the myIT blog

sipXecs 4.6 is here!

If you are phone geeks like us, you might want to visit the SIPFoundry project and see what's new.  We use version 4.4 internally, and are testing the newer, shinier, leaner 4.6 version. sipXecs is a drop in replacement PBX for people who need VOIP feature sets. It scales and is aimed at enterprise users (not really a good choice for a home enthusiast pbx geek). It requires strong fundamental skills in networking and DNS. It scales to hundreds or thousands of users per node given the proper hardware, because it is a stateless proxy.

  • What's really new to the user in the upcoming 4.6 version:
  • It has the ability to define the voicemail attachment type as wav (standard) or mp3! This includes auto recorded conferences.
  • Faxes can be received paperless (like in 4.4) but now have the ability to define the attachment type as PDF instead of just TIFF.
  • No longer uses Gravatar links for the user address book, but can link to an external image, even your gravatar account and you can put in Linkedin, Twitter, Facebook and Xing stuff in your address book to share your information with internal staff.
What's new under the hood? Lots! Almost everything, actually.
  • There is a new configuration engine. This engine uses a lot less in the way of resources in a large environment. When you made a change to a user or group, the system would have projected over a dozen files for the user, even if a single file was the only one that changed. Now with the new configuration engine, the system is only writing the actual changes. When you made a change to a group of 1,000 users, it could have impacted performance while those files were projected, then replicated to a HA (High Availability, think cluster but in a role based fail-over sort of way) system.
  • Speaking of HA, HA file syncs now use MongoDB. This is a wise, lean and mean database system and is only used for certain aspects of the system, Postgres is still used for the main user/device configuration/system database.
  • How Apache is installed is a bit more straightforward, using the regular apache config and no longer using secure port 8443, etc. This makes it easier for tinkerers of XHTML or other PBX hosted webpages (telephone directories, production status pages in factory environments and the like) to use the existing apache server instead of installing yet another one to serve timy pages that are not heavily used. It also makes it easier for being able to provide proxy access to the user portal for more elaborate network needs.
  • It likes to role play. Not trying to be cute, it's trying to fit the mold you need it to fit though. Now when you build a new system, it asks you "how" it is to be used. It makes it simpler to move three or four systems into place for registrar/proxy and other telephony functions and lets you centralize your voicemail/media services onto a totally different system.   Note: There are differences in HA and what functions are available between the Open Source and commercial product (eZuce), and before you get too deep into it, we suggest you read up and figure out what is best for your needs.
  • FreeSWITCH is still used as only the media server engine for sipXecs, but its role is expanded, as it is the engine that plays greetings, records voicemails, mixes audio conferences, and the like. It is also receiving faxes (paperless), with a separate function in sipx taking those and putting these different communications (media) into the appropriate or chosen format and sending them where they need to go. So that's not really different in 4.6, so what's new? New Call Center - Previous versions of sipx used a huntgroup or its own ACD/Callagent call handling system for inbound call center-like capability. Out with the old, in with the new using the OpenACD project. OpenACD uses a recipe-like functionality (if the skillset is "english" then send the call to agent "x" if agent "x" is logged in to accept calls). OpenACD leverages and runs on top of FreeSWITCH and is configured through the slick sipXconfig admin GUI without the need to edit config files by hand or have to do much to get the calls handled in a basic way. This is great for the common helpdesk, support agent or inbound marketing call center scenario. The OpenACD project is small, but the core developers are pretty astute and have the product being supported in a few expensive systems and its a very active albeit, small project. Please note, the implementation method behind OpenACD (because it sits on top of FreeSWITCH) makes it very potent with very little code, which is why I say "little". It's a very good example of doing more with less and being very exact in the way it uses resources to be efficient.
  • Configuration management - the webgui has been reworked and things have moved around a lot, but nothing is really that much different for the experienced admin, so it's just a few more clicks to find something that moved from one spot in the menu systems to another. You will find the grouping of the menu to be be consistent with the new role based model too.

Gosh its fun being a geek with new toys!

To the rescue!

When we travel for work here, each person carries a smart phone, laptop and various other electronic gadgets to keep us in touch when we are away. One of the recent devices we've started carrying is a remote teleworker appliance. It requires electrical current (no the typical hostspot with battery of its own for several hours).  It has Ethernet and/or USB Internet connectivity plus four local ethernet ports AND wifi.

On a recent trip I plugged this into the desk of my hotel room and connected the Ethernet cable. My own wifi network came on and I had no issues nor did I have to train my devices to connect to another network. My wireless network was secure (as opposed to the open wifi that hotels usually offer).

A week later I got a panic call from a client's office suffering from an Internet outage. According to the carrier it was not likely to be resolved that day. So I plugged in a my compatible USB modem (3g/4g) and turned everything on. Within 3 minutes of turning this on at their office, "everything" started to work. All of the PC's were able to use email and it was like a "Bar Rescue" episode with a happy ending. We didn't even change the name of the business.

Ask us about teleworker devices or SMART Internet routers with USB modem failover!

How smart is your firewall?

