Softphone config suggestion without exposing lots of ports

I was wondering if I could solicit some suggestions for what others have done for WAN softphone use without exposing the PBX to lots of internet-accessible ports.

I would LOVE a softphone that tunneled into the PBX via OpenVPN, but failing that, what have others done?

The problem you’ll run into is how the various cell OSs handle running applications. For example, I am not sure if iOS will allow you to have a VPN tunnel open while the phone is just sitting idle to receive the push notifications for incoming calls and such. This is less an issue with asterisk/softphones and more a limitation that’s placed on running applications by the OS when the phones are idle.

And since you will never know what IP address your cell phone will have at any given time, SIP and RTP port access usually needs to be open to the world.

What we do is require our remote workers to log in to one of our sshd server hosts via ssh. We have a bash script on our firewall that periodically polls all the sshd hosts, identifying all successful logins since the log rollover at midnight. Those logons have their origin IP addresses merged with our firewall whitelist. This script runs on the firewall every 10 minutes at the moment, which seems to meet our needs. There are multiple private services that we handle this way; VoIP is but one. The script also merges failed login attempts with our blocklist, which is only expunged manually. Because the whitelist is checked before the blocklist, a clumsy ssh login failure followed by a success does not result in a blocked IP. Brute-force attacks on the sshd servers are handled otherwise.

At regular intervals the whitelist contents are expunged. At the moment this is once per day overnight.

So the morning procedure for our staff is to first log into an sshd service with their credentials, wait ten minutes, then connect their soft-phones and web browsers to our internal private web services.

Since our actual SIP ports are always blocked for everything other than the whitelist, scanners do not see us, or at least so I believe.
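Byrnejb's polling script is not posted, so here is an added sketch of the same idea in POSIX sh, written for this thread and not taken from the post or from FreePBX: it pulls source addresses out of constructed sshd log lines, merges them into the whitelist and blocklist, and applies the whitelist-before-blocklist order that keeps a fumbled-then-successful login from being blocked. Wiring the lists into real firewall rules is left out.

```shell
#!/bin/sh
# Constructed sshd log excerpt (documentation addresses, not real logins).
# 203.0.113.10 fumbles a password and then succeeds; 192.0.2.66 only fails.
SAMPLE_LOG='Mar  3 08:02:11 gw sshd[2211]: Failed password for alice from 203.0.113.10 port 51234 ssh2
Mar  3 08:02:19 gw sshd[2211]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2
Mar  3 08:15:40 gw sshd[2300]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
Mar  3 09:40:02 gw sshd[2401]: Failed password for invalid user admin from 192.0.2.66 port 33001 ssh2
Mar  3 09:40:05 gw sshd[2401]: Failed password for invalid user admin from 192.0.2.66 port 33002 ssh2'

# Pull the source address out of every "Accepted ..." sshd line on stdin.
accepted_ips() {
    grep 'sshd\[[0-9]*\]: Accepted ' | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort -u
}

# Same for "Failed ..." lines; these feed the blocklist.
failed_ips() {
    grep 'sshd\[[0-9]*\]: Failed ' | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort -u
}

# Union of an existing list ($1) with newly seen addresses ($2), de-duplicated.
# The whitelist starts empty again after the overnight expunge; the blocklist
# is only ever grown this way and pruned by hand.
merge_list() {
    printf '%s\n%s\n' "$1" "$2" | grep -v '^$' | sort -u
}

# Verdict for a packet to the SIP/RTP ports from $1, given whitelist $2 and
# blocklist $3. Whitelist rules sit before blocklist rules, so an address that
# both failed and later succeeded is accepted rather than blocked.
sip_verdict() {
    if printf '%s\n' "$2" | grep -qFx "$1"; then
        echo ACCEPT
    elif printf '%s\n' "$3" | grep -qFx "$1"; then
        echo DROP-BLOCKLIST
    else
        echo DROP-DEFAULT        # not whitelisted: the port stays closed to the world
    fi
}

# One polling cycle over the sample log, starting from empty lists.
WHITELIST=$(merge_list "" "$(printf '%s\n' "$SAMPLE_LOG" | accepted_ips)")
BLOCKLIST=$(merge_list "" "$(printf '%s\n' "$SAMPLE_LOG" | failed_ips)")
for ip in 203.0.113.10 198.51.100.7 192.0.2.66 198.51.100.99; do
    printf '%-14s %s\n' "$ip" "$(sip_verdict "$ip" "$WHITELIST" "$BLOCKLIST")"
done
```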

I would recommend you look at a Session Border Controller. It's not that they prevent you from opening ports, but they are designed to provide segmentation.

There are many different SBCs. I use the Ingate SIParators; others use the Sangoma ones, or Kamailio, etc…
Most SBCs will provide several layers of controls to prevent common attacks.

I.e., if the clients don’t have the right SIP realm, the traffic is tossed; if they don’t have the right data in the packet headers, you toss the traffic. If they send too much traffic, you block that IP.

Byrnejb's solution is very creative, but it would kill me trying to keep that up to date in my environment.

If this is for mobile devices, just buy SangomaConnect (a rebrand of Acrobits, arguably the global leader in softphones). iOS and Android will not allow you to keep an app up and listening to ring, but this is instead accomplished with push. Without push you will not be successful.

If this is Windows or Mac, you certainly can use an RTC client (FOP2 has one that works well with FreePBX; we have it deployed with good success). Do know that an extension cannot be both PJSIP and RTC. Also know that RTC must be over SSL only (at least the FOP2 RTC client must).
