Expired

XIII. IPPBX

Expired

VigorBX 2000 - Registering Remote Extensions

Products:

Keywords:

Show all

The ability to easily add extensions that are situated on remote sites is a significant benefit of using the VigorBX 2000.
Remote registrations are disabled by default on the VigorBX 2000 to prevent any unauthorised access into the system.

When enabling remote registration on the VigorBX 2000, the Extension Profile for each extension that registers remotely must be specifically configured to allow registration via either VPN or the WAN. It is best practice to use a strong password for all extensions.

The PBX system allows two methods for remote registrations:

NOTE: It is recommended that registration via the Internet should use a VPN connection.

VPN - Using another DrayTek Vigor router on a remote site and creating a LAN to LAN VPN link creates a securely encrypted connection between the VigorBX 2000 and the remote site. This allows multiple phones to register to the PBX system and operate as though they were connected to the PBX system locally. It also provides a method through which the phones could be securely managed from the main site.
WAN - This can be used to register extensions directly from the WAN side of the VigorBX 2000. If the WAN connection is an Internet connection then this would permit registration from the Internet. This requires either SIP-ALG support on the remote site's router or STUN on the IP Phone itself. If the remote site has multiple IP Phones then the VPN method would be more appropriate.

Registering over a VPN
Registering over the Internet

Registering over a VPN

VPN Configuration

The VigorBX 2000 PBX system has the same LAN to LAN VPN functionality as the Vigor 2860 router which allows it to make Dial-Out VPN connections and operate as a Dial-In VPN server. The LAN to LAN VPN configuration would need to be set up before the two sites can create a secure VPN tunnel to communicate.

Please check this guide for an overview of how a LAN to LAN VPN connection works and would be configured: DrayTek LAN-to-LAN VPN Overview

This requires a router that supports LAN to LAN VPN using either IPsec (recommended), PPTP or SSL (DrayTek only) VPN tunnels.

The following guides demonstrate how to configure a LAN to LAN VPN connection between DrayTek routers:

PBX Configuration

The VigorBX 2000 PBX system will only allow IP phones that are in its local subnet(s) to register, by default.

This means that if a phone attempts to register over a VPN or over the internet (WAN interface), the PBX system will ignore the registration attempts.

To change this behaviour, go to [IP PBX] > [PBX System] > [SIP Proxy Setting]:

These settings control the PBX system's SIP registration for IP phones. Untick the Disable remote registration tickbox to enable registration over VPN or WAN and Tick "Enable ACL" to allow only local and VPN registrations:

Untick the Disable remote registration tickbox to enable registration over VPN or WAN
The SIP Local Port setting is the port that the PBX system listens on for SIP registrations and communicates to IP phones with. This guide explains how to change this setting if required: Changing SIP Ports on the VigorBX 2000
The SIP Proxy Realm is the hostname that the PBX system will allow IP Phone's to register with, if registering remotely. If the hostname being used to register does not match the SIP Proxy Realm address, the PBX will send a Forbidden response to the IP Phone trying to register
RTP Local Port Start/End controls the port range used for RTP (Real Time Protocol) audio streams. This should not be changed from its default
Limit SIP Request WAN limits the number of SIP requests that the PBX system can respond to from a remote IP address per second. This should be enabled, the default value is 5 SIP packets per second
Enable ACL operates as a White List, which if enabled will only allow local and VPN registrations. Registrations from internet IP addresses must be specified in the ACL.
Automatic block Extension for wrong password will block an extension from registering if an IP phone attempts to register with the incorrect password more than the number specified. When blocked, the extension can only be unblocked by restarting the PBX system

Click OK to save that setting, which will prompt to restart the PBX system. Click OK again to restart the PBX system and apply the setting change.

Once the PBX system has restarted, the Extension Profiles will need to have VPN registration enabled. Go to [IP PBX] > [Extension] and click on the Index number for the extension to modify:

In the Extension Profile settings, the options to Allow Remote Registration will now be available. Tick the VPN option:

Click OK to save and apply that change. IP Phones will now be able to register with that Extension Profile across a VPN connection.

IP Phone Configuration

In the web interface of the phone, simply connect the phone as it would normally connect to the PBX system on the local network, with the phone registering to the PBX system's local IP address:

The routing of the VPN connection will allow the IP Phone to register as though it were connected to the VigorBX 2000's local network.

Registering over the Internet

PBX Configuration

The VigorBX 2000 PBX system will only allow IP phones that are in its local subnet(s) to register, by default.

This means that if a phone attempts to register over a VPN or over the internet (WAN interface), the PBX system will ignore the registration attempts.

