TIPS Viva WAZO: A New Beginning

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Trying to set up incrediblepbx xivo - installed using vultr and the excellent nerd vittles tutorial - all seemingly ran fine and can ssh to console no problem but when trying to access web gui get a certificate not valid message and when overriding this get a 403 forbidden message from nginx - I have checked Ward's tutorials but can't see any missed steps - can anyone provide any answers/suggestions please.

There was a change in the web server setup between XiVO 16.12 and 16.13. It sounds like you ended up with half of each version. The easiest thing to do is to delete your existing Vultr setup and start over with a new build and a fresh download of today's new release of the Incredible PBX installer. Sorry.
 

Oliver Gaskell

New Member
Joined
Oct 27, 2013
Messages
25
Reaction score
0
There was a change in the web server setup between XiVO 16.12 and 16.13. It sounds like you ended up with half of each version. The easiest thing to do is to delete your existing Vultr setup and start over with a new build and a fresh download of today's new release of the Incredible PBX installer. Sorry.
Thanks Ward, up and running now just trying to figure out android client, csipsimple works perfect on office WiFi but not on 3/4g or home WiFi.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Incredible PBX for XiVO with Turnkey WebRTC

Cvof3_pWYAAt4C2.jpg


New Incredible PBX for XiVO release today supports WebRTC out of the box.

After installation completes, WebRTC is as easy as 1-2-3:

1. Obtain IP Address of Your Server: pbxstatus

2. Run /root/show-701-pw to decipher Password for User account 701

3. Open latest Firefox or Chrome browser on your desktop and...
CvoaZWGWAAASHYZ.jpg


Special thanks to @Sylvain Boily for another home run!!

Bug Fix: This release also addresses a bug that caused Google Voice calls to fail on the last few releases. If you experience the problem, here's the patch:

Code:
sed -i 's|noload => chan_motif.so|;noload => chan_motif.so|' /etc/asterisk/modules.conf
/etc/init.d/asterisk restart
 

wa4zlw

Member
Joined
Feb 14, 2008
Messages
845
Reaction score
22
why do you need to login to https://phone.xivo.io/?
doesn't this run on the pbx itself or is there some backdoor that's unknown?
or is this a totally separate thing that hooks into the pbx and if so can we run that on our own box?

Thanks leon
 

Sylvain Boily

Active Member
Joined
Apr 30, 2016
Messages
259
Reaction score
144
@wa4zlw yes it has a backdoor ;-)
Only because it's a SaaS service and it permits keeping the software up to date easily. It only uses the xivo web service. To use it you need to have an up-to-date xivo.
 

wa4zlw

Member
Joined
Feb 14, 2008
Messages
845
Reaction score
22
ok but can we run the SaaS on our own box instead of on your box?

Thanks leon
 

Sylvain Boily

Active Member
Joined
Apr 30, 2016
Messages
259
Reaction score
144
It's only html/js connected to xivo via rest api/websocket and asterisk webrtc. So you can run it where you want. Copy the source code and serve it with an http server.
 

wa4zlw

Member
Joined
Feb 14, 2008
Messages
845
Reaction score
22
thanks do you plan to package an installer for it? Also what ports does it use so we can lock down the firewalls?

Thanks again leon
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Once you open http/https access to your PBX, ALL BETS ARE OFF! That would be a security nightmare.
 

Sylvain Boily

Active Member
Joined
Apr 30, 2016
Messages
259
Reaction score
144
@wa4zlw nope, my priority is to offer a unique solution. No updates for the end user. You could use the wizard to find out which ports you need to open and check whether they are open. But in xivo 16.13, we introduced an nginx configuration to use every API on xivo with only https, including webrtc. I haven't finished using it for the moment. But in a few weeks, only https will be needed for it to work.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Implementing DISA with Incredible PBX for XiVO

We finally have discovered some undocumented hidden nuggets in XiVO, the first of which is DISA support.

In addition to the 2-step authentication DISA script included with Incredible PBX for XiVO, there are two native ways to implement DISA with XiVO using one-step PIN authentication: (1) set up a DID specifically for DISA or (2) add a DISA option in an IVR script. Here's how...

(1) Setting Up a DID for DISA. Add an Incoming Call DID and make it look like the following using your own DID and PIN:

CwLm9uVXYAAckzJ.jpg


(2) Adding a DISA option to the Demo IVR: /etc/asterisk/extensions_extra.d/ivr-1.conf*

a. Replace the exten => 0,1(ivrsel-0) line with the following 3 lines specifying your desired DISA PIN in the first line:
Code:
exten => 0,1(ivrsel-0),Set(XIVO_FWD_ACTIONARG1=12345678)
exten => 0,2,Set(XIVO_FWD_ACTIONARG2=custom-callboth)
exten => 0,3,Goto(forward,application:disa,1)

b. Reload the Asterisk dialplan: /etc/init.d/asterisk reload

* NOTE: You must have AsteriDex installed as part of Incredible PBX for XiVO with the [custom-callboth] context included in asteridex.conf
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Integrating Anveo Direct DIDs into Existing XiVO PBXs

This week's Nerd Vittles article documents the ease with which you can add Anveo Direct DIDs to Nov. 9, 2016 or later installs of Incredible PBX for XiVO assuming you've activated all features to take advantage of the Incredible PBX XiVO Snapshot.

If you have a XiVO PBX that was installed before November 9, 2016, there's a little more work to do to get the platform squared away to support Anveo Direct DIDs.

From the Linux CLI using SSH/Putty, login as root and...

1. Create a new Anveo context to process incoming calls:
Code:
echo ';# // BEGIN anveo-incall
[anveo-incall]
exten = _.,1,Ringing
exten = _.,n,Goto(from-extern,${SIP_HEADER(X-anveo-e164)},1)
;# // END anveo-incall
' > /etc/asterisk/extensions_extra.d/anveo.conf
chown asterisk:www-data /etc/asterisk/extensions_extra.d/anveo.conf
chmod 660 /etc/asterisk/extensions_extra.d/anveo.conf

2. Edit /etc/asterisk/extensions_extra.d/cid-superfecta.conf and replace the first two lines of [xivo-subrgbl-did] with:
Code:
exten = s,1,NoOp(### DID Incoming Call Subroutine ###)
same = n,GotoIf($["${XIVO_SRCNUM:0:3}" != "001"]?leaveitalone)
same = n,Set(XIVO_SRCNUM=${XIVO_SRCNUM:-10})
same = n,Set(CALLERID(num)=${XIVO_SRCNUM})
same = n(leaveitalone),NoOp(Calling FROM: ${XIVO_SRCNUM})

3. Reload your Asterisk dialplan: asterisk -rx "dialplan reload"

From the XiVO Web GUI, login with a browser with your root credentials and...

1. In IPBX Configuration → Contexts, Add a new context anveo-incall.

In the General tab, make it look like this:

Cw5Xh3JXEAEDuGs.jpg


In the Incoming Calls tab, make it look like this and then click Save button.

Cw5X-5gWIAAnwQq.jpg


2. In Call Management → Incoming Calls, you now can add your 11-digit DIDs following the steps in the Nerd Vittles tutorial.

Make adjustments above as necessary to support international calling.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Enabling Anonymous SIP Access and SIP URI Calling into Your XiVO PBX

GlobalSIP-166054721.jpg

Photo credit: FingerMedium/GettyImages


WARNING: This is very dangerous! Only implement this if there is no other way for folks to reach you by phone. Anonymous SIP URI access to your server means anyone with an Internet connection worldwide can not only call your server, but they also can attempt to register a SIP account to any SIP extension on your PBX and they also can attempt to place outbound calls through your PBX. The only thing standing in their way are your SIP account passwords! What follows is an approach to SIP URI access that minimizes (BUT DOES NOT ELIMINATE) the risk. The safest and recommended way to implement SIP URI access to your PBX does not expose your server to anonymous SIP access. It is documented in this Nerd Vittles tutorial. You've been warned!

A word about the methodology that follows. To minimize the risk of compromising your server, use incredibly secure passwords for all of your user, line, and trunk accounts. Do this before proceeding. Also make certain that your server has a difficult-to-guess fully-qualified domain name (FQDN) as this will provide some security through obscurity. We will block outgoing SIP calls that attempt to use the actual IP address of your server, and we will block incoming SIP URI calls made to the IP address of your server. Use trunk providers on this PBX that have a very low account balance with NO recurring credit card refresh. Google Voice accounts with a zero balance are perfect. If someone does manage to make calls, it will not hurt your wallet. Do NOT use IAX trunks. This hasn't been tested or secured at all for use with IAX trunks. Add passwords to all Asterisk applications that matter, e.g. blacklisting callers, accessing AsteriDex to place calls, conference apps, IVRs, etc.

What does SIP URI access provide to the caller? It means the caller that knows your FQDN can place calls to every extension on your PBX, to every incoming DID defined on your PBX, and to almost every Asterisk feature code enabled on your PBX. It also means any anonymous user with either your FQDN or IP address can attempt to register to any SIP account on your PBX. All they'll need is the account name and password. If a user successfully registers to your PBX using the IP address of your server (as opposed to your FQDN), we will block them from making outbound SIP calls. If any of this frightens you, turn back now!!

1. Activate Accept Unauthenticated Calls (General tab) and set Context to In-Calls (Default tab) in IPBX -> General Settings -> SIP Protocol.

2. Add IP address protection and modify failure routine in xivo-subrgbl-did and xivo-subrgbl-outcall contexts:

2.a. Edit /etc/asterisk/extensions_extra.d/cid-superfecta.conf and replace [xivo-subrgbl-did] context with the following:
Code:
[xivo-subrgbl-did]
exten = s,1,NoOp(### DID Incoming Call Subroutine ###)
same = n,GotoIf($["${XIVO_SRCNUM:0:3}" != "001"]?leaveitalone)
same = n,Set(XIVO_SRCNUM=${XIVO_SRCNUM:-10})
same = n,Set(CALLERID(num)=${XIVO_SRCNUM})
same = n(leaveitalone),NoOp(Calling FROM: ${XIVO_SRCNUM})
same = n,Noop(SIP TO: ${SIP_HEADER(TO)})
same = n,Noop(SIP FROM: ${CUT(SIP_HEADER(FROM),>,1)}>)
same = n,Set(NUMTEST=${SIP_HEADER(TO):-2:1})
; NUMTEST is empty for Google Voice calls: skip the IP-address test
same = n,GotoIf($["gv${NUMTEST}" = "gv"]?gv)
same = n,GotoIf($["${NUMTEST}" < "A"]?byebye)
same = n(gv),NoOp(Blacklist: ${DB(blacklist/${XIVO_SRCNUM})})
same = n,NoOp(Whitelist: ${DB(whitelist/${XIVO_SRCNUM})})
same = n,GotoIf($[${LEN(${DB(whitelist/${XIVO_SRCNUM})}))} > 1]?keepon)
same = n,GotoIf($[${LEN(${DB(blacklist/${XIVO_SRCNUM})}))} > 1]?byebye)
same = n(keepon),GoSub(cid-superfecta,s,1)
same = n(return),Return()
same = n(byebye),Answer
;same = n,Congestion
same = n,Zapateller
same = n,Zapateller
same = n,Hangup
same = n,Return()

2.b. Edit /etc/asterisk/extensions_extra.d/out-calls.conf and replace [xivo-subrgbl-outcall] context with the following:
Code:
[xivo-subrgbl-outcall]
exten = s,1,NoOp(### DID Outgoing Call Subroutine ###)
same = n,NoOp(Calling FROM: ${XIVO_SRCNUM})
same = n,NoOp(Calling TO: ${EXTEN})
same = n,Noop(XIVO SRC NUMBER=${XIVO_SRCNUM})
same = n,Noop(XIVO DST NUMBER=${XIVO_DSTNUM})
same = n,Noop(XIVO DST ID=${XIVO_DSTID})
same = n,Noop(XIVO USR ID=${XIVO_USRID})
same = n,Noop(SIP TO: ${SIP_HEADER(TO)})
same = n,Noop(SIP FROM: ${SIP_HEADER(FROM)})
same = n,Set(NUMTEST=${SIP_HEADER(TO):-2:1})
; NUMTEST is empty for Google Voice calls: skip the IP-address test
same = n,GotoIf($["gv${NUMTEST}" = "gv"]?return)
same = n,GotoIf($["${NUMTEST}" < "A"]?byebye)
same = n(return),Return()
same = n(byebye),Hangup
same = n,Return()

3. Secure Asterisk apps using Asterisk's Authenticate function. Insert the line below just after the Answer and Wait() lines in /etc/asterisk/extensions_extra.d/app-blacklist.conf contexts: [app-blacklist-add], [app-blacklist-remove], and [app-blacklist-last] using a very secure PIN to replace 90210:
Code:
exten => s,n,Authenticate(90210)

4. Do the same for any contexts you wish to protect in /etc/asterisk/extensions_extra.d/xivo-extrafeatures.conf.

5. Reload Asterisk dialplan: asterisk -rx "dialplan reload"

6. By default, the SIP port (UDP 5060) is only accessible from whitelisted IP addresses. We're now going to open the IPtables floodgate for UDP 5060 so that anonymous SIP calls can reach your PBX. Edit /etc/iptables/rules.v4. Just above the COMMIT line at the end of the file, insert the following entry:
Code:
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT

Save the file and then restart IPtables: iptables-restart

7. Test, test, test. From an IP address not otherwise whitelisted on your PBX, place anonymous SIP calls to every extension on your PBX and to every DID listed in your Incoming Calls list. Use both the IP address of your PBX and also the FQDN associated with your PBX. Also place calls to all of the Nerd Vittles and XiVO apps that could do you harm, i.e. voice dialing, speed dialing, blacklist callers, etc. Complete list of potentially hazardous dial codes is at the end of this Nerd Vittles article.

For the Geeks and Nerds: The methodology to weed out SIP URI calls made to an IP Address instead of an FQDN takes advantage of a careful parsing of the TO SIP Header. You will note that the next-to-the-last character in this SIP header will always be a letter for an FQDN and will always be a number for an IP address. Thus, we can test where the alphanumeric character fits in the ASCII sort order to determine whether the incoming call is being routed to an IP address or an FQDN. And, by the way, for incoming Google Voice calls, this result will always be NULL. :smartass:
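
A small model of the TO-header test described in the post above, added here as an illustration (Python, not part of the original post or of Incredible PBX). It runs the next-to-last-character test beside a classification that parses the host out of the URI, over constructed TO headers; the function names and sample headers are assumptions, and the output shows that the positional test relies on the header ending with the host name.

```python
import ipaddress
import re

def numtest(to_header):
    """Model of ${SIP_HEADER(TO):-2:1}: next-to-last character, '' if no header."""
    return (to_header or "")[-2:-1]

def positional_verdict(to_header):
    """The post's test: empty -> 'gv', sorts before 'A' -> 'ip', else 'fqdn'."""
    ch = numtest(to_header)
    if ch == "":
        return "gv"
    return "ip" if ch < "A" else "fqdn"

# Host part of a sip:/sips: URI: optional user@, then a [bracketed] or plain host.
_URI = re.compile(r"<?sips?:(?:[^@>;]*@)?(\[[^\]]+\]|[^:;>\s]+)", re.I)

def host_verdict(to_header):
    """Classify by the URI host itself, ignoring any port or parameters after it."""
    if not to_header:
        return "gv"
    m = _URI.search(to_header)
    if not m:
        return "unparsed"
    host = m.group(1).strip("[]")
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn"

# Constructed sample headers (documentation names and addresses only).
SAMPLES = [
    "<sip:701@pbx.example.com>",
    "<sip:701@192.0.2.10>",
    "<sip:701@192.0.2.10:5060>",
    "<sip:701@pbx.example.com:5060>",  # FQDN followed by an explicit port
    None,                              # no TO value, as described for Google Voice
]

def compare(samples=SAMPLES):
    """Return (header, positional verdict, host-based verdict) for each sample."""
    return [(h, positional_verdict(h), host_verdict(h)) for h in samples]

if __name__ == "__main__":
    for header, pos, host in compare():
        note = "" if pos == host else "   <-- verdicts differ"
        print(f"{header!s:36} positional={pos:5} host={host:5}{note}")
```

In this model a call addressed to the FQDN with an explicit port is treated as an IP-address call by the positional test and would be sent to the byebye branch, so include that form when working through the testing in step 7.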
 

sirdotcom

Member
Joined
Mar 20, 2010
Messages
150
Reaction score
25
Hi,
I've just set up an Anveo DID, although I used the script from yesterday so I didn't have to follow the above steps as it was automagically done already :)
After adding my DID to the Incoming Calls area, when I call the number I get a context error in the CLI:
Code:
 NOTICE[1442][C-00000006]: chan_sip.c:26279 handle_request_invite: Call from 'AnveoDirect' (50.22.101.14:5060) to extension '1702xxxxxxx' rejected because extension not found in context 'from-extern'.
What am I missing here?
Thanks,
Steve
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Was this server freshly installed yesterday, or did you add Anveo DID to an existing server? If the latter, you'll need to be sure you completed all of the additional steps here.
 

sirdotcom

Member
Joined
Mar 20, 2010
Messages
150
Reaction score
25
Yes I just did a fresh install yesterday on OVH, which is blazing fast by the way. Not sure what's going on, but I'll review the steps and make sure everything is correct.

EDIT (a few hours later): I went over the DID steps carefully, and everything was correct except in cid-superfecta.conf, where the 2 lines at the top had not been replaced with the five lines given. After replacing that and restarting asterisk, still no joy, same error. So at my wit's end I tried changing the context in Incoming Calls from Anveo to from-extern, and now it works!

I have no idea what repercussions that has or what might break from that "deviation", but that at least got it to receive incoming Anveo calls.
 
