In some cases phones are installed within a closed network, where they are not allowed to reach outside the company network, or even the Internet. This is done either to increase security or to restrict access to a particular network segment.
To manage those phones centrally via SRAPS, the phones still need to connect to SRAPS. But how, if they cannot reach the Internet?
The connection to SRAPS is secure because it is mutually authenticated: the phone authenticates the provisioning server and the server also authenticates the phone. On both sides, Snom uses SHA-256 certificates. This also means the phones cannot be placed behind an HTTP proxy server that terminates and forwards the connection: through such a proxy, two-way certificate-based authentication is not possible.
To still use SRAPS, you can run NGINX with the stream module. With this module NGINX only relays the raw TCP connection and does not terminate TLS, so the phone and SRAPS effectively have a direct connection and the server can authenticate the client and vice versa.
Now you might think that this opens a hole in the firewall. In fact it does not, since:
Attached to this article you will find a Dockerfile together with several configuration files. Here is a description of what the daemons do:
Copy all files attached to this article into a directory on a Docker node and issue the command
This creates an image based on Alpine Linux that contains the necessary software and copies the configuration files into it.
Now you can run the container with the following command:
This runs the container on the host network, so all of the host's network interfaces are visible to it. The environment variable IFACE specifies which interface is to be used: the interface on which the phones can reach the container.
Note that any change made inside the container is discarded when it restarts.
For this to work, the phones' DNS must be 'hijacked'. This means the phones must receive the container's IP address as their DNS server via DHCP, so that the SRAPS hostnames they request resolve to our NGINX instead of the real IP addresses. Of course, if you can do this configuration on your own DNS server or router, that is also fine. The "unbound" server in the container is configured to resolve the snom.com addresses this way.
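The following script is an added example, not the Dockerfile or configuration attached to this article. It ties together the two pieces described above: the NGINX stream configuration that relays the phones' TLS connections to SRAPS unchanged, and the unbound configuration that answers the SRAPS hostnames with the container's own address on the interface named by IFACE. The hostnames in SRAPS_HOSTS, the SRAPS port 443, the Alpine module path for ngx_stream_module.so and the output file paths are all assumptions; replace them with the values from the real configuration files.

```shell
#!/bin/sh
# Added example (not Snom's Dockerfile): render the two configuration files the
# closed-network setup needs from the IFACE variable that the article's
# docker run command passes in. All hostnames below are PLACEHOLDERS.
set -eu

# PLACEHOLDER hostnames the phones must resolve to this container. Replace them
# with the names your phones actually request (the real snom.com entries).
SRAPS_HOSTS="${SRAPS_HOSTS:-sraps.example.invalid provisioning.example.invalid}"

# First IPv4 address bound to the given interface (assumes iproute2 is present).
iface_ipv4() {
    ip -4 -o addr show dev "$1" | awk '{ split($4, a, "/"); print a[1]; exit }'
}

# unbound: answer only the SRAPS names, and answer them with the container's
# address so the phones end up at NGINX. Every other name stays unresolved.
render_unbound_conf() {
    addr="$1"; shift
    printf 'server:\n    interface: 0.0.0.0\n    access-control: 0.0.0.0/0 allow\n'
    for h in "$@"; do
        printf '    local-zone: "%s." static\n' "$h"
        printf '    local-data: "%s. A %s"\n' "$h" "$addr"
    done
}

# NGINX stream: TLS passthrough. NGINX never terminates TLS, so the phone's
# client certificate and the SRAPS server certificate are still verified end
# to end by the two real endpoints. The SNI the phone sends selects the
# upstream; a name that is not in the map gets an empty upstream and the
# connection is closed, so this is not a general-purpose tunnel.
render_nginx_stream_conf() {
    cat <<'EOF'
load_module /usr/lib/nginx/modules/ngx_stream_module.so;  # Alpine path (assumed)
events {}
stream {
    map $ssl_preread_server_name $sraps_upstream {
EOF
    for h in "$@"; do
        printf '        %s %s:443;\n' "$h" "$h"
    done
    cat <<'EOF'
    }
    # Resolver NGINX itself uses for the upstream names. This must NOT be the
    # unbound instance above, or NGINX would resolve SRAPS to itself and loop.
    resolver 9.9.9.9;  # PLACEHOLDER: the container's real upstream resolver
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $sraps_upstream;
    }
}
EOF
}

# When run inside the container with IFACE set (as the article's docker run
# command does), write both files; otherwise only define the functions.
if [ -n "${IFACE:-}" ]; then
    CONTAINER_IP=$(iface_ipv4 "$IFACE")
    # word splitting of SRAPS_HOSTS is intentional
    render_unbound_conf "$CONTAINER_IP" $SRAPS_HOSTS > /etc/unbound/unbound.conf
    render_nginx_stream_conf $SRAPS_HOSTS > /etc/nginx/nginx.conf
fi
```

Two points worth checking after deployment: the container's own /etc/resolv.conf (inherited from the host because of --network host) must point at a resolver that returns the real SRAPS addresses, not at the container's unbound, otherwise NGINX would proxy to itself; and only the names listed in the map are forwarded, which is why the stream relay does not open the firewall to arbitrary destinations.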