Snom + Elastix Transfer Button Bug Workaround

It has come to my attention that I am not the only person who has this problem, a weird bug that I seemingly could not believe at first when reported by my users. The reports came in that when they were busy on the phones, and they had multiple people on hold, that sometimes, two holding clients would be connected to each other and disconnected by pressing the hold button. I was baffled, “you must be hitting the conference button I said” but no. There is a definite bug in the behavior of the transfer button on the Snom when using Elastix. It works fine with call waiting disabled, but it’s behavior is terrible with multiple lines ringing.

Here is what the button does.

If there is only one line active it places the current line on hold and lets you dial a number or extension then connects the caller to that extension.

If there are multiple lines active, It connects the current active line with the previously active line if two lines are active.

It is trying to do an attended transfer where you hold a call, call the intended recipient, fill them in and press Transfer again to connect them.

BUT HERE IS THE PROBLEM

This means if you get a call, put it on hold to answer a second call and then try and transfer the second call by pressing transfer, it thinks you are completing an attended transfer and connects your two held calls together, causing confusion and anger.

The solution to this problem is a combination of training and disabling or moving the transfer behavior on the phone.

If you have multiple lines active and you want to transfer a call you need a transfer button that just transfers and does not try and be smart and connects your callers. The easiest thing to do is to reprogram the transfer button on the phone in the Snom’s user interface from:

Key_Event:Transfer

DTMF:#

Pressing the # key in Elastix activates the PBX’s built in transfer function the voice on the line will say “Transfer” and you key the extension to connect the caller to the intended recipient and disconnect from you.

If you want to you can reprogram the Snom button to be the transfer button’s old behavior as I did and explain the behavior to the user and that they need to place the current call on hold, with the hold button, and then call the intended party and push the snom button for an attended transfer.

Here is the function key screen once reprogrammed.

Asterisk Failover – Switch to Second ISP Script

I wanted to make a script to make my failover to a secondary ISP easy and fast if my dedicated WAN link for VoIP went down and I needed to route traffic through my data WAN link in a hurry.

Lets assume the following:

You have a secondary IP connection that you use exclusively for voip traffic.
You have a NAT Router/Firewall for each WAN link plugged into your main switch, and use one as a gateway for data and the other for VoIP but you have SIP and RTP forwarded to the Asterisk Server from both NAT/Firewalls.
Your SIP Provider supports failover to a Secondary IP and you have configured the failover to your secondary data WAN
Both WAN Connections have a static IP address
You only have one asterisk server

I know this is super specific, but you may get some use out of this script in other similar scenarios. You need to do a bit of setup in order for this to work. The script will switch between configuration files and restart associated services. The files affected are:

/etc/asterisk/sip_nat.conf
/etc/sysconfig/network
/etc/resolv.conf

Assuming your system is currently set up for your VoIP ISP, lets assume its AT&T, and your data WAN is Time Warner Cable, you want to make a config file for each ISP as follows:

# cp /etc/asterisk/sip_nat.conf /etc/asterisk/sip_nat.att
# cp /etc/asterisk/sip_nat.conf /etc/asterisk/sip_nat.twc
# cp /etc/sysconfig/network /etc/sysconfig/network.att
# cp /etc/sysconfig/network /etc/sysconfig/network.twc
# cp /etc/resolv.conf /etc/resolv.att
# cp /etc/resolv.conf /etc/resolv.twc

now edit all of the .twc files in your text editor of choice and change the settings needed.

in sip_nat you need to change the external ip to the static ip address for your data WAN, in network, you need to change the gateway to the local IP of the NAT router/firewall for the data WAN and in resolv.conf you need to change the DNS servers if you are using the router or your ISP’s DNS servers. If you are using a third party like google or openDNS you don’t need to change the values.

So now you have two alternative versions of the configuration files, one for ISP att and one for ISP twc.

now just make the shell script.

