The first thing we need to do is to create a new Device Profile for PJSIP. Go to Settings > Technology Settings > Device Profiles.

Here, we will select the PJSIP Profile Type. Then, enter a Name and Description to identify this device profile. Under Network, we will set the Transport to TLS. And under Media, we will set the Media Encryption to SDES.

Then click on Save, and then Apply Changes.

Next, we will create a new SSL Certificate. Go to Admin > System Settings > Certificates. In this example, we will be creating a Let’s Encrypt certificate. In this module, you can create self-signed certificates and custom SSL certificates you may acquire with an SSL Certificate vendor. Self-signed may be used in local network environments, but they are not recommended as many browsers consider sites using self-signed certificates risky.

For the Let’s Encrypt certificate, we need to enter a Description to identify the certificate, enter the Hostname for the VitalPBX server, and enter the Owner’s Email address.

When creating a Let’s Encrypt certificate, we support Sub-Domains. This means that under hostname, you can enter the main valid FQDN. Then, you can enter a sub-domain, i.e. sip.mydomain.com, that you can use to access the VitalPBX installation if you use this certificate for an HTTPS connection. You can enter multiple sub-domains in this section. This is helpful if you want to separate different tenants by sub-domain, and still use a single VitalPBX instance.

With the fields configured, click Save.

Now, go to Settings > Technology Settings > PJSIP Settings. Under Certificate select the certificate we just created. If you are using multiple sub-domains, you must also enable the Allow Wildcard Certs just created. If you are using multiple sub-domains, you must also enable the Allow Wildcard Certs option. Then, click on Save and then Apply Changes.

Afterward, we will need to assign the device profile we created to the devices we want to use TLS encryption with. Go to PBX > Extensions > Extensions, and under the device section on the Profile field, select the device profile we created.

All that is left is to register the extensions using the TLS port instead of the default port for PJSIP. By default, this is port 5061. Some devices will require you to enable encrypted calls so you are able to use TLS for the voice packets and change the signaling from UDP to TLS. With this, your devices will have their calls encrypted, making their conversations even more private and secure.

This section can work as a checklist of various configurations you can follow when setting up your VitalPBX installation.

1. Never use the same username and password on your extensions.

• It is quite common to see instances where the username and password for extensions are the same as the extension number. This might make remembering the usernames and passwords easier when setting up your devices, but it is the easiest way to get bad actors registering on your PBX
  system. The bad actors can then start placing a massive number of phone calls.
• What we recommend, and taking advantage of VitalPBX’s separation of the extension number and devices, is to use unique usernames and strong passwords for your extensions. You can make the device’s user anything you like, instead of the extension number. VitalPBX also generates a random strong password automatically, so we recommend using this instead of a repeating
  password for all your devices.

2. Use the “Permit” and “Deny” options for your devices.

If possible, you should limit the networks that can reach the registration for your devices. In the case you know that a device will only register from a specific network address, you can use the Permit and Deny options when configuring your devices. Permit will only allow devices from the defined network address or segment to register. Deny will disallow devices from the defined segment to register.

3. Limit extension registration using a Bind Address.

The Bind Address option will also limit who can register to your extensions. With this option, you can limit the network addresses or segments that can register to your extension devices.

4. Change the default ports for the services you are using.

Default ports are one of the most common ways to have your system attacked by online scanners. By changing these ports to another value, bot scanners will have a harder time detecting open spots in your VitalPBX Server. You can change these ports on the VitalPBX firewall. Remember that you also need to change the ports on the Technology Settings module for PJSIP and IAX2. The most common ports to change are PJSIP, IAX2, and SSH.

5. Disable the ports you are not using.

Speaking of ports, if you are not using a service, disabling the port is a better option than changing it to something else. For example, if you are not using IAX2, disable the port on the VitalPBX firewall. This is one less way to detect an open spot by bot scanners.

6. Don’t route inbound calls to very permissive contexts.

When routing incoming calls make sure that you are limiting the incoming calls to only the intended destinations. Using the right Class of Service can help you limit the destination options that someone can reach in a context. For example, don’t have an IVR with a permissive Class of Service. Create one that limits the options to the destinations you intend. If you are using a Custom Context, only allow dialing to a specific destination.

7. Always have the Firewall active and try to place your PBX behind a Firewall
   and/or SBC.

The firewall included in VitalPBX is set to block unwanted access to your PBX. Having it enabled at all times will deter attempts to breach the server. Having an external firewall is another good way to manage the network routes and permissions at a network level to limit access to the VitalPBX server. Finally, an SBC or Session Border Controller is a good way to externally filter registration and other type of events from reaching your VitalPBX server.

8. Use Fail2Ban to automatically detect malicious attempts to enter your PBX.

Using the Fail2Ban application allows you to easily jail malicious attempts towards your VitalPBX server. Fail2Ban will block the connection from an IP Address after multiple failed attempts to access the server. This can be through SSH, PJSIP/IAX2 Registration, or web login. You can set the number of failed attempts and for how long the IP address will be blocked.

