I’ve been looking into a P-Series "Software Edition" install lately and I’m struggling to find any reason to use this over a physical appliance or a proper UCaaS setup. It seems to just combine the worst parts of both.
The install is the main red flag. You have to give the script root access to your box, but then it essentially uses that access to lock you out. It forces the installation of a bunch of OS-level libraries pulled directly from Yeastar's own servers instead of standard distribution points. Once it’s done, it sets up a "support" account that’s stuck in what seems like a fairly restricted shell. I don't mind them moving the SSH port or disabling password auth, but they've done it in a way that makes it incredibly difficult for the actual owner to manage the underlying OS.
If you need to run EDR agents, vulnerability scanners, or standard endpoint monitoring, you're basically forced to use your hosting provider's recovery console just to regain the access needed to install them. You shouldn't have to perform a manual rescue operation on your own VM just to get a security agent running. It completely breaks any standard automated deployment or SOE workflow.
Then there’s the firewall. There is a daemon running in the background that manages iptables, and it comes pre-loaded with firewall rules. On paper, they seem to be for things like their global anti-hacking database, updates and remote infrastructure, but it's a fairly crude whitelisting of a huge range of Alibaba Cloud IPs on every single port. You can delete them in the web UI, but since the system is architected to rely on those foreign-hosted services for its features, you’re stuck choosing between breaking their functionality or leaving a permanent hole in your perimeter.
The biggest issue for me is maintenance. Because the PBX software is tied to those unverified library versions, you can’t really run a standard apt upgrade or patch the OS without risking updates messing with those non-standard libraries they pull during the install process. You’re basically stuck with a frozen box that you can’t independently verify or update easily.
It feels like a product for an MSP that wants the cheapest possible "set and forget" option, but if you’re in a place that actually has security requirements beyond blocking public internet access and hoping for the best, it's an issue. You don’t hold the keys to the server by default, and you can’t maintain a standard security baseline without getting into brawls with how the install process has configured the operating system.
If I wanted a black box I couldn't touch, I’d have just bought the hardware appliance. This "Software Edition" just feels like an appliance wearing a VM's skin. Has anyone actually managed to get one of these into a state where it passes scrutiny from an organisation that cares, or is it just not built for that level of scrutiny?
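
Added example, not part of the original post and not vendor code: one way to audit the pre-loaded firewall rules described above is to parse `iptables-save` output and list every ACCEPT rule that trusts a source range without restricting the destination port. The ruleset below is constructed, uses documentation address ranges rather than the product's real rules, and the function name is hypothetical.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format. Addresses are documentation
# ranges (RFC 5737) and 10/8, NOT the rules the product actually installs.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p udp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
COMMIT
"""

PORT_OPTS = {"--dport", "--dports", "--destination-port", "--destination-ports"}

def all_port_source_accepts(ruleset, chain="INPUT"):
    """Return (network, address_count, rule) for each ACCEPT rule in `chain`
    that matches a source range but places no limit on the destination port."""
    findings = []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "-A" or tok[1] != chain:
            continue  # table headers, chain policies, COMMIT, other chains
        opts = tok[2:]
        pairs = list(zip(opts, opts[1:]))
        if ("-j", "ACCEPT") not in pairs:
            continue
        src = [v for k, v in pairs if k in ("-s", "--source")]
        # Rules with negated ("!") matches are skipped, not evaluated.
        if not src or PORT_OPTS & set(opts) or "!" in opts:
            continue
        net = ipaddress.ip_network(src[0], strict=False)
        findings.append((str(net), net.num_addresses, line))
    return findings

if __name__ == "__main__":
    # Widest trusted ranges first, so the largest exposure is reviewed first.
    for net, count, rule in sorted(all_port_source_accepts(SAMPLE), key=lambda f: -f[1]):
        print(f"{net:<20} {count:>12} addresses   {rule}")
```

To use it on a real host, pass the text of `iptables-save` in place of `SAMPLE` and repeat the audit after any change made through the web UI.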