
Provision Snom Phones within a closed network with SRAPS

In some cases phones are installed within a closed network, where they are not allowed to reach outside the company network, or even the Internet. This is done either to increase security or to restrict access to some network segment.

To manage those phones centrally via SRAPS, they still need to connect to SRAPS. But how, if the phones cannot reach the Internet?

This connection is secure, since the phone authenticates the provisioning server and the server also authenticates the phone. On both sides Snom uses SHA-256 certificates (mutual TLS). This also means the phones cannot be placed behind an HTTP proxy server that has to forward the connection: a proxy that terminates the TLS session breaks the two-way, certificate-based authentication, so in that case it is simply not possible.

To keep using SRAPS, you can use NGINX with the stream module. With this module NGINX forwards the raw TCP connection, so the phone still builds up a direct TLS connection to SRAPS, and the server can authenticate the client and vice versa.

Now you might think that this opens a hole in the firewall. In fact, it does not, since:

  • you can limit which hosts (from the internal network) can connect to the proxy
    • by firewall rules
    • directly in the nginx.conf
    • or both
  • NGINX does not accept incoming connections from the Internet, since it sits in the same network as the phones
  • On the firewall or router, which might only do NAT, you do not create any inbound rule, only outgoing ones.
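As an added illustration (not the configuration file attached to this article), the following minimal nginx.conf shows the two points above in one place: a raw TCP passthrough to SRAPS on port 443, restricted to the phone subnet directly in NGINX. The addresses 192.0.2.10 (the container, i.e. the IFACE address) and 192.0.2.0/24 (the phone subnet) are placeholders and must be replaced with your own values.

```nginx
# Added example, not the attached configuration. 192.0.2.10 is a placeholder
# for the container's address on IFACE, 192.0.2.0/24 for the phone subnet.
worker_processes 1;

events {
    worker_connections 256;
}

# Deliberately no "http" block: NGINX never terminates TLS here. It only
# forwards the TCP stream, so phone and SRAPS still verify each other's
# SHA-256 certificates end to end.
stream {
    # Only hosts from the phone subnet may use the tunnel; everyone else,
    # including anything that somehow reaches this port from outside, is
    # refused at the proxy itself (this is the "directly in nginx.conf" option,
    # which firewall rules can complement).
    allow 192.0.2.0/24;
    deny  all;

    upstream sraps {
        # The name is resolved once at startup through the container's system
        # resolver (/etc/resolv.conf). That resolver must be the real upstream
        # DNS and NOT the local Unbound/NSD pair, otherwise the name would point
        # back to this container and the proxy would loop to itself.
        server secure-provisioning.snom.com:443;
    }

    server {
        # Bind only to the interface the phones can reach, not to 0.0.0.0.
        listen 192.0.2.10:443;
        proxy_pass sraps;
        proxy_connect_timeout 10s;
        proxy_timeout 300s;
    }
}
```

After starting the container you can verify the passthrough from a host in the phone subnet by opening a TLS connection to 192.0.2.10:443 with the SNI name secure-provisioning.snom.com: the certificate presented must still be the genuine SRAPS certificate, not one issued by the proxy.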



But how does this work?

Attached to this article you can find a Dockerfile together with several configuration files. Here is a short description of what the daemons do:

  • Nginx
    NGINX is a (reverse) proxy server which establishes the TCP tunnel to reach SRAPS on port 443.
    It listens on port 443 of the provided interface (see How-to below).

  • NSD
    NSD is an authoritative name server. This image provides the configuration to resolve "secure-provisioning.snom.com" and "provisioning.snom.com" to the IP address of the Docker container.
    It is configured to listen on UDP and TCP port 53530 of the provided interface.

  • Unbound
    Unbound is a DNS resolver used here as a forwarder: it forwards requests for the domain snom.com to the NSD daemon and all other requests to the DNS server configured for the container (see /etc/resolv.conf).
    It listens on port 53 of the provided interface.

The Network


  • The black arrows represent the logical network connection: the phones are connected (IP) to the router, which is connected to the Internet. SRAPS is shown in the top right corner.
  • The blue dashed arrows represent the DNS traffic and the HTTPS connection used for provisioning.
  • The red arrow is the provisioning path between the Docker container and SRAPS.



How to build the container


Copy all the files attached to this article into a directory on a Docker node and issue the command

docker build -t sraps_proxy .

This creates an image based on Alpine Linux that contains the necessary software together with the configuration files.


Now you can run the container with the following command:

docker run --name sraps -ti -d --network host -e IFACE=eth0 sraps_proxy

This runs the container on the host network, so all network interfaces are visible to it. The environment variable IFACE specifies which interface is to be used: the interface on which the phones can reach the container.


Attention: any change made inside the container will be discarded after a restart.


Configuring DNS

To make this work, the phones' DNS needs to be 'hijacked'. This means the phones must receive the container's IP address as their DNS server from the DHCP server, so they connect to our NGINX instead of the real IP addresses of the names they request. Of course, if you can do this configuration on your own DNS server or on your router, that is also fine. The way the "unbound" server is configured, the snom.com addresses are resolved to the container.


Snom has many DNS entries; this zone only covers provisioning.snom.com and secure-provisioning.snom.com. Hence, use this DNS server only for the phones!



Downloads