It means “never ever make the FreePBX Admin Gui Accessible from outside”
Is it possible to secure the SSL Web Admin with additional Secure Credentials with "Basic Auth " and a Fail2BAN Script to give a customer the ability to change some config from anywhere outside without using a vpn?
Definitely not recommended by anyone who has been doing this for a while. If you do configure it the way you had stated you are asking for nothing but trouble.
My 2nd idea is doíng it with responsive Firewall. So i can tell the customer he can access the gui from everywhere where he has at least 1 Phone connected.
I talk about customers which dont know what a VPN is. I’ll just teach them howto change some time groups and extension names. And the epm. That’s it. The PBX is cloud hosted and the customer only has Dynamic ips.
If the PBX is behind a NAT firewall with a static public IP, and you access only from known IP addresses that you whitelist on the firewall, I think it’s acceptable to forward ports for https management to the PBX.
But if you don’t whitelist, never forward these ports and expose yourself to brute force attacks, even with fail2ban running.
I use the FreePBX Firewall. Its a very good Firewall. Is it possible to add the HTTPS Management into the Responsive Firewall like on RestApps ports etc.?
This should be a way to make it our customers possible to manage the PBX from his office Internet Connection where the phones are.
Well that depends as the firewall cant actually save a FQDN so it has to keep looking it up so of course that means race condition. And that assumes you have access to network to setup some type of DDNS service.