configuration page, general settings for the SIParator are made. The most
important one for getting started is the DNS server.


General

Name of this SIParator


Here, you can give your Ingate SIParator a name. The name of the SIParator is displayed in
the title bar of your web browser. This can be a good idea if you administer several
SIParators. The name is also used if you use SNMP and when you export log files into the
WELF format.

Default domain
Here, you can enter a default domain for all settings. If a default domain is entered, the
SIParator will automatically assume that an incomplete computer name should be
completed with the default. If, for example, Default domain contains company.com, you
could refer to the computer axel.company.com as just axel. If no default domain
should be used, the Default domain field should contain a single dot (.).

IP Policy
Here, you specify what will happen to IP packets which are neither SIP packets, SIP
session media streams, nor SIParator administration traffic. Discard IP packets means that
the SIParator ignores the IP packets without replying that the packet did not arrive. Reject
IP packets makes the SIParator reply with an ICMP packet telling that the packet did not
arrive.

Version of Ingate SIParator


You can choose to turn the SIParator's version checker On or Off at Check for new
versions of Ingate SIParator. You must enter a Default gateway to enable the version
checker. If a new version exists, the text "A new Ingate SIParator version exists. Check here
for upgrades." will appear at the top of each configuration web page.
Ingate SIParator checks for new versions every 24 hours and at reboot. Date of last
successful version check shows when the last check was made.


Policy For Ping To Your Ingate SIParator


Here, you specify how the SIParator should reply to ping packets to its IP addresses. You
can choose between Never reply to ping, Only reply to ping from the same interface
and Reply to ping to all IP addresses. Only reply to ping from the same interface
means that the ping request must originate from a network which is directly connected to
the pinged interface of the SIParator or from a network to which there exists a static route
from the pinged interface; otherwise the request will be ignored.
Ping is a way of finding out whether a computer is working. See appendix J of the
Reference Guide for further information on ping.

DNS Servers
Here, you configure DNS servers for the SIParator. The servers are used in the order they
appear in this table, which means that the SIParator uses the top server to resolve DNS
records until it doesn't reply. Only then is server number two contacted.

No.
The DNS servers are used in the order they are presented in the table. To move a server to a
certain row, enter the number on the row to which you want to move it. You need only
renumber servers that you want to move; other servers are renumbered automatically. When
you click on Save, the DNS servers are re-sorted.

Dynamic
If an interface will receive its IP address from a DHCP server, the SIParator can also get
information about its DNS server from that server. In this case, select the corresponding IP
address here and leave the other fields empty.

DNS Name or IP Address


The DNS name/IP address of the DNS server which the SIParator should use. Note that to
use DNS names here, there must exist a DNS server in the SIParator's permanent
configuration.


IP Address
Shows the IP address of the DNS Name or IP Address you entered in the previous field.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Save
Saves the Basic Configuration configuration to the preliminary configuration.

Undo
Reverts all the above fields to their previous configuration.

Look up all IP addresses again


Looks up the IP addresses for all DNS names on this page in the DNS servers you entered
above.


Chapter 10. SIP Configuration


SIP (Session Initiation Protocol) is a protocol for creating and terminating various media
stream sessions over an IP network. It is for example used for Internet telephone calls and
distribution of video streams.
SIP takes care of the initiation, modification and termination of a session with one or more
participants. The protocol makes it possible for the participants to agree on what media
types they should share. You can find more information about SIP in appendix D of the
Reference Guide and in RFC 3261.
Basic SIP configuration is made on the Basic, Local Registrar, and possibly also Sessions
and Media pages. If you want to use an external SIP proxy, you must state this on the
Routing page.

Basic
Here, you make basic settings for the SIParator SIP management.

SIP Module

Here, select whether the SIP module should be enabled or disabled. If you select to Disable
SIP module, no other SIP settings will have any effect.

SIP Signaling Access Control


Specify the networks and computers from which the firewall accepts SIP Signaling.

If specified, only SIP signaling originating from any of the specified networks/computers
will be accepted by the firewall. Packets that are not accepted will either be "discarded" or
"rejected" depending on the setting "IP Policy" specified under basic configuration. In the
default setting ("-") the firewall will accept SIP signaling from any client.


SIP Media Port Range


State a port interval which the SIParator should use for SIP media streams. You can use any
high ports except 4500 (reserved for NAT-T) and 65097-65200 (reserved for RADIUS).
Note! A change in the port interval will make the SIP module restart when the
configuration change is applied.
When the SIP module is restarted, all active SIP sessions (SIP calls, video conferences etc)
will be torn down and all SIP user registrations will be removed.

Enter the lower and upper limit of the port range that the SIParator should use for media
streams. The upper limit must be at least as high as the lower limit.

Additional SIP Signaling Ports


Normally, the SIParator listens for SIP signaling on ports 5060 (UDP and TCP) and 5061
(TLS). You can make it listen for SIP signaling on additional ports. When ports are added
here, they are reserved for SIP signaling on all the SIParator IP addresses.

Port
Enter an additional port on which the SIParator should listen for SIP signaling. The
SIParator will then receive SIP signaling on this port for all its IP addresses.
SIP signaling over TLS cannot be received on a SIParator port which is used for something
else, like configuration of the SIParator.

Transport
Select which SIP signaling transports should be allowed on this port.

Comment
Enter a comment to remind yourself why you added the port.


Delete
If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Public IP address for NATed SIParator


Sometimes, the SIParator is located behind a NAT box that is not SIP-aware. This will
make signaling go awry, with the result that in many cases there will be voice in only one
direction.
This can be corrected by entering the public IP address that the SIParator will appear to
have. When sending SIP signaling towards its default gateway, the SIParator will use that
IP address instead of its private one, which will get media to the right place.
Note that the NATing device must also be configured to forward SIP signaling on that IP
address to the SIParator.
If nothing is entered here, the SIParator will use its own IP addresses.
This setting is not supported for the Standalone configuration.

SIP Logging
The same settings can also be found on the Logging Configuration page under Logging
and Tools.


Log class for SIP signaling


For each SIP packet, the SIParator generates a message, containing the sender and receiver
of the packet and what type of packet it is. Select a log class for these log messages.

Log class for SIP packets


The SIParator logs all SIP packets (one SIP packet is many lines). Select a log class for the
SIP packets.

Log class for SIP license messages


The SIParator logs license messages. Select a log class for these messages.

Log class for SIP errors


The SIParator sends a message if there are any SIP errors. Select a log class for these log
messages.

Log class for SIP media messages


The SIParator creates log messages about when media streams are set up and torn down.
Select a log class for these messages.

Log class for SIP debug messages


The SIParator logs a lot of status messages, for example the SIP initiation phase of a
reboot. Select a log class for these messages.

SIP Servers To Monitor


Your SIParator can monitor SIP servers, to check that they are alive. The information is
used by the SIParator when SIP signaling should be passed on to the server in question.



This is useful when a domain resolves to several individual hosts; the SIParator will know
immediately if one of them is down, which will speed up the call connection.
Monitoring is done by the firewall sending SIP OPTIONS packets to the SIP server, which
responds to them. If the SIP server responds with an ICMP type 3
packet (Destination unreachable message), or if it does not respond at
all to previous SIP signaling, the firewall will blacklist the SIP server. For the latter event,
you can avoid the blacklisting by setting the SIP blacklist interval on the Sessions and
Media page to zero (0). If the interval is set to zero (0), neither blacklisting nor monitoring
will be done.
The monitoring interval (same as blacklist interval) can be set with the SIP blacklist
interval option on the SIP Services > Sessions and Media page.

Server
Enter the host name, domain name, or IP address of the server to be monitored.

Port
Enter the port to be monitored on that host. This should be the port to use for SIP signaling.

Transport
Select the transport to be monitored on that host. This should be the transport to use for SIP
signaling.

Delete
If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.


Save
Saves the Basic configuration to the preliminary configuration.

Undo
Clears and resets all fields in new rows and resets changes in old rows.

Local Registrar
The SIP registrar keeps track of where a user is right now. The registrar receives
registrations from the SIP user clients and discards them when they become obsolete. A
user can register from several computers.
Here, you enter the SIP domains the SIParator should manage and set up the SIP user
database. If authentication should be used, you also need to do some settings on the
Authentication and Accounting page, and select which SIP methods should be
authenticated on the SIP Methods page.
If you want to use a RADIUS server for SIP users instead of a local database, you select
that on the Authentication and Accounting page.

Local SIP Domains


Here, you enter the domains that the SIP registrar should handle. Only users in these
domains can register on the SIParator.
Note that you should only list domains for which the users are expected to register on the
SIParator itself. SIP requests for other domains will be forwarded by the SIParator to the
server managing the domain in question.

Domain
Enter the name of the domain, such as ingate.com. Sometimes you have to use an IP
address (of the SIParator) as the domain as well, when the SIP client substitutes the domain
for the IP address noted in DNS.

Delete
If you select this box, the row is deleted when you click on Add new rows or Save.


Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Filtering
On the Filtering page you select the MIME types you want to let through, if the SIParator
should forward any other SIP traffic than just IP telephony or instant messages.
On that page, you can also select filtering of SIP signaling based on several conditions.

Sender IP Filter Rules


Here, you set all the rules for SIP requests from different networks. Requests that do not
match any rule are handled according to the Default Policy For SIP Requests.

No.
The No. field determines the order of the rules. Rules are used in the order in which they
are displayed in the table; rule number 1 is first. The order is important if you used
networks which partly contain the same IP addresses. To change order for a rule, enter the
new number in the field and press Save.

From Network
The network name that the SIP request originates from. You can select between the
networks defined on the Networks and Computers page under Network.

Action
Under Action, you select what to do with a SIP request from the selected network. The
choices are Process all, which handles all requests regardless of destination, Local only,
which only handles requests to Local SIP Domains (entered on the Local Registrar page),
and Reject all, which doesn't handle any requests at all.

Delete
If you select this box, the row is deleted when you click on Add new rows or Save.


Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Default Policy For SIP Requests


Select what to do with SIP requests that do not match any of the Proxy Rules. The choices
are Process all, which handles all requests regardless of destination, Local only, which
only handles requests to Local SIP Domains (entered on the Local Registrar page), and
Reject all, which doesn't handle any requests at all.
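
To see why rule order matters when networks overlap, the following added Python example (not part of the Ingate documentation or software) evaluates constructed Sender IP Filter Rules first match first and falls back to the Default Policy. The network names, addresses, the domain example.com and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data; names and addresses are illustrative only.
NETWORKS = {                              # as defined on Networks and Computers
    "Office": ["192.168.0.0/16"],
    "Guest WLAN": ["192.168.50.0/24"],    # lies inside "Office"
}
LOCAL_SIP_DOMAINS = {"example.com"}       # as entered on Local Registrar

PROCESS_ALL, LOCAL_ONLY, REJECT_ALL = "Process all", "Local only", "Reject all"

RULES = [                                 # Sender IP Filter Rules, ordered by No.
    {"no": 1, "from": "Guest WLAN", "action": LOCAL_ONLY},
    {"no": 2, "from": "Office", "action": PROCESS_ALL},
]
DEFAULT_POLICY = REJECT_ALL


def action_for(sender_ip, rules, default_policy, networks=NETWORKS):
    """Return (rule No. or None, action) for the first rule matching the sender."""
    ip = ipaddress.ip_address(sender_ip)
    for rule in sorted(rules, key=lambda r: r["no"]):
        if any(ip in ipaddress.ip_network(c) for c in networks[rule["from"]]):
            return rule["no"], rule["action"]
    return None, default_policy           # no rule matched


def is_processed(sender_ip, request_domain, rules, default_policy):
    """True if a request from sender_ip to request_domain would be handled."""
    _, action = action_for(sender_ip, rules, default_policy)
    if action == PROCESS_ALL:
        return True
    if action == LOCAL_ONLY:
        return request_domain.lower() in LOCAL_SIP_DOMAINS
    return False                          # Reject all


def swapped(rules):
    """The same rules with the numbers of rule 1 and rule 2 exchanged."""
    flip = {1: 2, 2: 1}
    return [dict(r, no=flip.get(r["no"], r["no"])) for r in rules]


if __name__ == "__main__":
    for label, rules in (("as configured", RULES), ("swapped", swapped(RULES))):
        print(label, action_for("192.168.50.9", rules, DEFAULT_POLICY),
              is_processed("192.168.50.9", "other.test", rules, DEFAULT_POLICY))
```

With the broader Office rule placed first, a guest address matches it before the Guest WLAN rule is ever considered, so requests to non-local domains are processed.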

Content Types
The SIP packets present information in different ways, using content types (MIME types).
Enter here which types the SIP proxy should accept. The most common MIME types are
predefined and you only have to activate them.
The content types application/sdp (used for SIP requests), application/xpidf+xml (used for
Presence) and text/x-msmsgsinvite (used by Messenger) are always accepted - you don't
have to enter them into the table. You can find a complete list of MIME types at
ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types/.

Content Type
Enter the content type (only one in each row). The format is category/type, e.g.
text/plain. You can also allow all content types by entering */* in a row and allow it.

Allow
Select if the SIParator should allow (On) or reject (Off) this content type in SIP signaling.

Delete
If you select this box, the row is deleted when you click on Add new rows or Save.


Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.

Routing
DNS Override For SIP Requests
Here, you can register SIP domains to which the SIParator should be able to forward
requests, but which for some reason cannot be resolved in DNS. Enter an IP address and
port to which the requests should be forwarded. You can also select to use a specific
protocol.
The SIParator uses the Request-URI of the incoming SIP packet to match for the domains
in this table. When it matches a domain, the packet will be forwarded to the IP address
entered here. Note that the Request-URI will not be rewritten!
You can also enter subdomains to Local SIP Domains, if you want the subdomain to be
handled by a separate SIP proxy. This table has a higher priority than Local SIP Domains,
which means that if you register a subdomain to a domain registered under Local SIP
Domains, the SIParator will forward SIP requests to the subdomain instead of processing
them itself.
You can enter more than one IP address or host name for a domain, and set weights and
priorities for these.

Domain
Enter the domain name of the SIP domain. This domain is compared to the domain in the
Request-URI of the incoming SIP packet.
You can't enter a domain that was entered in the Local SIP Domains table.


Relay To
DNS Name or IP Address
Enter the IP address for the SIP server handling the domain. You can also enter a DNS
name for the SIP server, if it has a DNS-resolvable host name, even if the SIP domain is not
possible to look up in DNS.
IP Address
Shows the IP address of the DNS Name or IP Address you entered in the previous field.
Port
Here, enter the port on which the SIP server listens for SIP traffic. The standard port is
5060 (5061 for TLS).
Transport
You can select which transport protocol to use between the SIParator and the SIP server.
Under Transport, select from UDP, TCP and TLS.
Priority
If you entered more than one IP address/host name for the same domain, you should also
assign them Priority and Weight. A low Priority value means that the unit should have a
high priority.
Weight
If more than one unit has the same Priority, the signaling sent to them is distributed
between them according to their Weight. If two units have the same priority, and Unit 1 has
weight 4, and Unit 2 has weight 9, 4/13 of the signaling will be sent to Unit 1, and 9/13 will
be sent to Unit 2.
Auth
The firewall asks the requestor for authentication.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.

Add new rows


Enter the amount of new groups and rows you want to add to the table, and then click on
Add new rows.
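
The lookup order and the Priority/Weight split described in this section, as an added Python example rather than Ingate code. The domains, addresses and function names are constructed; exact case-insensitive domain matching, and falling back to the next Priority value when units are unavailable, are assumptions modelled on DNS SRV behaviour.

```python
import random
from fractions import Fraction

# Constructed sample configuration; names and addresses are illustrative.
LOCAL_SIP_DOMAINS = {"example.com"}
DNS_OVERRIDE = {
    "lab.example.com": [   # subdomain of a Local SIP Domain, relayed elsewhere
        {"relay_to": "10.0.0.11", "port": 5060, "transport": "UDP",
         "priority": 1, "weight": 4},
        {"relay_to": "10.0.0.12", "port": 5060, "transport": "UDP",
         "priority": 1, "weight": 9},
        {"relay_to": "10.0.0.13", "port": 5061, "transport": "TLS",
         "priority": 2, "weight": 1},
    ],
}


def uri_domain(request_uri):
    """Extract the host part of a SIP Request-URI such as sip:bob@host:5060;x=y."""
    rest = request_uri.split(":", 1)[1]              # drop the sip:/sips: scheme
    rest = rest.split("?", 1)[0].split(";", 1)[0]    # drop headers and parameters
    host = rest.rsplit("@", 1)[-1]                   # drop the user part, if any
    if host.startswith("["):                         # IPv6 reference
        return host[1:host.index("]")].lower()
    return host.split(":", 1)[0].lower()             # drop the port


def route(request_uri, override=DNS_OVERRIDE, local=LOCAL_SIP_DOMAINS):
    """Decide who handles a request; the override table wins over local domains."""
    domain = uri_domain(request_uri)
    if domain in override:
        return "relay", domain       # forwarded; the Request-URI is not rewritten
    if domain in local:
        return "local", domain       # processed by the SIParator itself
    return "dns", domain             # forwarded to whatever DNS resolves


def preferred(rows, unavailable=()):
    """Rows sharing the lowest Priority value among the available units."""
    alive = [r for r in rows if r["relay_to"] not in unavailable]
    if not alive:
        return []
    best = min(r["priority"] for r in alive)
    return [r for r in alive if r["priority"] == best]


def shares(rows, unavailable=()):
    """Exact fraction of signaling each preferred unit receives."""
    group = preferred(rows, unavailable)
    total = sum(r["weight"] for r in group)
    return {r["relay_to"]: Fraction(r["weight"], total) for r in group}


def sample_counts(rows, n, seed=0):
    """Distribute n requests by weight with a seeded generator and count them."""
    rng = random.Random(seed)
    group = preferred(rows)
    counts = {r["relay_to"]: 0 for r in group}
    for row in rng.choices(group, weights=[r["weight"] for r in group], k=n):
        counts[row["relay_to"]] += 1
    return counts


if __name__ == "__main__":
    rows = DNS_OVERRIDE["lab.example.com"]
    print(route("sip:bob@lab.example.com:5060;transport=udp"))
    print({k: str(v) for k, v in shares(rows).items()})
    print(sample_counts(rows, 13000))
```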


Chapter 11. Administration of the SIParator

You also need to configure who can access the SIParator web interface. This is done on the
Access Control page under Basic Configuration.
Remember that the configuration you see in the web interface (preliminary configuration)
isn't necessarily the work configuration (permanent configuration) of the SIParator. When
all configuration is made in the web interface, it must be applied. This is done on the
Save/Load Configuration page under Administration.

Access Control
On the Access Control page, settings are made which control the access to the SIParator
administration interfaces. The SIParator can be configured via the web (http and https) and
via ssh or the serial cable (using the CLI, see chapter 15 of the Reference Guide).
Select one or more configuration IP addresses for the SIParator. The configuration address
is the IP address to which you direct your web browser to access the web interface of the
SIParator, or connect your ssh client to.
For each network interface, you also specify whether or not the SIParator can be configured
via this network interface.
You also select what kind of authentication will be performed for the users trying to access
the administration interfaces.
To further increase security, the SIParator can only be configured from one or a few
computers that are accessed from one of these interfaces. Enter the IP address or addresses
that can configure the SIParator. The IP addresses can belong to one or more computers. For
each IP address or interval of addresses, select which configuration protocols are allowed.

Configuration Transport
Select SIParator IP addresses for the allowed configuration protocols. The SIParator web
server will listen for web traffic on the IP addresses and ports selected under HTTP and
HTTPS.
This is the IP address and port which should be entered in your web browser to connect to
the SIParator.
For configuration via ssh, you need an ssh client to log on to the SIParator.


Configuration via HTTP


Select which IP address and port the SIParator administrator should direct her web browser
to when HTTP is used for SIParator configuration. You can select from the SIParator IP
addresses configured on the Interface pages under Network.
You can use different IP addresses for HTTP, HTTPS, and SSH configuration.

Configuration via HTTPS


Select which IP address and port the SIParator administrator should direct her web browser
to when HTTPS is used for SIParator configuration. You can select from the SIParator IP
addresses configured on the Interface pages under Network.
You can use different IP addresses for HTTP, HTTPS, and SSH configuration.
You also need to select an X.509 certificate, which works as an ID card, identifying the
SIParator to your web browser. This will ensure that you are really communicating with
your SIParator and not somebody else's computer. HTTPS uses an encryption method
using two keys, one secret and one public. The secret key is kept in the SIParator and the
public key is used in the certificate. If any of the keys are changed, the HTTPS connection
won't work.



All local certificates for the SIParator are created on the Certificates page under Basic
Configuration.

Configuration via SSH


Select which IP address and port the SIParator administrator should direct her ssh client to
when SSH is used for SIParator configuration. You can select from the SIParator IP
addresses configured on the Interface pages under Network.
For SSH configuration, the Command Language Interface is used. See also chapter 15 of
the Reference Guide.
You can use different IP addresses for HTTP, HTTPS, and SSH configuration.

Configuration Allowed Via Interface

This setting specifies whether configuration traffic is allowed via this interface. If you only
allow configuration via eth1, configuration traffic will only be allowed from computers
connected to the eth1 interface, regardless of which IP address the configuration traffic is
directed to or which IP addresses the computers have.
The choices for each interface are On and Off. This configuration is a complement to the
Configuration Computers setting below.

User Authentication For Web Interface Access

Select the mode of administrator authentication for logins via the web interface: Local
users, via a RADIUS database, or a choice between the two alternatives at login (Local
users or RADIUS database).



Local administrator users and their passwords are defined on the User Administration
page under Administration. If the authentication should be made with the help of a RADIUS
server, you must enter one on the RADIUS page.
When connecting to the administration interface via SSH, you can only log in as admin.

Configuration Computers
Enter the IP address or addresses that can configure the SIParator. The IP addresses can
belong to one or more computers.
Note that you must also allow configuration via the SIParator interface that the computers
are connected to. See Configuration Allowed Via Interface above.

No.
The No. field determines the order of the lines. The order is important in deciding what is
logged and warned for. The SIParator uses the first line that matches the configuration
traffic.
Perhaps you want to configure the SIParator so that configuration traffic from one specific
computer is simply logged while traffic from the rest of that computer's network is both
logged and generates alarms.
The rules are used in the order in which they are listed, so if the network is listed first, all
configuration traffic from that network is both logged and generates alarms, including the
traffic from that individual computer. But if the individual computer is listed on a separate
line before the network, that line will be considered first and all configuration traffic from
that computer is only logged while the traffic from the rest of the computer's network is
both logged and generates alarms.

DNS Name or Network Address


Enter the DNS name or IP address of the computer or network from which the SIParator
can be configured. Avoid allowing configuration from a network or computer on the
Internet or other insecure networks, or use HTTPS or IPsec to connect to the SIParator
from these insecure networks.

Network Address
Shows the network address of the DNS Name or Network Address you entered in the
previous field.


Netmask/Bits
Netmask/Bits is the mask that will be used to specify the configuration computers. See
chapter 3 of the Reference Guide for instructions on writing the netmask. To limit access so
that only one computer can configure, use the netmask 255.255.255.255. You can also
specify the netmask as a number of bits, which in this case would be 32. To allow
configuration from an entire network, you must enter the network address under Network
Address, and a netmask with a lower number here. To allow configuration from several
computers or networks, create several lines for the information.

Range
The Range shows all IP addresses from which the SIParator can be configured. The range
is calculated from the configuration under DNS Name or Network Address and
Netmask/Bits. Check that the correct information was entered in the DNS Name or
Network Address and Netmask/Bits fields.

Via IPsec Peer


Here, you can select an IPsec Peer from which this connection must be made. If an IPsec
peer is selected, you will only be able to configure the SIParator from this IP address
through an IPsec tunnel.

SSH
Check the check box if this computer/network should be allowed to configure the SIParator
via SSH.

HTTP
Check the check box if this computer/network should be allowed to configure the SIParator
via HTTP.

HTTPS
Check the check box if this computer/network should be allowed to configure the SIParator
via HTTPS.

Log Class
Here, you enter what log class the SIParator should use to log the configuration traffic to
the SIParator's web server. Log classes are defined on the Log Classes page under Logging
and Tools. See also chapter 8 of the Reference Guide.

Delete
If you select this box, the row is deleted when you click on Add new rows, Save, or Look
up all IP addresses again.


Add new rows


Enter the amount of new rows you want to add to the table, and then click on Add new
rows.
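
An added Python example (not Ingate code) that computes the Range for each Configuration Computers line from Netmask/Bits and reports lines that can never match because an earlier line covers them, the ordering pitfall described under No. above. The table rows, log class names and function names are constructed, and flagging HTTP without an IPsec peer is this example's own check based on the advice under DNS Name or Network Address.

```python
import ipaddress

# Constructed Configuration Computers table; log class names are hypothetical.
ROWS = [
    {"no": 1, "address": "10.1.0.0", "mask": "255.255.255.0",
     "protocols": {"SSH", "HTTPS"}, "ipsec_peer": None,
     "log_class": "log and alarm"},
    {"no": 2, "address": "10.1.0.25", "mask": "32",
     "protocols": {"HTTPS"}, "ipsec_peer": None,
     "log_class": "log only"},
    {"no": 3, "address": "10.9.0.0", "mask": "16",
     "protocols": {"HTTP"}, "ipsec_peer": None,
     "log_class": "log and alarm"},
]


def row_network(row):
    """Network for one line; Netmask/Bits may be dotted or a bit count."""
    # strict=True rejects a host address combined with a network mask.
    return ipaddress.ip_network(f"{row['address']}/{row['mask']}", strict=True)


def range_of(row):
    """The Range column: first and last address the line covers."""
    net = row_network(row)
    return f"{net.network_address} - {net.broadcast_address}"


def matching_line(rows, source):
    """The first line, in No. order, that matches the source address."""
    ip = ipaddress.ip_address(source)
    for row in sorted(rows, key=lambda r: r["no"]):
        if ip in row_network(row):
            return row
    return None                      # no line matches: not a configuration computer


def audit(rows):
    """Return (No., finding) pairs for lines that deserve a second look."""
    findings = []
    ordered = sorted(rows, key=lambda r: r["no"])
    for i, row in enumerate(ordered):
        net = row_network(row)
        for earlier in ordered[:i]:
            if net.subnet_of(row_network(earlier)):
                findings.append(
                    (row["no"], f"never used: covered by line {earlier['no']}"))
                break
        if "HTTP" in row["protocols"] and not row["ipsec_peer"]:
            findings.append((row["no"], "HTTP allowed without an IPsec peer"))
    return findings


def moved_first(rows, no):
    """Renumber the table so that the line with the given No. comes first."""
    ordered = sorted(rows, key=lambda r: (r["no"] != no, r["no"]))
    return [dict(r, no=i) for i, r in enumerate(ordered, start=1)]


if __name__ == "__main__":
    for row in ROWS:
        print(row["no"], range_of(row))
    print(audit(ROWS))
    print(audit(moved_first(ROWS, 2)))
```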

Save
Saves the Access Control configuration to the preliminary configuration.

Undo
Reverts all the above fields to their previous configuration.

Look up all IP addresses again


Looks up the IP addresses for all DNS names on this page in the DNS servers you entered
on the Basic Configuration page.
This button will only be visible if a DNS server has been configured.

Save/Load Configuration
Here, you work with the preliminary and permanent configurations, save them and load
new configurations from previously saved configurations.

Test Run and Apply Conf


The settings you make in the web GUI are not used automatically; you must apply
them first. When there are settings which are not yet applied, a warning about this will be
shown on the web pages.
When Apply configuration is pressed, the SIParator will test the configuration before you
make it permanent.
During the test, the SIParator waits for you to press one of the three buttons displayed. If you
never see the three buttons, something in your preliminary configuration (now tested) is
wrong, which makes it impossible for you to access the configuration web interface.

Duration of limited test mode


Here, you enter the time limit for the testing. If you do not press any button within this
time, the SIParator will assume that some part of your preliminary configuration makes
connecting impossible. When the timeout is reached, the SIParator automatically reverts to
the old permanent configuration. If this occurs, you will be informed when trying to press a
button.

Apply configuration
Saves the preliminary configuration to the permanent configuration and puts it into use.
You can test your preliminary configuration before finalizing it.
Three buttons are displayed during the test:

Save configuration saves your preliminary configuration to the permanent configuration
and puts it into use.

Continue testing shows a new page with only the other two buttons.

Revert cancels this test of the preliminary configuration without saving.

If you do not press any button within the time limit, the SIParator will revert to the old
permanent configuration, just as if you had pressed Revert. This is useful if you happen to
configure your SIParator so it isn't accessible from your browser.
After the timeout, pressing any of the three buttons will show a new page which will
inform you that the test run was aborted.
Restarting the SIParator by cycling the power or pressing the RESET button also cancels
the test.

Show Message About Unapplied Changes


When there are settings which are not yet applied, a warning about this will be shown on
the web pages. Select here where this message should be shown. The options are On every
page, On the Save/Load Configuration page (this page) and Never.

Backup
All configurations can be saved to and loaded from file. This does not affect the permanent
configuration.

Save to local file


Press Save to local file to save the preliminary configuration to the file you have selected. A
new window is opened where you enter the name of the file.

Load from local file


Press Load from local file to load a new preliminary configuration from the file you have
selected.

Browse
Browse is used to scan your local disk. The web browser opens a new window where you
can search among files and directories. Go to the right directory and select the file you want
to upload.

Save/Load CLI Command File


All configurations can be saved to and loaded from a CLI file (see chapter 15 of the
Reference Guide for more information about the CLI). You can also edit the CLI file before
it is uploaded again.
Uploading a CLI file might affect the permanent configuration, as the CLI file can contain
commands that apply the configuration.

Save config to CLI file


Press Save config to CLI file to save the preliminary configuration to the file you have
selected. A new window is opened where you enter the name of the file.

Load CLI file


Press Load CLI file to upload a CLI file to the SIParator.

Browse
Browse is used to scan your local disk. The web browser opens a new window where you
can search among files and directories. Go to the right directory and select the file you want
to upload.

Revert to Old Configurations


You can revert to old configurations of the SIParator, either back to the last configuration
successfully applied, or to the configuration delivered with your SIParator from the factory.

Abort All Edits


Abort all edits copies the permanent configuration to the preliminary configuration. All
changes made in the preliminary configuration are deleted.

Reload Factory Configuration


The factory configuration is the standard configuration that is delivered with an Ingate
SIParator. Click on this button to load this configuration into the preliminary configuration.
The permanent configuration is not affected.

Chapter 12. Firewall and Client Configuration

Additional configuration for the firewall and the SIP clients is required to make the
SIParator work properly. The amount and nature of the configuration depends on which
SIParator Type was selected.

The DMZ type


Using the DMZ type, the network configuration should look like this:

The Firewall
The firewall to which the SIParator is connected should have the following configuration:
SIP over UDP

Let through UDP traffic between the Internet (all high ports) and the SIParator (port
5060). You must allow traffic in both directions.

Let through UDP traffic between the internal networks (all high ports) and the SIParator
(port 5060). You must allow traffic in both directions.

Let through UDP traffic between the Internet (all high ports) and the SIParator (the port
interval for media streams which was set on the Basic page). You must allow traffic in
both directions.

Let through UDP traffic between the internal networks (all high ports) and the SIParator
(the port interval for media streams which was set on the Basic page). You must allow
traffic in both directions.

Let through UDP traffic between the SIParator (all high ports) and the Internet (port 53).
You must allow traffic in both directions. This enables the SIParator to make DNS
queries to DNS servers on the Internet. If the DNS server is located on the same network
as the SIParator, you don't have to do this step.

NAT between the SIParator and the Internet must not be used.

NAT between the SIParator and the internal networks must not be used.

SIP over TCP/TLS

Let through TCP traffic between the Internet (all high ports) and the SIParator (ports
1024-32767). You must allow traffic in both directions.

Let through TCP traffic between the internal networks (all high ports) and the SIParator
(ports 1024-32767). You must allow traffic in both directions.

Let through UDP traffic between the Internet (all high ports) and the SIParator (the port
interval for media streams which was set on the Basic page). You must allow traffic in
both directions.

Let through UDP traffic between the internal networks (all high ports) and the SIParator
(the port interval for media streams which was set on the Basic page). You must allow
traffic in both directions.

Let through UDP traffic between the SIParator (all high ports) and the Internet (port 53).
You must allow traffic in both directions. This enables the SIParator to make DNS
queries to DNS servers on the Internet. If the DNS server is located on the same network
as the SIParator, you don't have to do this step.

NAT between the SIParator and the Internet must not be used.

NAT between the SIParator and the internal networks must not be used.

The SIP clients


SIP clients will use the SIParator as their outgoing SIP proxy and as their registrar (if they
can't be configured with the domain only). If you don't want to use the SIParator as the
registrar, you should point the clients to the SIP registrar you want to use.

Other
The DNS server used must have a record for the SIP domain, which states that the
SIParator handles the domain, or many SIP clients won't be able to use it (if you don't use
plain IP addresses as domains).

The DMZ/LAN type


Using the DMZ/LAN type, the network configuration should look like this:

[Figure: Internet, Firewall, SIParator]

The Firewall
The firewall to which the SIParator is connected should have the following configuration:

SIP over UDP

Let through UDP traffic between the Internet (all high ports) and the SIParator (port
5060). You must allow traffic in both directions.

Let through UDP traffic between the Internet (all high ports) and the SIParator (the port
interval for media streams which was set on the Basic page). You must allow traffic in
both directions.

Let through UDP traffic between the SIParator (all high ports) and the Internet (port 53).
You must allow traffic in both directions. This enables the SIParator to make DNS
queries to DNS servers on the Internet. If the DNS server is located on the same network
as the SIParator, you don't have to do this step.

NAT between the SIParator and the Internet must not be used.

SIP over TCP/TLS

Let through TCP traffic between the Internet (all high ports) and the SIParator (ports
1024-32767). You must allow traffic in both directions.

Let through UDP traffic between the Internet (all high ports) and the SIParator (the port
interval for media streams which was set on the Basic page). You must allow traffic in
both directions.

Let through UDP traffic between the SIParator (all high ports) and the Internet (port 53).
You must allow traffic in both directions. This enables the SIParator to make DNS
queries to DNS servers on the Internet. If the DNS server is located on the same network
as the SIParator, you don't have to do this step.

NAT between the SIParator and the Internet must not be used.

SIP clients
The SIP clients on the internal network should have the SIParator's IP address on that
network as their outgoing SIP proxy and registrar.

Other
The DNS server used must have a record for the SIP domain, which states that the
SIParator handles the domain, or many SIP clients won't be able to use it (if you don't use
plain IP addresses as domains).
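
The firewall requirements listed for the DMZ and DMZ/LAN types can be written down as a small rule table and checked against sample flows. This is an added example, not part of the Ingate guide and not tied to any firewall product; the function names, the reading of "all high ports" as 1024-65535 and the sample media port interval are assumptions.

```python
from collections import namedtuple

# One pinhole: protocol, the zone on the far side of the firewall, the port
# span used in that zone and the port span used on the SIParator.
Rule = namedtuple("Rule", "proto zone zone_ports siparator_ports")

HIGH = (1024, 65535)  # assumption: "all high ports" means 1024-65535

def firewall_rules(siparator_type, transport, media_ports, dns_on_same_network=False):
    """Pinholes for the 'DMZ' or 'DMZ/LAN' type; transport is 'udp' or 'tcp' (TCP/TLS).

    Every rule must be allowed in both directions, and NAT must not be used
    between the SIParator and the zones listed.
    """
    if siparator_type not in ("DMZ", "DMZ/LAN") or transport not in ("udp", "tcp"):
        raise ValueError("unsupported SIParator type or transport")
    # Only with the DMZ type does internal-network traffic cross the firewall.
    zones = ["internet", "internal"] if siparator_type == "DMZ" else ["internet"]
    signaling = (5060, 5060) if transport == "udp" else (1024, 32767)
    rules = [Rule(transport, zone, HIGH, signaling) for zone in zones]
    rules += [Rule("udp", zone, HIGH, media_ports) for zone in zones]  # media streams
    if not dns_on_same_network:
        rules.append(Rule("udp", "internet", (53, 53), HIGH))          # DNS queries
    return rules

def permitted(rules, proto, zone, zone_port, siparator_port):
    """True if a flow between zone:zone_port and the SIParator port matches a rule."""
    def inside(port, span):
        return span[0] <= port <= span[1]
    return any(r.proto == proto and r.zone == zone
               and inside(zone_port, r.zone_ports)
               and inside(siparator_port, r.siparator_ports) for r in rules)

def render(rules):
    """Human-readable rule list for review before it is entered on the firewall."""
    return [f"{r.proto.upper()} {r.zone} {r.zone_ports[0]}-{r.zone_ports[1]} <-> "
            f"SIParator {r.siparator_ports[0]}-{r.siparator_ports[1]}" for r in rules]

# Constructed sample value; use the port interval set on the Basic page.
MEDIA = (58024, 60999)

if __name__ == "__main__":
    print("\n".join(render(firewall_rules("DMZ", "udp", MEDIA))))
```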

The Standalone type


Using the Standalone type, the network configuration should look like this:

[Figure: SIParator]

The SIP clients


SIP clients will use the SIParator as their outgoing SIP proxy and as their registrar (if they
can't be configured with the domain only). If you don't want to use the SIParator as the
registrar, you should point the clients to the SIP registrar you want to use.

Other
The DNS server used must have a record for the SIP domain, which states that the
SIParator handles the domain, or many SIP clients won't be able to use it (if you don't use
plain IP addresses as domains).

WAN type
Using the WAN type, the network configuration should be identical to Standalone type. The
SIParator is transparent and all data flows to the existing firewall as normal.

[Figure: Internet, SIParator and Firewall, with links labeled data/VoIP, data and VoIP]

The SIP clients


SIP clients will use the SIParator as their outgoing SIP proxy and as their registrar (if they
can't be configured with the domain only). If you don't want to use the SIParator as the
registrar, you should point the clients to the SIP registrar you want to use.

Other
The DNS server used must have a record for the SIP domain, which states that the
SIParator handles the domain, or many SIP clients won't be able to use it (if you don't use
plain IP addresses as domains).
