- STMIX/STMIY supports only SIP SRS (no HFA). In this case, STMIX/STMIY must have only
SIP (HG3540) functionality (no MFS is allowed).
- Due to the limited number of physical interfaces, there is no possibility for an
additional dedicated WAN interface. This means that USEWANIF=Y is used only as a
switch: it activates the additional firewall restrictions, support for far-end
(home based) NAT traversal (SIP@Home subscribers) and enforcement of subscriber
security (CIPHER). Having no dedicated WAN interface also means there is no extra
WAN IP configuration (as opposed to the SoftGate).
The following aspects must be considered when configuring a SIP secure remote
subscriber on STMIX/STMIY:
- STMIX/STMIY must have only SIP (BFDAT) functionality.
- Since subscriber security is enforced (even if the rest of the system is not
secure), SPE certificates are necessary.
- As for any secure subscriber, NTP is mandatory.
- Optionally, configuring WPUBIP activates support for near-end NAT (DMZ scenario,
described in the “DMZ” chapter). In this case, if multiple gateways (vHG or
STMIX/STMIY) are used for the SRS feature, port forwarding with a different port
range for each gateway is required.
- USEWANIF=Y activates support for far-end NAT, i.e. support for SIP SRS.
- Firewall restrictions enforced by USEWANIF result in mandatory usage of a
separate management interface (MANLANIF) with its own IP address.
- Parallel connections of SIP SRS from LAN and WAN to the same gateway are not
possible.
Considering the above, we have the following configuration steps:
- Standard SIP GW configuration, where GW IPADR will be the local/internal DMZ IP
address.
- Enable near-end NAT by configuring the firewall public IP in WPUBIP:
CHANGE-CGWB:MTYPE=CGW,LTU=17,SLOT=1,TYPE=GLOBIF, WPUBIP=1.2.3.4;
- Configuration of the management (WBM access) interface:
CHANGE-CGWB:MTYPE=CGW, LTU=24,SLOT=4, TYPE=MANLANIF, MIPADR=10.80.170.244,
MNETMASK=255.255.240.0,MDEFRT=10.80.160.1;
Additional information:
- MIPADR IP address used for WBM management
- MNETMASK Netmask of MANLANIF
- MDEFRT IP address of the default router in the IPDA/MANLANIF segment
- Enable far-end NAT, i.e. the SIP secure remote subscriber feature, via USEWANIF:
CHANGE-CGWB:MTYPE=CGW, LTU=17, SLOT=1, TYPE=GLOBIF, USEWANIF=YES;
- ASC configuration data for the SIP STMI media ports. If SIP/UFIP SRS is used together
with HFA SRS and they share a single public IP address on the primary DMZ firewall,
the media port range configured for the vHFA proxy MUST differ from the port range of
the SIP STMI, e.g. the default range 29100:30099 for vHFA and 30100:31099 for SIP.
Moreover, if multiple SIP gateways share the same public IP on the DMZ firewall, the
firewall can distinguish them only by unique SIP signaling ports (e.g. 5061, 5062),
which also requires matching forwarding rules on the DMZ firewall. Each CHANGE-CGWB
must address the LTU/SLOT of the gateway actually being configured.
CHANGE-CGWB:MTYPE=CGW, LTU=24, SLOT=4, TYPE=ASC, UDPPRTLO=30100, UDPPRTHI=31099;
CHANGE-CGWB:MTYPE=CGW, LTU=17, SLOT=1, TYPE=GLOBIF, SIPTCPP=5065, SIPTLSP=5066;
Additional information:
- UDPPRTLO Lowest UDP port used for SRTP media streams
- UDPPRTHI Highest UDP port used for SRTP media streams
- Import SPE certificates.
- Generate the secure subscriber via SBCSU. An IP password (IPPASSW) is mandatory.
INFO:
The same configuration steps are applied for the SoftGate and are described in
detail in the previous chapter, except for the WAN interface configuration.
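The constraints listed above (unique media port ranges and unique SIP signaling ports per shared public IP, a separate MANLANIF whenever USEWANIF=Y, mandatory NTP, SPE certificates and IPPASSW) are easy to violate when a second gateway is cloned from a working one. The following script is an added example, not part of the original documentation or of the OpenScape 4000 tooling: it models a planned set of gateways as records whose field names mirror the AMO parameters, checks the plan against those rules and derives the DMZ firewall port forwardings the plan implies. The Gateway record layout, the sample addresses and the HFA signaling ports used for the vHFA entry are assumptions of this example.

```python
"""Consistency check for planned SIP SRS gateways behind one DMZ firewall.

Added example, not from the original documentation. Field names mirror the AMO
parameters (WPUBIP, USEWANIF, MANLANIF, UDPPRTLO/UDPPRTHI, SIPTCPP/SIPTLSP,
IPPASSW); the record layout and all sample values are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str                 # label only, e.g. the LTU/SLOT used in CHANGE-CGWB
    kind: str                 # "SIP" (STMIX/STMIY, vHG) or "vHFA" (HFA proxy)
    ipadr: str                # GW IPADR: internal DMZ address
    wpubip: str               # WPUBIP: public IP of the DMZ firewall (near-end NAT)
    usewanif: bool            # USEWANIF=Y: far-end NAT / SIP SRS, firewall enforced
    manlanif: Optional[str]   # MIPADR of the separate management interface, if any
    udpprtlo: int             # UDPPRTLO: lowest SRTP media port
    udpprthi: int             # UDPPRTHI: highest SRTP media port
    sigports: List[int]       # SIPTCPP/SIPTLSP (SIP) or the HFA signaling ports (vHFA)
    ntp: bool                 # NTP configured
    spe_cert: bool            # SPE certificates imported
    ippassw: bool             # IPPASSW set on the secure subscriber(s)


def ranges_overlap(lo1: int, hi1: int, lo2: int, hi2: int) -> bool:
    """True if the inclusive port ranges share at least one port."""
    return lo1 <= hi2 and lo2 <= hi1


def check_gateways(gws: List[Gateway]) -> List[str]:
    """Return one finding per violated rule; an empty list means the plan is consistent."""
    findings: List[str] = []
    for g in gws:
        if g.usewanif and not g.manlanif:
            findings.append(f"{g.name}: USEWANIF=Y requires a separate MANLANIF")
        if not g.ntp:
            findings.append(f"{g.name}: NTP is mandatory for secure subscribers")
        if not g.spe_cert:
            findings.append(f"{g.name}: SPE certificates are mandatory")
        if g.kind == "SIP" and not g.ippassw:
            findings.append(f"{g.name}: IPPASSW is mandatory for the secure subscriber")
        if g.udpprtlo > g.udpprthi:
            findings.append(f"{g.name}: UDPPRTLO must not exceed UDPPRTHI")

    # Gateways sharing one WPUBIP are distinguishable at the firewall only by port.
    by_pub: Dict[str, List[Gateway]] = {}
    for g in gws:
        by_pub.setdefault(g.wpubip, []).append(g)
    for pub, group in by_pub.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if ranges_overlap(a.udpprtlo, a.udpprthi, b.udpprtlo, b.udpprthi):
                    findings.append(f"{pub}: media ranges of {a.name} and {b.name} overlap")
                shared = sorted(set(a.sigports) & set(b.sigports))
                if shared:
                    findings.append(
                        f"{pub}: {a.name} and {b.name} both use signaling port(s) {shared}")
    return findings


def forwarding_rules(gws: List[Gateway]) -> List[str]:
    """DMZ firewall port forwardings implied by the plan (public IP -> internal DMZ IP)."""
    rules: List[str] = []
    for g in gws:
        rules.append(f"{g.wpubip} udp {g.udpprtlo}-{g.udpprthi} -> {g.ipadr}")
        for p in g.sigports:
            rules.append(f"{g.wpubip} tcp {p} -> {g.ipadr}:{p}")
    return rules


# Constructed sample plan: the vHFA proxy and the STMIX from the text share one public
# IP; a second SIP gateway was cloned with the same ports and no MANLANIF/IPPASSW.
VHFA = Gateway("vHFA proxy", "vHFA", "192.0.2.10", "1.2.3.4", True, "10.80.170.240",
               29100, 30099, [4060, 4061], True, True, True)
STMIX_A = Gateway("STMIX LTU17/SLOT1", "SIP", "192.0.2.11", "1.2.3.4", True,
                  "10.80.170.244", 30100, 31099, [5065, 5066], True, True, True)
STMIX_B = Gateway("STMIX LTU24/SLOT4", "SIP", "192.0.2.12", "1.2.3.4", True, None,
                  30100, 31099, [5061, 5066], True, True, False)

if __name__ == "__main__":
    for f in check_gateways([VHFA, STMIX_A, STMIX_B]):
        print("FINDING:", f)
    for r in forwarding_rules([VHFA, STMIX_A]):
        print("FORWARD:", r)
```

Run it before entering the AMO commands: the plan with only the vHFA proxy and the first STMIX passes cleanly, while the cloned second STMIX produces four findings (missing MANLANIF, missing IPPASSW, overlapping media range, shared TLS port 5066). The forwarding list is what the DMZ firewall must implement for each gateway; any range or port that is not in it will be rejected once USEWANIF=Y enforces the firewall restrictions.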