3CX on Debian 8 VPS (Cloud Service) - Detailed Instructions Needed for IP Phone Provisioning

Discussion in '3CX Phone System - General' started by og1, Oct 29, 2017.

Thread Status:
Not open for further replies.
  1. og1

    og1

    Joined:
    Sep 30, 2017
    Messages:
    5
    Likes Received:
    0
    Hi:

    I realize much of the 3CX documentation assumes a local on-site install of 3CX, but that's not how I'm using the software PBX.

    I'm very surprised there's no documentation on what should be a common configuration where 3CX runs on a Linux Debian 8 VPS on a cloud service provider.

    I got 3CX running on Debian 8 Linux VPS no problems. Now this is where the confusion starts.

    These instructions to configure the Cisco 79XX (I have the 7960G) IP phones to use with the 3CX assume the 3CX install is done locally. https://www.3cx.com/sip-phones/cisco-7940g-7960g/

    Are there instructions to setup the Cisco 79XX phones with a 3CX Debian 8 VPS configuration (using a cloud service provider)? For example it says set up that TFTP server? But do I set that TFTP server up exactly? Do I set up the TFTP server on the same cloud service Debian 8 VPS as 3CX is running on? Do I use one of the computers on my own local network (which I don't want to do really) for the TFTP service? These instructions don't say. They're written assuming everything is on the same local LAN.

    The user manual doesn't address my specific setup needs. Does someone have up-to-date setup instructions to set up the TFTP server with a 3CX software PBX running on Debian 8 VPS on a cloud service provider? And then have the TFTP Server convert my phones to the 3CX 8.5.4 firmware and provision my phones with the proper extension information via the 3CX software PBX running on the Debian 8 VPS? This configuration has to have some documentation for it. It should be a common configuration out there.

    Let me know. Thanks for your help and time.

    Once I can get the TFTP server figured out and the Cisco 7960G information such that I can update the firmware on the 7960G's properly for a 3CX SIP interface and provisioned for the extensions with the 3CX PBX running on a Debian VPS (remotely, on a cloud service provider), I should be able to figure the rest out myself. But I don't want to walk into this important step without the proper documentation.

    Thanks.
     
  2. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,888
    Likes Received:
    190
    The user manual quite clearly specifies that you need to use supported phones to provision phones for a cloud PBX. Cisco phones can only be used in legacy mode and are only supported for an on site PBX. It would not be secure to provision those phones via the cloud.
     
  3. og1

    og1

    Joined:
    Sep 30, 2017
    Messages:
    5
    Likes Received:
    0
    Thanks for the quick reply. Appreciated. This is an important bit of information and it's not covered clearly on the forum.

    One of the first questions I asked (via email inquiry) was my intention not to have to buy any new hardware to test (trial) the 3CX software PBX, and if all was good, use 3CX with our existing on site Cisco phone hardware (at least for a while until operating with 3CX vs the status quo phone service was able to economically justify buying the "supported or recommended phones" new. Our existing IP cloud phone service is very stable and very cost competitive. If it ain't broke, no need to fix it). I'd only consider running 3CX as a replacement for the existing IP phone service. That means using a Linux VPS (using a cloud service provider, not one of our own on-site computers. Using one of my own computers does not make sense in this day and age when I can get an un-managed VPS with 2GB RAM and 50GB SSD for $15/month).

    The responses were that "3CX does not support CISCO phones". But given the legacy IP phone systems out there (no doubt this is a question that has come up before), to enable 3CX to interface with a large installed base of Cisco phones, the 3CX software PBX can be used in the SIP configuration, but you won't have certain features. Now I'm not sure if people got confused and assumed I'd buy a computer just to run 3CX for the IP phones and forgot I mentioned Linux VPS (cloud) version of 3CX. I checked out the features that would not work on the Cisco 79XX IP phones, and I'm fine with that.

    Here's where the documentation issue (clarity) comes in. Using this page ( https://www.3cx.com/sip-phones/cisco-7940g-7960g/#h.qtd6ilzf2kgh ) on the setup of the Cisco Phones with 3CX, it says "legacy phones". So I'm inferring legacy phones to be these old phones identified. Makes complete sense, they are "legacy phones". My thinking based on the responses to my questions and documentation on the web site, is that I had the choice to use these "unsupported legacy phones" with 3CX running on the Linux (Debian 8) VPS if I wanted, but 3CX don't support it. I'm fine with them being unsupported. Completely understand. On this page, there's nothing about 3CX having to run locally on its own Linux machine in the provisioning procedures laid out via this page.

