FreePBX on Vultr - TFTP server not working

Hello friends!

I have a client that has 39 Cisco 7965 phones, and initially these servers were connected to a local server on their LAN, using chan_sccp and sccp_manager.

This local server had a TFTP server to send the configurations, but in addition the pt_br language package, locales and wallpapers were also sent (each sector of the client had a different wallpaper).

Everything was working smoothly that way, but their upper management decided to do away with all on-premises servers and migrate everything to the cloud.

I did a clean installation of FreePBX Distro on a Vultr VPS, updated all modules, and installed the SCCP Package as usual (chan_sccp, xinetd for TFTP, sccp_manager)… and with the cloud server, the phones register normally, make calls normally… but TFTP doesn’t work at all.
And this client really needs the phones to receive these files (wallpaper and language pack).

I tried going to the Firewall and allowing the TFTP service to access the Internet, but still without success.
I tried to connect to the server using the Windows TFTP client (to eliminate the possibility of it being the network or the phone) but still without success.

I don’t have Firewall rules at Vultr, I just use the FreePBX firewall.
I found this thread posted by our friend Jared Busch on the mangolassi forum where a person reports the same problem - TFTP on FPBX on Vultr not working.

Unfortunately, to date I have not found information about a possible solution.

Has anyone used TFTP successfully hosting FreePBX on Vultr?
Can you point me in the right direction?
I would be very happy with the help!!

PS: I know that TFTP is not a secure protocol for sending information, but unfortunately it is the only protocol supported by SCCP_MANAGER to send this info to the phone.

After putting it to work, would it be possible to create a rule in the Firewall to allow these TFTP connections only through trusted addresses?
My client has a Static IP, so this wouldn’t be a problem - TFTP connections would always be from a single address.

Thanks!! :smiley:

Actually, not so. The 7965 can pull its config using http on port 6970. Just do like it describes on this page to add a listener for port 6970 on apache, and then open your firewall for your phones. The manager will create the config in the tftp location, and the web server will serve it to the phone.

It’s been a few years, but I had a SCCP-firmware 7965 that provisioned this way.


Hi Bill, thanks for the information!!
I created a file called tftp-http.conf in the /etc/httpd/conf.d directory, with this content:

```apache
Listen 6970
<VirtualHost *:6970>
   # HTTP Provisioning
   DocumentRoot /var/lib/tftpboot

   <Directory /var/lib/tftpboot>
     Options +FollowSymLinks
     Require all granted
   </Directory>
</VirtualHost>
```

I restarted Apache, opened the port in the firewall, everything was fine.
This port is already listed as open (only for the client’s IP).

However, there is a small detail - this client’s DHCP server does not have any configuration/parameters such as option 66. Since the beginning, the configuration had been done by accessing the device’s settings via the screen and manually pointing to the TFTP server (preferences > network configuration > ipv4 config > enable alternative tftp and put the server address below).

In this HTTP approach, it would be necessary to configure the DHCP Server on the client’s network, right?

I am not certain.

I think it will reach out to HTTP port 6970 first every time, then fall back to TFTP if the HTTP provisioning is not available.

Also, better check that the path /var/lib/tftpboot is correct for your installation. On mine it was actually /tftpboot.

Thanks!
I ended up going automatic and just copying and pasting what was on the website, but in fact my tftp address is indeed /tftpboot.

For now, when I try to access http://mypbx.com:6970 I am taken to the Apache test page, and the phones still do not pull the configuration.

```apache
Listen 6970

<VirtualHost *:6970>
  # HTTP Provisioning
  DocumentRoot /tftpboot

  <Directory /tftpboot>
    Options +FollowSymLinks
    Require all granted
  </Directory>
</VirtualHost>
```

Is there something wrong with the configuration?

I did a test by specifying the file name and it worked!
The files are already accessible via port 6970, I tested using something like http://mypbx.com:6970/SEPXXXXXXXXXX.cnf.xml and the content was displayed perfectly in the browser.

Initially I had only tested http://mypbx.com:6970 and I thought it would display an index of the tftpboot folder, but when specifying the file it was fine.

I’m going to do a test with some devices here and I’ll be back to give you feedback.

A curious thing is happening… it seems that even though the port is open and the files are accessible, the phones still only try via TFTP… and consequently end up failing.

Is there any way to “force” them to be provisioned only via HTTP and disregard TFTP?

Sorry, I don’t know. I used the DHCP option to notify the phone of its provisioning server and it provisioned by HTTP port 6970. It might be that you must use DHCP and not manual configuration.


Don’t worry!
No problems :smiley:

With the support of this client’s IT, we were able to define DHCP Options 66 and 150, and now the phones are pulling this information on their own, but unfortunately the HTTP provisioning did not work.

I spent some time analyzing and testing the TFTP connection between my computer and the server and I think I discovered why it doesn’t work - it looks like NAT messes up the information, changing the source/destination IPs.

Maybe the best option in this scenario is to keep the server locally, especially for information security reasons. I will try to show them this…
Thanks for all the support, friend!! :grin:
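
Added example, not part of the thread: the TFTP behaviour relevant to the NAT symptom described above. Under RFC 1350 the server answers a read request from a newly chosen UDP port rather than from the port the request was sent to, so a NAT device or firewall without TFTP-aware connection tracking treats the reply as an unrelated flow. The loopback ports, the file body and all function names here are constructed for the demonstration.

```python
import socket
import struct
import threading

RRQ, DATA = 1, 3  # TFTP opcodes (RFC 1350)

def build_rrq(filename, mode="octet"):
    """Encode a read request: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def serve_one_rrq(listen_sock, payload):
    """Answer one RRQ as a TFTP daemon does: from a new socket on a new port."""
    request, client = listen_sock.recvfrom(516)
    if struct.unpack("!H", request[:2])[0] != RRQ:
        return
    transfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    transfer.bind(("127.0.0.1", 0))  # fresh ephemeral port = server transfer ID
    transfer.sendto(struct.pack("!HH", DATA, 1) + payload[:512], client)
    transfer.close()

def probe(server_addr, filename, timeout=3.0):
    """Send an RRQ and record which port the first DATA block comes back from."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), server_addr)
        packet, source = s.recvfrom(516)
    opcode, block = struct.unpack("!HH", packet[:4])
    return {"requested_port": server_addr[1], "reply_port": source[1],
            "opcode": opcode, "block": block, "data": packet[4:]}

def run_demo():
    """Loopback-only run with a constructed file body; no real PBX is contacted."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # stands in for the well-known UDP port 69
    sample = b"<device>constructed sample config</device>"
    worker = threading.Thread(target=serve_one_rrq, args=(listener, sample))
    worker.start()
    result = probe(listener.getsockname(), "SEPXXXXXXXXXX.cnf.xml")
    worker.join()
    listener.close()
    return result

if __name__ == "__main__":
    r = run_demo()
    print(f"RRQ sent to port {r['requested_port']}, "
          f"DATA arrived from port {r['reply_port']}")
```

Pointing `probe()` at a real server from behind the client's NAT and getting a timeout, while the same call succeeds on the server's own network, is consistent with the reply being dropped in transit rather than the daemon being down.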
