Archives

HAast has changed considerably since version 2.1.  Did you remember to copy over the sync job definitions (probably from /etc/xdf/telium/haast.conf.d )  As for the event handlers (probably post-sync), we recommend that you use nodeprep to ensure data is properly updated and reconciled once it reaches the other node.  Most event handlers are a single line of code: e.g. “nodeprep -a 1200”

If you don’t have nodeprep installed (if you pieced together a cluster from old and new software), please email us and we will provide you with the missing software and sample event handlers.

If your cluster needs to withstand penetration testing (or the equivalent of exposing the management ports to the internet), then there are a number of steps you must take to harden your cluster.

1. Ensure you set complex id and passwords for the Asterisk management interface.
2. Set the Asterisk management interface to listen to localhost only.
3. Ensure you set complex credentials for HAast peerlink.
4. Protect the HAast GUI (https) interface with the htpasswd utility
5. Ensure you set complex credentials for rsync.
6. Ensure you set complex credentials for database(s) in use.
7. Limit database port access to localhost and the remote peer.
8. Set iptables rules to further limit interface/port combinations of the above to the peer and any trusted management workstations.
9. Set iptables connection rate rules to the max necessary for your cluster to operate.

The HAast GUI and ReST interface can be disabled altogether if you do not need that functionality. Note that the GUI and ReST interfaces do not use ANY 3rd party libraries; it is all hand coded in PHP and tested for stability and security. However, it is possible to overload or find a weakness in Apache HTTPD; in which case disabling the GUI and ReST interface is recommended.

If you do not need direct access to the HAast telnet interface, then you should set the HAast telnet interface to listen to the localhost address only. Once that change is made, you must SSH to the node first and then telnet to HAast in order to access the interface.

HAast is designed to support even the most heavily loaded systems. However, HAast on it’s own is not designed to withstand loads/connection attempts beyond what can be found in a normal production environment. In other words, HAast is not meant to withstand the challenges of penetration testing or open internet access without first hardening the cluster. The above hardening recommendations do add additional load to the cluster nodes, so in general we do not recommend implementing the above unless you have a real need to harden your cluster.

If you have chosen USB Dongle activation, then there a few more steps required to pair your new dongle with your license. Once your dongle arrives plug it into the computer and restart the HAast service. Reconnect to the product’s telnet interface and issue the “license usbdongle” command. For example:


[root@pbx_qa_17:/usr/local/haast] $ telnet 172.31.224.14 3001
Trying 172.31.224.14…
Connected to 172.31.254.14.
Escape character is ‘^]’.
HAast telnet interface on ‘PBX QA 17’
HAast>license usbdongle
Your USB dongle has been detected but is not yet paired with your license.
To pair your USB dongle with your license send the following dongle ID to
support@telium.io to receive a pairing code :
5010-5473-C839-94B9


Copy the pairing code and paste it into an email to support@telium.io and include your license number. We will reply with an activation code that you must enter. For example:


When ready enter the pairing code below (or . to abort)
activation code>46A9-9907-43DB-4F06
 
Your activation code has been accepted. Please restart the HAast service to use the activated license.


Now exit the telnet session and restart the HAast service. HAast will restart fully licensed and you are ready to use your licensed product. You can also verify the license by repeating the “license usbdongle” command, and it should indicate that the dongle has been paired to your license. For example


[root@pbxqa17:/usr/local/haast] $ telnet 172.31.224.14 3001
Trying 172.31.224.14…
Connected to 172.31.224.14.
Escape character is ‘^]’.
HAast telnet interface on ‘PBX QA 17’
HAast>license usbdongle
Serial number: 3040504215618650775
Paired: yes, on Tue Jun 14 17:52:40 2022 EDT
Locked out: no
HAast>


There are a few ways to address your problem.

First, you can limit access to the HAAst config files (or even entire /etc/xdg/telium directory) so that only the root user can read them. Using the chmod command will allow you to set these files to readonly (r – -) for root:

chmod 400 haast.conf

Second, you can also encrypt the password before placing it into the config file. For example, using md5sum we can generate a hash of your obvious password:

[root@qa14 dev]# echo "MyObviousPassword" | md5sum
7f1e7328e9c668dbc73485eecd91b7ba -

Then you would use 7f1e7328e9c668dbc73485eecd91b7ba as your password entered into the haast.conf file on both nodes.

