User Login      + Register  

SecurePBX Installation  SecureOffice  xoops  29-Nov-2020 17:00  0  295 reads


1        About SecurePBX

1.1    Economic Advantages of SecurePBX

1.2    Security Advantages

1.3    About Encrypted Phone Calls

1.3.1      About SRTP Encryption

1.3.2      About ZRTP Encryption

1.4    SecurePBX Specifications

2        SecurePBX Installation

2.1    Default SecurePBX Configuration

2.2    SecurePBX Pre-Requisites

2.3    SecurePBX Installation

3        Configure SecurePBX

3.1    Login to FusionPBX

3.2    Set FusionPBX Password

3.3    Set FusionPBX LAN Address

3.4    Configure FusionPBX Domain

3.5    Configure DNS for Local LAN Address

3.6    Configure Gateways

3.7    FusionPBX Extensions or Phones

3.8    Configure Extensions

3.9    Configure Fax Extensions

3.10 Ring Group Extensions for Incoming Calls

3.10.1  About Call Timeouts

3.10.2  Configure Incoming Ring Destinations

3.10.3  Configure Ring Groups

4        Test Your SecurePBX Installation

4.1    About Cellular Data Connections

4.2    Moving a Phone from LAN to Internet

4.3    Second Internet Connection

4.4    Basic Voice Calls

4.5    Optional Video Calls

4.6    ZRTP Encrypted Calls

5        TroubleShooting SecurePBX

5.1    FreeSwitch not Running

5.2    No FusionPBX GUI

5.3    Gateway not Registered

5.4    Extension not Registered

5.5    One Way or No Audio or Video

List of Figures

Figure 1:       FusionPBX Login Prompt

Figure 2:       FusionPBX Initial Login Page

Figure 3:       FusionPBX Account Settings

Figure 4:       FusionPBX LAN Address Configuration

Figure 5:       FusionPBX Domain Configuration Step 1

Figure 6:       FusionPBX Default Gateways

Figure 7:       Minimal Gateway Parameters

Figure 8:       Line Number to Gateway Assignments

Figure 9:       Assign Gateway Number to Line Number

Figure 10:       Extensions Summary Page

Figure 11:       Extension Configuration

Figure 12:       Extensions Registration Status

Figure 13:       Gateway to Ring Extension Assignments

Figure 14:       Ring Groups

Figure 15:       Edit Ring Group

List of Tables

Table 1:       Mandatory Extension Configuration Parameters

Table 2:       Optional Extension Configuration Parameters

1        About SecurePBX

SecurePBX is an optional part of the SecureOffice integrated secure services hosting system which allows you to move your information infrastructure out of the cloud, with total information control and privacy, while still remaining "of the cloud". It is intended for individuals, businesses and organizations wishing the economic advantages of IP telephony and / or are concerned regarding snoops "casing their joints", meddling in their freedoms and private, peaceful business and communications.

SecurePBX is a premium (licensed) SecureOffice application based on the FreeSwitch SIP PBX (Private Branch eXchange) and FusionPBX (simplified web based GUI for FreeSwitch administration) projects.

In the following sections, SecurePBX refers to the integrated FreeSwitch and FusionPBX applications.

SecurePBX was created to bring the advantages of VoIP and secure telephony to a broader user base by providing a standard, mostly preconfigured, more easily administered telephone system requiring far less technical skills than it takes to install and administer FreeSwitch and FusionPBX by themselves. SecurePBX can replace existing PBX's (such as now unsupported Nortel) from many vendors, assuming existing phones are or can be configured to be standard SIP devices.

There is absolutely nothing preventing anyone highly technically skilled willing to research and learn the requisite skills from spending months (at least) attempting to create, debug and fine tune their own custom FreeSwitch / FusionPBX installation, as opposed to paying for the significant effort that has gone into creating and testing SecureOffice and applications, an integrated, easier to use solution, consolidating all of your IP services.

If leading members of the FreeSwitch / FusionPBX teams consider any of the SecurePBX innovations (of their work) to be "of use", permission (copyright waivers) will be liberally considered by the SecurePBX team regarding incorporation of said innovations into their projects. SecurePBX is intended to augment and in no way detract from the awesome vision, competence and quality of the work of the FreeSwitch / FusionPBX teams.

Further, it is expected that SecurePBX will steer paid contracting work to members of the above teams by users who wish to add / augment custom features not yet provided by SecurePBX or HowTo's both on this site and the internet. It is also expected that some users, without the skills, time or interest to setup SecurePBX, but who require it, will just pay an IT consultant to install and maintain their installation.

At some point, a list of "approved" SecurePBX consultants (and customer ratings) will be provided on this site.

It is estimated (moderate PC / Linux skills) that it will take about four hours to go from bare metal to a fully configured and operational SecureOffice / SecurePBX system, once all perquisite configuration choices have been made and requirements are in place.

1.1    Economic Advantages of SecurePBX

If you are willing to install a SIP phone application on your cellphone(s) and take a mobility hit (no phone service unless WiFi available: home, work, internet cafe, incoming calls to voicemail), and make your cellphone extension a member of a ring group for your SecurePBX home phone number, you can completely eliminate your cellular phone bill. Incoming calls to your main phone will ring on your cell and outgoing calls will display your main phone number. An added bonus: those you call or call you cannot determine whether you are at home or "out and about", anywhere on the planet. Save $$$.

If you choose a cellular provider with a data only plan (as offered for Tablets), the above mobility restriction can be avoided.

