
    Providing Keevio external access

    Depending on how much access you need, you will need to set up the following:

    1) Add a public CA signed certificate to the PBX using a domain name that you can subsequently point at the appliance in external DNS.

    2) Set up your firewall correctly: you will need TCP port 443 inbound on a static public IP address forwarding to port 443 on your appliance. The appliance also needs to be able to originate TCP and UDP "connections" outbound. In other words, a stateful firewall rule needs to be added for outbound TCP connections, and another to allow outbound UDP traffic and symmetrically allow inbound UDP reply packets from the destination address/port pair.

    3) Set up external DNS so that the domain name you registered the certificate for in step 1 above points at the public IP from step 2.

    4) Add keevio/HTTPS access to the filter in system/globals:

    5) For many kinds of non-trivial remote keevio phone or video/audio/screensharing use you will need a TURN server on a public IP address to relay media streams for remote clients on firewalled networks.

    rfc5766-turnserver and coturn are perfectly good, freely available TURN servers, and you should install one of these on a suitably secured server with external connectivity using the instructions you can find at:

    An Amazon AWS server seems to work well for this but, if you are in Europe, you should set the instance up in a European Data Centre (e.g. Ireland/Frankfurt) rather than the default US Zone as the latter may give you excessive latency when talking UK to UK. If you are deploying on AWS in the EU-West (Ireland) Zone, then we have made a sample TURN server image available as a free AMI under id ami-e3ceec94.

    Setting the following (non-default) values in turnserver.conf works for us:


    Obviously you will need to replace , , , and with the correct values for your environment, and install a suitable certificate for the turnserver domain name (which will obviously be different to the PBX appliance domain name) in /etc/ssl... on the server.

    If you do not have a key/certificate available, you can operate the TURN server in an insecure/unencrypted mode, but will need to modify the turnserver.conf configuration file appropriately. Most of the necessary documentation can be found in the config file itself. Clearly this is not a good idea for a production unit.

    You should set up firewall rules something like the following in front of your appliance:

    UDP 443 from anywhere
    UDP 3478 from anywhere
    UDP 5349 from anywhere
    UDP 49152 - 65535 from anywhere
    TCP 22 from 
    TCP 443 from anywhere
    TCP 3478 from anywhere
    TCP 5349 from anywhere
    TCP to anywhere
    UDP to anywhere
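
    The rule list above written as an nftables ruleset, as an added example that is not part of the original article or the vendor's own configuration. It assumes a Linux host using nftables; the table name turn_filter and the SSH admin range 192.0.2.0/24 (a documentation range) are placeholders, and the ICMP rule is an addition that the list above does not mention.

```nftables
#!/usr/sbin/nft -f
# Added example: host firewall matching the rule list in this article.
# Assumes this file is the complete ruleset for the host, so it starts clean.
flush ruleset

# Placeholder: replace with the network you administer the server from.
define ADMIN_NET = 192.0.2.0/24

table inet turn_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Stateful handling: replies to traffic this host originated are
        # accepted here, which covers the symmetric inbound UDP replies
        # and the return half of outbound TCP connections.
        ct state established,related accept
        ct state invalid drop

        # Not in the article's list: with a default-drop policy, ICMP is
        # needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # UDP 443, 3478, 5349 and 49152 - 65535 from anywhere
        udp dport { 443, 3478, 5349, 49152-65535 } accept

        # TCP 443, 3478 and 5349 from anywhere
        tcp dport { 443, 3478, 5349 } accept

        # TCP 22 from the admin network only
        ip saddr $ADMIN_NET tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # "TCP to anywhere" and "UDP to anywhere"
        type filter hook output priority 0; policy accept;
    }
}
```

    Validate the file with nft -c -f before loading it, and load it from a console session rather than over SSH until the admin range is confirmed correct.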

    6) Add the TURN server config to the appliance (using the turnserver info you set up above):

    7) If you want to send external keevio invites as SMS messages then you will need a text sending account from an API provider. We currently support Nexmo. So you will need to sign up with them and enter your account details in the keevio messaging config:

    8) Test external access, and then celebrate success whilst using keevio to stay in touch with your colleagues back at the office.