Table_of_Contents
1 Choose a Voice over IP Provider
1.1 Quick Start Recommendations
2.7 Hardware Phones
2.8.1 FXO and FXS Adapters
2.8.2 FXO Adapter
2.8.3 When to Use an FXO Adapter
2.8.4 FXS Adapter
2.8.5 When to Use an FXS Adapter
3.1 Server Proxy and IP Address Resolution
3.3 Configuring Acrobits or Groundwire
3.5 Configuring SipMobile or Linphone
3.8 Configuring Nortel 1535 VideoPhone
3.9 Configuring UTStarcom F1000 WIFI Phone
3.10 Linksys PAP2 NA Two Line Phone Adapter
List of Figures
Figure 1: FXO Interface
Figure 2: FXS Interface
Figure 3: Linksys PAP2 RTP Parameters
Figure 4: Linksys PAP2 NAT Parameters
Figure 5: Linksys PAP2 Registration Parameters
List of Tables
Table 1: Android Phones
Table 2: Windows Phones
Table 3: Linux Phones
Table 4: Apple iOS Phones
Table 5: Mac OS Phones
Table 6: Basic Phone Configuration
Table 7: CSipSimple Configuration
Table 8: Acrobits or Groundwire Configuration
Table 9: Zoiper Configuration
Table 10: SipMobile or Linphone Configuration
Table 11: Jitsi Configuration
Table 12: PhonerLite Configuration
Table 13: Nortel 1535 VideoPhone Configuration
Table 14: UTStarcom F1000 WIFI Phone Configuration
In order to communicate using the PSTN (Public Switched Telephone Network), using regular telephone phone numbers, a minimum of one SIP gateway (trunk, phone #) is required.
Gateway service is provided by SIP providers, most of which are capable of porting your existing phone # and area code allowing you to retain the same phone #, to avoid communication disruption. Some research is required to select a SIP provider to meet your needs.
SIP gateways can be used to provide phone lines for SecurePBX or, any SIP phone. This means: if, after the trial period ends, you choose to not use SecurePBX, the phone number can be used for any SIP phone.
If you require a public phone number that anyone can call and are interested in getting SecurePBX up and running quickly, for evaluation purposes, you will need at least one gateway (phone number) from a VOIP provider.
Having a public incoming / outgoing phone number is not free, nor expensive. It is suggested to choose a VoIP provider without commitments / contracts after researching alternatives and reviews on the internet.
If you are interested in zero cost SecurePBX evaluation or, a free private phone number within a private network (only members of that same network can call each other), choose one of the free SIP providers below.
To maximise usage of SecurePBX during the free trial period, it is suggested that you create an account for your chosen SIP VoIP provider prior to installing SecurePBX.
Once you have selected a VoIP provider and have SIP credentials, it is suggested that you test them using one of the SIP phones selected below, prior to installing SecurePBX.
If you already have a VoIP phone number and a phone or ATA (Analog Terminal Adapter) with access to the SIP credentials, you can use these credentials as a gateway, if you are willing to tolerate possible phone disruption until SecurePBX configuration is complete.
If you choose to not have a public phone number (that can be called from any telephone), but desire to securely communicate with a group of your choosing, this can be done for free (for all group members) by using free SIP providers such as OnSip (US), Mondotalk (Australia), Voipfone (UK), FreePhoneline (CA).
A list of popular SIP providers is here. A list of free SIP providers is available here.
In Canada, the SecureOffice team has experienced satisfactory service, for years with Vonage and FreePhoneLine. Using FreePhoneLine, purchasing SIP credentials and paying to port existing phone numbers, the team has a lifetime of phone service and has not paid for telephone service (excluding cheap international long distance) for over six years.
It is strongly suggested to search the internet for reviews of your chosen SIP provider(s) prior to making a commitment.
Once you have selected a VoIP provider and as many phone #'s (SIP accounts) as required, FusionPBX gateways can be configured with the credentials provided by the VoIP provider.