# nano /usr/local/bin ispswitch.sh

#/bin/bash
#Change Gateway to config based on argument
cp /etc/sysconfig/network.$1 /etc/sysconfig/network
#Change DNS Server to Arg Config
cp /etc/resolv.$1 /etc/resolv.conf
#Restart Networking
/sbin/service network restart
#Change SIP-NAT to arg config
cp /etc/asterisk/sip_nat.$1 /etc/asterisk/sip_nat.conf
#Restart Asterisk
asterisk -rx "restart now"

# sudo chmod +x ispswitch.sh

Now you have a shell script that will switch between the sets of config files when you feed it the three letter file extension as follows:

# ./usr/local/bin/ispswitch.sh att

Will switch to the ATT configuration files. If you feed the argument “twc” it will switch to those files.

Obviously this is not something you want to do or test while people are on the phone, but it will get the job done. The scenario would go that your VoIP data link goes down, your VoIP provider tries to route the calls to the backup IP address and it will start to ring through on the backup IP (but with one way audio due to the gateway and improper sip_nat.conf settings) you then quickly run this script and switch the settings while you fix the primary WAN connection.

VoIP Security: Configuring the Elastix Firewall GUI

So you’ve got your Asterisk based Elastix system up and running and you are able to make and receive calls. Its probably safe to assume you have a static public IP address, and a NAT router/firewall forwarding SIP traffic on port 5060 to your server and RTP traffic on a range of ports forwarded to your server as well. Your setup may vary, and I’ll assume that you have the knowledge to get the traffic to your server.

The good news is that your setup works, the bad news is that your VoIP server is probably still exposed to hackers who are (NO JOKE) actively trying to access your server. SIP is a very high value target for hackers and people are constantly scanning the internet for open connections on port 5060. When they find one the first thing they usually do is to try and brute force attack common extensions and get access to the server.

You will get notifications in your log like this one that show someone is trying to break in:

I am sure you were smart and set up very strong passwords for your extensions, but to be even safer it is a good idea to block inbound SIP traffic from non-trusted IP ranges.

The Elastix GUI interface allows you to control your server’s firewall settings by taking control of IPTables which is Linux’s software based firewall. If you choose to use the Elastix Firewall GUI, it is best to just use it and not rely on hand-coded IPTables rules.

The first thing to do is go to the Security Tab on the Elastix Admin.

The first thing open should be the Firewall settings and you need to specify to turn the Elastix Firewall on. At this point Elastix Firewall is controlling your IPTables and any hand coded settings you have made are nullified so you need to set up your firewall settings in the Elastix Firewall GUI exclusively.

Note that if you have services that are running on ports not covered by the default rules, like for example Webmin, they will cease to function until you allow them.

The default settings for the Elastix Firewall are pretty much useless for security purposes, just letting any traffic from anywhere into the serve. You need to know how they work to configure them, they are numbered and are processed in order. You should not modify the First rule or the last three as they are critical to the system. Rule 1 allows local loopback traffic in the last three rules also allow the system to function.

For an in-depth look at how these rules and the Elastix Firewall GUI work check out This Guide that will help with most everything covered here except the final configuration.

If the only thing you are running on your system is Elastix/Asterisk and your VOIP provider has given you the IP addresses of their servers from where you can expect incoming traffic, you need to create a rule for each IP address and move it up anywhere above the last three rules. You should click the new rule button and add the IP address of the first server with the CIDR of /32 (One address allowed)

Then move the rule up using the up and down buttons next to the service number, anywhere above the last three rules will work. Make a new rule for each valid server IP address from your SIP trunk provider. Your SIP provider may give you a range of expected RTP IP addresses as well, and you can set up those addresses for RTP in a similar fashion. My SIP trunk provider only provides them for SIP connections so I have to leave RTP open.

Now go ahead and edit the Firewall rules for the services that you do use to include only the IP ranges you want to allow to access them, For example edit the incoming SIP rule to your local network to allow for LAN devices to connect. Edit the SSH rule to be your personal workstation or your local LAN.

Now use the Lightbulb icon to deactivate any services you do not use.