TODO: elaborate, very long list.

1.2    Security Advantages

No snoops monitoring your secure phone calls. Encrypted Audio / Video / FAX / SMS.

1.3    About Encrypted Phone Calls

SecurePBX, out of the box, is capable of encrypting phone call audio / video media using either SRTP or ZRTP.

Given the superior performance, simplicity and security of ZRTP over SRTP, configuration instructions for ZRTP are provided on this site. Users wishing to use SRTP can consult the FreeSwitch / FusionPBX documentation and HowTo's on the internet for instructions.

1.3.1      About SRTP Encryption

Secure Real-time Transport Protocol (or SRTP) is an encryption standard for media streams used for audio / video phone calls. Further information may be found here.

SRTP requires both ends of the call to have access to a shared master encryption key, from which intermediate (per call) encryption keys are exchanged using SIP messaging, which must also be encrypted (SSL/TLS) to protect the per call encryption keys.

It is possible for SRTP endpoints to generate keys on the fly, but very few public telephony carriers support the required protocols, but private networks can.

SRTP was the first "real" media encryption standard. Widespread deployment has been held back by lack of a secure method (public key management infrastructure) for users to securely exchange the master key required for secure communications and lack of carrier (phone company) support for the protocols.

Further, should the SRTP master key ever be compromised, all recorded encrypted calls can be retroactively decrypted by snoops.

1.3.2      About ZRTP Encryption

Zimmermann Real-time Transport Protocol (or ZRTP) encryption enables you to make encrypted phone (audio / video) calls over the internet. ZRTP has a superior architecture over previous and alternate approaches (SRTP) for secure VoIP. Its principal designer is Phil Zimmermann, the creator of PGP, the most widely used encryption software in the world. Zimmerman and PGP legally took on and prevailed against "the man", who was (and still is) dead set against encryption (private communications) in general (for anyone but themselves).

The ZRTP protocol has updated cryptographic features superseding previous VoIP secure voice / video technologies. Although it uses a public key algorithm, it avoids the complexity of a public key infrastructure (PKI). In fact, it does not use persistent public keys at all. It uses ephemeral Diffie-Hellman with hash commitment, and allows the detection of Man-In-The-Middle (MITM) attacks by displaying a Short Authentication String (SAS) for call participants to verbally compare during the call. ZRTP has perfect forward secrecy, meaning the keys are destroyed at the end of the call, which prevents retroactively compromising the call by future disclosures of key encryption material. Be aware that massive data centers are storing everyone's communications.

Even if users do not bother verifying the SAS, decent authentication against a MITM attacks is provided, based on a form of key continuity. ZRTP does this by caching some key material to use in the next call, to be mixed in with the next calls DH shared secret, giving it key continuity properties analogous to SSH. All this is done without reliance on PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils email and SRTP encryption.

ZRTP does not rely on SIP signalling for key management, and in fact does not rely on any centralized servers at all. It performs its key agreements and key management in a purely peer-to-peer (between endpoint phones) manner on a call-by-call basis over the RTP packet (media) stream. ZRTP supports opportunistic encryption by auto-sensing if the other VoIP endpoint supports ZRTP and automatically negotiates a secure call if so.

The Z-phone project has an excellent ZRTP FAQ.

1.4    SecurePBX Specifications

  • Approximately 10,000 phone extensions (sufficient for a small town)
  • Four phone lines (easily add as many lines as you like)
  • Twenty extensions / phones (easily add as many extensions as you like)
  • Uses logtrigger to protect against unauthorized access and toll fraud.
  • Specifications for the FreeSwitch portion of SecurePBX can be found here.

TODO: Elaborate

2        SecurePBX Installation

SecurePBX (FreeSwitch / FusionPBX secure telephone system) is an optional (licensed) application available to SecureOffice users. A free trial license is available to try before buy.

2.1    Default SecurePBX Configuration

SecurePBX comes pre-configured to support 20 extensions (phones) and 4 SIP trunks (phone lines) with very minimal user configuration required to adapt to your networking environment. This allows you to be up and running quickly, making secure audio / video phone calls. More extensions / SIP trunks can be easily added. The limit for number of extensions is 10,000, enough to provide telephony services for a small town. See the step by step SecurePBX configuration instructions for further information.

SecurePBX comes pre-configured with a rich set of features, accessible by star codes (*feature#), listed by FusionPBX documentation. Alternatively, once SecurePBX is configured, using the FusionPBX GUI, the feature code list can be displayed and configured by accessing "Services->SecurePBX->Dialplan->Dialplan Manager".

New features (including IVR applications) can be easily defined (by programmers) using XML scripting or a rich set of programming languages such as lua. An overview of programming languages supported is listed on the FreeSwitch Wiki.

2.2    SecurePBX Pre-Requisites

To maximize usage time for trial licenses, it is recommended that requirements be prepared in advance, since they may take time. The following are required:

  • SecureOffice installed and configured with domain name, DDNS and SSL certificates.
  • A SIP phone line (gateway) provider and account as documented in Gateways and Phones.
  • At least two SIP phones, which may be free Android, PC or Mac applications as documented in choose phones.

The effort required to meet these requirements is not wasted if the SecurePBX trial license runs out and you do not purchase a SecurePBX license. After license expiry, any SIP phone(s) can be re-configured to bypass SecurePBX and communicate directly with the selected gateway (phone number) provider and you will have a low (or zero) cost VoIP phone number for your SIP phone. At a minimum, you have learned something, value unto itself.

2.3    SecurePBX Installation

After SecureOffice has been configured according to previous (pre-requisite) sections, SecurePBX can be installed and configured.

Follow instructions in Install Premium Application, selecting SecurePBX as the application.

3        Configure SecurePBX

During configuration, if behavior is unexpected (not according to this documentation), follow the instructions in TroubleShooting SecurePBX.

3.1    Login to FusionPBX

Using a browser on the appropriate network (SecureOffice LAN for WAN topology, existing router LAN for LAN topology), enter the SecureOffice IP address in a browser. For WAN topology, this will be the SecureOffice LAN address (default For LAN topology, this will be the static IP address configured for the SecureOffice WAN port.

Login to SecureOffice GUI, navigate to "Services->SecurePBX". You should see the FusionPBX login page, (Figure 1) below.

If SecurePBX is newly installed and the web GUI is not visible, try the following:

  • Enter "rm -rf /tmp/luci-*" (clear Luci cache)
  • Enter "/etc/init.d/nginx stop; /etc/init.d/nginx start" (stop and start Nginx web server)
  • Clear browser cache.
  • If the above methods fail, reboot SecureOffice: Enter "reboot" at a command prompt, reconnect WiFi and SSH session and try to access the Fusion PBX web GUI again.

Figure 1: FusionPBX Login Prompt

The username is "admin@<domain>", where "<domain>" is the configured FusionPBX domain (default: ""), default password is "admin". Enter login credentials and, you will be logged in, as shown below:

Figure 2: FusionPBX Initial Login Page

Subsequent navigation instructions will be expressed (as with OpenWrt) using the form:

"Tab1->Tab2->Tab3", etc. using FusionPBX menu entries.

3.2    Set FusionPBX Password

Navigate to: "Home->Account Settings"

You can add user accounts, change the admin password, language and time zone on this page (Figure 3, below).

Be sure to remember the new password. Recovery is possible, but will require a web search and technical skills to recover. The procedure is here using PostgreSQL database:

Figure 3: FusionPBX Account Settings

3.3    Set FusionPBX LAN Address

If the SecureOffice LAN IP address has been changed from the default of "", for either LAN or WAN network topologies, FusionPBX must be configured for the same IP address. In particular, for single ethernet hardware in LAN topology, the LAN IP address must be set for the static WAN IP address of SecureOffice.

Navigate to: "Advanced->Variables" and scroll down to the "SecurePBX Environment" section as shown below:

Figure 4: FusionPBX LAN Address Configuration

Click the "force_local_ip4" entry to change it. Change the "Value" field to the configured IP address (WAN Topology, LAN Topology). Click "Save".

3.4    Configure FusionPBX Domain

If you require telephony (or any) services to be publicly accessible on the internet, a domain name is required. FusionPBX must be configured for the domain. It is assumed (from SecureOffice installation) that you already have an active domain name and dynamic DNS service.

To verify that your domain is active, from any PC (command prompt) with internet connectivity:

Enter "ping www://<yourdomain>", where "<yourdomain>" is the domain name chosen and configured previously. Ensure a valid response containing your public IP address (and not LAN address) and fix any problems before proceeding.

Navigate to "Advanced->Domains", as shown below:

Figure 5: FusionPBX Domain Configuration Step 1

Click the domain entry and change the Domain to match your domain name (without "www"), Click "Save".

It is possible to configure FreeSwitch / FusionPBX to serve multiple domains, so one SecureOffice installation can serve multiple domains. This is an opportunity for service providers / VAR's, to provide SecureOffice functionality for multiple individuals / organizations. To do so is beyond the scope of this document, but Google is your friend.

After changing FusionPBX domain, it is necessary to restart FreeSwitch for the changes to take effect. This can be deferred until FusionPBX configuration is complete.

To restart Freeswitch, enter "/etc/init.d/freeswitch stop; /etc/init.d/freeswitch start" from a command prompt.

3.5    Configure DNS for Local LAN Address

SecurePBX is configured to require domain names (as opposed to IP addresses) for phone / device configuration. This means when a phone is WiFi connected to the SecurePBX LAN, IP address lookup (DNS) for the SecurePBX domain must return the local LAN address of SecureOffice / SecurePBX. This is achieved by an entry in the "/etc/hosts" file relating domain names to LAN address.

To achieve this, edit the "/etc/hosts" file (should already be done by SecureOffice initial configuration) and add an entry of the following form:

"<Your LAN Address> <Your Domain>, Example: ""

The effect of this is, for phones, when "out and about" using a data connection or WiFi; DNS will return the public IP address of your domain. When connected by WiFi (local LAN), DNS will return the LAN address of SecurePBX.

3.6    Configure Gateways

A gateway is a SIP phone line with associated PSTN phone number.

In order to communicate using the PSTN (Public Switched Telephone Network), using regular phone numbers, a minimum of one SIP gateway (trunk, phone #) is required.

The default SecurePBX configuration allows up to four SIP lines (trunks). More lines can be easily added, as required.

It is assumed you already have an account with a SIP VoIP provider and possess the credentials required for configuring your phone lines / gateways. If not, choose and create an account with a VoIP provider as documented in Gateways and Phones before proceeding.

Navigate to: "Accounts->Gateways"

You will see the four default Gateways (phone #'s) shown below:

Figure 6: FusionPBX Default Gateways

Using your VoIP provider credentials, configure and enable all the gateways (phone #'s) that you require. If more than the default four gateways (phone lines) are required, click the "+ ADD" button to create another gateway (phone #).

