As of Oct 7, 2020, this use case is no longer supported for new installations.
Existing installations will continue to be supported.
Switchvox Public IP: 149.248.51.143
Switchvox Private IP: 192.168.1.5
SBC Public IP: 149.248.58.42
SBC Private IP #1: 192.168.1.11 (Connection to Remote Phones - Public IP Ports Forwarded to this IP)
SBC Private IP #2: 192.168.1.10 (Connection to Switchvox)
Router Configuration
Ensure the following ports are open or forwarded to the public IP of the SBC and Switchvox.
SBC Public IP Ports
- 5060 UDP
- 10000 to 20000 UDP
Switchvox Public IP Ports
- 80 / 443 TCP
SBC Configuration
IMPORTANT: SBC FIRMWARE VERSION 2.3.27 IS REQUIRED FOR SWITCHVOX REMOTE CLIENT SUPPORT.
1) Go to Configuration → Routing → SIP Message Routing and create a new rule called External_swvx. Then download External_swvx.xml and copy and paste the contents into the webUI as shown below, and then save the changes.
2) Create another new rule called Internal_swvx. Then download Internal_swvx.xml and copy and paste the contents into the webUI as shown below, and then save the changes.
3) Go to Configuration → Routing → Call Routing and create a new Advanced rule (not a Basic rule). Then download advanced_external_to_swvx.xml and copy and paste the contents into the webUI as shown below, and then save the changes.
4) Go to Configuration → Routing → Call Routing and create another new Advanced rule (not a Basic rule). Then download advanced_swvx_to_external.xml and copy and paste the contents into the webUI as shown below.
Ensure you change "149.248.51.143" to the Public IP of your Switchvox (not SBC). Once done save changes.
5) Go to Configuration → IP Settings → Access Control Lists and create a new ACL called Switchvox. Set the default policy to Deny. Add the Switchvox IP as an ACL node as shown below. Ensure the policy is Allow and the prefix is 32 as shown below. Replace 192.168.1.5 with the private IP of your Switchvox.
6) Go to Configuration → Signalling → SIP Profiles and add a SIP Profile called External_swvx (ensure the E is capital, as this is case sensitive). Select the private IP that the public IP ports are forwarded to. In this example 149.248.58.42 is forwarded to 192.168.1.11. Then put the public IP of the SBC in External SIP IP Address and External RTP IP Address as shown below. Then ensure SIP Trace is enabled.
7) Next in the Authentication section disable Authenticate Calls. Then set the Network Validation ACL to IP Address as shown below.
8) In the NAT Traversal section set the options exactly as shown below. These fix all the problems NAT can cause. Since the remote D series phone can be behind any router, it's important that these are all enabled as shown below.
9) In Session Routing set the routing plan as shown below. SIP Message Routing also has to be enabled, and External_swvx needs to be set. The last step is to check off the MESSAGE SIP relay allow method. Once done, save the SIP profile.
10) Create a second SIP profile called Internal_swvx as shown below, selecting the private IP, enabling SIP Trace and enabling Strict Security.
11) In the Authentication section Disable Authenticate Calls. Then move the Switchvox ACL over to the Used box for both Inbound calls, and Registrations.
12) In Session Routing set the routing plan as shown below. SIP Message Routing also has to be enabled, and Internal_swvx needs to be set. The last step is to check off the MESSAGE SIP relay allow method. Once done, save the SIP profile.
13) Next go to Configuration → Signalling → SIP Trunks and create a new trunk called swvx_trunk (ensure it's all lower case, as this is required). Set the Domain to the IP of the Switchvox, and then ensure the SIP Profile is set to Internal_swvx. Once done, save the SIP trunk.
14) Next go to Configuration → Signalling → Domains and create a new domain. The Domain will be the public IP of the Switchvox (Not SBC). Put the Domain into the Display Name as shown below. Then enable forward registration. Set the forward SIP profile to Internal_swvx. Then move swvx_trunk over to the used box as shown below. Then save once done.
15) Now that the domain is made, go to Configuration → Signalling → SIP Profiles → External_swvx and click the Bind button. A popup will come up, simply select the domain made in the last step.
16) Go to Configuration → Media → Media Profiles → Default and only enable G711 as shown below. Once done press save to continue.
17) To configure the Intrusion Detection or IDS simply go to Configuration → Security → Intrusion Detection and select the following 4 rule groups as shown below. We will be isolating the webUI from the internet, so there is no need for the other rules. Once done click the update button at the bottom to save changes.
18) Next go to Configuration → Security → SIP Firewall and edit the default rule Fail_Call_Block. This rule will block any IP that fails 10 times over a 30 minute period. By default the rule only blocks for 60 minutes, but it is best to change this to forever. To do this change the Action Parameter to 0 as shown below.
This rule can be adjusted if you find that too many users are being blocked by it. Also note that if you have multiple phones at a remote site, the block can take down the whole site. To avoid this, put any known remote site IPs in the "Source IP White List Filter", and separate the IPs with commas if there is more than one.
19) Next we need to do the same rule as the previous step, but this time for Registrations. Just as mentioned in the previous step you can white list IPs of known remote sites. Once done save to complete the SIP Firewall setup.
20) If you do have an IP blocked by the IDS you can go to Overview → Security → Intrusion Detection Status to see if it's blocked. It will be shown at the bottom there, and you will have the ability to unblock the IP. You can also add known IPs to the Exempt list so the IDS doesn't block them. Keep in mind, the Exempt list for the IDS is different than the White list for the SIP firewall as mentioned in Step #17. You should put known remote site IPs in both locations.
21) If the IP isn't blocked by the IDS, then it can be blocked by the SIP Firewall configured in steps #17/18. If the IP is blocked you will see it in the list as shown below. You can unblock the IP by pressing the unblock button.
22) The last security step is configuring both the webUI and SSH to only listen on the internal network. To do this go to System → Server → Web and set the Network Interface to the private network, then save changes.
23) Go to System → Server → Secure Shell to do the same for SSH, setting the Network Interface to the private IP.
24) The SBC at this point is completely configured. Ensure you apply changes and start the SBC. Once the SBC starts take a backup as shown at https://wiki.sangoma.com/display/SBC/Backup+and+Restore, and then follow the next section to configure the Switchvox.
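The Fail_Call_Block behaviour from steps 18 and 19, replayed offline as an added example (not Sangoma's code and not part of the original page), to show what the 60 minute default, Action Parameter 0 and the Source IP White List Filter each change. It assumes a sliding 30 minute window and that the 10th failure triggers the block; the event list and its addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 30 * 60   # failures are counted over a 30 minute period (step 18)
THRESHOLD = 10       # assumption: the 10th failure inside the window blocks
FOREVER = 0          # Action Parameter 0 means the block never expires

def simulate(events, block_minutes=60, whitelist=()):
    """Replay time-ordered (unix_seconds, source_ip) failure events.

    Returns (blocked, admitted): blocked maps ip -> (blocked_at, expires_at),
    where expires_at is None for a permanent block; admitted counts the
    failures per ip that were processed rather than dropped by a block.
    """
    recent = defaultdict(deque)   # per-IP failure timestamps inside the window
    blocked, admitted = {}, defaultdict(int)
    for ts, ip in events:
        if ip in whitelist:       # Source IP White List Filter: never counted
            continue
        if ip in blocked:
            expires = blocked[ip][1]
            if expires is None or ts < expires:
                continue          # dropped by the active block
            del blocked[ip]       # timed block ran out, counting starts over
        admitted[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW_S:   # assumption: sliding, not fixed, window
            q.popleft()
        if len(q) >= THRESHOLD:
            expires = None if block_minutes == FOREVER else ts + block_minutes * 60
            blocked[ip] = (ts, expires)
            q.clear()
    return blocked, dict(admitted)

def sample_events():
    """Constructed failure log; all addresses are documentation ranges."""
    ev = []
    for phone in range(4):   # 4 phones behind one NAT IP, stale password
        ev += [(t + phone, "203.0.113.20") for t in range(0, 3600, 300)]
    ev += [(t, "198.51.100.7") for t in range(0, 7200, 20)]  # fails for 2 hours
    ev += [(t, "203.0.113.99") for t in (100, 160, 220)]     # one user, 3 typos
    return sorted(ev)

if __name__ == "__main__":
    site = {"203.0.113.20"}
    for label, kw in [("60 min block", {}), ("forever", {"block_minutes": 0}),
                      ("forever + whitelist", {"block_minutes": 0, "whitelist": site})]:
        print(label, simulate(sample_events(), **kw))
```

With the 60 minute default the source that keeps failing has 20 attempts processed in two hours, against 10 with Action Parameter 0. The four-phone site is blocked about ten minutes in unless its IP is in the white list.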
Switchvox Configuration
1) Go to Server → Networking → IP Configuration, enable Allow Nat Port Forwarding, and click the blue "Look up External IP" button. Then click Insert IP Address to set the correct External IP Address as shown below.
2) Go to Server → Networking → Access Control Rules and disable everything for All Networks except enable User API as shown below. If you have remote networks that need to access extension or admin log in, and do not have a separate Access Control Rule for those networks, you must also enable Web User Portal and Web Admin Portal. Then add a new network for the SBC's Private IP with the /32 as shown below. Then enable only Never Block IPs and SIP, everything else should be disabled as shown below.
3) Go to Server → Networking → Phone Networks and edit the All Networks because remote phones can come from any remote IP address. Enable Direct Port Access, then set the Outbound proxy to the public IP of the SBC. Then set the Host Address to the public IP of the Switchvox as shown below.
4) To set up the Digium Config Server go to Setup → Phones → Digium Phones and then click on the Desk Phone Assignment Options button. Then assign an Assignment Code. This is the code you will need to enter into your D series phone to configure it.
5) Next create the First Extension by going to Setup → Extensions → Manage and then click Create Extension. On the next page select SIP Phone or SIP Adapter as shown below.
6) Next fill out the extension number, name and all other info required as shown below.
7) All configuration is now completed. You are ready to point your D series phone to the SBC's public IP. In this example the IP is 149.248.58.42. Then enter the assignment pin to configure the phone.
8) If there are any issues, support will need the info described at https://wiki.sangoma.com/display/SBC/How+To+Capture+Logs when you report an issue related to the SBC.