.. _edge_config: ****************** Edge Configuration ****************** .. contents:: :local: Edge Server configuration ========================= .. _edge_config_sslcert: SSL Certificates ---------------- .. note:: This step is to be done on each host The Edge Solution must be configured with valid certificate for your domain. You have to put the: * **fullchain** certificate: here :file:`/etc/docker/ssl/xivo-edge.crt` and also here :file:`/etc/docker/ssl/xivo-edge.chain` (this last location is mandatory for the SIP Proxy service) * certificate key: here :file:`/etc/docker/ssl/xivo-edge.key` Make sure that the certificate key are given readonly permission to root and the folder is accessible for all users: .. code-block:: bash chmod +x /etc/docker/ssl chmod 404 /etc/docker/ssl/xivo-edge.key .. _edge_config_turnsecret: TURN Server Secret ------------------ You must generate a secret for the TURN server (in the following it will referred to as ````). Generate it with the following command: .. code:: bash openssl rand -hex 16 Keep this ````. You will need it to configure * the TURN Server * the xucserver on the *XiVO CC/UC* * and to generate the turn configuration on for asterisk (on XiVO Main and MDS) .. _edge_config_turnrelaypermission: TURN Server Relay Authorization ------------------------------- .. important:: You **MUST** follow this step on the TURN Server host. Otherwise the TURN relay **will not work**. You **must add to the TURN configuration** the **IP addresses it is allowed to relay traffic to**. Therefore you must add the permission for the IP of: * the XiVO * the MDS (if in XDS architecture) * and the Meetingroom (if installed) In order to do this: * lists the IP addresses towards which the **STUN/TURN Server** will be allowed to send traffic to. Which is at least: * the XiVO * (if applicable) the MDS * (if applicable) the Meetingroom * then add to the :file:`.env` file (of the server which will host **STUN/TURN Server** (coturn) service) a line with the following format:: TURN_ALLOWED_PEERS="--allowed-peer-ip= --allowed-peer-ip= --allowed-peer-ip= --allowed-peer-ip=" For example:: TURN_ALLOWED_PEERS="--allowed-peer-ip=192.168.240.2 --allowed-peer-ip=192.168.240.4 --allowed-peer-ip=192.168.250.3" .. _edge_config_3servers: 3 Servers Configuration ----------------------- .. note:: Follow this part if you configure the Edge Solution on 3 servers .. _edge_config_3serversschema: 3 Servers Example Schema ^^^^^^^^^^^^^^^^^^^^^^^^ .. figure:: images/edge_archi_3servers_example.png :alt: edge_archi_3servers_example Web Proxy ^^^^^^^^^ .. note:: This step is to be done on the server which will host the **Web Proxy** (nginx) service Create the :file:`.env` file with the following variables (replace values accordingly, and see example below): .. code-block:: bash cat > /etc/docker/edge/.env << EOF XIVOCC_TAG=2026.05 XIVOCC_DIST=latest XIVOCC_HOST= XIVO_HOST= EDGE_FQDN= EDGE_KAMAILIO_HOST= EOF **Example:** * given you install latest Luna version * and given the :ref:`edge_config_3serversschema` you should come up with: .. code-block:: ini XIVOCC_TAG=2026.05 XIVOCC_DIST=latest XIVOCC_HOST=LAN_IP1 XIVO_HOST=LAN_IP2 EDGE_FQDN=edge.mycompany.com EDGE_KAMAILIO_HOST=DMZ_IP2 .. _edge_config_3serverssipproxy: SIP Proxy ^^^^^^^^^ .. note:: This step is to be done on the server which will host the **SIP Proxy** (kamailio) service Create the :file:`.env` file with the following variables (replace values accordingly, and see example below): .. code-block:: bash cat > /etc/docker/edge/.env << EOF XIVOCC_TAG=2026.05 XIVOCC_DIST=latest EDGE_FQDN= XIVO_HOST= EDGE_HOST_IP= EOF .. important:: For a XDS installation you must: * add to the ``.env`` file a line per MDS (excluding XiVO PBX) with the following format:: XIVO_MDS_HOST_MDS1="=" For example: ``XIVO_MDS_HOST_MDS1="mds1=192.168.240.2"`` Mandatory step: You need to change any underscore in your mds naming to an hyphen For example, for an mds named media_server_1: ``XIVO_MDS_HOST_MDS1="media-server-1=192.168.240.2"`` * and add to the ``kamailio-edge.yml`` file a ``extra_hosts`` section for kamailio with these variables: For example: .. code-block:: yaml services: kamailio: image: "xivoxc/edge-kamailio:${XIVOCC_TAG}.${XIVOCC_DIST}" extra_hosts: - ${XIVO_MDS_HOST_MDS1} **Example:** * given you install latest Quantum version * and given the :ref:`edge_config_3serversschema` you should come up with: .. code-block:: ini XIVOCC_TAG=2026.05 XIVOCC_DIST=latest EDGE_FQDN=edge.mycompany.com XIVO_HOST=LAN_IP2 XIVO_MDS_HOST_MDS1="mds1=LAN_IP3" EDGE_HOST_IP=DMZ_IP2 STUN/TURN server ^^^^^^^^^^^^^^^^ .. note:: This step is to be done on the server which will host the **STUN/TURN Server** (coturn) service Create the :file:`.env` file with the following variables (replace values accordingly, and see example below): .. code-block:: bash cat > /etc/docker/edge/.env << EOF XIVOCC_TAG=2026.05 XIVOCC_DIST=latest EDGE_HOST_IP= XIVO_HOST= TURN_EXTERNAL_IP= TURN_SERVER_SECRET= TURN_REALM= TURN_ALLOWED_PEERS= EOF .. important:: Don't forget to fill in the ``TURN_ALLOWED_PEERS`` var following :ref:`edge_config_turnrelaypermission` **Example:** * given you install latest Luna version * and given the :ref:`edge_config_3serversschema` you should come up with: .. code-block:: ini XIVOCC_TAG=2026.05 XIVOCC_DIST=latest EDGE_HOST_IP=DMZ_IP3 XIVO_HOST=LAN_IP2 TURN_EXTERNAL_IP=DMZ_IP3 TURN_SERVER_SECRET= TURN_REALM=mycompany.com TURN_ALLOWED_PEERS="--allowed-peer-ip=LAN_IP2 --allowed-peer-ip=LAN_IP3 --allowed-peer-ip=LAN_IP4 --allowed-peer-ip=DMZ_IP3" .. _edge_config_1server: 1 Server Configuration ---------------------- .. note:: Follow this part if you configure the Edge Solution 1 server .. _edge_config_1serverschema: 1 Server Example Schema ^^^^^^^^^^^^^^^^^^^^^^^ .. figure:: images/edge_archi_1server_example.png :alt: edge_archi_1server_example .. _edge_config_1serverconf: Web Proxy, SIP Proxy and TURN Server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Create the :file:`.env` file with the following variables (replace values accordingly, and see example below): .. code-block:: bash cat > /etc/docker/edge/.env << EOF XIVOCC_TAG=2026.05 XIVOCC_DIST=latest XIVOCC_HOST= XIVO_HOST= EDGE_FQDN= TURN_SERVER_SECRET= TURN_REALM= EDGE_HOST_IP= TURN_EXTERNAL_IP= TURN_ALLOWED_PEERS= EOF .. important:: Don't forget to fill in the ``TURN_ALLOWED_PEERS`` var following :ref:`edge_config_turnrelaypermission` .. _edge_config_1server_xds-meetingroom: .. important:: For a XDS installation you must: * add to the ``.env`` file a line per MDS (excluding XiVO PBX) with the following format:: XIVO_MDS_HOST_MDS1="=" For example: ``XIVO_MDS_HOST_MDS1="mds1=192.168.240.2"`` Mandatory step: You need to change any underscore in your mds naming to an hyphen For example, for an mds named media_server_1: ``XIVO_MDS_HOST_MDS1="media-server-1=192.168.240.2"`` * and add to the ``kamailio-edge.yml`` file a ``extra_hosts`` section for kamailio with these variables: For example: .. code-block:: yaml services: kamailio: image: "xivoxc/edge-kamailio:${XIVOCC_TAG}.${XIVOCC_DIST}" extra_hosts: - ${XIVO_MDS_HOST_MDS1} **Example:** * given you install latest Quantum version * and given the :ref:`edge_config_1serverschema` you should come up with: .. code-block:: ini XIVOCC_TAG=2026.05 XIVOCC_DIST=latest XIVOCC_HOST=LAN_IP1 XIVO_HOST=LAN_IP2 EDGE_FQDN=edge.mycompany.com TURN_SERVER_SECRET= TURN_REALM=mycompany.com EDGE_HOST_IP=DMZ_IP1 TURN_EXTERNAL_IP=DMZ_IP1 XIVO_MDS_HOST_MDS1="mds1=LAN_IP3" TURN_ALLOWED_PEERS="--allowed-peer-ip=LAN_IP2 --allowed-peer-ip=LAN_IP3 --allowed-peer-ip=LAN_IP4 --allowed-peer-ip=DMZ_IP3" Start the services ------------------ To start the services run the following command (you have to run it on all servers if you are in a 3 servers installation): .. code:: bash edge-dcomp up -d .. _edge_config_xivocc_config: XiVO CC configuration ===================== .. note:: These steps are to be done on the XiVO