
VPN-less remote access - YeaLink


Hi all,


In the release notes for version Swyxware12:

“In addition, the certified Yealink end devices, which have recently become part of the Swyx product portfolio, are optimally supported. For example, employees in the home office can be securely integrated into their company's communications environment without having to set up a Virtual Private Network (VPN). Yealink telephones can also be integrated into the corporate network via port authentication according to IEEE 802.1x. Swyx thus offers an authentication method for the highest security requirements.”

Anyone know how to set this up?  Neither the SWYX Admin Guide nor KB area has any info.


Many thanks.



As far as I know, you need to set up a session border controller that helps the device connect from outside.


The only "new" thing compared to older versions is


- that Yealink uses SIP, where the Unify devices use CorNet.IP (I do not know about any session border controller that can handle CorNet.IP)


- that with SwyxWare 12.1, they only use port 5060 (Yealink connected to SwyxWare 11.x also uses port 65012 for uaCSTA), which makes SBC configuration a bit easier.


But anyway, it is far away from "plug and play" or worth calling it a feature.


And, to be honest, I would really think about using inexpensive VPN components instead. If you configure your SBC to use port 5060 into the internet, your SwyxServer will be INVITEd into fraudulent calls within hours, so don't forget to configure security features like fail2ban, geo-IP-blacklists, .... If you want to change the port to somewhere else, this may collide with the AutoProvisioning of Swyx - once you change any account setting on the Yealink manually, the device will no longer accept account settings via AutoProvisioning. There are some ugly ways to force Swyx' AutoProvisioning to deploy your own settings, but they are ugly ways and nothing officially supported. So either way, you will get in trouble if you update the server to a newer version and Swyx has changed everything (like they did on 12.0->12.1) without giving any information to the partners.


If you keep all of this in mind, it does work. We use this on our HostedPBX VPNless-offer, but the work we spend to figure out all problems, bugs, ... is nothing I want to do if you are just talking about one single PBX.


Hope this helps

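The throttling that the post above recommends for a SIP port exposed on 5060 (fail2ban-style banning), sketched as an added example that is not part of the thread or of any Swyx or fail2ban code. The log format, addresses and thresholds are constructed assumptions; a 200 from the same source resets its counter, so the normal digest-auth challenge (401/407 followed by success) from a registered phone does not lead to a ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical SBC log format (not real SwyxWare/Yealink output).
SAMPLE_LOG = """\
2024-05-01T10:00:00 sip src=198.51.100.20 method=REGISTER status=401
2024-05-01T10:00:00 sip src=192.0.2.50 method=REGISTER status=403
2024-05-01T10:00:01 sip src=198.51.100.20 method=REGISTER status=200
2024-05-01T10:00:05 sip src=203.0.113.7 method=INVITE status=401
2024-05-01T10:00:06 sip src=203.0.113.7 method=INVITE status=401
2024-05-01T10:00:07 sip src=203.0.113.7 method=INVITE status=401
2024-05-01T10:00:30 sip src=198.51.100.20 method=INVITE status=407
2024-05-01T10:00:31 sip src=198.51.100.20 method=INVITE status=200
2024-05-01T10:00:40 sip src=198.51.100.20 method=REGISTER status=401
2024-05-01T10:00:41 sip src=198.51.100.20 method=REGISTER status=200
2024-05-01T10:02:00 sip src=192.0.2.50 method=REGISTER status=403
2024-05-01T10:04:00 sip src=192.0.2.50 method=REGISTER status=403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sip src=(?P<src>\S+) "
    r"method=(?:INVITE|REGISTER) status=(?P<status>\d{3})$"
)
FAILURES = {"401", "403", "404", "407"}  # rejected or still-unauthenticated requests

def find_offenders(log_text, maxretry=3, findtime=60, allowlist=frozenset()):
    """Return {source_ip: time the ban threshold was reached}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] in allowlist or m["src"] in banned:
            continue
        src, status = m["src"], m["status"]
        if status == "200":
            recent[src].clear()  # authenticated: earlier challenges were benign
            continue
        if status not in FAILURES:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[src] = ts
    return banned
```

With the defaults only 203.0.113.7 crosses the threshold; the slow source 192.0.2.50 is caught only when `findtime` is widened, which is the trade-off to tune against low-rate scanning.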

Thanks a lot for the info. We are indeed talking about a single PBX (with a standby). At present our client's CEO has a UNIFY telephone at his home. That connects over a site-to-site VPN. Post-COVID, they anticipate more remote working so would like a dozen or so colleagues to have a similar setup (they already use SWYXIT). Although we can preconfigure a VPN router for each home, the challenge here is relying on these users to set up their WAN connections.


When I noticed that section in the release notes, I thought we may have a solution. The client site doesn't currently use an SBC - the SWYX server sits in a DMZ with connections from SIP providers published (reverse-proxied) through the firewall.


Not too concerned about auto-provisioning due to the small numbers, but looks complicated however we decide to tackle it.

