PBX Private IP: 192.168.1.5
SBC Public IP: 126.96.36.199
SBC Private IP #1: 192.168.1.11 (Connection to ITSP - Public IP Ports Forwarded to this IP)
SBC Private IP #2: 192.168.1.10 (Connection to Switchvox)
Ensure the following ports are open or forwarded to the public IP of the SBC.
- 5060 UDP
- 10,000 to 20,000 UDP
1) Go to Configuration → IP Settings → Access Control List and add a new list called ACL. Ensure the default policy is Deny, then add the IP of the PBX and the IP(s) of your ITSP. Set the prefix to /32 so that each entry allows only a single IP.
Note: In this case the ITSP is Sangoma's SIP Station. The FQDNs are trunk1.freepbx.com and trunk2.freepbx.com. Check with your ITSP if you need the IPs.
2) Go to Configuration → Signalling → SIP Profiles and add a new SIP profile called External_ITSP. Select the private IP that the public IP ports are forwarded to. In this example 188.8.131.52 is forwarded to 192.168.1.11. Then put the public IP of the SBC in External SIP IP Address and External RTP IP Address, and ensure both SIP Trace and Strict Security are enabled, as shown below.
3) In the Authentication section, disable authenticate calls, and add the ACL list created previously to both inbound calls and registrations as shown below.
4) Go to Configuration → Signalling → SIP Profiles and add a new SIP profile called Internal_ITSP. Select the private IP, enable SIP Trace and enable Strict Security.
5) In the Authentication section, disable authenticate calls, and add the ACL list created previously to both inbound calls and registrations as shown below.
6) Go to Configuration → Signalling → SIP Trunks and create a new SIP trunk called PBX. This trunk will point to your PBX. Put the IP of the PBX in the domain, and ensure the SIP profile is set to Internal_ITSP. Also ensure Registration is disabled.
7) Create another SIP trunk called Trunk1. This will go to trunk1.freepbx.com. Enter the username and password. Set the SIP profile to External_ITSP and enable Registration.
8) Create another SIP trunk called Trunk2. This will go to trunk2.freepbx.com. Enter the username and password. Set the SIP profile to External_ITSP and enable Registration.
Note: Some ITSPs may only have 1 SIP Trunk. If this is the case skip this step.
9) Go to Configuration → Routing → Call Routing and create a new routing plan called External_ITSP. Then make a new rule as shown below. Ensure the Stop policy is set as shown below, and the trunk is set to PBX.
10) Go to Configuration → Routing → Call Routing and create another new routing plan called Internal_ITSP. If your provider only has a single trunk, then you can use the same rule as in step #9, but select your provider's trunk. If you are using SIP Station or any other provider with two trunks, then use the rule below. This allows failover to work: the call will go to Trunk1, and if that is down, it will go to Trunk2.
Action 1: hangup_after_bridge
Value 1: true
Action 2: continue_on_fail
Value 2: NORMAL_TEMPORARY_FAILURE,USER_BUSY,NO_ANSWER,NO_USER_RESPONSE,NO_ROUTE_DESTINATION,NETWORK_OUT_OF_ORDER,CALL_REJECTED,DESTINATION_OUT_OF_ORDER,NORMAL_CIRCUIT_CONGESTION
Action 3: bridge
Value 3: sip/trunk/Trunk1/$1
Action 4: bridge
Value 4: sip/trunk/Trunk2/$1
10) Go to Configuration → Signalling → SIP Profiles → External_ITSP and edit the profile. Scroll to the bottom and set the Routing plan to External_ITSP.
11) Go to Configuration → Signalling → SIP Profiles → Internal_ITSP and edit the profile. Scroll to the bottom and set the Routing plan to Internal_ITSP.
12) To configure Intrusion Detection (IDS), go to Configuration → Security → Intrusion Detection and select the following 4 rule groups as shown below. We will be isolating the webUI from the internet, so there is no need for the other rules. Once done, click the update button at the bottom to save changes.
13) Go to Overview → Security → Intrusion Detection Status and ensure the PBX IP is in the list. In this case the PBX is 192.168.1.5, which falls in the 192.168.0.0/16 range, which is part of the default config. In most cases this step can be skipped, as all private addresses are included here by default.
14) The last security step is configuring both the webUI and SSH to only listen on the internal network. To do this, go to System → Server → Web and set the Network Interface to the private network, then save changes.
15) Go to System → Server → Secure Shell to do the same for SSH, setting the Network Interface to the private IP.
23) The SBC at this point is completely configured. Ensure you apply changes and start the SBC. Once the SBC starts, take a configuration backup as shown at https://wiki.sangoma.com/display/SBC/Backup+and+Restore.
24) If there are any issues, please contact Sangoma support with the information described at https://wiki.sangoma.com/display/SBC/How+To+Capture+Logs. To open a ticket, please go to https://support.sangoma.com.
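
The following is an added example, not part of the original guide and not Sangoma code. It models the default-deny ACL from step 1 and the range check from step 13 so the planned entries can be reviewed before they are typed into the webUI. The ITSP addresses are constructed placeholders, and the "allow if any entry matches, otherwise apply the default policy" evaluation is an assumption about how the list behaves.

```python
import ipaddress

# PBX address and IDS range are from the page. The ITSP addresses are
# constructed placeholders (documentation range); get the real ones from your ITSP.
PBX_IP = "192.168.1.5"
ITSP_IPS = ["203.0.113.10", "203.0.113.20"]
IDS_DEFAULT_RANGE = "192.168.0.0/16"


def build_acl(hosts):
    """Return one /32 allow entry per host, as step 1 requires."""
    return [ipaddress.ip_network(f"{h}/32") for h in hosts]


def acl_decision(acl, source_ip, default="deny"):
    """Assumed model: allow when an entry contains the source, else the default policy."""
    addr = ipaddress.ip_address(source_ip)
    return "allow" if any(addr in net for net in acl) else default


def audit_entries(entries):
    """Flag entries whose prefix admits more than one address."""
    findings = []
    for text in entries:
        net = ipaddress.ip_network(text, strict=False)
        if net.num_addresses > 1:
            findings.append((text, net.num_addresses))
    return findings


def in_ids_range(ip, cidr=IDS_DEFAULT_RANGE):
    """Step 13 check: does the PBX fall inside the default range named there?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    acl = build_acl([PBX_IP] + ITSP_IPS)
    # Constructed test sources: the PBX, its LAN neighbour, an ITSP host, a stranger.
    for src in [PBX_IP, "192.168.1.6", "203.0.113.10", "198.51.100.7"]:
        print(f"{src:15} -> {acl_decision(acl, src)}")
    # A mistyped /24 instead of /32 would admit 256 addresses.
    print(audit_entries(["192.168.1.5/32", "203.0.113.10/24"]))
    print("PBX in IDS default range:", in_ids_range(PBX_IP))
```
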