To change this behaviour, go to [IP PBX] > [PBX System] > [SIP Proxy Setting]:

Specify the allowed internet IP addresses in this list then click Close to go back to the SIP Proxy settings.

Untick the Disable remote registration tickbox to enable registration over VPN or WAN
The SIP Local Port setting is the port that the PBX system listens on for SIP registrations and communicates to IP phones with. This guide explains how to change this setting if required: Changing SIP Ports on the VigorBX 2000
The SIP Proxy Realm is the hostname that the PBX system will allow IP Phone's to register with, if registering remotely. If the hostname being used to register does not match the SIP Proxy Realm address, the PBX will send a Forbidden response to the IP Phone trying to register
RTP Local Port Start/End controls the port range used for RTP (Real Time Protocol) audio streams. This should not be changed from its default
Limit SIP Request WAN limits the number of SIP requests that the PBX system can respond to from a remote IP address per second. This should be enabled, the default value is 5 SIP packets per second
Enable ACL operates as a White List, which if enabled will only allow local and VPN registrations. Registrations from internet IP addresses must be specified in the ACL.
Automatic block Extension for wrong password will block an extension from registering if an IP phone attempts to register with the incorrect password more than the number specified. When blocked, the extension can only be unblocked by restarting the PBX system

Click OK to save that setting, which will prompt to restart the PBX system. Click OK again to restart the PBX system and apply the setting change.

Once the PBX system has restarted, the Extension Profiles will need to have WAN registration enabled. Go to [IP PBX] > [Extension] and click on the Index number for the extension to modify:

In the Extension Profile settings, the options to Allow Remote Registration will now be available. It is best practise to set the Password in the Extension Profile to a strong password that would be less susceptible to brute force or dictionary attacks, using a mixture of upper-case, lower-case, numbers and special characters.

To enable registration over the internet for this extension, Tick the WAN option:

Click OK to save and apply that change. IP Phones will now be able to register with that Extension Profile across the internet.

IP Phone Configuration

The IP Phone connecting to the PBX system will need to connect to the PBX system's WAN IP address or hostname if there is a hostname linked to the IP. Registering to the PBX system will often work without configuring any other settings but because of the way that SIP works, calls are likely to have one-way audio or no audio because the phone would not be aware of the internet connection's WAN IP address and would send its local IP for call audio routing.

To help with this, there are two methods:

SIP-ALG (Session Initiation Protocol - Application Layer Gateway) - This is a facility available on many NAT routers (including all current DrayTek routers) which modifies the IP address details in SIP packets from local IP addresses to routable public IP addresses, assuming that the router performing SIP-ALG has a direct connection to the internet.
STUN (Session Traversal Utilities for NAT) - A STUN server assists an IP phone with determining the public IP address of the internet connection that it is routing through.

SIP-ALG
STUN

SIP-ALG

To use SIP-ALG, this would need to be enabled on the router that the IP phone is connecting through. This is not enabled by default on DrayTek routers and can be enabled by following this guide: SIP-ALG on DrayTek Routers

Once that has been enabled, the router will modify the SIP packets and modify the call setup packets to include the correct internet IP addresses.

To configure this on the IP Phone, with a Yealink T26P shown here as an example, set up the remote extension with the IP or Hostname of the PBX system as the SIP Server / SIP Registration Server and specify the configured SIP port of the PBX as the Port:

The NAT Traversal or STUN settings do not need to be enabled. It may also be beneficial to enable the Rport setting if the phone has that available:

When the phone has registered, it should then be able to make and receive calls with the PBX system.

STUN

Setting up a STUN server on a handset requires a STUN server, which is not provided by the VigorBX 2000 system and may be available from your ITSP. We cannot provide recommendations of which STUN server to use as that can vary depending on the SIP provider and location.

To configure STUN on the IP Phone, with a Yealink T26P shown here as an example, set up the remote extension with the IP or Hostname of the PBX system as the SIP Server / SIP Registration Server and specify the configured SIP port of the PBX as the Port.

Set the NAT Traversal setting to STUN and specify the STUN Server and Port (by default UDP 3478):

When the phone has registered, it should then be able to make and receive calls with the PBX system. If the phone is unable to register or there is delay when making or receiving calls, test with a different STUN server to determine whether that helps with registration or call issues.

How do you rate this article?

1 1 1 1 1 1 1 1 1 1

: First Published: 18/01/2016; Last Updated: 08/03/2016

Share this link

VigorBX 2000 - Registering Remote Extensions

Registering over a VPN

VPN Configuration

PBX Configuration

IP Phone Configuration