External Phone Autoprovision Firewall Settings

I’m getting started with FreePBX, and starting to configure my external phones. I see that the Connectivity -> Firewall -> Services -> Extra Services -> HTTP Provisioning has Internet disabled by default and advises not to expose this to the internet. How am I supposed to provision my external phones if I don’t use HTTP Provisioning? Would I use TFTP and open that Service/port to the internet?

It depends on the phone.

You need to set up your provisioning service to require a username and password, but even then you really want to do this through an HTTPS/TLS connection. Passing your phone provisioning and connectivity details through clear-text on an unencrypted connection is considered bad form.

If you want to do this, one “best practice” method is to set up a VPN connection between the phone and the server (or the remote network and the server) and use the “Internal” connection on the VPN to get there. From there, the regular HTTP method is protected.

Do not, under any circumstances, open the TFTP service/directory to the wild wild web. This is a sure method for amassing huge toll-charges through loss of security on your phones.

Hmm, if I didn’t want to set up a VPN, would it be considered decent if I open TFTP to the wicked wicked web while provisioning phones, and then close it right after?

