SIP Trunking – Is a Dedicated SBC Required for SIP Trunking Through FortiGate 200B Firewall?

Tags: fortigate, sip, telephony

I work at a school with a mid-sized ShoreTel deployment; two ShoreGear T1 trunk units and 15 ShoreGear 120/24 switches. We have a couple hundred IP phones and a couple hundred analog extensions (dorms).

We currently have two PRI trunks through CenturyLink, but honestly, we're paying them far too much and using it far too little. Nobody seems to care much about landline phones. I'd like to switch to SIP trunking.

I've talked to several vendors, and some strongly recommend an Ingate SIParator session border controller in addition to the FortiGate, but for nebulous reasons.

We have a FortiGate 200B running FortiOS 4.0 MR2, which is a pretty fancy firewall (pre-dates me here). Does anyone know how well FortiOS handles the Application Layer Gateway for SIP? I have a block of public IPv4 addresses, some of which are unused. Surely I can dedicate one to SIP traffic and use FortiOS's built-in SIP functionality.

One of the reasons given for needing an SBC like the Ingate SIParators is security, since SIP constantly opens and closes a vast range of random ports. One vendor I spoke with addresses this by creating an IPsec tunnel between my gateway and their voice switches. That sounds perfect to me, and they say I don't need an SBC. Other vendors were adamant that I will not be satisfied unless I buy an SBC (and they're not cheap), and that I'll have wonky problems without one.

I know that Stack Exchange wants questions that can be answered, not just discussed, so I'll phrase it this way: Has anyone successfully configured native SIP trunking in ShoreTel with just a FortiOS firewall and no dedicated SBC?

Best Answer

The Fortigate has the most advanced SIP protection of any firewall I have seen. It does remove the need for an SBC if your concerns are solely security.

What a Fortigate will not do, which an SBC does, is to transcode the voice codecs, but this is probably not needed in your environment.

There are two SIP ALGs in the FortiGate: one is a basic session helper, which is on by default. This takes care of any NAT problems but does not address security. The second is to apply a VoIP profile to your SIP traffic. With this VoIP profile you have a huge amount of granularity in what you can do in the way of protection, but this granularity is only visible and settable via the CLI.
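What the answer describes, written out as a FortiOS CLI configuration, as an added example that is not part of the original answer and is not taken from Fortinet's documentation or the ShoreTel vendor's instructions. Everything in it is assumed: the interface names `wan1` and `internal`, the spare public address `198.51.100.20` and the provider proxy `203.0.113.10` (both RFC 5737 documentation ranges), the internal ShoreTel SIP address `10.10.1.5`, the object and profile names, and the numeric limits, which are starting points to tune against real call volume. The VoIP profile option names are those of the 4.0-era `config voip profile` / `config sip` tree; confirm them on your own box with `?` inside that tree before relying on any one of them, since the exact set varies by maintenance release. Lines beginning with `#` are annotations and should be dropped if the text is pasted into a console session.

```fortios
# Added example, not from the original post. All names and addresses are placeholders.

# 1. The basic ALG: the SIP session helper. It is present by default, does the
#    NAT fix-ups for SIP/SDP and nothing else. Confirm it is there; the entry
#    number differs between firmware builds, so match on "set name sip".
show system session-helper
#    Expected shape of the relevant entry:
#        edit 13
#            set name sip
#            set protocol 17
#            set port 5060

# 2. The second ALG: a VoIP profile. The GUI only exposes on/off; the limits
#    below are CLI-only. Values are assumed starting points.
config voip profile
    edit "sip-trunk"
        set comment "ITSP SIP trunk to ShoreTel"
        config sip
            # inspect SIP and open/close RTP pinholes from the SDP offer/answer
            set status enable
            set rtp enable
            # drop malformed/oversized header lines and methods outside the RFC set
            set block-long-lines enable
            set block-unknown enable
            # cap concurrent dialogs at roughly what two PRIs could carry
            set max-dialogs 200
            # throttle REGISTER and INVITE floods (messages per second)
            set register-rate 10
            set invite-rate 10
            # log what the profile drops, plus one summary line per call
            set log-violations enable
            set log-call-summary enable
        end
    next
end

# 3. Address objects: only the provider's SIP proxy may talk to the trunk.
config firewall address
    edit "itsp-sip-proxy"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "shoretel-sip-internal"
        set subnet 10.10.1.5 255.255.255.255
    next
end

# 4. One spare public IP statically mapped to the ShoreTel SIP endpoint
#    (inbound), and the same IP used as the source for outbound SIP so the
#    provider always sees one address.
config firewall vip
    edit "shoretel-sip"
        set extintf "wan1"
        set extip 198.51.100.20
        set mappedip 10.10.1.5
    next
end
config firewall ippool
    edit "sip-public"
        set startip 198.51.100.20
        set endip 198.51.100.20
    next
end

# 5. Policies in both directions, each restricted to the provider's proxy,
#    the SIP service, and carrying the VoIP profile.
config firewall policy
    edit 100
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "itsp-sip-proxy"
        set dstaddr "shoretel-sip"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "sip-trunk"
    next
    edit 101
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "shoretel-sip-internal"
        set dstaddr "itsp-sip-proxy"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set ippool enable
        set poolname "sip-public"
        set utm-status enable
        set voip-profile "sip-trunk"
    next
end
```

The point of the shape, beyond the profile itself: the public IP is reachable on UDP 5060 from exactly one source, the provider's proxy, and RTP is only ever admitted through pinholes the ALG opens from the SDP of an inspected dialog and closes when that dialog ends, so "SIP opens a vast range of random ports" does not translate into a vast range of open ports on the firewall. Whether the default session helper must be removed once a VoIP profile is in place depends on the maintenance release; check Fortinet's SIP guide for the exact FortiOS build rather than assuming either way.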