The "Gateway" value MUST be assigned the eleven-digit (including leading 1) PSTN phone # of the gateway. The Gateway name (phone #) will be configured as a variable "${lineX_number}" used to assign outgoing lines for extensions and incoming lines for ring groups.

TODO: Document and test gateways for non-North American numbering plans. May need help from international users. Please post HOWTO in forum, including any required dialplan configuration.

Below are the gateway configuration parameters, showing the minimal values that most VoIP providers require.

Figure 7: Minimal Gateway Parameters

For each gateway, enter the parameters. The first four values are provided by the VoIP provider for a particular gateway. Enter the domain name (without "www") of your SecureOffice installation for the "Proxy" and "Realm" fields. Scroll down, click "Save" and then "Back".

After all gateways are configured, restart FreeSwitch for the settings and gateway registrations to take effect:

  • At a SecureOffice command prompt, enter "/etc/init.d/freeswitch stop; /etc/init.d/freeswitch start"

Your browser should still be at the "Accounts->Gateways" page. If not, navigate there.

You will see the registration status for each gateway. All configured and enabled gateways should have status "REGED". If, after waiting a few minutes, the status is "UNREGED" or "FAIL_WAIT", there is a configuration problem. Verify all gateway parameters and ensure the gateway is enabled.

If all parameters look OK, but a gateway is not "REGED", you will need to check the freeswitch log for clues. At a SecureOffice command prompt, enter:

  • "nano /var/freeswitch/log/freeswitch.log"
  • Search for gateway name (phone #): "CTL+w" <phone #>" (Correct any problems reported)
  • If that fails search for errors: "CTL+w" "[ERR]" (Correct any problems reported)
  • Exit nano: "CTL+x"

"Correct any problems reported" means: search the internet: "Freeswitch <error string from freeswitch.log>". The error string (if you are at a SecureOffice command prompt over SSH) can be copied from within the nano editor by highlighting it and right clicking. The error string will be in the clipboard and can be pasted. If the internet is not helpful, you may need to contact your VoIP provider's tech support.

Do not proceed until the status of all enabled gateways is "REGED".

The following "LineX_numbers" are used to select / assign the outgoing line for each extension (phone), as discussed in the next section.

Once all gateways are configured and registered, assign the corresponding line #'s by navigating to "Advanced->Variables". For each gateway # assigned above, assign the corresponding "lineX_number" to the gateway number to be used for lineX, where X is 1,2,3, etc., as shown below:

Figure 8: Line Number to Gateway Assignments

If you have created more gateways (phone numbers) than the default of four, each new gateway must have a corresponding "lineX_number" variable which must be created. To do so, click "+" to add a new variable with name "lineX_number", where X is the new line number and clone the settings from one of the existing line numbers. For example, line 5 will be named "line5_number" and so on. When creating / editing a "lineX_number", be sure that it is "Enabled", assigned the same "Category" and "Order" as the other lineX_numbers, so they will be grouped with the other "lineX_numbers" in the FusionPBX GUI.

The configuration page for a "lineX_number" (click line number) is shown below:

Figure 9: Assign Gateway Number to Line Number

3.7    FusionPBX Extensions or Phones

An extension is a phone / endpoint with associated extension number or name (alias), managed by the FusionPBX SIP switch / server.

The default SecurePBX dialplan uses four-digit extension numbers, allowing ten thousand local extensions, sufficient to serve a small town or a moderate size corporation. SecurePBX default configuration has twenty local extensions, numbered 1000 to 1019. More extensions can easily be added.

Each extension represents and requires a corresponding SIP phone (endpoint).

It is assumed any SIP phones required have been selected and installed. If not, choose and install (but not configure) as many SIP phones as required as documented in choose phones before proceeding.

Each extension can be configured to use a particular gateway ("$${lineX_number}") for outgoing calls. For incoming calls, an extension can also be configured to ring as part of a ring group or from a particular gateway (line#).

Configuration parameters for each extension such as "user" and "password" have a one-to-one correspondence to the physical device configuration (phone, softphone, ATA) serviced by FusionPBX.

3.8    Configure Extensions

Navigate to "Accounts->Extensions". The extensions summary page will display as partially shown below:

Figure 10: Extensions Summary Page

Choose which phones will be assigned to which extensions. The parameters in Table 1 must be identical for each FusionPBX extension and corresponding device (phone) configuration. It is suggested to configure all FusionPBX extensions first, then configure extension devices.


Corresponding Device Parameter







Extension Name. If numeric, Number Alias is optional. If a name (eg: "Mary Jones", Number Alias is extension #. If numeric, is extension #.

Number Alias


Leave blank if "Extension Name" is numeric, else "Extension#"



Default = securePBX. The password used by the corresponding device to register with SecurePBX. Recommend to change password, unique for each extension.

Voicemail Password


Default: Extension #. Used to access extension voicemail using "*97". Recommend to change password, unique for each extension.

Effective Caller ID Name


Caller ID name for internal calls (extensions)

Effective Caller ID Number


Caller ID number for internal calls (extensions).

Outbound Caller ID Name


Caller ID name for external calls

Outbound Caller ID Number


Displayed Caller ID number and phone # (gateway) for external calls. Default "$${lineX_number}", relating extension # to outgoing phone number. Change X to correspond to the desired outgoing line #

Limit Max


The maximum # of external calls the user is allowed to make. "-1" = no limit.

Voicemail Enabled


Enable voicemail for this extension.



