Posts made by NetworkNerd

I guess follow me wasn't good enough for roaming?

In regard to exposing the PBX to the public internet...
Strong SIP secrets and the firewall rules mentioned here can be a decent deterrent. Throw fail2ban in there too if your PBX can utilize it. Some SIP providers will allow you to limit the maximum charge for international or LD calling for situations such as Jared mentions (unexplained phone charges). And monitor the logs like crazy.

And as Scott said, many phones have OpenVPN built in, but the better question is...do you have a VPN endpoint on your side that can accept the connection? What I find may be the better recommendation is try to get people who work from home to use a soft phone in conjunction with the corporate VPN solution (perhaps Pertino or something else) on their PC so that they are not going directly over the internet. Mobile phones can utilize VPN client software as well for soft phone access on those devices as you mention above.

Related to this, I thought I saw a post the other day in Spiceworks about someone who worked for a company that would send every person who worked from home a Meraki router that would be connected via VPN back to corporate. That didn't sound fun to have to manage.

@JaredBusch said:

@NetworkNerd said:

Did you end up using the Dell ESXi ISO here or just the one you can download from VMWare? This is more for my own curiosity than anything. I had some issues on a Dell R510 recently and could only resolve them by using the Dell ESXi ISO.

Dell has an ISO? Seriously, I never bothered to look. I know these were installed 5.0 with the VMWare Free license originally. After buying Essentials a few weeks back, I simply downloaded the 5.5 ISO. Today, I installed it to the internal USB (32GB drive) and configured the 8 SFF 1TB drives I stuck in it as a RAID10.

I would not have looked either had I not had purple screen of death issues when using the VMWare ISO. It just so happens all my troubles went away by going with the Dell ISO. That has only ever happened to me on the Dell server I mention above. I installed the ISO on a HP server and a Cisco server with no issues prior to that experience.

@scottalanmiller said:

Good luck

By far the easiest option will be to create a direct tunnel.

This is the way to go for sure. I can tell you I am running 4 sites (soon to be 5) from a single PBX at my main site, so if you're able to follow Scott's advice above, it can work very, very well for you. All of my sites are in the same metro area, and each remote site is connected via site-to-site vpn back to the main site. We have QoS configured at every firewall. And we do not filter / inspect SIP traffic as that can cause you a world of hurt.

Did you end up using the Dell ESXi ISO here or just the one you can download from VMWare? This is more for my own curiosity than anything. I had some issues on a Dell R510 recently and could only resolve them by using the Dell ESXi ISO.

@scottalanmiller said:

You can have one throat to choke in open source too. Open source and free are not synonymous. Digium makes a non-free, OEM vendor supported open source PBX product for example.

Open source allows code review and allows a broader support ecosystem.

I completely agree, but I think business leaders do not see it that way, tending to think there is not as much support for open source solutions. And that, of course, is not the case.

@FiyaFly said:

While I have only a little experience with proprietary systems, I can tell you that Asterisk systems are pretty easy to administer in an overall sense. You've got countless options- Elastix, FreePBX straight, PBX in a Flash, etc. Extension creation takes 30 seconds, and modifying current settings is pretty intuitive from the interface.

Could you give me some examples on what administering a proprietary system like that is like?

We had an old Avaya system that Elastix replaced that would allow you to configure a button on a phone from the management console. That was a neat feature and did not require you to go into the web GUI of the phone. Also, the call flow designer was a bit more visual (very much like building a flow chart in Visio) so you could see the flow as you built it. You likely will not get that with open source and really have to think about what you want to do with your call flows, where they go next, etc. Not that this is difficult to do, but it is a significant difference.

@Katie said:

@FiyaFly said:

Could you give me some examples on what administering a proprietary system like that is like?

In the systems I've administered, the hardware and software involved had to be specific - I had a closet full of Shoretel gear and Shoretel-branded phones on every desk. The Cisco system was even more intensive in terms of hardware, at a much greater cost.

I think for some enterprise environments, the comfort of a well-known name brand is preferred, even though it comes at a higher cost. In the SMB market, open-source seems to be more cost effective. Much of the research I've done on this topic seems to support open source as a better alternative. I wanted to get some feedback on one vs the other. I'm sure there are advantages to each, wanted to spark some discussion on that.

Since I am pro-open source, I will try to make an unbiased comment here. Going with a proprietary system (hardware / software / phones / whatever else) basically gives someone one throat to choke when there is an issue because it's all Avaya or it's all Digium / Cisco / Shortel. You're not using one type of PBX and trying to marry it to a hodgepodge of hardware for phones (usually). You pay a steep price to get support from a Tier one PBX vendor.

I will also say that many proprietary vendors include things like an integrated chat platform with presence indicators (think Avaya One-X here), integration with platforms like Salesforce, centralized management of individual phone buttons and features, and other things like that. These types of functionalities may require an extreme effort to get working on an open source platform or may just not be possible without being an Asterisk developer. So if companies need the types of features mentioned here, they will pay for it.

I think it comes down to business decisions in terms of what companies need from their phone system. Often times the proprietary vendors tout what makes them stand out in terms of features and functionality that open source does not have out of the box and sell business decision makers on things they do not actually need.

@Dashrender said:

I've been looking at this same topic. A bigger thing that I've had to look at is the cost difference between simply upgrading what you currently have versus rip and replace to move to an open source PBX.

