On 7/19/07, Ryan Stille <[EMAIL PROTECTED]> wrote:
> Right now I've been working on setting up a Trixbox server on our internal network. It's behind the firewall, but I'd like to open up the firewall to it because we sometimes have developers working off site and I'd like them to be able to connect.

How many developers? And what kind of developers? If they're developing things for your phone system, then you may want them on their own development boxes instead. If you're a software shop and they're just users, then that's different.

> Is this safe to do? I've got the "Allow Anonymous Inbound SIP Calls" box unchecked in freePBX. Is there anything else I need to do? Isn't there an issue with the extension/secret being passed in clear text?

I'm not the most knowledgeable on what freePBX does, as far as the check box. My guess is that it's just tweaking the SIP users/peers in the sip.conf file. This gives only a minimal level of security, in my opinion.

> It looks like I need to open port 5060, and whatever ports are in between the rtpstart/rtpend values in /etc/asterisk/rtp.conf. Is that right? Right now that's 9999 ports, I've read that you can chop that down to 20 ports for just a few calls. We want to have 5-6 simultaneous calls, so if I set rtpstart to 10001 and rtpend to 10100, then open up those ports, is that adequate?

If it were me, and I had 20 remote users or less, I would create a VPN and have them join my network that way. Then, no SIP ports would be open to the world. And the NAT problems would pretty much disappear. You may have a slight reduction in sound quality, depending on how you set up the VPN. I really haven't had major problems with it, but again, it depends on your type of VPN. We're using a site-to-site hardware-accelerated IPSec VPN for each of our remote sites (including my house), and I have not had any problems. Except when the underlying medium (the Intarweb) has latency/jitter problems. But then, straight SIP would have issues too...
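Added example, not part of the original message or of Asterisk/freePBX: a small check that reads the `rtpstart`/`rtpend` values from rtp.conf text and reports which UDP ports the firewall rule has to cover and whether the range holds enough media streams for a given number of calls. It assumes SIP signalling on UDP 5060, one even RTP port plus the following odd RTCP port per stream, and two streams per call on the server (the hypothetical `streams_per_call` parameter); the sample configuration is constructed from the values in the question.

```python
import configparser

# Constructed sample: the narrowed range proposed in the message above.
SAMPLE_RTP_CONF = """\
[general]
rtpstart=10001   ; first UDP port used for media
rtpend=10100     ; last UDP port used for media
"""

def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from the [general] section of rtp.conf text."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    start, end = cp.getint("general", "rtpstart"), cp.getint("general", "rtpend")
    if not (1024 <= start <= end <= 65535):
        raise ValueError(f"implausible RTP range {start}-{end}")
    return start, end

def stream_capacity(start, end):
    """Count even/odd (RTP/RTCP) port pairs that fit entirely inside the range."""
    first_even = start + (start % 2)           # first even port >= start
    last_even = end - 1 - ((end - 1) % 2)      # last even port with port+1 <= end
    return max(0, (last_even - first_even) // 2 + 1)

def check(conf_text, calls, streams_per_call=2):
    """Summarise the firewall ports to open and whether the range is large enough.

    streams_per_call=2 is an assumption: one media stream per call leg when the
    PBX relays audio between both parties.
    """
    start, end = rtp_range(conf_text)
    capacity = stream_capacity(start, end)
    needed = calls * streams_per_call
    return {
        "udp_ports": [(5060, 5060), (start, end)],  # signalling, then media range
        "capacity": capacity,
        "needed": needed,
        "adequate": needed <= capacity,
    }

if __name__ == "__main__":
    print(check(SAMPLE_RTP_CONF, calls=6))
```

The firewall range should match the rtp.conf range exactly, so every media port that is opened is one the server can actually use.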
