Chapter 1 What’s New for FortiOS 5.0 : Security Features : New SIP ALG features : Inspecting SIP over SSL/TLS (secure SIP)
  
Inspecting SIP over SSL/TLS (secure SIP)
Some SIP phones and SIP servers can communicate using SSL or TLS to encrypt the SIP signalling traffic. To allow SIP over SSL/TLS calls to pass through the FortiGate unit, the encrypted signalling traffic has to be decrypted and inspected. To do this, the FortiGate SIP ALG intercepts, decrypts and inspects the SIP packets. The packets are then re-encrypted and forwarded to their destination.
Normally SIP over SSL/TLS uses port 5061. You can use the following command to change the port that the FortiGate listens on for SIP over SSL/TLS sessions to port 5066:
config system settings
    set sip-ssl-port 5066
end
The SIP ALG supports full mode SSL/TLS only. Traffic between SIP phones and the FortiGate unit and between the FortiGate unit and the SIP server is always encrypted.
You enable SSL/TLS SIP communication by enabling SSL mode in a VoIP profile. You also need to install the SIP server and client certificates on your FortiGate unit and add them to the SSL configuration in the VoIP profile.
Figure 35: SIP over SSL/TLS between a SIP phone and a SIP server
Other than enabling SSL mode and making sure the security policies accept the encrypted traffic, the FortiGate configuration for SSL/TLS SIP is the same as any SIP configuration.
SIP over SSL/TLS is available for every SIP configuration that the FortiGate unit supports.
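The following CLI fragment is an added example, not part of the original page, that puts the steps above together: the custom listening port, a VoIP profile with SSL mode enabled and the two certificates attached, and a security policy that applies the profile. The profile name, policy number, certificate names (which must already be installed on the FortiGate unit), addresses and interface names are placeholders, and the keywords ssl-mode, ssl-client-certificate, ssl-server-certificate, utm-status and voip-profile are assumed from the FortiOS 5.0 CLI rather than taken from this page.

```text
# Added example (not from the original page). Placeholder names throughout.
# 1. Listen for SIP over SSL/TLS on port 5066 instead of the default 5061.
config system settings
    set sip-ssl-port 5066
end

# 2. VoIP profile: full mode is the only mode the SIP ALG supports, so the
#    FortiGate terminates TLS on both legs. It presents "sip-server-cert"
#    to the phones (acting as the server) and "sip-client-cert" to the
#    SIP server (acting as the client); both are assumed to be installed
#    already. Keyword names are assumed from the FortiOS 5.0 CLI.
config voip profile
    edit "sip-tls-inspect"
        config sip
            set ssl-mode full
            set ssl-client-certificate "sip-client-cert"
            set ssl-server-certificate "sip-server-cert"
        end
    next
end

# 3. Security policy: accept the encrypted signalling from the phone
#    network to the SIP server and apply the VoIP profile. Without the
#    profile the ALG never sees the decrypted SIP messages. Address and
#    interface names are placeholders.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "sip-phones"
        set dstaddr "sip-server"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set voip-profile "sip-tls-inspect"
    next
end
```

Phones must trust the certificate the FortiGate presents on the phone-facing leg, and the SIP server must accept the client certificate on the server-facing leg, otherwise the TLS handshake fails before any SIP inspection takes place.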