Wednesday, December 3, 2008

Some of you may be familiar with some work I did in the past to simplify the deployment of remote extensions using a combination of OpenVPN on a 3CX server and a SNOM 370 IP phone. In this case, we used the built-in VPN client on the SNOM 370 to connect back to the 3CX server running OpenVPN and provide simple and secure remote extension setup. If you want to read more on this you can find it here... http://3cxblog.worksighted.com/2008/09/first-post-test.html


This work still left us faced with the problem that, while this is great for 1 model of phone on the market today, what about everyone else? And what if a company already has a VPN infrastructure in place (like many companies do) and perhaps does not want to (or is not permitted to) leverage a secondary OpenVPN infrastructure? How are these users to deal with remote extensions?


The inherent design of SIP with RTP makes it reasonably complicated to "easily" traverse firewalls since we are dealing with a lot of 2-way connectionless traffic. It becomes somewhat "hit-and-miss" to get remote extensions working properly (for the lay user anyway). Throw into this mix the fact that many ISPs are now offering their own voice services, and in some cases blocking service or degrading quality for users not on their voice solutions, and we have a nice recipe for a solution that's more complicated than it's worth.
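To make the traversal problem concrete, the added example below (not part of the original post) parses the SDP body of a constructed SIP INVITE and reports where the phone asks to receive RTP. A phone behind a home router advertises its private LAN address there, which the far end cannot reach without a VPN or NAT helper; the sample message, addresses and function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample: an INVITE as a phone behind a home NAT router might send it.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:100@pbx.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:101@pbx.example.com>;tag=1928301774",
    "To: <sip:100@pbx.example.com>",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:101@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "",
])

def is_private(ip):
    """True when ip is a literal address that is not routable on the Internet."""
    try:
        return ip is not None and ipaddress.ip_address(ip).is_private
    except ValueError:          # hostname instead of a literal address
        return False

def media_endpoints(sip_message):
    """Return (media, ip, port, private) for every m= line in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_ip, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):       # c=<nettype> <addrtype> <address>[/ttl]
            ip = line.split()[2].split("/")[0]
            if media:
                media[-1][1] = ip       # media-level c= overrides session level
            else:
                session_ip = ip
        elif line.startswith("m="):     # m=<media> <port>[/count] <proto> <fmt>
            kind, port = line[2:].split()[:2]
            media.append([kind, session_ip, int(port.split("/")[0])])
    return [(k, ip, p, is_private(ip)) for k, ip, p in media]

if __name__ == "__main__":
    for kind, ip, port, private in media_endpoints(SAMPLE_INVITE):
        note = "private, unreachable across NAT" if private else "publicly routable"
        print(f"{kind}: RTP expected at {ip}:{port} ({note})")
```
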


If a true VPN exists from Site A to Site B, the implementation of the remote extension becomes quite simple since we have full internal visibility between the phone and the 3CX server. While this is typical for branch offices where they can justify VPN endpoint devices at each site, what about the typical home tele-worker who needs an extension? We certainly cannot justify expensive equipment at users' homes and, as well, certainly do not want to deal with attempting to modify users' home equipment to create patchwork VPNs or battle against dynamic IPs and port-forwards. Yikes!


What we need is a simple, easy to deploy, easy to manage, inexpensive VPN solution for remote workers.


Enter the "pocket" VPN appliance....


It seemed to me that what we needed was a tiny hardware VPN appliance that could sit in front of a remote phone and provide true IPsec VPN capabilities, irrespective of the phone being used.
After spending some time hunting around I came across this interesting product from ZyXEL: the ZyWALL Personal Firewall P1. It is a tiny, wallet-sized IPsec VPN appliance designed for mobile workers. Now, they are intending it to function for a PC, but I see no reason why it couldn't work for an IP phone. Take a look here....
http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040908175941&display=6244&CategoryGroupNo=0E8EA8FA-AF7D-434F-A527-F337AB9A3A51


I realize there would likely be some complexities getting this to work with different brands of VPN concentrators at the head-end, but in concept, I believe this to be fairly doable. It would provide drastically simplified deployment of remote phones as well as security and encryption.
I'm interested to hear what others have to say about this possibility. Obviously it does not need to be this particular product, but something similar anyway.


Happy 3CXing!!!!


Best,

Mike

2 comments:

Matt Landis said...

Mike,
Very interesting. We actually have one of these ZyXEL units in Landis Computer's research department to be checked out for exactly the reasons you outlined.

matt

Kevin said...

The ZyWall P1 seems to have been discontinued. Anyone know of a similar product?