VoIP with DrayTek vigor IP PBX 2820 & Linksys SPA941

Running a small business? Fed up with the limitations and cost of a fixed landline or ISDN 30 phone system?  Moving to a VoIP (Voice Over IP) system may seem daunting but is actually fairly simple.

In addition to your existing Internet connection you will need a SIP (Session Initiation Protocol) trunk; we’ve always used OrbTalk.  Once you have signed up they will send you the connection details you need when setting up the DrayTek vigor IP PBX 2820.

DrayTek vigor IP PBX 2820

The DrayTek vigor IP PBX 2820 modem router is an all in one ADSL modem, small business router and IP PBX.  I was very impressed with the number of features this device has, including:

  • Dual WAN support (1x ADSL modem + 1 External WAN port)
  • 4 port switch (1x 1000Mb, 3x100Mb)
  • USB port for printer sharing or backup WAN via 3G dongle
  • PSTN phone line support
  • ISDN support

The ability to use dual WAN is great, we have a DSL connection for our main access but also a regular copper landline (for backup voice calls) and a failover 2mb ADSL connection.  The single Gigabit port is great to allow the connection of a server machine or in our case connection to our Gigabit switch.

Linksys SPA941

The SPA941 is actually a Cisco phone branded under Linksys.  According to Cisco it is also an end-of-line model even though availability online seems good at the end of 2010.

It’s a great IP phone, supporting 4 lines and a web interface for configuration.  There are also a nice set of hot keys on the phone for managing calls, putting people on hold and transferring calls between handsets.  The phone also supports direct connection to a SIP trunk so can be used at home if you don’t need PBX functionality.  It’s also very handy for testing your newly activated SIP trunk before configuring the PBX.

Testing the SIP trunk directly on the Linksys SPA941

To test out your new SIP trunk you can put the values directly into the SPA941.  The picture below shows the phone’s internal web config section; key fields have been highlighted.

SPA941 direct SIP connection

Let the phone reboot and the display should light up and allow you to make a test call to your mobile to confirm all is working.

Configuring the DrayTek vigor IP PBX 2820

The DrayTek actually has a pretty good IPPBX Wizard accessible from the router’s web interface.  If you just want to cover the basics of getting VoIP calls set up I’ve outlined the key areas below.  I have assumed you can get yourself an active Internet connection set up first.

[IP PBX] -> [Line Setting] -> [SIP Trunk] to setup your SIP Trunk

Vigor2820 SIP Trunk Setup

[Sip Local Port] and [Proxy Port] are standard for most providers but check with yours.  [Profile Name] and [Display Name] are simply labels.  You should be able to fill in the rest of the details from your provider.

The last two fields we have set up define call handling.  All incoming calls are sent to extension 101 (reception) during office hours, and outside office hours all the phones in the main office group will ring. (Groups are trivial to set up; I’m sure you can manage them later.)

[IP PBX] -> [Extension]

Now you’ve set up the main SIP trunk you need to add one handset, in our case reception on extension 101.

Vigor 2820 Extension Profile

As you can see it’s pretty self-explanatory what needs filling out here.  Make sure you remember the password you set for the handset as you will need it when you register the handset with the PBX later.

Note: It may be better for a reception phone to forward to a different internal extension if busy rather than go to voicemail but you can choose settings suitable for your environment.

[IP PBX] -> [Dial Plan] -> [Digit Map]

Press 9 for an outside line?  This is where you set it up.

Important: If you do not enter a Dial Plan you won’t be able to make any external calls as the system does not know where to route external numbers.

Vigor2820 DialPlan Setup

The prefix number must be the first number entered and maps the call to the route specified; in this case dialling 9 first routes to VoIP1 (I’ve no idea why this isn’t named “IP Provider” as we set up in our SIP Trunk?).

The Mode, strip, means that the first occurrence of the number 9 dialled will be removed, leaving the SIP Trunk provider to route the remaining number.
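To make the digit map behaviour concrete, here is an added example (my own model, not the DrayTek firmware or anything from the post) of how a prefix rule with Mode = strip routes dialled numbers.  It assumes a simple table of (prefix, mode, route) rows; the route name VoIP1 and extension 101 are from the post, the other extensions and the dialled numbers are constructed.

```python
# Added model of the Vigor 2820 digit map: not DrayTek code.
# Assumed rule shape: a prefix that must be the first digits dialled, a mode
# ("strip" removes the prefix once, "keep" passes the digits through unchanged)
# and the route the call is handed to (e.g. the SIP trunk "VoIP1").
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DigitMapRule:
    prefix: str   # e.g. "9" for an outside line
    mode: str     # "strip" or "keep"
    route: str    # e.g. "VoIP1"


def route_call(dialled: str, digit_map: Tuple[DigitMapRule, ...],
               extensions: Tuple[str, ...]) -> Optional[Tuple[str, str]]:
    """Return (route, number_sent) for a dialled string, or None if unroutable.

    Internal extensions match exactly and first.  External numbers are only
    routable through a digit-map prefix, which is why an empty dial plan means
    no external calls at all.
    """
    if dialled in extensions:
        return ("extension", dialled)
    for rule in digit_map:
        if dialled.startswith(rule.prefix):
            if rule.mode == "strip":
                # Only the leading prefix is removed; any later 9s are part
                # of the number itself and are passed on to the trunk.
                number = dialled[len(rule.prefix):]
            else:
                number = dialled
            return (rule.route, number)
    return None


# Constructed configuration matching the post: "9 for an outside line",
# routed to VoIP1 with Mode = strip, plus reception on extension 101.
DIGIT_MAP = (DigitMapRule(prefix="9", mode="strip", route="VoIP1"),)
EXTENSIONS = ("101", "102", "103")
EMPTY_DIGIT_MAP: Tuple[DigitMapRule, ...] = ()


if __name__ == "__main__":
    for dialled in ("101", "901904999999", "01904999999"):
        print(dialled, "->", route_call(dialled, DIGIT_MAP, EXTENSIONS))
    print("no dial plan:", route_call("901904999999", EMPTY_DIGIT_MAP, EXTENSIONS))
```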

Register SPA941 with the DrayTek vigor IP PBX 2820

Log into the web config page of the handset you want to be extension 101 and select the Ext1 tab.  Where before we entered the raw information from our SIP Trunk provider, this time we enter the local LAN address of the PBX in the [Proxy:] field.  For the [User ID:] enter the extension you set up in [IP PBX] -> [Extension] and enter the [Password:] you chose too.  OK the changes and this should register the phone with the PBX.

Register the SPA941 phone with the PBX

To check everything is working OK go back to the router / PBX web config and check [IP PBX] -> [PBX Status] -> [Extension Monitor].

Vigor2820 PBX Status

Here you can see we have registered three handsets with the PBX that are active and online.

From here you can add more handsets as extensions and create groups for departments.  There are a lot of features on this IP PBX and even more on the router, so head over to the DrayTek site for the full documentation.

Posted in Hardware, Networking, VoIP | 5 Comments

Small Business Security Review

I’ve been doing some security reviews for a number of small companies over the last month or so, mainly companies operating in shared office space who don’t have a full time tech or support contract.  I knew there would be some holes but I was in for a surprise and this got me thinking about how computer security is presented in the media and tech community.

There were so many issues that I created a top 10 of what I think are the biggest areas of risk for these small companies.  The following post is very long.

10. No Backups or encryption of laptops

A lot of the companies only buy laptops for employees now.  These laptops are used at work for business but are also taken home by employees, left in cars overnight, used by their kids etc, so most are in a bad state.  I think as an industry encrypting portable devices needs to be easier, especially for small companies who are frightened by ideas like encryption.

9. No anti virus

I’ve put this at number 9 as when was the last time your AV picked up a virus?  However, when was the last time you got hit by spyware?  I think spyware / malware is more serious, but on a properly patched, up-to-date system with a user running limited privileges, suffering a virus is less of a problem these days. (I would still recommend virus scanning of emails for corporate users.)

8. No domain

A lot of smaller companies don’t run a domain.  They might have a Server 2003 file server but with individual local accounts, and all the PCs have half a dozen local accounts with passwords matched up to the file server.  While it’s not a bad thing if managed properly, it is a lot more time consuming and there is a risk of leaving security holes open with so many places to set passwords.

7. WEP only wireless security

A couple of the businesses still ran WEP to secure their access points.  I know there is a lot written about the ease with which WEP can be broken, and I’ve even had some geek fun breaking into my own WEP network using an external USB wi-fi card and a Linux live CD, but in reality who actually does this?

If the media is to be believed and you run WEP you’ll have shady men in black and geeky teenagers hacking your network and bankrupting the company.  In reality who is going to want to hang out on an industrial estate to hack “bobs carpets” or “Industry incorporated ltd” to use their 2mb internet connection?  Of course once you are on the network you can proceed to attack file servers to try and access corporate files, but proper layered security would make that extremely difficult, and you have that in place, right?

I’d always recommend the best wireless security you can have but WEP is still better than nothing at all to deter the opportunist.

6. Every user is a local Administrator on all machines

Security isn’t just about keeping external bad guys out; there is also a risk from internal users who either maliciously or through incompetence can damage the IT systems.

On almost every single PC I looked at, all the users on the machine were local administrators.  That is fairly standard for Windows XP, but most Vista machines had UAC on and again users were local administrators.  More worrying was that at the companies that didn’t run domains, all users who accessed the file servers were local administrators on those servers.  This of course means that all users of the server can, by default as an administrator, change all files on that server and its operating configuration.

I’m not surprised to find a setup like this as it makes file access super easy, but also super easy for people to access files you don’t want them to.

5. IUSR_<MachineName> is a local Administrator

Finding the IIS6 user account IUSR_<MachineName> in the local administrators group on a Server 2003 machine was a first.  It turned out that a 3rd party supplier had installed some software on the server that the company used for shipping invoicing and they had set it up like this.  When I asked why the users said “because it just worked like that?”

What the people installing the app and making this configuration change didn’t (or did!) realise is that any web user arriving at the box requesting pages or details from the shipping app ran as a local administrator with all the implied privileges.  Any error in the application or exploit in IIS (on an unpatched server) would be able to compromise the web box as the administrator!
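For points 6 and 5 the check I actually want on every box is the membership of the local Administrators group.  The following is an added example of my own (not from the post or any vendor) that parses the output of “net localgroup Administrators” and flags ordinary users and any IUSR_ account found in the group.  The sample output below is constructed, the machine name SRV01 is made up, and the allow list is an assumption you would adjust for your own environment.

```python
# Added audit helper: flags unexpected members of the local Administrators group.
# Parses "net localgroup Administrators" output; the sample below is constructed,
# not captured from a real machine, and SRV01 is a made-up machine name.
import re
import subprocess
from typing import List, Set

SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
IUSR_SRV01
bob
jane
The command completed successfully.

"""

# Assumed allow list: accounts a small office might legitimately keep in the group.
ALLOWED_ADMINS = {"administrator"}


def parse_net_localgroup(text: str) -> List[str]:
    """Return the member names listed between the dashed rule and the trailer."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        return []
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def risky_admins(members: List[str], allowed: Set[str]) -> List[str]:
    """Flag members that should not hold administrator rights.

    IUSR_* is the anonymous IIS web user: as an administrator, every anonymous
    web request to that server runs with admin rights (point 5).  Any other
    name outside the allow list is a regular user with admin rights (point 6).
    """
    flagged = []
    for m in members:
        if re.match(r"IUSR_", m, re.IGNORECASE):
            flagged.append(f"{m}: IIS anonymous web account is a local administrator")
        elif m.lower() not in allowed:
            flagged.append(f"{m}: ordinary user is a local administrator")
    return flagged


def audit_local_admins() -> List[str]:
    """Run the real command on a Windows box and audit its output."""
    out = subprocess.run(["net", "localgroup", "Administrators"],
                         capture_output=True, text=True, check=True).stdout
    return risky_admins(parse_net_localgroup(out), ALLOWED_ADMINS)


if __name__ == "__main__":
    for finding in risky_admins(parse_net_localgroup(SAMPLE_OUTPUT), ALLOWED_ADMINS):
        print(finding)
```

On a domain-joined machine the group will also list DOMAIN\Domain Admins; add that to the allow list rather than suppressing the warning.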

4. Misconfigured SharePoint sites exposing corporate information

I’m no fan of SharePoint, mainly because it’s so complicated, but it’s still important to secure.  Another company running reports through SharePoint from http://domain.co.uk/repots/trans/report.aspx had a nice report on the .aspx page, but browsing back down the directory path exposed all the other directories and files.  This was because anonymous access was left on and the user that ran the report was the SharePoint administrator.

All the users I asked had no idea they could drop back a level and see other reports; to them all they knew was the one URL to the report.aspx page.  They were genuinely surprised to learn that security through obscurity wasn’t actually worth anything.

3. No patch management

Personally I think 50% of all security problems could be avoided by having all your systems up to date with the latest patches, not only for Windows desktops and servers but also for plugins and 3rd party apps.  Adobe Flash is probably the biggest security patch needed after Windows OS patches.

When a new exploit is found a tool is developed to search the internet for vulnerable machines.  If you leave your machines unpatched you are an ideal target, and if you are running as a local administrator too it just makes the job of using your machine for other nefarious web attacks that much easier.

This is where SBS (Small Business Server) comes in handy: it now includes WSUS (Windows Server Update Services), and with machines on the domain updates are automatically pushed out to users’ laptops and PCs as needed, an essential part of a security plan.

2. Bad password policy / Non expiring passwords

I know passwords have become a real pain in modern life.  A pin for your bank cards, passwords for online shopping sites, passwords at work and security tokens for physical access are all things to remember.

I know that larger organisations enforce password complexity, history and a lifespan, but even the Windows Server 2008 default complexity of 6 characters or more and two of the following: uppercase, number, special character, can be met with the following password: Password1

Couple this with most users just wanting to do their job and not have to remember passwords, and you get non-expiring passwords (in small companies with no real admins), people sharing accounts, and passwords written on post-it notes stuck to monitors.  It’s a terrible situation for security.

The only real solution is user training, and an understanding by management that computer security is important.  When something goes wrong they are usually looking to place blame, and if it’s down to a lax security policy or ignorance on the part of management I know exactly where I would lay that blame.

1. Backups never taken offsite

This is the winner for me.  I’ve seen some massive holes in a company’s security while doing these reviews, but when I asked the receptionist at one company what the Western Digital My Book on her desk was used for, this was the conversation.

Me: Do you know what these external disks are for?

Receptionist: Oh, they are connected to the server?

Me: The server is under your desk?

Receptionist: Yes, the last tech guy said they are for the backups.

Me: Oh good you have backups, who takes the disks home at night?

Receptionist: oh no, they live on my desk, they’ve never left the company, it’s the backup!

Me: Well what would you use as a backup if the building burnt down?

Receptionist: …?

Conclusion

As a computing professional I’ve been educated to make systems secure, run with least privilege, and only allow access where needed, but small companies on the whole follow none of these rules.

Which makes me consider how security is reported.  If you read any security blog or news report you are led to believe that if you have an insecure system, as many of the companies I saw had, you will have your corporate secrets stolen, machines used as botnets and virus infections galore.

I saw none of the signs of this; even when I got antivirus installed and scanned there were no infections.  There was also no unusual network activity after watching the traffic for a week, and people hadn’t reported anything unusual.

Now I know that chances are you wouldn’t know you are compromised, but it does seem worrying that many companies are running the risk of being exposed by operating with the above security holes.

Posted in Security | Leave a comment

SQLBits 7

I’m back from my first SQLbits held in York last week and it was a great experience, something I will be urging all computer professionals who interact with SQL Server to attend in future.

Unfortunately I couldn’t attend the full day deep-dives on the Thursday, but I paid to attend on the Friday and thanks to the great sponsors the Saturday was free.  SQLBits seemed very well organised and, talking to attendees who had been before, the standard was as good as ever.  The catering during the event was great with plenty available, and there were nice touches like a free shuttle bus daily from the train station.

The event was about community learning and it delivered: two days of great sessions from the most senior and experienced SQL professionals.  I was lucky enough to hear sessions from Brad McGehee, Brent Ozar, Thomas Kejser and Buck Woody.

I know there are other excellent speakers, and some of the niche areas of SQL had outstanding speakers, but I think the reason I personally like conferences so much is that these heavyweight speakers, people who write books on SQL and blog extensively on the subject, are available to chat and offer help and advice on becoming a better SQL professional.

Coming from a programming background, Brad McGehee’s session on SQL Server health checks was a good insight into how much work it takes to get your SQL Servers in line.  I was also impressed with the extensibility of SQL Server, particularly SSIS (SQL Server Integration Services), in Sascha Lorenz’s session on .Net developers and the BI stack.

Finally it was great to see so many great vendors and sponsors there.  Microsoft and Redgate I knew, but I discovered new ones: Quest Software did a great lunch session and Fusion-IO gave away some killer PCI-E SSD cards.  I was lucky enough to pick up a cool (or hot) SQL Server 2008 R2 mug.

SQL Server 2008 R2 mug

Overall SQLBits rocked, great speakers, excellent location, friendly attendees and loads of prizes.  I can’t wait till the next one.

Posted in Conference, Microsoft, SQL Server | 4 Comments

Back to the UK for SQLBits

So after a fun time in Boulder, Colorado, USA I’m heading home to the UK again.  Just in time too, as I thought I was going to miss the largest SQL Server conference in Europe, SQLBits.

I’m really pleased that SQLBits is being held in York this year, which is so ridiculously close to where I live that it would be stupid not to go.  I’ve also been thinking that even if it were held in London, for example, and I needed to get a hotel, the cost as a professional developer is worth it for my career learning as well as for a valuable networking and social event for computing folks.

Check out the SQLBits website http://sqlbits.com for full details but it breaks down like this:

  • Thursday – Pre-Conference day with 8 specialist seminars
  • Friday – 7 Wonders of SQL deep dive sessions
  • Saturday – Community conference day

The best part is that the Saturday, the community day, is free, so there is no reason not to go.

Posted in Conference, SQL Server | 1 Comment

WCF POST test harness

Writing RESTful JSON services with WCF is fun; in fact I do it for a living.  One thing that every developer finds useful is a small program for testing calls, trying new ideas etc, so here is my C# test harness for handling POST requests.

using System;
using System.IO;
using System.Net;
using System.Text;

// Console application wrapper so the harness runs as-is.
class PostTestHarness
{
    static void Main()
    {
        PostThis();
    }

    private static void PostThis()
    {
        const string baseUrl = "http://127.0.0.1";
        const string port = ":81/";
        const string serviceEndpoint = "Rest.svc/";
        const string serviceAction = "Client/user@email.com/";

        // Create the URL to POST the request data to.
        string url = baseUrl + port + serviceEndpoint + serviceAction;
        Console.WriteLine("Making POST request to: " + url);
        Uri address = new Uri(url);

        // Create the web request
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(address);

        // Set the Method property of the request to POST
        request.Method = "POST";
        // Set the ContentType to JSON;
        // our service is expecting WebMessageFormat.Json
        request.ContentType = "application/json; charset=utf-8";

        // Define the parameters (the JSON request body).
        // Note: with a plain http:// baseUrl this body travels in clear text.
        string data = "{\"password\":\"S3cretP@ssw0rd\"}";

        // Create a byte array from the parameters
        byte[] byteData = Encoding.UTF8.GetBytes(data);

        // Set the content length in the request headers
        // (this may require back end service alterations)
        request.ContentLength = byteData.Length;

        // Make the request by streaming the data;
        // the using block closes the stream for us
        using (Stream dataStream = request.GetRequestStream())
        {
            dataStream.Write(byteData, 0, byteData.Length);
        }

        try
        {
            // Receive the response and read the response stream;
            // both are disposed when the using blocks end
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                // Write output to the console
                Console.WriteLine();
                Console.WriteLine("Response: ");
                Console.WriteLine(reader.ReadToEnd());
            }
        }
        catch (WebException ex)
        {
            // A 4xx/5xx status (e.g. the 400 for a wrong ContentType) throws a
            // WebException; the error response body usually says why
            Console.WriteLine(ex.Message);
            if (ex.Response != null)
            {
                using (StreamReader errReader = new StreamReader(ex.Response.GetResponseStream()))
                {
                    Console.WriteLine(errReader.ReadToEnd());
                }
            }
        }
        catch (Exception ex)
        {
            // Display any other exceptions
            Console.WriteLine(ex.ToString());
        }

        Console.WriteLine("Press enter to quit");
        Console.ReadLine();
    }
}

Many examples exist on the web for making POST web requests, but most of them specify the incorrect ContentType for JSON WCF services; usually you will find this:

request.ContentType = "application/x-www-form-urlencoded";

Instead for JSON services you need to use:

request.ContentType = "application/json; charset=utf-8";

If you use the incorrect ContentType you will get the following HTTP 400 error:

“The remote server returned an error: (400) Bad Request”

Simply change the service endpoint constants at the top of the code to your details and test away.  I like to run the code in a simple console application.  I may do a separate post on the WCF service configuration if I get time.

Also, if you’re looking for a nifty tool to test JSON response data look no further than these guys http://jsonformatter.curiousconcept.com/

Posted in .Net, Microsoft, Testing, WCF | 2 Comments