Using Forefront TMG, you can configure policy rules that allow Voice over IP (VoIP) traffic through Forefront TMG.
VoIP traffic is carried over User Datagram Protocol (UDP) and relies on two protocols: Session Initiation Protocol (SIP) for call establishment and termination, and Real Time Protocol (RTP) for media (audio and video).
An Internet Protocol Private Branch Exchange (IP PBX) telephone system switches calls between VoIP users. The IP PBX transfers voice over data networks, such as a local area network (LAN) or wide area network (WAN), and can also switch calls between a VoIP user and a traditional telephone user, or between two traditional telephone users. When Forefront TMG is deployed at the edge or within your organization, you can configure policy rules that enable SIP and RTP traffic to pass through Forefront TMG.
The following procedures describe:
- Configuring an external (hosted) IP PBX
- Configuring an internal IP PBX connected to the PSTN
- Configuring an internal IP PBX with a SIP trunk
- Configuring an internal IP PBX with an external (hosted) IP PBX
Configuring an external (hosted) IP PBX
Use this configuration when you use an external or hosted IP PBX system provided by an Internet Telephony Service Provider (ITSP). This VoIP configuration adds the following rules:
- Allow SIP traffic between phones and IP PBX—Enables SIP traffic from the internal phones to reach the external PBX.
- Allow RTP traffic to External network—Enables media traffic from the internal phones to reach the external network.
- Allow RTP traffic between phones—Enables media traffic between the internal phones.
To configure a hosted IP PBX
- On the Forefront TMG server, click the Firewall Policy node.
- In the Tasks tab, click Configure VoIP.
- In the SIP Configuration Wizard, select "IP phones are connected to an External (Hosted) IP PBX".
- Follow the steps in the wizard to specify the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the phones that will be used for SIP traffic.
- The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.
Configuring an internal IP PBX connected to the PSTN
Use this configuration when you use an internal IP PBX and the public switched telephone network (PSTN) for external calls. In this case, you need a SIP gateway that converts calls between the IP network and the PSTN. This VoIP configuration adds the following rules:
- Allow RTP traffic to SIP gateway—Enables media (RTP) traffic from the internal phones and IP PBX to reach the SIP gateway.
- Allow RTP to internal IP PBX—Enables media (RTP) traffic from the internal phones and SIP gateway to reach the IP PBX.
- Allow RTP traffic to Phones—Enables media (RTP) traffic from the IP PBX and SIP gateway to reach the IP phones.
- Allow SIP traffic SIP IP PBX and internal SIP components—Enables SIP traffic between the IP phones, IP PBX, and SIP gateway.
To configure an internal IP PBX connected to the PSTN
- On the Forefront TMG server, click the Firewall Policy node.
- In the Tasks tab, click Configure VoIP.
- In the SIP Configuration Wizard, select "IP phones are connected to an Internal IP PBX".
- Select "The internal PBX is not connected to an external service provider" and "The internal PBX is connected to a PSTN via SIP".
- Follow the steps in the wizard to specify the location of the SIP gateway, the IP address of the internal PBX, and specify the network addresses of the internal IP phones.
- The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.
Configuring an internal IP PBX with a SIP trunk
Use this configuration when you use an internal IP PBX and a SIP trunk between your IP PBX and the ITSP for external calls. This VoIP configuration adds the following rules:
- Allow RTP traffic to internal IP PBX—Enables media (RTP) traffic from the internal phones to reach the IP PBX, that is, the internal SIP Proxy.
- Allow RTP traffic to phones—Enables media (RTP) traffic from the IP PBX to reach the IP phones.
- Allow RTP traffic to External network—Enables media (RTP) traffic from the internal phones and IP PBX to reach the external network.
- Allow SIP traffic between internal IP PBX and external IP PBX—Enables SIP from the internal IP PBX to reach the external IP PBX.
- Allow SIP between internal SIP components—Enables SIP between the IP phones and the IP PBX.
- Publish internal IP PBX to the External network—Allows traffic from the external IP PBX to reach the internal IP PBX.
To configure an internal IP PBX with a SIP trunk
- On the Forefront TMG server, click the Firewall Policy node.
- In the Tasks tab, click Configure VoIP.
- In the SIP Configuration Wizard, select "IP phones are connected to an Internal IP PBX".
- Select "The internal PBX is serviced by SIP trunk service".
- Follow the steps in the wizard to specify the IP address of the internal PBX, the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the internal IP phones.
- The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.
Configuring an internal IP PBX with an external (hosted) IP PBX
Use this configuration when you use an internal IP PBX and a hosted PBX. This VoIP configuration adds the following rules:
- Allow RTP traffic to internal IP PBX—Enables media (RTP) traffic from the internal phones to reach the IP PBX, that is, the internal SIP Proxy.
- Allow RTP traffic to phones—Enables media (RTP) traffic from the IP PBX to reach the IP phones.
- Allow RTP traffic to External network—Enables media (RTP) traffic from the internal phones and IP PBX to reach the external network.
- Allow SIP traffic between internal IP PBX and external IP PBX—Enables SIP from the internal IP PBX to reach the external IP PBX.
- Allow SIP traffic between the SIP IP PBX and internal SIP components—Enables SIP between the internal SIP components and the SIP IP PBX.
To configure an internal IP PBX with an external (hosted) IP PBX
- On the Forefront TMG server, click the Firewall Policy node.
- In the Tasks tab, click Configure VoIP.
- In the SIP Configuration Wizard, select "IP phones are connected to an Internal IP PBX".
- Select "The internal PBX is serviced by external (hosted) service".
- Follow the steps in the wizard to specify the IP address of the internal PBX, the location of the external IP PBX (your ITSP will typically provide you with a DNS name), and specify the network addresses of the internal IP phones.
- The completion page details the Forefront TMG policy rules that will be created. The rules specify the source and destination by which the specified traffic is allowed.
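After the wizard completes, the firewall policy can be compared against the rule lists above for all four configurations. The following script is an added example, not part of the original Microsoft documentation; it reads the policy through the Forefront TMG administration COM object (`FPC.Root`). It assumes the rules the wizard creates carry exactly the names listed on this page, and the scenario labels (`Hosted`, `Pstn`, `SipTrunk`, `InternalWithHosted`) are names chosen for this example.

```powershell
# Added example: audit the rules left by the SIP Configuration Wizard.
# Run in an elevated PowerShell session on the Forefront TMG server.
param(
    [ValidateSet('Hosted', 'Pstn', 'SipTrunk', 'InternalWithHosted')]
    [string]$Scenario = 'SipTrunk'   # scenario labels are hypothetical names for this example
)

# Rule names as listed on this page (assumed to match what the wizard creates).
$expected = @{
    Hosted = @(
        'Allow SIP traffic between phones and IP PBX',
        'Allow RTP traffic to External network',
        'Allow RTP traffic between phones')
    Pstn = @(
        'Allow RTP traffic to SIP gateway',
        'Allow RTP to internal IP PBX',
        'Allow RTP traffic to Phones',
        'Allow SIP traffic SIP IP PBX and internal SIP components')
    SipTrunk = @(
        'Allow RTP traffic to internal IP PBX',
        'Allow RTP traffic to phones',
        'Allow RTP traffic to External network',
        'Allow SIP traffic between internal IP PBX and external IP PBX',
        'Allow SIP between internal SIP components',
        'Publish internal IP PBX to the External network')
    InternalWithHosted = @(
        'Allow RTP traffic to internal IP PBX',
        'Allow RTP traffic to phones',
        'Allow RTP traffic to External network',
        'Allow SIP traffic between internal IP PBX and external IP PBX',
        'Allow SIP traffic between the SIP IP PBX and internal SIP components')
}

# Read the array-level firewall policy rules through the administration COM object.
$root  = New-Object -ComObject FPC.Root
$rules = foreach ($r in $root.GetContainingArray().ArrayPolicy.PolicyRules) { $r }

$want = $expected[$Scenario]
foreach ($name in $want) {
    $rule = $rules | Where-Object { $_.Name -eq $name } | Select-Object -First 1
    if (-not $rule)              { Write-Warning "Missing rule:  $name" }
    elseif (-not $rule.Enabled)  { Write-Warning "Disabled rule: $name" }
    else                         { Write-Output  "Present:       $name" }
}

# Enabled SIP/RTP rules outside the expected set widen the VoIP exposure; list them for review.
$rules |
    Where-Object { $_.Enabled -and $_.Name -match '\b(SIP|RTP)\b' -and $want -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Unexpected VoIP rule, review its scope: $($_.Name)" }
```

Rules reported as unexpected are typically leftovers from an earlier wizard run with a different configuration; review their source and destination in the Firewall Policy node before removing them.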
Copyright © 2009 by Microsoft Corporation. All rights reserved.