Third, you can store sensitive config file information in the HAast keychain.   To use a keychain value in a configuration item simply replace the value with @KEYNAME. Applicable configuration items show @KEYNAME as an option in the documentation. Note that a KEYNAME can contain only letters, numbers, and underscore, and case of the letters is ignored.  See section 3.1 of the installation guide (as of Jan 2021) for further details of the keychain.

No! Unlike most of the other configuration generators, FreePBX does something a little unusual. Every time you add a module (or even upgrade a module) to your system FreePBX might change the structure of the database / add tables to hold the additional data.

So if you now sync from your primary node to your secondary node, settings would be lost because the associated tables/fields are missing on the secondary node. Conversely, if you now sync from your secondary node to your primary node, settings would be missing because the necessary source settings are absent. (See image below). This is why the HAAst installation guide and maintenance manual provide specific installation/upgrade instructions relating to FreePBX. Every year we have at least one customer that damages their FreePBX cluster because they did not follow the installation/maintenance guides.

Similarly, updating a module might change table structure, and that’s why we say to disable any automatic updates in FreePBX. Most other configuration generators are smart enough to detect a configuration mismatch between versions/modules, but FreePBX does not and will probably break (dialplan failure) unless the two nodes are kept identical (in terms of modules enabled/installed/versions).

Even if HAAst were to copy the metadata (table structure) as well, you would still have problems since the PHP code which makes up FreePBX will not understand the settings (if the code version doesn’t match the settings version). This may result in the PBX failing to process calls as the dialplan crashes, and/or failure to configure, and/or failing to complete an APPLY button push.

To read more about how to properly setup your nodes with FreePBX see sections 3.6 and 10.1.5 of the Detailed Installation Guide, and sections 7 and 8 of the Maintenance and Operations Guide.

If you have already corrupted your FreePBX setup and your cluster won’t process calls (due to dialplan fialure) see this forum post

Since Red Hat 8 uses SystemD, the best way to delay HAAst start is with a service timer. Create the file haast.timer in the /etc/systemd/system directory with the following contents

[Unit]
Description=Delay HAAst start by 1 minute on bootup

[Timer]
OnBootSec=1min
Unit=haast.service

[Install]
WantedBy=basic.target

Then, enable the HAAst timer and disable the service:

systemctl enable haast.timer
systemctl disable haast.service

And finally, in your haast.service file change the WantedBy line to read:

[Install]
WantedBy=haast.timer

Next inform systemd of your changes:

systemctl daemon-reload

And your HAAst start will delay by 1 minute on bootup. You can adjust the delay as you need.

If the Asterisk control file (wrapper) is exiting with code 3, that means Asterisk is taking too long to start. I recommend you disable the HAAst service and manually try to start the Asterisk service directly.

I suspect you will see a long and slow (or errored) start of Asterisk. The systemd service file included with Asterisk is not ideal for cluster use and can cause slow startup. If you are using systemd please try the service file offered by Telium here:

https://telium.io/topic/cant-start-asterisk-exit-code-158/

• This reply was modified 4 years, 3 months ago by WebMaster.

Telium has certified hardware which allow users to plug USB dongles into a stand-alone device and connect to that device over the network. This allows USB dongles to be plugged into one device on the network and appear local to another device (physical computer/virtual machine/container).

CoolGear USB-NET-4A USB over IP hub
The USB-NET-4A is available directly from CoolGear here: https://www.coolgear.com/product/usb-2-0-over-ip-network-4-port-hub-share-any-usb-device-over-tcpip-network or from Telium. This device is suitable for small and simple networks, and provides a budget dongle over IP solution. This device supports up to 4 dongles.

DongleServer from SEH Technology (** CURRENTLY UNDER REVIEW, NOT YET CERTIFIED **)
The DongleServer Pro/Max is available from retailers and distributors worldwide. For more information visit https://www.seh-technology.com/products/usb-dongleserver.html. This device is suitable for up to 20 dongles (per DongleServer), and offers a greater number of management and control options.

If any product is purchased from Telium then we include support for the device as described in FAQ 1075. If you chose to purchase the device elsewhere then we cannot answer any questions about the devices’ functionality, compatibility, drivers, etc. (Please direct those questions to your retailer of choice). If you would like Telium to support your device, including configuration, setup, connectivity to the guest, etc. when purchased elsewhere then you would have to purchase support from Telium as described in the above FAQ. Please ensure your design considers compatibility between all software/firmware/hardware in your project as Telium is not responsible for third party devices or vendors.

