Reference11r1:Concept Using PBX services from public internet: Difference between revisions
Latest revision as of 19:38, 25 March 2015
Applies To
This information applies to
- all innovaphone devices from V11
Overview
This article illustrates the requirements for using the following services of the innovaphone PBX from the public internet without VPN:
- Phone registration and telephony
- myPBX web application including WebRTC softwarephone
- myPBX call list from the innovaphone Reporting (optional)
In the following the term phone means hardware phone, softwarephone or myPBX for Android.
NAT
Port forwardings
In order to make the PBX services available from public internet, the following port forwardings may be used on the NAT router.
- TCP/1300 on the PBX
- This port is used by phones to register using H323/TLS. The public port must be TCP/1300 as well.
- TCP/1720 on the PBX
- This port is used by phones to register using H323/TCP (no TLS encryption, not recommended). The public port must be TCP/1720 as well.
- TCP/443 on the PBX
- This port is used by the myPBX web application and the WebRTC softwarephone to communicate with the PBX. Assign any free public port.
- TCP/443 on the innovaphone Reporting (optional)
- This port is used by the myPBX web application to get the call list from the innovaphone Reporting. Assign any free public port.
Please mind that forwarding the HTTPS ports of the PBX and the innovaphone Reporting also exposes the administration interface.
NAT type
To support any-to-any communication, all of the routers must support full-cone or restricted NAT. If this is an issue, media-relay can be enabled for all remote clients in the SB object (note though that this does not help for remote WebRTC endpoints).
If none of the involved routers support full-cone NAT, it might still work. Full-cone, restricted and port-restricted NAT will work in any combination. However, if one end does symmetric NAT it will work only if the other side does full-cone or restricted NAT.
Detecting the NAT style
To find out what type of NAT router is installed, you can use the following stun-client: http://sourceforge.net/projects/stun/
You can then start the client from the command line, e.g.:
stun-client-0-96.exe stun.sipgate.net
The output can be interpreted like this:
Independent Mapping, Independent Filter = Fullcone NAT
Independent Mapping, Address Dependent Filter = Restricted Cone NAT
Independent Mapping, Port Dependent Filter = Port-Restricted Cone NAT
Dependent Mapping = Symmetric NAT
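As an added example (not innovaphone code), the following Python parses the stun client summary lines listed above into a NAT type and applies the combination rule from the NAT type section to decide whether two sites can exchange media directly or whether media-relay is needed; the function names are my own.

```python
import re
from enum import Enum


class NatType(Enum):
    FULL_CONE = "Fullcone NAT"
    RESTRICTED = "Restricted Cone NAT"
    PORT_RESTRICTED = "Port-Restricted Cone NAT"
    SYMMETRIC = "Symmetric NAT"


def classify(stun_line: str) -> NatType:
    """Map the stun client's 'Mapping, Filter' summary to the classic NAT type.
    Word boundaries matter: 'Independent Mapping' contains 'dependent mapping'."""
    if re.search(r"\bdependent mapping", stun_line, re.I):
        return NatType.SYMMETRIC          # mapping changes per destination
    if not re.search(r"\bindependent mapping", stun_line, re.I):
        raise ValueError(f"unrecognised stun output: {stun_line!r}")
    if re.search(r"\bindependent filter", stun_line, re.I):
        return NatType.FULL_CONE
    if re.search(r"\baddress dependent filter", stun_line, re.I):
        return NatType.RESTRICTED
    if re.search(r"\bport dependent filter", stun_line, re.I):
        return NatType.PORT_RESTRICTED
    raise ValueError(f"unrecognised stun output: {stun_line!r}")


def direct_media_possible(a: NatType, b: NatType) -> bool:
    """Rule from the NAT type section: the three cone types work in any
    combination; a symmetric NAT only works if the other side is full-cone or
    (address-)restricted, because a port-restricted NAT drops packets from the
    new source port a symmetric NAT allocates, and two symmetric NATs never
    learn each other's mappings."""
    if NatType.SYMMETRIC not in (a, b):
        return True
    other = b if a is NatType.SYMMETRIC else a
    return other in (NatType.FULL_CONE, NatType.RESTRICTED)


if __name__ == "__main__":
    # Constructed sample outputs for the PBX site and one remote phone site.
    pbx_site = classify("Independent Mapping, Port Dependent Filter")
    remote = classify("Dependent Mapping")
    if direct_media_possible(pbx_site, remote):
        print("direct ICE media should work")
    else:
        print("enable media-relay for this client in the SB object")
```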
STUN
VoIP endpoints (e.g. phones and interfaces) need a STUN server in order to do NAT traversal using ICE. Therefore make sure that a STUN server is configured on all phones and gateways.
- If your installation uses an innovaphone box as the only NAT router, you can use the box as the STUN server. Enable STUN and configure the public address or the DNS name of the box as the STUN server on all devices.
- Otherwise configure a STUN server that is located in the public internet on all devices.
Certificates
Please make sure the following conditions are given:
- The phone certificates contain the device ID that is used for registration
- The PBX trusts certificates of the phones (or the issuing certification authority)
- The web browsers trust the certificate of the PBX
- The web browsers trust the certificate of the innovaphone Reporting (optional)
DNS
The use of DNS names for PBX, Reporting and STUN servers is optional. It can facilitate the management of the installation. But this means that DNS must be available on all the endpoints.