localhost

ErikU

Made some changes to my ISP so the static IP of the PBX changed. Have a strange issue...

The server has two NICs. One with a 10.x address for internal phones, and one with a public IP.

First I noticed that the FOP2 panel wouldn't connect, though FOP2 test connects to the manager ok.

Then I noticed that running status, down at the bottom, reports pbx.local on the public IP on the public NIC.

The hosts file says: 127.0.0.1 pbx.local

Shouldn't the status report that it is on the internal address/nic?
 
It shows whatever eth0's IP address is. I'm assuming in this case that eth0 is externally connected and eth1 is internally connected.
 
The short answer is NO.

The long answer is NO.

We only test for internet connectivity and whatever one sees outside is what is reported.

Tom
 
one with a public IP

Hmmm, someone hasn't been reading the recommendations of NEVER having your PiaF server connected directly to the Internet!
 
Got it. So I wonder why my FOP2 client will not connect. FOP server connects to the manager just fine, but the client can't connect. Ideas?

BTW, the public IP is behind a decent firewall and IP tables are on. I have multiple phones on the outside that need to connect. Does someone have a better idea other than a VPN?
 
Got it. So I wonder why my FOP2 client will not connect. FOP server connects to the manager just fine, but the client can't connect. Ideas?

What browser are you using?
 
Chrome. I see it works in IE. Hmm..

I use Firefox, Chrome, Opera and IE. It seems that one of them never quite works right for whatever I'm viewing.

The public IP is behind a decent firewall

How are you forwarding/filtering traffic to your server with a public IP through your firewall? Are you using a demilitarized zone?
 
It's an EdgeMarc that only allows the necessary ports to pass for the outside phone.

I also use voip.ms as the service provider on a pre-paid acct. The most I'd be out is $50. That combined with IP tables and Fail2ban is good enough I think.

I need to find a balance between ease of use and security. I am honestly open to other ideas though for multiple phones on the outside.
 
Fail2Ban is next to worthless with powerful computer attacks such as those coming from Amazon S3 hosting.

A better idea is to totally lock down your IPtables firewall and use a white list of safe IP addresses or FQDNs.
 
IP tables are locked down except to allow ports for outside phones.

The outside phones are not on static IPs, so I can't white list them.

I'm all for reasonable and prudent security, but I think IT folks sometimes get so wrapped up in it that they forget to balance the cost/potential of security with operational ease of use.

For me, IT is only a secondary/support part of my business so I bump into this all the time. I sometimes have to remind people that we don't generate any revenue with IT.... and that IT is there to support us.
 
The referenced solution works fine with dynamic IP addresses using DynDNS or a similar service to manage FQDNs for the remote phones.

As for IT being a non-revenue generator, I've heard many folks say that... until their IT infrastructure comes unglued and all of a sudden none of the tools necessary to generate their revenue are available. It's akin to saying a lock on the front door of a jewelry store is a non-revenue generator. True, but...
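
The allowlist-by-FQDN approach discussed in the posts above, as an added example that is not part of the thread and is not the referenced solution. The ports, the chain name `PHONES`, the helper names and the sample hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny allowlist for remote phones
# whose addresses are published through dynamic DNS names.
SIP_PORT=5060          # assumption: SIP signalling port
RTP_RANGE=10000:20000  # assumption: RTP media port range
CHAIN=PHONES           # hypothetical chain name

# Resolve a name to its first IPv4 address (empty output on failure).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# True only for a well-formed dotted quad, so a malformed DNS answer
# never ends up inside a firewall rule.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF==4 { for (i=1; i<=4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Read "fqdn ip" lines on stdin and print iptables-restore input:
# ACCEPT rules per resolved phone, then DROP for everything else.
build_rules() {
    echo "*filter"
    echo ":$CHAIN - [0:0]"
    while read -r name ip; do
        [ -n "$name" ] || continue
        if valid_ipv4 "$ip"; then
            echo "# $name"
            echo "-A $CHAIN -s $ip/32 -p udp --dport $SIP_PORT -j ACCEPT"
            echo "-A $CHAIN -s $ip/32 -p udp --dport $RTP_RANGE -j ACCEPT"
        else
            echo "skipped $name: no valid address" >&2
        fi
    done
    echo "-A $CHAIN -j DROP"
    echo "COMMIT"
}

# Constructed sample of already-resolved names; the third failed to resolve.
SAMPLE='phone1.example.net 198.51.100.7
phone2.example.net 203.0.113.44
phone3.example.net'

printf '%s\n' "$SAMPLE" | build_rules
```

On a live system the input lines would come from `resolve_ipv4` run over the phones' dynamic DNS names on a timer, with the output piped to `iptables-restore --noflush`. This assumes the INPUT chain sends SIP and RTP traffic to the `PHONES` chain; a name that fails to resolve gets no rule and stays blocked.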
 
I think you are right on in saying that IT is a necessary tool for a business and my clients would be out of business without it.

However, it's important to remember that (for most businesses) IT doesn't generate any revenue. So a balance must be found between the security needs of IT and the revenue generating core of a business. If that jewelry store, for example, had a door made of 26" of steel and required a retina scan to gain entrance, it might not be good for business. A deadbolt and an alarm are a good idea though.

In my example, that balance is found by limiting my financial exposure to a small dollar amount while allowing for simple outside phone connections. I know DDNS would work, but I also know that it just isn't going to happen.

I'm reminded of working for a major television network covering the Olympic Games. The company IT group locked down the network tight and wouldn't allow anyone to connect a laptop in any way to the network unless it had been approved by the IT dept, and the IT dept wasn't approving or accommodating at all. I found a way around the block in order to gain web access so I could do my job and was quickly busted by the IT guys. They went so far as telling me that if this happened again at my venue they would simply turn off web access altogether.

I laughed... that's fine with me, I said, but when the show producers come out to make big money for the network and you tell them that they can't get online to download a bio, check spelling, stats etc... well... that just isn't going to happen. I reminded him that we were in business to make TV.

The solution, of course, is to find a balance between IT security and making it easy to make money for the company.
 