In my case I have 50+ digital phones on a system that is now EOL. The vendor has an upgrade path that will allow me to install a VOIP switch and a digital backplane that allows me to keep all of my current phones for about $6000. Replacing the phones alone will cost me around $6250 ($125/ea + tax and maybe shipping) not to mention the hardware to run the PBX (granted there should be plenty of room on my current ESXi server for this) or the PoE switches.

Then I'll also need to build all of the routing/huntgroups/ACDs, etc to get my system online (I'd really like to bring in a Pro which will add in more expense).

So while I could get a ton of extras in the Opensource 'free' solution, it will cost me probably 30-50% more than upgrading my current system.

They do make TVAs for digital phones that could be utilized to assist you moving to open source (similar to FXS but for digital phones). It's worth researching: http://www.citel.com/Products/Portico.asp.

@JaredBusch said:

@ajstringham said:

3. What is your long-term backup plan?

Depends on a few things. When I talked to Unitrends I got completely run around, AFTER getting Katie involved. It was a completely horrible experience.

That said, I am looking for a solution to handle offsite pushing of the backups so I am basically going to use Veeam or UEB. One thing I have not done with Veeam is actually see how the offsite functionality works. Not enough hours in the day it always seems. UEB was quoting me stupid numbers for backing things up using my own hardware both onsite and offsite, I was not impressed. Where my understanding of Veeam is a $1600 purchase of Essentials to handle 4 sockets (my two servers that i will be keeping) and then I can install the offiste side of that with no extra licensing needed.

You would do well to look at Enterprise Plus licenses of Veeam to get the WAN Accelerator for backup copy jobs here. I am hoping to try this out in the next 4-8 weeks since we just beefed up internet connections at 2 of our sites.

@Bill-Kindle said:

@NetworkNerd Charter didn't offer to setup an additional IP to move to? one on the same subnet as the newest addition?

They did not. Their immediate fix was to run things with a dual subnet setup as described above. Maybe it's time to push for having both on the same subnet rather than beat my head against the wall with the above.

Charter Business just turned up a 50/5 coax circuit for us at one of our sites. Originally we had ordered one public ip address for this location, but we ended up having to order another after the service was turned up to make it easier to allow our video monitoring company to watch the cameras at this location (recently installed as well).

So when I called Charter to get a second public ip address they gave me one no problem. But, it's on a different subnet and has a different gateway than the first public ip we had to start.

We have an ASA 5505 at this location currently, and there should be a way to configure it to use both ip addresses since this is not a dual ISP situation or trying to configure failover, etc. When you have a block of ip addresses it is pretty easy to configure the ASA to use them. I can do that. But it's this public ip on an alternate subnet that is throwing me for a loop.

I should also mention that we are using 10.0.1.0/24 for the LAN at this location and will be using 10.192.0.0/23 for the cameras. There will be no VLANs. The cameras just need to be on a different subnet. The ASA provides DHCP for devices on the 10.0.1.0/24 subnet only. Devices on the 10.192.0.0/23 subnet will have static ip addresses.

ASA 5505 Config

We have one interface tied to a switch port (port 0) for the first public ip and every other switch port on the ASA tied to the LAN ip block we are using at this location. I'd leave port 0 for public ip 1 and port 1 for LAN1 (10.0.1.0/24). Here's what I am thinking for the rest:

• list itemCreate a new interface tied to a 3rd switch port (port 2) that is set with the 2nd public ip I mention above.
• list itemCreate a matching static route for the second public ip.
• list itemCreate one more interface tied to a 4th switch port (port 3) for LAN2 (10.192.0.0/23).
• list itemConfigure all devices on each LAN to use the LAN gateway ip address for their specific segment.

Will what I have mentioned above work? I would then create access rules and NAT rules for the camera traffic using the second public ip. I'd really like to do one-to-one NAT for the second public ip and the NVR at this location since accessing the camera software seems to play better with that than NAT with PAT.

Have I over-complicated it? Any advice is much appreciated. The second ip being on a different subnet is really throwing me for a loop.

@scottalanmiller said:

Yeah, the vast majority of the points are just from participating. You get 11 points for every thread you say "me too". Only takes a second. So the points actually encourage shallow, pointless interactions. BA points are so hard to get that they are a waste of time if points are the goal.

And, of course, there are reviews too....

Let me just say that when I upgraded from 5.0 to 5.1, some things went semi-haywire. I've not gone to 5.5 yet on any ESXi hosts, but if it were me, I would go straight to 5.5 with a clean install on a USB drive as you mentioned.

I would agree a BIOS flash probably will not fix it long term, but I am curious to see what happens. I don't suppose there's a chance you have a spare SSD lying around to test with just to see what happens...?

It sounds like fun to me.

Could it be disk I/O? Does the box have a SSD, or is it 5400 / 7200 RPM?

Someone told me about it recently. Unetbootin supposedly will not work with Windows 8 / 8.1, but Rufus will. Also, there's a nice how-to online to reformat a drive that you had ESXi installed on using Rufus so that you can reclaim all the space. It is a great tool.

@scottalanmiller said:

@FiyaFly said:

Looks pretty good, but doesn't that seem a bit pricy? Maybe I just look for the simpler things.

Did seem pricey to me too.

Whoa! Per month per user pricing for time tracking seems silly to me, but with the CRM components and other functions I could see it as being worth the money.

@Mike-Ralston
I would add my good friend Rufus to the mix as an option - http://rufus.akeo.ie/.