The domain of this extension. Default = "$${domain_name}". Automatically replaced by FusionPBX domain name. Do not change unless you REALLY know what you are doing. For example, configuring FusionPBX for multidomain support, outside the scope of this document.



Whether the extension is enabled or not.

Table 1: Mandatory Extension Configuration Parameters

To configure an extension, click the extension to be configured. The extension configuration page will display, as partially shown below:

Figure 11: Extension Configuration

FusionPBX supports automatic Device Provisioning for phones from major manufacturers. Instruction for automatic and manual phone provisioning for major manufacturers are here.

Configure the extension with all of the mandatory parameters from Table 1. It is recommended to change the "Password" and "Voicemail Password" from the defaults. The current value of passwords can be displayed by hovering the mouse over the password field.

Optional: Review Table 2 to determine if you require and enter any optional configuration parameters. It is suggested to defer this step, keeping the defaults until fine tuning particular extensions, or problems with a particular extension are observed and debugging, including internet search of symptoms suggests changing optional parameters.

Once an extension is configured, click "Save" and then "Back" for all extensions required.

After all extensions are configured, configure all phones / devices with parameters corresponding to its FusionPBX extension parameters. If a phone / device from choose phones, was selected, configuration instructions for selected device are at the previous link. If the phone is a softphone, ensure the application is running and enabled.

If the phone / device does not have configuration instructions on this site, consult the device documentation, manufacturers website or do an internet search for "device model # configuration:

To check the status of extensions, navigate to "Status->Registrations". The extension status page will display, as shown below:

Figure 12: Extensions Registration Status

If there are any extensions you have configured and expect to be registered, but are not on the registration page, the problematic extension configuration needs to be fixed.

The FusionPBX Wiki has additional information regarding configuring extensions and devices


Corresponding Device Parameter





Number Alias


Use if Extension has name. The extension # corresponding to name.

User List


The list of users assigned to this extension. Used for user web access to voicemail, etc.

Account Code


This is not used anywhere in the default dialplan but is provided by FreeSwitch and therefore is provided by FusionPBX for full compatibility. It sets a variable for the extension that could be used in a dialplan condition, for example call billing.

Emergency Caller ID Name


Future feature variable. Leave blank.

Emergency Caller ID Number


Future feature variable. Leave blank.

Directory Full Name


Full name of user for directory and dial by name applications.

Directory Visible


Whether user name is visible in directory.

Directory Extension Visible


Whether extension # is visible in directory.

Limit Destination


The destination to forward outgoing calls to when user has exceeded "Limit Max".

Device Provisioning


Select from template for various models of SIP phones from various manufacturers.

Voicemail Mail To


The email address to send voicemail / notifications to for this extension.

Voicemail Attach File


Whether to attach the recorded voicemail file to email notifications. Strongly advise to leave this False, since the email recordings will be insecure, defeating the purpose of secure communications. If voicemails are accessed using "*97" from a local (on LAN) phone or remote ZRTP capable phone, you can listen to them securely.

VM Keep Local After Email


Whether or not to keep the voicemail, after it has been emailed. Suggest True, user can delete voicemail using "*97" voicemail IVR menu.

Toll Allow


Toll Allow is a variable that can be set per extension. It allows you to limit who can make what type of calls. Note that although the variable is provided in the extension configuration, the default dialplan DOES NOT make use of it. Therefore, if you want to use it you need to add conditions to the dialplan to enable it. This requires dialplan programming skills.

Call Timeout


The time-out for giving up during call setup, should the call fail. Default 30 seconds

Call Group


Assign extension to a call group for features like ring groups. Superseded by Apps->Ring Groups. May be useful for user dialplans.



Whether to record calls from / to this extension.

Hold Music


Source of music when far end is placed on hold.

Auth ACL


Users can have "auth-acl" parameters applied to them so as to restrict user access to a predefined ACL or a CIDR.



Allow calls only from / to a particular IP address range.

SIP Force Contact


Re-write the IP address and / or port # to match far end parameters.

SIP Force Expires


Ignore client registration expire time (seconds) and de-register client after this time.

Nibble Account


The account to bill calls from / to this extension to.

MWI Account


Send MWI indications to email address, as opposed to device at this extension. This is a future feature. This parameter does nothing. Leave blank.

SIP Bypass Media


FusionPBX media handling mode. Default blank (Man in The Middle), FusionPBX transcodes (and encrypts if secure call) media and passes it end to end. If this extension is ZRTP capable and resides on the internet, not on SecureOffice LAN, system load can be reduced by selecting "bypass after bridge" resulting in RTP media being handled peer to peer, bypassing FusionPBX once the call is established. Be very sure what you are doing (internet search) before enabling this.

Dial String


Define alternate dial string, as opposed to default.



Optional description of extension

Table 2: Optional Extension Configuration Parameters

3.9    Configure Fax Extensions

The FusionPBX documentation explains how to set up Fax extensions.

If you are interested in secure (encrypted) fax, there are two ways to achieve this:

  • Use physical fax machines with SRTP capable ATA's, with SRTP enabled at both ends.
  • Use a VPN connection between both fax endpoints, have both fax extensions registered on the same SecurePBX switch.

At this point, secure fax is outside the scope of this document. It is hoped that users will contribute a HowTo.

3.10 Ring Group Extensions for Incoming Calls

A ring group is an extension, or, group of extensions that ring when an incoming call comes in over a gateway (external PSTN phone number). The extensions that ring for each external line are configurable. Ring groups are virtual extensions that ring other extensions.

