Hello All,
I am receiving various crm software integration requests: Salesforce, ACT!, etc... as well as custom integration requests. In researching solutions to these requests I am finding a class of Asterisk add-on software products that are incompatible with Thirdlane Multi-Tenant Edition (MTE). I am considering writing a piece of software to provide a compatibility layer and wanted some feedback to see if anyone would find this useful, or if people are accomplishing this some other way.
Problem:
Many third party asterisk add-on software providers utilize the Asterisk Manager Interface (AMI), however Asterisk's manager interface is inherently single tenant. The usernames and passwords contained in manager.conf give different types of access (read, call, etc..), but if you grant read you are granting it system wide. Thus, it would be insecure to allow one tenant ANY manager access, they would then have that access to other tenants.
How some products are addressing (or not addressing) this shortcoming:
FOP2 - has its own server that runs between the AMI and the flash clients. this server limits access for logins to a subset of system functionality. The fop2 server has unlimited access to the manager interface.
iSymphony - has its own server that runs between the AMI and the java clients, much like fop2.
camrivox - relies on unfettered access to the AMI, eliminating any possibility of more granular permissions. This line of asterisk integration products are incompatible with MTE. http://www.camrivox.com/products/Asterisk/ This line of products include outlook and salesforce integration.
**Does anyone have any other case studies that don't fall into one of these two models?
So currently the market solutions include packaging a proxy/multiplexing server in with an integration product to provide multi-tenant support. Any integration products that do not come with that functionality are not compatible with MTE.
What i was thinking of was writing a proxy server, which would provide an interface to clients that was indistinguishable from a standard Asterisk Manager Interface. However, it would have its own configuration, through which you could filter client requests in the direction from the client to the AMI and filter messages like events in the direction from the AMI to the client. eg: they would only receive events related to sip users, queues, conference rooms, etc that are relevant to them. This could potentially allow the majority of the market of Asterisk software which requires access to the Manager Interface to be compatible with MTE.
It is a shame for MTE users to not have access to the rich growing market of third party integration solutions.
Any thoughts?
Alex, have you received this as a feature request in the past and is it on any list of future enhancements?
Thanks,
Ken
Thanks Moshe, that is
Thanks Moshe, that is interesting.
The thirdlane dialer supports connecting to:
* a standard asterisk manger interface, which would be insufficiently secure in a multi-tenant environment
* a thirdlane proxy interface, which is potentially sufficiently secure although I don't know anything about the inner workings of this proxy or what it is vulnerable to.
"Thirdlane Dialer can communicate with Asterisk using Thirdlane PBX as a proxy or directly via Asterisk Manager Interface (AMI)."
OutCall is free open source Asterisk/Outlook Integration software that requires access to an Asterisk Manager Interface.
phone integration vs. pbx integration
There is a discussion to be had about the trade-offs between integrating at the phone level vs. the pbx level. There are calls that don't even hit phones etc... that indicates integration at the pbx level isn't going anywhere. For the consumer there is a clear advantage to owning phones and software that are compatible and can work with any voip provider, Asterisk or other.
From Thirdlane's Dialer web
From Thirdlane's Dialer web page:
Advantages of Thirdlane Dialer
When used with Thirdlane PBX, Thirdlane Dialer is the only Asterisk dialer with no need for access to the Asterisk Manager Interface. This makes Thirdlane Dialer easier to configure, and (most importantly) more secure - no more Asterisk Manager credentials on users' desktops!
Alex or Eric, can you confirm
Alex or Eric, can you confirm some details about how Thirdlane's built in crm screenpops handles this?
The applet which runs in the client's browser connects to the Asterisk Manager Interface.
com.thirdlane.applet.PopManagerApplet.class archive=pop.jar, astjava.jar
Does this use the md5 challenge authentication mechanism or just transfer the password in clear text?
Thirdlane dialer isn't using
Thirdlane dialer isn't using AMI however on mte it have one major fault that you don't get incoming calls screen pops for calls behind nat except if you do port forward (don't remember port number) and only to one computer where the port is forwarded. Which in return causes crm screen pop integration very tough at best or completely impossible. Since the local dialer is the one initiating the url screen pop not the AMI (not supporting outlook screen pops or tapi)
On the other hand using phone side software like flexor from camrivox eliminates using AMI or a proxy and it integrates with any type of CRM
I have implemented it the last couple of months and so far the feedback is great
I did a packet capture, I
I did a packet capture, I found that the CRM screen-pop uses the challenge and the Conference manager interface uses clear text. Can we update the conference manager to use the challenge as well?
Thanks Remi. So to recap
Thanks Remi. So to recap thirdlane's features:
* dialer - secure when used in conjunction with Thirdlane's Proxy and not the AMI
* conference manager - TL sends the AMI administrator credentials to the client over http/https and then the client sends the administrator credentials to the AMI as clear text
* crm links - TL sends the AMI administrator credentials to the client over http/https and then the client uses md5 challenge authentication to authenticate with the AMI
So the dialer is secure in that it has... well as thirdlane advertised:
"no more Asterisk Manager credentials on users' desktops!"
However both the conference manager and the crm links both put Asterisk Manager credentials on users desktops.
Alex, are you planning on fixing thes security holes by pointing both the conference manager and the crm links page to the Thirdlane Proxy like the dialer, instead of the AMI?
not the case.. neither the
not the case.. neither the conf manager or the crm link actually communicate over http/https. They communicate over the TCP/5038 port. The thirdlane 'proxy' is nothing of the sort. The TL dialer simply sends outbound commands to https://your.ip.com/asterisk/util.cgi .. its by no means an AMI proxy for listening to incoming AMI message events.
eeman, you mis-read.. here it
eeman, you mis-read.. here it is spelled out clearer:
The client's browser downloads web pages, conference manager/crm link applets from webmin/thirdlane over http/https.
Once the applet is loaded in the browser, the applet connects to the AMI on TCP/5038 and supplies credentials, thus those credentials must be present on the desktop computer and accessible by the applet, and, more insecure-ly, accessible by a malicious user.
As far as the dialer, the main point is that it supports authenticating with Thirdlane with an extension username and password instead of authenticating with AMI using AMI credentials.
Straight from the dialer page:
"Thirdlane Dialer can communicate with Asterisk using Thirdlane PBX as a proxy... This makes Thirdlane Dialer easier to configure, and (most importantly) more secure - no more Asterisk Manager credentials on users' desktops!"
its not the same thing.. the
its not the same thing.. the dialer does not require access to the AMI in order to achieve its goal. for the crm screenpop or the conf manager tool, it must receive a constant stream of ami events. Im not saying the design of a proxy isnt desirable, Ive been asking for that forever; I'm just saying dont misread what the dialer does as some ready-to-go proxy that the other applications can use, they just arent related at all.
I've asked for something similar to what isymphony uses for their client. Until something like that is created I really cant roll out those ami-based features in MTE. Think of the AMI port as the bare exposed dragon scale of Smaug in the hobbit. Left untended it can result in a lot of calamity.
Any outcome to this?
I have also had a few people ask me if Salesforce will work with our hosted pbx which is MTE
Regards,
Andrew
Use camrivox for polycom or snom it runs off the phones local network so your server remain secure without the need to add any server
I have been using it for a while now and it works great
It works with outlook, salesforce not sure about act since it runs on tapi but you could ask em