For default Secure PBX configuration, up to four SIP lines (trunks, phone numbers) are supported. More lines can be easily added, as needed.
The term "Phone" refers to devices, endpoints or extensions in VoIP terminology.
Any SIP phone meeting the RFC 3261 SIP standard and is optionally ZRTP or SRTP (secure) compliant will work with SecurePBX for basic telephone functionality, with minimal configuration.
This section provides an overview of available SIP phones (many free), to aid users in SIP phone and device selection and configuration.
Feature rich (business) SIP phones require extra configuration (beyond basic functionality) for items such as programmable feature keys, page, etc. This is beyond the scope of this document. A web search for the phone manufacturer / model regarding provisioning the extra functionality for FusionPBX will be required. The FusionPBX team works closely with various business SIP phone manufacturers for automatic provisioning of phones.
For large installations, with phones that support it, automatic phone provisioning is possible using SecureOffice TFTP (DnsMasq) or HTTP (uHttpd or Apache) to serve phone configuration data. This is beyond the scope of this document but is freely available on the internet from particular phone vendors, or the FusionPBX Wiki.
The sections following contain a list of softphones claiming to be ZRTP (secure encryption) capable. It is strongly suggested to use free, opensource, peer reviewed applications to avoid spyware and backdoor security risks. Phones that the author has successfully tested with SecurePBX (basic encrypted audio / video calls) are shown in the "Tested" column of the following tables. More information such as additional features can be found by following the link for each phone.
An overview of currently available softphones is located here.
Callcentric has excellent documentation regarding configuring particular SIP devices for their service here. Following Callcentric instructions for your particular device, substituting SecurePBX for Callcentric specific parameters should work for devices not covered in this document. The devices listed in the previous Callcentric link may also aid you in selecting phones (devices).
Caution: Many PC and Android phone applications exist. Quite a few of them lock you into using the network of the application provider and cannot be configured to use SecurePBX. Call security is a matter of trusting the provider. When researching SIP phone alternatives be certain that they are SIP compatible and SIP settings can be configured.
To get SecurePBX up and running quickly, for evaluation purposes, you will need at least two (free) extensions (SIP phones) to call each other, for testing. It is also suggested to start simple, with audio calls only.
For users not interested in video calls or paying money, CSipSimple for Android and PhonerLite or Jitsi for PC's / laptops are recommended.
If interested in video calls, no acceptable performing free SIP secure phone application for Android has yet been identified. If zero cost is a constraint, using Jitsi on two PC's is the best choice.
For those willing to pay for an Android video phone application, Acrobits (Play Store) has been used by SecureOffice developers for several years with excellent results. Another alternative (untested, Play Store), but very popular is the Bria Softphone by CounterPath (PC, Mac and IPhone versions also available. The author used Bria years ago as a developer at Nortel, with excellent results.
It is also recommended that you partner with a friend and configure extensions outside of your local LAN, on the internet, for testing, or, at a minimum use external SIP loopback test numbers (search internet). Another approach is use an extension on a PC or Android phone connected to the internet over VPN or using your cellular data plan.
To maximise usage of SecurePBX during the free trial period, it is suggested that the SIP phones you choose be installed and tested with your gateway (SIP phone number) settings, prior to installing SecurePBX.
