Sangoma Connect - Mobile Client

Hi All,
I have configured my firewall to allow inbound from any to the PBX server PJSIP port for Sangoma Connect.
I have enabled the PBX firewall and I have enabled Responsive Firewall for PJSIP.

Sangoma Connect works. My question is whether the PJSIP port has to be open to the world, or if there is something I'm missing.

Thank you All

Some background -
We have been using FreePBX v13 for about 6 years as our enterprise PBX as well as our contact center platform (Noble Systems) audio path. We have about 150 concurrent reps all working from home, currently using the UCP/WebRTC phone via a Chromebox. Each rep connects back to the corporate network via a locally installed Cisco AnyConnect client so the PBX is on-net, so to speak.

We are working to migrate to v15 over the next 15-30 days. Our testing of the v15 UCP/WebRTC phone exposed a bug in the PJSIP device which makes it not usable for production. The bug is that every 600 seconds after initial login, the WebRTC phone refreshes its buttons UI back to just the “Call” button, no matter if a call is in progress or not.

So in turn we have started to test out the Sangoma Connect option. The first test was using a fresh distro install, and that worked without an issue. The next step was to test it on our POC v15 VM that was restored from a v13 backup.

The v15 restored system is working with the Sangoma Connect extension running on the Chromebox, but the Cloud Connect Agent Status is stating something other than just “Running” as the fresh distro did.

The v13-v15 restore VM is showing the CloudConnect Agent Status as “Running (disconnected from server)”


We were able to get the Sangoma Connect Android app to register the extension and it can make and accept calls.

The connect-proxy.log entry looks fine as well (below).

Is the status in the Sangoma Connect module/tab just a UI bug?

===================================================
{"name":"socket-io-router","hostname":"[our FQDN hostname]","pid":6204,"level":30,"msg":"SocketIOClient Connecting to remote wss://proxy.iot.sangoma.tech:443 with sid e1a08742-38a7-42e7-a726-0e5747abc7fc and token CFmO8Vjsvy","time":"2021-03-08T18:49:19.263Z","v":0}
{"name":"socket-io-router","hostname":"[our FQDN hostname]","pid":6204,"level":30,"msg":"SocketIOClient [mN5F8oztcBufNjZbAFYQ] Connected","time":"2021-03-08T18:49:19.609Z","v":0}

Finally seem to have this working after manually installing the required module.

It only works with the PJSIP signaling port open to the internet. But this page (and I agree) says "Not recommended to open this up to untrusted networks." I'm trying to get my head around how this isn't a security risk that didn't exist with the Zulu app, which proxied the connections via 8002, a port not well known to be associated with SIP.

https://wiki.freepbx.org/display/PPS/Ports+used+on+your+PBX

You will be far happier from an attack standpoint (lower your surface area) if you change your PJSIP (all variations: UDP, TCP and TLS) to a very high and obscure port, somewhere in the 50K-64K range. Then it's not a problem. I am up there on all my boxes and nothing is scanning up there. Add the FreePBX firewall on top of it and you are pretty tight on security.

Exactly how I have all mine configured

In addition to changing the signaling port, the Responsive feature of the Firewall module is intended to allow for access from untrusted source IPs.

Zulu is a WebRTC application whereas Connect is SIP.

My opinion is that if you are using SIP with TLS then there is no discernible difference. Both are encrypted connections.

If you are using plain SIP (UDP/TCP) then there’s more to be concerned about.

So the recommendation then is to disable UDP and TCP in the PJSIP Settings?

I mean to use Sangoma Connect in TLS mode (https://wiki.freepbx.org/display/CONNECT/Secure+Calling+for+Sangoma+Connect+Mobile). What you do then with PJSIP's UDP and TCP transports is up to you (firewall them, turn them off, whatever your environment requires).
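The advice in this thread (move PJSIP off the well-known port, expose only the TLS transport to untrusted networks) can be checked against the Asterisk pjsip transport sections FreePBX writes. The following is an added example, not code from the thread or from FreePBX; the config it audits is a constructed sample, and the 5060/5061 and "bound to all interfaces" rules are the audit's own assumptions about what counts as exposed.

```python
"""Audit Asterisk/FreePBX pjsip transport sections for internet exposure.

Each [transport-*] section with type=transport is inspected. Flags:
  - a plaintext transport (udp/tcp/ws) bound on all interfaces, and
  - any transport still listening on the well-known SIP ports 5060/5061.
"""
import configparser

# Constructed sample in Asterisk pjsip transport syntax (not a real PBX config).
SAMPLE_PJSIP_TRANSPORTS = """\
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[transport-tcp]
type=transport
protocol=tcp
bind=0.0.0.0:5060

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.crt
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1_2
"""

WELL_KNOWN_PORTS = {5060, 5061}
PLAINTEXT = {"udp", "tcp", "ws"}
ALL_INTERFACES = {"0.0.0.0", "[::]", ""}

def parse_transports(text):
    """Return [{name, protocol, host, port}] for every type=transport section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    transports = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "transport":
            continue
        bind = sec.get("bind", "0.0.0.0")
        host, sep, port = bind.rpartition(":")
        if not sep:                      # "bind=0.0.0.0" without a port: Asterisk defaults to 5060
            host, port = bind, "5060"
        transports.append({"name": name, "protocol": sec.get("protocol", "udp"),
                           "host": host, "port": int(port)})
    return transports

def audit(text):
    """Return (section, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for t in parse_transports(text):
        if t["protocol"] in PLAINTEXT and t["host"] in ALL_INTERFACES:
            findings.append((t["name"], "plaintext transport bound to all interfaces"))
        if t["port"] in WELL_KNOWN_PORTS:
            findings.append((t["name"], f"well-known port {t['port']}"))
    return findings
```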


THANK YOU. Done.

@Lorne, is there a reason that it doesn’t default to TLS if available?