At the end of the day your firewall should look similar to this:

The rules basically say:

Loopback traffic is OK
Traffic from 37.75.0.0 /16 on any protocol is Blocked (Region was trying to break in often)
Traffic from my LAN is allowed on SSH
Traffic from Provider SIP IP 1 on UDP:5060 is allowed
Traffic from Provider SIP IP 2 on UDP:5060 is allowed
Traffic from Provider SIP IP on UDP:5060 is allowed
Traffic from Provider SIP IP on UDP:5060 is allowed
Traffic from my LAN on UDP:5060 is allowed
Traffic from my LAN on HTTPS is allowed
Traffic from my lan on Dell Openmanage is allowed
Traffic from any address on RTP is allowed

To set up rule 10 or a similar rule for a non-standard service/port you need to go to define ports and add a new port for your service then add a firewall rule to allow the service for the appropriate IP ranges.

All the rules below are disabled with the yellow light bulb except the final three system rules.

Now you have a more-secure Elastix system, using the Elastix Firewall GUI.

A word to the wise, should you break your ability to access the Elastix admin via HTTPS with the Elastix Firewall GUI, you need to SSH or locally access the system and type:

SUDO service iptables stop

Then go ahead and log in via the admin panel, change the offending rule and then go back in via SSH or local access and type:

SUDO service iptables start

Pointing DNS to Your Web Server with EntryDNS

This guide is intended for people who are hosting a site with a cloud-based server or a server with a public IP address. Folks who are hosting a site on a home computer with a home internet connection with a dynamic IP address need to use a dynamic DNS service. Namecheap is probably the best registrar to go to for this scenario, and here is a guide on how to set that up.

So you’ve decided to do your own web hosting and set up your own web server. You may have followed this guide on setting up a free/cheap virtual wordpress server on Amazon Web Services and liked the result. Now you want a pretty domain name to match your pretty wordpress hyperlinks.

Lets face it, http://54.XX.XX.XX/blog, just does not have that great of a ring to it.

You can get the rest of the way towards having “yourname.com” up and running in a few cheap and/or free steps. That is assuming your name is super unique. Trust me, if its not, its already registered.

There have been a million guides to registering your own domain name, basically you are going to have to pay between $5 and $10 per year at the registrar of your choice and follow their steps towards signing up and registering an available address. Coupole that with as low as $35 a year for your AWS micro instance and you’re looking at around $4 a month for a good looking website/blog. Here is a good article of the top 5 registrars.

Many or most of these also offer hosting plans, and you are free to use them but if you want complete control of your site, you have your own web server and it’s either cloud-based on something like AWS or its a real or virtual server and you’ve got your port 80 traffic going to it from your Public IP address.

The way to link these two things together is with DNS management services, which your registrar may or may not offer for free. If they do not offer free DNS management.

AWS itself offers cheap DNS management through it’s Route 53 console. However there is a long way between cheap and free and I like free.

Head over to entry DNS and sign up for a free account.

Then click the “Add Domain Button”

and you will enter your registered domain name, IP address of your server and take note of the name servers listed on the page, in this case

ns1.entrydns.net

Now just head back over to your registrar and enter this nameserver in the DNS settings and when people type in your domain it will point straight to your webserver and no longer show the ugly IP address in the address bar.

Here are guides for using your own name server with the registrars listed: 1 and 1, Namecheap, GoDaddy,

Creepy… See where your android (and you) have been.

Google’s promise to not be evil is something that I really do believe in still, I think they had the best intentions when they made this creepy, creepy feature.

Your Android phone records your location and that data is stored by Google. If you would like to see what your phone, and by extension probably you, have been up to head over to the android location history page.

And use the calendar to see where your phone has been. Anyone with access to your google account can see this if they are logged in. People at google can also use this information to do things like provide location-based suggestions and information to your Android through google now. If you’ve ever wondered how your phone knows what your daily commute time will be its about mashing up your location history with traffic data.

If you decide you do not want Google to track your Android device’s location history, the service is opt-in and you can find instructions on how to disable it there is a page here that offers:

Location History Disable

Open Google Settings from your device’s apps menu.
- Devices running Android 4.3 or lower: Touch Location > Location History.
- Devices running Android 4.4: Touch Location > Location services > Google Location Reporting > Location History.
Slide the switch ON or OFF.

Launch a simple WordPress site using Amazon Web Services

Who doesn’t love WordPress? It is responsible for somewhere around 19% of the web’s content and if you’ve never used it you should give it a try. Who doesn’t want to learn how to use AWS? Well probably most people but I’ve been liking the granular control of AWS since I started playing around with it. If you want to give it a spin, here is a brief tutorial that should get you up and running in about a half hour and give you a look at many of the key components.

First of all you are going to need to set yourself up, depending upon your OS and what you already have going on, you are going to need to install an SSH client, Putty is a great free tool and the software of choice for most, but I actually like the free edition of MobaXTerm as it automatically supports the .pem public key format from amazon, is more colorful and has SFTP built right in.

You will be using the terminal, SSH and the Linux command line for this project.

Next head over to AWS.amazon.com and sign up for a free tier account. This will allow you to use up to 750 hours of hosting for free among other things.

Once you have done all the verification steps and are able to log into the AWS console head to the EC2 Managment Console

In the Network and Security section make a new keypair and download the .pem file to your computer and put it in a safe location. This is the public key encryption information that take the place of a password for your server. It is more secure tan a simple password as long as you keep the file away from prying eyes. In fact on Linux and OSX you will need to chang the permissions of the .pem file to 600 (Only You can Read and Write all others forbidden) in order to use it to connect. You can do this simply on the command line using:

sudo chmod 600 /pathtoyourfile/keyname.pem

Now you can use your terminal program of choice to connect to your server isntance once you create it in AWS.

Now you can go ahead and head back to the root of the AWS console by clicking the orange box in the upper left. Now head over to Cloud Formation.

This is where you can set up templates for server instances that you can create on demand. Click the “Create Stack” button to begin the process you can tinker with custom test based templates to your heart’s content in the future, but for now give your template a name like “WordPressLab” and use the following URL in the “Provide a Template URL field”

https://s3.amazonaws.com/cloudformation-templates-us-east-1/WordPress_Single_Instance.template

In the next screen enter strong passwords. You’ll need to enter your key name that you chose and CHANGE THE INSTANCE type to:

t1.micro

If you do not enter the key exactly you will not be able to connect and if you do not change the instance type it won’t be free. If you have a static ip address for your home computer or dont mind changing this seting frequently for added security change the SSH Address to 111.111.111.111/32 where the 1’s are your systems static IP address, that way only that system can log in through SSH with the encrypted key.

Skip by the “Tags” screen and you should get to the confirmation screen.

and clear the next screen and you should see this in the Cloud Formation console:

Head back on over to the EC2 Instance Manager where you made the Key Pair and take a 5 minute coffee break.

You should now have a running WordPress Web Server and the console will look somewhat like this:

The IP address listed there is a public IP and you can put it in a new browser window and you will see that your Apache is up and running just fine.

If you head to http://yourserverIP/wordpress/ the wizard will let you create a login to your new blog. Its easy as pie from there.

However, you are not done that easily. Unfortunately your server does not support pretty hyperlinks so your blog posts will always have ugly names and you really don’t want that. Also you should know how to login to your server via SSH so fire up your terminal program.

If you are using ModXterm you simply need to set up an new connection and chose the .pem key in the connection screen, the username is

ec2-user

Its similar using putty but you need to use putty convert to to change the pem file to a ptk file, just google that. This is not a Putty or ModXterm article.

If you are using a linux or OSX terminal use:

ssh ec2-user@yourserverip -i /pathtopemfile/keyname.pem

Add the server with a yes and you are greeted with:

:~ user$ ssh ec2-user@yourserverip -i /pathtokey/keyname.pem
The authenticity of host 'yourserverip' can't be established.
RSA key fingerprint is a5:44:98:e9:88:c9:ea:ec:24:26:eb:a2:fb:13:ce:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'your server ip' (RSA) to the list of known hosts.
__| __|_ )
 _| ( / Amazon Linux AMI
 ___|\___|___|
See /usr/share/doc/system-release/ for latest release notes.
There are 38 security update(s) out of 243 total update(s) available
Amazon Linux version 2013.09 is available.
[ec2-user@ip-172-31-7-36 ~]$

Now you are in, you can use the SUDO command to do root things and have control to your heart’s content. In order to enable the pretty hyperlinks you ned to issue the following command, this is assuming you know how to use the vi editor:

sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup

sudo vi /etc/httpd/conf/httpd.conf

Find the section here:

And change BOTH instances of:

AllowOverride None

AllowOverride All

Save your file and then use

sudo httpd -k restart

Now you are ready to log back into your wordpress blog, head to settings>permalinks and choose the permalink you you want. You are also ready to SSH in when you need to!

