How does SIP get through a firewall or NAT?
There are several possible approaches to SIP-capable firewalls. One of the difficulties is that, unlike for, say, HTTP, connections are originated both by hosts inside and outside the firewall. A likely arrangement is that a SIP proxy sits “on” the firewall and relays SIP requests between the Internet and the intranet. This proxy would also open up the necessary ports in the firewall to let audio and video flow through, for example using Socks V5. (Such server would normally be referred to as ALG (App. Layer Gateway)) As an alternative, if a firewall or NAT allows outgoing TCP connections, the inside client can open up a TCP connection to an outside proxy. All outgoing and incoming calls would then be handled by that TCP connection. (The client would still have to use SOCKS or similar mechanism to convince the firewall to let RTP packets through.) As of 2006 the key solutions for NAT/firewall traversal are: SBC (Session Border Controller), ALG and using the STUN protocol (RFC 3489).
