Home » Sonus » Skype for Business and Sonus–Part 6–Getting around NAT

Skype for Business and Sonus–Part 6–Getting around NAT

In Part 5 we discussed how to handle encrypted signalling and media. In this article we will be discussing how to configure the Sonus SBC to work behind a NAT firewall. If you have been following this blog series, in part 1 we discussed the recommended connectivity setup. This was to connect the SBC directly to your WAN by public IP address. However, there are some (actually majority) of customers who have a network configuration that is not optimised for this type of connectivity. In these scenarios, the SBC usually sits behind the network edge firewall and services are passed through from the outside world to the SBC using NAT.

The problem with using NAT becomes evident while trying the establish media using SDP. As the external interface of the SBC will in this instance be configured with a private IP address inside your network, this will be used as a possible media candidate.

Therefore, when SDP is negotiated between your service provider and the SBC the service provider will see something like as the media candidate.

There are a couple of problems with this. Problem 1 is that is a private IP address and therefore, the service provider endpoint cannot directly connect to this IP to establish media. Problem 2 is that the service provider usually authenticates a connection using the public IP of your SBC service as a source.

What we need to perform is some kind of NAT traversal mechanism that allows SDP to negotiate media establishment using the public IP address of the SBC service. This usually involves replacing the private IP with the public IP in the SDP negotiation message.

Luckily Sonus have a nice little configuration object to handle this sort of scenario, so you don’t have to go into message manipulation and replacement regex strings etc… phew.

Configuring NAT Traversal

To configure NAT traversal, connect to the SBC admin panel and click on the settings tab to begin

  1. Go to signalling groups and expand your service provider signalling group e.g. Tailspin Telecom SG
  2. Scroll down the settings until you come across SIP IP Details section
  3. Now we need to enable Outbound NAT traversal, set this to Static NAT
  4. Enter the public IP of the SBC service that the firewall is configured to use e.g.
  5. Then choose the interface to apply this NAT traversal configuration to e.g. interface 2 (as it is the external one)
  6. Apply the configuration

When SDP occurs now between the SBC and the service provider, the public IP will be used as a possible media candidate. Viewing the logs will show the candidate list similar to this: and media will establish properly.


  1. Hi Mark,
    Any plans for a part 7 on configuring HA? For instance where a company has two active/active datacentres.

    • Hi Mark,
      🙂 No plans for step 7 at the moment as I only have 1 Sonus SBC in my lab. Maybe when I get on my next deployment I may steal one temporarily. thanks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: