Can I use a SIP phone directly over the Internet back to my PABX?

We strongly recommend that you use a Virtual Private Network (VPN) setup to securely tunnel SIP traffic back to an internal PABX, rather than attempting to pass unsecured SIP in the clear across the Internet.

NOTE: From PABX version 6.2 onwards, support for HTTPS Provisioning and SIP over TLS has been added to the product. This may be used as a secure alternative to a VPN, but is quite complicated to set up initially.

We recommend this for several reasons:

  1. SIP is an inherently insecure protocol, so you should only really run a remote node over a VPN. If you are running over a VPN, it should terminate on a network that has unrestricted UDP access to the PABX. This keeps things simple, and in this environment remote phones “just work”.

  2. SIP is a complex protocol which is poorly supported in most firewalls. Like FTP, the control channel carries information about which ports and IP addresses the audio stream will use. Firewalls in general do not understand SIP (and some understand it, but badly, which makes matters even worse), so you have to open all UDP ports between the PABX and the phone.

  3. SIP does not like NAT. Some features have been included to assist in making this work, but it can still be tricky to configure. Again, some devices support SIP fully, and this may help.
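
Points 2 and 3 in practice, as an added example (not part of the original FAQ or the PABX product): the script below parses a constructed SIP INVITE, extracts the address and port its SDP body advertises for audio, and compares that with the source address the PABX would see on the packet. The addresses, extension numbers and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: INVITE from a phone behind NAT (all values are made up).
SAMPLE_INVITE = (
    "INVITE sip:200@pabx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:201@pabx.example.com>;tag=1928301774\r\n"
    "To: <sip:200@pabx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:201@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 3747 3747 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

def media_endpoints(sip_message):
    """Return [(ip, port)] that the SDP body asks the far end to send audio to."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, endpoints = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if endpoints:  # a media-level c= line overrides the session-level one
                endpoints[-1] = (addr, endpoints[-1][1])
            else:
                session_addr = addr
        elif line.startswith("m=audio "):
            endpoints.append((session_addr, int(line.split()[1])))
    return endpoints

def nat_mismatches(sip_message, observed_src_ip):
    """Audio endpoints whose advertised IP differs from the packet's real source IP."""
    return [
        (ip, port, ipaddress.ip_address(ip).is_private)
        for ip, port in media_endpoints(sip_message)
        if ip is not None and ip != observed_src_ip
    ]

if __name__ == "__main__":
    # Across NAT the PABX sees the router's public address, not the phone's.
    print("via NAT:", nat_mismatches(SAMPLE_INVITE, "203.0.113.10"))
    # Over a VPN the PABX sees the phone's own address, so nothing mismatches.
    print("via VPN:", nat_mismatches(SAMPLE_INVITE, "192.168.1.50"))
```

Across NAT the phone advertises a private address the PABX cannot send audio to, and the audio port is chosen per call, which is why a firewall that does not follow the SIP exchange needs the whole UDP range opened.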

The PABX has a setting against each phone, in the phone hardware config, which marks it as “non-local or NAT”. This causes all communication for that handset to pass through the PABX, which increases the chance of the handset working remotely but prevents handset-to-handset call handoff from working, so it is less efficient.

In contrast, setting up a VPN, or using an existing VPN, is usually fairly simple and in many cases necessary for access to other internal applications. Once set up, a hard phone can simply be plugged into the network at the remote site and connect to the central PABX. Roaming applications can be dealt with using a soft phone and PC VPN client on a laptop.