Difference between revisions of "Proxy"

From "PTTLink Wiki"
Line 1: Line 1:
=Description/Explanation =
+
 
 +
==Description/Explanation ==
  
 
Occasionally there is a need to have an Allstar Link Server in an 'itinerant' location (one that is non-permanent and possibly even moving). In such a situation it is certainly quite likely that the device's IP address may change quite often (perhaps even several times per hour or more). Also, the form of IP connectivity available to the device may not necessarily be suitable for normal Server operation (such as being behind NAT translation, firewalls, etc. that the Server owner has no control of). Normal operation requires farily stable IP addressing and full public access to at least UDP port 4569 (for IAX2 connectivity) to the Server. Typical examples of 'itinerant' environments include setting up a tiny portable node in a hotel room, utilizing the Internet connectivity provided by the hotel, or having a mobile node on a mobile data network that provides connectivity via some sort of NAT arrangement.
 
Occasionally there is a need to have an Allstar Link Server in an 'itinerant' location (one that is non-permanent and possibly even moving). In such a situation it is certainly quite likely that the device's IP address may change quite often (perhaps even several times per hour or more). Also, the form of IP connectivity available to the device may not necessarily be suitable for normal Server operation (such as being behind NAT translation, firewalls, etc. that the Server owner has no control of). Normal operation requires farily stable IP addressing and full public access to at least UDP port 4569 (for IAX2 connectivity) to the Server. Typical examples of 'itinerant' environments include setting up a tiny portable node in a hotel room, utilizing the Internet connectivity provided by the hotel, or having a mobile node on a mobile data network that provides connectivity via some sort of NAT arrangement.
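Review bot: the new heading "==Description/Explanation ==" has a trailing space before the closing markers but none after the opening ones, while the other heading changed in this edit is written "== Portal-Based Configuration for Server Proxy Clients =="; writing it as "== Description/Explanation ==" would keep one spacing style. The unchanged paragraph under it still reads "farily stable IP addressing", which could be corrected to "fairly" in the same edit.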
Line 7: Line 8:
 
When such a relationship exists, all inbound traffic destined for Nodes on the Server Proxy Client is directed to the Server Proxy Server, which accepts and authenticates the traffic, then forwards it off to the Server Proxy Client via a direct (non-public) peering arrangement. Any traffic outbound from Nodes on the Server Proxy Client is directed to the Server Proxy Server, which forwards it to the appropriate location, thus requiring the Server Proxy Client only to be 'reachable' by the Server Proxy Server, and not all nodes on the entire Internet.
 
When such a relationship exists, all inbound traffic destined for Nodes on the Server Proxy Client is directed to the Server Proxy Server, which accepts and authenticates the traffic, then forwards it off to the Server Proxy Client via a direct (non-public) peering arrangement. Any traffic outbound from Nodes on the Server Proxy Client is directed to the Server Proxy Server, which forwards it to the appropriate location, thus requiring the Server Proxy Client only to be 'reachable' by the Server Proxy Server, and not all nodes on the entire Internet.
  
= Portal-Based Configuration for Server Proxy Clients =
+
== Portal-Based Configuration for Server Proxy Clients ==
  
 
Since any Allstar Link Server can be a Server Proxy Server, it can not be assumed that both the Server Proxy Client and the Server Proxy Server belong to the same Allstar Link User (or even the same organization, etc.). Therefore, designation and specification of these Proxy relationships are not allowed to be done directly from the Portal (it must be requested by email to Allstar Link Network Validation Staff by both the party that owns the Server Proxy Client, and the party that owns the Server Proxy Server). Once configured by the Staff, the Portal will automatically generate configuration for the Server Proxy Client appropriately. The Server Proxy Server configuration must always be done manually. This provides the ability for a Portal-Configured Server Proxy Client to be in a Proxy relationship with any appropriately configured Server Proxy Server.
 
Since any Allstar Link Server can be a Server Proxy Server, it can not be assumed that both the Server Proxy Client and the Server Proxy Server belong to the same Allstar Link User (or even the same organization, etc.). Therefore, designation and specification of these Proxy relationships are not allowed to be done directly from the Portal (it must be requested by email to Allstar Link Network Validation Staff by both the party that owns the Server Proxy Client, and the party that owns the Server Proxy Server). Once configured by the Staff, the Portal will automatically generate configuration for the Server Proxy Client appropriately. The Server Proxy Server configuration must always be done manually. This provides the ability for a Portal-Configured Server Proxy Client to be in a Proxy relationship with any appropriately configured Server Proxy Server.

Revision as of 05:46, 22 June 2018

Description/Explanation

Occasionally there is a need to have an Allstar Link Server in an 'itinerant' location (one that is non-permanent and possibly even moving). In such a situation the device's IP address is quite likely to change often (perhaps even several times per hour or more). Also, the form of IP connectivity available to the device may not be suitable for normal Server operation (for example, it may be behind NAT, firewalls, etc. that the Server owner has no control over). Normal operation requires fairly stable IP addressing and full public access to at least UDP port 4569 (for IAX2 connectivity) on the Server. Typical examples of 'itinerant' environments include setting up a tiny portable node in a hotel room, utilizing the Internet connectivity provided by the hotel, or having a mobile node on a mobile data network that provides connectivity via some sort of NAT arrangement.

In a situation like this, it is possible to set up a Proxy relationship between such a Server and a Server located in a permanent position with a permanent IP address and good connectivity. For the purposes of explanation, the Server in the 'itinerant' location/situation will be referred to as the Server Proxy Client, and the Server that is in the Permanent/Stable location/situation will be referred to as the Server Proxy Server.

When such a relationship exists, all inbound traffic destined for Nodes on the Server Proxy Client is directed to the Server Proxy Server, which accepts and authenticates the traffic, then forwards it off to the Server Proxy Client via a direct (non-public) peering arrangement. Any traffic outbound from Nodes on the Server Proxy Client is directed to the Server Proxy Server, which forwards it to the appropriate location, thus requiring the Server Proxy Client only to be 'reachable' by the Server Proxy Server, and not all nodes on the entire Internet.

Portal-Based Configuration for Server Proxy Clients

Since any Allstar Link Server can be a Server Proxy Server, it cannot be assumed that both the Server Proxy Client and the Server Proxy Server belong to the same Allstar Link User (or even the same organization, etc.). Therefore, these Proxy relationships cannot be designated or specified directly from the Portal; they must be requested by email to Allstar Link Network Validation Staff by both the party that owns the Server Proxy Client and the party that owns the Server Proxy Server. Once the Staff have configured the relationship, the Portal will automatically generate the appropriate configuration for the Server Proxy Client. The Server Proxy Server configuration must always be done manually. This allows a Portal-Configured Server Proxy Client to be in a Proxy relationship with any appropriately configured Server Proxy Server.

Manual Configuration for Server Proxy Clients

First, you must configure a peering arrangement with the Server Proxy Server.

This is done by adding the following into the /etc/asterisk/iax.conf file:

[radio-proxy]
type=user
deny=0.0.0.0/0.0.0.0
permit=<Server Proxy Server IP Address>/255.255.255.255
context=radio-secure-proxy
disallow=all
allow=g726aal2
transfer=no

[radio-proxy-out]
type=peer
host=<Server Proxy Server IP Address>
username=<First (or only) node number on this Server to be proxied>
secret=<Agreed-Upon Password for specified node (for Proxy peering)>
auth=md5
disallow=all
allow=g726aal2
transfer=no

You must put in an appropriate register statement for all nodes on the Server Proxy Client allowing registration with the Server Proxy Server using Agreed-Upon Passwords.

If the Server Proxy Server is the Allstar Network Registration Server, then the IP Address will be 67.215.233.178, the Username and Password will be the node number and node password of one of the nodes on the system that is registered with it, and no additional registration line is necessary, since there already is one for that node.
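A check for the two client-side iax.conf stanzas above, added here as an example and not part of the original page or of Asterisk: it confirms that [radio-proxy] denies everything except one host, that this host is the one [radio-proxy-out] dials, and that no <...> placeholder was left in the secret. The function names, the sample address 203.0.113.10 and the sample secret are constructed for illustration.

```python
import ipaddress

def parse_stanzas(text):
    """Parse Asterisk-style INI text into {section: {key: [values]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = stanzas.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return stanzas

def audit_proxy_client(text):
    """Return a list of findings for the two client-side proxy stanzas."""
    s, findings = parse_stanzas(text), []
    user, peer = s.get("radio-proxy", {}), s.get("radio-proxy-out", {})
    if user.get("deny") != ["0.0.0.0/0.0.0.0"]:
        findings.append("radio-proxy: missing deny=0.0.0.0/0.0.0.0")
    try:
        nets = [ipaddress.ip_network(p, strict=False) for p in user.get("permit", [])]
    except ValueError:  # e.g. the <...> placeholder was never replaced
        nets = []
    if len(nets) != 1 or nets[0].num_addresses != 1:
        findings.append("radio-proxy: permit must name exactly one host")
    elif peer.get("host") != [str(nets[0].network_address)]:
        findings.append("radio-proxy: permit differs from radio-proxy-out host")
    secret = (peer.get("secret") or [""])[0]
    if not secret or secret.startswith("<"):
        findings.append("radio-proxy-out: secret is empty or still a placeholder")
    if peer.get("auth") != ["md5"]:
        findings.append("radio-proxy-out: auth is not md5 as the page specifies")
    return findings

# Constructed sample: 203.0.113.10 is a documentation address, secret is made up.
GOOD = """
[radio-proxy]
type=user
deny=0.0.0.0/0.0.0.0
permit=203.0.113.10/255.255.255.255
[radio-proxy-out]
type=peer
host=203.0.113.10
secret=constructed-example-secret
auth=md5
"""
BAD = GOOD.replace("203.0.113.10/255.255.255.255", "0.0.0.0/0.0.0.0") \
          .replace("constructed-example-secret", "<Agreed-Upon Password>")
```

audit_proxy_client(GOOD) returns an empty list; BAD yields one finding for the wide-open permit and one for the unreplaced secret.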

The following needs to be added to the /etc/asterisk/rpt.conf file:

[nodes]
<Stuff that was already there, etc....>
_20XX = radio-proxy-out/0%s
_21XX = radio-proxy-out/0%s
_22XX = radio-proxy-out/0%s
_23XX = radio-proxy-out/0%s
_24XX = radio-proxy-out/0%s
_25XX = radio-proxy-out/0%s
_26XX = radio-proxy-out/0%s
_27XXX = radio-proxy-out/0%s
_28XXX = radio-proxy-out/0%s
_29XXX = radio-proxy-out/0%s

The following needs to be added to the /etc/asterisk/extensions.conf file:

[radio-secure-proxy]
exten => _0X.,1,Goto(allstar-sys|${EXTEN:1}|1)

Plus, for each node on the system (also to be put in the radio-secure-proxy section):

exten => <Node Number>,1,rpt,<Node Number>|X

Configuration for Server Proxy Servers

First, you must configure a peering arrangement with the Server Proxy Client. This is done by adding the following into the /etc/asterisk/iax.conf file for each node in the peering arrangement:

[<Node Number>]
type=friend
host=dynamic
username=radio-proxy
secret=<Agreed-Upon Password for the Proxy peering>
auth=md5
context=radio-in
disallow=all
allow=g726aal2
transfer=no

The following needs to be done to the /etc/asterisk/extensions.conf file:

The following section needs to be added:

[radio-in]
exten => _0N.,1,Rpt(${EXTEN:1}|F)
exten => _0N.,n,Hangup

The following section needs to replace the existing [radio-secure] section:

[radio-secure]
exten=_20XX,1,Rpt,${EXTEN}
exten=_21XX,1,Rpt,${EXTEN}
exten=_22XX,1,Rpt,${EXTEN}
exten=_23XX,1,Rpt,${EXTEN}
exten=_24XX,1,Rpt,${EXTEN}
exten=_25XX,1,Rpt,${EXTEN}
exten=_26XX,1,Rpt,${EXTEN}
exten=_27XXX,1,Rpt,${EXTEN}
exten=_28XXX,1,Rpt,${EXTEN}
exten=_29XXX,1,Rpt,${EXTEN}

The following needs to be added to the [allstar-sys] section:

exten => _9.,1,Rpt(${EXTEN:2}|X|${EXTEN:1:1})
exten => _9.,n,Hangup

The following needs to be added to the /etc/asterisk/rpt.conf file:

[proxy]
ipaddr=<Public IP address of this Server Proxy Server>

The Server Proxy Server will be able to determine, from the IP address as distributed in the /var/lib/asterisk/rpt_extnodes file, the nodes for which it needs to provide Proxy service.
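How a node number travels through the dialplan patterns above, as an added example (not code from the page or from app_rpt). It assumes app_rpt substitutes the dialed node number for %s in the [nodes] values and that calls from the Server Proxy Client arrive in the [radio-in] context set in the server's per-node stanza; the function names are illustrative.

```python
import re

# Asterisk pattern classes: X = 0-9, Z = 1-9, N = 2-9, '.' = one or more chars.
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+"}

def matches(pattern, exten):
    """True if exten matches an Asterisk '_'-prefixed dialplan pattern."""
    body = "".join(CLASSES.get(ch, re.escape(ch)) for ch in pattern[1:])
    return re.fullmatch(body, exten) is not None

# Client rpt.conf [nodes] patterns from the page: _20XX.._26XX, _27XXX.._29XXX.
CLIENT_NODES = [f"_2{d}XX" for d in "0123456"] + [f"_2{d}XXX" for d in "789"]

def client_dial_string(node):
    """Dial string the Server Proxy Client uses for a remote node, or None."""
    if any(matches(p, node) for p in CLIENT_NODES):
        return "radio-proxy-out/0%s" % node  # assumption: %s = dialed node
    return None

def server_radio_in(exten):
    """Application the Server Proxy Server runs in [radio-in], or None."""
    if matches("_0N.", exten):
        return "Rpt(%s|F)" % exten[1:]  # ${EXTEN:1} drops the leading 0
    return None

def client_radio_secure_proxy(exten):
    """Target of the client's [radio-secure-proxy] _0X. rule, or None."""
    if matches("_0X.", exten):
        return "Goto(allstar-sys|%s|1)" % exten[1:]
    return None

def trace(node):
    """Follow an outbound connect request from client to proxy server."""
    dial = client_dial_string(node)
    if dial is None:
        return None
    return dial, server_radio_in(dial.split("/", 1)[1])
```

trace("2345") shows the 0 prefix being added on the client and stripped again on the server; a four-digit number such as "2712" matches none of the [nodes] patterns and is never sent to the proxy peer.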