    It's not until the User manual ( https://www.3cx.com/docs/manual/configuring-ip-phones/ ) that under that one diagram, it says,

    "Cisco, Polycom and Aastra phones do not support plug and play nor secure HTTPS provisioning with a Let’s encrypt Root CA. They can only be used on the local LAN and must be provisioned as follows:"

    And then it refers to a different provisioning procedure than the previous instructions. On this procedure it says to "reset" the Cisco phones. Now I'm completely confused. Which procedure is the one to follow for the Cisco 7960G? My 7960G need to be converted to the SIP firmware to interface to 3CX and the two procedures are very different.

    The point about "security" is well taken. I thought about that going in as well.

    So now, we're at the point where we need to clarify and decide what the best way forward is:

    Does the note in the manual stating "not support plug and play nor secure HTTPS provisioning with a Let's Encrypt Root CA" mean Cisco phones simply can't work with a Linux VPS (cloud version) of 3CX, because the phones and the 3CX software PBX can't communicate? Or is it "not supported" meaning anyone that tries or implements that configuration is on their own? That's the first thing we need to get past.

    The business plan going in was to eventually replace the Cisco phones based on 3CX running on a Linux VPS (cloud service) actually saving opex vs the status quo cloud based IP phone service. We use that saved opex to justify the capital expense of new phones (supported phones by 3CX).

    Is there a community work around (not supported, I know) to achieve that goal of using 3CX running on a cloud VPS in the near term? And what are the specific security issues that have to be addressed if that non supported configuration could be achieved? Or will it simply not work?

    I prefer not to have to buy a dedicated piece of hardware just to run 3CX locally to support working with the Cisco 7960G phones. Similar thinking behind not wanting to buy new phones simply to use 3CX in the cloud vs our status quo cloud based IP phone service.

    Appreciate everyone's help and time.
     
  4. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    752
    Likes Received:
    38
  5. og1

    og1

    Joined:
    Sep 30, 2017
    Messages:
    5
    Likes Received:
    0
    Thanks. Appreciated.

    I noticed that thread and they were/are doing what I'm trying to do, except they used a Windows VPS (cloud VPS) for the 3CX software PBX and have different phones. They too didn't want to have to run a local server just for 3CX. I avoid Microsoft at all costs (I won't get into it here), and won't use 3CX software PBX on anything except Linux. Really, I prefer to use CentOS Linux, but when I asked the 3CX people were adamant about Debian Linux.

    The last message in that thread was someone in the community, in a succinct manner, asking the same question(s) I'm asking about using 3CX on a cloud based Linux VPS with their legacy phones. That was a year ago (again, nothing I'm asking is new). That thread got locked for some reason and no one has followed up. I've looked all through the threads for this scenario I'm asking about. There's nothing complete to the resolved stage that addresses it clearly for the Linux VPS scenario.

    But thanks for adding that previous thread into this new thread about 3CX on cloud based VPSs. Hopefully more people can add their knowledge and experiences for this scenario into this thread.

    It would have been nice to also get some idea of the specific security issues. That person with the Windows cloud based 3CX VPS in the previous thread mentioned they set some files back to the original settings once they provisioned the phones. This may have something to do with security. But the question that comes to mind is "each time you want to provision a phone, you have to mess with those files?". It would be nice to understand the why behind setting the files back to the original settings and the specific risks for leaving the files and/or not setting them back to their original settings.

    Thanks for everyone's help and time.
     
  6. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,888
    Likes Received:
    190
    I will double check our documentation.

    But for the avoidance of doubt - You can not use Cisco 79XX phones in the cloud with 3CX. They are very old phones and simply not secure. It might work securely with your current service though, it really depends on how it's set up.

    So, if you are happy with your current phone service and not ready to give up on the phones for the moment, I suggest sticking with your current phone service.

    Once you need the additional features 3CX can offer and are ready to invest in new phones then look into 3CX.
     