• This reply was modified 4 years, 3 months ago by WebMaster.
• This reply was modified 4 years, 3 months ago by WebMaster.
• This reply was modified 4 years, 3 months ago by WebMaster.

The Free Edition is more for testing compatibility and basic functionality. It’s also (surprisingly) popular with small office / home office installations. It’s not meant to be a platform for capacity testing / full load testing.

We do offer a full-featured trial (Commercial Unlimited edition) for larger installations, see our FAQ at https://telium.io/faq1001 for more details.

UPDATE: As of August 2020 we now off subscriptions (monthly or annual) which might need your needs. It can be cheaper if you just want a quick trial but don’t plan to buy. (If you plan to buy then the trial edition may be cheaper)

If you want to contact sales@telium.io they can help you get started with a full-featured trial.

• This reply was modified 4 years, 2 months ago by WebMaster.

Licensing is a three step process:

The first step is to request a license file after installation, which you can do by telnetting to the telephony server on port 3001 (for HAast/HAfs) or 3000 (for SecAst) and generate a license request file. For example:


telnet localhost 3001

HAAst telnet interface on ‘Ford Motor Company Lansing Call Center PBX’
HAAst>license request
To create a license request, enter the information specified below. To abort
the request enter a . as the answer to any question.
 
Enter the name of your organization as it will appear in your license?
organization>My Company
Enter a description for the local node (eg: pair 1 server B, or Texas,
or Rack 1 upper)?
description>Los Angeles Colocation
Virtual machine detected. Automatically selecting Commercial Unlimited
edition (Flex Edition not available in virtual machines).
What type of license activation would you like to use: USB dongle Cloud, or
Volume license server [U, C, V]? (Hardware Fingerprint option not available
in virtual machines. See http://telium.io/activation for more information)
activation>u
The license request has been successfully completed and placed in file:
‘/usr/local/haast/haast.licenserequest’
Send this file to support@telium.io to receive your license file
HAAst>


This will create a file called haast.licenserequest in your /usr/local/haast directory (or hafs.licenserequest, or secast.licenserequest in the associated directory).

Second, you need to send that file to support@telium.io and we will reply with a license file (and optionally send you a USB dongle if you chose that activation type).

Third and final step is to copy the license file we send you to your telephony server. If you chose USB Dongle activation then there is one extra step: plug in the dongle and issue the “license usbdongle” command and send the code on screen to support@telium.io We will reply shortly thereafter with the pairing code for the dongle.

When you are all done restart the HAast (or HAfs or SECast) service and you will see in the event log, or from the web GUI, or from the telnet interface, that the system is running as the commercial edition (whichever edition you purchased)

Assuming your nodes are 192.168.0.10 and 192.168.0.11, then issue the following commands on both nodes:


firewall-cmd –new-zone=haast –permanent
firewall-cmd –reload
firewall-cmd –zone=haast –permanent –add-source=192.168.0.10/32
firewall-cmd –zone=haast –permanent –add-source=192.168.0.11/32
firewall-cmd –zone=haast –permanent –add-port=3001/tcp
firewall-cmd –zone=haast –permanent –add-port=3002/tcp
firewall-cmd –zone=haast –permanent –add-port=873/tcp
firewall-cmd –zone=haast –permanent –add-port=3306/tcp


If you want to know exactly what the above does, here is a line-by-line description:

1. Create a new firewall zone called “haast” and make it permanent (survive the next reboot)
2. Add the local IP address as a trusted source in zone haast
3. Add the remote IP address as a trusted source in zone haast
4. Add the port 3001 (HAAst telnet interface) as accessible from the trusted sources
5. Add the port 3002 (HAAst peerlinkinterface) as accessible from the trusted sources
6. Add the port 873 (sync) as accessible from the trusted sources
7. Add the port 3306 (sync) as accessible from the trusted sources

Other users reading this post must consider their network topology and adjust the above to fit their needs. For example, if you setting up a firewall BETWEEN nodes, or IN FRONT of nodes, or ON the nodes.

As well, if you use our subscription service you must ensure TCP port 443 (outbound) is open from each node.