Sangoma S500 Provisioning Problems - TLS, SRTP, HTTPS

Hi,

I just picked up my shiny new S500 and tried setting it up tonight with auto-provisioning by hard-setting the server through the phone's web interface.

  1. Took me a few tries but I got it to provision finally. However, the extension I have assigned to it uses TLS and SRTP but those settings don’t seem to be carried through the provisioning cfg file properly. In my FreePBX logs I see the endpoint trying to connect via UDP transport instead of TLS.

  2. I don’t really care for the hot-desking feature at this time. I would like to just have the phone boot up already logged in with a bunch of extensions, BLFs, and other APPs at my fingertips. I tried setting “XML-API (RestAPI) Default Login” to NO under global endpoint settings but that did not seem to do anything.

  3. During the process of trying to get the phone to initially talk to the PBX I was playing around with the Internal, External, and Custom IP/Hostname settings for the “SIP Destination Address” and “Provisioning Address”. I ended up reverting back to “external” for both but now there seems to be some corrupt file in FreePBX as the phone is not being provisioned properly. See the attached screenshot. The port number of 443 appears before the sub-domain and should also be 1443.

I tried removing endpoint manager, and rest apps modules and then reinstalling them but that does not seem to purge the corrupt settings.

Any thoughts on how to get back to a working auto-provisioning setup where I don’t have to use the hot-desk feature?

The only way I can see the provisioning URL to look like that is if you messed up the custom provisioning server. If you browse to your template, and ensure your provisioning server is set to External, save, rebuild and re-provision the phone it should go back to normal.

By hot desking, I assume you mean you don’t want to give your users access to the login/logout Phone Apps. You can control Phone App permissions at a user and group level in Admin, User Management. You are also free to set up whatever buttons you want on your phones by editing/creating templates as desired. You don’t need to include login/out buttons.

Thanks for getting back to me.

I did try your first point. When I initially got things going - whether I set it to internal or external - my proper IP address was displayed at the right, although greyed out.

The reason I was tinkering with those settings back and forth was due to the “Login Internal” button working on the phone and the “Login External” button failing. It was saying it couldn't find the .xml file.

When I first switched to custom, my IP address changed to “External” for both “Sip Destination Address” and “Provisioning Address”. I changed the first one to my domain name and the second one to “https://user:[email protected]:1443”.

This is when I first noticed the port number appearing as 443 and in the wrong place in the phone’s autoprovision section. I switched back to external and did as you said and selected the option to rebuild the config files but I still get the weird issue.

I should be able to switch back and forth between internal, external, and custom as I see fit and the GUI should update/reset the config files accordingly.

I think there is a bug in FreePBX in that it does not properly revert and some code gets left behind which compounds the error.

Another bug I noticed is in the network scan section. Even though you're allowed to enter host names for the SIP and Provisioning addresses, the domain name is used for the network scan in the format of subdomain.example.com.0/24

If my SSL certificate is only valid for sub.example.com and not an IP address as well, do I have to use the domain name instead of the IP?

With TLS and SRTP you need to use domain names that match the cert you have Asterisk set up for. This is the basis of security.

That’s what I figured but EPM doesn’t seem to play nice with domain names instead of IPs.

Should I set this in the global EPM settings or in the default sangoma template?

I’m having very similar issues at the moment. Looking at the generated XML, I have the correct domain name, but on the standard UDP port (not TLS), and the TLS flag is still 0. I’m also having a fun time because my handset appears to not want to register over UDP (a separate issue).

Yeah, I still haven’t resolved this issue. Currently programming endpoints manually.

I wish the wiki would make it more clear which fields in FreePBX need an IP only and where you would use an IP or FQDN. Footnotes would be useful indicating the necessity of an FQDN for TLS/SRTP functionality and also whether or not a port number needs to be specified in certain fields.

I think when I specified a port number or FQDN where I didn’t need to, FreePBX got mixed up and added redundant info that is causing the errors I’m seeing.

There is a bug report that if you set the extension in FreePBX to be TLS, the phone config is not told to use TLS and the TLS port. I believe the latest version of the edge release of EPM fixes this.

1 Like
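One way to catch both symptoms raised in this thread (a TLS/SRTP extension rendered as a UDP account with the TLS flag at 0, and a provisioning URL with the port displaced in front of the hostname) is to lint the generated config before the phone pulls it. This is an added example, not FreePBX or EPM code; the XML element names and the sample file are constructed stand-ins for whatever the template actually emits, and 1443 is the provisioning port the thread uses.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample reproducing the thread's symptoms: a TLS/SRTP extension emitted
# as a UDP/5060 account with tls=0, and a provisioning URL with the port displaced.
SAMPLE_XML = """<config>
  <account>
    <sip_port>5060</sip_port>
    <transport>udp</transport>
    <tls>0</tls>
    <srtp>0</srtp>
  </account>
  <provisioning>
    <url>https://user:secret@443.pbx.example.com</url>
  </provisioning>
</config>"""

def check_tls_account(root, expects_tls):
    """Findings when a TLS/SRTP extension was rendered as a plain UDP account."""
    if not expects_tls:
        return []
    wanted = [("account/transport", "tls", "transport is not tls"),
              ("account/tls", "1", "tls flag is 0"),
              ("account/srtp", "1", "srtp is not enabled")]
    findings = [msg for path, val, msg in wanted
                if root.findtext(path, "").strip().lower() != val]
    if root.findtext("account/sip_port", "").strip() == "5060":
        findings.append("sip_port is the plain UDP/TCP port 5060")
    return findings

def check_provisioning_url(url, expected_port=1443):
    """Findings when the provisioning URL is not https://host:PORT as intended."""
    parts = urlsplit(url)
    findings = [] if parts.scheme == "https" else ["provisioning URL is not https"]
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return findings + ["provisioning URL port is unparsable"]
    if port != expected_port:
        findings.append(f"provisioning URL port is {port}, expected {expected_port}")
    host = parts.hostname or ""
    # Heuristic: a leading all-digit label on a non-IP hostname is a displaced port.
    if host.split(".")[0].isdigit() and not host.replace(".", "").isdigit():
        findings.append(f"hostname {host!r} starts with a bare number (displaced port?)")
    return findings

def lint(xml_text, expects_tls):
    root = ET.fromstring(xml_text)
    url = root.findtext("provisioning/url", "").strip()
    return check_tls_account(root, expects_tls) + check_provisioning_url(url)
```

Run `lint()` over the file EPM writes for the phone's MAC with `expects_tls=True` for a TLS extension; an empty list means the transport, flag, port and URL all look consistent.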

That's great news, do you have a rough main release date for it?

Usually takes 1-2 weeks for modules to make their way through testing and QA. You can watch the ticket here for auto progress updates:
http://issues.freepbx.org/browse/FREEPBX-14276