Happy Pressing!

Amazon Web Services Overview

Most people know Amazon as a great place to buy products online, and possibly to soon get a drone to fly to your front door. What many people outside of the tech world don’t know is that Amazon also hosts a great deal of the content on the web and has a myriad of services under the umbrella of Amazon Web Services or AWS for short.

AWS is a very complicated array of services and even looking at all those icons, much less knowing what each one does is honestly still giving me a headache. So here is the dimestore version, AWS is a central portal for a growing array of Cloud-Based computing services. Cloud based essentially means things that the services are out there in the internet and not at your office. You access cloud based services through your computer, smartphone and other devices and they are great for certain applications.

This site is intended for SMBs and I’m going to focus on a few services that are probably of interest to you, some of the other ones may be more interesting to your web developer or other tech staff, but as an owner, knowing about these is a good step into learning about cloud computing.

Amazon EC2

This is the center that lets you manage and create virtual servers in the cloud. They range in power and configuration, but basically, instead of building a physical server at your office or going to a hosting company and getting limited access to a virtual or dedicated server there, you can launch a virtual server (instance) and have full root access to it via SSH as if it were sitting in your office. Well, almost. You do need to use a special command to get root privileges, and you can’t just flip a switch if something goes wrong, but in practice its the next best thing.

The ec2 management panel makes it easy to create, manage, restart, clone and backup any of your instances. Some good uses for virtual servers are web servers and web application hosts since the cloud is generally more available and resilient than on-premises.

Amazon S3

At it’s most basic, S3 is a set of buckets to store your files on the web. These buckets are redundant and are a great place to back things up or store files in the cloud that you need access to from multiple devices. A lot of people set up servers to back up their data to S3 so that if a premises is damaged or compromised as secure, encrypted backup exists off site. S3 is very affordable and off-site backups are priceless in terms of peace of mind. You can even host a simple website right from an S3 bucket if all you need is a simple html directory.

Amazon Glacier

Glacier is where you can backup your data really cheaply if you don’t need it back in a hurry as requests for retrieving data take several hours to process.

Current data storage pricing at the time of this post is:

Just doing the math for you to backup a 1TB dataset would be $95 per month on Standard and $10 a month on Glacier

Obviously this is just scratching the surface of what you can do with AWS, much more to come on this blog.

Asterisk Adventure – Part 1

Asterisk Adventure goes back in time to detail my very first Asterisk Installation.

I need to figure out how to handle the transition from the old-school system to a better one and I work for the cheapest organization in the history of the world so I have no budget.

Luckily I had enough VoIP hard phones for everyone in the office from a previous attempt by the Phone Provider From Hell – PFH for short at sort of transitioning us to a fully VoIP system. For reasons I will not get into this system involved everyone having two phones on their desk and the new phones did not do everything that the old ones did because the PFH sucks at VoIP.

These were hosted phones and the hosting was some odd homebrew looking crap that the PFH just rebranded from some white-label solution that they knew very little about. It sort of worked, but it shared our office data connection with no QoS (Prioritizing the VoIP traffic so it works better) and it just sucked. Also my users are technophobic and having a new phone was scary, and letting them keep the old one doomed everything. Also the system did not do very simple things like park calls or intercom.

I looked into trying another hosted system for a bit but I ruled it out. Hosted VoIP service basically moves the PBX out of your office and into the cloud. It has its advantages, but they generally nickle and dime every little thing you need to do like add more mailboxes and auto attendants etc…. With all of the bizarre configuration requirements that we have, it was cost-prohibitive and clunky to do hosted.

