AWAITING FEEDBACK: Auto Whitelist Add

krzykat (Telecom Strategist; joined Aug 2, 2008; 3,145 messages; 1,235 reaction score)
I had a thought, and wanted to run it by before attempting it.

Assume it would work on most all phones, but I'm thinking of the Yealink T46 ... the autoprovision coupled with the endpoint manager creates the p.php file for it to go grab the config. Why not modify that p.php file so that if it does find that this is a valid device from the list, then go ahead and add its IP to the whitelist?

Anyone see any potential pitfalls?
 

krzykat (Telecom Strategist; joined Aug 2, 2008; 3,145 messages; 1,235 reaction score)
Question: If the server is set up for whitelist, then how do I tunnel through to hit the p.php file in the first place to recognize it as a valid device, add it, and whitelist the IP (unless I open HTTP, which I don't want to do)? I thought I could use MAC, but it doesn't seem to work unless on the local LAN.

I think I could do a dual server where ServerA says "Yes, you're valid" and he's whitelisted on ServerB, which you want to register to and then download the necessary config file from, but that seems very ugly.
 

wardmundy (Nerd Uno; joined Oct 12, 2007; 19,168 messages; 5,199 reaction score)
Haven't played with this so I'm confused. Where does the p.php file live? What sets it up? How is it accessed now?
 

krzykat (Telecom Strategist; joined Aug 2, 2008; 3,145 messages; 1,235 reaction score)
It lives in /var/www/html/provisioning. I think I've got an idea for how to make it work; will be trying it out tonight. Here's the idea:

Open a non-obvious port in iptables - let's just call it 8080 for talking point.
Modify the Apache config file to say that anyone typing myservername.com/provisioning:8080 is allowed through to that location; all others trying port 8080 get denied.

That should leave only this small hole: someone must know the DNS name + the port + the directory location in order for the p.php to be called.
That file then will check their MAC and, if it matches, download the config file.
The p.php file will also be modified from where it is today to add the IP that matched all these criteria to the whitelist.

The idea will be this: a phone will be sent to the customer with auto-provision enabled, along with the exact name in the provision location: myserver.com/provisioning:8080
It gets through iptables by requesting port 8080; Apache then does its check and allows it through because of the match on destination name + port.
The config file from OSS Endpoint Manager is downloaded to the phone, and the IP is added to iptables.

I think philosophically, this works.
 
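The decision logic described in the steps above, written out as an added example (not the forum's p.php or OSS Endpoint Manager code): the handler normalizes the MAC the phone presents, checks it against the provisioned device list, refuses LAN and malformed peer addresses, and only then inserts an iptables ACCEPT rule, skipping the insert if the rule already exists. The MAC list, request format and network ranges are constructed assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed allowlist of provisioned phone MACs; in the real setup this
# would come from the Endpoint Manager's device list.
KNOWN_MACS = {"001565aabbcc", "805ec0112233"}

# Peers that never need a whitelist hit: LAN phones already reach the
# server, and loopback must not be turned into a firewall rule.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a lowercase 12-hex-digit MAC, or None if malformed.
    Yealink phones fetch <url>/<MAC>.cfg, so the extension is stripped too."""
    mac = raw.strip().lower()
    if mac.endswith(".cfg"):
        mac = mac[:-4]
    mac = mac.replace(":", "").replace("-", "")
    return mac if _MAC_RE.fullmatch(mac) else None


def whitelist_decision(mac_param, client_ip, known=KNOWN_MACS):
    """Return the peer IP to whitelist, or None if the request is denied.
    client_ip must be the TCP peer (REMOTE_ADDR), never X-Forwarded-For,
    which a client can set to any value it likes."""
    mac = normalize_mac(mac_param)
    if mac is None or mac not in known:
        return None
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    if ip.version != 4 or any(ip in net for net in LOCAL_NETS):
        return None
    return str(ip)


def apply_whitelist(ip, run=subprocess.run):
    """Insert an ACCEPT rule for ip unless one already exists (iptables -C),
    so repeated config pulls from the same phone don't stack duplicates.
    Returns True when a rule was added."""
    spec = ["INPUT", "-s", ip, "-j", "ACCEPT"]
    if run(["iptables", "-C", *spec], capture_output=True).returncode == 0:
        return False
    run(["iptables", "-I", *spec], check=True)
    return True
```

The web server's user cannot call iptables directly, so in practice the two commands would run through a narrowly scoped sudoers entry or a root-owned helper limited to exactly these arguments.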

matthew (Guru; joined May 22, 2013; 83 messages; 26 reaction score)
I do something similar but with different endpoints. The provisioning server is the only publicly exposed service I have that is directly related to telephony. Make sure Apache doesn't list directory contents. Maybe add a self-signed certificate as well. I personally find the higher the port, the less probes I receive, but don't rely on that. Don't use a port that ends in 80 or 443 as they all get probed regularly.
 
