
Travelin’ Man 3: Securing a PBX in a Flash or VoIP in the Cloud Server

UPDATE: Be sure to read about the latest enhancement to Travelin' Man 3 here.

We're big fans of playing with our own VoIP hardware. It has the advantage of allowing the installation of everything behind a secure, hardware-based firewall thereby eliminating almost all of the security issues associated with VoIP telephony. With PBX in a Flash™ and its Zero Internet Footprint™, you can run a secure VoIP server in your home or office with no port exposure to the Internet. This setup, of course, assumes that you have the necessary bandwidth to support Internet telephony and that you possess the necessary skill set to maintain your own Linux® server running Asterisk®, FreePBX®, Apache®, SendMail®, PHP®, and on and on. Not everyone does. And, of course, there are thousands of organizations in which employees and their phones are not colocated with the home office VoIP communications server. And, believe it or not, there are folks that run their VoIP server on the public Internet without any firewall protection. For all of you, today's your lucky day.

Lest you think that we've bitten off more than we can chew, we want to acknowledge the dozens of thought-provoking comments on the PIAF Forums that ultimately led to today's new release. That is the hidden beauty of open source development. So, thank you dad311, atsak, tbrummell, Hyksos, markieb, Ramblin, darmock, lowno, blanchae, bmore, vcallaway, jroper, mag, briankelly63, mbellot, phonebuff, The Deacon, Astrosmurfer, frontline, ou812, LostTrunk, lgaetz, kh40s, rossiv, and all of our other gurus that make the PIAF Forums a great place to learn something new every day.

Thanks to our good friends at RentPBX, who provide terrific technical and financial support to both Nerd Vittles and the PBX in a Flash project, you don't have to roll your own. And your phones can be anywhere because your communications server sits on the public Internet. If cost is a factor or for those outside the United States that need a U.S. presence to take advantage of services such as Google Voice, the $15 a month price point using the PIAF2012 coupon code makes RentPBX more than competitive with what it would cost you in electricity, Internet bandwidth, and hardware resources to do it yourself... minus the headaches. You get a stable PBX in a Flash or Incredible PBX platform from the git-go. In addition, issues of jitter and latency all but disappear from the VoIP equation because you can choose the site of your hosted PBX from a worldwide list of Internet POPs including five regions in the U.S. as well as Canada and Europe. Many sit within a few milliseconds of the Internet backbone.

What you don't have with a hosted PBX solution is a hardware-based firewall sitting between your server and the Big, Bad Internet. With PBX in a Flash, the risk is lessened because the IPtables Linux Firewall is baked into the fabric of PBX in a Flash. For a comprehensive overview of how IPtables works, read this article. It explains IPtables better than any book you could buy.

Today we're pleased to introduce Travelin' Man 3™, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce. We'll quickly cover the mechanics of this new IPtables methodology that allows you to secure your hosted PBX without compromising flexibility. The nitty gritty details of IPtables and firewalls we'll leave for you to explore at your leisure.

And, speaking of leisure, we always get the question: "Have you tested it?" For frequent readers of Nerd Vittles, you already know the answer. We eat our own dog food! In the case of Travelin' Man 3, we gave it a healthy workout just last week from the deck of the Carnival Fantasy as we passed by Cape Canaveral and in Key West with 4G service, and finally in several ports with WiFi access in the Bahamas. The beauty of the new design is you'll know instantly if it's not working because you'll never get your VoIP SIP phone to connect back to your VoIP server. We had zero problems using nothing more than an Android phone for both DynDNS updates and Bria SIP phone service. Being a pioneer isn't always easy, but... Somebody's gotta do it™. 😉

Unlike previous iterations of Travelin' Man, version 3 lets you configure remote phone access from the server and keep one or hundreds of phones in sync even with changing IP addresses using dynamic DNS update software at the sites of the remote phones. Whether the site is a remote office or a floating hotel room, any PC or Mac whether it's a desktop or netbook can automatically manage the dynamic DNS updates while keeping all of the local phones securely connected to the VoIP Cloud. And any jail-broken iPhone can manage the updates as well. With Android phones, it's even better. You have your pick of several great apps: DynDNS Client, Dynamic DNS Client, or Dynamic DNS Updater. We've found the DynDNS Client to be nearly perfect. As we'll explain in a minute, this version of Travelin' Man is not compatible with prior versions so you'll need to choose either the manual methodology of previous iterations or version 3 which does it automagically.

A New Approach to WhiteLists. Our new approach to IPtables is to lock down your server using a WhiteList of safe IP addresses and fully-qualified domain names (FQDNs) that should be given access to your hosted VoIP server. Then we'll periodically check to see if the IP addresses associated with the FQDNs have changed and make the necessary adjustments automatically. If any intruder attempts to access any port on your PBX, their packets are simply discarded by IPtables so the bad guys never know your server exists.

We've experimented with BlackLists for VoIP security, and the bottom line is they just don't work because of inherent problems with reliability and completeness. You spend your entire day updating lists of the bad guys only to discover that they've morphed to thousands of new IP addresses. Think Whack-A-Mole. IP addresses can easily be changed, and zombies have made attacks from third-party PCs a daily occurrence. Earlier this month, Nerd Vittles was hit with a denial of service attack from 30,000+ zombie PCs. This was in spite of the fact that we already block well over 100,000 IP addresses with the world's finest blacklists. Now it's 130,000. Of course, none of the owners of these PCs had any idea how their computers were being used. I'm reminded of a famous judge's secretary who received a knock at her door one Sunday morning from the FBI. They informed her that she was using her computer to host porno movie downloads. I won't offend your tender sensibilities by repeating what she actually told those "young men."

There's also the problem of dynamic IP addresses which means an address that was used by a bad guy yesterday may be handed out by the same ISP to your grandma tomorrow. And it didn't take the bad guys long to poison blacklists with IP addresses that you actually need for services such as DNS or network time services. If you've ever had an IP address that ended up on one of the major blacklists, you know what a hassle it is to get your IP address unBlacklisted. The Soup Nazi has nothing on these folks.

Bottom Line: Public web sites are pretty much forced to use BlackLists because they want their sites to be generally accessible. With a VoIP server, we have the luxury of choice, and WhiteLists are much more effective for server security.

Overview. Our recommended design works like this. Block everything. Then permit packets from known hosts and non-routable IP addresses only, and limit known hosts to only the services they actually need. For example, a VoIP provider such as Vitelity that is providing a DID for your inbound calls doesn't need web access to your server. They need SIP and RTP access. Nothing more. The same goes for a remote user: SIP and RTP access so their SIP phone works. Nothing more. You, as Administrator, need complete access to the server but only from a specific, defined IP address. We, of course, don't want IPtables to have to inspect and filter every single packet flowing into and out of your server because that would bog things down. And we don't want users on your private LAN and remote users with dynamic IP addresses to have to wrestle with updating their phones just to stay connected. So, we've opened up all non-routable IP addresses and, once we've verified that a remote site is authorized access, then subsequent packets flowing into and out of the server for that IP address will be passed along without additional packet inspection. And once we set up the FQDN for a remote user, local dynamic DNS update clients can be used to automate the process of keeping IP addresses current. Then, every few minutes, we'll let your server check whether there's been a change in any users' dynamic IP addresses. If so, we'll simply refresh the IP addresses of all FQDNs using an IPtables restart to bring the phones back to life. To end users, The Phones Just Work™.

Finally, a word about security for VoIP in the Cloud servers. If you run a virtual machine from any hosting provider with wide open access to SIP, IAX, and web services, it's just a matter of time before your server is going to be compromised, period! If you foolishly use credit card auto-replenishment for one or more of your hosting providers then you might as well mail a blank check to the bad guys and wait for them to cash it. Today's tools will take you less than a minute to permanently lock down your server. So... JUST DO IT™.

To give you some idea of how far the Android platform has come, here are a couple screenshots of our Samsung 4G Skyrocket smartphone running three simultaneous VoIP apps all day, every day: Bria SIP extension to our PIAF2 server in Charleston, CSipSimple extension to our RentPBX VM in California, and GrooveIP session with Google Voice. Try that on your 3G iPhone 4S. 😉

We're officially releasing this for RentPBX users running PBX in a Flash or Incredible PBX 3™. These folks have been our pioneers for a very long time, and we like to take care of them first. Properly installed, Travelin' Man 3 should work fine on any PIAF™ or Incredible PBX system. We'll make a backup of /etc/sysconfig/iptables before replacing your IPtables setup with the PIAF default setup. It assumes ALL of your traffic is flowing on eth0. If that's not the case, don't use it without major modifications! We would hasten to add that Travelin' Man 3 is licensed as GPL2 open source software. So it's available NOW to everyone to use or to embellish as they see fit. We hope every provider of VoIP services offering virtual machines in the cloud as well as those without a hardware-based firewall to protect your Asterisk server will take advantage of the opportunity to customize and deploy this code for their particular IPtables environment. To paraphrase Bill Clinton: "It's your phone bill, stupid!"

Deploying Travelin' Man 3. Here's how to deploy Travelin' Man 3 on your server. In Step #1, we run secure-iptables. This locks down virtually all IP ports and services in the original IPtables configuration for PBX in a Flash to either the IP address or the FQDN of the administrator. Be advised that this setup uses the default ports for all PIAF services, e.g. SSH, WebMin, HTTP, etc. If you use custom ports, you'll need to modify the script accordingly. If the administrator is on the move or has a dynamic IP address on his or her desktop or notebook PC/Mac that will be used to administer the cloud server, then use an FQDN, not a static IP address, when you run secure-iptables.

Step #2 is automatic and is part of secure-iptables. It opens SIP and IAX port access for "trusted providers" such as Google, Vitelity, etc. This is covered in detail below. We also open accessibility from non-routable IP addresses. You obviously can close or limit private LAN access, if desired. We included it for the benefit of those running and administering PBX in a Flash on private LANs where internal security is not a concern.

In Step #3, we'll let you set up additional access for other providers, users, and phones. You get your choice of up to 9 separate services in addition to the whole enchilada, and each account gets a name and a file to keep track of the latest IP address entry: somename.iptables. These are stored in /root. Don't delete them! New accounts can be added using either a static IP address (add-ip) or an FQDN (add-fqdn). These accounts also can be deleted whenever necessary (del-acct). You can rerun secure-iptables whenever you like, but it automatically deletes all custom user accounts. Here's the list of services from which to choose. Mix and match as desired to meet your own requirements.

0 - All Services
1 - SIP (UDP)
2 - SIP (TCP)
3 - IAX
4 - Web
5 - WebMin
6 - FTP
7 - TFTP
8 - SSH
9 - FOP

Just a word of caution. IPtables stores its setup in /etc/sysconfig/iptables, but it actually runs from an image in memory on your Linux server. As part of the load process, IPtables converts all FQDNs stored on disk to static IP addresses. This speeds up firewall processing enormously. While it's possible to add IPtables rules in memory without writing them to disk (as in the original Travelin' Man design), don't do it with Travelin' Man 3! You will lose these settings whenever IPtables is restarted by running any of the above scripts or whenever a refresh of FQDN IP addresses becomes necessary. Whatever you do, never ever run the command: service iptables save. This command is used to write the IPtables entries in memory to disk. In doing so it writes only static IP addresses to disk. This will erase (a.k.a. ruin) your Travelin' Man 3 FQDN setup and force you to start over with Step #1. Otherwise, none of your FQDNs would ever get refreshed because they've all disappeared and become static IP addresses.

IPtables also has a major shortcoming IMHO. We support FQDNs in IPtables to make it more flexible. However, a failed FQDN during an IPtables restart will cause IPtables not to load at all. We have worked around this by adding our own restart command which you should always use: iptables-restart. You've been warned.

Locking Down Your Server. While there's still time, let's spend a minute and lock down your server to the public IP address of the PC that you use to administer the system. If you don't know the public IP address of the desktop machine you use to manage your server, then click on this link using a browser on that machine, and our web site will tell you the IP address.

Now log into your virtual machine as root using SSH and issue the following commands:

cd /root
wget http://incrediblepbx.com/travelinman3.tar.gz
tar zxvf travelinman3.tar.gz
yum -y install bind-utils
./secure-iptables

When prompted for the FQDN or IP address of your Administrator PC, use the FQDN if you have one. Otherwise, type in the IP address and press the Enter key. Agree to the terms of service and license agreement by pressing Enter. When the IPtables file displays, verify that you have typed your FQDN or IP address correctly, or you will lock yourself out of your own server. Press Ctrl-X to exit the editor, and then press Enter to update IPtables and save your new configuration.

NOTE: If you are running PBX in a Flash in a cloud environment, be sure to add an entry to Travelin' Man 3 with the IP address of your cloud server. ifconfig will tell you what the IP address is. To add the entry, issue the command: /root/add-ip cloud 12.34.56.78 using your actual cloud IP address.

WARNING: If you use an FQDN for your Administrator PC and it points to a dynamic IP address, be sure to also add this same FQDN using add-fqdn. Otherwise, IP address changes will not be detected, and you may lock yourself out of your own server.

Nobody can access your server except someone seated at your PC or on your private LAN with your login credentials. You can repeat this process as often as you like because each time the script is run, it automatically restores your original IPtables configuration. Now let's grant access to your SIP providers and those using remote SIP or IAX phones.

Using DynDNS to Manage FQDNs. The key ingredient with Travelin' Man 3 is automatic management of dynamic IP addresses. When a user or even the administrator moves to a different location or IP address, we don't want to have to manually adjust anything. So what you'll first need is a DynDNS account. For $20 a year, you can set up 30 FQDNs and keep the IP addresses for these hostnames current 24-7. For $30 a year, you can manage 75 hostnames using your own domain and execute up to 600,000 queries a month. That's more than ample for almost any small business but, if you need more horsepower, DynDNS.com can handle it. What we recommend is setting up a separate FQDN for each phone on your system that uses a dynamic IP address. This can include the administrator account if desired because it works in exactly the same way. When the administrator extension drops off the radar, a refresh of IPtables will bring all FQDNs back to life including the administrator's account. Sounds simple? It is.

Preparation. Before we make further modifications to IPtables in Step #3, let's make a list of all the folks that will need access to your VoIP Server in the Cloud. For each entry, write down the name of the person, server, or phone as well as the type of entity which needs server access. Then provide either the static IP address or FQDN for each entry. If one or more of your IP addresses are dynamic (meaning the ISP changes them from time to time), we'll cover managing dynamic IP addresses in a minute. For now, just make up a fully-qualified domain name (FQDN) for each dynamic IP address using one of the available DynDNS domains. For static IP addresses, use the FQDN or the IP address. HINT: FQDNs make it easy to remember which entry goes with which provider.

Make a list of your providers NOT in this list: Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. The providers listed above are already enabled in the secure-iptables setup script. We call them Trusted Providers only because we trust them and have personally used all of them. We consider them reliable folks with whom to do business. It doesn't mean others aren't. It simply means these are ones we have tested with good results over the years. The only providers you'll need to add are ones we haven't provided. Also be sure to check whether the FQDNs of the providers above cover the server for your account. If not, you'll need to manually add those FQDNs as well. Keep in mind that trusted providers will have full SIP and IAX access to your server so stick with tried-and-true providers for your own safety. The PBX in a Flash Forum and DSL Reports are good sources of information on The Good, The Bad, and The Ugly.

Finally, list with a name each phone that will be connected to an extension on your server. If you have 10 traveling salesmen, then you might want to name them all by last name and also provide FQDNs with their last names, e.g. smith.dyndns.org and jones.dyndns.org. No spaces or punctuation in names or FQDNs! We strongly recommend using FQDNs wherever you can because it means zero work for you when a provider changes an IP address. Here's the table we use:

Name | Type (Person, Provider, Server, Phone) | IP Address Type (Static or Dynamic) | FQDN or IP Address | Services Desired (SIP, IAX, Web, FTP, SSH, etc.)

Step #3: Adding Authorized Users. Now take your list and add each account to your server while logged in as root and positioned in the /root directory. For static IP addresses, use add-ip. For dynamic IP addresses and FQDNs, run add-fqdn and plug in the FQDN for each account. When one of your accounts needs to be removed, just run del-acct from the /root folder on your server and plug in the name of the account to delete. If a user changes from a static IP address to a dynamic IP address or vice versa, just delete the user and then add them again with the new IP address or FQDN. All of the accounts are stored in /root and have names like this: name.iptables.

Step #4: Setting Up DynDNS Client Updates. There are actually two pieces in the Dynamic DNS update puzzle. At the end-user side, you need to deploy a DynDNS update client on the same subnet as the phone of your user. See the links above to download the update software you prefer. In the case of cellphones with SIP phone capability, this could be as simple as installing the DynDNS update client directly on the phone itself. Plug in your DynDNS credentials as well as the FQDN associated with the particular phone, and the rest is automatic.

Step #5: Setting Up IPtables Auto-Refresh. Finally, we need a way for your server to discover when a refresh of FQDNs becomes necessary because someone's IP address has changed. The simplest way to do this is to automatically run a simple script (ipchecker) that polls the DNS authoritative server to determine whether the dynamic IP address associated with an FQDN has changed. If so, we'll update the account.iptables file to reflect the new IP address and then restart IPtables. This will refresh all IP addresses associated with FQDNs. If all or most of your users spend time sleeping each day, you may wish to run the script only during certain (waking) hours of the day so your server has less of a load. The other consideration is how often to check. The guideline here is how long can any user live without their SIP phone being connected to your server. 10 minutes may be reasonable for some. 60 minutes may suffice for others. For us, it's 3 minutes. It's your choice. The way Travelin' Man 3 works is, whenever at least one account has an IP address change, it will trigger a restart of IPtables to do an IP address refresh for all of the FQDNs.

The top of the ipchecker script in /root looks like this:

#!/bin/bash

# Insert the account filenames to be checked below
# Remember to increment the account[#] for new entries

account[0]=larry.iptables
account[1]=curly.iptables
account[2]=moe.iptables

# ipchecker (c) Copyright 2012, Ward Mundy & Associates LLC.

You'll need to edit the script (nano -w /root/ipchecker) and modify the account[n] entries near the top to reflect the actual FQDN account names you've created on your server that are associated with dynamic IP addresses only. You don't want to monitor accounts with static IP addresses or FQDNs that never get updated. When those extensions are off-line, it's not because their IP address changed, and restarting IPtables won't really help to improve the situation. Be sure to increment the account[n] array for each new account that you want to monitor and use the exact format shown in the example above. Before you enter an account in the script, display the contents of the file using cat /root/accountname.iptables. Make certain that the file includes BOTH an FQDN, then a space, and then an IP address. If not, delete the account (del-acct) and add it again using add-fqdn.

Once you've entered all of your accounts with dynamic IP addresses, save the script: Ctrl-X, Y, then Enter. Run the script manually now to be sure it works as you intended: /root/ipchecker. Be advised that typos that list accounts that don't exist will cause problems. Error checking consumes processing cycles by requiring additional queries so we've left it out. That means it's solely up to you to check your account names for accuracy. And, remember, only include accounts that have dynamic IP addresses with FQDNs.
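The change check described in Step #5, written out with the error checking that ipchecker leaves out, as an added example that is not the project's ipchecker script. It assumes each account file holds a single "FQDN IP" line as described above; the function names, status codes and example.org hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's ipchecker: detect address changes for FQDN
# whitelist accounts, with the input validation the page says ipchecker omits.
# Assumption: each account file is one line, "FQDN IP", as the page describes.

# Default resolver: first IPv4 answer from dig (bind-utils). Redefine this
# function to test offline, as demo() does.
resolve_fqdn() {
    dig +short "$1" A 2>/dev/null | grep -E '^[0-9.]+$' | head -n 1
}

# Succeeds only for a dotted quad with every octet in 0-255.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Succeeds only for a dotted hostname made of letters, digits, '.' and '-'.
# Rejecting a leading '-' keeps a corrupted file from injecting dig options.
is_hostname() {
    case $1 in
        ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# check_account FILE
# Status: 0 unchanged, 10 changed (FILE rewritten), 2 missing or malformed
# file, 3 lookup failed or did not return an IPv4 address (FILE untouched).
check_account() (
    file=$1
    [ -r "$file" ] || exit 2
    read -r fqdn old_ip extra < "$file" || [ -n "$fqdn" ] || exit 2
    is_hostname "$fqdn" && is_ipv4 "$old_ip" && [ -z "$extra" ] || exit 2
    new_ip=$(resolve_fqdn "$fqdn")
    is_ipv4 "$new_ip" || exit 3
    [ "$new_ip" = "$old_ip" ] && exit 0
    # Write to a temp file and rename so a crash never leaves a partial entry.
    printf '%s %s\n' "$fqdn" "$new_ip" > "$file.new" || exit 2
    mv "$file.new" "$file" || exit 2
    exit 10
)

# refresh_accounts FILE...
# Prints "changed: FILE" per updated account, then "changed=N failed=M".
# Returns 10 when at least one address changed (a firewall reload is due).
refresh_accounts() {
    changed=0 failed=0
    for f in "$@"; do
        st=0
        check_account "$f" || st=$?
        case $st in
            0)  ;;
            10) changed=$((changed + 1)); echo "changed: $f" ;;
            *)  failed=$((failed + 1)); echo "skipped (status $st): $f" >&2 ;;
        esac
    done
    echo "changed=$changed failed=$failed"
    [ "$changed" -eq 0 ] || return 10
}

# Offline demo with constructed data: a stub resolver and three account files.
demo() (
    dir=$(mktemp -d) || exit 1
    resolve_fqdn() {
        case $1 in
            smith.example.org) echo 203.0.113.7 ;;    # address has moved
            jones.example.org) echo 198.51.100.20 ;;  # address unchanged
        esac                                          # anything else: no answer
    }
    echo 'smith.example.org 192.0.2.10' > "$dir/smith.iptables"
    echo 'jones.example.org 198.51.100.20' > "$dir/jones.iptables"
    echo 'gone.example.org 192.0.2.99' > "$dir/gone.iptables"
    refresh_accounts "$dir"/*.iptables || echo "reload needed (status $?)"
    cat "$dir/smith.iptables"
    rm -rf "$dir"
)

# With file arguments, check them using dig; with none, run the offline demo.
if [ $# -gt 0 ]; then
    refresh_accounts "$@" || echo "address change detected: run iptables-restart"
else
    demo
fi
```

An account whose lookup fails keeps its last known address on disk and is counted as failed rather than changed, so a DNS outage or a mistyped account name does not trigger a firewall reload.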

Step #6: Automating FQDN Refreshes with Cron. Finally, you'll need to add an entry to the bottom of /etc/crontab using nano. If you wanted the script to run 24 hours a day at 10 minute intervals, here's the command:

*/10 * * * * root /root/ipchecker > /dev/null

If you wanted the script to only run between the hours of 8 a.m. and 9 p.m. (server time zone) at 10 minute intervals, then you'd use something like this:

*/10 8-21 * * * root /root/ipchecker > /dev/null

On our RentPBX complimentary account which we use while traveling, we actually set the interval to 3 minutes. Since the DNS lookups use dig, changes on Android phones using the DynDNS client are almost instantaneous even with automatic switching between WiFi and cellular service. Finally, be sure to type date on your server and verify which time zone your cloud server thinks it's in! Adjust the times in /etc/crontab accordingly.

Be sure to check back here periodically for updates and follow the latest happenings about Travelin' Man 3 in this thread on the PIAF Forums. Enjoy!

Originally published: Thursday, March 29, 2012   Updated: April 19, 2014

UNLESS YOU DISCONTINUE USING FQDN'S WITH IPTABLES, IT IS ABSOLUTELY ESSENTIAL THAT YOU MONITOR YOUR SERVER DAILY IF YOU ARE RELYING EXCLUSIVELY UPON IPTABLES AS YOUR FIREWALL PROTECTION MECHANISM AND YOU ARE USING FQDN'S AS PART OF YOUR CENTOS SECURITY METHODOLOGY!





The Perfect Threesome: iNum + VoIP.ms + Google Voice

We’ve got a terrific new VoIP development for you today especially for those who travel internationally. For several years, a VoIP company called VoxBone has been pushing hard to establish an International Number™ (iNum™) for every phone on the planet so that every telephone could call every other telephone at little or no cost. They’re not quite there, but two recent events will certainly hasten the implementation. The first was an announcement from VoIP.ms that they would provide a free iNum DID and free iNum calling to every one of their customers with a credit balance in their account. The second was last week’s announcement from Google that they, too, would support free iNum calling worldwide using any Google Voice account. Today, we’ll show you how to take advantage of these two developments to begin making free calls worldwide using your PBX in a Flash™ server, a WiFi-enabled smartphone, and an available WiFi connection. Basically, the plan is to use free iNum calling to get back to your PBX for dial tone and then use DISA for free Google Voice calling in the U.S. and Canada.

Until everyone has an iNum or Google opens up Google Voice outside North America, the hidden beauty of iNum for those of us who have both is the cost savings that can be achieved by phoning home with iNum from anywhere in the world for free. And, once the call hits your Asterisk® PBX, it’s incredibly simple to route the call to DISA, prompt for a password, and then place a call to anywhere in the U.S. or Canada at no cost with PIAF2™ and Google Voice.

This can be accomplished in several ways. First, you can download a SIP phone and use it in conjunction with your VoIP.ms account and a smartphone to make free iNum calls from any WiFi hotspot in the world. Bria is our favorite on both the iPhone/iPad and Android platforms. If $10 is too rich for your blood, there are some free alternatives: CSipSimple for Android and 3CXPhone for Android or iPhone. A second alternative is to use Google Voice or Gtalk to connect back to your PIAF2 server via iNum and then use DISA and your local trunks to place outbound calls. A final alternative is to take advantage of the numerous local numbers now available in many countries to phone home using iNum. The only cost of these calls is the cost associated with calling the local number. You’ll find a list of the local phone numbers to make these calls on the iNum web site or in the footnote to this article.[1] So today we’ll show you how to set up your PIAF2 server to support free iNum calling. It’s a 15-minute project.

VoIP.ms Setup. To get started, if you’re not already a customer, register for a voip.ms account by filling out their registration form.

Once you submit the form, you’ll have to confirm your registration by clicking on the link that is emailed to you. Then you’re ready to login with your email address and the password you set up when you created your account. That’ll bring you to the Main Portal Page for your new voip.ms account.

You’ll need a positive balance in your VoIP.ms account in order to create your free iNum account so deposit some money using PayPal or a credit card by clicking Finances, Add Funds. The minimum deposit is $25 which can be used to make penny a minute calls in the U.S. and Canada or equally reasonable calls to any phone number in the world. We won’t be doing any of that today. For today, all of our calls will be free thanks to iNum and the generous support of VoIP.ms. But the nest egg will be there as a backup to your other PIAF2 VoIP providers which is an excellent idea anyway.

Like Vitelity, VoIP.ms lets you create subaccounts to compartmentalize your VoIP services. This makes it easy to use VoIP.ms on multiple PIAF2 servers or even standalone SIP telephones. It also provides added security by separating out account names and passwords for VoIP services from your main VoIP.ms portal account that lets you manage your settings and VoIP funding, a very good idea. So let’s first set up an account to use with Asterisk just to show you how easy it is.

From the Main Portal Menu, click on Subaccounts, Create Subaccount. The Subaccount creation form will display. Fill it out so it looks something like this.

Once you’ve clicked the button to create the subaccount, it takes about a minute for voip.ms to activate it. Then click Main Menu, Portal Home. The bottom of the portal page will now show your subaccount.

Let’s create one more subaccount. We’ll use this one so that we can access VoIP.ms from a standard SIP app running on our iPhone or Android device. We can use the subaccount either to make outbound calls directly from VoIP.ms on a pay per minute basis, or we can use it to make free iNum calls. To create the subaccount, repeat the process above and fill in the blanks using your own credentials and a very secure password. Be sure to choose ATA device, IP Phone or Softphone for the Device Type. We always leave International Calls Disabled unless we really plan to make international calls. This will not affect your ability to make iNum calls, and it reduces your financial exposure in the event your subaccount is compromised. Never, ever use auto-replenishment from your credit card on a VoIP provider account from any provider.

Before we get too far along, let’s activate your new iNum DID. Click on DID Numbers, Order DID. When the DID Order Form displays, click on the iNum link to order your free iNum DID.

When the iNum DID order form displays, fill out the form by clicking on the POP location nearest to your server. Then, in the SIP/IAX Routing column, be sure to select the Subaccount we created previously rather than the default Main Account. Finally click the Click Here to Order button.

You’ll get a Confirmation display that shows your new iNum DID. Write it down! We’ve already set up the proper routing for your new iNum DID in the previous step so you can ignore the Managing Your DID message.

That completes the setup of your VoIP.ms account with your free iNum DID. Now let’s configure your PBX in a Flash server to support VoIP.ms and iNum. We’re assuming you already have a PBX in a Flash server configured with at least one Google Voice account activated. If not, stop here and complete that step using the PIAF2 tutorial and optionally the Incredible PBX 3 and Incredible Fax 2 tutorial.

Smartphone SIP Client Setup. We used the free cSipSimple Android app to set up a connection with our second subaccount at VoIP.ms using cSipSimple’s Basic Setup Wizard. Here are the entries required to gain connectivity:

Once your SIP client is connected to VoIP.ms through your smartphone, you can make free iNum calls using this dial syntax: 0118835100xxxxxxxx where xxxxxxxx is the last 8 digits of your iNum beginning with 0. As noted previously, you do NOT have to enable international calls on your VoIP.ms subaccount for these calls to go through.

PBX in a Flash iNum Setup. We’ll be using the FreePBX GUI to configure PBX in a Flash to support iNum. Using your browser, log into the IP address of your server: http://ipaddress/admin. When prompted for your username and password, use maint and whatever FreePBX password you assigned when your server was set up.

To simplify things, we’re going to set up 2 trunks: one for your VoIP.ms subaccount and another for iNum. Begin by choosing Trunks, Add SIP Trunk in the FreePBX GUI. For Trunk Name, use voipms. For Maximum Channels, choose 2. For the Dial Pattern, enter 1 | NXXNXXXXXX and, in Outgoing Settings for the PEER Details, enter the following using your subaccount name and password as well as the POP you chose for your subaccount:

canreinvite=yes
nat=yes
context=from-trunk
host=atlanta.voip.ms
secret=subacctpw
type=peer
username=137786_myinum
disallow=all
allow=ulaw
fromuser=137786_myinum
trustrpid=yes
sendrpid=yes
insecure=invite
qualify=yes

Leave all the fields for Incoming Settings blank. For the Registration String, the syntax is subacctname:subacctpw@atlanta.voip.ms:5060/8835100xxxxxxxx. Using our example and assuming you’re using the Atlanta POP, the entry would look like this where xxxxxxxx is your own 8-digit iNum beginning with 0:

137786_myinum:secretPassword21@atlanta.voip.ms:5060/8835100xxxxxxxx

Verify that your server got a successful registration with your VoIP.ms subaccount by clicking Tools, Asterisk Info, SIP Info.

Now click Setup, Trunks, Add Custom Trunk. For Trunk Name, use iNum. For Maximum Channels, choose 5. For Dial Pattern, use 0XXXXXX. including the period! For Custom Dial String, use SIP/0118835100$OUTNUM$@voipms.

Next, we need to create an Inbound Route. Use your full iNum DID number in the DID Number field, e.g. 8835100xxxxxxxx where xxxxxxxx is your personal iNum beginning with a 0. Activate CallerID Superfecta for the CID Lookup Source. And choose a Destination for the incoming iNum calls. This could be an extension, an IVR, or whatever else you’ve set up on your server. For now, route it to a working extension on your PBX so we can test it below. Then you can edit the inbound route and change it to any destination.

Finally, create an Outbound Route. Name the route OutiNum. For the Dial Pattern, use 0XXXXXX. with the trailing period. For the Trunk Sequence for Matched Routes, choose iNum. After you save the trunk settings, move it to the top of your trunk listing in the right column of FreePBX. What this route does is allow you to call other iNum numbers (including your own) by simply dialing the last 8 digits of any iNum that begins with 8835100 or 0118835100. These 8 digits will ALWAYS begin with a 0.

Now let’s modify at least one of your existing Google Voice Outbound Routes so that you also can make iNum calls with Google Voice by dialing from any extension using the full 8835100xxxxxxxx international number. Go to Outbound Routes and click on the name of one of your Google Voice trunks. Add the following new Dial Pattern and click Submit Changes: 8835100XXXXXXXX

Taking iNum for a Spin. To test things out, use a phone connected to an extension other than the one you chose to route incoming iNum calls to above. Dial the last 8 digits of your own iNum DID, and that extension should begin ringing. Answer the other extension and make sure you have audio in both directions. Next, dial your complete iNum DID beginning with 8835100. This should also cause the other extension to ring even though the call was initiated through your Google Voice trunk. If you’d like to get a Weather Report by Zip Code, we’ve set up an iNum for you to try. Just dial 09901997.
Enjoy!

Originally published: Monday, February 27, 2012




Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


Some Recent Nerd Vittles Articles of Interest…

  1. Local iNum Access Numbers include the following: []

Tips, Tricks & Apps to Get the Most Out of Your iPad 2

Rather than providing another glowing review of the iPad 2®, we thought it might be more helpful to sketch out the daily use potential of this incredible device based upon our experience and that of our 10-year old daughter. Yes, we’re one of the 30% who purchased an iPad 2 having already owned a number of first generation iPads. With double the RAM and nearly double the processing power of the first generation device, the one cautionary note that potential purchasers should heed is don’t buy the $499 model. Our daughter has survived a year with a $499 iPad only to find it completely full when she attempted to load Garage Band. And you will want Garage Band which is a storage hog by iPad standards. That’s not to suggest that Katherine’s iPad hasn’t served her well. She has almost 150 applications plus substantial collections of photos and music. What she doesn’t have is movies and video clips. With the addition of two cameras on the iPad 2 as well as Camera, AutoStitch, Movie, and Photo Booth apps and once you see what’s possible with iMovie, you’ll be begging for more storage capacity. Keep in mind that your storage capacity choice is irrevocable! There’s no way to add more storage later unless you buy a new device. And there’s no external storage other than removing apps and data through the iTunes interface. Perhaps more than anything else, that’s why the absence of a microSD slot on the iPad 2 is both a significant shortcoming and a huge disappointment.

The other suggestion we would offer to first-time iPad 2 purchasers is this. Get organized early. What we mean is decide early on how you’re going to use the 10 screens to organize your applications. Before the year is out, you will use all 10 screens assuming your bank account survives. At least now you can also create folders within a screen if you run out of room. Here’s our methodology, and it has served us pretty well. Screen 1 is reserved for the apps we use every day. The other screens are reserved for categories of applications: business, news and books, social, drawing and graphics, music, games, location-based services, and system/network management. If you’re a big gamer, artist, or musician, you may want to reserve two screens for your favorite category. The point is to spend a little time up front deciding how to organize applications. And, fortunately, you can move things around with the iTunes interface down the road so long as you leave one screen available for reorganizing.

You can also place six apps at the bottom of the display, and these are accessible from all 10 screens. Here’s where you’d want your browser, email or Gmail buttons, App Store, and Settings. That leaves you two more must-have apps. If you play music all the time, you’d probably want the iPod app. If you look at Photos all the time, you’d want the Photo app. But you get the idea, use Screen 1 for Daily Use Apps and the 6 bottom slots for your must-have at all times apps. If you don’t heed this advice, then you’ll find yourself having to search for apps on Screen 0 every time you want to use an application.

Favorite Apps. That brings us to our favorite apps. For ease of reference, we’ll cover these in the same way they are organized on our iPad 2. And, we’d love to hear about your favorite apps, too. Just post a comment. In the Daily Use category, here’s our list:

Calendar
Contacts
Mail
Maps
Videos
FaceTime
Camera
Photo Booth
EyeTV
YouTube
Hulu Plus
SlingPlayer
NetFlix
Bria
Travelin’ Man
OBiON
Pandora
Pulse News
Flipboard
iSWiFTER
 

Most of the above applications are self-explanatory, but we’ll mention a few. If you have a Mac, then EyeTV is a must-have addition. It lets you play and record all your favorite TV shows. Removing commercials from a one-hour show is about a 2-minute click-and-drag operation. And it’s incredibly easy to export your favorite recordings in either iPhone or iPad format. So long as iTunes is running on your Mac desktop, you can play your recordings or live TV at any time using either a WiFi or 3G network connection. SlingPlayer does much the same thing (only worse) with no recording capability, but it works with Windows machines as well as Macs, and it’s a standalone device. The Netflix app lets you stream movies and TV shows to your iPad for $7.99 a month, and it supports 6 simultaneous devices including many current generation HDTVs. OBiON is the VoIP app that lets you make free Google Voice calls in the U.S. and Canada using your $49 OBi device. You can read all about it here. If you have an Asterisk® PBX, then you’ll want Bria and our Travelin’ Man app for secure, remote, and free SIP communications. Finally, there’s the new iSWiFTER app which brings Flash video back from the dead on the iPad platform. It’s free for a limited time and, believe it or not, it’s available in the App Store.

Books & News. We spend every morning at the breakfast table with the Books & News page on our iPad. Here’s our list:

Kindle
iBooks
Friendly (Facebook)
Twitterific
AccuWeather
ABC News
ABC Player
CBS News
CNBC RT
CNN
Huff Post
Newsy
NYTimes
News Pro
USA Today
WSJ
Wash Post
The Daily
TV Guide
Tweetdeck
 

We don’t watch much Faux News which has become more akin to Incitement TV. We really hoped The Daily would be different. It’s not. But… to each his own.

Business Apps. This is kind of a catch-all page for stuff we use frequently as well as some apps we’ll probably never use again. Here’s our list:

iMovie
Keynote
Pages
Notes
Bento
Sorted
2Do
Todo
Zenbe Lists
Voice Memos
aNote Lite
Dictation
Due
FlipTime XL
MobileNoter
Pad Info
PaperDesk LT
News Rack
GoodReader
textPlus
 

Of all the ToDo applications that are available (and we’ve tried most of them), we like Todo the best. But, for quick reminders, you can’t beat Due. GoodReader, Keynote, and Pages are must have business apps, and iMovie is every bit as good as the app on the Mac. It’s about perfect for an on-the-go, need-it-in-a-hurry project.

Navigation & Wi-Fi Apps. When we’re on the road or looking for a WiFi Hot Spot or good place to eat, here’s our list:

CoPilot HD
Charts & Tides
Navionics Marines
ShipFinder HD
GPS Drive HD
GPS HD
Hurricane HD
UrbanSpoon
Epicurious
Where To Eat
ZAGAT
Zillow.com
WiFiGet HD
Dash Four
Mifi
World Atlas
Skobbler
SpeedBox
WiFon
Trapster
 

GPS navigation on the roads is hit and miss on the iPad. Nothing comes close to Google Maps navigation. CoPilot could be a contender except for the outdated maps and copy protection paranoia. On the water, both Charts & Tides and Navionics Marine are fantastic. We compared both of them to a $10,000 Nav system on a very fine boat only yesterday. There was virtually no difference in the information available with the exception of the radar-enhanced features. If you’re always shopping for real estate, there is no finer app than Zillow, period. If you’re into fast cars, there is no finer app than Trapster.

Games. Last but not least, everybody needs a diversion once in a while. Here’s a list of some of our favorite iPad games:

Game Center
GearedHD
Frogger
Foosball HD
AirCoaster
Angry Birds
Asphalt 5
JirboBreak
Doons HD
ElectroRacer
FarmVille (WAF)
Hit Tennis 2
iFooty
Pac-Man
Pinball HD
RealRacing HD
RealRacing GTI
Snowboarding
Checkers HD
Wacky Circus HD

 

This will probably be the category that changes the quickest with the new lightning-fast graphics and dual core processor on the iPad 2. Stay tuned!

Originally published: Monday, March 14, 2011



2010 Bargain of the Year: Nortel 1535 Color SIP Videophone

We try not to get overly excited by new discoveries, but once in a while there comes along a VoIP deal that probably never will be repeated. Now’s the time. Here are a Baker’s Dozen reasons why you should buy a boatload of these Nortel IP 1535 phones before they’re all gone. Just make a bid of ~$60. We’ve given you a hint below on the going rate. 😉

WARNING: There are reports that some of the phones from various merchants do NOT include WiFi even though the ad may say otherwise. If you need WiFi, be sure to carefully read the merchant’s ad AND verify that the phone you are ordering has WiFi before purchasing.

  • Nortel’s top-of-the-line $700 phone can be had for about $60
  • SIP-compatible and works with Asterisk® and sip2sip.info among others
  • H.263-compatible color videophone works flawlessly
  • Wired and 802.11 b/g WiFi is easily configured
  • Supports both U.S. and European power cords out of the box
  • Speakerphone rivals the best speakerphones on the market
  • Integrated apps include browser, email, calendar
  • Music and video storage supported using SD/MMC cards
  • Configurable voicemail button for easy access to any mailbox
  • Language support for English, French, Spanish, German and more
  • Tons of integrated multimedia capabilities
  • Robust STUN and proxy support so they work from anywhere
  • One year warranty on the phones from the eBay merchant

Connectivity Options. Once you have your phones, there are almost limitless SIP connectivity options including direct connections to many of our favorite providers: Vitelity, voip.ms, Future Nine, and Axvoice. But today we want to address two other connectivity options: sip2sip.info or as an Asterisk extension on your PBX in a Flash system, both of which give you color videoconferencing out of the box.

Using sip2sip.info with the Nortel 1535. If you haven’t discovered sip2sip.info, it’s one of the few VoIP freebies left in the universe. By simply providing your name and email address, sip2sip.info will give you a free SIP URI that lets anyone on the planet call you via SIP at no cost. In addition, all calls to numbers registered with ENUM are free as well. For example, to call numbers in the U.S. listed with e164.org, just dial 001NXXNXXXXXX. You can talk as long and as often as you like. The call can be pure audio, or it can be an H.263 video call. It’s simple to set up and use. And, once you have your phone configured with sip2sip.info, it’s incredibly easy to add a free DID from IPkall and then a free local DID from Google Voice. Then, presto, you have a local phone number for inbound calls that will never cost you a dime. If you make most of your outbound calls from a cellphone, then this is a perfect solution for a free home telephone number where anyone can reach you. And it includes a free voicemail account that will deliver the voicemails to your registered email address whenever you miss a call. We actually travel with one of these phones preconfigured with a local number in our favorite towns. When we go to a different place, it’s easy to change the local phone number. Update: You also can obtain a free SIP URI from GetOnSIP.

There’s only one trick to the sip2sip.info setup. Once your credentials are emailed to you, log into your account and change your password to a very secure but all-numeric password.

Using Asterisk with the Nortel 1535. We have a personal preference for Asterisk, and it’s a perfect fit with these phones. Just add these entries to sip_general_custom.conf in /etc/asterisk, and video support comes to life in all versions of PBX in a Flash once you restart Asterisk:

rtptimeout=120
videosupport=yes
allow=h263

Then you’re ready to set up your extensions to support the Nortel 1535. Here are the settings we use, and they work equally well with the X-Lite 4 client if you’d like to try some test video calls on your server:

dtmfmode=rfc2833
canreinvite=yes
context=from-internal
host=dynamic
type=friend
nat=yes
port=5060
qualify=yes
disallow=all
allow=h263,ulaw,gsm

Configuring the Nortel 1535. All of the manuals for these phones still can be downloaded from Nortel’s web site. With the exception of the early phones which were configured for Turkey, here is the setup that works for us with sip2sip.info and Asterisk. Our special thanks to the dozens of gurus on the PBX in a Flash Forum who assisted with sorting all of this out. If you get stumped on any of this, the thread link provided has loads of additional information.

The two buttons at the top of the phone do most of the heavy lifting. The left one is the equivalent of the Enter key on a keyboard. The right one is the Back key. The other two keys of importance are * and #. * is used to enter special characters such as the period, slash, etc. # is used to change the keyboard type: ABC, Abc, 123, etc. Be sure you always have the correct keyboard type for the type of data you are entering. Pressing the Green button twice redials the last number called. The function key to the right of the number 3 connects you to voicemail. The function key to the right of the number 6 accesses the web browser.

Before you can configure the phone, you have to log in as Admin (Menu, Settings, System Settings, Admin, Login). The password is 1234. Then back out one level and set your Date/Time preferences. The most important one is to enable Network Time. For the Server Setting, enter time.nist.gov for a reliable NTP server. Then back out a level and choose Enable.

You’ve got to set up network connectivity before the phones will work obviously. They come preconfigured for a wired connection with DHCP support. That’s a good way to begin. Once everything is working reliably, you can switch to WiFi if desired. The only trick to WiFi is that you need to set your WiFi Type (Menu, Settings, Profile, WiFi, Settings, Wireless Settings, Authentication, Type) and then the WiFi Password for the chosen type before choosing your WiFi network (Menu, Settings, Profile, WiFi, Settings, Wireless Settings, WiFi Scanning). Once you have those set up, back out one level and choose Apply. Then back out one more level and choose Enable. You’ll be prompted to confirm you wish to restart the WiFi network. Then you’re all set.

Now you’re ready to configure your VoIP settings (Menu, Settings, VoIP Settings). Start with the domain of your server: sip2sip.info or the FQDN of your Asterisk server (Menu, Settings, VoIP Settings, Misc., Domain Name). While still in Misc., adjust the Codec Priority for video (Menu, Settings, VoIP Settings, Misc., Codec priority, Video). Choose First and change it to None. Choose Second and change it to H.264. Then choose First again and change it to H.263. Asterisk only supports H.263 so it has to be the first priority, or video won’t work. Then back out until the top left of the screen shows VoIP Settings. Choose User Information and enter your username for Username, Display Name, and Authentication name. For Asterisk, it’s your extension number. For sip2sip.info, it’s your 10-digit number beginning with 223. Enter your account password for Authentication pwd. Back out to VoIP Settings and enter the IP address of your server for Proxy, Proxy Address. For sip2sip.info, it’s 81.23.228.129. For Asterisk, it’s the public IP address of your server. While still in Proxy, choose STUN. For STUN Server IP Address, enter 75.101.138.128. Then Enable the STUN Server. Finally, back out to VoIP Settings again and choose Registration. Set the Expiry Timer to 3600. Then choose Register to connect your phone to your desired server. Done!

Using sip2sip.info with Asterisk. We were so impressed with the simplicity and functionality of sip2sip.info that we decided to also set up a sip2sip.info trunk on our Asterisk server. This is a very secure way to enable a SIP URI on your Asterisk server without exposing your server to SIP vulnerability. The only additional step with PBX in a Flash is to lock down external SIP access to the IP address of sip2sip.info. For setup instructions, see this thread on the PBX in a Flash Forums.

Configuring Voicemail Access. It’s easy to configure these phones to access any existing voicemail system. The only trick is that the number to call for voicemail access must be all numeric. On Asterisk systems, this means *98 won’t work! So, in FreePBX, first set up a Misc. Destination called Voicemail-Read and use *98 as the Dial String. Then set up a Misc. Application called VoiceMailRead and enter 86245 as the Feature Code. Then choose Misc Destination: Voicemail-Read as the Destination.

On the phone, choose Menu, Settings, VoIP Settings, Misc., Voice Mail, Voicemail Number and enter 86245. You can leave the Mailbox ID and password blank on Asterisk-based systems, and you’ll be prompted for them. Or you can fill in either the mailbox number or both the mailbox number and password, and your entries will be passed to Asterisk to access the desired voicemail box.

To access Voicemail from the phone, press the function key just to the right of the number 3 on the phone.

Using the Nortel 1535 Browser. While it’s not the best browser on the planet, these Nortel phones do have a decent web browser that can be used to retrieve current content such as news, weather, and sports scores. To set up a web link, choose Menu, Services, Web Browser, and choose one of the four links. Here are a couple entries to get you started. Others can be found in this thread on the PBX in a Flash Forums. Remember to use the Top Left function key as the Enter key in browser links! HINT: While in one of your four preconfigured web sites, if you press the Right Button just above the directional arrow keys, you can navigate to additional web sites.

  • mundy.org/news.php – Latest Yahoo! News
  • google.com/m – Google Mobile

To access the Browser, press the function key just to the right of the number 6 on the phone.

Accessing Email on the Nortel 1535. Both POP3 and IMAP email access are supported on the phone. And a number of boilerplate email messages already are preconfigured for sending using your chosen email provider. You can set up additional ones using the Template option. To set up email, go to Setup, Messages, Account Settings.

Nortel 1535 Organizer. These phones also include a very capable Address Book and Calendar. Entries can be imported using a standard SD/MMC card. We’ll leave the rest for you to sort out. Or take the guess work out of the experiment and read Nortel’s excellent documentation. Enjoy!





The Incredible PBX: Remote Phone Meets the Travelin’ Man

Ever wrestled with one of those thorny problems for weeks only to wake up in the middle of the night with the answer? Thus was born Travelin’ Man, a web-based, one-click Asterisk® application that automatically reconfigures your Asterisk PBX to enable remote SIP phone access from your cellphone, iPad, remote PC, NetBook, or desktop telephone.

News Flash: Be sure to read our latest article introducing Travelin’ Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that’s lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.

If you’ve read the Incredible PBX series of articles on Nerd Vittles, you already know what a thorny problem remote phone access is if you want to preserve the overall security of your server. Indeed, our recommendation has been to leave SIP access closed on your hardware-based firewall because of the dangers inherent in activating remote SIP access. Now we have a better idea!

Today’s new approach works like this. First, we’ll run a little script that secures all of your extensions with permit entries locking down all these connections to the IP address range within your private network. Then we’ll open the SIP and RTP ports on your hardware and software firewalls and map these ports to your Asterisk server’s private IP address. With this setup, no one can attempt remote SIP logins to your server because Asterisk blocks all SIP extension connection attempts except those originating inside your LAN. To manage external phone connections to your server, the install script creates a new virtual Apache web server on your Incredible PBX using port 83. We’ll enable and map TCP port 83 on your hardware and software firewalls to your server as well. Web access with port 83 is limited to running the Travelin’ Man app to activate external phones.
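The lock-down described above can be verified after the fact. The Python audit below is an added example, not the Travelin' Man script or any PBX in a Flash code. It assumes the extensions are chan_sip sections that use deny=/permit= lines in address/netmask form and that the last matching rule decides. The sample configuration, the extension numbers in it, and the probe address are constructed.

```python
"""Audit chan_sip extension ACLs (deny=/permit=) for exposure beyond the LAN."""
import ipaddress

# Private ranges a home or office LAN would normally use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Documentation address (TEST-NET-3) standing in for "some host on the Internet".
PROBE = "203.0.113.10"

# Constructed sample, not taken from any real server.
SAMPLE_SIP_CONF = """
[voipms]                      ; trunk with a fixed host, not an extension
type=peer
host=atlanta.voip.ms

[501]                         ; locked to the LAN
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[701]                         ; no ACL at all
type=friend
host=dynamic

[702]                         ; LAN plus one whitelisted remote phone
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
permit=198.51.100.7/255.255.255.255

[703]                         ; a trailing permit-all undoes the deny
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.0.0
permit=0.0.0.0/0.0.0.0
"""


def parse_net(value):
    """Turn 'addr', 'addr/24' or 'addr/255.255.255.0' into an IPv4 network."""
    addr, _, mask = value.strip().partition("/")
    if not mask:
        prefix = 32
    elif mask.isdigit():
        prefix = int(mask)
    else:
        # Dotted netmask: the number of set bits is the prefix length.
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections[current] = []
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.lstrip("> ").strip()))
    return sections


def acl_allows(rules, addr):
    """Apply rules in order; the last one matching addr decides. No match: allow."""
    addr = ipaddress.ip_address(addr)
    allowed = True
    for sense, net in rules:
        if addr in net:
            allowed = (sense == "permit")
    return allowed


def audit(text):
    """Return {extension: [issues]} for every host=dynamic section."""
    findings = {}
    for name, options in parse_sections(text).items():
        if dict(options).get("host") != "dynamic":
            continue                              # fixed-host trunks are out of scope
        rules = [(k, parse_net(v)) for k, v in options if k in ("deny", "permit")]
        issues = []
        if not rules:
            issues.append("no deny/permit ACL")
        elif acl_allows(rules, PROBE):
            issues.append("arbitrary public address allowed")
        for sense, net in rules:
            if sense == "permit" and not any(net.subnet_of(p) for p in RFC1918):
                issues.append(f"non-LAN permit {net}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for ext, issues in audit(SAMPLE_SIP_CONF).items():
        print(ext, "OK" if not issues else "; ".join(issues))
```

A "non-LAN permit" finding is expected for an extension that has been deliberately opened to one remote address; the point of the report is that every such entry is one you can account for.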

Now we’re ready to set up access to your server for remote devices. For each extension you wish to enable for remote access, we’ll create a special web directory using an obscure, random file name which will serve as the web link for the Travelin’ Man web app. For example, in the diagram above, directory 184778 manages extension 501, directory 2389957h manages extension 701, and directory 6993h5j manages extension 702. This is accomplished by simply changing the extension number in the index.php script stored in each directory.

When one of these web links is accessed remotely, the PHP script will automatically reconfigure Asterisk to enable access to the designated SIP extension on your server using the remote IP address from which the web page was accessed. And, of course, there’s an additional layer of SIP security as well. You still need your extension credentials to actually log in to your server with a softphone to place and receive calls. The Travelin’ Man installation process takes only a couple minutes, and the remote SIP activation procedure takes just a couple seconds each time you want remote access from a different location. Here’s a quick example of how it actually works.

Let’s assume we want to use the new $3.95 Bria SIP softphone on an iPad to connect as extension 501 on our Incredible PBX back at home. The problem is that the dynamic IP address of your iPad changes at each new site on your itinerary. Some locations have WiFi while others only have 3G connections.

First, we’ll generate an icon to run Travelin’ Man from your iPad desktop. Use the same procedure with an iPhone or iPod Touch, and there’s a similar procedure for Android devices.[1] You only have to do this once. Start up Safari on the iPad to access the new port 83 web server at the random web address the installer created to support extension 501. That web address is something like this using your own FQDN[2]: http://myserver.dyndns.org:83/184778. After establishing the link once, we’ll hit the + button in Safari and choose Add to Home Screen. This creates the TravelMan icon on the iPad. See the screenshot below of our demo iPad setup which used extension 221 instead of 501.

Once configured, it’s just two clicks to enable your remote phone anywhere: click once on the TravelMan icon. When your IP address is confirmed, return to your Home Screen and click the Bria softphone icon to establish a SIP connection back to your server. Behind the scenes, the Travelin’ Man application will generate the required permit entry for your remote IP address mapping it to the designated extension on your server, and then it will reload your SIP settings to make your Asterisk server accessible to the Bria softphone in your hotel room. The entire process takes only a couple seconds.

If your company happens to have a dozen traveling salesmen, then you’d simply assign a dedicated extension to each employee and create secure directory names for each person (e.g. 2389957h and 6993h5j in diagram above) with a copy of the Travelin’ Man app configured for that employee’s extension number. Now your entire mobile workforce has connectivity back to the home office from any location on the globe. And, when an employee leaves the company and another arrives, just create a new name for the old employee’s web directory to preserve the security of your system (e.g. 184778 in our example becomes 78hd773). Keep in mind that each time the Travelin’ Man app is run for any extension, it wipes out any previously authorized IP address entry for that extension. Thus, the security of your Incredible PBX is always preserved.

Prerequisites. Before proceeding with today’s install, you must be running a stock install of Incredible PBX with PBX in a Flash behind a properly-secured, hardware-based firewall[3]. We recommend the latest version of Asterisk 1.4 because it addresses a SIP vulnerability that might cause you problems if malformed SIP packets are targeted at your server. The current release of PBX in a Flash (1.7.5.5 Silver) is ideal, but any version of PBX in a Flash can be brought current with Asterisk using the update-source and update-fixes tools. Travelin’ Man assumes that you have the Incredible PBX base install of extensions: 501 plus 701-715. You can obviously add more or remove some, but you’ll need to manually adjust sip_custom_post.conf to reflect your actual extension list after the install completes.

The installer has been encrypted for your/our own protection. In source form, the script would allow anyone to defeat the Incredible PBX requirement. Doing so would mean the required IPtables security component would not be in place and properly configured to protect the underlying system from attack. So we’ve opted to play Big Brother to avoid potential security problems for all of us down the road. This article clearly explains all the necessary components if some folks want to roll their own version. We just don’t want the responsibility if something goes horribly wrong. As Forrest Gump would say, “Shit Happens.” :-) If you don’t believe it, check out the latest security scramble in the trixbox forums.

Installation. Now we’re ready to get started. So log into your Incredible PBX as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/travelinman.tar.gz
tar zxvf travelinman.tar.gz
./travelinman.x

NOTE: If you’re using PIAF2 with CentOS 6.2, you’ll need to use the updated version of Travelin’ Man because of a syntax change in the Apache config file:

cd /root
wget http://incrediblepbx.com/travelinman2.tar.gz
tar zxvf travelinman2.tar.gz
./travelinman2

The first step in the install procedure is to lock down access to all of your extensions to your private LAN subnet. In case you ever want to do this on another server not running the Incredible PBX, here’s a link to our privip.sh shell script that shows how to do it. This should work on most FreePBX-based Asterisk systems.

Once the extensions are locked down, the script will modify your IPtables and Apache configurations to permit web access on port 83. Next, it will adjust your Asterisk setup to support the Travelin’ Man permit scheme. This involves reworking sip_custom_post.conf so that permit settings for individual extensions can be stored in files named 501.inc, 701.inc, etc. Finally, the installation procedure will set up a single web site to support extension 501 with a randomized directory name for remote access.[4] This setup will be stored in /var/www/travelman. To activate support for additional extensions, you would simply copy the subdirectory giving it a new random name: cp -r dir1 dir2. Then edit config.php in the new subdirectory and change the $extension entry.
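The permit scheme described above (per-extension files such as 501.inc, with each activation wiping the previously authorized address) can be sketched as follows. This is an added example, not the Travelin’ Man code: the file layout, the 192.168.0.0/24 LAN, the function names and the sample addresses are assumptions.

```python
import ipaddress
import os
import re
import tempfile

# Assumed layout (not taken from the encrypted installer): sip_custom_post.conf
# holds, per extension,
#   [501](+)
#   #include 501.inc
# and 501.inc carries only that extension's deny/permit lines.
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumption: your private subnet
PROBES = ("192.168.0.50", "203.0.113.7", "198.51.100.20", "192.0.2.99")  # constructed


def render_permit_file(remote_ip, lan=LAN):
    """Return the ACL lines for one extension: deny all, then LAN, then one host."""
    # Raises ValueError unless remote_ip is a plain dotted quad, so nothing
    # else can end up in the config file.
    host = ipaddress.IPv4Address(remote_ip)
    return (
        "deny=0.0.0.0/0.0.0.0\n"
        f"permit={lan.network_address}/{lan.netmask}\n"
        f"permit={host}/255.255.255.255\n"
    )


def activate(inc_dir, extension, remote_ip):
    """Overwrite <extension>.inc; any earlier remote address is dropped."""
    if not re.fullmatch(r"[0-9]{2,6}", str(extension)):
        raise ValueError("extension must be numeric")
    body = render_permit_file(remote_ip)
    # Write a temp file and rename it so a reload never sees a partial ACL.
    fd, tmp = tempfile.mkstemp(dir=inc_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(tmp, 0o644)  # the Asterisk user must be able to read it
    path = os.path.join(inc_dir, f"{extension}.inc")
    os.replace(tmp, path)
    # A real deployment would now run: asterisk -rx "sip reload"
    return path


def acl_allows(acl_text, address):
    """Apply permit/deny lines as Asterisk does: default allow, last match wins."""
    addr = ipaddress.IPv4Address(address)
    allowed = True
    for line in acl_text.splitlines():
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("permit", "deny"):
            net = ipaddress.ip_network(value.strip(), strict=False)
            if addr in net:
                allowed = key == "permit"
    return allowed


def demo():
    """Activate 501 from two constructed addresses; probe the ACL after each."""
    results = {}
    with tempfile.TemporaryDirectory() as inc_dir:
        for remote in ("203.0.113.7", "198.51.100.20"):
            with open(activate(inc_dir, "501", remote)) as fh:
                acl = fh.read()
            results[remote] = {p: acl_allows(acl, p) for p in PROBES}
    return results


if __name__ == "__main__":
    for remote, verdicts in demo().items():
        print(remote, verdicts)
```

The order of the lines matters: if the deny line is placed after the permit lines, the last-match rule rejects every address, including the LAN.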

To complete the install, you must reconfigure your hardware-based firewall and map the following ports to the private IP address of your server:

TCP 83
UDP 5060
UDP 10000-20000

When the installation is completed, it will show you how to access the new web site for extension 501 using either a fully-qualified domain name or a public or private IP address. Now just follow the steps at the beginning of this article to set up your Android or iDevice, and test things out. Enjoy!

Reminders: Be sure to review the comments to this article and the related support forum thread for a week or two for late-breaking enhancements and issues. Also, Incredible PBX comes preconfigured with call forwarding activated for extension 501. Don’t forget to either disable it or set up a real call forwarding number for extension 501 if you want your cellphone to ring. From any extension on your server, just dial *72501 to set up call forwarding. To cancel call forwarding and pass calls directly to the registered 501 softphone, dial *74 and enter 501. Also be aware that the default RingAll ring group (700) configuration on Incredible PBX systems does not include extension 501. So add 501 if you want your remote extension to ring for incoming calls.


The Incredible PBX: Basic Installation Guide

Adding Skype to The Incredible PBX

Adding Incredible Backup… and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Adding Remotes, Preserving Security with Incredible PBX

Continue reading Basic Installation Guide, Part II.

Continue reading Basic Installation Guide, Part III.

Continue reading Basic Installation Guide, Part IV.

Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.




Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.



  1. To create a desktop icon for Travelin’ Man on Android devices, navigate to the link with your browser. Then save the link as a Bookmark by clicking the Star icon in your browser then click Add. Return to the Home Screen and, from the screen on which you wish to add the icon, touch and hold your finger on the screen. When the Add to Home Screen menu appears, choose Shortcuts then Bookmarks and select the link you previously saved. As with iDevices, you only have to do this once.
  2. FQDN = Fully-qualified domain name
  3. We recommend the D-Link Router/Firewall. Low Cost: $35 WBR-2310. Best: DGL-4500
  4. If you’d like to download the web site code independently from the Travelin’ Man install procedure, here’s the link.

VoIP Softphone Shootout for iPhone, iPad, & iPod Touch

We interrupt our Incredible PBX coverage this week to bring you a summer roundup of the best and worst VoIP softphones for use with an iPhone, iPad, or iPod Touch in conjunction with Asterisk®. We’ve tested all of these products with Asterisk sitting behind a NAT-based firewall/router which introduces some additional wrinkles unless your softphone and server are connected through a virtual private network. We’ll leave the VPN discussion for another day. None of these products has native support for the iPad although all will work with any iPad as will any standard iPhone app in either 1X or 2X mode.

The four products we’ll be evaluating are Acrobits SIP Softphone, the WiFone from Snizmo.com Ltd., the Media5-fone, and CounterPath’s just-released Bria softphone. All support SIP dialing, and the WiFone provides IAX connectivity as well. We were a bit surprised that, despite their reliance on SIP to connect calls, SIP URI support was minimal to non-existent in all but the Bria product. Before diving into the individual products, we should note that, in conjunction with our product evaluations, we received no compensation or discounted/free software from any source. We are a beta site for CounterPath’s next Bria release.

Acrobits Softphone. The Acrobits Softphone requires iPhone OS 3.0 or later and was recently updated on June 3, 2010. The softphone only supports SIP but works with both WiFi and 3G connections which makes it a perfect complement to current generation iPhones as well as the iPad-3G. The softphone also supports push notifications for inbound calls until multitasking is available with iOS 4.0. Multiple SIP accounts can be registered, and the softphone has SIP proxy, VPN, and STUN server support, a must with Asterisk sitting behind most NAT-based routers. G.711, GSM, and iLBC audio codecs are supported in the standard configuration, and we experienced excellent call quality using WiFi with no DTMF issues. As with all of these VoIP phones, 3G call quality was all over the map depending upon the reliability of your nearest cell tower. SIP URIs can be called by cutting-and-pasting dial strings from entries in the Contacts list email address fields provided the SIP URI destination name is numeric. Quirky but it works. There’s also a speed dial feature for your 12 favorite contacts. Flexible dial strings are supported to smooth the path for international calling. With iOS 3.1, a Bluetooth headset can also be used. The application sells for $7.99 in the App Store, and G.729 support can be added for an additional $9.99. G.729 is a must-have if you’ll be using a 3G network for most of your VoIP calls.

While call quality is obviously subjective, the Acrobits Softphone was our personal favorite for daily use. We routinely use it on an iPad to check Asterisk voicemails and to make outbound calls through our home Asterisk server while traveling. Setup is as simple as entering the IP address or FQDN[1] of your Asterisk server and an extension number and password to handle the calls. We added a public STUN server entry because of our NAT-based Asterisk setup.

Snizmo’s WiFone. A very close runner-up in voice quality was the WiFone from Snizmo.com Ltd. This softphone has the added advantage of supporting both SIP and IAX2 connections to Asterisk. If security and ease of use matter most to you, then you can’t go wrong with this softphone. IAX2 connections are much less vulnerable to attack from the Internet and are considerably easier to configure because of the elimination of thorny NAT issues. If we had found this softphone first, we probably would have looked no further. As you can see from the screenshot, this softphone supports multiple SIP and IAX connections and is easily set up using the configuration menu. For our European friends, it also supports SMS using a dozen different providers. Echo cancellation and STUN support are available, and G.711 and GSM codecs can be individually configured for SIP and IAX connections. An Outbound Proxy is also available as well as support for international dial strings and prefixes if you need it.

For SIP accounts, simply provide the server address, a username, and password. Authorization name, SIP port, and proxy server settings are optional. For IAX accounts, server address, username, and password are the only required entries. Each account can be toggled ON and OFF to meet your individual requirements. SMS Settings provides a listing of a dozen SMS providers. Simply add your username, password, and a CallerID and SMS just works. The contacts list also synchronizes with your Mac Address Book as well as MobileMe. The call quality of both SIP and IAX connections using WiFi was excellent. 3G support is not yet available. The web-based tutorial is excellent, and the application is available in the App Store for $6.99. An international version also is available.

We could not get the SIP URI functionality to work because the Contacts list phone numbers do not support SIP URI syntax, and there’s no way to manually enter or cut-and-paste a dial string from an email address in the Contacts list. While the polish of the application was not quite up to the Acrobits Softphone, the call quality was uniformly excellent with the SIP URI limitation that we’ve noted.

Media5-fone. Our final softphone in today’s roundup is Media5-fone from Media5 Corporation. It can be downloaded from the App Store for $4.99. While the application is exclusively a SIP phone, it does have preconfigured setups for dozens of providers in the event your requirements extend beyond the Asterisk universe. Unfortunately, there is no STUN support in the current version which makes it unsuitable for use with Asterisk implementations that sit behind NAT-based routers. Multiple SIP connections are supported as are second call, call waiting, and call toggle. In the current version, both SIP over WiFi and 3G are supported using iLBC, G.711, Enhanced G.711, G.722, and iSAC codecs. SIP Info, RFC 2833, and RTP Inband DTMF methods are configurable for each SIP account. Dialing prefixes are flexible and the phone has language support for English, Arabic, French, German, Italian and Spanish which facilitates international use. The phone also includes a nice implementation of visual voicemail; however, the SIP password and voicemail password would have to be the same to function properly with Asterisk. Automatic gain control and echo cancellation also are supported. With the addition of STUN and SIP URI support, Media5-fone would be a worthy competitor.

Update: CounterPath’s Bria. As luck would have it, CounterPath released their new Bria softphone for the iPhone today. It also is iPod Touch and iPad-compatible and supports both WiFi and 3G. The softphone is available at an introductory price of $3.99 in the App Store. It’s the best bargain in the softphone market. G.729 support can be added for an additional $8.99. G.722 wideband support reportedly is coming in August. You may recall CounterPath’s terrific and free X-Lite offerings for Windows, Macs, and Linux. They’ve been one of our favorite developers ever since, and we are actually serving as a beta tester for their next release. As usual, the Bria interface offers what is hands-down the best UI in the business. The voice quality of the calls is impeccable. Our only criticism is that out-of-the-box, Bria doesn’t work for placing outbound calls with Asterisk. Registration of credentials works fine, inbound calling works great, but outbound calls to either an extension, a phone number in the Address Book, or a SIP URI all just hang with no error message or notation in the log. Only after tracing down an obscure link on their web site did we discover the problem. It turns out that one simple change of a single default setting gets things working as they should. To make the change to support Asterisk, click Settings, Advanced Settings, Network Traversal Strategy, User Specified. Then change ICE:ON to ICE:OFF. Click the Advanced button, and then Apply Changes. Aside from this one default configuration glitch, the Bria softphone would be our Editor’s Choice. We highly recommend you make your purchase while the softphone still is available at the introductory price. For an excellent review, see Alec Saunders’ Blog today.





  1. FQDN = Fully-Qualified Domain Name