I looked into getting a turnkey VoIP PBX from about a billion vendors, including through an actual telecom company that would have handled the whole project. Their quote, including equipment was $20K. The cheapest turnkey solution was like $3-4K for the bottom of the line and that still required a ton of configuration.

My exploration into FOSS solutions for the project led me to consider many options, but in the end I chose to go with Asterisk, and more specifically with an implementation called Elastix.

Elastix is a pretty slick web-based GUI made by Digium that configures a basic PBX pre-built on Asterisk it also uses uses freepbx at times (another GUI for asterisk).

To all the linux/Asterisk gurus out there, I will get it over with now, I chose to use a GUI because I am a total noob and you are all better than I. Also because if I really messed things up I could buy support from Digium.

Plus also lets be real. Open Source projects on linux are never fully GUI based. If i was afraid to write a shell script or to edit some configuration files I would have gone turnkey or with a vendor.

Asterisk Adventure – The Prelude

I am going back pretty far into the past, but I want to tell the story here.

Work has been using the same phone system for about a million years. The main part of it is an old Siemens Analog PBX that used to be interfaced with a PRI and has since been converted by the Provider From Hell (PRF – a lot more on that later) to use an Adtran SIP>PRI Gateway to utilize a SIP trunk to varying success over a T1 line to the office.

The problems with this system are myriad.

• Unreliable call quality

• Regular crashes of the PBX requiring a hard reboot

• Intermittent Trunk to PSTN routing problems that result in fast busy when dialing

Trying to diagnose the issues are compounded by the fact that we are using ancient equipment with a million points of failure and the PRF is very hard to deal with in getting a straight answer about anything. I will concede that my users are also incredibly hard to deal with in that they seem to have unlimited free time in their complaining schedule, but there accurate notation of errors schedule is completely booked.

All this is a nightmare, and considering when this all started, I knew basically nothing about telecom and VoIP other than that carried voice over IP, hence the name, I was highly reticent to involve myself at all in the process.

It finally came to pass that the difficult users and the PFH built up enough hatred towards one another that they needed to divorce, and hey, I handle IT right, it should totally be your job to fix all this.

Now it was the time to embark on a project to hopefully achieve all of the stated goals:

• Provide relatively reliable phone service

• Save a bunch of money

• Be able to handle everything but the data link and trunk in house.

If you are still reading this and don’t know what VoIP or a SIP trunk are, VoIP stands for Voice over Internet Protocol, which takes standard phone communication and directs a lot of it over the internet, rather than the PSTN (Public Switched Telephone Network) and in the process saves money in a lot of cases. Also since it works over IP, Techies like myself have an easier time working with it because we are already familiar with IP.

A SIP trunk is a service that takes SIP (Session Initiated Protocol) communications (the most popular way to transmit VoIP) and connects them to the PSTN if necessary so that Internet calls can become “real” calls and go over the phone network and ring your grandma’s old-school phone line.

Configuring On-Demand Call Recording in Elastix

Took a little fussing to get On-Demand Call Recording to work in Elastix.

This setup should be phone agnostic, but I am working with SNOM 320 phones (Elastix Certified), these phones send a silent SIP INFO command to Asterisk when a record button is pressed but would also work with any phone that supports DTMF or similar SIP INFO with a configurable (non silent) default of “*1” on the dialpad.

Elastix places recorded calls into

/var/spool/asterisk/monitor/

There is a GUI option to change this default directory as well.

and by default records the files as .WAV

Once you have configured a user account in elastic and associated it with the extension the used can login to:

https://yourserverip/

Provide credentials and then open the PBX tab and monitoring sub-tab to see the calls (don’t forget the handy dandy star shortcut to bookmark this location to the user’s home-screen.

They can manage their recorded calls and download them, listen, etc.

In order to set up call recording you need to set it up for the extension in the PBX tab

As well as in the feature codes tab if you want to use *1 or whatever you choose.

Now the tricky part is that you need to change the setting by hand and put “wW” in the Dialing Options on the PBX>General Settings Tab. This was not well-documented in the Gui but it only worked after doing this.

Now you are on your way to recording to your heart’s content!