Name | Free | Video | Notes | Tested |
|
|
|
|
|
No | Yes | G729 CODEC, ZRTP outgoing calls not free. Trouble Free, audio, video, ZRTP | Yes | |
Yes | Alpha | Video in alpha test, poor quality, does not appear to be ongoing video development. | Yes | |
Yes | Yes | Contains Advertising. LinPhone based. | Yes | |
No | Yes | ZRTP, Video is optional, not free | Yes | |
Yes | No | Only for cellphones |
| |
Yes | Yes |
| Yes | |
Yes | Yes | PC tested, Android not. Android is beta, does not appear to be maintained / upgraded. Abandoned project. Replaced by Jitsi Meet, not SIP | No |
Table 1: Android Phones
Name | Free | Video | Notes | Tested |
|
|
|
|
|
Yes | Yes | Trouble Free, audio, video, ZRTP | Yes | |
Yes | Yes |
| Yes | |
Yes | No | Simple, basic, works | Yes | |
Yes | Not Working | Presence support, G729, not free, Video status may have changed. | Yes |
Table 2: Windows Phones
Name | Free | Video | Notes | Tested |
| ||||
Yes | Yes | No | ||
Yes | Yes | No | ||
Yes | Yes | No | ||
No | Yes | Presence support, G729, not free | No |
Table 3: Linux Phones
Name | Free | Video | Notes | Tested |
|
|
|
|
|
Yes | Yes |
| No | |
Yes | Yes | G729 CODEC, ZRTP outgoing not free. | No | |
Yes | Yes |
| No | |
No | Yes | ZRTP, Video is optional, not free | No | |
Yes | No | Only for cellphones | No |
Table 4: Apple iOS Phones
Name | Free | Video | Notes | Tested |
|
|
|
|
|
Yes | Yes | No | ||
Yes | Yes |
| No | |
No | Yes | ZRTP, Video is optional, not free | No | |
Yes | No | Paid version has more features | No | |
Yes | Paid | No |
Table 5: Mac OS Phones
There is a large variety of suitable hardware SIP phones available, far too many to list in this document.
ZRTP encryption has not yet penetrated the market, so very few, if any of these phones are ZRTP capable. Some are SRTP capable, which requires PKI management and distribution. This means, to make secure calls with hardware phones, these phones must reside on a physically secure LAN, behind SecureOffice. A non-ZRTP or SRTP capable phone, residing on the internet is a huge security risk. A possible workaround, if supported by the phone is to VPN into SecureOffice, with the phone appearing as a local extension.
If secure calls using a hardware phone on the internet is a requirement, SecurePBX also supports SRTP encryption which some hardware phones do. Configuring SecurePBX and phones for SRTP is beyond the scope of this document., but freely available on the internet.
If SecurePBX extensions are required, on the internet, either use one of the above softphones, or install the phone behind another SecurePBX installation with a secure LAN. The latter scenario is suitable for distributed organizations, installing SecurePBX at each branch office and using non-ZRTP SIP phones on the physically secure LAN.
Another possibility, for securing insecure phones in the internet is for the phone to use VPN to connect to SecureOffice. There may be voice / video quality issues with this approach on slow network connections.
To select a hardware SIP phone, determine the features (such as # of SIP lines) and search for "sip phone" on the following sites:
The author has configured and tested the following hardware phones.
Nortel 1535 Videophone has been in daily professional use for years.
UTStarcom F1000 WIFI Phone and, FAQ
It is possible to use your existing analog telephones, including cordless and fax machines with an inexpensive ATA FXO adapter. This allows you to keep your existing devices and avoid the cost of SIP phones and rewiring.
The author has configured and tested the following adapters and connected to various analog, including cordless phones and fax machines, with excellent results.
Linksys PAP2-NA Two Line Phone (FXS) Adapter
Cisco SPA-112 Two Line Phone (FXS) Adapter
The Cisco SPA-112 has better FAX performance than the PAP2-NA.
What they do and when each should be used.
A FXO adapter acts as a phone and is used to interface a PSTN phone line (from telephone utility) to a SIP switch, making it appear as a gateway.
A FXS adaptor acts as a phone line and is used to interface a standard analog phone to a SIP switch, making it appear as an extension.
FXO and FXS adapters ARE NOT interchangeable.
An FXO adapter is a VoIP to telephone line adapter.
An FXO adapter is used to connect VoIP systems such as SecurePBX, to regular analog telephone lines (POTS PSTN lines). An FXO adapter from the point of view of a telephone exchange appears to be a regular telephone. As such, it is able to accept ring signals, go on-hook and off-hook, and send and receive voice signals. From the point of view of a VoIP system it appears to be an external line (gateway).