Following these suggestions will allow you to have a more secure server and keep your data and work safely. These are ways that you can secure your server out of the box. In the following lessons, we will look into more ways to make your server even safer.

This module is typically used with WebRTC applications such as VitXi, so you can refer to the VitXi manual for more information on its use with that add-on application..

By default, we use ports 8088 and 8089 for the HTTP and TLS Bind addresses. If you change these, make sure you also change it in the Firewall Services under Admin > Firewall > Firewall Services.

To use this mini HTTP server, you need to Enable HTTP, and if you are using a Certificate, you need to Enable TLS. You can also change the Sessions Limit of how many WebSocket/HTTP sessions can be connected at the same time, by default this is 1000 sessions.

If you made any changes here, Save and Apply Changes.

In this module, you can enable Batch Mode for the CDR. With batch mode, instead of logging every call in the CDR as each call ends, the data will be stored in a buffer. The Max Batch Size is how many calls are stored in the buffer, and the Max Batch Time is how often in seconds the calls are transferred from the buffer to the CDR logs and Database.

Note: When Batch Mode is enabled, there is a risk of data loss after unsafe
Asterisk termination. For example, Power Loss, Software Crash, Kill -9, etc. So
keep this in mind when using this feature.

If you made any changes, you can Save and Apply Changes.

The first thing you will notice is that CEL will be disabled by default. This is why you might not see CEL events in the CDR. You can enable them so you can start logging the events. We have it disabled by default, since logging too many CEL events can fill your storage quickly if it is too small.

Here you can select the APPs and Events you wish to log for the CEL events. You can also change the Date Format using the strftime format.

You can then Save and Apply Changes.

With the CEL Events enabled, if you place a new call and check the CEL Events field in the CDR reports, you will now see information being logged.

If you require to change the RTP port range, these can be modified with the RTP Start and End fields. By default, these go from port 10,000 to 20,000. If you change these ports, make sure you also make the changes in the Firewall Services under Admin > Firewall > Firewall Services.

These fields can be left with their default values. You can enable or disable Strict RTP, and
RTP Checksums. We recommend you leave Strict RTP on for security purposes. If it is disabled, VitalPBX will not drop packets that come from any source that is not the source for the RTP stream. If you are using a STUN or TURN server you can enter the necessary information here.

Additionally, you can enable ICE Support in this module. If you are using an ICE server, you can enter your settings under the ICE Host Settings. Where the Local Address is a LAN IP Address, and the Advertised Address is a Public IP Address.

If you made any changes here, Save and Apply Changes.

The list of available voice prompt languages will appear blank in the beginning. To see the list of the latest languages, click on the green Check Online button. Next to the available language, you will find the Actions column. Here you can click the green Install button. This will install the voice prompts for that language. Once installed, you will see a blue Reinstall button, and a red Trash button to delete the voice prompt.

Once the language is installed, you can select more language options for voice prompts.

If you see that the voice prompts for a specific language are not available, we have created the following article so you can translate the prompts directly, https://vitalpbx.com/blog/how-to-translate-for-free-your-pbx-voice/.

In this article, we show you a small application we have created that uses Google© Translate
to translate the voice prompts. You can then verify the translation and record the prompts, or use the following article to use Microsoft© Azure’s Text-to-Speech to record these prompts,
https://vitalpbx.com/blog/free-voice-guide-with-azure-free/. In this other article, we use another small application we have created to connect with Microsoft© Azure’s TTS capabilities to record the prompts for us.

Afterward, you can send the translated recordings to us at sales@vitalpbx.com, and we will be able to add them to a future version of VitalPBX.

In this module, we create a Music on Hold Classes. A class is a playlist of sound files that will play when Music on Hold is used. Music on Hold is usually abbreviated as MOH.

First, you must enter a Name to identify this Music on Hold Class. Then, we select the Mode for this MOH, which can be either Files or Custom. Files will allow you to upload WAV files that can play based on the Sort option you select. You can sort in a Linear fashion, so the Sound Files play in the order they are uploaded, or in a Shuffle fashion and playback in a random order.

The first file is uploaded when you click on Save. To upload more files, you must go back to the MOH Class, select a new sound file, and click on Update. You will see the list of sound files at the bottom of your MOH class. You can playback the sound files or delete them if necessary.

Additionally, you can set the MOH class as the Default MOH class. When you enable this option, every module that uses a MOH class will use this MOH class instead of the default music on hold that comes with VitalPBX. If you set a new MOH class as default, this will disable the option for any other MOH class that had this enabled. You cannot have two default MOH classes at once.

Once you have all your sound files uploaded, you can then Apply Changes.

