RTP Problem with Firewall

I saw the following statement in a tutorial on SIP, RTP, firewalls and NAT. I am unable to understand it:

"When there is a firewall in between, the SIP signaling request/response is allowed. But there is a problem during RTP. During RTP the data will be able to go through the firewall to the User Agent, but data from the User Agent won't be able to reach the other side of the firewall, as the firewall does not have information about the port to which the User Agent is sending data."

What I don't understand here is:
1) Why does the firewall need to have prior information about the port to which the User Agent will send data? Why can't it simply allow data transfer to that port?
2) If there is a problem with RTP transfer when there is a firewall, why is there no problem during SIP signalling?

Also, please let me know of any good resources or tools to study SIP (Session Initiation Protocol), RTP and firewalls.
Asked by Rohit Bajaj
Cliff Galiher commented:
The issue is that the port that will be used for the RTP stream is often chosen dynamically so you either have to open up a huge port range on your firewall, basically making the firewall useless, or you have to dynamically open the port that RTP will use only for the time it is being used. And that requires "prior knowledge."

The port that will be used is negotiated between the two SIP endpoints and is confirmed via SIP messages. Since the SIP traffic is often on a single port (5060, for example) a firewall rule to allow SIP is much easier.

Rohit Bajaj (author) commented:
I am just trying to understand SIP and RTP, so I have some doubts about the above explanation.
As I read it, the RTP port is exchanged between SIP clients in the SDP body. So I guess these are also fixed before the RTP flow starts. So how are the ports for the RTP stream chosen dynamically?

Cliff Galiher commented:
It is exchanged in the SIP stream, but is dynamic and negotiated. It is not dissimilar to FTP where the actual data stream is dynamic and created at the time of transfer, which is why most firewalls have FTP "helper" inspection rules to discover the dynamic port from the FTP control stream. You'll also see newer firewalls have SIP inspection that can dynamically open RTP ports based on inspected SIP traffic.
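As an added illustration, not code from this thread or from any firewall product, the following Python sketch shows the "SIP inspection" mechanism described in the two answers above: the helper reads the SDP body carried inside SIP signalling on the well-known port, learns the negotiated RTP address and port for that call, opens a pinhole only for that call, and tears it down again when the BYE arrives. The INVITE/BYE messages, Call-ID and the 192.0.2.x addresses are constructed samples; the RTCP port is taken from an a=rtcp attribute when present and otherwise assumed to be RTP port + 1, the RFC 3550 convention.

```python
"""Constructed example of a firewall 'SIP helper' (SIP ALG) that learns
RTP pinholes from SDP inside SIP signalling. Sample messages are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MediaPinhole:
    call_id: str
    ip: str
    rtp_port: int
    rtcp_port: int  # RTP port + 1 by convention unless SDP carries a=rtcp


def build_sip(start_line: str, headers: dict, body: str = "") -> str:
    """Assemble a SIP message with a correct Content-Length (constructed sample)."""
    head = [start_line] + [f"{k}: {v}" for k, v in headers.items()]
    head.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(head) + "\r\n\r\n" + body


def parse_sip(message: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media(body: str):
    """Return (connection IP, [(media kind, port)], {media index: rtcp port})."""
    conn, media, rtcp = None, [], {}
    for line in body.splitlines():
        if line.startswith("c="):           # c=IN IP4 192.0.2.10
            conn = line[2:].split()[2]
        elif line.startswith("m="):         # m=audio 49170 RTP/AVP 0 8
            kind, port = line[2:].split()[:2]
            media.append((kind, int(port)))
        elif line.startswith("a=rtcp:"):    # explicit RTCP port for the last m= line
            rtcp[len(media) - 1] = int(line[7:].split()[0])
    return conn, media, rtcp


class SipHelper:
    """Tracks per-call RTP pinholes the way a firewall SIP helper would."""

    def __init__(self):
        self.pinholes = {}  # Call-ID -> list of MediaPinhole currently open

    def inspect(self, message: str):
        """Feed one SIP message; returns the pinholes opened (or closed on BYE)."""
        start, headers, body = parse_sip(message)
        call_id = headers.get("call-id")
        if start.split()[0] == "BYE":
            # Call is over: close every pinhole that belongs to this Call-ID.
            return self.pinholes.pop(call_id, [])
        if headers.get("content-type") != "application/sdp":
            return []  # no media description in this message, nothing to open
        ip, media, rtcp = sdp_media(body)
        opened = []
        for idx, (kind, port) in enumerate(media):
            if port == 0:
                continue  # port 0 means this stream was rejected/disabled
            hole = MediaPinhole(call_id, ip, port, rtcp.get(idx, port + 1))
            self.pinholes.setdefault(call_id, []).append(hole)
            opened.append(hole)
        return opened


# Constructed INVITE/BYE pair; 192.0.2.0/24 is a documentation address range.
SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
       "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\n"
       "a=rtpmap:0 PCMU/8000\r\n")
COMMON = {"Call-ID": "a84b4c76e66710@192.0.2.10",
          "From": "<sip:alice@example.com>;tag=1928301774",
          "To": "<sip:bob@example.com>"}
SAMPLE_INVITE = build_sip("INVITE sip:bob@example.com SIP/2.0",
                          {**COMMON, "CSeq": "1 INVITE",
                           "Content-Type": "application/sdp"}, SDP)
SAMPLE_BYE = build_sip("BYE sip:bob@example.com SIP/2.0", {**COMMON, "CSeq": "2 BYE"})

if __name__ == "__main__":
    helper = SipHelper()
    for hole in helper.inspect(SAMPLE_INVITE):
        print(f"open  {hole.ip}:{hole.rtp_port}/{hole.rtcp_port} for {hole.call_id}")
    for hole in helper.inspect(SAMPLE_BYE):
        print(f"close {hole.ip}:{hole.rtp_port}/{hole.rtcp_port} for {hole.call_id}")
```

The 200 OK from the far side carries its own SDP and is handled by the same inspect() call, so both directions of a call end up keyed under one Call-ID and disappear together on BYE. This is also why the helper only needs to watch port 5060: everything it needs to know about the ephemeral RTP port is inside the signalling it can already see, which is the "prior knowledge" the tutorial refers to.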
Rohit Bajaj (author) commented:
Does the RTP port which is negotiated between the two SIP clients change in between the flow of the RTP stream?
Cliff Galiher commented:
It will not usually change during a single session. But it will likely change with every new session. The RTP stream is only constructed as needed. So if you have a SIP trunk provider, each incoming or outgoing call creates a new RTP stream on a new port that lasts only as long as that call, as an example.
Rohit Bajaj (author) commented:
How will the call be handled if, suppose, client1's IP changes during the RTP flow? That is, say he moves to a different network while talking.
Cliff Galiher commented:
That depends on the client. Some (most) will simply disconnect. Those that handle network changes gracefully do so by subterfuge. Both the SIP traffic and the RTP traffic are changing, so new constructs are built. This usually involves a new RTP port, as it is actually a new stream.
Rohit Bajaj (author) commented:
Can you please let me know the exact steps that will happen in case the IP changes? How exactly will the client handle this network change?
Does the client need to simply inform the other client that this is my new IP, so send the RTP data to this IP instead of the old one?
Cliff Galiher commented:
There is no standard for this scenario. Different applications (or clients) and servers handle it differently. I can't give exact steps because they vary wildly. Lync handles it differently than Asterisk. And Asterisk handles it differently when talking to a Cisco endpoint than it does a 3Com endpoint. Or to one SIP trunk provider vs. another, or even dependent on an SBC in place. So many variables.
Rohit Bajaj (author) commented:
Thanks for the answers. I am writing a new question along the lines of this discussion. Please help me with it.