I installed VitalPBX with VitXi (Starter license) on my LAN.
I have installed a real SSL certificate (wildcard).
All works on my LAN.
I would like to access VitXi from outside.
I use Sophos UTM as gateway and firewall.
I setup reverse proxy on it (with SSL).
I setup NAT for port 8089.
I can access the VitXi login page, I can log in … but afterwards I get a red pop-up with the message:
The connection to your server could not be established.
Please, contact the administrator.
So could you help me?
Is it possible to use a reverse proxy to secure access to VitXi?
Which port should I forward to my VitalPBX/VitXi server?
Thanks for your help.
Did you really do ALL of this?
And look into the settings of VitXi. I think you can enter a hostname there.
So you should use a dyndns in your case?
I did everything written on your Wiki guide.
All works perfectly on the LAN.
I can access my VitXi without any problem:
I can log in and use it. (receive call …)
I use split DNS to use DNS on my LAN and from OUTSIDE.
on my LAN:
vitxi.MYDOMAIN.fr resolves to LAN ADDRESS
vitxi.MYDOMAIN.fr resolves to WAN ADDRESS
But I want to be able to use it outside my LAN, so I used Sophos UTM (which uses SQUID as reverse proxy) to access VitXi.
I added a NAT rule for 8089 port.
From outside, when I try to access VitXi, I use:
I can log in, but I get a red popup:
The connection to your server could not be established
and I’m not able to make a call or receive a call.
So I moved forward.
I allowed “websocket” on the firewall, and now I can send or receive calls.
But … I have no sound.
On my laptop, it’s ringing … I answer … but I can’t hear anything … no sound.
Same thing the other way.
Do you have any idea?
Go to RTP settings.
In ICE settings:
In local host put the IP address of the local network, and in advertised address put the public IP.
Then make a DNAT rule on the firewall to forward ports 443 and 8089.
Make sure to disable the reflexive rule if you have internal routing.
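The no-audio symptom and the advertised-address fix described above can be checked from the ICE candidates in the SDP the PBX offers. This is an added example, not part of the original posts or VitalPBX's own code; the SDP text and addresses are constructed and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges plus loopback and link-local: not routable from the WAN.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

# Constructed SDP offer (not captured from a real PBX): only LAN host candidates.
SDP_BEFORE = """\
v=0
o=- 1 1 IN IP4 192.168.1.10
c=IN IP4 192.168.1.10
m=audio 10002 UDP/TLS/RTP/SAVPF 0 8
a=candidate:H1 1 UDP 2130706431 192.168.1.10 10002 typ host
a=candidate:H1 2 UDP 2130706430 192.168.1.10 10003 typ host
"""
# Same offer once an advertised address (constructed: 203.0.113.20) is applied.
SDP_AFTER = SDP_BEFORE.replace("192.168.1.10", "203.0.113.20")


def ice_candidates(sdp):
    """Return (address, port, type) for every a=candidate line in the SDP."""
    found = []
    for line in sdp.splitlines():
        fields = line.strip().split()
        # a=candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type>
        if (len(fields) >= 8 and fields[0].startswith("a=candidate:")
                and fields[6] == "typ"):
            found.append((fields[4], int(fields[5]), fields[7]))
    return found


def wan_usable_candidates(sdp):
    """Candidates whose address is an IP outside the internal ranges."""
    usable = []
    for addr, port, typ in ice_candidates(sdp):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostname or mDNS candidate: cannot be judged here
        if not any(ip in net for net in INTERNAL):
            usable.append((addr, port, typ))
    return usable


if __name__ == "__main__":
    for name, sdp in (("before", SDP_BEFORE), ("after", SDP_AFTER)):
        ok = wan_usable_candidates(sdp)
        print(name, ok if ok else "LAN-only candidates: no audio from outside")
```

An empty result for an offer seen by an outside client matches the symptom in this thread: signalling over the WebSocket succeeds, but the browser has no reachable address to send media to.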
Thanks for your help.
I will try this evening.
Two things to note here.
Wildcard SSL certificate only recently got support in Asterisk, I’m not sure if VitalPBX is already running the version that supports it. (I can check later what version has support. The reason why it wasn’t in Asterisk, is because wildcard SSL certs in SIP are against the RFC rules. But hey, everyone is doing it anyway, so they decided to add it)
We are also using WebRTC behind a NGINX proxy and experience the same issue.
In the past, it was working fine, but around 6 months ago there was some update to VitXi and since then we started having issues. @maynor kept on saying that the new update requires the server hostname and the domain name to match, which is super annoying as we have multi tenancy with a unique domain for each tenant… As well as the hostname and domain matching isn’t a WebRTC standard requirement.
I think that because the browser SSL and Asterisk SSL are not the same, that’s probably what’s causing it. Meaning, Asterisk uses the SSL configured on the PBX and the WebRTC client uses your proxy’s SSL.
I think that if VitalPBX offers multi tenancy, they MUST support using different WebRTC domains as well as wildcard SSLs. Additionally, it would be nice if they tested it behind popular proxies such as NGINX, Caddy, HAProxy etc., since proxies are everywhere today for security reasons.
We can make this available on VitalPBX 4. Even so, this only applies to TLS and not to WSS, which is the protocol that WebRTC applications use.
So why aren’t wildcard SSLs allowed with WebRTC then?
We are going to perform tests on our development servers. Any news about this will be posted in this topic.
We have tried copying the SSL from the NGINX reverse proxy to the PBX, but we still get the error. However, we did not restart Asterisk after setting the SSL on the PBX.
Let me know if you need any additional information or if you want me to test something
For me, all works fine (except VitalPBX Mobile, I opened a case about it on the helpdesk).
I use the same wildcard on VitalPBX and Sophos UTM (to protect access to it).
VitalPBX WebRTC works fine.
I didn’t test with a real phone (Yealink or anything else, I don’t need it now).
except VitalPBX Mobile
Did you do ALL this?
The new version of VitalPBX Mobile requires the following configuration to work correctly:
You have to create a dedicated PJSIP account with a maximum of two contacts.
Don’t use the same account for other devices. e.g.: desktop phones or softphones.
If you have a version earlier than 3.5.1-4 of VitalPBX, then disable the Push Notification option in VitalPBX. It is no longer necessary since the new App incorporates another methodology to do Push.
On the App side, you only need to scan the QR code…
Allow the IP on your UTM as well!
I can register an extension on VitalPBX Mobile.
(I use the latest version of VitalPBX server: 3.2.3-5)
I can make or receive calls … but without sound.
Can you access
Could you please send a screenshot (without showing sensitive data) of your Nginx proxy configuration?
Does the VitXi WebRTC not have audio either?
You can check that the “Ice Support” option is enabled. This option can be found in the “RTP Settings” module.
Add the advertised address and the local address.
This got solved during a remote support session!!
Please can you share the solution for learning purposes?