Sangoma Phone Provisioning through HAproxy

I have a working setup of FreePBX; now I would like to place the provisioning of the telephones behind the firewall so I can use GeoIP and Spamhaus IP filters etc. to keep out the bad guys…

Original Setup:
Phones ← https + auth :1443 → https://FreePBX.wanside.

  • Using SSL + Auth
    All provisioning works fine… I use an employee home IP filter, which is intensive to maintain…

New Setup:
Phones ← https offloading by HAproxy <–> http://FreePBX.lanside:84 (using plain http to the backend)

Using curl
curl -u /cfg0705.cfg <–> haproxy
Works, no errors… same with Chrome and Safari, all working fine… the cfg files get downloaded…

I apply a factory reset to the S7xx phone, and the phone is registered in the Sangoma Portal to the new provisioning URL…

First hurdle…
However, when the phone connects, it fails with an SSL handshake failure…

Doing a side-by-side comparison of the headers, I made the headers of the direct FreePBX https provisioning port and the response of the HAproxy identical… still no cigar…

Now the S7xx phone fetches 2 config files but stays in an endless loop downloading the files and then again and again… it fetches the “cfg0705.xml” and the “cfg.xml” file, and just stops there… no additional config files are loaded (like vpn etc) it just starts over again… and loads the file again. No error on the display of the phone (can’t reach any logging since the web interface is not yet activated in this stage of booting)

Backend webserver of FreePBX:
10.0.1.1 - [13/Oct/2022:14:55:33 +0200] "GET /cfg0050xxxxxxxx.xml HTTP/1.1" 200 63932 "-" "Sangoma S705 3.0.4.78 00:50:xx:xx:xx:xx"
10.0.1.1 - [13/Oct/2022:14:57:04 +0200] "GET /cfg0705.xml HTTP/1.1" 200 738 "-" "Sangoma S705 3.0.4.78 00:50:xx:xx:xx:xx"

Does anybody have this setup working, or hints on what the Sangoma S7xx phone needs to feel safe enough to continue loading its config through HAproxy?

Many thanks for any hints to break out of this 🙂

Ok got it working…

Also running SSL from HA to FreePBX makes it work 🙂 So don't use the 84 port; keep the 1443 SSL port, and pushing your FreePBX hostname in the SNI of the cert to FreePBX makes it all work 🙂

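The fix described in the reply above, sketched as an HAProxy configuration. This is an added example, not the poster's actual config: the hostname `freepbx.example.lan`, the address `192.0.2.10`, the certificate and blocklist paths, and the use of `verify required` with a CA file are all assumptions.

```haproxy
# Added example; every hostname, address and file path below is a placeholder.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend provisioning_in
    # TLS from the phones terminates here, in front of FreePBX.
    bind :1443 ssl crt /etc/haproxy/certs/provisioning.pem

    # Source filtering before any request reaches FreePBX.
    # blocklist.lst is a constructed file (one CIDR per line), e.g. built
    # from GeoIP or Spamhaus data by a separate job.
    acl blocked_src src -f /etc/haproxy/blocklist.lst
    tcp-request connection reject if blocked_src

    default_backend freepbx_provisioning

backend freepbx_provisioning
    # Setup from the first post: plain HTTP to the backend on port 84.
    # With this line the S7xx phone looped on cfg0705.xml / cfg.xml.
    # server freepbx 192.0.2.10:84

    # Setup from the reply: re-encrypt to the FreePBX 1443 SSL port and
    # send the FreePBX hostname as SNI.
    # Assumption: the FreePBX certificate is validated against a CA file
    # instead of disabling verification.
    server freepbx 192.0.2.10:1443 ssl sni str(freepbx.example.lan) verify required ca-file /etc/haproxy/certs/freepbx-ca.pem
```

`haproxy -c -f <config file>` checks the configuration for syntax errors before a reload.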
