Is there a “Best Practices” for FreePBX running on cloud servers?
We have a fresh new FreePBX running on FreePBXHosting.com. It’s version 12.7.6-1904-1.sng7 according to /etc/schmooze/pbx-version.
The Admin Dashboard shows everything green (with the exception of an annoying message about LetsEncrypt).
The firewall is configured, and we don’t allow anonymous SIP connections. (Was quite surprised that wasn’t the default configuration.)
We have 2 main sites, one in AZ and another in AR with about 20 endpoints. In addition we have about 10 other locations across 5 states with an endpoint at each location.
I kind of naively assumed that the default FreePBX image provided by Sangoma/FreePBXHosting would be secure. (I already mentioned the anonymous connection default that I have changed.)
We have also changed the Apache Rewrite rules to redirect http requests to use the https scheme. (I think that’s what’s messing with LetsEncrypt, btw. It’s on my ToDo list to run that down.)
As I have been becoming more familiar with the FreePBX system, I can see that a number of non-TLS protected channels are enabled, and I am unsure whether our calls are in the clear over the internet. I sure hope not.
A lot of the FreePBX documentation speaks about the PBX server being “on the same network”. I’m assuming that means on the LAN segments that will receive broadcast packets during discovery. Could be wrong.
Either way, since the FreePBX is cloud hosted, it should be obvious that none of the endpoints are local to it.
We are currently auto configuring Yealink handsets using the commercial EndPoint Manager. To get this to work, we’ve selected the External Address for Destination and Provision, and we require HTTPS for provisioning and for Phone Apps Protocol.
I suspect a better configuration would be to have each of the two main sites VPN/L2TP to the FreePBX server and then change back to HTTP and Internal Addresses.
But, it doesn’t seem right to have the 10 satellite locations VPN to the PBX server, especially since they already VPN to our AR site gateway.
So…
Who out there has real-world experience with FreePBX on a virtual private server, and what is the recommended configuration to deploy a solid, stable, and secure FreePBX solution on a VPS (e.g. Sangoma/FreePBXHosting)??
Thanks in advance for constructive input. And, I’m happy to provide any details or answer questions.
-Mark