Preparing to enable VoIP through Forefront TMG

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Voice over IP (VoIP) is used in Internet telephony to transmit voice and video communications over intranets, extranets, and the Internet.

This topic is designed to help you plan to enable VoIP traffic through Forefront TMG, depending on the deployment of VoIP in your organization, and the relationships between the IP Private Branch Exchange (PBX) and the Public Switched Telephone Network (PSTN), or Internet Telephony Service Provider (ITSP).

The following VoIP deployments are supported by Forefront TMG:

  • External (hosted) PBX

  • Internal PBX connected to PSTN

  • Internal PBX connected to PSTN via a SIP Trunk

  • Internal PBX connected to external (hosted) PBX

Note

  • Forefront TMG employs flood mitigation to protect itself and the PBX from floods of REGISTER and INVITE messages. However, it does not protect the PBX against other types of VoIP attacks; for example, flooding established calls with other SIP messages, or repeatedly establishing and disconnecting calls to specific phones.

  • To enable support for VoIP, multiple Internal networks must have route relationships between them. NAT relationships between internal networks are not supported.
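The first note above says that Forefront TMG flood mitigation covers only floods of REGISTER and INVITE messages. The following Python example is added here and is not part of the original topic or of Forefront TMG; it shows one way to watch for the two patterns the note says are not covered. The record layout, sample data, function name, and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Methods the note says TMG flood mitigation covers.
FLOOD_MITIGATED = {"REGISTER", "INVITE"}

# Constructed sample records (not real TMG or PBX log output):
# (epoch_seconds, source_ip, sip_method, call_id, callee)
SAMPLE = (
    # One normal call.
    [(100, "10.0.0.5", "INVITE", "c1", "2001"),
     (101, "10.0.0.5", "ACK", "c1", "2001"),
     (160, "10.0.0.5", "BYE", "c1", "2001")]
    # One established call flooded with INFO messages.
    + [(200, "10.0.0.9", "INVITE", "c2", "2002"),
       (201, "10.0.0.9", "ACK", "c2", "2002")]
    + [(202 + i // 4, "10.0.0.9", "INFO", "c2", "2002") for i in range(12)]
    # Repeated establish/disconnect cycles against one phone.
    + [(300 + 2 * i + j, "10.0.0.7", m, f"d{i}", "2003")
       for i in range(4) for j, m in enumerate(("INVITE", "BYE"))]
)


def detect(records, window=10, msg_threshold=8, churn_threshold=3):
    """Return (in_call_floods, call_churn) as sets of flagged keys.

    Counts are kept per fixed bucket of `window` seconds; the thresholds
    are illustrative and must be tuned to real traffic.
    """
    in_call = Counter()         # (src, call_id, bucket) -> non-mitigated messages
    methods = defaultdict(set)  # (src, call_id, callee) -> methods seen so far
    churn = Counter()           # (src, callee, bucket) -> setup/teardown cycles
    for ts, src, method, call_id, callee in sorted(records):
        bucket = ts // window
        if method not in FLOOD_MITIGATED:
            in_call[(src, call_id, bucket)] += 1
        seen = methods[(src, call_id, callee)]
        seen.add(method)
        if method == "BYE" and "INVITE" in seen:
            churn[(src, callee, bucket)] += 1
            seen.discard("INVITE")  # count each call's teardown only once
    floods = {(s, c) for (s, c, _), n in in_call.items() if n >= msg_threshold}
    churners = {(s, t) for (s, t, _), n in churn.items() if n >= churn_threshold}
    return floods, churners


if __name__ == "__main__":
    floods, churners = detect(SAMPLE)
    print("in-call message floods (source, call-id):", floods)
    print("setup/teardown churn (source, callee):", churners)
```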

External (hosted) PBX

In a hosted PBX system (often called Centrex), PBX functionality is provided as a service by an ITSP. In this deployment:

  • Both internal users and roaming users must register with the ITSP to be able to initiate and receive calls.

  • Network Address Translation (NAT) relationships exist between the network where internal phones are located and external networks.

  • The hosted PBX is located in the external network.

Internal PBX connected to PSTN

In this deployment, VoIP is used in the internal network and PSTN is used for external calls. This deployment requires:

  • A Session Initiation Protocol (SIP) gateway device, to convert calls between the internal IP network and the PSTN. The device can be part of the internal PBX.

  • A Route or Same network relationship between the networks that contain the VoIP components: phones, PBX, and SIP gateway.

  • To enable roaming users to use VoIP while connected to the internal network via the Forefront TMG remote access Virtual Private Network (VPN), a session border controller must be installed in the external network to which the roaming users connect.

Internal PBX connected to PSTN via a SIP Trunk

In this deployment, PSTN services are provided as a service by an ITSP. A SIP Trunk is a service that the ITSP provides to enable communications between the PBX and the ITSP over SIP. In this deployment:

  • Both the ITSP and the PBX use port 5060 for SIP communication.

  • The SIP Trunk is located in the external network.

  • To enable roaming users to use VoIP while connected to the internal network behind NAT, a session border controller must be installed in the external network to which the roaming users connect.

Internal PBX connected to external (hosted) PBX

In this deployment, a PBX is used in both the internal and external networks; external PBX functionality is provided as a service by an ITSP. The reasons to choose this model over a connection to a PSTN include ITSP capabilities, the ITSP price model, or the use of different ITSPs in different regions to reduce communications costs.

Concepts

Configuring VoIP
Access design guide for Forefront TMG