Provisioning is the process of letting an IP telephone pull its configuration from an external entity. When a telephone pulls its configuration, it gets at least this information:
- SIP Credential
- Codec configuration
- Admin access
Some other phones are more advanced and can pull more information, such as shortcuts, display settings, ring tones, SIP/RTP parameters, etc.
The CDR Importer is the element that pushes your call detail records into a database for post-mortem analysis, for example billing.
FusionPBX as a project offers you both of these things. Having a Provisioning and CDR Importer server sounds quite easy if you are talking about stand-alone deployments, but in this case I will write about something more interesting: cluster deployment. Regardless of whether you have a high-availability or a load-balanced cluster, there is a point where you have enough load that you need to move non-essential VoIP functions out of the main SIP nodes to keep load and service quality at an acceptable level. Moving functions such as provisioning or CDR importing out of the SIP Cluster Nodes is one of the first steps you should take.
So, let's take the extreme scenario, where you have almost everything split into different servers, like the following deployment.
You will have the following servers:
- SIP Cluster Nodes running FreeSWITCH and part of FusionPBX (as you need at least the XML Handler)
- Frontend Server running FusionPBX to allow people to connect and do changes
- Provisioning & CDR Importing Server running FusionPBX to allow IP phones to pull their configuration and to allow the SIP Cluster Nodes to push call detail records
- File Sharing Server, which holds all the files that the SIP Cluster Nodes need to have in common: recordings and voicemails make up most of them
- SMTP Server to send outgoing emails as required by the system
- Database Cluster Nodes holding all the PBX information: dial plans, authentication information and anything else you may want to store in the database
And before continuing, if you are thinking "Hey! I want a cluster like that", yes, you can contact me and ask for it.
As you guess, the only point of contact should be the Frontend Server. The public should not have access to the FusionPBX interface through the other servers. Fixing this is quite easy on the SIP Cluster Nodes: you just need to close ports 80/tcp and 443/tcp, as there is no need to have them open because the public part of FusionPBX lives on the Frontend Server.
Things get more interesting and fun when you want to close that on the Provisioning & CDR Importing Server. The reason is simple: the web interface and the provisioning/CDR importing functions both use port 80/tcp or 443/tcp, so a port-based (Layer-3/4) control such as a firewall cannot separate them in this very specific case.
Happily for us, Apache, and more specifically the .htaccess file, has an option to block specific URLs. The first question I had was which URLs I should block without breaking provisioning and CDR importing. After reading the code for a while and playing with my browser, I found that any unauthenticated request is forwarded directly to the login.php URL; I also found that the password is asked for on the default / URL or when asking directly for the index.php file. Therefore my .htaccess config looks like this:
# Answer 403 Forbidden for the FusionPBX login page, the index page and the
# document root. Patterns are matched against the path relative to the
# directory holding this .htaccess, so URLs under app/ (provisioning, CDR
# importing) are not affected by these anchored patterns.
RewriteRule ^login\.php - [F]
RewriteRule ^index\.php - [F]
RewriteRule ^$ - [F]
Just paste it at the end of the file. If you are a little more paranoid about security, you could also block requests that lack a Referer header and target URLs other than the provisioning and CDR importing ones. But for me, this is enough.
Good luck!
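To convince yourself that the three rules block only what they should, the following script (an added example, not code from the post or from FusionPBX) replays the request paths that matter against an offline approximation of how a per-directory RewriteRule with the F flag is evaluated: the leading slash is stripped, the query string is not part of the path the rule sees, and the pattern is an unanchored regex search unless it starts with ^. The provisioning and CDR importing paths in the sample are assumptions standing in for whatever your FusionPBX version uses; swap in the real ones. A small probe_server helper is included for checking a live server with the same list of paths.

```python
"""Offline check of which request paths the .htaccess F-flag rules block.

Added example, not part of the original post or of FusionPBX. Only the subset
of Apache mod_rewrite behaviour that matters here is mimicked: per-directory
context, F flag, no RewriteCond, no substitution.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List, Pattern

# Constructed copy of the rules from the post (RewriteEngine On is already
# present in the FusionPBX .htaccess; it is repeated here for completeness).
HTACCESS_RULES = """
RewriteEngine On
RewriteRule ^login.php - [F]
RewriteRule ^index.php - [F]
RewriteRule ^$ - [F]
"""

# Assumed request paths; the provisioning/CDR URLs are placeholders, not
# necessarily the ones your FusionPBX release uses.
SAMPLE_PATHS = [
    "/",
    "/index.php",
    "/login.php",
    "/login.php?redirect=1",
    "/app/provision/index.php?mac=000000000000",      # assumed provisioning URL
    "/app/xml_cdr/v_xml_cdr_import.php",               # assumed CDR import URL
]

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")


def parse_forbid_rules(htaccess: str) -> List[Pattern]:
    """Return the compiled pattern of every RewriteRule carrying the F flag."""
    patterns = []
    for line in htaccess.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        flags = {f.strip().upper() for f in (m.group(3) or "").split(",")}
        if "F" in flags or "FORBIDDEN" in flags:
            patterns.append(re.compile(m.group(1)))
    return patterns


def is_forbidden(patterns: List[Pattern], request_path: str) -> bool:
    """Per-directory matching: drop the query string and the leading slash,
    then apply each pattern as an (unanchored) regex search."""
    path = request_path.split("?", 1)[0].lstrip("/")
    return any(p.search(path) for p in patterns)


def classify(htaccess: str, paths: List[str]) -> Dict[str, bool]:
    """Map each request path to True when the rules would answer 403."""
    patterns = parse_forbid_rules(htaccess)
    return {p: is_forbidden(patterns, p) for p in paths}


def probe_server(base_url: str, paths: List[str], timeout: float = 5.0) -> Dict[str, int]:
    """Ask a real server for each path and record the HTTP status code.
    Needs network access; not exercised by the offline check below."""
    results = {}
    for p in paths:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + p, timeout=timeout) as r:
                results[p] = r.status
        except urllib.error.HTTPError as e:
            results[p] = e.code
    return results


if __name__ == "__main__":
    for path, blocked in classify(HTACCESS_RULES, SAMPLE_PATHS).items():
        print(f"{'403' if blocked else 'pass':4} {path}")
```

The point the offline run makes is that the ^ anchor does the real work: app/provision/... never starts with login.php or index.php, and ^$ only matches the bare document root, so the phones and the SIP nodes keep working while the three entry points to the web interface are refused.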