
Overview

There are many situations in which PBXact is installed on a network where it has no connection to the Internet. This document helps users correctly prepare and configure PBXact when there is no Internet connection. It also covers networks that do have Internet access but where security policies restrict connectivity, leaving the PBXact with no connection to the Internet.

The PBXact has many Maintenance features, Unified Communication features and Networking features that rely on Internet connectivity for proper or complete operation. It is important to understand which features will be restricted or limited when there is no Internet connection.

There may be some scenarios in which the end user's PBX has to be totally disconnected from the Internet. 

No Internet Connection



In other cases, an Internet connection is present, but hard restrictions, coming for example from the IT Manager, prevent your system from accessing the public Internet.

Highly Restricted Network

The PBXact has a few fundamental commissioning and maintenance requirements where the PBXact system absolutely must be connected to the Internet to allow the exchange of information. Licensing, Module Update, System Updates and Support VPN are key features that absolutely require Internet connectivity. However, once online License activation and the Module and System updates have been completed, the PBXact can be moved into an isolated network. From this point, the PBXact system will work in this isolated environment, with the exception of the features that require Internet access.

Preparing the PBXact

Out-of-the-box, the PBXact assumes it has Internet connectivity. A PBXact without Internet connectivity is the exception, because many Maintenance features, Unified Communication features and Networking features that enhance the PBXact experience depend on it. When the PBXact is going to be installed into an isolated network where there is no Internet connectivity, it must first be prepared for this type of network environment. Here are the steps to take to make sure the PBX will work correctly in this isolated network environment:

Staging Network

Prior to moving the PBXact into an isolated network where there is no Internet connectivity, the PBXact must be placed on a network where there is Internet connectivity. The PBXact must have an IP Address, Mask, Default Gateway and a DNS Server properly configured and working. The DNS Server must be able to resolve public Internet FQDNs. The PBXact uses several FQDNs to reach the servers for Licensing, Module Updates and Software updates.


Licensing - Register and/or Activate your PBXact

Making sure the PBXact is properly licensed requires the PBXact to connect with Sangoma's licensing server (Portal Store). In many cases, PBXact Appliances are shipped pre-licensed and ready to go. In this case, it is simply a good systems check to ensure everything is in order prior to moving the PBXact system into an isolated network. In other cases, extra Modules or Licenses have been purchased and the PBXact system needs to be updated with the proper licenses. When purchasing your PBXact, the Deployment ID should already be associated with your Portal Store Organization. It is good to check the Partner Portal (portal.sangoma.com) to ensure that the PBXact Deployment ID is registered to your Organization. If not, there are processes in place to Product Claim the Deployment ID: https://wiki.sangoma.com/display/FPAS/Product+Claims

The PBXact must have Internet connectivity for updating Licenses. The PBXact must have an IP Address, Mask, Default Gateway and a DNS Server properly configured and working. The DNS Server must be able to resolve public Internet FQDNs. If you are simply checking the licensing on the PBXact, or have assigned a new module to your Deployment ID, such as by purchasing a new commercial module in the Portal store, you will need to update your registered modules in System Admin - Activation. Otherwise, once the PBXact is installed onto the isolated network, it will not be able to reach out over the Internet and access the license server to update the new module.

To add the new Module item, click the Update Activation button. This will pull updated license information from our license server and give you access to the new module(s).


The CLI command fwconsole sa update will also update the licensing.

System and Modules Updates

Once the PBXact is moved to an isolated network with no Internet connectivity, there is no ability to update the Module software or the System Software. Module Software is the PBXact application, such as System Admin, Zulu and more, and System Software is the OS, Network drivers, Asterisk and more. It is highly recommended that the PBXact is updated to the latest releases of Module and System software prior to moving the PBXact into an environment where it can no longer retrieve the latest software updates. Update the Module software and System Software while the PBXact is on the Staging Network and the Internet connection is available.

System Updates

https://wiki.sangoma.com/display/FPG/System+Admin+-+Updates

Updates Module - System Updates tab

Click Check Online  - this will compare the PBXact System software with available system updates.

Follow the prompts to complete the update of the system software.

The CLI command yum update will also update the system software.


Module Updates

https://wiki.sangoma.com/display/FPG/Module+Admin+User+Guide

Updates Module - Module Updates tab

Click Check Online   - this will compare the PBXact Module software with available Module software online.

Click Upgrade All then click Process   - this will start the upgrading of the Modules.  There are dependencies, so this may take several passes to complete all updates.

The CLI command fwconsole ma showupgrades, followed by fwconsole ma upgradeall, will also update the Module software.

Use of Domains and DNS Servers

'Out-of-the-box' the PBXact assumes it has Internet connectivity and that there is a DNS Server available to resolve FQDNs. There are a number of system services that rely on the DNS Service to start and keep running for proper operation. Failure of the DNS Service can result in catastrophic failure in the operation of the PBXact application. Because of the importance of DNS to the operation of PBXact, close attention must be paid to the use and configuration of FQDNs and DNS Servers configured and located on the PBXact.

The DNS section of the System Admin Module is where this is configured, and the settings you choose there need particular attention: https://wiki.sangoma.com/display/FPG/System+Admin+-+DNS


Because the system relies on the DNS service to start some services and keep them running, Name Server Resolution has to be configured in one of these two ways:

Local DNS

If there is no Internet connection available, and there are no DNS Servers on the Network, it is critical that the first value in the DNS Server List is '127.0.0.1'.

If there is no Internet connection available, but there is some Private Domain Name Server Resolution, it is important that the PBXact has network access to the DNS Server on the Local network and that the first value in the DNS Server List is '127.0.0.1'. Any additional Local DNS Servers can then be set as secondary, tertiary and so on.


Normal External DNS

If the PBXact has Internet connectivity, as normal, '127.0.0.1' must again be the first in the DNS list; any other DNS Servers (private, or public and allowed) can be set as secondary, tertiary and so on.


Domains on PBXact

There are many fields throughout the PBXact configuration where you can enter either an IP Address or a Hostname.

Do not use Hostnames if there are no DNS Servers to resolve them.
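
The two rules above (127.0.0.1 first in the DNS Server List, and no hostnames when no DNS Server can resolve them) can be checked before the move with a small script. This is an added example, not Sangoma code; it assumes the DNS Server List is reflected in a resolv.conf-style file, and the name=value list of host fields is a constructed format, not a PBXact export.

```shell
#!/bin/sh
# Added example, not Sangoma code. Assumption: the System Admin DNS Server
# List is reflected in a resolv.conf-style file such as /etc/resolv.conf.

# Print the nameserver addresses of a resolv.conf-style file, in order.
nameservers() { awk '$1 == "nameserver" { print $2 }' "$1"; }

# Succeed only if the first nameserver is the local resolver 127.0.0.1.
dns_order_ok() { [ "$(nameservers "$1" | head -n 1)" = "127.0.0.1" ]; }

# Count the nameservers other than 127.0.0.1 (servers that can resolve names).
upstream_count() {
    nameservers "$1" | awk '$1 != "127.0.0.1" { n++ } END { print n + 0 }'
}

# Succeed if the argument is an IPv4 literal (four octets, each 0-255).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read "name=value" lines (a constructed list of host fields, not a PBXact
# file format) and print each name whose value is a hostname, not an IP.
hostname_settings() {
    while IFS='=' read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        is_ipv4 "${value%:*}" || printf '%s\n' "$key"   # ignore a :port suffix
    done < "$1"
}

# Report violations of the page's two rules; return non-zero if any is found.
audit() {
    rc=0
    dns_order_ok "$1" || { echo "FAIL: first DNS server is not 127.0.0.1"; rc=1; }
    if [ "$(upstream_count "$1")" -eq 0 ]; then
        for key in $(hostname_settings "$2"); do
            echo "FAIL: $key is a hostname and no DNS server can resolve it"; rc=1
        done
    fi
    return "$rc"
}

# Constructed sample: isolated PBX with only the local resolver configured.
demo=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$demo/resolv.conf"
printf 'ntp_server=10.0.0.1\nsmtp_relay=mail.example.internal\n' > "$demo/hosts"
audit "$demo/resolv.conf" "$demo/hosts" || true
rm -rf "$demo"
```

On the appliance, call audit with the real resolver file and a list of the host fields you have configured; hostnames are only reported when no DNS Server other than 127.0.0.1 is present.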




Other Services

Because the PBXact is designed to work in an IP network environment and is mostly connected to the Internet, once you plan to disconnect your system from the public network, you must take care of some key services running on the box. Most of them are included in the System Admin Pages module: https://wiki.sangoma.com/display/FPG/System+Admin+Module

SMTP Server

Whether you choose to use the Local SMTP or an external one, it's important to remember that SMTP is intended to work on a public network for mail exchange with other mail domains. If there is no Internet Connection, you can configure your private SMTP server to allow the delivery of all the communications sent by the PBX (alerts, update status, voicemail notifications, fax and so on).

NTP Server

The telephone system relies on the Network Time Protocol, and the time is propagated to all the connected devices (mostly to the phones). Correct time and timezone are fundamental for debugging: logging, error reporting and CDRs can provide wrong information if the correct time is not set in the PBX System.

DynDNS

There is a Dynamic DNS client running on the PBXs which allows you to be identified outside your network and facilitates the NAT process. Without an Internet connection this service will not work correctly either.

Phones and Phone Apps

Phones must always be connected to the same PBXact IP network. Communication between Phones and PBXact, together with their related services, occurs over IP, which is why any network disruption will cause the Phones not to work.


Move to an Isolated Network Environment

The PBXact can now be moved off the Staging network and into the isolated network.

The Staging Network may be on the same Subnet as the isolated network or on a different one. If it is different, additional IP Address(es) for the new isolated network can be added in System Admin - Network Settings. Once configured, the PBXact can be turned off and moved over to the new isolated environment.



Application Awareness

When the PBXact is disconnected from the public Internet, there are some applications that will be limited:

Maintenance Applications

 - No Licensing Updates

 - No Module Updates

 - No Systems Updates

Phone Provisioning Applications

 - No Sangoma Redirect Server to take advantage of Zero Touch Provisioning

Zulu

 - No Zulu Mobile Push Notifications to alert Zulu Mobile Users

 - No Zulu Mobile connectivity for Phone, Chat or other features.

Notifications

 - No Sangoma SMTP Server for Email Notification

 - No use of External/Hosted Applications (SNMP, SMTP, NTP, DNS, and many others)

 - Only if an internal SMTP Server is configured can this be avoided

Unified Communications

 - No use of External hosted Unified Communication applications (CRMs, Call Accounting, Speech Recognition, and others)

 - No Use of Google or Microsoft Calendar Service integration

SIP Trunking

 - No use of external SIP Trunks or IAX Trunks to ITSPs will be possible

 - Trunking must be accessible to internal network - Gateways or SIP Trunk

Support Access

 - Sangoma's Support Team will not be able to connect remotely through the onboard Support VPN module (this is the only official way for Sangoma to provide any kind of Support)


PBXact Features

The following table lists the PBXact features and how they are impacted by not having Internet connectivity. As mentioned, any services relying on an Internet connection will not work. This is a non-exhaustive list of "Working", "Partially Working" and "Not Working" applications/services.


WORKING

Admin

  • Administrators
  • Asterisk CLI
  • Asterisk Modules
  • Backup & Restore
  • Basic Dashboard
  • Blacklist
  • Bulk Handler
  • Class of Service
  • Config Edit
  • Contact Manager
  • Custom Destinations
  • Custom Extensions
  • Feature Codes
  • Phone Apps
  • Presence State
  • Queue Penalty Rules
  • REST API
  • System Recordings
  • User Management
  • XMPP
  • XactViewV3 Admin

Applications

  • AMD Settings
  • Announcements
  • Appointment Reminder
  • Broadcast
  • Call Flow Control
  • Call Recording
  • Callback
  • CallerID Management
  • Conferences
  • Conferences Pro
  • DISA
  • Extensions
  • Follow Me
  • IVR
  • Misc Applications
  • Misc Destinations
  • Paging and Intercom
  • Park and Announce
  • Parking
  • Property Management
  • Queue Callback
  • Queue Priorities
  • Queues
  • Ring Groups
  • Set CallerID
  • Time Conditions
  • Time Groups
  • Virtual Queues
  • Voicemail Blasting
  • Wake Up Calls

Connectivity

  • DAHDI Channel DIDs
  • DAHDi Config
  • Inbound Routes
  • Outbound Call Limit
  • Outbound Routes
  • Vega Gateway Management

Reports

  • Asterisk Info
  • Asterisk Logfiles
  • CDR Reports
  • Call Event Logging
  • Call Recordings
  • PHP Info
  • Pinsets Code Reports
  • Print Extensions
  • Queue Callback Report
  • Queue Report Templates
  • Queue Reports
  • Queue Wallboard
  • REST API Report
  • Weak Password Detection

Settings

  • Advanced Settings
  • Asterisk IAX Settings
  • Asterisk Logfile Settings
  • Asterisk Manager Users
  • Asterisk REST Interface Users
  • CRM API Settings
  • CRM Settings
  • Extension Settings
  • Music on Hold
  • PIN Sets
  • QueueMetrics
  • Route Congestion Messages

User Panel

  • XactView Panel


PARTIALLY WORKING

Admin

  • Certificate Management(*)
  • Online Support(**)
  • Sound Languages(**)
  • System Admin(*)
  • Updates(**)
  • Zulu(*)

Applications

  • Calendar(*)
  • Calendar Event Groups(*)
  • Languages(**)
  • Voicemail Notifications(*)

Connectivity

  • Firewall(*)
  • Trunks(*)

Reports

  • Voicemail Reports(*)

Settings

  • Asterisk SIP Settings(*)
  • EndPoint Manager(*)
  • Fax Configuration(*)
  • Text To Speech Engines(**)
  • Voicemail Admin(*)


NOT WORKING

Admin

  • CID Superfecta
  • CallerID Lookup Sources
  • DUNDi Lookup

Applications

  • Text To Speech

Connectivity

  • Google Voice (Motif)
  • SIPSTATION

Reports

  • (none listed)

Settings

  • High Availability

User Panel

  • (none listed)


(*) = works for local network and authorised IP networks/services

(**) = needs access to the Internet to work 100%



System Maintenance and Updates

Regarding Maintenance and Updates to Modules and System software, as already noted above, the end customer will need to define a proper schedule for periodic system updates. Sangoma is continuously analyzing, updating and releasing software improvements and Security patches; leaving the System in a very old state, without software updates, can have an impact on performance and on security.

In addition, when purchasing a new or updated module license, you MUST connect the PBX to the Internet so that your system can reach Sangoma's Servers over the public network and fetch all the needed data/software.

As a possible way to overcome isolation from the Internet, these License and Software updates can be done with a Cellular 4G router or using any temporary connection. These updates (Licensing, System and Modules) are typically less than 600 MB.



When Firewalls can Open Specific Ports

In some cases, Security Policies will allow traffic from known sources. Here are some Sangoma Public IP addresses and FQDNs.

If your network is filtered by a firewall or any equivalent service, you may ask your IT manager to allow traffic to and from the following addresses:

Licensing / Modules updates:

199.102.239.11 (licensing)
199.102.239.170 (modules)

Yum update:

vault.centos.org
mirrorlist.sangoma.net
package1.sangoma.net
sng7.com

All of the aforementioned connections and related streams are carried over TCP.

Knowing PBXact exposed ports

Ports used on your PBX



2 Comments

  1. Danilo Smaldone - nice article 


    I don't see much in there about the long term impact of the incessant email alerts delivered when set up in this fashion ...


    I'm not sure I would say mail worked in this situation - if you need a case to look at, get with Robert Pereira and have a look at the asterisk user crontab; it's a whack-a-mole game trying to figure out what cron jobs are creating error emails, some sending 1 mail alert per minute (sad). If you know how to disable those alerts based on connectivity, please add those to the wiki in a section dedicated to email alerts.

  2. Chris Dolese Robert Pereira

    Email alerts can be easily disabled through the WebGUI under Modules->Updates/Scheduler and Alerts.

    You can choose which to disable between:

    • Automatic System Updates
    • Automatic Module Updates
    • Automatic Module Security Updates
    • Send Security Emails For Unsigned Modules