Softphone, SangomaConnect, Zulu

Hello. I have been trying to get SangomaConnect to work for me. Now I have seen something called Sangoma Softphone. I have the two-user free license. The most current problem is the CloudAgent says it is running, but disconnected from the server. I would very much like to get this running, and may purchase additional users, but cannot figure it out. Where can I go for help? Alternatively, is the Softphone app something I should be looking into instead? What about Zulu?

Thank you for reading through this.

“Softphones” is the license that covers both Zulu and SangomaConnect.

Thank you, billsimon! To clarify for me (I’m still fairly new to the FreePBX scene): if I have the FreePBX Softphones 2-User 1-Year Free License, SangomaConnect should work? Does the free license entitle me to support via the support tickets, or should I purchase support? I only ask because it seems like many of the questions users ask about SangomaConnect are answered with “open a support ticket.”

It does not include support. If you need help, you need to pay for that.

If it is a bug, you still open a support ticket, but that will not burn your support credit.

I’ve never seen this before. Are you sure you are fully up to date, rebooted, and tried again?

You don’t get this?

This is the screen. I am up to date, rebooted several times.

Is your FreePBX behind NAT?

@sorvani It is. I have been through the ports several times. My Fail2Ban is always blocking different IP addresses, so it seems like something is getting through. I use all UniFi equipment elsewhere if that helps. Thank you for looking at this.

Then my guess is you have not forwarded enough things in to your box for SangomaConnect to work correctly. Just a guess though. I have never set it up on an internal unit behind NAT yet. Only on systems with a direct public IP.

@sorvani
Thank you. I worked on it a little last night and this morning and it is working now! My Fail2Ban is going crazy with notifications every 10 minutes or so. Is there anything I can do about that?

Enable the sync from firewall to Fail2ban in the advanced settings.

I’m sorry, where is that option? Will it set my UniFi Gateway to reject those IPs?

No, your firewall needs to filter appropriately all on its own, anything you allow through on UDP/5XXX (and there will be lots) will need to be filtered by any downline firewall.

You asked about fail2ban, which is part of FreePBX, in context.
There are settings to have everything in the firewall networks tab sync’d with fail2ban and ignored.

@dicko

(and there will be lots)

So this is normal behavior?

@sorvani

There are settings to have everything in the firewall networks tab sync’d with fail2ban and ignored.

I don’t see any settings in the Firewall Networks Tab – only hosts and zones.

You could call it normal, that is where the bandits look to rob you, there is good reason to just not open your system up there though.

@dicko Thank you! Maybe a better term is “expected.” When you say:

there is good reason to just not open your system up there though.

are you saying, I should actively seek to change those ports (I thought I read I cannot…) or just to make sure intrusion detection is active and robust?
On a side note, after seeing the number of Fail2Ban emails coming through every day, it saddens me that these bandits can’t find something more productive to do with their time than harass me. Comes with the territory, I guess.

Personally I avoid the ‘low-hanging ports’, there is no reason that you cannot do the same, some VSPs refuse to use anything but UDP/5060, for those, a couple of iptables NAT rules should suffice.

Better to use TCP
Better yet to use TLS
Better yet still, use TLS and check the client cert (that means installing your certs on the extensions whenever the cert changes, this is either easy or not so easy depending on the phones)

Adding ‘port flooding’ and ‘connection limiting’ rules to your firewall is a good way to negate the “obfuscation” argument but these general concepts will reduce that noise by ‘orders of magnitude’.

@dicko
I know I can change the listening port on my end, can I change it on SangomaConnect? Maybe I don’t have a good understanding of how this is supposed to work. If I change 5060 to something else, I have to change the port on all of my physical phones, correct?
I have had limited success configuring the Sangoma phones I use.

At this time, I only have one extension I’m using on Sangoma Connect. Can I just change the port on only the SangomaConnect extensions?

I’ll look into the iptables NAT rules.
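
The iptables NAT, ‘port flooding’ and ‘connection limiting’ rules mentioned in the reply above could look like the following. This is an added example, not part of the original thread and not FreePBX's own firewall configuration. It assumes a plain iptables host; the script name, the SIP port 5160, the provider address 203.0.113.10 and the limits are constructed values.

```shell
#!/bin/sh
# Added example: prints an iptables ruleset, it does not apply anything.
# Assumes a plain iptables host; port and addresses below are constructed.

# valid_port N: true for an integer 1024..65535 that is not 5060.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 5060 ]
}

# valid_ipv4 A.B.C.D: true for a dotted quad with every octet 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# sip_rules SIP_PORT VSP_IP [PKTS_PER_SEC]: write the rules to stdout.
sip_rules() {
    port=$1; vsp=$2; rate=${3:-20}
    valid_port "$port" || { echo "bad SIP port: $port" >&2; return 2; }
    valid_ipv4 "$vsp" || { echo "bad provider address: $vsp" >&2; return 2; }
    case "$rate" in ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 2 ;; esac
    cat <<EOF
# Provider only talks to UDP/5060: rewrite its packets to the real port.
iptables -t nat -A PREROUTING -p udp -s $vsp --dport 5060 -j REDIRECT --to-ports $port
# Anyone else on 5060 was not rewritten above and is dropped silently.
iptables -A INPUT -p udp --dport 5060 -j DROP
# The provider is trusted and exempt from the flood limit.
iptables -A INPUT -p udp -s $vsp --dport $port -j ACCEPT
# Port flooding: drop sources sending more than $rate packets per second.
iptables -A INPUT -p udp --dport $port -m hashlimit --hashlimit-name sip --hashlimit-mode srcip --hashlimit-above $rate/sec --hashlimit-burst $((rate * 2)) -j DROP
iptables -A INPUT -p udp --dport $port -j ACCEPT
# Connection limiting for SIP over TCP: at most 10 open connections per source.
iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport $port -j ACCEPT
EOF
}

# Review the output, then apply as root with: sh sip-rules.sh 5160 203.0.113.10 | sh
if [ "$#" -ge 2 ]; then sip_rules "$@"; fi
```

Because the rules are only printed, they can be reviewed and merged with whatever ruleset the host already has before anything is applied.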