Recently I had to find a needle in a haystack for a client. A small inexpensive branch router that would be able to help me easily provide reports and insight to a network while also adequately protecting it and keeping VPN connections up AND properly groom Internet and VPN traffic and classify and prioritize it. This is all somewhat easy except for the traffic shaping part of it. First, there is shaping, then there is shaping within a tunnel.  There is also the tougher part of making the reporting simple and easy enough to look at for the non-technical user. We needed a simple "google-like" interface. This way when we push the adoption of the technology within the corporate structure on a wide scale we can "show" the the people who allocate budgets and guide their business, who might not be highly technical or CIO types. Don't take this wrong, but if your enterprise is a small healthcare or insurance company, that's what they know and they turn to firms like ours to demystify the technical part of things.

So here is what we did, we installed 4 networks, all were 3 or more hours (one way drive), from the main headquarters. Once we did that we connected them all with these smart routers and turned on PC, mobile device, anti-virus and firewall (also cloud managed) and set the PC's up with Google Apps and migrated all user email. Now once they (remote branches) were all visible to us, we connected them via VPN and setup the traffic shaping. One site has a VOIP PBX (www.sipfoundry.org) and sip trunks to a suitable ITSP. The other three sites use that same phone system back at this main PBX host site.

Why didn't we cloud host the phone system? Didn't make sense fiscally.  Hosted services for this size organization start (basic options) at 500.00 per month, and to get what they really needed with some feature sets, 750.00 or so (conference calling, etc.), based on the number of users. So putting in a system made sense because "operating' it, costs so much less than you think.

We can see the PC's, mobile devices, wireless network, Internet traffic and in general how they use the Internet connection. We also block certain traffic by category (any category you wish to specify that might lend itself to either wasting productivity or perhaps making it less likely a problematic employee can keep their eyes off unsuitable material using the company's resources). We've found by specifying non-essential categories that can cause HR  to have its hands full if used, people stay gainfully employed and also it eliminates embarrassment and potential harassment or "hostile workplace" lawsuits. 

The firewall is smart enough to track this data AND store it offsite. It also monitors the state of the network connections and informs us from the outside in if there is an extended outage. The routers are managed from a cloud portal and also eliminate any possibility that you deploy a firewall rule that locks you out of that router. VERY helpful, especially if there are multiple people managing it and someone says "uh oh".

The customer can see all of this data at any time (it's their network) and let you manage it or they can do it themselves if they have the desire to do so.

We don't find that simply "prioritizing ports" and things like that work anymore. In this instance we can prioritize SIP (voice) but NOT Facetime or iChat (not how this business communicates). It knows the difference between surfing Netflix's website AND streaming a video from Netflix. It knows Vocera, Skype, and more. It knows Rhapsody, iTunes, Dropbox, Carbonite, Pandora and dozens of other "protocols". So it's "smart" because it knows that seventh layer stuff and also still allows you to define custom stuff (ip address, networks, ports, etc.) and add something you still need to define that might not be that noticeable and continue to reflect what your existing rulesets have. Oh, did we mention you can easily do things like block peer-to-peer or Skype or iTunes or whatever too?

So in 2 days while working with wiring contractors and our staff, we rewired 4 offices, put brand new networks in and transformed a set of offices with technology. In doing so we reduced their collective communications costs from over 1,400.00 per month to around 150.00.  This is the thing that always makes me go "hmmmm". The reason we were brought in? Fix it, top to bottom. How we were able to do it? We worked smart, not hard. In order to do this we use smarter tools and spend a little money where it pays back.

In one day we were also able to determine one of the ISP's was just not offering a quality connection. So it was replaced with a more reasonably priced one (costs less) and provides better performance. There wasn't any guesswork. In this case the FIOS 25M/25M connection had horrible latency compared with the other connections both connecting back to the well peered cloud data center and several other needed sites. While the price for the service was "good" the latency (with no discernible traffic present) showed us it was going to be unsuitable for voice traffic in general and it was the, well, "weakest link" in this network.

Any network can be strong, agile, simple and affordable AND smart. You just have to make good decisions up front.

DOS protection (onboard) your sip server

This concept will work for practically any sip server, assuming it runs linux and uses iptables. I wrote this looking forward into the future of sipxecs, where protection mechanisms of certain levels are being added at the proxy level. Until users adopt and deploy 4.6 (some are slower than others, right Windows XP users?), this can be considered a crutch to help them stay functional in the event of a DOS attack or a script to try to penetrate weak security.

Please see my wiki article I posted at sipfoundry.org.

It should be trivial for any network admin to edit and make it functional on your system.

 

In

pfSense 2.01 and sipXecs

We find pfSense to be an excellent free firewall. We do also find with the 2.0 release that the traffic shaping capabilities are still not fixed (worked great in 1.23 though). We don't let this dissuade us from using it as a firewall, though we now shpae bandwidth with a commercial appliance that gives us much better control and sits between the LAN port of the firewall and SWITCH transparently. If you organization needs much more infinite control, oversight and monitoring/reporting of bandwidth, we can help!

Installing pfSense is still recommended for organizations on a budget that need to put "something" in front of sipXecs and use the sipXecs built-in remote user and/or sip trunking functions.

Remember to configure the outbound NAT and MANUAL and STATIC PORT, and this is uber important, BEFORE YOU ADD ANY NAT RULES.

If you need a rate limiting function, once you create the NAT rule, go to:

Firewall, Rules and edit the rule for the port (i.e. 5060) and click the ADVANCED button. There you will see:

Maximum new connections / per second(s).

Also, if you need something to block inbound requests from other countries,

System>Packages" click the "+" next to "pfBlocker", install that and configure it to deny inbound traffic to all countries you don't have remote users of traffic coming from for you network!

In