How do you folks with hosted PBX systems handle your extensions? I have an off-site PBX and I need to support remote offices and remote workers. We need to support an encrypted connection due to PCI compliance, so looking at the various ways of supporting non-local phones it appears that these are the options:
Setting up TLS SIP connections
Using a VPN set up on each phone to connect to the PBX. I have no access to the networking for remote users/sites, so I’m going with each phone has a VPN. I may be able to convice the powers that be to set up a VPN router for remote offices to connect to the PBX, but I’m not overly confident.
I’m looking at possibly 200-300 phones, and I’m unsure of a best practice for this sort of phone system. Are there options that I have missed? If anyone has a situation similar, how did you configure your PBX?
I’ve used OpenVPN a lot in the past, but that requires that your phones support it. I never had any problems with Snom and Yealink phones, but I cannot comment on other ones.
If you use a VPN tunnel, then your phone will use it exclusively. In case of SIPs other accounts can be configured, which may or may not be a problem. Another advantage is that the VPN tunnels can easily keep their connections alive, while with SIPs, the routers may get into your way (especially if you have to look into dozens of consumer routers). I guess that the phones are typically behind a NAT barrier.
In the past I’ve used Site to PBX VPN’s on my cloud PBX’s. The PBX’s were VM on Vultr’s platform where I added in Strongswan VPN and then setup a tunnel between the local router/firewall and the PBX. I’ve done this successfully for years with multiple clients. I’ve had a few that used multiple sites connecting to the same PBX. The only requirement there was that each site have a different IP subnet.
In the past two years I’ve moved to using individual phone based VPN’s on Sangoma phones, yealink and grandstream. In this scenario the phones connect to the OpenVPN server built into FreePBX. This has worked fairly well and provides the ability to have a more flexible install if you have a lot of remote workers in a work from home scenario where you can’t or don’t want to set up Site to PBX VPNs.
Host the PBX in a reliable datacenter that is low latency to both your carrier and your endpoints. Allow only long ID:Password, only over https, connections to your your PBX for provisioning phones. Configure all phones for only TLS for SIP and SRTP for RTP. Using only https, TLS, and SRTP, means all connections between the phone and the PBX are encrypted - no need for OpenVPN. Lockdown all management of the PBX to only your location for security.
We use AWS because we like their firewall that sits before our PBX. AWS has been very reliable (4+ years running lots of PBXes) too.