On 7/19/07, <b class="gmail_sendername">Ryan Stille</b> &lt;<a href="mailto:ryan@cfwebtools.com">ryan@cfwebtools.com</a>&gt; wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Right now I've been working on setting up a Trixbox server on our<br>internal network. It's behind the firewall, but I'd like to open up the<br>firewall to it because we sometimes have developers working off site and
<br>I'd like them to be able to connect.</blockquote><div><br>How many developers? And what kind of developers? If they're developing things for your phone system, then you may want them on their own development boxes instead. If you're a software shop and they're just users, then that's different.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Is this safe to do? I've got the "Allow Anonymous Inbound SIP Calls"
<br>box unchecked in freePBX. Is there anything else I need to do? Isn't<br>there an issue with the extension/secret being passed in clear text?</blockquote><div><br>I'm not the most knowledgeable on what freePBX does, as far as the check box. My guess is that it's just tweaking the SIP users/peers in the
sip.conf file. This gives only a minimal level of security, in my opinion.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">It looks like I need to open port 5060, and whatever ports are in between
<br>the rtpstart/rtpend values in /etc/asterisk/rtp.conf. Is that right?<br>Right now that's 9999 ports, I've read that you can chop that down to 20<br>ports for just a few calls. We want to have 5-6 simultaneous calls, so
<br>if I set rtpstart to 10001 and rtpend to 10100, then open up those<br>ports, is that adequate?</blockquote><div><br>If it were me, and I had 20 remote users or less, I would create a VPN and have them join my network that way. Then, no SIP ports would be open to the world. And the NAT problems would pretty much disappear. You may have a slight reduction in sound quality, depending on how you set up the VPN. I really haven't had major problems with it, but again, it depends on your type of VPN. We're using a site-to-site hardware-accelerated IPSec VPN for each of our remote sites (including my house), and I have not had any problems. Except when the underlying medium (the Intarweb) has latency/jitter problems. But then, straight SIP would have issues too...
<br><br></div></div><br>
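The RTP range sizing asked about in the quoted question can be checked mechanically before any firewall ports are opened. This is an added example, not part of the original thread: it assumes each media stream takes an even RTP port plus the next odd port for RTCP, and that a call bridged through the PBX holds one stream per leg; `SAMPLE_RTP_CONF` is constructed from the values in the question.

```python
import configparser

# Constructed sample of /etc/asterisk/rtp.conf with the values from the question.
SAMPLE_RTP_CONF = """\
[general]
rtpstart=10001   ; first UDP port used for media
rtpend=10100     ; last UDP port used for media
"""

def parse_rtp_range(text):
    """Return (rtpstart, rtpend) from rtp.conf text; ';' starts a comment."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(text)
    start = cp.getint("general", "rtpstart")
    end = cp.getint("general", "rtpend")
    if not 1024 <= start < end <= 65535:
        raise ValueError(f"implausible RTP range {start}-{end}")
    return start, end

def stream_slots(start, end):
    """Count even/odd (RTP, RTCP) port pairs lying wholly inside the range."""
    first_even = start + (start % 2)          # round start up to an even port
    last_even = (end - 1) - ((end - 1) % 2)   # its odd partner must be <= end
    if last_even < first_even:
        return 0
    return (last_even - first_even) // 2 + 1

def max_calls(start, end, legs_per_call=2):
    """Assumption: a call bridged through the PBX holds one stream per leg."""
    return stream_slots(start, end) // legs_per_call

def check(text, wanted_calls):
    """Summarise how many ports the range exposes and whether it is enough."""
    start, end = parse_rtp_range(text)
    capacity = max_calls(start, end)
    return {
        "range": (start, end),
        "ports_exposed": end - start + 1,
        "max_calls": capacity,
        "adequate": capacity >= wanted_calls,
    }

if __name__ == "__main__":
    print(check(SAMPLE_RTP_CONF, wanted_calls=6))
```

Under these assumptions the 10001-10100 range covers the 5-6 calls in the question with room to spare, so the exposed range could be narrower still.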