SecurePBX default configuration provides four ring groups, one per default gateway (external phone number).

3.10.1  About Call Timeouts

Call Timeout is a variable assigned to each extension ("Accounts->Extensions") which sets the amount of time (seconds) from the extension's first ring to when the default action (transfer to voicemail) occurs if no answer. The default timeout assigned to extensions is 60 seconds, which can be changed on a per extension basis.

Ring groups also have timeouts that determine when (from first ring), if no extension answers, the call is transferred to the "Timeout Destination". There is an interaction between an extension's call timeout and ring group (of which an extension is a member) timeouts.

In order for a ring group to be able to function properly and transfer to the "Timeout Destination", the sum of the "Delay" and "Timeout" values assigned to extensions within ring groups must be less than the smallest "Call Timeout" value assigned to any extension within the ring group. If this is not so, the first extension (within the ring group) to timeout will perform its default action (transfer to voicemail) and the ring group timeout action will never occur.

If the default transfer to voicemail timeout (60 seconds) for extensions is considered too much or too little, it is suggested to set the "Call Timeout" for all extensions to be identical, for simplicity. This saves the effort of having to consider the timeouts of each extension within a ring group when setting the "Delay" and "Timeout" values for each extension within a ring group.

3.10.2  Configure Incoming Ring Destinations

The extension that rings for each gateway are configured by navigating (FusionPBX GUI) to "Advanced->Variables" and scrolling down to the "SecurePBX Environment" section, partially shown below:

Figure 13: Gateway to Ring Extension Assignments

Referring to the above figure, the ring group extensions are 9991 to 9994, corresponding to Line1 to Line4 ring (incoming calls) extensions.

If you do not want a ring group for a particular gateway, the corresponding "lineX_extension" number can be changed to any extension. This is useful for redirecting a gateway to a dedicated extension, FAX or IVR (Integrated Voice Response) extension.

If you have added more gateways, a ring group can be created for it by clicking "+". Be sure the extension number you allocate for it is unassigned (check "Dialplan->Dialplan Manager"). Change "Context" to "${domain_name}" for any new ring groups.

3.10.3  Configure Ring Groups

To configure multiple phones to ring for a gateway, navigate to "Apps->Ring Groups". You will see the default ring groups, as shown below:

Figure 14: Ring Groups

To assign extensions that ring to a ring group, click the pencil icon next to the ring group corresponding to the gateway (LX_Ring_Group), where X is the line number of the gateway the extensions should ring for. You will see the ring group configuration page, as shown below.

Figure 15: Edit Ring Group

In Figure 15 above, extensions 1000, 1004, 1005 and 9999 Fax have been configured to ring simultaneously for Line 1 incoming calls. The first extension to answer gets the call. If no extension is answered, after the Timeout, the call is transferred to the "Timeout Destination" (extension 1000) which will go to voicemail (default).

Note that the sum of "Delay" and "Timeout" (seconds) are (and must be) less than the extension timeout (default 30 seconds) for all extensions.

4        Test Your SecurePBX Installation

It is suggested to verify ability to initiate / receive phone calls between two phones. Test each phone for ability to both initiate and receive calls, under various conditions according to the following sections.

4.1    About Cellular Data Connections

Many, if not all cellular data providers are moving to firewalls and symmetric NAT which badly break VoIP protocols, or in general, IP services which rely on multiple ports.

SecureOffice solves this problem using the custom VPN Scripts package, to run a VPN server for mobile clients to connect to using a VPN client. This bypasses any cellular network restrictions, allowing SIP to work on mobile devices over cellular networks. Secure fax (external fax extension) can also be accomplished using SecureOffice VPN server.

In subsequent sections, if your extension is not working using your cellular connection or external (not SecureOffice) network, you may have to connect to SecureOffice using VPN to bypass firewalls of intermediate servers, in which case, your device will appear to be on the SecureOffice LAN.

4.2    Moving a Phone from LAN to Internet

Some tests require phones registered on the SecureOffice LAN and phones registered on the internet.

You can easily change an Android SIP phone from being registered on the SecureOffice LAN to being registered on the Internet by turning off phone WiFi. This forces phone registration using a cellular data connection. Turning WiFi back on will force the extension to register on the LAN. The Android SIP phone application must support and be configured for network switching.

  • Acrobits can be configured for network switching. Use "Preferences->WiFi Settings -> Prefer WiFi"
  • CSipSimple can be configured for network switching Use "Network settings->Use WiFi" and "Use 3G (or better)" to switch Networks.
  • For SIP phones that do not support a similar feature, manually enable / disable the WiFi and data connections as needed.

4.3    Second Internet Connection

Some tests require two phones registered as extensions on the internet, using two separate Internet connections. Possibilities are:

  • Two cellphones (borrow one) with data plans and SIP phone applications installed and configured as extensions. This is the easiest option.
  • Collaborate with a friend with another internet connection, where phones on their connection register with your SecurePBX.
  • Windows connection sharing of a VPN connection (requires another Ethernet port, may be USB).
  • SecureOffice developers use a dedicated SecureOffice router with a VPN connection bridged to WiFi and a physical Ethernet port, providing another LAN with a different internet connection using VPN Scripts. This can be done with SecureOffice, no separate router required.

