Load Balancing a Group of SIP Servers

Aug 31, 2016

The Session Initiation Protocol (SIP) is designed to initiate, manage, and terminate multimedia communications sessions. It has emerged as the standard for Internet telephony (VoIP). SIP messages can be transmitted over TCP or UDP. SIP messages are of two types: request messages and response messages.

The traffic in a SIP-based communication system is routed through dedicated devices and applications (entities). In a multimedia communication session, these entities exchange messages. The following figure shows a basic SIP-based communication system:

Figure 1. SIP Based Communication System


A NetScaler ADC enables you to load balance SIP messages over UDP or over TCP (including TLS). You can configure the NetScaler ADC to load balance SIP requests to a group of SIP proxy servers. To do so, you create a load balancing virtual server with the load balancing method and the type of persistence set to one of the following combinations:
  • Call-ID hash load balancing method with no persistence setting
  • Call-ID based persistence with least connection or round robin load balancing method
  • Rule based persistence with least connection or round robin load balancing method

Also, by default, the NetScaler ADC appends RPORT to the Via header of the SIP request, so that the server sends the response back to the source IP address and port from which the request originated.

Note: For load balancing to work, you must configure the SIP proxies so that they do not add private IP addresses or private domains to the SIP header/payload. SIP proxies must add to the SIP header a domain name that resolves to the IP address of the SIP virtual server. Also, the SIP proxies must communicate with a common database to share registration information.
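
The Call-ID hash method listed above keeps every message of a dialog on one server because the hash input is the Call-ID, not the source address or port. The following Python sketch is an added example, not NetScaler code: the SHA-256 hash, the function names and the sample messages are assumptions made for illustration, and the hash the appliance actually uses is not given on this page.

```python
import hashlib
import re

# Constructed pool: the two service addresses from the table on this page.
SERVERS = ["192.168.1.6", "192.168.1.5"]

# Call-ID header in long form or compact form "i" (RFC 3261); names are case-insensitive.
_CALL_ID = re.compile(r"^(?:call-id|i)[ \t]*:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def call_id(message: str) -> str:
    """Return the Call-ID of a SIP message; raise ValueError if it has none."""
    headers = message.split("\r\n\r\n", 1)[0]  # search headers only, never the body
    match = _CALL_ID.search(headers)
    if match is None:
        raise ValueError("SIP message has no Call-ID header")
    return match.group(1)


def pick_server(message: str, servers=SERVERS) -> str:
    """Choose a server from a hash of the Call-ID (SHA-256 is this example's choice)."""
    digest = hashlib.sha256(call_id(message).encode("utf-8")).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def sample_message(method: str, call_id_line: str, source: str) -> str:
    """Build a constructed SIP request for the demonstration."""
    return (
        f"{method} sip:bob@example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {source};branch=z9hG4bK776asdhds\r\n"
        f"{call_id_line}\r\n"
        f"CSeq: 1 {method}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    invite = sample_message("INVITE", "Call-ID: a84b4c76e66710@pc33.example.com", "198.51.100.7:5060")
    bye = sample_message("BYE", "i: a84b4c76e66710@pc33.example.com", "198.51.100.7:49152")
    # Same dialog, different method, header form and source port: same server.
    print(pick_server(invite), pick_server(bye))
```

A message without a Call-ID is rejected instead of being hashed to a default server, so malformed traffic does not pile up on one backend.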

Server Initiated Traffic

For SIP-server initiated outbound traffic, configure RNAT on the NetScaler ADC so that the private IP addresses used by the clients are translated into public IP addresses.

If you have configured SIP parameters that include the RNAT source or destination port, the appliance compares the values of the source and destination ports of the request packets with the RNAT source port and RNAT destination port. If one of the values matches, the appliance updates the Via header with RPORT. The SIP response from the client then traverses the same path as the request.
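
The port comparison and Via rewrite described above can be modelled as follows. This Python sketch is an added example, not NetScaler code: it assumes the source port is compared with the RNAT source port and the destination port with the RNAT destination port, takes 5060 for both from the sample configurations on this page, and uses a constructed request and hypothetical function names.

```python
import re

# Topmost Via value: first Via (or compact "v") header line, up to the first comma.
_TOP_VIA = re.compile(r"^(?:via|v)[ \t]*:[ \t]*([^,\r\n]+)", re.IGNORECASE | re.MULTILINE)
_RPORT = re.compile(r";[ \t]*rport[ \t]*(?:=|;|$)", re.IGNORECASE)

# Constructed request leaving a SIP server; addresses reuse the private range on this page.
SAMPLE_REQUEST = (
    "OPTIONS sip:alice@198.51.100.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.6:5060;branch=z9hG4bKabc\r\n"
    "Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bKdef\r\n"
    "Call-ID: constructed-1@192.168.1.6\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n\r\n"
)


def add_rport(message: str) -> str:
    """Append ;rport to the topmost Via value unless it already carries one."""
    head, sep, body = message.partition("\r\n\r\n")
    match = _TOP_VIA.search(head)
    if match is None:
        raise ValueError("SIP request has no Via header")
    top = match.group(1).rstrip()
    if _RPORT.search(top):
        return message  # already present: leave the request untouched
    head = head[:match.start(1)] + top + ";rport" + head[match.end(1):]
    return head + sep + body


def process_request(message, src_port, dst_port, rnat_src_port=5060, rnat_dst_port=5060):
    """Add rport only when a packet port matches its configured RNAT port."""
    if src_port == rnat_src_port or dst_port == rnat_dst_port:
        return add_rport(message)
    return message


if __name__ == "__main__":
    print(process_request(SAMPLE_REQUEST, src_port=5060, dst_port=5060))
```

Only the topmost Via value is changed; Via values added by earlier hops are left as they were.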

For server-initiated SSL traffic, the NetScaler ADC uses a built-in certificate-key pair. If you want to use a custom certificate-key pair, bind the custom certificate-key pair to the NetScaler internal service named nsrnatsip-127.0.0.1-5061.

Support for Policies and Expressions

The NetScaler default expressions language contains a number of expressions that operate on Session Initiation Protocol (SIP) connections. These expressions can be bound only to SIP-based (sip_udp, sip_tcp or sip_ssl) virtual servers, and to global bind points. You can use these expressions in content switching, rate limiting, responder, and rewrite policies.

For more information, see SIP Expressions.

Configuring Load Balancing for SIP Signaling Traffic over TCP or UDP

The NetScaler ADC can load balance SIP servers that send requests over UDP or TCP, including TCP traffic secured by TLS. The ADC provides the following service types to load balance the SIP servers:

  • SIP_UDP – Used when SIP servers send SIP messages over UDP.
  • SIP_TCP – Used when SIP servers send SIP messages over TCP.
  • SIP_SSL – Used to secure SIP signaling traffic over TCP by using SSL or TLS. The NetScaler ADC supports the following modes:
    • End-to-end TLS connection between the client, the ADC, and the SIP server.
    • TLS connection between the client and the ADC, and TCP connection between the ADC and the SIP server.
    • TCP connection between the client and the ADC, and TLS connection between the ADC and the SIP server.

The following figure shows the topology of a setup configured to load balance a group of SIP servers sending SIP messages over TCP or UDP.

Figure 2. SIP Load Balancing Topology


| Entity type    | Name          | IP address   | Port | Service type / Protocol     |
|----------------|---------------|--------------|------|-----------------------------|
| Virtual Server | Vserver-LB-1  | 10.102.29.65 | 80   | SIP_UDP / SIP_TCP / SIP_SSL |
| Services       | Service-SIP-1 | 192.168.1.6  | 80   | SIP_UDP / SIP_TCP / SIP_SSL |
|                | Service-SIP-2 | 192.168.1.5  | 80   | SIP_UDP / SIP_TCP / SIP_SSL |
| Monitors       | Default       | None         | 80   | SIP_UDP / SIP_TCP / SIP_SSL |

Following is an overview of configuring basic load balancing for SIP traffic:
  1. Configure services, and configure a virtual server for each type of SIP traffic that you want to load balance:
    • SIP_UDP – If you are load balancing the SIP traffic over UDP.
    • SIP_TCP – If you are load balancing the SIP traffic over TCP.
    • SIP_SSL – If you are load balancing and securing the SIP traffic over TCP.

    Note: If you use SIP_SSL, be sure to create an SSL certificate-key pair. For more information, see Adding a Certificate Key Pair.

  2. Bind the services to the virtual servers.
  3. If you want to monitor the states of the services with a monitor other than the default (tcp-default), create a custom monitor and bind it to the services. The NetScaler ADC provides two custom monitor types, SIP-UDP and SIP-TCP, for monitoring SIP services.
  4. If using a SIP_SSL virtual server, bind an SSL certificate-key pair to the virtual server.
  5. If you are using the NetScaler ADC as the gateway for the SIP servers in your deployment, configure RNAT.
  6. If you want to append RPORT to the SIP messages that are initiated from the SIP server, configure the SIP parameters.

To configure a basic load balancing setup for SIP traffic by using the command line interface

  1. Create one or more services. At the command prompt, type:

    add service <name> <serverName> (SIP_UDP | SIP_TCP | SIP_SSL) <port>

    Example

    add service Service-SIP-UDP-1 192.0.2.5 SIP_UDP 80

  2. Create as many virtual servers as necessary to handle the services that you created. The virtual server type must match the type of services that you will bind to it. At the command prompt, type:

    add lb vserver <name> (SIP_UDP | SIP_TCP | SIP_SSL) <IPAddress> <port>

    Example

    add lb vserver Vserver-LB-1 SIP_UDP 10.102.29.60 80

  3. Bind each service to a virtual server. At the command prompt, type:

    bind lb vserver <name> <serviceName>

    Example

    bind lb vserver Vserver-LB-1 Service-SIP-UDP-1

  4. (Optional) Create a custom monitor of type SIP-UDP or SIP-TCP, and bind the monitor to the service. At the command prompt, type:

    add lb monitor <monitorName> <monitorType> [<interval>]

    bind lb monitor <monitorName> <ServiceName>

    Example

    add lb monitor mon1 SIP-UDP -sipMethod REGISTER -sipURI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200

    bind lb monitor mon1 Service-SIP-UDP-1

  5. If you created a SIP_SSL virtual server, bind an SSL certificate-key pair to the virtual server. At the command prompt, type:

    bind ssl vserver <vServerName> -certkeyName <certificate-KeyPairName> -CA -skipCAName

    Example

    bind ssl vserver Vserver-LB-1 -certkeyName CertKey-SSL-1

  6. Configure RNAT as required by your network topology. At the command prompt, type one of the following commands. In the order listed, they create:
    • An RNAT entry that uses a network address as the condition and a MIP or SNIP as the NAT IP address
    • An RNAT entry that uses a network address as the condition and a unique IP address as the NAT IP address
    • An RNAT entry that uses an ACL as the condition and a MIP or SNIP as the NAT IP address
    • An RNAT entry that uses an ACL as the condition and a unique IP address as the NAT IP address

    set rnat <IPAddress> <netmask>

    set rnat <IPAddress> <netmask> -natip <NATIPAddress>

    set rnat <aclname> [-redirectPort <port>]

    set rnat <aclname> [-redirectPort <port>] -natIP <NATIPAddress>

    Example

    set rnat 192.168.1.0 255.255.255.0 -natip 10.102.29.50

    If you want to use a custom certificate-key pair, bind the custom certificate-key pair to the NetScaler internal service named nsrnatsip-127.0.0.1-5061.

    add ssl certKey <certkeyName> -cert <string> [-key <string>]

    bind ssl service <serviceName> -certkeyName <string>

    Example

    add ssl certKey c1 -cert cert.epm -key key.ky

    bind ssl service nsrnatsip-127.0.0.1-5061 -certkeyName c1

  7. If you want to append RPORT to the SIP messages that the SIP server initiates, type the following command at the command prompt:

    set lb sipParameters -rnatSrcPort <rnatSrcPort> -rnatDstPort <rnatDstPort> -retryDur <integer> -addRportVip <addRportVip> -sip503RateThreshold <sip503_rate_threshold_value>

Sample Configuration for load balancing the SIP traffic over UDP

> add service service-UDP-1 10.102.29.5 SIP_UDP 80

Done

> add lb vserver vserver-LB-1 SIP_UDP 10.102.29.60 80

Done

> bind lb vserver vserver-LB-1 service-UDP-1

Done

> add lb mon mon1 sip-udp -sipMethod REGISTER -sipuRI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200

Done

> bind mon mon1 service-UDP-1

Done

> set rnat 192.168.1.0 255.255.255.0

Done

> set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000

Done

Sample Configuration for load balancing the SIP traffic over TCP

> add service service-TCP-1 10.102.29.5 SIP_TCP 80

Done

> add lb vserver vserver-LB-1 SIP_TCP 10.102.29.60 80

Done

> bind lb vserver vserver-LB-1 service-TCP-1

Done

> add lb mon mon1 sip-tcp -sipMethod REGISTER -sipuRI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200

Done

> bind mon mon1 service-TCP-1

Done

> set rnat 192.168.1.0 255.255.255.0

Done

> set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000

Done

Sample Configuration for load balancing and securing SIP traffic over TCP

> add service service-SIP-SSL-1 10.102.29.5 SIP_SSL 80

Done

> add lb vserver vserver-LB-1 SIP_SSL 10.102.29.60 80

Done

> bind lb vserver vserver-LB-1 service-SIP-SSL-1

Done

> add lb mon mon1 sip-tCP -sipMethod REGISTER -sipuRI sip:mon@test.com -sipregURI sip:mon@test.com -respcode 200

Done

> bind mon mon1 service-SIP-SSL-1

Done

> bind ssl vserver vserver-LB-1 -certkeyName CertKey-SSL-1

Done

> set rnat 192.168.1.0 255.255.255.0

Done

> set lb sipParameters -rnatSrcPort 5060 -rnatDstPort 5060 -retryDur 1000 -addRportVip ENABLED -sip503RateThreshold 1000

Done

To configure a basic load balancing setup for SIP traffic by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and add a virtual server of type SIP_UDP, SIP_TCP, or SIP_SSL.
  2. Click the Service section, and add a service of type SIP_UDP, SIP_TCP, or SIP_SSL.
  3. (Optional) Click the Monitor section, and add a monitor of type: SIP-UDP or SIP-TCP.
  4. Bind the monitor to the service, and bind the service to the virtual server.
  5. If you created a SIP_SSL virtual server, click the Certificates section, and bind an SSL certificate-key pair to the virtual server.
  6. Configure RNAT as required by your network topology. To configure RNAT:
    1. Navigate to System > Network > Routes.
    2. On the Routes page, click the RNAT tab.
    3. In the details pane, click Configure RNAT.
    4. In the Configure RNAT dialog box, do one of the following:
      • If you want to use the network address as a condition for creating an RNAT entry, click Network and set the following parameters:
        • Network
        • Netmask
      • If you want to use an extended ACL as a condition for creating an RNAT entry, click ACL and set the following parameters:
        • ACL Name
        • Redirect Port
    5. To set a MIP or SNIP address as a NAT IP address, skip to step 7.
    6. To set a unique IP address as a NAT IP, in the Available NAT IP(s) list, select the IP address that you want to set as the NAT IP, and then click Add. The NAT IP you selected appears in the Configured NAT IP(s) list.
    7. Click Create, and then click Close.

    If you want to use a custom certificate-key pair, bind the custom certificate-key pair to the NetScaler internal service named nsrnatsip-127.0.0.1-5061. To bind the pair:

    1. Navigate to Traffic Management > Load Balancing > Services and click the Internal Services tab.
    2. Select nsrnatsip-127.0.0.1-5061 and click Edit.
    3. Click the Certificates section and bind a certificate key pair to the internal service.
  7. If you want to append RPORT to the SIP messages that the SIP server initiates, configure the SIP parameters. Navigate to Traffic Management > Load Balancing, click Change SIP settings, and then set the SIP parameters.

SIP Expression and Policy Example: Compression Enabled in Client Requests

A NetScaler ADC cannot process compressed client SIP requests, so the client SIP request fails.

You can configure a responder policy that intercepts the SIP NEGOTIATE message from the client and looks for the compression header. If the message includes a compression header, the policy responds with "400 Bad Request," so that the client resends the request without compressing it.

At the command prompt, type the following commands to create the responder policy:

> add responder action sipaction1 respondwith q{"SIP/2.0 400 Bad Request\r\n\r\n"}

Done.

> add responder policy sippol1 "SIP.REQ.METHOD.EQ(\"NEGOTIATE\")&&SIP.REQ.HEADER(\"Compression\").EXISTS" sipaction1