One of the best things about modern VoIP systems is how flexible they are when it comes to how you deploy them. You can use them on an appliance, virtualized, or on a cloud-based service like Amazon AWS, Google Cloud, or Microsoft Azure. Each configuration has a slightly different technique to making everything work, and one of the first challenges is registering extensions. For this post, we’ll focus on the general concepts of setting up extensions for a cloud based (hosted) solution with FreePBX.
If you’ve never heard of FreePBX, and you’re in the market for a new VoIP system, you should start doing a little research ( and also call VoIP Supply). To be brief, it’s a turn-key PBX solution that uses Asterisk, a free SIP based VoIP platform. Sangoma, the makers of FreePBX have created a web user interface for Asterisk to simplify configuration. They’ve also added an entire security architecture, and have added a lot of features above and beyond what pure Asterisk (no user interface) provides, such as Endpoint Manager, which is a way to centrally configure and manage IP Phones.
FreePBX isn’t the only product out there to do this, there’s quite a few out there actually, but FreePBX has really raised the bar in the past few years and has become a very series solution for the enterprise. Don’t let the word “Free” in FreePBX lead you to think it’s a cheaply created system.
FIRST, A LITTLE ABOUT VOIP CLOUD SECURITY:
There’s a huge benefit to hosting a VoIP system in the cloud, you have to deal with very little NAT. Why is that good? SIP and NAT generally do not cooperate with each other. It’s very common for SIP header information to be incorrect without a device such as a session border controller (SBC), or a SIP application layer gateway (SIP ALG). When deploying a system on premise, you will always need to port forward SIP (UDP 5060) and RTP ( UDP 10,000-20,000) at a minimum. Also, you’ll need to make sure these ports are open on your firewall. This helps direct SIP traffic to your phone system, similarly as if you had a web or mail server.
Of course, there are security concerns when exposing SIP directly to the internet, and the same concerns apply for a hosted system, but when dealing with a cloud solution, you are generally given a 1:1 (one to one) NAT from your external IP address to the VoIP system’s internal IP. A 1:1 NAT ensures all traffic is sent to the system without any additional rules. Some cloud services place an external IP address directly on your server, increasing simplicity.
If you’re reading this, and are becoming increasingly concerned, you’re not wrong. If you’re in the technology field, you’ve probably been taught that exposing any server directly to the internet is wrong, bad, horrible, and stupid. Generally speaking, that’s all correct, but luckily many cloud service providers will offer the ability to create access control lists to place in front of your server, like the one below from Microsoft Azure.
This gives you the ability to control access to specified ports, source, and destination IP addresses. Additionally, FreePBX has built in intrusion detection (Fail2Ban), and a responsive firewall, allowing you to further restrict access to ports and services. Is this hack proof? No, of course not. Nothing is hack proof, but I have run my personal FreePBX, exposed directly to the internet, with zero successful attacks. No, that’s not a challenge, and you can’t have my IP address. You can, however, have some of the would-be hacker’s IP’s (see below).
If you’d like to learn about the firewall that FreePBX has put together, go here. I’m not suggesting, that this is just as good as placing an on-prem VoIP system behind a hardware firewall, but the results so far are that it works very well. Using a cloud solution will always be at your own risk, so do plenty of testing and take whatever measures needed to secure your system (disclaimer).
SETTING UP (REMOTE) EXTENSIONS:
One of my favorite feature of a cloud based system is that all extensions are essentially remote extensions. This means you can place a phone anywhere in the world, in theory, with an internet connection, and place calls as if you were sitting in the office, or at home. There are some variables to this configuration, mainly restrictions on whatever network your phone is connected to, but generally speaking, it’s a useful and user-friendly solution. Now, for the rest of the article, I will assume that you know how to create an extension on FreePBX and have basic familiarity.
The first thing I typically do when deploying a new VoIP system is to define all of the network information for SIP. This is important for both cloud systems, and on-prem, Specifically, you need to tell FreePBX what networks are local, and which are not. To accomplish this, proceed to Settings > Asterisk SIP Settings, and define your external address, and local networks.
Next, if you have your firewall turned on and you should make sure SIP is accessible. You’ll notice in the below image that the “Other” zone is selected, meaning I have defined specific networks that are allowed under Zones> Networks. To allow all SIP traffic, you can select “External,” but you would be better off enabling the Responsive Firewall, which rate limits all SIP registration attempts and will ban a host if a registration fails a handful of times.
Also, something to pay attention to: Make sure you use the right port number. By default, PJSIP is enabled, and in use in FreePBX on port 5060 UDP. I will generally turn off PJSIP and re-assign 5060 USP to Chan SIIP. This can be adjusted under Settings > SIP Settings > Chen SIP Settings, and PJSIP Settings.
Once the ports are re-assigned, you MUST reboot your system, or in the command line, run ‘fwconsole restart.’ I also like to tell FreePBX to use only Chan SIP. To do that, go to Settings > Advanced Settings > SIP Channel Driver = Chan SIP. PJSIP is perfectly funcitonal, but for now, I recommend you stick with CHAN SIP as PJSIP is still underdevelopment.
We should also assign the global device NAT setting to “Yes”. This will be the option used wheneber you create a new extension. Without making this the global default, you will have to make this change manually in each extension, when you’ll likely forget to do, and your remote extension will not register. This setting lets FreePBX know that it can expect the IP phone or endpoint to be external and likely behind a NAT firewall. To change this global setting, go to Settings > Advanced Settings > Device Settings > SIP NAT = Yes.
Lastly, make sure your extensions are using SIP, if you haven’t turned off PJSIP. You can convert extensions from one channel driver to the other within an extension’s settings.
At this point, you should be able to register your remote extensions to your cloud based FreePBX system. If you are running into trouble, run through these troubleshooting steps:
- Check the firewall – Allowing SIP? Are you being blocked?
- Check Fail2Ban (Admin > System Admin > Intrusion Detection) Are you banned?
- Check that your networks are properly defined in SIP Settings
- Verify you are registering to the proper port
- Make sure the extension is using the proper protocol
- Debug the registration attempt in the command line – Authentication problem?
I hope this article sheds some light on the topic of cloud based VoIP systems, and how to set up extensions for that system. I also hope this saves you a few hours in troubleshooting if you are not well versed in FreePBX configuration. As a friendly reminder, before you make any changes to your production system, take a backup, or snapshot, and always test your changes.