The other mode available is Custom. This is an extended feature for the MOH module, where you can use a streaming URL to playback instead of predetermined sound files.

To create a custom MOH class, you must enter a Name to identify it and select the Custom mode. Then, you have the Application field. Here, you can select the application to playback the streaming MOH. By default, we use the mpg123 application to playback the music, but you can use any other and enter the parameters here. You can leave this field blank to use the default values.

Next, we have the Streaming URL. This is the URL that has the music stream to playback. This can come from a streaming server or a streaming service that provides this URL.

Make sure that the streaming URL you use does not use HTTPS. This is due to Asterisk not
being able to process HTTPS URLs.

The Format field specifies the format option that the application will provide to Asterisk. The
options you can enter here are the formats that Asterisk can accept, like ulaw, alaw, wav, and
mp3. You can leave this field blank.

You can then Save and Apply Changes.

Note: With Debian 11, there is currently a bug (as of October 2023) with the
FFMPEG libraries that may playback static noise. This may be fixed in a future
version of Debian 11 or Debian 12.

When using a streaming service, make sure that you take into account Copyright based on your local copyright laws, as well as the quality, reliability, and content of the streaming music. Remember that any caller will be able to listen to this stream when reaching your VitalPBX.

First, you must enter the Name of the Voicemail Timezone to create, and select the Time Zone to consider.

Next, we have the Time Definition. This is what will be played back in the envelope for the voicemail message a caller leaves us. The supported values are as follows.

• ‘filename’ – This is any Asterisk Sound to play. The filename must be placed between
  single ticks and in the exact casing of the file without the file extensions.
• ${VAR} – This is a variable substitution. You can use any variable from the Voicemail
  Email Template, such as ${VM_CIDNAME}, ${VM_CIDNUM}, etc.
• A or a – Day of the week (Monday, Tuesday, …).
• B, b, or h – Month name (January, February, …).
• d or e – Numeric day of the month (First, Second, Third, …, Thirty-First).
• Y – Year.
• I – Hour in a 12-hour format.
• H – Hour in a 24-hour format (preceded by “oh”).
• K – Hour in a 24-hour format (not preceded by “oh”).
• M – Minute, with 00 pronounced as “o’clock.”
• N – Minute, with 00 pronounced as “hundred.” (US Military Time)
• P or p – AM or PM.
• Q – This is used for “today”, “yesterday”, or ABdY. (Note: this is not standard strftime)
• R – 24-hour time including minutes.

We already have some Voicemail timezones for eastern, central, central 24, military, and
European. An example of a Time Definition can be as follows.

• Eastern, Time Zone: America/New York – ‘vm-received’ Q ‘digits/at’ IMp

This reads in the GMT (-04:00) Timezone as “Voicemail Received Today at 12:45 PM”.

Here you will find various settings that affect global settings for voicemail in your system. You
can configure the following settings.

• Max Message Length – This is the maximum voicemail message length in seconds.
• Min Message Length – This is the minimum voicemail message length in seconds.
• Greetings Length – This is the maximum greeting length in seconds. The Greeting is
  the recording of the caller’s name.
• Max Silence – This is the maximum silence length in seconds before VitalPBX ends
  the voicemail recording.
• Max Login Attempts – This is the maximum number of attempts users have to log
  into their voicemail box.
• Backup Deleted – This is the maximum number of deleted messages saved in the
  deleted folder.
• Max Messages – The maximum number of messages you can have per voicemail
  box. If set to 0, the voicemail box will be greetings only.
• Locale – This is the locale used for dates. For more locales, you will need to install
  them directly to the operating system. If you use multiple languages, we recommend
  not using letters for the date format.
• MP3 Attachments – This is an extended feature, only available when you have a
  Starter License or any of our licensing plans. This will convert the voicemail recordings
  to MP3 files when attaching them using the voicemail-to-email feature.
• Move Heard Msg – This will move heard voicemail messages to the OLD voicemail
  folder automatically.
• Force Name – This will force the users to record their names for their voicemail box.
• Force Greetings – Similar to Force Name, where callers will be forced to record a
  greeting.
• Use Directory – Allows you to find entries for forward/compose from the voicemail
  menu.
• Review Msg – This allows the callers to review their message prior to sending it to the
  extension’s voicemail box.
• Email Date Format – Here you can define the date format for outgoing emails. You
  must use standard strftime format string. The most common options are as follows.
• %A – Full day name.
• %a – Abbreviated day name.
• %d or %e – Day of the month in number.
• %B – Full month name.
• %b or %h – Abbreviated month name.
• %m – Month number.
• %Y – Full year with the century.
• %y – Year abbreviation without the century.

Additionally, you will find the Email Settings tab. This is the same as the template found under
the Email Templates module.

Here, you will find the template used for the voicemail-to-email feature. You can see the list of
variables you can use for the email body. If you made any changes, go ahead and Save and
Apply Changes.