Remote provisioning not working


(Paul) #1

I need some help getting zero touch configuration working for remote users. I am currently testing with Sangoma s305. I have been able to setup OpenVPN and have a template that will allow a phone to connect via VPN successfully. If a phone is first provisioned on the PBX LAN, it will work fine when moved to a remote location. However provisioning fails when initiated fully remote. I end up with a “blank” template of some sort.

I currently have ports 1194, 83-84 forwarded to my freePBX server.

I have been following instructions in the wiki
https://wiki.freepbx.org/display/PHON/VPN+Setup
https://wiki.freepbx.org/display/FPG/System+Admin+-+VPN+Server

The issue seems to be with the Sangoma Smart Firewall settings. If eth0 of the FreePBX server is set to internet then remote provisioning fails. If however I set it briefly to trusted then remote provisioning occurs. I have whitelisted my internal LAN subnet so that would explain why provisioning works internally but not externally. I feel like I just want to allow the provisioning ports through the SRF but don’t see how to do that. Any suggestions on how to properly configure this would be appreciated.


(Alejandro) #2

When remotely provisioning the first time, the best way to ensure the firewall does not get in the way is to whitelist the external IP in the Firewall and Intrusion Detection.


(Paul) #3

Thanks for the comment but no luck. I can use zero touch to provision a phone and connect the VPN while on the LAN, move to out of the network and everything works fine. But nothing I have tried allows for a full remote provision. The phone get the settings but the VPN never connects. I had tried previously the whitelisting you suggested without any success.

Pretty frustrated as this is a key feature I am going to need if I use this platform for my clients. I have spent many hours on it without success. I was hoping for more input here but nothing but crickets…


(Paul) #4

I finally solved the problem.
Under the EPM -> template model used for the VPN
Provisioning Address -> choose “Custom”. “External” will not work!

When choosing “Custom” you will get a dialogue warning about how the provisioning address must be formated.

http://public_Ip:84

or if http(s) authentication is turned on

http://username:password@public_server_IP:84 .

I set all this up initially by following the VPN wiki instructions.The wiki instructions do not mention this issue with the template configuration. I also found a (truly horrible) video on youtube posted by Sangoma about configuring the OpenVPN client on their phones. In the video, the engineer incorrectly formats the provisioning address as Public_IP:84 which sent me in the wrong direction for way, way too long.

Also since finally solving the problem I did find a couple of posts from someone else that confirmed the fact that for whatever reason “External” does not work and you must choose “Custom” with the properly formatted address. Hope this helps someone.


(Alejandro) #5

In EPM, go to the Global Settings.
You should be able to see what protocols are available and what ports to use.

If you are missing the one you originally tried then that can be turned on in System Admin.

In Global Settings, make sure that the external address is the public IP. If it is missing or the internal IP that could cause the issues mentioned.

If the external address is correct in Global Settings, then make sure your template and extension in EPM are set to external.

If all of that was correct, you may have a bug.


(Paul) #6

As I mentioned above choosing “External” in the template does not work. For some reason “Custom” must be chosen. Others have experienced the same issue.
Thanks for the input!


(Alejandro) #7

Can you provide a sanitized screenshot of the Global Settings page?

I am interested in what you are putting in the external section.
It should only be an FQDN or IP address. You should not declare a specific protocol or port.