<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Dear friends, like someone said before me on the list: neither of the two extremes is very good!!<BR>
One is dangerous, the other has heavy-duty maintenance requirements for user changes...<BR>
<BR>
So leaving the system open without a firewall + IDS will be dangerous, <BR>
and closing the firewall completely, if you need to deal with users who travel or change IP address and need to use the same account from any IP, from anywhere... then the users will be angry every time they can't make a call.<BR>
<BR>
<BR>
So I think we must work around the needs and look for the mix that best serves our purposes. Many times the solution may seem "outside the rules of good practice", but if it works efficiently and is inexpensive... then it is WELCOME.<BR>
<BR>
VPNs routed end to end with VPN routers require hardware that limits mobile use and is more expensive, i.e. if I have my SIP account configured on my handheld, using it over Wi-Fi behind a VPN router, I can't use it to make calls in a hotel, airport or any Wi-Fi zone or hotspot, unless that unit can run a VPN client too.<BR>
<BR>
On the other hand, if I have a notebook, laptop or netbook, using a softphone with TLS may be useful, but a bunch of IP telephones, softphones and gateways don't support TLS or many other protocols, so it will depend on the user...<BR>
<BR>
In my mind I ask myself, "some advice to follow??" and the answer could be:<BR>
<BR>
Try using services that enable me to locate users by domain name and at the same time define your accounts using them... it may require additional effort to use them, but setting up the peers using host with DNS resolution, avoiding the use of register by the users, may help:<BR>
<BR>
host= my.domain<BR>
<BR>
What will happen if the IP changes or the user doesn't have their own domain??? Ask me again, and I answer:<BR>
<BR>
<BR>
Try a DDNS service like this:<BR>
<BR>
host=my.domain.in.prefer.ddns.service.<BR>
<BR>
It may be helpful with any of the popular servers (dyndns, no-ip, ...).<BR>
It will require that the user can run at the same time a DDNS client (many routers/ATAs/gateways have one embedded) and a softphone/SIP client from the same IP address,<BR>
and at the other end, on the PBX, you also need to reload the SIP module each time the IP changes, to load the new IPs for those domains; this must be done as often as the client's IP changes...<BR>
<BR>
WHAT A CHEAP SOLUTION !!! <BR>
<BR>
<BR>
This reload task could be done at a fixed period of time, i.e. the same value that you usually specify in the expire options for registering; thus the "gap" between the old IP and the new one has the same behaviour as when your customer changes IP address without re-registering, i.e. a user using DHCP on their internet connection whose IP address changes and who doesn't restart their softphone or gateway. I mean: the incoming calls go to the old IP until the client re-registers or places an outgoing call.<BR>
<BR>
<BR>
In the same way, for inbound connections to the servers (a PBX or any other server too), something similar can be done with iptables modules; it's quite simple: first set the policy to DENY all connections and then enable just the DDNS domains that you will accept...<BR>
<BR>
iptables -P INPUT DROP<BR>
iptables -I INPUT -s my.first.client.in.ddns.service -j ACCEPT<BR>
iptables -I INPUT -s my.second.client.in-other-ddns.service -j ACCEPT<BR>
<BR>
(some specification of ports and protocols may be added; I don't include it in the example to keep it simple)<BR>
<BR>
After doing this, only the IPs matching those domains can connect to the server,<BR>
but any time the IPs change you need to restart the iptables service, and the input filter will be refilled with the IPs matching the domains defined at the DDNS service....<BR>
<BR>
To restart this at regular intervals in "automatic mode", you just need to enable this task in the cron service; it can also be joined with the SIP module reload to update the host definition of the peer/user/friend in the PBX. For that you need to include a script that has these two lines for system execution:<BR>
<BR>
service iptables restart &nbsp;&nbsp;# restarts iptables Fedora/CentOS style; other distributions use their own init scripts<BR>
asterisk -rx "sip reload" &nbsp;&nbsp;# reloads the SIP module, renewing the domain definitions of the peers; be careful that your PBX must resolve them using the DNS service<BR>
<BR>
and... that's all.<BR>
<BR>
Now you can renew the IPs that can connect to the server and also the hosts defined to make calls.<BR>
<BR>
<BR>
Easy, effective and cheap; there may be other, better solutions... yeah... and more expensive too.<BR>
<BR>
Feel free to contact me off the list.<BR>
I hope this can be helpful.<BR>
<BR>
Marcos<BR>
<A href="mailto:info@calleasy.com.ar">info@calleasy.com.ar</A><BR>
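The cron job that the message above describes, as an added example that is not part of the original mail and not code from Marcos or from Asterisk. It takes the two ideas in the message (rebuild the firewall allow-list from DDNS names, then `sip reload`) and adds the checks a practitioner would want: the DDNS names are resolved explicitly, the addresses go into a dedicated chain that is flushed and refilled instead of restarting the whole iptables service, the SIP reload only runs when an address actually changed, and a name that fails to resolve keeps its last known address instead of silently locking that client out. The hostnames, chain name, state-file path and the `DDNS_ALLOW` jump from `INPUT` are assumptions for the example.

```shell
#!/bin/sh
# ddns-allow.sh -- added example, not code from the original mail.
# Resolves each client's DDNS hostname, rebuilds a dedicated iptables chain
# with the current addresses, and reloads Asterisk's SIP peers only when an
# address actually changed. Hostnames, chain name and paths are placeholders.
# One-time setup (assumed): iptables -N DDNS_ALLOW; iptables -I INPUT -j DDNS_ALLOW

# Clients allowed to reach SIP, one DDNS name each (constructed names).
DDNS_HOSTS="my.first.client.in.ddns.service my.second.client.in.other-ddns.service"
SIP_PORT=5060
CHAIN=DDNS_ALLOW
STATE_FILE="${STATE_FILE:-/var/run/ddns-allow.state}"
# Command that receives the generated shell lines; set APPLY=cat for a dry run.
APPLY="${APPLY:-sh}"

# resolve_host NAME: print the first IPv4 address, or nothing if lookup fails.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# snapshot: print "name ip" for every host. A name that fails to resolve keeps
# the address recorded in STATE_FILE, so a DNS hiccup does not lock a client out.
snapshot() {
    for h in $DDNS_HOSTS; do
        ip=$(resolve_host "$h")
        if [ -z "$ip" ] && [ -r "$STATE_FILE" ]; then
            ip=$(awk -v n="$h" '$1 == n { print $2 }' "$STATE_FILE")
        fi
        if [ -n "$ip" ]; then
            echo "$h $ip"
        fi
    done
}

# rules_for IP...: print the iptables commands that rebuild the chain.
# Only this chain is flushed, so the rest of the ruleset (SSH, established
# connections, ...) is never touched during the refresh.
rules_for() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for ip in "$@"; do
        echo "iptables -A $CHAIN -s $ip -p udp --dport $SIP_PORT -j ACCEPT"
    done
}

# ips_of SNAPSHOT_TEXT: second column only.
ips_of() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# update: rebuild the chain and reload SIP peers if any address changed.
# Returns 0 if something changed, 1 if nothing had to be done.
update() {
    current=$(snapshot)
    previous=$(cat "$STATE_FILE" 2>/dev/null)
    if [ "$current" = "$previous" ]; then
        return 1
    fi
    {
        rules_for $(ips_of "$current")
        # Peers defined with host=<ddns name> are re-resolved by the reload.
        echo 'asterisk -rx "sip reload"'
    } | $APPLY
    printf '%s\n' "$current" > "$STATE_FILE"
    return 0
}

# From cron, e.g. every 5 minutes:  */5 * * * * /usr/local/sbin/ddns-allow.sh run
case "${1:-}" in
    run) update || : ;;
esac
```

Run it as `ddns-allow.sh run` from cron; with `APPLY=cat` it prints the iptables and asterisk commands it would execute instead of running them. The state file is what makes the job quiet: the `sip reload` and the chain rebuild happen only when a DDNS name has moved, and a lookup failure reuses the stored address rather than dropping the client's rule. As in the original mail, the PBX itself must be able to resolve the DDNS names, and the gap between an address change and the next cron run behaves like an expired registration.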
</body>
</html>