Does my FreePBX server need to be accessible from my public facing IP address?

We’re looking at FreePBX as a replacement for our legacy Nortel PBX. We currently use PRI and the majority of our usage is local and interstate long distance. We do very little interstate and virtually zero international long distance. PRI works well for us as we seldom (if ever) have more than 23 concurrent inbound/outbound calls and I’ve not been able to find a SIP trunk pricing that matches what we’re currently paying for PRI ($265 / month including 60 DID numbers).

We have 2 sites which are currently connected via a site-to-site VPN and will soon have a 100Mbps Ethernet link to replace our site-to-site VPN. We’re planning on a FreePBX server and PRI at each location for redundancy purposes and plan on connecting the 2 systems using an IAX2 trunk. We don’t have any remote workers and all calls originate from our physical location. Lastly, offsite FreePBX administration could easily be done via a VPN connection to access the local FreePBX servers.

In this scenario, is there any reason to make the server available from the outside or expose any VoIP specific ports? Sorry if this is a newbie question but the “bad guys hacked my FreePBX and made $5000 worth of long distance calls” type posts have me spooked and I’m trying to limit possible security exposure.

Thanks – Steve

Sounds like there’s no reason at all. Keep it internal, but make sure the machine has internet access OUTBOUND so it can check for updates and send you emails if it needs something!

Our test FreePBX box is sitting behind a Cisco ASA firewall. The box can access the internet and we’ve been receiving emails about available updates so we’re in good shape. Thanks.