Docs for Zero-Touch with HTTPS and Provision auth?

Spent the last hour reading various posts about setting this up without finding a definitive document.

We want to use Sangoma zero-touch with provisioning over https only with provision authentication.

We have a cert for a host name that’s valid on the WAN and LAN sides. Added the phone to portal.sangoma.com and selected a deployment redirection type. No option 66 set in DHCP. Test phone is on-LAN with the system, and the LAN subnet is trusted in the responsive firewall.

Defaulted phone boots and connects to rs.sangoma.com but doesn’t pull firmware or a config. After a reboot it’s just sitting with History, Directory, and Menu softkeys along the bottom and no line keys.

Do we have the manual IP/FQDN ZTC method if we are requiring provisioning auth?

Set your redirection settings correctly; you cannot use the Deployment type.

Go in the portal here

Select the phones you want

Check the box to enable redirection (yes even though they are already redirected)

Enter your information. Note, it now shows IP/FQDN instead of deployment.
Change the method to HTTPS, fill out the boxes, click change.
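Once the phones are redirected to an HTTPS IP/FQDN target with provisioning auth, it is worth confirming from the outside that the config URL actually validates its certificate for the host name and refuses anonymous downloads, since phone config files carry SIP credentials. The check below is an added example, not Sangoma or FreePBX code; the host, path and credentials are placeholders.

```python
"""Check that a phone provisioning URL is HTTPS with a valid certificate and
that configs cannot be downloaded without provisioning authentication.
Added example (not Sangoma/FreePBX code); URL and credentials are placeholders."""
import ssl
import http.client
from base64 import b64encode
from urllib.parse import urlsplit


def fetch_status(url, username=None, password=None, timeout=10):
    """GET the URL over TLS with chain and hostname validation, as a phone would.
    Returns the HTTP status code; raises ssl.SSLCertVerificationError when the
    certificate does not match the host name in the URL."""
    parts = urlsplit(url)
    assert parts.scheme == "https", "provisioning must be HTTPS only"
    ctx = ssl.create_default_context()  # verifies chain and host name by default
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=ctx)
    headers = {}
    if username is not None:
        token = b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    conn.request("GET", parts.path or "/", headers=headers)
    try:
        return conn.getresponse().status
    finally:
        conn.close()


def assess(anon_status, auth_status):
    """Classify the pair of observed status codes (anonymous, authenticated)."""
    if anon_status in (401, 403) and auth_status == 200:
        return "ok: configs require provisioning auth"
    if anon_status == 200:
        return "FAIL: config served without authentication"
    if auth_status != 200:
        return f"FAIL: authenticated request returned {auth_status}"
    return f"warn: unexpected anonymous status {anon_status}"


if __name__ == "__main__":
    URL = "https://pbx.example.net/provisioning/cfg0000.xml"  # placeholder host/path
    anon = fetch_status(URL)
    auth = fetch_status(URL, "provuser", "provsecret")  # placeholder credentials
    print(assess(anon, auth))
```

Run it once from the LAN and once from the WAN; a certificate mismatch on either side shows up as an SSLCertVerificationError rather than a status code.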

Thank you, @sorevani. I had already gone ahead and switched to IP/FQDN yesterday and can confirm that it did work. This is a slick system…just request that the documentation in the wiki would get updated so there is a bit less floundering trying to use it.

I still have misgivings about exposing SIP and RTP ports to the entire internet, and am just hoping that the responsive firewall does its job well.

You don’t have to do that if it is a local install. If your internal DNS works right, you don’t need anything open to the internet.

You also don’t need anything open to everything even if it is hosted. You can always only allow trusted traffic.

Of course, yes. We use option 66 for on-LAN config when the install is on-LAN with endpoints.

In this case it’s a cloud-hosted install and the endpoints do not sit behind a static public IP. We’re also using SangomaConnect on mobile phones.

RTP ports are really only likely to be compromised by a man-in-the-middle attack (inside your LAN) decoding your super secret voice calls if unencrypted.

You can choose any of over 63000 ports and any of at least four protocols two of which are encrypted and require a properly certified domain name (ip addresses won’t work) and all are filterable for just ‘good guys’ for opening SIP sessions.

I didn’t know you could edit multiple phones like that :roll_eyes: Thanks Jared!