    #6 Nick Galea, Oct 30, 2017
    Last edited: Oct 30, 2017
  7. og1

    og1

    Joined:
    Sep 30, 2017
    Messages:
    5
    Likes Received:
    0
    Thanks. No need to repeat the "not secure" statement. I'm asking specifically what "not secure" means and what can be done to get the phones to work. Don't just say "it depends". I spent a month with the appropriate 3CX people on the capabilities of 3CX (made it clear to them I have no intention of buying a server to run 3CX) with the Cisco 79XX phones. They said it's an unsupported configuration (as I mentioned), and only mentioned certain features, which I don't need, would not work. That the "community" was active and that someone would have figured out how to set up the 79XX with the 3CX cloud VPS.

    What's being suggested here in the forum is not a wise way to sell 3CX, nor conduct business given the very detailed questions I've asked, the replies received from 3CX, and time I've put into it. Plus, I'm now paying for a Linux VPS each month that's specifically set up to support 3CX and not my general business. Then to turn around and say "Well, that cloud VPS configuration is simply not secure, so stick with what you have". That's not an option anymore. I need a technical using a Linux Debian 8 cloud solution that fits within the economics (unfortunately, technology decisions are still dictated by the money) regardless of how complex.

    Is 3CX going to buy me a miniPC (an i3 NUC from Intel for example) to run 3CX software PBX locally? Otherwise, I'm down $525 (at least, I'm not including every cost here) on a decent NUC. The payback on a miniPC vs an un-managed Linux VPS to run 3CX is 35 months. So you can see why it makes no sense to have even considered 3CX running it locally. Let me know what can be done. It seems people have got 3CX running on a cloud VPS with their installed phone base in the past. That's what I'm asking about and wish to discuss on the thread.

    Thanks for your help and time. Greatly appreciated.
     
  8. 3CXDude

    Joined:
    Oct 1, 2015
    Messages:
    94
    Likes Received:
    24
    If you want to get those phones working on a cloud VPS, the only way I know of is to use VPN.

    Depending on where your VPS is hosted, that may or may not be an option. I've been reading that this is relatively simple on Google. Basically, you set up a site to site VPN between your VPS and your firewall and then the phones aren't remote.
     
    Nick Galea and us1 like this.
  9. og1

    og1

    Joined:
    Sep 30, 2017
    Messages:
    5
    Likes Received:
    0
    Thanks. I've seen mention of using a VPN as well, but no one gets into the details of the configuration on the forum. I'm looking into that in more detail now. I hadn't researched it more before because one of the first questions I asked the 3CX people about the cloud VPS configuration is "Do I need to use a VPN" and the answer was no.

    It's really frustrating as I can not have spent more time on this detailing what I wanted with the 3CX people. I guess they are so used to corps spending money on new phones or buying/setting up a Linux/Windows computer locally for 3CX, that they just assume I'd do one or the other, when I specifically preface every statement with "I'm not buying any new hardware just for 3CX". It defeats the entire purpose of a software PBX.

    If anyone has more details on using a site-to-cloud VPS VPN to integrate a Debian Linux Server running 3CX software PBX with their local network it would be appreciated.
     
  10. cobaltit

    cobaltit Active Member

    Joined:
    Mar 22, 2012
    Messages:
    734
    Likes Received:
    113
    I haven't tried it although if I find an old Cisco phone I can't. But typically with the unsupported phones they don't support provisioning securely, aka they don't accept the Let's Encrypt certificate. So for some phones you should be able to install the trusted root certs (SPA phones) and then they should provision although you have to make a custom template to do so. For other phones you can tell it to ignore the SSL and that should work. And in almost every case you can manually provision the phones and they will still work. Provisioning and registering are two separate things. So just because you can't provision the phone remotely doesn't mean it won't work remotely.

    As far as not finding detailed VPN configs here that doesn't surprise me. If you are determined to wander off the reservation, then do so at your own risk and with your own knowledge. All the support here is free so if you don't want to invest your own time via trial and error then either use the recommended/supported phones, pay someone to help you or cut your losses and move on to something else. I don't know if you actually purchased a key yet but if you had, you would have been directed to go through a reseller like myself who would have clarified these things for you.

    If you want to pursue the VPN approach then you want to stop looking here for support. This isn't a 3CX issue. You would be better off looking for support on GCP forums since creating a VPN between your GCP instance and whatever edge device you have is not 3CX specific and you are more likely to find folks who've created VPNs to GCP over there.
     