4.4    Basic Voice Calls

Test the following call permutations:

  • Extension to extension, both extensions on local LAN.
  • Extension to extension, one extension on local LAN, one remote, on internet. See "Moving a Phone from LAN to Internet", above.
  • Extension to extension, both extensions on internet. This requires access to another internet connection. See "Second Internet Connection" above
  • Incoming call to each gateway phone # using a phone which is not a SecurePBX extension (cellphone, etc.). All phones which are part of the LineX_number (gateway) ring group should ring.
  • Outgoing calls to a phone which is not an extension (cellphone, etc.) using each extension configured to use LineX_number (gateway) for outgoing calls, for each gateway.

For each call above, ensure that Caller ID is displayed as expected on the destination phone and that audio is two way.

Diagnose and fix any problems before proceeding.

4.5    Optional Video Calls

Repeat the Basic Voice Call tests above for video calls. Alternatively, omit "Basic Voice Calls" testing and use video phones instead of voice phones for basic call testing.

For each call, ensure that Caller ID is displayed as expected on the destination phone and that audio and video is two way.

4.6    ZRTP Encrypted Calls

Determining if a call is ZRTP encrypted is phone specific. Usually, the phone UI main page indicates encryption status, including the Secure Authentication String (SAS) which must match for both call ends, else there is a "Man In The Middle" (MITM), monitoring the call.

Test each phone for both call initiate and receive.

The following calls should be ZRTP encrypted (totally secure), unconditionally:

  • Both phones ZRTP capable
  • ZRTP phone (extension) on internet, calling or receiving call from non-ZRTP SecurePBX extension. Internet phone indicates encrypted (SecurePBX proxies ZRTP for non ZRTP extensions)
  • ZRTP phone (not an extension, using cellular number for calls) on internet, calling or receiving call from non-ZRTP SecurePBX extension using gateway. Internet phone indicates encrypted (SecurePBX proxies ZRTP for non ZRTP extensions).
  • Using gateway means: Internet phone calls SecurePBX gateway number and extension is part of gateway incoming ring group. Extension uses gateway to call cellular phone number.

5        TroubleShooting SecurePBX

Unless noted otherwise, the FreeSwitch and FusionPBX portions of SecurePBX behave and are configured identically to the standard applications.

Once SecurePBX has been installed, fully configured, tested and any problems fixed, it should run trouble-free for years.

If problems do occur later, the prime suspect is recent user SecureOffice configuration changes.

After identifying the problem by following the steps in subsequent sections and the problem is still not solved, search the internet ("FreeSwitch <what is the problem>") for possible solutions. Another option is the FreeSwitch debugging procedures (some expertise required).

If still unable to determine a solution, ask for help in the support forum (this site) with detailed information regarding problem symptoms and what you have already tried. Nobody can help you until you help yourself by accurately identifying and describing the problem. Posts containing a simple "help, doesn't work" will be ignored and purged from the forum on a regular basis.

As problems are identified and corrected, they will be added to troubleshooting documentation on this support site.

Until SecurePBX is fully configured and tested, it is suggested to keep a SSH session open to SecureOffice using PuTTY. It is further suggested to learn how to use the "nano" editor. Instructions for both are available here.

Hint: When you use PuTTY to SSH into SecureOffice, any string can be copied from within the SSH session window by highlighting it and right clicking. The string will be in the clipboard and can be pasted in Windows applications or, into the SSH command window by moving the cursor to where you want to paste and right clicking again.

5.1    FreeSwitch not Running

If FreeSwitch is not running, you will see one or both of the following symptoms:

  • FusionPBX GUI displays: "Connection to Event Socket failed"
  • enter "ps -Af | grep freeswitch" at a command prompt. You should see "/usr/bin/freeswitch <parameters>". If not, FreeSwitch is not running

If FreeSwitch is not running, inspect the logs and attempt to re-start (command prompt):

  • Enter "nano /var/freeswitch/log/freeswitch.log" to determine if the problem has been logged and fix it if so. It may be useful to search for errors from within nano (Ctl+w "[ERR]"). Normally, errors that prevent FreeSwitch from starting are at the end of the logfile.
  • check syslog. Enter "logread > /tmp/syslog; nano /tmp/syslog" and inspect for FreeSwitch or service-related issues. Fix any problems.
  • Restart freeswitch. enter "/etc/init.d/freeswitch stop; /etc/init.d/freeswitch start", then re-check if FreeSwitch is running.

There may be a licensing issue. (Luci) Navigate to "System -> Licensing -> Manage". The log should show "license server up" and "X days remaining in license for securepbx". If not, diagnose licensing failures.

FeeeSwitch requires the following support services to be enabled at boot and running:

  • miniupnpd, minissdpd, logtrigger, memcached, postgres (four instances), postmaster

For each service above, determine if it is running:

  • enter: "ps -Af | grep <service>", where <service> is the service name from the above service list.

If the service is running, you will see two lines of output. If the service is not running, you will see only one line containing "grep <service>"

For each service that is not running:

  • enter "/etc/init.d/<service> enable; /etc/init.d/<service> stop; /etc/init.d/<service> start", where <service> is the service identified as not running.

The above commands enable the service to start at boot, stops the service and then starts the service.

If a service will not start, something may have changed from the standard SecureOffice / SecurePBX configuration. It is assumed the hardware requirements at SecureOffice Prerequisites have been met, eliminating hardware and device driver related problems.

To check for service-related problems, inspect logfiles:

  • check syslog. Enter "logread > /tmp/syslog; nano /tmp/syslog" and inspect for FreeSwitch or service-related issues. Fix any problems.
  • check logtrigger. Enter "nano /var/log/logtrigger.log" and inspect for errors. Fix any problems.
  • check postgresql (database): Enter "nano /var/log/postgresql.log" and inspect for errors. Fix any problems.

