CommuniGate Pro is a network server, and it needs to know the configuration
of your network. Most of the settings are retrieved automatically from your OS setup,
but you may want to change these settings and/or specify additional settings.
This section describes the CommuniGate Pro network settings.
Network Address Lists
Many CommuniGate Pro components use Network (IP) Address lists.
These lists specify Client and Blacklisted addresses,
access restrictions for Listeners, etc.
This section describes the Network Address List format.
A Network Address List is specified as multi-line text data.
Each text line should contain one of the following:
one IP address
an address range - two IP addresses separated with the minus (-) symbol: a range includes both IP addresses and all
addresses between them
an address and a numeric mask, separated with the slash (/) symbol.
The mask value should be between 1 and 32 for IPv4 addresses and between 1 and 128 for IPv6 addresses.
It specifies how many higher bits of the specified address are valid. The remaining lower bits of the
address must be zero. The range includes all addresses with the specified higher bits.
The first IP address can be preceded with the exclamation point (!) symbol. In this case
the specified IP address or the address range is excluded from the list composed using the preceding lines.
A comment (separated with the semicolon (;) symbol) can be placed at the end of a line.
Lines starting with the semicolon symbol and empty lines are comment lines.
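The following parser for this list format is an added example, not CommuniGate Pro code. It applies the lines in order, so a "!" line only removes addresses added by earlier lines, and it rejects masks whose lower address bits are not zero. The function names and the sample list are constructed for illustration.

```python
import ipaddress

def parse_address_list(text):
    """Return ordered (include, first, last) rules parsed from the list text."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # drop trailing or whole-line comment
        if not line:
            continue
        include = not line.startswith("!")
        spec = line if include else line[1:].strip()
        try:
            if "/" in spec:
                # strict=True rejects an address whose lower bits are not zero
                net = ipaddress.ip_network(spec, strict=True)
                if net.prefixlen < 1:
                    raise ValueError("mask must be at least 1")
                first, last = net[0], net[-1]
            elif "-" in spec:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError("range ends are mixed or reversed")
                first, last = lo, hi
            else:
                first = last = ipaddress.ip_address(spec)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from None
        rules.append((include, first, last))
    return rules

def contains(rules, addr):
    """Apply the rules in order; the last matching line decides membership."""
    ip = ipaddress.ip_address(addr)
    member = False
    for include, first, last in rules:
        if ip.version == first.version and first <= ip <= last:
            member = include
    return member

# Constructed sample list (private and documentation ranges, not from the page)
SAMPLE = """\
; office networks
10.0.0.0/8            ; whole LAN
!10.0.5.1-10.0.5.20   ; guest pool is excluded again
192.0.2.17
2001:db8::/32
"""
RULES = parse_address_list(SAMPLE)
```

Running a list through such a check before pasting it into WebAdmin catches a misplaced "!" line or a mask such as 10.0.0.1/8 that would not describe the intended range.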
LAN Addresses
If you use CommuniGate Pro in a corporate environment, most of your users
will connect to the Server from the corporate LAN(s).
Use the WebAdmin Interface to specify your LAN Addresses.
Open the Network pages in the Settings realm, then open the LAN IPs page.
The LAN IP Addresses table initially contains the addresses the CommuniGate Pro
software retrieved from the Server OS configuration. Correct this list to include all
LAN (local networks) the CommuniGate Pro Server needs to serve.
The Network Address Lists section explains the list format.
Usually, you want all E-mail and Real-Time (VoIP/IM) clients connecting from the LAN addresses
to be able to relay E-mails and Signals to any Internet destination. In this case
you may want to include the LAN addresses in the Client IP Addresses list.
The list of LAN IP Addresses is used to support Real-Time (voice, video, etc.) communications,
so the CommuniGate Pro Server knows which addresses are NAT'ed ("local") addresses,
i.e. which addresses cannot be contacted directly from the Internet.
Use the Server LAN IP Address setting to select the Server's own IP Address
the Server OS uses to communicate with computers on the LAN.
NATed Addresses
CommuniGate Pro can provide SIP and real-time communications for remote clients located behind
NAT devices, implementing the far-end NAT traversal functionality.
To detect clients located behind NATs, the Server needs to know which addresses are used on remote networks behind
those NATs.
Use the WebAdmin Interface to specify the NATed Addresses.
Open the Network pages in the Settings realm, then open the NATed IPs page.
If a SIP client sends a request to CommuniGate Pro and the client's own network address
specified in the request headers is included in the NATed IP Addresses list, while the Server
has received this request from a different network address that is NOT included in the NATed IP Addresses list,
the Server decides that this client is behind a NAT.
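The decision described above, as an added example that is not CommuniGate Pro code. It assumes the client's own address is read from the topmost Via header (the page does not say which header is used) and that the NATed IP Addresses list holds the three private IPv4 ranges shown; the request text and all addresses are constructed.

```python
import ipaddress
import re

# Assumption: NATed IP Addresses list, written as CIDR lines (constructed sample)
NATED = [ipaddress.ip_network(n)
         for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Host part of the topmost Via header; IPv6 literals appear in brackets
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+(\[[0-9A-Fa-f:.]+\]|[^\s;:,]+)",
                    re.I | re.M)

def claimed_address(sip_request):
    """Address the client wrote into its Via header, or None for a host name."""
    m = VIA_RE.search(sip_request)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1).strip("[]"))
    except ValueError:
        return None

def in_nated(ip):
    return any(ip.version == n.version and ip in n for n in NATED)

def behind_nat(sip_request, packet_source):
    """True when the claimed address is NATed and the packet came from elsewhere."""
    claimed = claimed_address(sip_request)
    source = ipaddress.ip_address(packet_source)
    return (claimed is not None and in_nated(claimed)
            and source != claimed and not in_nated(source))

# Constructed REGISTER request from a client on a private network
REQ = ("REGISTER sip:example.com SIP/2.0\r\n"
       "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKconstructed\r\n"
       "Contact: <sip:alice@192.168.1.20:5060>\r\n\r\n")
```

A request whose source address is itself in the list (for example a client on the Server's own LAN) is not treated as NATed, which is why the list should contain only addresses used on remote private networks.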
To allow other users to make incoming calls to a client behind a NAT, CommuniGate Pro
keeps the "communication hole" between the client and Server open by periodically
sending dummy packets to that client.
Log Level
Use this setting to specify what kind of information the NAT Pinger
component should put in the Server Log. Usually you should use the Major
or Problems (non-fatal errors) levels.
The NAT Pinger component records in the System Log are marked with the NATPING tag.
Ping Clients Every
Use this setting to specify how often the Server should send its "pinging" packets.
Clients Limit
Use this setting to specify how many different NAT clients the Server can ping.
NAT/Firewall Parameters
There are two main types of LAN installations:
your CommuniGate Pro Server is installed behind a NAT/Firewall device;
or
your CommuniGate Pro Server has at least two network interfaces, one connected to the LAN,
and one - to the Internet (WAN).
WAN IPv4 Address
If your CommuniGate Pro Server has several network interfaces, some connecting it to the LAN,
and some - to the WAN (Internet), use this setting to specify the IP address the Server OS uses
by default when connecting to remote hosts over the Internet.
If your CommuniGate Pro Server is installed on a LAN behind a NAT/Firewall, the NAT/Firewall device
should be configured to relay all connections on its communication (POP, SMTP, SIP, etc.) ports to the
CommuniGate Pro Server LAN address. Use this setting to specify the IP address your NAT/Firewall "relays"
to CommuniGate Pro.
For example, if your CommuniGate Pro Server has the 10.0.1.12 IP address on your LAN,
and the NAT/Firewall relays all incoming connections coming to the 77.77.77.77 IP address to the 10.0.1.12
address, specify the 77.77.77.77 IP address in this setting.
WAN IPv6 Address
If your CommuniGate Pro Server is connected to the IPv6 network, specify the Server IP address
the Server OS uses by default to connect to remote hosts over the IPv6 Internet.
Media Proxy Parameters
CommuniGate Pro supports various real-time communications. Most of those real-time protocols cannot
be used via a NAT/Firewall, so CommuniGate Pro can act as a "proxy" for those protocols.
When a client on the LAN tries to communicate with a remote system on the Internet (WAN),
CommuniGate Pro creates a Media Proxy - a communication port on its own system.
It forces the client to connect to that Media Proxy instead of the remote system media port.
The CommuniGate Pro Media Proxy communicates with the remote system itself,
relaying the data received from the LAN client to the remote system and vice versa.
A Media Proxy is created to serve entries (users) located behind remote NAT devices.
A Media Proxy is created to relay traffic between IPv4 and IPv6 entries.
Log
Use this setting to specify what kind of information the Proxy
component should put in the Server Log. Usually you should use the Major
or Problems (non-fatal errors) levels.
But when you experience problems with the Proxy component, you may want
to set the Log Level setting to Low-Level or All Info:
in this case protocol-level or link-level details will be recorded in the
System Log as well.
The Proxy component records in the System Log are marked with the UDPPROXY or the TCPPROXY tag.
UDP Ports
This setting specifies the port number range to be used for UDP proxy operations. If the CommuniGate Pro
server is behind a NAT/Firewall, make sure that all UDP packets received by the NAT/Firewall for these ports
are relayed to the CommuniGate Pro Server.
TCP Ports
This setting specifies the port number range to be used for TCP proxy operations. If the CommuniGate Pro
server is behind a NAT/Firewall, make sure that all TCP connections received by the NAT/Firewall for these ports
are relayed to the CommuniGate Pro Server.
Round-Robin Allocation
When this option is selected, UDP and TCP ports are allocated evenly using the entire port range.
When this option is not selected, UDP and TCP ports are allocated using the first (lowest) available port in the port range.
Source Port Restriction
When this option is selected, the UDP-based media from external sources is accepted when it comes from the correct
IP address and port number.
When this option is not selected, only the media source IP address is checked. This may help serve certain broken
devices that incorrectly specify their own media port numbers (in SDP documents).
UDP TOS Tag
Unless this option is set to OS default, the UDP-based media packets get the specified
TOS (type of service) tag value. This may help you prioritize the media traffic if your
network infrastructure assigns a higher priority to packets with the specified TOS tag.
Note: the FTP Module uses the ports from the TCP Ports set for
Passive Mode transfers.
Domain Name Resolver (DNR)
The CommuniGate Pro Server uses its own high-speed multithreaded Domain Name Resolver to
convert domain names into network (IP) addresses. To convert names, the Domain Name Resolver sends requests to the
specified Domain Name Servers.
Use the WebAdmin Interface to configure the Resolver settings.
Open the Network pages in the Settings realm, and follow the DNS Resolver link.
Log Level
Use this setting to specify what kind of information the Domain Name Resolver
should put in the Server Log. Usually you should use the Major
or Problems levels. In the latter case you will see the information about all failed
DNS lookups. If you use the RBL services, you may see a lot of failed lookups in the Log.
When you experience problems with the Domain Name Resolver, you may want
to set the Log Level setting to Low-Level or All Info:
in this case protocol-level or link-level details will be recorded in the
System Log as well.
The Resolver records in the System Log are marked with the DNR tag.
DNS Addresses
This setting specifies how the CommuniGate Pro Server selects the DNS servers to use.
If the OS-specified option is selected, the Server reads the DNS server addresses from
the OS. To force the server to re-read those addresses, click the Refresh button on the General
page in the Settings section.
If the Custom option is selected, the CommuniGate Pro Server will use the DNS servers
addresses listed in the text field next to this pop-up menu.
If no DNS server address is specified, the CommuniGate Pro Server uses the 127.0.0.1 address,
trying to connect to a DNS server that can be running on the same computer as the CommuniGate Pro Server.
Initial Time-out
The Domain Name System uses the connectionless UDP protocol by default, and if there is any network
trouble, a UDP request or response can be lost (while the TCP protocol automatically resends lost packets).
The Domain Name Resolver waits for a response from a DNS server for the period of time
specified with this option.
If a response is not received, the Resolver resends the request and waits twice as long;
if it times out again, it can resend the request again and wait three times as long.
If you have several Domain Name Servers specified, each time the resolver needs to repeat a
request, it sends it to the next DNS server in the list.
Retry Limit
This option specifies how many times the Resolver should re-send the same request if
it has not received any response from a DNS server.
Note: when a request is an RBL request, the Resolver
sends the same request not more than twice, and both times it uses the same (Initial)
response time-out.
Concurrent Requests
This setting limits the number of concurrent requests the Resolver can send to Domain Name
Servers. On a heavily-loaded Mail or Signal relay processing many thousand requests per second,
this parameter should be selected after some testing: older DNS servers may crash if requested to
process too many concurrent requests.
The Domain Name Resolver uses TCP connections if a DNS server sent a UDP response with
the "Truncated" flag set. This feature allows the Resolver to retrieve very large records from DNS servers.
Dummy IP Addresses
This Address List setting allows you to specify network (IP) addresses that should be considered
as "non-existent".
Some DNS authorities may choose to "map" all non-existent names within their domains to some special IP address(es).
When a domain name is resolved into IP addresses, the Resolver checks the first address.
If this address is listed in the Dummy IP Addresses list, the Resolver returns the "unknown host/domain name" error code.
The Domain Name Resolver caches responses to SRV-type DNS requests.
Cache
Limit
The maximum Cache size. When the number of items in the cache exceeds this limit, the oldest unused records are removed from the cache.
Cache Negative
Use this setting to specify for how long negative (failure) DNS responses should be cached.
IPv6 Support
The CommuniGate Pro Server provides full support for both IPv4 and IPv6 network protocols
for the following Server Operating Systems:
Solaris
FreeBSD
NetBSD
MacOS X
Linux
HP/UX
AIX
Tru64
If the Server runs on a platform with IPv6 support, and it detects any local IPv6 address,
it assumes that the IPv6 networking is enabled.
In this case, the Server creates all network sockets as IPv6 sockets.
These sockets communicate with IPv4 systems using the IPv4-mapped IPv6 address method.
Note: The IPv4-mapped IPv6 address method is disabled by default in FreeBSD and NetBSD
system kernels. Use the
sysctl -w net.inet6.ip6.v6only=0
command in your OS startup scripts to enable this method.
Note: The IPv4-mapped IPv6 address method is permanently disabled in OpenBSD system kernels.
As a result, IPv6 networking is not supported on this platform.
You can explicitly instruct the Server to switch IPv6 networking support on or off by using the
--IPv6 Command Line Option:
--IPv6 NO switches the IPv6 support off, even if some local IPv6 addresses are detected.
--IPv6 YES switches the IPv6 support on, even if no local IPv6 address is detected,
but the Server OS supports IPv6 networking.
Denied Addresses
You may want to deny access to your Server for all incoming TCP connections and UDP packets coming
from certain IP Addresses.
Use the WebAdmin Interface to specify the Denied Addresses.
Open the Network pages in the Settings realm, then open the Blacklisted IPs page.
The TCP and UDP Listeners consult with this IP Address list before
they check their own restrictions settings.
In a Cluster environment, connections and packets from an IP Address
are denied if that Address is included in either the Server-wide or the Cluster-wide Denied IP Addresses list.
Debug Addresses
You may need to obtain a detailed Log of all communications
with certain clients or remote servers.
Use the WebAdmin Interface to specify the Debug Addresses.
Open the Network pages in the Settings realm, then open the Debug IPs page.
When the Server:
accepts a TCP connection from an address in this list
opens a TCP connection to an address in this list
receives a UDP packet from an address in this list
sends a UDP packet to an address in this list
the protocol Log Level for that connection or packet is set to All Info.
In a Cluster environment, both the Server-wide and Cluster-wide Debug Addresses lists are checked.