Figure 1: FXO Interface
An FXS adapter is a telephone line to VoIP adapter.
FXS adapters are used to connect regular analog telephones to a VoIP system such as SecurePBX or a VoIP telephone service such as Vonage. An FXS adapter is a device that, from the point of view of a telephone, seems to be a telephone exchange but connects to a VoIP service instead.
Figure 2: FXS Interface
Configuration instructions for the particular soft / hard phones that the author has researched / tested are located in following sections.
It is suggested these steps be performed after SecurePBX has been installed / configured.
All SIP devices must, at a minimum, be configured with the following parameters.
User ID | The FusionPBX extension name or number of the phone being configured (Accounts -> Extensions). |
|
Password | The password assigned to the particular FusionPBX extension (Accounts -> Extensions). |
|
Server | The public DNS (domain) name of SecureOffice on the internet (eg: example.com). May also be called "Domain". |
|
Proxy | Leave blank unless on LAN and DNS is resolving your Server IP to your internet address. |
Table 6: Basic Phone Configuration
The following sections assume default settings for phone features such as audio / video CODECS, ZRTP, etc. These are a matter of preference and, the phone website or internet search can be used to determine further details.
SecurePBX is configured to require domain names for phone configuration. This means when a phone is on the SecureOffice LAN (wired, WIFI, VPN), IP address lookup (DNS) for the SecureOffice domain name must return the local LAN address of SecureOffice / SecurePBX. This is achieved by an entry in the "/etc/hosts" file relating the domain name to LAN address. This entry should have been set during SecureOffice installation.
To achieve this, the "/etc/hosts" file must contain an entry of the following form:
"Your LAN Address" "Your Domain"
Example: "192.168.10.1 bogus_domain.org"
The effect of this is, for a SIP phone, when "out and about" using its data connection; DNS will return the public internet address of your SecureOffice domain. When connected to local LAN, DNS will return the LAN address of SecureOffice.
This setting is mandatory for SecureOffice user / license verification. Without it, no licensed application can be installed or run.
CSipSimple is an Android SIP Phone client supporting ZRTP encryption. It can be downloaded from the Google Play store. Video support (when tested) is preliminary, poor quality and not fully implemented (internet research to determine if this has changed).
If you downloaded from Google Play, install the CSipSimple app for your Android device, open the application. Click on "Add Account" and choose "Advanced".
If you downloaded a beta version, you may have to install it as a foreign application (search internet for instructions).
Enter the following information:
Account Name | Arbitrary name for this Extension (eg: yourdomain-extension#, example.com-1010) |
Caller ID | Caller ID to send with outgoing calls. Can leave blank and the FusionPBX Caller ID configured for this extension will be used. |
Server | The domain (public DNS) name of your SecureOffice server. |
User Name | The corresponding FusionPBX extension number or alias. |
Sip Auth ID | Leave blank. |
Password | The corresponding FusionPBX extension password. |
Use TCP | Leave unchecked. |
Proxy | Leave blank. |
Table 7: CSipSimple Configuration
These instructions apply to Acrobits / Groundwire on Android. The same settings apply for Apple iOS installations, although the method may differ.
Install (from Play Store) the Acrobits or Groundwire application for your device, open the application. Click on "New Account" and choose "SIP Account".
Enter the following information:
Title | Arbitrary name for this Extension (eg: yourdomain-extension#, example.com-1010) |
Username | The corresponding FusionPBX extension number or alias. |
Password | The corresponding FusionPBX extension password. |
Domain | The domain (public DNS) name of your SecureOffice server. |
Display Name | Caller ID to send with outgoing calls. Can leave blank and the FusionPBX Caller ID configured for this extension will be used. |
Table 8: Acrobits or Groundwire Configuration
During testing and daily usage, Acrobits has been very reliable for Voice, Video and ZRTP encryption. It is worth the money.