After all service related problems are solved, enter "/etc/init.d/freeswitch stop; /etc/init.d/freeswitch start" at a command prompt to start SecurePBX. Repeat all of the above until successful and FreeSwitch and all support services are running.

If FreeSwitch is still not running, follow the advice at the beginning of this section.

5.2    No FusionPBX GUI

If you have just installed SecurePBX and cannot access the FusionPBX web GUI for configuration, rebooting SecureOffice (enter "reboot" at command prompt") should fix the problem which is likely due to Nginx (at installation) configuration changes and Luci cache.

If FreeSwitch is running and you cannot access the FusionPBX GUI configuration pages, it may be a problem with the OpenWrt web server. Try the following commands:

"rm -rf /tmp/luci-*" (clear web server cache)

"/etc/init.d/nginx stop; /etc/init.d/nginx start" (stop and start web server)

  • check "/var/log/nginx/error.log" for errors.
  • check syslog. Enter "logread > /tmp/syslog; nano /tmp/syslog" and inspect for nginx related issues. Fix any problems.

5.3    Gateway not Registered

If all gateway parameters look OK, but a gateway status is not "REGED", you will need to check the FreeSwitch log for clues. At a SecureOffice command prompt, enter:

  • "nano /var/freeswitch/log/freeswitch.log"
  • Search for gateway name <phone #>: "Ctl+w <phone #>" (Correct any problems reported)
  • If that fails search for errors: "Ctl+w [ERR]" (Correct any problems reported)
  • Exit nano: "Ctl+x"

"Correct any problems reported" means: search the internet: "Freeswitch <error string from freeswitch.log>". The error string (if you are at a SecureOffice command prompt over SSH) can be copied from within the nano editor by highlighting it and right clicking. The error string will be in the clipboard and can be pasted.

To check whether SecurePBX is running, enter "ps -Af | grep freeswitch" at a command prompt. You should see "/usr/bin/freeswitch <parameters>". If not, Freeswitch is not running.

If freeswitch is running and the problem is you cannot access the OpenWrt GUI FusionPBX configuration pages, it may be a problem with the OpenWrt web server. Try the following commands:

"rm -rf /tmp/luci-*" (clear web server cache)

"/etc/init.d/nginx stop; /etc/init.d/nginx start" (stop and start web server)

5.4    Extension not Registered

Registration status for extensions is available using the FusionPBX GUI. Navigate to "Services->SecurePBX", login to FusionPBX and navigate to "Status->Registrations". Registered extensions will shown in Figure 12. Unregistered extensions will not be displayed.

Determine which extension(s) are not registered, but are expected to be.

For each un-registered extension, verify that the configuration values are correct, the device and extension are both enabled and the configuration for the device and FusionPBX extensions match. After correcting any configuration errors, re-start FreeSwitch and the device and re-check registration status.

If all configuration appears OK, but an extension is still not registered, you will need to check the FreeSwitch log for clues. At a SecureOffice command prompt, enter:

  • "nano /var/freeswitch/log/freeswitch.log"
  • Search for <extension name or number>: "Ctl+w <extension name or number>" (Correct any problems reported)
  • If that fails search for errors: "Ctl+w [ERR]" (Correct any problems reported)
  • Exit nano: "Ctl+x"

If there are no extension registration related error messages in the logfile, verify that SecureOffice and the extension are able to communicate with each other:

  • Determine the extension's IP address (on LAN or Internet) and ping it from a SecureOffice command prompt.
  • Fix any connectivity issues.

If the extension is not on the SecureOffice LAN, check SecureOffice firewall uPnP port status. Using OpenWrt GUI, navigate to "Status -> Overview", scroll to bottom and insure that "Active uPnP Redirects" table is not empty and contains the proper SIP ports.

If the extension is not on the SecureOffice LAN, it is possible, due to previous incorrect password configuration that its IP address has been banned by logtrigger (security measure, guards against brute force password attacks). If this is the case, consult the logtrigger documentation for a remedy which requires restarting the OpenWrt firewall. SIP switches experience a lot of hacker attacks, invalid logins attempting to engage in toll fraud, attempting to get free long distance calls at your expense.

If there are no Redirects, the uPnP services (miniupnpd, minissdpd) are not running. Follow the services procedures in the "Freeswitch not Running" section.

If the extension is not on either (existing router or SecureOffice) LAN and you are using LAN Topology, ensure that your existing router firewall has the correct port forwards (SecureOffice Installation).

If all else fails, search the internet: "FreeSwitch <device model#> not registered" for additional help.

5.5    One Way or No Audio or Video

This indicates a firewall (uPnP or existing router) issue or IP address error (local LAN address and WAN address confusion during call setup).

Another symptom is the call is automatically dropped after approximately 30 seconds as the media watchdog activates.

Verify that uPnP is running and, if using LAN Topology that the existing router firewall is configured with the correct port forwards.

Verify that the SecureOffice "/etc/hosts" file contains an entry "<SecureOffice LAN address> <SecureOffice domain>" discussed here. Otherwise, phones, using DHCP on the SecureOffice LAN will use (DNS lookup) your WAN address instead of your LAN address for call setup, resulting in one-way audio / video.

Rating 0/5
Rating: 0/5 (0 votes)
Votes are disable!
Print article
The comments are owned by the author. We aren't responsible for their content.

Technologies Used:

Design by: XOOPS UI/UX Team