Configuring the Gateway cluster and SIP proxy for a NAT environment

Configure a cluster of IBM® Sametime® Gateway Servers to operate in a NAT (Network Address Translation) environment.

Before you begin

Traversing a NAT environment is a known issue in the SIP domain. There are several ways to solve it: some have been standardized by the IETF (the rport Via parameter, STUN and ICE), while others are proprietary. The problem is that several SIP fields, including the address lines of the SDP body, carry a fully qualified domain name (FQDN) or an IP address together with a port, but a SIP device deployed behind a NAT does not know how it will be seen from the internet, because the NAT device translates the IP address. If the device advertises its internal address, the remote peer has nowhere reachable to send its traffic.

A static NAT must be defined on the NAT device or firewall, mapping the public IP address to the SIP proxy server's internal IP address.

About this task

The following diagram illustrates the NAT environment that this solution was designed for. Only static NAT is supported. A fully qualified domain name for the cluster is mapped to the public IP address serving the Sametime Gateway, and a custom property then makes the gateway advertise that cluster FQDN so that SIP traffic can traverse the NAT.


NAT environment for a cluster of Sametime Gateway Servers

Procedure

  1. Map a fully qualified domain name to the public IP address serving the Sametime Gateway Server.
  2. Install the SSL certificate.

    The common name (CN) of the certificate must be the FQDN that you mapped to the public IP address in step 1, because remote SIP peers connect to that name and validate the certificate against it. For example, the preceding diagram uses the FQDN gw.ibm.com. For information on requesting the certificate, see Requesting a certificate signed by a Certificate Authority for a cluster.

  3. Define a custom property to map the cluster FQDN for traversing the NAT:

    Define a custom property to enable communications in a NAT (Network Address Translation) environment. Traversing NAT is a known issue for the SIP domain; defining the "FQDN" custom property for Sametime Gateway is the workaround for this issue. Before beginning, make sure the following requirements have been satisfied:

    • A static NAT must be defined on the NAT device or firewall (only static NATs are supported).
    • The public IP address must be mapped to the SIP proxy server's internal IP address.
    • A fully qualified domain name must be mapped to the public IP address serving the Sametime Gateway Server.
    1. Log in to the WebSphere® Integrated Services Console as the WebSphere administrator.
    2. Click System administration > Cell > Custom Properties.
    3. Click New and enter information for the new custom property:
      • Type com.ibm.sametime.gateway.fqdn as the Name of the new property.
      • Type your fully qualified domain name as the Value.
      • Type a description of the new property.
    4. Click Apply, and then click OK.
    5. Perform a full synchronize with the nodes:
      1. In the Deployment Manager's Integrated Solutions Console, click System administration > Nodes.
      2. Click Full Resynchronize.
    6. Restart all Sametime Gateway nodes.

    For example, if you set the custom property to gw.ibm.com (and the port is set to 5070), the SDP body of the INVITE looks like this, with the public FQDN in place of the internal IP address in both the o= and c= lines:

    v=0
    o=- 0 0 IN IP4 gw.ibm.com
    s=session
    c=IN IP4 gw.ibm.com
    t=0 0
    m=message 5070 sip null 
  4. Set the ipForwardingLBEnabled custom property:
    1. In the Integrated Solutions Console, click Servers > Server Types > WebSphere proxy servers.
    2. In the list of proxy servers, click the link for your SIP proxy server to open its Configuration page.
    3. Click SIP Proxy server settings > SIP Proxy settings > Custom properties.
    4. Click New, enter information for the new custom property and then click OK:
      • Type ipForwardingLBEnabled as the Name of the new property.
      • Type True for the Value.
  5. Continuing on the Custom Properties page, enable the SIP Proxy IP Sprayer as follows:
    1. Define the TLS IP Sprayer by clicking New, adding the following settings, and then clicking OK:
      • Type tls.IPSprayer.host as the Name and the SIP Proxy server's external fully qualified host name as the Value; for example: stgw.example.com.
      • Type tls.IPSprayer.port as the Name and the port used by the IP sprayer for TLS-encrypted communications as the Value; for example: 5061.
    2. Optionally define a TCP IP Sprayer by clicking New, adding the following settings, and then clicking OK:
      • Type tcp.IPSprayer.host as the Name and the SIP Proxy server's external fully qualified host name as the Value; for example: stgw.example.com.
      • Type tcp.IPSprayer.port as the Name and the port used by the IP sprayer for TCP communications as the Value; for example: 5060.
    3. Optionally define a UDP IP Sprayer by clicking New, adding the following settings, and then clicking OK:
      • Type udp.IPSprayer.host as the Name and the SIP Proxy server's external fully qualified host name as the Value; for example: stgw.example.com.
      • Type udp.IPSprayer.port as the Name and the port used by the IP sprayer for UDP communications as the Value; for example: 5060.
    4. Click Save in the "Messages" box at the beginning of the page.
    5. Restart the SIP proxy server.
    6. Restart the cluster.