All of this assumes you are running an ‘on-premises’ or ‘cloud’ PBX server somewhere. These are generalities intended to act as a guide for your continued system health and prosperity.
Yeah - that’s probably fine.
Yes. This way people can’t probe your network, get connected through your phone configs and run up your phone bill.
Under no circumstances should you open any port on your phone system to the world, especially since you are behind a firewa…/
Not really. There’s some variability in SIP requests, so you have to open these up from anyone and forward them all to the PBX. Note that these are only used for incoming data streams for phone calls - the ‘Start’ packets for these are the ones that set up the connection and nothing else on your network is likely to be using these for anything, so they are reasonably safe.
If you use a VPN product (and OpenVPN is just an example), you may need to forward a port. Note that the point of VPN interfaces is to allow ‘random’ addresses to connect to your machine securely, so this one is probably OK to open and forward, but ONLY if you are using VPN products to connect. We’re going to come back to this in a sec.
That’s a “your needs will dictate” one. First, when you set up your system, you can change port 5060 (the SIP port) to some other port. If the people you are communicating with are at a ‘predictable’ IP address, then you can lock it down, but if they come in from random addresses, you may not be able to.
In addition to this, you might also consider using the Adaptive Firewall to control your SIP ports (if you can’t lock them down). This will reduce your chances of getting port-hammered.
Now, if you are using a VPN product on the phone system, you can use that instead of opening up ports to these people. This way, the port 5060 stuff would show up in your local network, having been ‘magically’ transported from your Sangoma Connect machine to your phone server.
So, in conclusion:
- Use a VPN for any phones that connect from outside your network to your PBX.
- Only allow direct connections from your ITSP to your SIP control port.
- If you need to open port 5060 (TCP or UDP), try as much as possible to lock it down.
- Ports 10000-20000 need to be open on the firewall and forwarded to your PBX if you want to hear the people that are calling you.
- If you are operating in The Cloud (on other people’s hardware), then you will need to open up ports 443 and 80 (and maybe a couple others) to your local network. If you are running a machine in your local network (your own hardware), then you can open the Integrated Firewall up a little bit more to allow local machines “a little” more access to your machine.
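As an added worked example (not part of the original post, and not a Sangoma or FreePBX configuration), here is a small POSIX shell script that turns the summary above into an nftables ruleset for a PBX host: RTP 10000-20000 open to anyone, SIP 5060 (UDP and TCP) accepted only from the ITSP's address or over the VPN tunnel interface, the OpenVPN port open, and the web GUI limited to the LAN. It also includes a lint that refuses a ruleset in which the SIP port is accepted with no source restriction. The ITSP address 203.0.113.10, the LAN 192.168.1.0/24, the tunnel name tun0 and the OpenVPN port 1194 are assumed placeholder values; set them via the environment for your own network.

```shell
#!/bin/sh
# Added example: generate and lint an nftables ruleset for a PBX behind a firewall.
# All addresses/ports below are assumed placeholder values, overridable from the env.
ITSP_IP="${ITSP_IP:-203.0.113.10}"        # assumed: your ITSP's predictable SIP address
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed: your local network
VPN_IF="${VPN_IF:-tun0}"                   # assumed: OpenVPN tunnel interface on the PBX
VPN_PORT="${VPN_PORT:-1194}"               # assumed: OpenVPN listening port (UDP)
SIP_PORT="${SIP_PORT:-5060}"               # the SIP control port (change it if you moved it)
RTP_RANGE="${RTP_RANGE:-10000-20000}"      # RTP media range that must be open to all

# Emit the ruleset on stdout.
pbx_ruleset() {
    cat <<EOF
table inet pbx {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # RTP media must be reachable from anyone, or inbound callers have no audio
    udp dport $RTP_RANGE accept
    # SIP signalling only from the ITSP's predictable address (UDP and TCP)
    ip saddr $ITSP_IP udp dport $SIP_PORT accept
    ip saddr $ITSP_IP tcp dport $SIP_PORT accept
    # Remote phones reach the PBX through the VPN, not through an open SIP port
    udp dport $VPN_PORT accept
    # Phones already inside the tunnel talk SIP on the tunnel interface
    iifname "$VPN_IF" udp dport $SIP_PORT accept
    # Admin/web GUI only from the LAN (widen this only on a cloud host)
    ip saddr $LAN_NET tcp dport { 80, 443 } accept
  }
}
EOF
}

# Lint: read a ruleset on stdin and fail (return 1) if any rule accepts the
# SIP port without a source restriction (no 'ip saddr' and no 'iifname').
check_sip_locked_down() {
    if grep "dport $SIP_PORT accept" | grep -v -e 'ip saddr' -e 'iifname' >/dev/null; then
        echo "SIP port $SIP_PORT is accepted from anywhere; lock it down" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: print the ruleset after the lint passes.
if pbx_ruleset | check_sip_locked_down; then
    pbx_ruleset
fi
```

Review the printed ruleset, then load it with `sudo nft -f` on the PBX host (or adapt the same five rules to whatever firewall sits in front of it). If your ITSP uses several addresses, repeat the `ip saddr` lines per address rather than dropping the restriction; the lint exists precisely to catch the tempting shortcut of a bare `udp dport 5060 accept`.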