CC. For :ref:`xivouc_addon` mode see :ref:`edge_config_xivoucaddon` section. On XiVO CC server (the server which hosts the xucmgt/xucserver and nginx) add the following variables in the ``/etc/docker/compose/custom.env`` file: * add XUC_INTERNAL_HOST= * change XUC_HOST to the EDGE FQDN * and add the TURN_SERVER_SECRET with the ```` value (the ```` is the secret generated for during :ref:`edge_config_turnsecret`) * specify the ``REPORTING_HOST`` to the XiVO CC LAN IP address in order for SpagoBI report to work (note that SpagoBI work only if you access them via the internal LAN IP address). * in order for the history to work add the RECORDING_SERVER_HOST= * **Optionally** you can override ice gathering timeout (by default 500 milliseconds) to a shorter/greater value thanks to ``ICE_GATHERING_TIMEOUT_MS`` .. code-block:: ini XUC_INTERNAL_HOST= XUC_HOST= TURN_SERVER_SECRET= REPORTING_HOST= RECORDING_SERVER_HOST= RECORDING_SERVER_PORT=9400 * then you need to recreate components containers .. code-block:: bash xivocc-dcomp up -d .. _edge_config_xivoucaddon: XiVO UC Embdedded Configuration ------------------------------- .. important:: This section applies only if you are in the :ref:`xivouc_addon` mode. To configure the UC applications part of a XiVO, add the following variables in the :file:`/etc/docker/compose/custom.env` file: * change XUC_HOST to the EDGE FQDN * and add the TURN_SERVER_SECRET with the ```` value (the ```` is the secret generated for during :ref:`edge_config_turnsecret`) .. code-block:: ini XUC_HOST= TURN_SERVER_SECRET= * then you need to recreate components containers .. code-block:: bash xivocc-dcomp up -d XiVO Configuration ================== .. note:: These steps are to be done on the XiVO If you are using the :ref:`xivouc_addon` mode you must also follow the section :ref:`edge_config_xivoucaddon` STUN/TURN server configuration ------------------------------ On the XiVO you need to configure the STUN/TURN server address. .. warning:: Your Edge installation must be up and running when you do this step. As soon as you change this configuration all WebRTC users **won't work** without the Edge Solution. * In the XiVO Admin webi :menuselection:`Services -> IPBX -> General Settings -> SIP Protocol` tab **Network** * In parameter :guilabel:`XiVO Edge FQDN` enter the **TURN server** address with format ``FQDN:3478`` or ``IP:3478`` (you must put port **3478**). **Warning:** this FQDN must be resolvable and reachable from the XiVO & Public Internet. * 1 Server deployment: use the server public IP address or FQDN (i.e. ``edge.mycompany.com`` or ``DMZ_IP1`` in 1 Server Schema) * 3 Servers deployment: use the TURN server public IP address or FQDN (i.e. ``DMZ_IP3`` in 3 Servers Schema) * Click save: it will reload the SIP and the RTP configuration of the XiVO (Main and MDS if any) * Then **on each XiVO/MDS** run the following script to generate the credentials for the TURN server (the ```` is the secret generated during :ref:`edge_config_turnsecret`): .. code-block:: bash xivo-edge-gen-turn-cred * This script will generate new turn username and password in :file:`/etc/asterisk/rtp.d/01-xivo-edge-turn-cred.conf` * You then need to reload the rtp configuration .. code-block:: bash asterisk -rx 'module reload res_rtp_asterisk.so' .. note:: The turn address ``turnaddr`` is generated by confgend (see conf in file :file:`/etc/asterisk/rtp.conf`). Fail2ban -------- .. important:: If you configure the Edge Solution for a XDS installation you must do it on each MDS. You need to add Kamailio's ip address to protect it from being banned and resulting in complete block of webrtc users. * Edit file :file:`/etc/fail2ban/filter.d/asterisk-xivo.conf` and add to the ``ignoreregex`` section: * In *3 Servers Schema* replace ```` by ``DMZ_IP2`` * In *1 Server Schema* replace ```` by ``DMZ_IP1`` .. code-block:: ini ignoreregex = * Finally restart fail2ban service: .. code-block:: bash systemctl restart fail2ban.service