These instructions apply to Zoiper on Android. The same settings apply for Apple iOS, Windows, Mac and Linux installations, although the configuration method may differ.
Install the Zoiper app for your Android device, open the application. Click on "Config" -> "Accounts" -> "Add Account" and choose "SIP".
Enter the following information:
Account Name | Arbitrary name for this Extension (eg: yourdomain-extension#, example.com-1010) |
Host | The domain (public DNS) name of your SecureOffice server. |
Username | The corresponding FusionPBX extension number or alias. |
Password | The corresponding FusionPBX extension password. |
Caller ID | Caller ID to send with calls. If leave blank the FusionPBX Caller ID configured for this extension will be used. |
Proxy | Leave blank. |
Table 9: Zoiper Configuration
These configuration instructions apply to SipMobile / LinPhone on Android. The same settings apply for Apple iOS, Windows, Mac and Linux installations, although the configuration method may differ.
Install the SipMobile or Linphone app for your Android device, open the application. Click on "Settings" -> "Account Setup Assistant" -> "Lets Go" and choose "I already have a SIP account".
Enter the following information:
Note: Press "Apply" after entering the first three parameters. The new account will be named username@domain. Select it to change optional parameters, including "proxy".
username | The corresponding FusionPBX extension number or alias. |
password | The corresponding FusionPBX extension password. |
domain | The domain (public DNS) name of your SecureOffice server. |
Proxy | Leave blank. |
Table 10: SipMobile or Linphone Configuration
Jitsi is a free desktop SIP phone client (Windows, Mac, Linux, Android beta) capable of audio / video calls, as well as instant messaging, screen sharing, ZRTP encryption and many other features.
To get the latest features / fixes, download from the latest nightly builds.
Download Jitsi from the link above and install it. Press cancel at the initial quick setup screen offering to configure multiple protocols, displayed at Jitsi initial startup.
These configuration instructions apply to Jitsi on Windows. The same settings apply for Mac and Linux installations, although the entry method may differ.
To configure Jitsi, open the application. Select Tools->Options->Accounts. Select "Add". Select "SIP" as account type (dropdown list).
One potential Jitsi pitfall (with SecurePBX) is one-way audio and / or video. This is due to the ports that Jitsi uses by default falling outside of the range configured for SecurePBX and, if using LAN topology for the main router (UDP ports 16384-32768). To remedy this, using the Jitsi advanced property editor, create and enter the following keys and values (even if not experiencing one-way media):
"net.java.sip.communicator.service.media.MIN_PORT_NUMBER" "16384"
"net.java.sip.communicator.service.media.MAX_PORT_NUMBER" "32768"
"net.java.sip.communicator.service.protocol.MIN_MEDIA_PORT_NUMBER" "16384"
"net.java.sip.communicator.service.protocol.MAX_MEDIA_PORT_NUMBER" "32768"
"net.java.sip.communicator.service.protocol.MIN_AUDIO_PORT_NUMBER" "16384"
"net.java.sip.communicator.service.protocol.MAX_AUDIO_PORT_NUMBER" "32768"
"net.java.sip.communicator.service.protocol.MIN_VIDEO_PORT_NUMBER" "16384"
"net.java.sip.communicator.service.protocol.MAX_VIDEO_PORT_NUMBER" "32768"
Enter the following information:
username | The corresponding FusionPBX extension number or alias. |
password | The corresponding FusionPBX extension password. |
Registrar | The domain (public DNS) name of your SecureOffice server. |
Proxy Address | Leave blank. |
Table 11: Jitsi Configuration
Install and run PhonerLite. Select "Options", "Configuration"
Enter the following parameters, under the corresponding Tabs:
Parameter | Tab | Value |
|
|
|
Proxy | Server | Leave blank |
Domain | Server | The domain (public DNS) name of your SecureOffice server. |
Register/MWI | Server | Both checked. |
User Name | User | The corresponding FusionPBX extension number or alias. |
