Table of Contents
1.1 Economic Advantages of SecurePBX
1.2 Security Advantages of SecurePBX
1.3 About Encrypted Phone Calls
1.3.1 About SRTP Encryption
1.3.2 About ZRTP Encryption
2.1 Default SecurePBX Configuration
2.2 Preparation Before Installing SecurePBX
3.3 Configure FusionPBX LAN Address
3.4 Configure FusionPBX Domain Name
3.5 Configure DNS for Local LAN Address
3.6 Configure FusionPBX Gateways
3.7 FusionPBX Extensions or Phones
3.10 Ring Group Extensions for Incoming Calls
3.10.1 About Call Timeouts
3.10.2 Configure Incoming Ring Destinations
3.10.3 Configure Ring Groups
4 Test Your SecurePBX Installation
4.1 About Cellular Data Connections
4.2 Moving a Phone from LAN to Internet
4.3 Second Internet Connection
5.2 No FusionPBX GUI
5.5 One Way or No Audio or Video
List of Figures
Figure 1: FusionPBX Login Prompt
Figure 2: FusionPBX Initial Login Page
Figure 3: FusionPBX Account Settings
Figure 4: FusionPBX LAN Address Configuration
Figure 5: FusionPBX Domain Configuration Step 1
Figure 6: FusionPBX Default Gateways
Figure 7: Minimal Gateway Parameters
Figure 8: Line Number to Gateway Assignments
Figure 9: Assign Gateway Number to Line Number
Figure 10: Extensions Summary Page
Figure 11: Extension Configuration
Figure 12: Extensions Registration Status
Figure 13: Gateway to Ring Extension Assignments
Figure 14: Ring Groups
Figure 15: Edit Ring Group
List of Tables
SecurePBX is a premium (licensed) SecureOffice application based on the FreeSwitch SIP PBX (Private Branch eXchange) and FusionPBX (simplified web based GUI for FreeSwitch administration) projects.
SecurePBX is an optional part of the SecureOffice integrated secure services hosting system which allows you to move your information infrastructure out of the cloud, with total information control and privacy, while still remaining "of the cloud". It is intended for individuals, businesses and organizations who want the economic advantages of IP telephony and / or are concerned about snoops "casing their joints", meddling in their freedoms and private, peaceful business and communications.
In the following sections, SecurePBX refers to the integrated FreeSwitch and FusionPBX applications.
SecurePBX was created to bring the advantages of VoIP and secure telephony to a broader user base by providing a standard, mostly preconfigured, more easily administered telephone system requiring far less technical skills than it takes to install and administer FreeSwitch and FusionPBX by themselves. SecurePBX can replace existing PBX's (such as now unsupported Nortel) from many vendors, assuming existing phones are or can be configured to be standard SIP devices.
There is absolutely nothing preventing anyone highly technically skilled willing to research and learn the requisite skills from spending months (at least) attempting to create, debug and fine tune their own custom FreeSwitch / FusionPBX installation, as opposed to paying for the significant effort that has gone into creating and testing SecureOffice and applications, an integrated, easier to use solution, consolidating all of your IP services.
If leading members of the FreeSwitch / FusionPBX teams consider any of the SecurePBX innovations (of their work) to be "of use", permission (copyright waivers) will be liberally considered by the SecurePBX team regarding incorporation of said innovations into their projects. SecurePBX is intended to augment and in no way detract from the awesome vision, competence and quality of the work of the FreeSwitch / FusionPBX teams.
Further, it is expected that SecurePBX will steer paid contracting work to members of the above teams by users who wish to add / augment custom features not yet provided by SecurePBX or HowTo's both on this site and the internet. It is also expected that some users, without the skills, time or interest to setup SecurePBX, but who require it, will just pay an IT consultant to install and maintain their installation.
At some point, a list of "approved" SecureOffice consultants (and customer ratings) will be provided on this site.
It is estimated (moderate PC / Linux skills) that it will take about four hours to go from bare metal to a fully configured and operational SecureOffice / SecurePBX system, once all prerequisite configuration choices have been made and requirements are in place.
If you are willing to install a SIP phone application on your cellphone(s) and take a mobility hit (no phone service unless WiFi available: home, work, Internet cafe, incoming calls to voicemail), and make your cellphone extension a member of the ring group for your SecurePBX home phone number, you can completely eliminate your cellular phone bill. Incoming calls to your home phone will ring on your cell and outgoing calls will display your home phone number. An added bonus: those you call or call you cannot determine whether you are at home or "out and about", anywhere on the planet. Save $$$.
If you can find a cellular provider providing a data only plan (as offered for Tablets), the above mobility restriction can be avoided.
TODO: elaborate, very long list.
No snoops monitoring your secure phone calls. Encrypted Audio / Video / FAX / SMS.
SecurePBX is capable of encrypting phone call audio / video media using either SRTP or ZRTP.
Given the superior performance, simplicity and security of ZRTP over SRTP, configuration instructions for using ZRTP are provided on this site. Users wishing to use SRTP can consult FreeSwitch / FusionPBX documentation HowTo's on the internet to do so.
Secure Real-time Transport Protocol (or SRTP) is an encryption standard for Real Time Transport (RTP) media used for audio / video phone calls. Further information may be found here.
SRTP requires both ends of the phone call to have access to a shared master encryption key, from which intermediate (per call) encryption keys are exchanged using SIP messaging, which must also be encrypted (SSL/TLS) to protect the per call encryption keys.
It is possible for SRTP endpoints to generate keys on the fly. Very few public telephony carriers support the required protocols, although private networks can.
SRTP was the first "real" media encryption standard. Widespread deployment has been held back by lack of a secure method (public key management infrastructure) for users to securely exchange the master key required for secure communications and lack of carrier (phone company) support for the protocols.
Further, should the SRTP master key ever be compromised, all recorded encrypted calls can be retroactively decrypted by snoops.
Zimmermann Real-time Transport Protocol (or ZRTP) encryption enables you to make encrypted phone (audio / video) calls over the internet. ZRTP has a superior architecture over previous and alternate approaches (SRTP) for secure VoIP. Its principal designer is Phil Zimmermann, the creator of PGP, the most widely used encryption software in the world. Zimmermann and PGP legally took on and prevailed against "the man", who was (and still is) dead set against encryption (private communications) in general (for anyone but themselves).
The ZRTP protocol has updated cryptographic features superseding previous VoIP secure voice / video technologies. Although it uses a public key algorithm, it avoids the complexity of a public key infrastructure (PKI). In fact, it does not use persistent public keys at all. It uses ephemeral Diffie-Hellman with hash commitment, and allows the detection of Man-in-The-Middle (MiTM) attacks by displaying a short authentication string for the users to verbally compare over the phone. It has perfect forward secrecy, meaning the keys are destroyed at the end of the call, which prevents retroactively compromising the call by future disclosures of key encryption material. Be aware that massive data centers are storing everyone's communications.
Even if users do not bother verifying the short authentication strings, decent authentication against a MiTM attack is provided, based on a form of key continuity. ZRTP does this by caching some key material to use in the next call, to be mixed in with the next call's DH shared secret, giving it key continuity properties analogous to SSH. All this is done without reliance on PKI, key certification, trust models, certificate authorities, or the key management complexity that bedevils the email and SRTP encryption world.
ZRTP does not rely on SIP signalling for key management, and in fact does not rely on any centralized servers at all. It performs its key agreements and key management in a purely peer-to-peer (between endpoint phones) manner on a call by call basis over the RTP packet stream. ZRTP supports opportunistic encryption by auto-sensing if the other VoIP client supports ZRTP and automatically negotiating a secure call if so.
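The following is an added example, not code from ZRTP, FreeSwitch or SecurePBX. It is a simplified model of the ephemeral Diffie-Hellman, hash commitment and short authentication string (SAS) ideas described above, showing why a substituted key exchange produces different strings on the two phones. The toy group parameters, message layout and all names are assumptions made for the illustration.

```python
"""Simplified model of ZRTP-style key agreement: ephemeral DH, hash
commitment, short authentication string. Not the real wire format."""
import hashlib
import hmac
import secrets

# Toy group chosen for this example only: Mersenne prime 2^521 - 1, generator 3.
# Real ZRTP endpoints negotiate standardized DH / ECDH groups.
P = 2**521 - 1
G = 3


def to_bytes(n: int) -> bytes:
    return n.to_bytes(66, "big")  # 521 bits fit in 66 bytes


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so field boundaries are unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


class Endpoint:
    """One phone. The private value is created per call and never stored,
    which is what gives the forward secrecy property."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)

    def commitment(self) -> bytes:
        # Sent before the public value is revealed, so the sender cannot
        # pick a value later that steers the short SAS.
        return h(b"commit", to_bytes(self.pub))

    def sas(self, peer_pub: int, initiator_pub: int, responder_pub: int) -> str:
        # The SAS covers the shared secret and both public values as seen
        # by this phone. 5 hex characters = 20 bits, read out by the user.
        shared = pow(peer_pub, self.priv, P)
        digest = h(b"sas", to_bytes(shared),
                   to_bytes(initiator_pub), to_bytes(responder_pub))
        return digest.hex()[:5]


def verify_commitment(commit: bytes, revealed_pub: int) -> bool:
    """Responder's check that the revealed value matches the earlier commit."""
    return hmac.compare_digest(commit, h(b"commit", to_bytes(revealed_pub)))


def setup_call(intercepted: bool = False):
    """Return (sas_on_alice_phone, sas_on_bob_phone, commitment_ok)."""
    alice, bob = Endpoint(), Endpoint()  # alice initiates, bob responds
    if not intercepted:
        commit_seen_by_bob, pub_seen_by_bob = alice.commitment(), alice.pub
        pub_seen_by_alice = bob.pub
    else:
        # Constructed failure case: something on the media path replaces the
        # ephemeral values in both directions with its own.
        toward_alice, toward_bob = Endpoint(), Endpoint()
        commit_seen_by_bob = toward_bob.commitment()
        pub_seen_by_bob = toward_bob.pub
        pub_seen_by_alice = toward_alice.pub
    # The commitment is self-consistent in both cases; it is the SAS
    # comparison between the two users that exposes the substitution.
    commitment_ok = verify_commitment(commit_seen_by_bob, pub_seen_by_bob)
    sas_alice = alice.sas(pub_seen_by_alice, alice.pub, pub_seen_by_alice)
    sas_bob = bob.sas(pub_seen_by_bob, pub_seen_by_bob, bob.pub)
    return sas_alice, sas_bob, commitment_ok


if __name__ == "__main__":
    for label, flag in (("direct call", False), ("intercepted call", True)):
        a, b, ok = setup_call(flag)
        verdict = "match" if a == b else "MISMATCH: do not trust this call"
        print(f"{label}: alice reads {a}, bob reads {b} -> {verdict}")
```

A mismatch between the two strings read aloud is the signal to hang up; matching strings mean both phones derived the same secret from the same pair of public values.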
The Z-phone project has an excellent ZRTP FAQ.
TODO: Elaborate
SecurePBX (FreeSwitch / FusionPBX secure telephone system) is an optional (licensed) application available to SecureOffice users. A free trial license is available to try before buy.
SecurePBX comes pre-configured to support 20 extensions (phones) and 4 SIP trunks (phone lines) with very minimal user configuration required to adapt to your networking environment. This allows you to be up and running quickly, making secure audio / video phone calls. More extensions / SIP trunks can be easily added. The limit for number of extensions is 10,000, enough to provide telephony services for a small town. See the step by step SecurePBX configuration instructions for further information.
SecurePBX comes pre-configured with a rich set of features, accessible by star codes (*feature#), listed by FusionPBX documentation. Alternatively, once SecurePBX is configured, using the FusionPBX GUI, the feature code list can be displayed and configured by accessing "Services->SecurePBX->Dialplan -> Dialplan Manager".
New features (including IVR applications) can be easily defined (by programmers) using XML scripting and a rich set of programming languages such as lua. An overview of programming languages supported is listed on the FreeSwitch wiki.
To maximize usage time for trial licenses, it is recommended that requirements be prepared in advance, since they may take time. The following are required:
The effort required to meet these requirements is not wasted if the SecurePBX trial license runs out and you choose to not purchase SecurePBX. After license expiry, any SIP phone(s) can be re-configured to bypass SecurePBX and communicate directly with the selected gateway (phone number) provider and you will have a low (or zero) cost VoIP phone number for your SIP phone. At a minimum, you have learned something, value unto itself.
After the router (OpenWrt) functionality of SecureOffice is configured according to previous (pre-requisite) sections, SecurePBX can be installed and configured.
Follow the instructions in Install Premium Content, selecting SecurePBX as the application.
During configuration, if behavior is unexpected (not according to this documentation), follow the instructions in TroubleShooting SecurePBX.
Using a browser on the appropriate network (SecureOffice LAN port for WAN topology, existing router LAN port for LAN topology), enter the SecureOffice IP address in a browser. For WAN topology, this will be the SecureOffice LAN address (default 192.168.10.1). For LAN topology, this will be the static IP address configured for the SecureOffice WAN port.
Log in to the OpenWrt GUI and navigate to "Services->SecurePBX". You will see the FusionPBX login page (Figure 1):
If you have just installed SecurePBX and cannot access the web GUI for configuration (installation may require cleaning Luci cache and restarting Nginx), rebooting SecureOffice (enter "reboot" at a command prompt) should fix the problem.
Figure 1: FusionPBX Login Prompt
The username is "admin@<domain>", where <domain> is the domain that FusionPBX is configured for (default: example.com), and the default password is "admin". Enter them and you will be logged in, ready to configure, as shown below:
Figure 2: FusionPBX Initial Login Page
Subsequent navigation instructions will be expressed (as with OpenWrt) using the form:
"Tab1 -> Tab2 -> Tab3", etc. using FusionPBX menu entries.
Navigate to: "Home -> Account Settings"
You can add user accounts, change the admin password, language and time zone on this page (Figure 3, below).
Be sure to remember your new password. Recovery is possible, but will require a web search and technical skills to recover. The procedure is here using PostgreSQL database:
Figure 3: FusionPBX Account Settings
If the SecureOffice LAN IP address has been changed from the default of "192.168.10.1", for either LAN or WAN network topologies, FusionPBX must be configured for the same IP address.
Navigate to: "Advanced->Variables" and scroll down to the "SecurePBX Environment" section as shown below.
Figure 4: FusionPBX LAN Address Configuration
Click the pencil icon for the "force_local_ip4" entry to change it. Change the "Value" field to the configured LAN address (WAN Topology, LAN Topology). Click "Save".
If you require telephony (or any) services to be publicly accessible over the internet, a domain name is required. FusionPBX must be configured for the domain. It is assumed (from SecureOffice installation) that you already have a working domain name and dynamic DNS service.
To verify that your domain is active, from any PC (command prompt) with internet connectivity:
Enter "ping <yourdomain>", where "<yourdomain>" is the domain name chosen and configured previously. Ensure a valid response containing your public IP address (and not LAN address) and fix any problems before proceeding.
Navigate to "Advanced->Domains", as shown below:
Figure 5: FusionPBX Domain Configuration Step 1
Click the pencil icon and change the Domain to match your domain name. Click "Save".
It is possible to configure FreeSwitch / FusionPBX to serve multiple domains, so one SecureOffice installation can serve multiple domains. This is useful for service providers, to provide SecureOffice telephone functionality for multiple organizations. To do so is beyond the scope of this document, but Google is your friend.
After changing FusionPBX domain, it is necessary to restart FreeSwitch for the changes to take effect. This can be deferred until all FusionPBX configuration is complete.
To restart FreeSwitch, enter "/etc/init.d/freeswitch stop; /etc/init.d/freeswitch start" from a command prompt.
SecurePBX is configured to require domain names (as opposed to IP addresses) for phone / device configuration. This means when a phone is connected to the SecurePBX LAN, IP address lookup (DNS) for the SecurePBX domain must return the local LAN address of SecureOffice / SecurePBX. This is achieved by an entry in the "/etc/hosts" file relating domain names to LAN address.
To achieve this, edit the "/etc/hosts" file and add an entry of the following form:
"<Your LAN Address> <Your Domain>". Example: "192.168.10.1 bogus_domain.org"
The effect of this is, for phones, when "out and about" using a data connection or WiFi; DNS will return the public IP address of your domain. When connected over WiFi (local LAN), DNS will return the LAN address of SecurePBX.
A gateway is a SIP phone line with associated PSTN phone number.
In order to communicate using the PSTN (Public Switched Telephone Network), using regular phone numbers, a minimum of one SIP gateway (trunk, phone #) is required.
The default SecurePBX configuration allows up to four SIP lines (trunks). More lines can be easily added, as required.
It is assumed you already have an account with a SIP VoIP provider and possess the credentials required for configuring your phone lines / gateways. If not, choose and create an account with a VoIP provider as documented in Gateways and Phones before proceeding.
Navigate to: "Accounts->Gateways"
You will see the four default Gateways (phone #'s) shown below.
Figure 6: FusionPBX Default Gateways
Using the credentials supplied by your VoIP provider, configure and enable all the gateways (phone #'s) that you require.
If more than the default four gateways (phone lines) are required, click the "+" button to create another gateway (phone #).
To configure a gateway, click the pencil icon for the gateway and enter the parameters for each gateway (phone #).
The "Gateway" value MUST be assigned the eleven-digit (including leading 1) PSTN phone # of the gateway. The Gateway name (phone #) will be configured as a variable "${lineX_number}" used to assign outgoing lines for extensions and incoming lines for ring groups.
TODO: Document and test gateways for non-North American numbering plans. May need help from international users. Please post HOWTO in forum, including any required dialplan configuration.
Below are the gateway configuration parameters, showing the minimal values that most VoIP providers require.
Figure 7: Minimal Gateway Parameters
For each gateway, enter the parameters. The first four values are provided by the VoIP provider for a particular gateway. Enter the domain name of your SecureOffice installation for the "Proxy" and "Realm" fields. Scroll down, click "Save" and then "Back".
Optional: After all gateways are configured, restart FreeSwitch for the settings and gateway registrations to take effect:
Your browser should still be at the "Accounts->Gateways" page. If not, navigate there.
You will see the registration status for each gateway. All configured and enabled gateways should have status "REGED". If, after waiting a few minutes, the status is "UNREGED" or "FAIL_WAIT", there is a configuration problem. Verify all gateway parameters and ensure the gateway is enabled.
If all parameters look OK, but a gateway is not "REGED", you will need to check the freeswitch log for clues. At a SecureOffice command prompt, enter:
"Correct any problems reported" means: search the internet: "Freeswitch <error string from freeswitch.log>". The error string (if you are at a SecureOffice command prompt over SSH) can be copied from within the nano editor by highlighting it and right clicking. The error string will be in the clipboard and can be pasted. If the internet is not helpful, you may need to contact your VoIP provider's tech support.
Do not proceed until the status of all enabled gateways is "REGED".
The following "LineX_numbers" are used to select / assign the outgoing line for each extension (phone), as discussed in the next section.
Once all gateways are configured and registered, assign the corresponding line #'s by navigating to "Advanced->Variables". For each gateway # assigned above, assign the corresponding "lineX_number" to the gateway number to be used for lineX, where X is 1,2,3, etc., as shown below:
Figure 8: Line Number to Gateway Assignments
If you have created more gateways (phone numbers) than the default of four, each new gateway must have a corresponding "lineX_number" variable which must be created. To do so, click "+" to add a new variable with name "lineX_number", where X is the new line number and clone the settings from one of the existing line numbers. For example, line 5 will be named "line5_number" and so on. When creating / editing a "lineX_number", be sure that it is "Enabled", assigned the same "Category" and "Order" as the other lineX_numbers, so they will be grouped with the other "lineX_numbers" in the FusionPBX GUI.
The configuration page for a "lineX_number" (click pencil icon) is shown below:
Figure 9: Assign Gateway Number to Line Number
An extension is a phone with associated extension#, managed by the FusionPBX SIP switch / server.
The default SecurePBX dialplan uses four-digit extension numbers, allowing ten thousand local extensions, sufficient to serve a small town or a moderate size corporation. SecurePBX default configuration has twenty local extensions, numbered 1000 to 1019. More extensions can easily be added.
Each extension represents and requires a corresponding SIP phone (endpoint).
It is assumed you have already selected and installed any SIP phones needed. If not, choose and install (but not configure) as many SIP phones as required as documented in choose phones before proceeding.
Each extension can be configured to use a particular gateway ("$${lineX_number}") for outgoing calls. For incoming calls, an extension can also be configured to ring as part of a ring group or from a particular gateway (line#).
Configuration parameters for each extension such as "user" and "password" have a one-to-one correspondence to the corresponding physical device configuration (phone, softphone, ATA) serviced by FusionPBX.
Navigate to "Accounts->Extensions". The extensions summary page will display as partially shown below:
Figure 10: Extensions Summary Page
Choose which phones (previously installed) will be assigned to which extensions. The parameters in Table 1 correspond to device parameters and must be identical for the FusionPBX extension and corresponding device (phone) configuration. It is suggested to first configure all FusionPBX extensions, then configure extension devices.
| Name | Corresponding Device Parameter | Description |
|---|---|---|
| Extension | Yes | Extension Name. If numeric, Number Alias is optional. If a name (eg: "Mary Jones"), Number Alias is extension #. If numeric, is extension #. |
| Number Alias | No | Leave blank if "Extension Name" is numeric, else "Extension#" |
| Password | Yes | Default = securePBX. The password used by the corresponding device to register with SecurePBX. Recommend to change password, unique for each extension. |
| Voicemail Password | No | Default: Extension #. Used to access extension voicemail using "*97". Recommend to change password, unique for each extension. |
| Effective Caller ID Name | No | Caller ID name for internal calls (extensions) |
| Effective Caller ID Number | No | Caller ID number for internal calls (extensions). |
| Outbound Caller ID Name | No | Caller ID name for external calls |
| Outbound Caller ID Number | No | Displayed Caller ID number and phone # (gateway) for external calls. Default "$${lineX_number}", relating extension # to outgoing phone number. Change X to correspond to the desired outgoing line # |
| Limit Max | No | The maximum # of external calls the user is allowed to make. "-1" = no limit. |
| Voicemail Enabled | No | Enable voicemail for this extension. |
| Context | Yes | The domain of this extension. Default = "$${domain_name}". Automatically replaced by configured FusionPBX domain name. Do not change unless you REALLY know what you are doing. For example, configuring FusionPBX for multidomain support, outside the scope of this document. |
| Enabled | No | Whether the extension is enabled or not. |
Table 1: Mandatory Extension Configuration Parameters
To configure an extension, click the pencil icon next to the extension to be configured. The extension configuration page will display, as partially shown below:
Figure 11: Extension Configuration
Configure the extension with all of the mandatory parameters from Table 1. It is recommended to change the "Password" and "Voicemail Password" from the defaults. The current value of passwords can be displayed by moving the mouse over the password field.
Optional: Review Table 2 to determine whether you require any optional configuration parameters and, if so, enter them. It is suggested to defer this step, keeping the defaults until you are fine tuning particular extensions, or until problems with a particular extension are observed and debugging, including an internet search of symptoms, suggests changing optional parameters.
Once an extension is configured, click "Save" and then "Back" for all extensions required.
After all extensions are configured, configure each device with parameters corresponding to its extension parameters. If you selected a phone / device from the choose phones section, configuration instructions for a selection of devices are at the previous link. If the phone is a softphone, make sure the application is running and enabled.
If the phone / device does not have configuration instructions on this site, check the device documentation, manufacturer's website or do an internet search for "device model # configuration".
To check the status of extensions, navigate to "Status->Registrations". The extension status page will display, as shown below:
Figure 12: Extensions Registration Status
If there are any extensions you have configured and expect to be registered, but are not on the registration page, the problematic extension configuration needs to be fixed.
The FusionPBX Wiki has additional information regarding configuring extensions and devices.
| Name | Corresponding Device Parameter | Description |
|---|---|---|
| Number Alias | Yes | Use if Extension has name. The extension # corresponding to name. |
| User List | No | The list of users assigned to this extension. Used for user web access to voicemail, etc. |
| Account Code | No | This is not used anywhere in the default dialplan but is provided by FreeSwitch and therefore is provided by FusionPBX for full compatibility. It sets a variable for the extension that could be used in a dialplan condition, for example call billing. |
| Emergency Caller ID Name | No | Future feature variable. Leave blank. |
| Emergency Caller ID Number | No | Future feature variable. Leave blank. |
| Directory Full Name | No | Full name of user for directory and dial by name applications. |
| Directory Visible | No | Whether user name is visible in directory. |
| Directory Extension Visible | No | Whether extension # is visible in directory. |
| Limit Destination | No | The destination to forward outgoing calls to when user has exceeded "Limit Max". |
| Device Provisioning | No | Select from template for various models of SIP phones from various manufacturers. |
| Voicemail Mail To | No | The email address to send voicemail / notifications to for this extension. |
| Voicemail Attach File | No | Whether to attach the recorded voicemail file to email notifications. Strongly advise to leave this False, since the email recordings will be insecure, defeating the purpose of secure communications. If voicemails are accessed using "*97" from a local (on LAN) phone or remote ZRTP capable phone, you can listen to them securely. |
| VM Keep Local After Email | No | Whether or not to keep the voicemail, after it has been emailed. Suggest True, user can delete voicemail using "*97" voicemail IVR menu. |
| Toll Allow | No | Toll Allow is a variable that can be set per extension. It allows you to limit who can make what type of calls. Note that although the variable is provided in the extension configuration, the default dialplan DOES NOT make use of it. Therefore, if you want to use it you need to add conditions to the dialplan to enable it. This requires dialplan programming skills. |
| Call Timeout | No | The time-out for giving up during call setup, should the call fail. Default 30 seconds |
| Call Group | No | Assign extension to a call group for features like ring groups. Superseded by Apps->Ring Groups. May be useful for user dialplans. |
| Record | No | Whether to record calls from / to this extension. |
| Hold Music | No | Source of music when far end is placed on hold. |
| Auth ACL | No | Users can have "auth-acl" parameters applied to them so as to restrict user access to a predefined ACL or a CIDR. |
| CIDR | No | Allow calls only from / to a particular IP address range. |
| SIP Force Contact | No | Re-write the IP address and / or port # to match far end parameters. |
| SIP Force Expires | No | Ignore client registration expire time (seconds) and de-register client after this time. |
| Nibble Account | No | The account to bill calls from / to this extension to. |
| MWI Account | No | Send MWI indications to email address, as opposed to device at this extension. This is a future feature. This parameter does nothing. Leave blank. |
| SIP Bypass Media | No | FusionPBX media handling mode. Default blank (Man in The Middle), FusionPBX transcodes (and encrypts if secure call) media and passes it end to end. If this extension is ZRTP capable and resides on the internet, not on SecureOffice LAN, system load can be reduced by selecting "bypass after bridge" resulting in RTP media being handled peer to peer, bypassing FusionPBX once the call is established. Be very sure what you are doing (internet search) before enabling this. |
| Dial String | No | Define alternate dial string, as opposed to default. |
| Description | No | Optional description of extension |
Table 2: Optional Extension Configuration Parameters
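One way to check a set of extensions against the recommendations in Tables 1 and 2 (unique non-default "Password", non-default "Voicemail Password", "Voicemail Attach File" left False) is sketched below. This is an added example, not part of SecurePBX or FusionPBX; the CSV layout and column names are assumptions for the illustration, and the sample rows are constructed.

```python
"""Audit a list of extensions for the default credentials named in Table 1
and the insecure voicemail option named in Table 2."""
import csv
import io
from collections import Counter

DEFAULT_SIP_PASSWORD = "securePBX"  # default "Password" stated in Table 1

# Constructed sample data. The column names are hypothetical and do not
# represent a FusionPBX export format.
SAMPLE_CSV = """extension,password,voicemail_password,voicemail_attach_file
1000,securePBX,1000,false
1001,k7#Qp2vLx9,4821,false
1002,k7#Qp2vLx9,1002,true
1003,Zt4!mWc8Rb,9035,false
"""


def audit_extensions(csv_text: str) -> dict:
    """Return {extension: [issues]} for every extension with a finding."""
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    reuse = Counter(row["password"] for row in rows)
    findings = {}
    for row in rows:
        issues = []
        if row["password"] == DEFAULT_SIP_PASSWORD:
            issues.append("default SIP password")
        elif reuse[row["password"]] > 1:
            # Table 1 recommends a password unique to each extension.
            issues.append("SIP password shared with another extension")
        if row["voicemail_password"] == row["extension"]:
            # Table 1: the voicemail password defaults to the extension #.
            issues.append("default voicemail password")
        if row["voicemail_attach_file"].strip().lower() == "true":
            # Table 2: attached recordings travel over insecure email.
            issues.append("voicemail attached to email")
        if issues:
            findings[row["extension"]] = issues
    return findings


if __name__ == "__main__":
    for ext, issues in sorted(audit_extensions(SAMPLE_CSV).items()):
        print(f"extension {ext}: " + "; ".join(issues))
```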
The FusionPBX documentation explains how to set up Fax extensions.
If you are interested in secure (encrypted) fax, there are two ways to achieve this:
At this point, secure fax is outside the scope of this document. It is hoped that users will contribute a HowTo.
A ring group is an extension, or, group of extensions that ring when an incoming call comes in over a gateway (external PSTN phone number). The extensions that ring for each external line are configurable. Ring groups are software extensions that ring other extensions.
SecurePBX default configuration provides four ring groups, one per default gateway (external phone number).
Call Timeout is a variable assigned to each extension ("Accounts->Extensions") which sets the amount of time (seconds) from the extension's first ring to when the default action (transfer to voicemail) occurs if no answer. The default timeout assigned to extensions is 60 seconds, which can be changed on a per extension basis.
Ring groups also have timeouts that determine when (from first ring), if no extension answers, the call is transferred to the "Timeout Destination". There is an interaction between an extension's call timeout and ring group (of which an extension is a member) timeouts.
In order for a ring group to be able to function properly and transfer to the "Timeout Destination", the sum of the "Delay" and "Timeout" values assigned to extensions within ring groups must be less than the smallest "Call Timeout" value assigned to any extension within the ring group. If this is not so, the first extension (within the ring group) to timeout will perform its default action (transfer to voicemail) and the ring group timeout action will never occur.
If the default transfer to voicemail timeout (60 seconds) for extensions is considered too much or too little, it is suggested to set the "Call Timeout" for all extensions to be identical, for simplicity. This saves the effort of having to consider the timeouts of each extension within a ring group when setting the "Delay" and "Timeout" values for each extension within a ring group.
The extensions that ring for each gateway are configured by navigating (FusionPBX GUI) to "Advanced->Variables" and scrolling down to the "SecurePBX Environment" section, partially shown below:
Figure 13: Gateway to Ring Extension Assignments
Referring to the above figure, the ring group extensions are 9991 to 9994, corresponding to Line1 to Line4 ring (incoming calls) extensions.
If you do not want a ring group for a particular gateway, the corresponding "lineX_extension" number can be changed to any extension. This is useful for redirecting a gateway to a dedicated extension, FAX or IVR (Integrated Voice Response) extension.
If you have added more gateways, a ring group can be created for it by clicking "+". Be sure the extension number you allocate for it is unassigned (check "Dialplan->Dialplan Manager"). Change "Context" to "${domain_name}" for any new ring groups.
To configure multiple phones to ring for a gateway, navigate to "Apps->Ring Groups". You will see the default ring groups, as shown below:
Figure 14: Ring Groups
To assign extensions that ring to a ring group, click the pencil icon next to the ring group corresponding to the gateway (LX_Ring_Group), where X is the line number of the gateway the extensions should ring for. You will see the ring group configuration page, as shown below.
Figure 15: Edit Ring Group
In Figure 15 above, extensions 1000, 1004, 1005 and 9999 Fax have been configured to ring simultaneously for Line 1 incoming calls. The first extension to answer gets the call. If no extension is answered, after the Timeout, the call is transferred to the "Timeout Destination" (extension 1000) which will go to voicemail (default).
Note that the sum of "Delay" and "Timeout" (seconds) is (and must be) less than the extension timeout (default 30 seconds) for all extensions.
It is suggested to verify ability to initiate / receive phone calls between two phones. Test each phone for ability to both initiate and receive calls, under various conditions according to the following sections.
Many, if not all, cellular data providers are moving to firewalls and symmetric NAT, which badly break VoIP protocols and, in general, IP services that rely on multiple ports.
SecureOffice solves this problem using the custom VPN Scripts package, to run a VPN server for mobile clients to connect to using a VPN client. This bypasses any cellular network restrictions, allowing SIP to work on mobile devices over cellular networks. Secure fax (external fax extension) can also be accomplished using SecureOffice VPN server.
In subsequent sections, if your extension is not working using your cellular connection or external (not SecureOffice) network, you may have to connect to SecureOffice using VPN to bypass firewalls of intermediate servers, in which case, your device will appear to be on the SecureOffice LAN.
Some tests require phones registered on the SecureOffice LAN and phones registered on the internet.
You can easily change an Android SIP phone from being registered on the SecureOffice LAN to being registered on the Internet by turning off phone WiFi. This forces phone registration using a cellular data connection. Turning WiFi back on will force the extension to register on the LAN. The Android SIP phone application must support and be configured for network switching.
Some tests require two phones registered as extensions on the internet, using two separate Internet connections. Possibilities are:
Test the following call permutations:
For each call above, ensure that Caller ID is displayed as expected on the destination phone and that audio is two way.
Diagnose and fix any problems before proceeding.
Repeat the Basic Voice Call tests above for video calls. Alternatively, omit "Basic Voice Calls" testing and use video phones instead of voice phones for basic call testing.
For each call, ensure that Caller ID is displayed as expected on the destination phone and that audio and video are two way.
Determining if a call is ZRTP encrypted is phone specific. Usually, the phone UI main page indicates encryption status, including the Secure Authentication String (SAS), which must match at both ends of the call; if it does not, a "Man In The Middle" (MITM) is monitoring the call.
Test each phone for both call initiate and receive.
The following calls should be ZRTP encrypted (totally secure), unconditionally:
Unless noted otherwise, the FreeSwitch and FusionPBX portions of SecurePBX behave and are configured identically to the standard applications.
Once SecurePBX has been installed, fully configured, tested and any problems fixed, it should run trouble-free for years.
If problems do occur later, the prime suspect is recent user SecureOffice configuration changes.
If the problem is still not solved after following the steps in subsequent sections, search the internet ("FreeSwitch <what is the problem>") for possible solutions. Another option is the FreeSwitch debugging procedures (some expertise required).
If still unable to determine a solution, ask for help in the support forum (this site) with detailed information regarding problem symptoms and what you have already tried. Nobody can help you until you help yourself by accurately identifying and describing the problem. Posts containing a simple "help, doesn't work" will be ignored and purged from the forum on a regular basis.
As problems are identified and corrected, they will be added to troubleshooting documentation on this support site.
Until SecurePBX is fully configured and tested, it is suggested to keep an SSH session open to SecureOffice using PuTTY. It is further suggested to learn how to use the "nano" editor. Instructions for both are available here.
Hint: When you use PuTTY to SSH into SecureOffice, any string can be copied from within the SSH session window by highlighting it and right clicking. The string will be in the clipboard and can be pasted in Windows applications or, into the SSH command window by moving the cursor to where you want to paste and right clicking again.
If FreeSwitch is not running, you will see one or both of the following symptoms:
If FreeSwitch is not running, inspect the logs and attempt to re-start (command prompt):
FreeSwitch requires the following support services to be enabled at boot and running:
For each service above, determine if it is running:
If the service is running, you will see two lines of output. If the service is not running, you will see only one line, containing "grep <service>".
For each service that is not running:
The above commands enable the service to start at boot, stop the service and then start the service.
If a service will not start, something may have changed from the standard SecureOffice / SecurePBX configuration. It is assumed the hardware requirements at SecureOffice Prerequisites have been met, eliminating hardware and device driver related problems.
To check for service-related problems, inspect logfiles:
After all service related problems are solved, enter "/etc/init.d/freeswitch stop; /etc/init.d/freeswitch start" at a command prompt to start SecurePBX. Repeat all of the above until successful and FreeSwitch and all support services are running.
If FreeSwitch is still not running, follow the advice at the beginning of this section.
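The service check described above can be scripted so that the "grep <service>" line never counts as a running service. This is an added example, not part of the SecurePBX documentation: the function names and the sample listing are constructed, the service names are ones this page mentions, and it assumes the last header column of the "ps -Af" listing is CMD or COMMAND.

```shell
#!/bin/sh
# Added example (not from the SecurePBX documentation).

# is_running NAME: reads a "ps -Af" listing on stdin and succeeds only when a
# process whose command is NAME is present. The command column is taken from
# the header row, so "grep NAME" and a user account called NAME never match.
is_running() {
    awk -v svc="$1" '
        NR == 1 { if ($NF == "CMD" || $NF == "COMMAND") k = NF; next }
        k && NF >= k {
            n = split($k, parts, "/")     # parts[n] = basename of executable
            name = parts[n]
            sub(/:$/, "", name)           # "nginx:" -> "nginx"
            if (name == svc) found = 1
        }
        END { exit !found }
    '
}

# down_services LISTING NAME...: print the named services absent from LISTING.
down_services() {
    listing=$1; shift
    down=""
    for svc in "$@"; do
        printf '%s\n' "$listing" | is_running "$svc" || down="$down $svc"
    done
    printf '%s\n' "${down# }"
}

# restart_service NAME: enable at boot, stop, then start (OpenWrt init script).
restart_service() {
    /etc/init.d/"$1" enable
    /etc/init.d/"$1" stop || true         # already stopped is fine
    /etc/init.d/"$1" start
}

# Constructed sample listing: freeswitch and nginx up, miniupnpd down.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1201     1  0 09:14 ?        00:00:41 /usr/bin/freeswitch -nc
root      1310     1  0 09:14 ?        00:00:00 nginx: master process /usr/sbin/nginx
root      2044  1999  0 10:02 pts/0    00:00:00 grep miniupnpd'

# On a live system: down_services "$(ps -Af)" nginx miniupnpd minissdpd
down_services "$SAMPLE_PS" freeswitch nginx miniupnpd   # prints: miniupnpd
```

Each name printed by down_services is a candidate for restart_service, followed by a look at the logfiles if it still will not start.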
If you have just installed SecurePBX and cannot access the FusionPBX web GUI for configuration, rebooting SecureOffice (enter "reboot" at a command prompt) should fix the problem, which is likely due to Nginx configuration changes (at installation) and the Luci cache.
If FreeSwitch is running and you cannot access the FusionPBX GUI configuration pages, it may be a problem with the OpenWrt web server. Try the following commands:
"rm -rf /tmp/luci-*" (clear web server cache)
"/etc/init.d/nginx stop; /etc/init.d/nginx start" (stop and start web server)
If all gateway parameters look OK, but a gateway status is not "REGED", you will need to check the FreeSwitch log for clues. At a SecureOffice command prompt, enter:
"Correct any problems reported" means: search the internet: "Freeswitch <error string from freeswitch.log>". The error string (if you are at a SecureOffice command prompt over SSH) can be copied from within the nano editor by highlighting it and right clicking. The error string will be in the clipboard and can be pasted.
To check whether SecurePBX is running, enter "ps -Af | grep freeswitch" at a command prompt. You should see "/usr/bin/freeswitch <parameters>". If not, Freeswitch is not running.
If freeswitch is running and the problem is you cannot access the OpenWrt GUI FusionPBX configuration pages, it may be a problem with the OpenWrt web server. Try the following commands:
"rm -rf /tmp/luci-*" (clear web server cache)
"/etc/init.d/nginx stop; /etc/init.d/nginx start" (stop and start web server)
Registration status for extensions is available using the FusionPBX GUI. Navigate to "Services->SecurePBX", login to FusionPBX and navigate to "Status->Registrations". Registered extensions will be displayed, as shown in Figure 12. Unregistered extensions will not be displayed.
Determine which extension(s) are not registered, but are expected to be.
For each un-registered extension, verify that the configuration values are correct, the device and extension are both enabled and the configuration for the device and FusionPBX extensions match. After correcting any configuration errors, re-start FreeSwitch and the device and re-check registration status.
If all configuration appears OK, but an extension is still not registered, you will need to check the FreeSwitch log for clues. At a SecureOffice command prompt, enter:
If there are no extension registration related error messages in the logfile, verify that SecureOffice and the extension are able to communicate with each other:
If the extension is not on the SecureOffice LAN, check SecureOffice firewall uPnP port status. Using the OpenWrt GUI, navigate to "Status -> Overview", scroll to the bottom and ensure that the "Active uPnP Redirects" table is not empty and contains the proper SIP ports.
If the extension is not on the SecureOffice LAN, it is possible, due to previous incorrect password configuration, that its IP address has been banned by logtrigger (a security measure that guards against brute force password attacks). If this is the case, consult the logtrigger documentation for a remedy, which requires restarting the OpenWrt firewall. SIP switches experience a lot of hacker attacks: invalid logins attempting toll fraud, that is, free long distance calls at your expense.
If there are no Redirects, the uPnP services (miniupnpd, minissdpd) are not running. Follow the services procedures in the "Freeswitch not Running" section.
If the extension is not on either (existing router or SecureOffice) LAN and you are using LAN Topology, ensure that your existing router firewall has the correct port forwards (SecureOffice Installation).
If all else fails, search the internet: "FreeSwitch <device model#> not registered" for additional help.
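To see whether an unregistered extension's own address is the one producing failed logins (and so may have been banned, as described above), the failures can be tallied per source address. This is an added example, not SecurePBX or logtrigger code: the function name, the MIN argument, the sample lines and the assumed FreeSwitch warning wording are assumptions to check against what your freeswitch.log actually shows.

```shell
#!/bin/sh
# Added example: tally failed SIP logins per source address from FreeSwitch log
# lines on stdin. Assumed warning wording (verify against your own log):
#   SIP auth failure (REGISTER) on sofia profile NAME for [user@domain] from ip ADDR

# auth_failures [MIN]: print "count address users..." for every address with at
# least MIN failures (default 1), busiest first. "auth challenge" lines are the
# normal first step of a registration and are not counted.
auth_failures() {
    awk -v min="${1:-1}" '
        /SIP auth failure \((REGISTER|INVITE)\)/ {
            if (!match($0, /from ip [0-9A-Fa-f:.]+/)) next
            ip = substr($0, RSTART + 8, RLENGTH - 8)
            user = "?"
            if (match($0, /for \[[^]@]*/))
                user = substr($0, RSTART + 5, RLENGTH - 5)
            count[ip]++
            if (index(" " users[ip] " ", " " user " ") == 0)
                users[ip] = users[ip] (users[ip] == "" ? "" : " ") user
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip, users[ip]
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, made-up extensions).
SAMPLE_LOG="2024-05-02 10:15:01.100000 [WARNING] sofia_reg.c:1 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1000@pbx.example.net] from ip 192.168.1.50
2024-05-02 10:15:02.100000 [WARNING] sofia_reg.c:2 SIP auth failure (REGISTER) on sofia profile 'internal' for [1004@pbx.example.net] from ip 203.0.113.7
2024-05-02 10:15:03.100000 [WARNING] sofia_reg.c:2 SIP auth failure (REGISTER) on sofia profile 'internal' for [100@pbx.example.net] from ip 198.51.100.23
2024-05-02 10:15:04.100000 [WARNING] sofia_reg.c:2 SIP auth failure (REGISTER) on sofia profile 'internal' for [101@pbx.example.net] from ip 198.51.100.23
2024-05-02 10:15:05.100000 [WARNING] sofia_reg.c:2 SIP auth failure (REGISTER) on sofia profile 'internal' for [1004@pbx.example.net] from ip 203.0.113.7
2024-05-02 10:15:06.100000 [WARNING] sofia_reg.c:2 SIP auth failure (REGISTER) on sofia profile 'internal' for [admin@pbx.example.net] from ip 198.51.100.23
2024-05-02 10:15:07.100000 [WARNING] sofia_reg.c:2 SIP auth failure (REGISTER) on sofia profile 'internal' for [1000@pbx.example.net] from ip 198.51.100.23
2024-05-02 10:15:08.100000 [WARNING] sofia_reg.c:2 SIP auth failure (REGISTER) on sofia profile 'internal' for [1004@pbx.example.net] from ip 203.0.113.7"

printf '%s\n' "$SAMPLE_LOG" | auth_failures 3
```

An address failing repeatedly for one real extension points to a misconfigured phone password; an address cycling through many user names is a scan, which is what the ban is meant to stop.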
This indicates a firewall (uPnP or existing router) issue or IP address error (local LAN address and WAN address confusion during call setup).
Another symptom is the call is automatically dropped after approximately 30 seconds as the media watchdog activates.
Verify that uPnP is running and, if using LAN Topology, that the existing router firewall is configured with the correct port forwards.
Verify that the SecureOffice "/etc/hosts" file contains an entry "<SecureOffice LAN address> <SecureOffice domain>" discussed here. Otherwise, phones using DHCP on the SecureOffice LAN will use (DNS lookup) your WAN address instead of your LAN address for call setup, resulting in one-way audio / video.