FOOD FOR THOUGHT Local installs vs cloud installs

Alex Hackney

Active Member
Joined
Jun 2, 2014
Messages
212
Reaction score
32
I've been installing these systems for clients for a couple of years and I've been seeing more people talk about using it in the cloud. How are people setting this up? I have my own pbx running on digital ocean but I have no sip phones on it yet. I basically have it running the software and rerouting inbound calls to my cell phone. I have the instance firewalled off from all incoming traffic and I allow specific connections to asterisk from my provider only. The only exception is for the web interface which I have open to only my static ip.

How would I get my phones at an office tied in to this system? A VPN? Or just like I'm doing now with firewall rules blocking all sip traffic but from my ip? What other safeguards should I implement?

I like the idea of moving the pbx server to the cloud so that if the internet goes down at the location then I can route failover calls to their cell phones or wherever. What do you do?
 
Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
I'm sure a lot of people will chime in but I only think that makes sense for business architectures that are not centrally located. Support issues even when the equipment is onsite can crop up but I don't think it makes any sense to have a bunch of sip phones talking to a distant server. There are too many points of failure, QOS issues and not as easy to provide a backup solution for failure especially trunk failure. Security IS an issue. I have seen people implement a VPN so that things are secure especially voice.
If the internet goes down you should be able to do a re-route via the trunk provider's dashboard. Cloud solutions also lack a robust hardware firewall solution like Pfsense or hardware.
In a local implementation you can also do a POTS backup solution easily.
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
819
Reaction score
218
I have a consultancy supporting business customers using cloud-based pbxs. They are retail establishments. Currently, I'm doing this with Incredible PBX and its security model. I am not using VPN.

- Client sites have redundant internet. This is mandatory for Voip and for other business-critical infrastructure. We use Cradlepoint Routers and fail between whatever tech is available, typically DSL/Cable and 4G Cellular.
- DDNS Updater on some always-on computer/device which is downstream from the router.
- IncrediblePBX FQDN authorization via ./add-fqdn.
- PBX instance in the cloud located as close as possible to client locations (I'm getting less than 10ms ping times and zip jitter to most sites)
- One benefit of cloud hosting is very, very fast, redundant, reliable internet connections. If you go with large providers, typically, many trunking providers will have a POP in the same facility. I'm getting less than 3 ms ping times to multiple providers.
- Some business-related phones are located throughout the country and may move. These are Yealinks that are also set up via FQDN security.
- PBX backed up regularly and can be rebuilt quickly.
- I build a private monitoring page using many of the free monitoring services available today. Client can see all sites. This way, if an issue, they know immediately and they (and I) get email notification.

There are pitfalls: I find local techs to support installs and helping with issues. Get a lot of detail about the network infrastructure and vendors. I've encountered some very challenging scenarios.
 

Alex Hackney

@w1ve Thanks for the information

So you set up an Incredible PBX install for each client? What version are you using?

Thank you!
 

w1ve

Typically, yes. Not doing shared tenant. Cloud cost makes it viable. Incredible PBX 13-12.2
 

Alex Hackney

@w1ve Sounds good. So then I just assume you set all the endpoints to connect to the public static ip for the cloud system and make sure you whitelist the client static ip and you're good. That's a really good way to do it I think.
 

w1ve

Not quite. Life is not that easy. Yes, the phones connect to a static ip on the server (actually, via dns name).
For the clients -- unless you have the choice for static ip, and don't mind paying for it, most of them are dynamic IP.
Incredible PBX handles this nicely though, via a DNS (FQDN) name, and a script that keeps checking the IP. In IncrediblePBX, the setup script is ./add-fqdn. As I said, with many of my clients, I have a Dual-Wan Router, with one ISP Cable or DSL, and the other Cellular. It fails over. Of course, when this happens, the IP changes. So, I have a DDNS client downstream of the router, which will update the public IP of the FQDN when the IP changes.

Some of my clients have Yealink T2x series phones. As I said in a different post, I do the DDNS update with a Yealink Action URL, which makes an HTTP GET call every time the phone reboots, has a register failure or success. To do that, you use a DNS provider that can update DNS entries by an HTTP GET call (like cloudns.net can).

Gerry
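A sketch of the kind of periodic check described in the post above, added here as an illustration; it is not Incredible PBX's add-fqdn code or anything posted in this thread. The rule layout, UDP port 5060, the blocked ranges and the host names are assumptions, and the sample data is constructed.

```python
import ipaddress
import socket

SIP_PORT = 5060  # assumption: phones register over UDP 5060
# Answers in these ranges are never whitelisted, whatever DNS says.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def resolve_ipv4(fqdn):
    """Current A records for fqdn, or None if the lookup failed."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return {info[4][0] for info in infos}

def acceptable(ip):
    """True unless the address falls in a range that must not be allowed."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in BLOCKED)

def rule(action, ip):
    """Build the iptables command that inserts (-I) or deletes (-D) one rule."""
    return f"iptables {action} INPUT -s {ip} -p udp --dport {SIP_PORT} -j ACCEPT"

def plan_changes(state, resolver=resolve_ipv4):
    """state: fqdn -> set of IPs allowed now. Returns (commands, new_state)."""
    commands, new_state = [], {}
    for fqdn in sorted(state):
        allowed, answer = state[fqdn], resolver(fqdn)
        if answer is None:  # DNS outage: keep the existing rule
            new_state[fqdn] = set(allowed)
            continue
        wanted = {ip for ip in answer if acceptable(ip)}
        commands += [rule("-I", ip) for ip in sorted(wanted - allowed)]
        # Drop the old address too: a released dynamic IP can be reassigned.
        commands += [rule("-D", ip) for ip in sorted(allowed - wanted)]
        new_state[fqdn] = wanted
    return commands, new_state

if __name__ == "__main__":
    # Constructed sample: store1 has failed over to its cellular WAN.
    sample = {"store1.example.net": {"198.51.100.7"}}
    fake_dns = {"store1.example.net": {"198.51.100.99"}}
    for cmd in plan_changes(sample, fake_dns.get)[0]:
        print(cmd)
```

With this design, whoever can update the DNS record can move the firewall opening, so the DDNS update credential deserves the same protection as the SIP secrets.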
 

Alex Hackney

Well that's what I meant by client static. I require all of my clients to have static ips. But I guess doing a dyndns would be sufficient as well. I think the peplink routers I use have that installed by default.

Also, since the phones reach out to make the connection, you don't have to open firewall ports, right?
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,149
Reaction score
1,238
Unless you're using POTS, you can make an argument for or against on-site with still the point of failure being the internet connection. With on-site - you've got the point of failure at the site's internet. With hosted cloud, you've got it at the hosting site. Now which do you think is more likely to go down? With hosted, even if your local internet goes down, you can still have your PBX answering calls, and forward them to mobiles. As w1ve says, backups are fast, automated, and can be managed from anywhere. The big issue I think most people have is locking it down. I use whitelist, and then have a provisioning script on (either Yealink or Grandstreams I use) the phone that uses a key to unlock and add their IP address to the firewall.

I also use a series of open source (and some paid) products to monitor all my sites. I get alerts and can tell you the instant any PBX has an issue with either disk space, load, or if asterisk is working properly. I can also monitor all client extensions and be notified when one goes off line or has high latency. This allows me to monitor their systems pro-actively and tell them they've got a problem before they even know they have one. Really adds to the white-glove valued service we offer. Then we can also monitor with metrics every call that runs through the system. Whenever one doesn't meet our criteria (typically anything below a 4.4 MOS), we receive notification with complete details such as latency, dropped packets, etc. And we can know, not guess where the problem is coming from. Really helps to reduce the finger pointing.

Yeah - I like the hosted solutions if done right, and YES - 50 endpoints - no problem.
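The server side of a key-based whitelist unlock like the one mentioned in the post above could look like this. It is an added sketch, not krzykat's script; the device names, the per-device key table, the 24-hour expiry and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import time

TTL_SECONDS = 24 * 3600  # assumption: an entry lapses unless the phone unlocks again

def digest(key):
    """SHA-256 hex digest, so the key table holds no plaintext keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def unlock(device_id, presented_key, peer_ip, key_table, allowlist, now=None):
    """Whitelist peer_ip if presented_key matches the key issued to device_id.

    peer_ip must be the TCP peer address seen by the server, never a value
    taken from the request itself (query string, X-Forwarded-For).
    """
    now = time.time() if now is None else now
    expected = key_table.get(device_id)
    # Compare even for unknown devices so both failures take the same path.
    matches = hmac.compare_digest(digest(presented_key), expected or "0" * 64)
    if expected is None or not matches:
        return False
    allowlist[str(ipaddress.ip_address(peer_ip))] = now + TTL_SECONDS
    return True

def expire(allowlist, now=None):
    """Drop lapsed entries; returns the IPs whose firewall rules must go."""
    now = time.time() if now is None else now
    stale = sorted(ip for ip, until in allowlist.items() if until <= now)
    for ip in stale:
        del allowlist[ip]
    return stale

if __name__ == "__main__":
    # Constructed sample: one phone with one issued key.
    keys = {"yealink-frontdesk": digest("constructed-sample-key")}
    allowed = {}
    print(unlock("yealink-frontdesk", "constructed-sample-key",
                 "198.51.100.7", keys, allowed))   # True
    print(unlock("yealink-frontdesk", "wrong-key",
                 "203.0.113.9", keys, allowed))    # False
    print(sorted(allowed))                          # ['198.51.100.7']
```

The unlock request should travel over HTTPS, and failed attempts are worth logging and rate-limiting, because this endpoint is the one service that has to stay reachable from addresses that are not yet whitelisted.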
 

Alex Hackney

Very nice write up. I appreciate that. I just reinstalled a system that is running in a vm now locally. I am not using any pots lines any longer so I think I will try this. I do have my own system running in digital ocean, I just don't use any phones, I forward everything to my cell. I'm going to start trying this out with my next customer. Thanks guys!
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
"Then we can also monitor with metrics every call that runs through the system. Whenever one doesn't meet our criteria (typically anything below a 4.4 MOS), we receive notification with complete details such as latency, dropped packets, etc."
Care to expand on how you are doing this?
 
Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
Unless you use a cloud provider who offers 24/7 support by phone or paid priority support by phone I would never use them in a business situation. For larger customers I would expect a designated or assigned person for my account. If 50 plus people can't do business YOU have exposure and no amount of paperwork will protect you if a court determines you didn't use at least an appropriate level of care. The customer is not the expert you're supposed to be and they'll claim ignorance. I'm amazed when I get these emails from providers about an upcoming holiday and how they won't be around unless there is some major failure! The voip community lets these companies get away with providing a sub-standard level of access. Being able to see a problem is one thing but being able to fix it is quite another.

A company like digital ocean is for developers and is bare bones.

There's no doubt that your local internet connection can be the single point of failure if your equipment is locally based but most DIDs can be re-routed at the provider end. Some people have Cable and DSL as a backup on site. Until the internet returns at least you'd have communication between departments at a given location.

Some problems in the voip world are difficult to diagnose and resolve. Having access to all the hardware makes a big difference.

https://www.ibm.com/developerworks/cloud/library/cl-slastandards/
 

w1ve

I use RentPBX for my cloud-hosted PBXs. Singular purpose. With enough POPs, they provide great service, and I locate my servers close to the clients' phones. The chances of them going down vs a PBX hosted in store are slim. As I said, at the client I use a redundant WAN technology -- typically fiber/Cable/DSL + 4G LTE Stick. The Cradlepoint MBR1200B is great for this. Typical client has retail locations with one or two phones, so the LTE failover is not a bandwidth issue.
As @krzykat said, if a cloud server goes down, I re-route the call to the cell phone of someone in the location. There is always one available.
@krzykat's solutions sound like a higher level of service than I provide, but I think there is value in both approaches.
 

Setel

New Member
Joined
Dec 10, 2016
Messages
27
Reaction score
2
"Unless you use a cloud provider who offers 24/7 support by phone or paid priority support by phone I would never use them in a business situation."
Same can be said for unmanaged voice?

That’s why you’d really want to run your voice traffic, at least for your business, over something that has an MPLS-enabled network where you can optimize that traffic and control quality for just that kind of traffic. A public internet connection simply doesn't provide those options.

EDIT: race to the bottom? o_O
Toolbox said:
Their costs are low because they use other carrier’s infrastructures, and often provide VoIP over the public Internet. This keeps your price down, but they can only provide service on a “best-efforts” basis. These operators cannot manage or ensure QoS – Quality of Service, and as a result, their customers will have to accept some compromises with VoIP performance.
Provider from Canada said:
Most VoIP, is actually sold and provided to customer locations over the actual Internet vs. a private network. It is an ‘ok’ way to do it. The problem comes down to consistency. There is a funny and effective adage that states ‘you can have good, reliable or cheap – pick two!’. When routing over the public internet, you are in fact getting one, ‘cheap’. There is a better way – go private.
Provider from Chicago said:
Many people don’t realize there are 2 ways to provide VoIP service;
There are advantages and disadvantages to both the private and public services. Making the wrong choice can cost you thousands of dollars to correct.

If you are looking for a way to talk to a family member that lives overseas, the public network is great. If you are conducting business, the few dollars a month you pay to be on a private network is well worth it.
 