Page tree


Provision Snom Phones within a closed network with SRAPS

In some cases phones are installed within a closed network, where the phones are not allowed to reach out of the company network, or even the Internet. This is done to either increase security or to restrict accessibility to some network segment.

To ensure a centralized management of those phones via SRAPS, there is a need to connect the phones to SRAPS. But how, if the phones cannot reach the internet?

This connection is secure, since the phone will authenticate the provisioning server and the server will also authenticate the phones. On both sides, Snom is using SHA-256 certificates. This also means the phones cannot be placed behind a HTTP proxy server, which has to forward the connection. Clear, in this case a two-way certificate based authentication is not possible.

To ensure the usage of SRAPS, you can use NGINX with the stream module. With this module, the phone will build up a direct connection to SRAPS, so the server can authenticate the client and vice versa.

Now you might think that this opens a hole in the firewall.  In fact, it is not, since:

  • you can limit, which hosts (from the internal network) can connect to the proxy
    • by firewall rules
    • directly in the nginx.config
    • or both
  • NGINX does not listen on incoming connection from the internet since he is in the same network as the phones
  • On the firewall, or router, which might do only NAT, you do not create any inbound rule, but only outgoing.

But how does this work?

To this article you can find a Dockerfile file with several configurations. Here are some description about what the daemons are doing:

  • Nginx
    NGINX is a (revers) proxy server, which will establish the TCP tunnel to reach SRAPS on the port 443.
    This is listening on the port 443 of the provided interface (see How-to below).

  • NSD
    NSD is an authoritative name server. This image provides the configuration to resolve "" and "" to the IP Address of the docker container.
    This is configured to listen on UDP and TCP on port 53530 of the provided interface.

  • Unbound
    Unbound is a DNS balancer which forwards the request for the domain to the NSD daemon and all other request to the configured DNS Server of the container (see /etc/resolv.conf).
    Listening on the port 53 of the provided interface

The Network

  • The black arrows are representing the logical network connection: The phones are connected (IP) to the router which is connected to the internet. SRAPS is displayed on the top right corner.
  • The blue dashed arrows are representing the communication for DNS and for the HTTPS connection for provisioning.
  • The red arrow is the provisioning path between the docker container and SRAPS.

How to build the container

Copy all the attached file to this article into a directory on a docker container node and issue the command

docker build -t sraps_proxy .

This will create an image, which will contain the necessary software based on Alpine Linux and copies the configuration files there.

Now you can run the container with the following command:

docker run --name sraps -ti -d --network host -e IFACE=eth0 sraps_proxy

This will run the container on the host network, so all network interface are visible for it. The environmental variable IFACE specifies which interface is to be used. This is the interface where the phones can reach the container.

Attention, any change of the container after restart will be discarded.

Configuring DNS

To make the concept working the phones need to be 'hijacked' by DNS. This means that the phones must get the containers IP Address from the DHCP server, so they will connect to our NGINX instead of the real IP addresses of their request. Of course, if you can do this configuration on your DNS Server or on your router this is also fine. The way the "unbound" Server is configured, the addresses are resolved.

Snom has many DNS entries; This zone only covers the and the Hence, only use this for the phones!