Voice AI: Deploying a Reverse Proxy

Deploying a Reverse Proxy for Voice AI

In some limited cases, you may need to deploy a reverse proxy between our Twilio-based trunk and your SBC/PBX. This is usually required if your network has difficulty accepting traffic from the 4 signalling IPs Twilio uses per region. By deploying a reverse proxy, you can filter the traffic and have a single IP address signalling your PBX.

Please note: this is not a recommended solution. Adding a reverse proxy adds a single point of failure for the signalling. Twilio has edge resilience for its signalling to prevent downtime and interference.

Deployment Location

You will need to deploy this reverse proxy outside of your network, ideally using a cloud service like AWS on one of their EC2 instances with an elastic IP assigned. The IP address you use should be whitelisted by your network, and you should validate that it can reach into your network to send signalling and RTP traffic.

⚠️

Due to the critical nature of this system, Talkative cannot host a reverse proxy on your behalf. Any reverse proxy should be managed by the owner of the PBX it is targeting; this allows for emergency maintenance and gives qualified telecom engineers access to it.

The following document assumes you are using AWS EC2 instances for your reverse proxy and that you are comfortable with editing config using shell access.

Provision EC2 Instance with Elastic IP

In AWS, navigate to the EC2 section and create a new EC2 instance using Ubuntu 22.04 LTS. The instance size you require will depend on the level of traffic you expect. We recommend starting with a t3.small for MVP purposes. This can be resized later as required.

Once you have provisioned the EC2, go to the Elastic IP section from the EC2 console and attach an Elastic IP - this will be the IP address you will receive your signalling traffic from. You will also need to allow SSH traffic so you can administer your reverse proxy.

Security Group to allow Signalling and Media traffic

Create a security group and assign it to the EC2 instance. This security group should allow UDP traffic to port 5060. If you wish, you may restrict traffic to the Twilio Signalling IP addresses which can be found here: https://www.twilio.com/docs/sip-trunking/ip-addresses - additionally, you will need to allow UDP access to ports 10000 - 20000 for RTP traffic.

Ensure all outbound traffic is allowed. If you wish you can restrict this to just signalling and RTP egress.
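
The restricted form of these rules, as an added example that is not part of the original guide: the function prints AWS CLI commands for review rather than running them. The group ID, administrator address and signalling addresses in the usage comment are placeholders from documentation ranges, not Twilio's real addresses.

```shell
#!/bin/sh
# Added example: emit (not execute) ingress rules for the proxy's security group.
# Nothing here contacts AWS; review the output, then run it yourself.

# is_ipv4 ADDR: succeed only for a dotted-quad address with octets 0-255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# sg_ingress_rules GROUP_ID ADMIN_IP SIGNAL_IP...
sg_ingress_rules() {
    sg=$1; admin=$2; shift 2
    base="aws ec2 authorize-security-group-ingress --group-id $sg"
    # Validate everything first so a typo produces no partial rule set
    is_ipv4 "$admin" || { echo "bad admin IP: $admin" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad signalling IP: $ip" >&2; return 1; }
    done
    # SSH only from the administrator's address
    echo "$base --protocol tcp --port 22 --cidr $admin/32"
    # SIP signalling only from the listed signalling addresses
    for ip in "$@"; do
        echo "$base --protocol udp --port 5060 --cidr $ip/32"
    done
    # RTP port range, source left open as described above
    echo "$base --protocol udp --port 10000-20000 --cidr 0.0.0.0/0"
}

# Usage with placeholder values:
#   sg_ingress_rules sg-EXAMPLE 198.51.100.7 203.0.113.10 203.0.113.11
```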

Install Asterisk

For this reverse proxy, we will use Asterisk. Asterisk is an open-source PBX which can act as a reverse proxy. To start, SSH into your server and run the following commands:

sudo apt update
sudo apt install -y asterisk
sudo systemctl enable asterisk
sudo systemctl start asterisk
sudo systemctl status asterisk

Disabling Redundant Modules (RADIUS and Chan SIP)

You may see a warning appear in the console:

radcli: can't open /etc/radiusclient-ng/radiusclient.conf

This is a harmless warning as we are not using RADIUS, but as we also need to disable a legacy SIP driver, we can resolve this in the same file.

Run the following command:

sudo nano /etc/asterisk/modules.conf

In this file, add:

noload => res_radius.so
noload => chan_sip.so

Then restart Asterisk:

sudo systemctl restart asterisk

This will disable the RADIUS and Chan SIP modules.

⚠️

After making changes to a configuration file, you will need to restart Asterisk for them to take effect. You may do this after each file, or wait until all the config files have been updated and then restart once at the end. Restarting after each config change will highlight any errors made when editing that file; you may wish to do this if you are unfamiliar with working in the shell.

Configure the RTP Range

Edit the RTP ports to match the ports set in the AWS Security Group. To do this, run:

sudo nano /etc/asterisk/rtp.conf

The following values may already exist, so you may need to edit them, rather than adding them:

[general]
rtpstart=10000
rtpend=20000

Configure PJSIP

We need to configure the connections to both Twilio and the SBC/PBX. We can do this by editing the pjsip config file. To edit it, run:

sudo nano /etc/asterisk/pjsip.conf

The following changes are all made in this one file. They are listed under separate headers for clarity, but there is no need to exit the file between them. The excerpts are examples, and some additional configuration or variation to these configs may be needed.

Twilio

[global]
type=global
user_agent=Talkative-Twilio-Proxy
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=YOUR_EIP_HERE
external_signaling_address=YOUR_EIP_HERE
local_net=10.0.0.0/8
local_net=172.16.0.0/12
local_net=192.168.0.0/16

; ---------- Twilio SIP Domain ----------
[twilio-aor]
type=aor
contact=sip:YOUR_TWILIO_DOMAIN.sip.twilio.com:5060
[twilio-auth]
type=auth
auth_type=userpass
username=YOUR_TWILIO_USERNAME
password=YOUR_TWILIO_PASSWORD
[twilio-endpoint]
type=endpoint
transport=transport-udp
context=from-twilio
disallow=all
allow=ulaw,alaw
aors=twilio-aor
outbound_auth=twilio-auth
from_domain=YOUR_TWILIO_DOMAIN.sip.twilio.com
direct_media=no
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes
[twilio-identify]
type=identify
endpoint=twilio-endpoint
match=TWILIO_SIGNAL_IP_1
match=TWILIO_SIGNAL_IP_2
match=TWILIO_SIGNAL_IP_3
match=TWILIO_SIGNAL_IP_4

Change the values which have been capitalised above. YOUR_EIP_HERE is the Elastic IP you assigned to the EC2 instance. The Twilio details will have been provided to you, and the Elastic SIP signalling IPs for your configured region should be added at the end.

SBC/PBX

; ---------- Customer SBC/PBX ----------
[sbc-aor]
type=aor
contact=sip:SBC_PUBLIC_IP_OR_FQDN:5060
[sbc-endpoint]
type=endpoint
transport=transport-udp
context=from-sbc
disallow=all
allow=ulaw,alaw
aors=sbc-aor
direct_media=no
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes
[sbc-identify]
type=identify
endpoint=sbc-endpoint
match=SBC_PUBLIC_IP

Replace the values with your SBC/PBX IP address or FQDN.

Reload and verify the configuration values:

sudo asterisk -rx "pjsip reload"
sudo asterisk -rx "pjsip show endpoint sbc-endpoint"
sudo asterisk -rx "pjsip show endpoint twilio-endpoint"
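
A check to run before the reload, as an added example rather than part of the original guide or of Asterisk itself: it flags capitalised placeholders left in pjsip.conf, endpoints with no identify section matching a real address, and a world-readable file. The function names and the sample config are constructed for illustration.

```shell
# Added example: pre-reload audit of pjsip.conf. Function names are this example's own.
# sample_conf: constructed config with one placeholder left in and no identify for the SBC
sample_conf() {
cat <<'EOF'
[twilio-endpoint]
type=endpoint
[twilio-identify]
type=identify
endpoint=twilio-endpoint
match=203.0.113.10
match=TWILIO_SIGNAL_IP_2
[sbc-endpoint]
type=endpoint
EOF
}

# audit_pjsip FILE: print one line per finding; return 0 only when there are none
audit_pjsip() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    findings=$(
        # The file holds the trunk password: flag it if "other" can read it
        case $(ls -ld "$f" | cut -c8) in (r) echo "PERM: $f is world-readable" ;; esac
        awk '
            /^[ \t]*;/ || /^[ \t]*$/ { next }             # comments, blank lines
            /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
            {
                eq = index($0, "="); if (!eq) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                if (val ~ /YOUR_|TWILIO_SIGNAL_IP|SBC_PUBLIC_IP/)
                    print "PLACEHOLDER: [" sec "] " key "=" val
                else if (key == "match") matched[sec] = 1  # a real match value
                if (key == "type") stype[sec] = val
                if (key == "endpoint") target[sec] = val   # identify -> endpoint name
            }
            END {
                for (s in target)
                    if (stype[s] == "identify" && (s in matched)) covered[target[s]] = 1
                for (s in stype)
                    if (stype[s] == "endpoint" && !(s in covered))
                        print "NO-IDENTIFY: [" s "] is not tied to any source address"
            }' "$f"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}
```

Run it as `audit_pjsip /etc/asterisk/pjsip.conf` (with sudo if the file is not readable by your user) and resolve every line it prints before reloading.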

Setup Dialplan Bridge

We need to configure a bridge to funnel the calls to their intended destination. We can do this in the extensions config file. To open it, run:

sudo nano /etc/asterisk/extensions.conf

At the bottom of this file, add:

[from-twilio]
exten => _X.,1,NoOp(Inbound from Twilio to SBC)
same => n,Dial(PJSIP/${EXTEN}@sbc-endpoint,60)
same => n,Hangup()
[from-sbc]
exten => _X.,1,NoOp(Outbound from MBG to Twilio)
same => n,Dial(PJSIP/${EXTEN}@twilio-endpoint,60)
same => n,Hangup()

Then reload the configuration using:

sudo asterisk -rx "dialplan reload"

Testing & Configuration

Once this has been configured, the proxy will be the target for your Voice AI transfers and will also be used to establish a connection to our SIP Trunk. You may wish to view the real-time connection logs in Asterisk. You can do this by running:

sudo asterisk -rvvvvv

Testing from SBC/PBX to Talkative

In your SBC/PBX, set up a SIP trunk targeting the Elastic IP as the trunk address, using the same SIP credentials you were provided before. Then attempt to connect a call. You should see the call pass through Asterisk and connect to the Voice AI routes. Please note, you may need to update your Route mapping rules in Talkative to match the Elastic IP of the reverse proxy.

Testing from Talkative to SBC/PBX

After placing a call to Talkative Voice AI, you may return the call using a transfer tool. Please note, your new PBX address in the transfer tool should be the reverse proxy IP address. Additionally, you may use a Voice Assist config to test that the DIAL works correctly.

Conclusion

With this guide, you will be able to proxy your calls through your Asterisk instance, giving you control of the call flow from Twilio, including manipulating the source sender and using a single signalling IP address should you have issues with multiple signalling IPs.

We recommend connecting to our Twilio Trunk directly where possible. This solution should be used as a last resort, as it may cause latency, scaling and resiliency issues which we cannot support.
