Posts tagged: iax

VoIP Softphone Shootout for iPhone, iPad, & iPod Touch

We interrupt our Incredible PBX coverage this week to bring you a summer roundup of the best and worst VoIP softphones for use with an iPhone, iPad, or iPod Touch in conjunction with Asterisk®. We’ve tested all of these products with Asterisk sitting behind a NAT-based firewall/router which introduces some additional wrinkles unless your softphone and server are connected through a virtual private network. We’ll leave the VPN discussion for another day. None of these products has native support for the iPad although all will work with any iPad as will any standard iPhone app in either 1X or 2X mode.

The four products we’ll be evaluating are Acrobits SIP Softphone, the WiFone from Snizmo.com Ltd., the Media5-fone, and CounterPath’s just-released Bria softphone. All support SIP dialing, and the WiFone provides IAX connectivity as well. We were a bit surprised that, despite their reliance on SIP to connect calls, SIP URI support was minimal to non-existent in all but the Bria product. Before diving into the individual products, we should note that, in conjunction with our product evaluations, we received no compensation or discounted/free software from any source. We are a beta site for CounterPath’s next Bria release.

Acrobits Softphone. The Acrobits Softphone requires iPhone OS 3.0 or later and was recently updated on June 3, 2010. The softphone only supports SIP but works with both WiFi and 3G connections which makes it a perfect complement to current generation iPhones as well as the iPad-3G. The softphone also supports push notifications for inbound calls until multitasking is available with iOS 4.0. Multiple SIP accounts can be registered, and the softphone has SIP proxy, VPN, and STUN server support, a must with Asterisk sitting behind most NAT-based routers. G.711, GSM, and iLBC audio codecs are supported in the standard configuration, and we experienced excellent call quality using WiFi with no DTMF issues. As with all of these VoIP phones, 3G call quality was all over the map depending upon the reliability of your nearest cell tower. SIP URIs can be called by cutting-and-pasting dial strings from entries in the Contacts list email address fields provided the SIP URI destination name is numeric. Quirky but it works. There’s also a speed dial feature for your 12 favorite contacts. Flexible dial strings are supported to smooth the path for international calling. With iOS 3.1, a Bluetooth headset can also be used. The application sells for $7.99 in the App Store, and G.729 support can be added for an additional $9.99. G.729 is a must-have if you’ll be using a 3G network for most of your VoIP calls.

While call quality is obviously subjective, the Acrobits Softphone was our personal favorite for daily use. We routinely use it on an iPad to check Asterisk voicemails and to make outbound calls through our home Asterisk server while traveling. Setup is as simple as entering the IP address or FQDN[1] of your Asterisk server and an extension number and password to handle the calls. We added a public STUN server entry because of our NAT-based Asterisk setup.

Snizmo’s WiFone. A very close runner-up in voice quality was the WiFone from Snizmo.com Ltd. This softphone has the added advantage of supporting both SIP and IAX2 connections to Asterisk. If security and ease of use matter most to you, then you can’t go wrong with this softphone. IAX2 connections are much less vulnerable to attack from the Internet and are considerably easier to configure because of the elimination of thorny NAT issues. If we had found this softphone first, we probably would have looked no further. As you can see from the screenshot, this softphone supports multiple SIP and IAX connections and is easily set up using the configuration menu. For our European friends, it also supports SMS using a dozen different providers. Echo cancellation and STUN support are available, and G.711 and GSM codecs can be individually configured for SIP and IAX connections. An Outbound Proxy is also available as well as support for international dial strings and prefixes if you need it.

For SIP accounts, simply provide the server address, a username, and password. Authorization name, SIP port, and proxy server settings are optional. For IAX accounts, server address, username, and password are the only required entries. Each account can be toggled ON and OFF to meet your individual requirements. SMS Settings provides a listing of a dozen SMS providers. Simply add your username, password, and a CallerID and SMS just works. The contacts list also synchronizes with your Mac Address Book as well as MobileMe. The call quality of both SIP and IAX connections using WiFi was excellent. 3G support is not yet available. The web-based tutorial is excellent, and the application is available in the App Store for $6.99. An international version also is available.

We could not get the SIP URI functionality to work because the Contacts list phone numbers do not support SIP URI syntax, and there’s no way to manually enter or cut-and-paste a dial string from an email address in the Contacts list. While the polish of the application was not quite up to the Acrobits Softphone, the call quality was uniformly excellent with the SIP URI limitation that we’ve noted.

Media5-fone. Our final softphone in today’s roundup is Media5-fone from Media5 Corporation. It can be downloaded from the App Store for $4.99. While the application is exclusively a SIP phone, it does have preconfigured setups for dozens of providers in the event your requirements extend beyond the Asterisk universe. Unfortunately, there is no STUN support in the current version which makes it unsuitable for use with Asterisk implementations that sit behind NAT-based routers. Multiple SIP connections are supported as are second call, call waiting, and call toggle. In the current version, both SIP over WiFi and 3G are supported using iLBC, G.711, Enhanced G.711, G.722, and iSAC codecs. SIP Info, RFC 2833, and RTP Inband DTMF methods are configurable for each SIP account. Dialing prefixes are flexible and the phone has language support for English, Arabic, French, German, Italian and Spanish which facilitates international use. The phone also includes a nice implementation of visual voicemail; however, the SIP password and voicemail password would have to be the same to function properly with Asterisk. Automatic gain control and echo cancellation also are supported. With the addition of STUN and SIP URI support, Media5-fone would be a worthy competitor.

Update: CounterPath’s Bria. As luck would have it, CounterPath released their new Bria softphone for the iPhone today. It also is iPod Touch and iPad-compatible and supports both WiFi and 3G. The softphone is available at an introductory price of $3.99 in the App Store. It’s the best bargain in the softphone market. G.729 support can be added for an additional $8.99. G.722 wideband support reportedly is coming in August. You may recall CounterPath’s terrific and free X-Lite offerings for Windows, Macs, and Linux. They’ve been one of our favorite developers ever since, and we are actually serving as a beta tester for their next release. As usual, the Bria interface offers what is hands-down the best UI in the business. The voice quality of the calls is impeccable. Our only criticism is that out-of-the-box, Bria doesn’t work for placing outbound calls with Asterisk. Registration of credentials works fine, inbound calling works great, but outbound calls to either an extension, a phone number in the Address Book, or a SIP URI all just hang with no error message or notation in the log. Only after tracing down an obscure link on their web site did we discover the problem. It turns out that one simple change of a single default setting gets things working as they should. To make the change to support Asterisk, click Settings, Advanced Settings, Network Traversal Strategy, User Specified. Then change ICE:ON to ICE:OFF. Click the Advanced button, and then Apply Changes. Aside from this one default configuration glitch, the Bria softphone would be our Editor’s Choice. We highly recommend you make your purchase while the softphone still is available at the introductory price. For an excellent review, see Alec Saunder’s Blog today.




Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. FQDN = Fully-Qualified Domain Name

The Incredible PBX: Adding Remotes, Preserving Security

Unlike most Asterisk®-based PBXs which are insecure as installed and leave it to you to implement sufficient safeguards to preserve the integrity of your system, the Incredible PBX is delivered with rock-solid, air-tight security already in place. Because it is designed to operate behind a hardware-based firewall, what you'll be doing when you want to add functionality with the Incredible PBX is loosening security rather than tightening it. The trick, of course, is to do it in a way that doesn't compromise the overall integrity of your system. As delivered, the Incredible PBX relies upon four layers of network security: a hardware-based firewall of your choice[1], a preconfigured IPtables software-based Linux firewall, preconfigured Fail2Ban to monitor your logs for suspicious activity and to block specific IP addresses when abuse is detected, and random passwords for all extensions and DISA connections.

If you installed the Incredible PBX using SIPgate as the intermediate provider with Google Voice, then your hardware-based firewall should have no ports opened and forwarded to your server. If you used IPkall, then only UDP 4569 has been opened and forwarded to your server. And the Incredible PBX IPtables setup for IAX restricts access to just a few IP addresses to support IPkall.

There are obviously situations in which you will want or need additional connectivity. The most likely one involves activation of SIP telephones at remote locations, such as a branch office, or Grandma's house or a relative in college. The other obvious use is with cellphones and PDAs that support SIP clients such as Android phones, iPhones, and iPads.[2]

What we'd recommend you not do is open the SIP floodgate to your PBX by providing unrestricted inbound SIP access, but we'll show you how if you really want or need this functionality. As desirable as this can be, it is accompanied by an array of security issues that really are not worth the risks unless you know what you're doing and you're willing to stay on top of security updates and keep your system patched.

Let's first tackle how to provide limited inbound SIP functionality without selling the farm. If the remote site has a fixed IP address, the procedure to allow remote access to your server is fairly straightforward: just map the SIP ports on the hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000) and then restrict SIP access using IPtables to the remote IP address as well as the subnet of your private LAN. You can decipher your private subnet by running status. If your server's IP address is 192.168.0.123, then your private subnet would be 192.168.0.0. The IPtables firewall settings are stored in /etc/sysconfig/iptables. Edit that file and find the line that looks like this:

-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT

Delete or comment out this entry with a leading # and insert new entries that look like the following using the public IP address(es) you wish to add plus the private subnet:

-A INPUT -p udp -m udp -s 141.146.20.10 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 141.146.20.11 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT


After making the changes, save the file: Ctrl-X, Y, then Enter. Then restart IPtables: service iptables restart.
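The same edit as a repeatable script, added here as an example and not taken from the original article: it comments out the unrestricted SIP rule and writes one source-restricted rule per allowed address in its place, refusing an empty or match-everything allow list. The function names and the sample rules file are hypothetical; the port range and addresses are the ones used above.

```shell
#!/bin/sh
# Added example (not from the article): source-restrict the SIP ACCEPT rule in
# an iptables rules file. Function names and sample data are hypothetical.

SIP_PORTS="5000:5082"   # SIP port range used in the article's rules

# Succeeds if the line ACCEPTs the SIP range on INPUT with no source match.
is_open_sip_rule() {
    case "$1" in \#*) return 1 ;; esac                        # commented out
    case "$1" in
        *"-A INPUT"*"--dport $SIP_PORTS"*"-j ACCEPT"*) ;;
        *) return 1 ;;
    esac
    case " $1 " in *" -s "*|*" --source "*) return 1 ;; esac  # already limited
    return 0
}

# Succeeds for a dotted IPv4 address or address/mask that is not "everyone".
valid_source() {
    case "$1" in
        ""|*[!0-9./]*|0.0.0.0*|*/0|*/0.0.0.0) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints how many unrestricted SIP ACCEPT rules FILE contains.
count_open_sip_rules() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if is_open_sip_rule "$line"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# restrict_sip_rules FILE SRC...: prints FILE with each open SIP rule commented
# out and replaced, at the same position, by one ACCEPT rule per source.
restrict_sip_rules() {
    file=$1; shift
    [ "$#" -gt 0 ] || { echo "need at least one source" >&2; return 2; }
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 2; }
    done
    while IFS= read -r line || [ -n "$line" ]; do
        if is_open_sip_rule "$line"; then
            printf '#%s\n' "$line"
            for src in "$@"; do
                printf '%s\n' "-A INPUT -p udp -m udp -s $src --dport $SIP_PORTS -j ACCEPT"
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
}

# Constructed sample in the /etc/sysconfig/iptables layout (not a real config).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
COMMIT
EOF
}

# Demo: print the rewritten sample using the article's example sources.
demo_file=$(mktemp)
sample_rules > "$demo_file"
restrict_sip_rules "$demo_file" 141.146.20.10 141.146.20.11 192.168.0.0/255.255.0.0
rm -f "$demo_file"
```

Write the output to a new file and compare it with the original before replacing /etc/sysconfig/iptables; running count_open_sip_rules on the result should print 0.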

Unfortunately, in many situations, the remote phone or cellphone uses an Internet connection with a dynamic IP address. So we don't know the actual IP address that will be assigned. There are a number of solutions to this problem, and we'll rank them in our order of preference. First, spend the $200 and install another Incredible PBX at the remote site. Then the two servers can be linked with IAX connections between the servers making connectivity between the systems totally transparent. Second, install VPN routers at both sites and use a private IP address to establish connectivity with the host system. In this situation, you will have the equivalent of a fixed IP address for the remote device which makes it the equivalent of the fixed IP address solution above. Third, install OpenVPN on your host system and purchase a SIP phone or cellphone that supports VPN connectivity. Most of the high-end SNOM SIP phones have this functionality as do Android phones, iPhones, and iPads. With this setup you also have the equivalent of a fixed IP address, even though it's on a virtual private network. Fourth, talk to the Internet service provider at your remote site and obtain the range of IP addresses that DHCP hands out to those using their services... or just make an educated guess.[3]

BEFORE Activating Full SIP Connectivity. OK. We hear you. You travel for a living, and the IP address of your cellphone changes hourly, all day, every day of the year. Then, yes, you are a candidate for a full-fledged Asterisk server with unlimited SIP access. Before covering how, let's review what responsibilities go with running such a server. Bear in mind that one compromised SIP password or otherwise vulnerable application on your server (including Asterisk, FreePBX, SSH, and hundreds of others), and you may very well be the proud owner of a whopping phone bill. And we're not talking hundreds of dollars. It could very well be tens of thousands of dollars. And it doesn't take weeks or months. It could be a few hours.

Baker's Dozen SIP Security Checklist

1. Keep Asterisk Current & Patched
2. Keep FreePBX Current & Patched
3. Make Frequent Backups
4. Visit PBX in a Flash Forums Regularly
5. Subscribe to PBX in a Flash RSS Feed
6. Secure Alphanumeric Extension Passwords
7. Secure DISA, VMail, Root, FreePBX Passwords
8. Lock Down Extensions with Deny/Permit
9. Turn Off Recurring Payments with Providers
10. Restrict Trunks to 1-2 Simultaneous Calls
11. Tighten Dialplan by Removing Wildcards
12. Eliminate Intl & Toll Calls With Providers
13. Check FreePBX Call Logs Daily for Abuse

Baker's Dozen SIP Security Checklist. Before opening the floodgates, let's review what you need to do. First, you'll need to run the very latest version of Asterisk... all the time. This means you need to monitor asterisk.org, and keep your system up to date by running update-scripts, update-source, and update-fixes regularly. The default version of Asterisk on current PBX in a Flash and Incredible PBX builds is extremely reliable, but it contains SIP and IAX vulnerabilities which should not be exposed directly to the Internet! Second, you need to run the latest version of FreePBX and apply all patches as they are released. Third, you need to make frequent backups appreciating that sometimes the Asterisk and FreePBX developers get things horribly wrong, and stuff that used to work no longer does. Believe it or not, they're human! Fourth, you need to visit the PBX in a Flash Forums daily and keep abreast of security alerts and bug reports on CentOS, Asterisk, and FreePBX. Fifth, you need to subscribe to the PBX in a Flash RSS Feed which provides regular security alerts when there are reported problems. Sixth, you need to really secure your extension passwords with very long, complex alphanumeric passwords. Ditto for your root and FreePBX passwords! Seventh, for DISA and voicemail, these passwords need to be numeric, complex, and extra long. Eighth, you need to lock down as many of your extensions as possible with deny/permit settings to restrict the IP addresses of those extensions. If you only have one or two remote SIP extensions with dynamic IP addresses, then all of the rest should have deny/permit entries! Ninth, turn off recurring payments with all of your telephony providers and keep minimal funds available in all of your accounts. This means you'll have to monitor these accounts to make sure they are not deactivated for lack of funds. 
Tenth, restrict all of your trunks to one or at most two simultaneous calls to reduce your call exposure in the event someone breaks into your system. Eleventh, tighten up your Trunk Dial Rules and eliminate any entries that would permit calls to anywhere in the world! If you don't regularly make international calls, there's absolutely no reason to have such entries in your dialplan. If you still have Ma Bell PSTN lines, this is even more important. In fact, consider eliminating long distance access to all of these trunks. Twelfth, where possible, configure your provider accounts to eliminate international and toll calls of all varieties. Finally, check your FreePBX call log every day to make certain no one is making calls on your nickel.
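Checklist items six and eight can be checked mechanically. The following is an added example, not part of the original article or of FreePBX: it reads a chan_sip extension file and lists extensions that lack a deny/permit pair, whose permit line re-opens access to every address, or whose secret is short or numeric. The file layout (FreePBX-style sip_additional.conf), the 12-character threshold, the function names and the sample extensions are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit chan_sip extension entries for
# checklist items 6 and 8. File layout and the length threshold are assumptions.

MIN_SECRET_LEN=12   # assumed minimum; the article only says "very long"

# audit_sip_extensions FILE: prints "<extension> <issue>" per finding, where
# issue is no-acl (deny and permit not both set), open-permit (permit covers
# every address) or weak-secret (shorter than the minimum, or digits only).
audit_sip_extensions() {
    awk -v minlen="$MIN_SECRET_LEN" '
        function report() {
            if (sect == "" || sect == "general") return
            if (!(has_deny && has_permit)) print sect, "no-acl"
            else if (open_permit) print sect, "open-permit"
            if (length(secret) < minlen || secret ~ /^[0-9]*$/)
                print sect, "weak-secret"
        }
        /^[ \t]*;/ { next }                      # whole-line comment
        /^\[/ {                                  # new section: flush previous
            report()
            sect = $0; sub(/^\[/, "", sect); sub(/\].*$/, "", sect)
            has_deny = has_permit = open_permit = 0; secret = ""
            next
        }
        {
            line = $0; sub(/[ \t]*;.*$/, "", line) # drop trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "deny") has_deny = 1
            else if (key == "secret") secret = val
            else if (key == "permit") {
                has_permit = 1
                if (val ~ /^0\.0\.0\.0\//) open_permit = 1
            }
        }
        END { report() }
    ' "$1"
}

# Constructed sample in the style of a FreePBX sip_additional.conf.
sample_sip_conf() {
    cat <<'EOF'
[701]
secret=701
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[702]
secret=q7Vn2xL0pRt94sKd
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[703]
secret=Zk31mWc8Yh5uTb6e   ; remote phone, no deny/permit

[704]
secret=Hs82kdPq0LmN4vXy
deny=0.0.0.0/0.0.0.0
permit=0.0.0.0/0.0.0.0
EOF
}

# Demo: list the findings for the sample.
conf=$(mktemp)
sample_sip_conf > "$conf"
audit_sip_extensions "$conf"
rm -f "$conf"
```

The one or two remote extensions with dynamic addresses will show up as no-acl by design; every other no-acl or open-permit line is an extension to lock down.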

If you are unwilling or unable to perform these Baker's Dozen steps while continuing to monitor the sites provided and recheck your setup regularly (at least every week), don't activate unrestricted SIP access to your server.

Other Options. Consider using an intermediate provider such as voip.ms to provide SIP URI access to your server. Keep in mind that having a registered connection between your server and a VoIP provider alleviates the need to punch a hole in your firewall. So the idea here is to sign up for an inexpensive voip.ms account and set up the trunk connection with your server as either an IAX or SIP account with an always-on connection. Then voip.ms gives you the option of activating a SIP URI as part of a subaccount setup. Just create an internal extension on their server, and this will generate a SIP URI, e.g. 123456666@sip.us4.voip.ms where 12345 is your voip.ms account number and 6666 is the internal extension you created. This lets you connect directly with your server through the SIP URI from anywhere once you map this subaccount to an extension or IVR on your server. The charge for SIP URI calls is only $.001 per minute. The last step is to use this SIP URI in your remote SIP phone to connect back to your server. You can take advantage of the full range of Asterisk functions once these calls reach your server including IVRs and DISA. The approach is not only simple to implement, but it's also safe and economical.

There are some other alternatives as well. Use something like Google Voice or Ooma to redirect calls to your cellphone when you're traveling. Or buy an Ooma for Grandma or a MagicJack for Joe College. These options also are safe, secure, and quite inexpensive.

Just Released: Remote Phone Meets Travelin' Man

Activating Inbound SIP on Your Server. If you still are hell-bent on opening SIP access to your server, the Incredible PBX already is preconfigured to support it. Just map the SIP ports on your hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000). Once activated, anyone can reach you through the following SIP URI using the actual public IP address of your server: mothership@12.34.56.78. You also can adjust the e164 trunk in FreePBX to route inbound calls to any destination desired. Then register your phone number on e164.org and others can call you at no cost using your traditional phone number. Enjoy!


The Incredible PBX: Basic Installation Guide

Adding Skype to The Incredible PBX

Adding Incredible Backup... and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Remote Phone Meets Travelin' Man with The Incredible PBX


Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.





  1. We, of course, continue to recommend a dLink Router/Firewall. Low Cost: $35 WBR-2310; Better: DIR-825; Best: DGL-4500
  2. We recommend the free SipAgent client for Android devices and the commercial Acrobits Softphone for iPods and iPads.
  3. Adding an entry like the following would dramatically reduce the likelihood of a SIP attack: -A INPUT -p udp -m udp -s 141.146.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT
