• No matching documents

    Providing Keevio external access

    Depending on how much access you need, you will need to setup the following:

    1) Add a public CA signed certificate to the PBX using a domain name that you can subsequently point at the appliance in external DNS.

    2) Setup your firewall correctly, you will need TCP port 443 inbound on a static public IP address forwarding to port 443 on your appliance. The appliance also needs to be able to originate TCP and UDP "connections" outbound - in other words a statefull firewall rule needs to be added for outbound TCP connections, and to allow outbound UDP traffic and symmetrically allow inbound UDP reply packets from the destination address/port pair.

    3) Setup external DNS to point the domain name you registered the certificate in step 1 above to point at the public IP from step 2.

    4) Add keevio/HTTPS access to the filter in system/globals:

    5) For many kinds of non-trivial remote keevio phone or video/audio/screensharing use you will need a TURN server on a public IP address to relay media streams for remote clients on firewalled networks.

    rfc5766-turnserver, or coturn are perfectly good freely available TURN servers and you should install one of these on a suitably secured server on external connectivity using the instructions you can find at:
    https://code.google.com/p/coturn/

    An Amazon AWS server seems to work well for this but, if you are in Europe, you should set the instance up in a European Data Centre (e.g. Ireland/Frankfurt) rather than the default US Zone as the latter may give you excessive latency when talking UK to UK. If you are deploying on AWS in the EU-West (Ireland) Zone, then we have made a sample TURN server image available as a free AMI under id ami-e3ceec94.

    Setting the following (non-default) values in turnserver.conf works for us:

    external-ip=
    aux-server=:443
    fingerprint
    lt-cred-mech
    realm= 
    cert=/etc/ssl/certs/turn_server_cert.pem
    pkey=/etc/ssl/private/turn_server_pkey.pem
    no-multicast-peers
    
    user=:

    Obviously you will need to replace , , , and with the correct values for your environment, and install a suitable certificate for the turnserver domain name (which will obviously be different to the PBX appliance domain nane) in /etc/ssl... on the server.

    If you do not have a key/certificate available, you can operate the TURN server in an insecure/unencrypted mode, but will need to modify the turnserver.conf configuration file appropriately. Most of the necessary documentation can be found in the config file itself. Clearly this is not a good idea for a production unit.

    You should setup firewall rules something like the following up in front of your appliance:

    inbound:
    UDP 443 from anywhere
    UDP 3478 from anywhere
    UDP 5349 from anywhere
    UDP 49152 - 65535 from anywhere
    TCP 22 from 
    TCP 443 from anywhere
    TCP 3478 from anywhere
    TCP 5349 from anywhere
    
    outbound:
    TCP to anywhere
    UDP to anywhere

    6) Add the TURN server config to the appliance (using the turnserver info you setup above):

    7) If you want to send external keevio invites as SMS messages then you will need a text sending account from an API provider. We currently support Nexmo. So you will need to sign up with them and enter your account details in the keevio messaging config:

    8) Test external access, and then celebrate success whilst using keevio to stay in touch with your colleagues back at the office).