Password | User | The corresponding FusionPBX extension password. |
CODECS | Check SRTP, SAVP, ZRTP, MOH, and Masquerade. |
Table 12: PhonerLite Configuration
Using the softkeys, select "Settings", "VoIP Settings"
Parameter | Menu | Value |
|
|
|
Username/Number | User Information | The corresponding FusionPBX extension number or alias. |
Display Name | User Information | The corresponding FusionPBX extension number or alias. |
Auth Name | User Information | The corresponding FusionPBX extension number or alias. |
Auth pwd | User Information | The corresponding FusionPBX extension password. |
Proxy Address | Proxy | Use the domain (public DNS) name of your SecurePBX server as proxy or, leave blank. |
Proxy Type | Proxy | Select "AS5200" |
Domain Name | Misc | The domain (public DNS) name of your SecureOffice server. |
Table 13: Nortel 1535 VideoPhone Configuration
This phone uses an older WIFI standard. To connect, SecureOffice WIFI must be configured to support it. This may cause trouble for existing WIFI connections.:
Configure F1000 Wifi using the phone menu:
Enter the F100's IP address determined above into a browser on your LAN. The default login credentials are "user", "888888"
Using the F1000 web interface for configuration, navigate to "User Menu", "SIP and RTP Config".
Enter the following values:
Outbound Proxy | Yes. |
Use Registrar | Yes. |
Outbound Domain | Use the domain (public DNS) name of your SecureOffice server. |
Register Domain | Use the domain (public DNS) name of your SecureOffice server. |
Auth String | The corresponding FusionPBX extension number or alias. |
User Name | The corresponding FusionPBX extension name or alias. |
Password | The corresponding FusionPBX extension password. |
Use Null Packet | No. |
Use DNS | Both Register And SIP Proxy Servers Use DNS |
DNS Type | None SRV. |
Table 14: UTStarcom F1000 WIFI Phone Configuration
On the phone configuration page, press "Submit" and then "Reboot"
Other FXS ATA's are configured in a similar manner. An internet search "ATA model #, FreeSwitch" or, searching the manufacturer's website should provide ATA specific instructions.
It is strongly suggested to perform a PAP2 factory reset prior to configuration, to avoid difficult to diagnose problems.
WARNING! If you're using an unlocked PAP2 previously supplied by Vonage, your adapter will revert back to the settings from the factory after resetting and will immediately attempt to 'phone home', re-provisioning itself from Vonage. If you'd like to reset your PAP2 then re-unlock it, make sure that you disconnect it from the Internet prior to performing a factory reset.
Resetting your PAP2 to its factory default settings (often referred to as a 'hard reset') is done via the built-in IVR (Interactive Voice Response) menu. To access the IVR, simply pick up a telephone that is connected to the PAP2 and dial:
**** (yes, 4 stars)
This will activate the IVR 'Configuration Menu (you'll hear a voice tell you this) after which, simply press the following sequence of keys to 'factory reset' your PAP2:
73738#
The above key sequence spells 'R E S E T', followed by a #. You'll be asked to confirm your selection - simply press 1 to continue. That's it.
Using the PAP2 web configuration GUI (Advanced View, Admin Login), verify the following settings.
Under SIP Tab:
Figure 3: Linksys PAP2 RTP Parameters
Figure 4: Linksys PAP2 NAT Parameters
Press "Save Settings".
Under Line (1, 2) Tabs:
Figure 5: Linksys PAP2 Registration Parameters
Replace the values above with corresponding SecureOffice / FusionPBX configuration values for both Line1 and Line2 extensions.
"Outbound Proxy" can be SecureOffice domain name, or, left blank.
Press "Save Settings".
Note the certificate and key fields in Figure 5, indicating the PAP2 is SRTP (secure calls) capable. This is true of most ATA's. This is important for organizations and groups wishing widespread (and inexpensive) deployment of secure phones for their members. ATA's are very inexpensive as are analog phones.
|
Technologies Used: