PBX Private IP: 192.168.1.5
Ensure the following ports are open on, or forwarded to, the public IP of the SBC (5060/UDP carries the SIP signalling, 10,000 to 20,000/UDP the RTP media).
- 5060 UDP
- 10,000 to 20,000 UDP
1) Go to Configuration → IP Settings → Access Control Lists and create a new Access Control List called ACL. Set the default policy to Deny. Add the PBX IP as an ACL node as shown below, with the policy set to Allow and the prefix set to 32 so that only that single host matches. Replace 192.168.1.5 with the private IP of your PBX.
2) Go to Configuration → Signalling → SIP Profiles and add a SIP Profile called External. Select the external-facing private IP that the public IP's ports are forwarded to. In this example 18.104.22.168 is forwarded to 192.168.1.11. Then put the public IP of the SBC in External SIP IP Address and External RTP IP Address as shown below. Then ensure SIP Trace is enabled.
3) Next, in the Authentication section, disable Authenticate Calls. Then set the Network Validation ACL to IP Address as shown below. The Network Validation ACL only lets Registration messages through from a source until a device at that source has registered; every other SIP request from an unregistered source is blocked. Registrations themselves are still accepted from any IP, so in step #18 below we create a SIP Firewall rule that blocks sources sending repeated failed Registrations, which stops attackers from making endless Register attempts.
4) In the NAT Traversal section set the options exactly as shown below. These work around the address and port problems NAT causes for SIP signalling and RTP media. Since a remote phone can be behind any router, it is important that these are all enabled as shown below.
5) Create a second SIP profile called Internal as shown below. Select the internal-side private IP, enable SIP Trace and enable Strict Security.
6) In the Authentication section disable Authenticate Calls. Then move the ACL over to the Used box for both Inbound Calls and Registrations. This only permits SIP requests from IPs in the ACL, which in this setup means only the PBX.
7) Next go to Configuration → Signalling → SIP Trunks and create a new trunk called PBX. Set the Domain to the IP of the PBX and ensure the SIP Profile is set to Internal. Once done, save the SIP trunk.
8) Next go to Configuration → Signalling → Domains and create a new domain. The Domain will be the public IP of the SBC. Put the same value into the Display Name as shown below. Then enable Forward Registration and set the forward SIP profile to Internal. Then move the PBX trunk over to the Used box as shown below, and save once done.
Note: In some cases you may want to set the Force Expires time. Setting this shortens the time that devices stay registered. If phones are constantly changing between networks, a shorter registration time such as 300 seconds or less is a good idea, so that the SBC always has the current location of each phone.
9) Now that the domain is made, go to Configuration → Signalling → SIP Profiles → External and click the Bind button. In the popup that appears, select the domain made in the previous step.
13) Next add a new rule as shown below. This rule will route all internal calls to the registered users.
14) Go to Configuration → Signalling → SIP Profiles and modify the External SIP profile. On the following page click Edit, scroll to the bottom and set the Routing Plan to External.
15) Go to Configuration → Signalling → SIP Profiles and modify the Internal SIP profile. On the following page click Edit, scroll to the bottom and set the Routing Plan to Internal.
This rule can be adjusted if you find there are too many users being blocked by it. Also note that if you have multiple phones at a remote site, the block can take down the whole site, because all of those phones share the site's public IP. To avoid this, put any known remote site IPs in the "Source IP White List Filter", separated by commas if there is more than one.
18) Next create the same rule as in the previous step, but this time for Registrations. As in the previous step, you can whitelist the IPs of known remote sites. Once done, save to complete the SIP Firewall setup.
19) If you do have an IP blocked by the IDS you can go to Overview → Security → Intrusion Detection Status to see whether it is blocked. It will be shown at the bottom, and you will have the ability to unblock the IP. You can also add known IPs to the Exempt list so the IDS doesn't block them. Keep in mind that the IDS Exempt list is different from the SIP firewall whitelist mentioned in Step #17; you should put known remote site IPs in both places.
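To make the trade-off in steps 17 to 19 concrete, the following is an added example (not Sangoma SBC or Switchvox code) that models a "block a source after repeated failed Registrations" rule replayed over the SBC's own SIP responses. It shows two things the steps above only state: a lone 401 is the normal digest challenge and must not count as a failure, and a remote site behind one NAT address gets blocked as a whole when a single phone there has a bad password unless that address is whitelisted. The threshold, window, block duration and the log line format are assumptions made for this illustration, not SBC defaults, and the sample log is constructed.

```python
"""Added example: a model of the step-18 SIP firewall rule, not SBC code.

Assumed (hypothetical) parameters; the real rule is configured in the SBC's
SIP Firewall page and its thresholds are not given on this page.
"""
from collections import defaultdict, deque
import ipaddress

MAX_FAILURES = 3   # failed REGISTER attempts tolerated per source in WINDOW
WINDOW = 60        # seconds over which failures are counted
BLOCK_FOR = 600    # seconds a source stays blocked


class RegisterGuard:
    """Counts REGISTER failures per source IP and blocks repeat offenders.

    With digest auth a REGISTER is first answered 401 (the challenge) and
    then 200 once the phone retries with credentials, so a single 401 is
    not a failure. A second 401 before any 200 means the credentials were
    rejected; 403 and 404 are hard failures.
    """

    def __init__(self, whitelist=(), max_failures=MAX_FAILURES,
                 window=WINDOW, block_for=BLOCK_FOR):
        # Equivalent of the "Source IP White List Filter": exempt networks
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self.pending = set()                # sources with an unanswered 401 challenge
        self.failures = defaultdict(deque)  # source -> timestamps of failures
        self.blocked_until = {}             # source -> time the block expires

    def whitelisted(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.whitelist)

    def blocked(self, src, now):
        until = self.blocked_until.get(src)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(src, None)   # expired (or never set)
        return False

    def observe(self, now, src, method, status):
        """Feed one response the SBC sent towards src; return the decision."""
        if self.whitelisted(src):
            return "allow"
        if self.blocked(src, now):
            return "drop"                   # blocked: traffic never reaches the PBX
        if method != "REGISTER":
            return "allow"
        failed = False
        if status == 401:
            failed = src in self.pending    # re-challenged: credentials rejected
            self.pending.add(src)
        elif status in (403, 404):
            failed = True
            self.pending.discard(src)
        elif status == 200:
            self.pending.discard(src)       # registered successfully
        if not failed:
            return "allow"
        q = self.failures[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                     # forget failures outside the window
        if len(q) >= self.max_failures:
            q.clear()
            self.blocked_until[src] = now + self.block_for
            return "block"
        return "allow"


def parse_line(line):
    """Constructed log format: '<seconds> <src-ip> <method> <status>'."""
    t, src, method, status = line.split()
    return int(t), src, method, int(status)


def run(log_text, whitelist=()):
    """Replay a log and return the set of sources left blocked."""
    guard = RegisterGuard(whitelist)
    for line in log_text.strip().splitlines():
        guard.observe(*parse_line(line))
    return set(guard.blocked_until)


# Constructed sample: 203.0.113.10 registers correctly, 198.51.100.7 is a
# scanner guessing credentials, 192.0.2.50 is a remote site's NAT address
# where one phone registers fine and another keeps sending a bad password.
SAMPLE_LOG = """
0  203.0.113.10 REGISTER 401
1  203.0.113.10 REGISTER 200
2  198.51.100.7 REGISTER 401
3  198.51.100.7 REGISTER 401
4  198.51.100.7 REGISTER 401
5  198.51.100.7 REGISTER 403
10 192.0.2.50   REGISTER 401
11 192.0.2.50   REGISTER 200
12 192.0.2.50   REGISTER 401
13 192.0.2.50   REGISTER 401
14 192.0.2.50   REGISTER 401
15 192.0.2.50   REGISTER 401
"""

if __name__ == "__main__":
    print("no whitelist:        ", sorted(run(SAMPLE_LOG)))
    print("remote site exempted:", sorted(run(SAMPLE_LOG, whitelist=["192.0.2.50"])))
```

Without the whitelist both the scanner and the remote site's address end up blocked, so every phone at that site loses service; with the site's address in the whitelist only the scanner is blocked. Because the whitelist disables the rule for that source entirely, it should be paired with the IDS Exempt list from step 19 and kept to addresses you actually control.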
23) The SBC is now completely configured. Apply the changes and start the SBC. Once the SBC starts, take a configuration backup as shown at https://wiki.sangoma.com/display/SBC/Backup+and+Restore, and then follow the next section to configure the Switchvox.
24) If there are any issues, please contact Sangoma support. Sangoma support will need the information described at https://wiki.sangoma.com/display/SBC/How+To+Capture+Logs when you report an issue related to the SBC. To open a ticket please go to https://support.sangoma.com.