My head is swimming with certificates. We have Sangoma phones, and there is a warning that several capabilities in the phones will not work unless I get https working. OK, apparently I can do that with a self-signed certificate.
I will also want to have users, when working from home, to connect remotely (using hardware or a softphone, not sure yet) to our public IP address.
I can put a FQDN into our DNS Registrar’s DNS, so pbx.myorgname.com will resolve to our public-facing IP (www.myorgname.com, and everything else, goes elsewhere). In the router I can port-forward port 5060 to our onsite FreePBX. And, if generating a certificate from LetsEncrypt, for the duration of the exercise I can forward port 80 of the router’s firewall to the PBX. As I understand it, this should work. The remote phone (client) will reach out to pbx.myorgname.com, which resolves to the public IP address, to which the client connects, and there is a certificate match between all of these elements (that the IP stream continues through a port-forward to a different, internal IP address does not matter).
But what about my onsite phones? The PBX is actually at 192.168.0.31, and that’s where the phones will try to connect. I can put a record into my onsite DNS so pbx.myorgname.com points to 192.168.0.31. Will the same certificate work? I’m guessing that the onsite world will throw an error saying that the IP address x.x.x.31 does not match the IP address in the certificate. Can I load two certificates, and use templates (or something) to specify Internal vs. External? Do I use a different FQDN for the internal phones (pbx.myorgname.local) in a self-signed certificate?
TL;DR: How do I get this to work both onsite and offsite?
needs to resolve locally to 192.168.0.31, and that name, not the IP address of the PBX, should be used for REGISTER and INVITE (your ‘connections’) on the local phones. That would normally be done with a ‘hairpin’ route on your router (LAN DNS server) back to 192.168.0.31 (or the local ‘name resolver’, perhaps, if using softphones on a local host).
Public DNS has FQDN pbx.a.com, and points to the external (public-facing) IP of my router
Certificate through LetsEncrypt has my FQDN pbx.a.com. The creation process will get my public IP and put it into the certificate.
Delete all other certificates - they will not be used.
Make the LE certificate the Default. I’ll check the processes, but I believe the cert needs to be installed into Apache as well.
Internally, do not have a DNS entry pointing to my PBX.
Put the FQDN into my templates. My phones get the FQDN from the templates, get the public IP from DNS, and traffic heads out through the router to go to the Internet.
My router uses hairpin NAT (it is available in the router and it is turned on) to turn that traffic around, and it comes back in as if it is coming from the Internet.
Traffic goes through the Port Forward for 5060, and gets to my PBX at 192.168.0.31. Cert and IP all agree, and the magic happens.
What we have done is make it look like my internal phones are all external - but traffic never gets past the router. It sounds a little odd, but I can see how this works. Rather ingenious, actually.
And because a certificate is involved, HTTPS works.
Thanks. I’m tied up on another effort for a week, will get back to this when available.
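The question in the thread (will the same certificate work for onsite phones?) comes down to what a TLS client compares against the certificate: the name it was configured with, not the address that DNS returned for it. The script below is an added illustration, not code from the thread or from FreePBX; it models the phone's identity check for the thread's cases and assumes the Let's Encrypt certificate's subjectAltName carries only the DNS name pbx.a.com. Whether pbx.a.com resolves to the public IP (hairpin NAT) or straight to 192.168.0.31 (a local DNS entry) makes no difference to the outcome; configuring the phone with the raw IP or a different internal name does.

```python
import ipaddress

# Constructed assumption: the PBX certificate's subjectAltName holds the DNS
# name pbx.a.com and no IP address entries.
PBX_CERT_SANS = {"dns": ["pbx.a.com"], "ip": []}


def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard allowed only as the
    whole leftmost label and only matching exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def tls_identity_ok(configured_target: str, sans: dict) -> bool:
    """True if a client told to connect to `configured_target` would accept a
    certificate carrying `sans`. The reference identity is the string the
    client was given (FQDN or IP literal); the address DNS resolved it to,
    and any NAT hop on the way, never enter into the comparison."""
    try:
        ip = ipaddress.ip_address(configured_target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SANs, never dNSName.
        return any(ip == ipaddress.ip_address(s) for s in sans["ip"])
    return any(_dns_name_match(p, configured_target) for p in sans["dns"])


def phone_scenarios() -> dict:
    """The options raised in the thread, keyed by what the phone is given."""
    return {
        "FQDN pbx.a.com (remote, or onsite via hairpin/local DNS)":
            tls_identity_ok("pbx.a.com", PBX_CERT_SANS),
        "raw IP 192.168.0.31 in the phone template":
            tls_identity_ok("192.168.0.31", PBX_CERT_SANS),
        "separate internal name pbx.myorgname.local":
            tls_identity_ok("pbx.myorgname.local", PBX_CERT_SANS),
    }


if __name__ == "__main__":
    for case, ok in phone_scenarios().items():
        print(f"{case}: {'certificate accepted' if ok else 'NAME MISMATCH'}")
```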