Port 84 Phone Provisioning Service Dead

Hello lovely folks over here in the community, back again with yet another question. It always seems there’s something to debug but hey I guess that’s the best way to learn.

It would appear, going to the config URL http://boxip:84/phonemaccfg.xml, that the service isn’t running or is being blocked somehow, as I now get a timeout / problem loading page. Prior I had an issue similar to this (that time it would return an error saying it couldn’t find the file; however, the provisioning service was working, as I got the error for the file not being found, so simply rebuilding the configs fixed the file).

Now however it just times out, so what the bologna could be causing this new issue?

Nothing has been modified service side, the provisioning service was working just fine the other day. God only knows if some automated package update hosed something (perhaps I’ll disable that since it automatically turned itself on).

Lovely community, ideas on how I can troubleshoot this before spending yet another block of hours endlessly trying to figure out why it won’t work?

I’m not sure which “package” would include the provisioning service on port 84, but if you let me know I’ll tell you the version number.

tail -f /var/log/httpd/access_log | grep -i sangoma

Check me on the log file name, but that’s my go-to for troubleshooting.

Confirm it’s making it there and what it’s asking for.

Edit: well, to clear up my post, as I’ve done some further digging and realized I may have actually added my past IP to the trusted hosts already, which is why it worked, and didn’t put two and two together. But hey, as I said, trying to debug does help to teach. What threw me off mostly was that the phone was getting the message saying it was provisioning etc… but then just going back to the main screen. But that would make sense since the refresh command and communicating with the phone is different than the provisioning server on port 84, so the system was telling the phone to refresh its config but then wasn’t able to since it wasn’t allowed over internet traffic.

So the gist of it:
The log didn’t report anything back from the tail with the grep sangoma output.

However, I did do an nmap on the FreePBX server and saw it was listening on port 84. I then did an nmap on my remote site and saw some ports as listening, however not port 84 and a few others. So I dug further into the firewall config in the FreePBX interface and realized (correctly so?) that http provisioning isn’t open to the internet traffic, as it says to not allow it. I completely forgot that I had set up my prior static IP to be trusted.

So I realized I needed to add my new static IP in, for whatever reason I had thought http provisioning was working over the web since it’s a cloud system and just forgot that it actually doesn’t and that I needed to trust the remote IP before.

So in that scenario then what do you guys do for remote workers if you’re just say drop shipping them a brand new phone and want them to be able to plug it in at their home and have it pull the configuration? Are you waiting for them to plug in and see what IP the request is coming from? It just seems like a hassle for zero touch configuration if you then need to find out what their remote site IP is and add them to the trusted group.

So being that I’m new to deploying the Sangoma phones I’m curious what method others are doing.
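The distinction this post arrives at (a timeout means the request never reached the provisioning service, while a file-not-found error means the service answered) can be checked in one pass. This is an added example, not part of the original thread or FreePBX code; the function name `probe` and its verdict labels are made up for illustration.

```python
# Added example (not FreePBX code): tell a dropped connection from a
# missing config file when a provisioning URL such as
# http://boxip:84/phonemaccfg.xml will not load.
import http.client
import socket
import sys


def probe(host, port=84, path="/", timeout=5.0):
    """Return (verdict, detail). Verdict names are this example's own labels."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    # Step 1: TCP connect only. A timeout here means packets are being
    # dropped before they reach the web server; a refusal means the host
    # answered but nothing is listening on the port.
    try:
        conn.connect()
    except socket.timeout:
        return "filtered", "connect timed out: check firewall / trusted hosts"
    except ConnectionRefusedError:
        return "closed", "connection refused: is the web server running?"
    except OSError as exc:
        return "unreachable", str(exc)
    # Step 2: the port is open, so request the file and read the status.
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return "error", str(exc)
    finally:
        conn.close()
    if status == 404:
        return "missing", "HTTP 404: service is up, config file not found"
    if 200 <= status < 300:
        return "ok", f"HTTP {status}"
    return "http_error", f"HTTP {status}"


if __name__ == "__main__":
    # usage: python probe.py <host> [path]   (run it from the phone's network)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    wanted = sys.argv[2] if len(sys.argv) > 2 else "/"
    print(probe(target, 84, wanted))
```

Run it from the network the phone sits on: "filtered" there combined with "ok" or "missing" from a trusted address points at the firewall rather than the service.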

We only open FreePBX services ports from trusted addresses. We set up Dynamic DNS on every router/firewall (even home users).

In some cases we use option 66, and some we use the Sangoma portal. The phones are literally plug and play.

That’s unfortunate because if I’m reading that correctly then every time you have a remote user it’ll require additional configuration.

My understanding is then that you’ll need to remote in at the very least to every remote user and configure dynamic dns services for example either on a system or if the router supports it built in?

If so then what are you doing just whitelisting the dynamic DNS address?

Are you just using one account for all phones or are you now paying for a DynamicDNS service for every device?

So what are the players out there that are providing “cloud” based PBX solutions doing? Is this just a limitation of FreePBX / sangoma phones?

For example, we’ve got customers that used Broadvoice and they’d send out a Mitel phone branded for them, and it didn’t matter if it was dynamic or static IPs, they were just plug and play.

How plug and play are the VPN services on the phones, or do you run into issues even then with residential firewalls blocking the VPN service on the phone?

Well, if you want, you can open these ports publicly and use the built-in responsive firewall.

Well yes, naturally that is an option :) I just wasn’t sure if this is just a matter of how FreePBX does it or if the cloud providers for example have some type of more robust setup.

One warning for example with the provisioning is that passwords can be read in plaintext or something. Is this just due to using http protocol vs. if you only allowed provisioning over https (so if you only allowed https it would be more secure to open to internet traffic) or is it because the config file is just a plain text xml config file?

If you have remote users on dynamic IPs, then you want to be using responsive. You only need to provision a phone for the first time from a trusted IP, but thereafter the phone can register from anywhere. Once it registers successfully, Responsive whitelists the phone IP to allow access to other services like provisioning.

So in this scenario you’re saying that if I receive the phones first, or say have an inventory of phones that I set up, I can provision them and then once they get them at the remote site it’ll automatically work?

If so then maybe I’m missing something because in essence that’s what I did but it didn’t automatically update.

Example: so what it was in this case

I had provisioned the phone initially at the trusted site on static IP .2

I had then setup a separate network for my equipment on IP .3

However, it would no longer pull the updated config, as .3 needed to be manually added to trusted interfaces.

The phone registered fine but configuration updates didn’t work. It would say it was provisioning but then not pull anything because the provisioning server isn’t open to internet traffic.

The module specifically says not to allow it on internet as passwords can be intercepted. So I guess it goes back to is this not the case with https and just http?
