ScopTEL Extensions

Module 8 - ScopTEL IP PBX Software - Extensions Management


Security | Background


SIP Phones are SIP User Agents.

For security, SIP User Agents must register to the SIP Registrar via username and password authentication. It is typical for the SIP protocol ports to be open or forwarded to the ScopTEL server if a third party Firewall is implemented. When the SIP ports are exposed on the Firewall it is common for hackers to attempt brute force attacks on the server. Such attacks systematically request authentication using common dial plan Extensions and trivial passwords. Examples of such brute force attacks:
Extension range 100-3000
Systematic Password attempts using passwords 1000-3000
Systematic Password attempts using passwords 0000, 1234, 1111, 4321, 123456, 7654321
Therefore if a secure password policy is used it will prevent the overall majority of hackers from registering a SIP Extension or SIP Trunk with the server for fraudulent purposes.
Examples of secure SIP password policy
Minimum password length of 8 alpha numeric characters.
No Dictionary words
Minimum 2 Upper Case characters used
Minimum 2 numerals used
Passwords should be unique for each extension
The same policy enforcement should be in effect when configuring Voicemail Passwords except Voicemail Passwords cannot contain Alpha characters and must be numeric.
A poorly implemented Voicemail Password Policy can allow a hacker access to thru dial capabilities from a mailbox configured to allow outdial capabilities. Therefore Voicemail Passwords must be strict regardless of inconvenience caused to end users.
Voicemail Password should never match the extension number. Example: Extension 100, Voicemail Password 100
Voicemail Password should never be trivial.
Examples: 0000, 1234, 1111, 4321, 123456, 7654321

Security | Password Policies and Brute Force protection

To set a Global Password Security Policy navigate to Configuration > Telephony > Configuration > Security
The SIP and IAX2 Password Policy is set independently of the Global Voicemail Password Policy.
If the Options to automatically fix invalid password?[ ] is checked then non-compliant passwords will be made compliant after a commit.
Here are some recommended Settings


Security | Firewall Background

It is common for SIP Extensions to exist for Remote Extensions (Nomadic users). It is highly recommended that the server be protected from malicious attacks by enabling the Firewall.
Configuration>Network>Firewall>General>Server Type
Server type is default with “No Firewall”. Firewall types are “Single System, Gateway/Firewall”
If only one Network Interface exists then only “Single System” or “No Firewall”  is possible. If two Network Interfaces exist then the server can be configured as a 
“Gateway/Firewall”  which will enable outgoing NAT (Network Address Translation) and Firewall the configured WAN Interface.
In this screenshot the “Server Type” is configured as a “Single System” (Firewall is enabled). It is also recommended to set the “Server Type” and “Inbound Services (Permit)” options using the Configuration Wizard.
NOTE: Firewall rules only apply to Network Interfaces designated as WAN interfaces. LAN interfaces are never policed by the Firewall.




Security | Firewall Configuration Wizard

In this example the Firewall Configuration Wizard will be used to set the recommended Firewall Configurations.
From Configuration > Network > Firewall > General
Click on the “Configuration Wizard” button



Security | Firewall Wizard

In this example the Firewall Configuration Wizard will be used to set the recommended Firewall Configurations.
From Configuration>Network>Firewall>General
Click on the “Configuration Wizard” button
Choose the “Single System” option
Click “Next”



Security | Firewall Inbound Services

Which services will be allowed is dependent on network configurations and administrative security policies.



Security | Network Services Manager

From Configuration > Network > General Click on “Edit Services”
Click on Commit to write your changes to the relevant configuration files.
Any service which has had its configuration modified must be restarted after a commit to reload configuration into memory.
Choose which Services need to run when the OS reboots.
Network is mandatory.
Apply changes after editing services and start or restart the service if required.



Security | Voicemail

It is recommended to Enable:
Force a new user to record their Name
Force a new user to record their Greeting
This will force the user of a new mailbox to change their password and record each of their greetings before the mailbox can be managed. If the password is not changed all changes to the mailbox are lost.



Extensions | Types


SIP Extension (IP Extension using the SIP protocol) is allowed its own voicemail box and therefore requires a User license
IAX2 Extension (IP Extension using the IAX2 protocol) is allowed its own voicemail box and therefore requires a User license
Zap Extension (analog FXS extension using Sangoma or Digium cards. Sangoma and Digium cards should not co-exist in the same server)
            Zap FXS extensions require a User license.
Voicemail Extension (Voicemail box only) is allowed its own voicemail box and therefore requires a User license 
Hotdesk Extension
A Hotdesk Extension is an Extension that logs into a physical Extension using the Hotdesk Feature Code, HotDesk Extension number and required password.
By logging into a physical Extension the HotDesk Extension can make and receive calls from any extension which allows the HotDesk Feature Code in its assigned Class of Service. Caller ID incoming and outgoing will be automatically manipulated to display HotDesk user information.
Is allowed its own voicemail box and therefore requires a User license.

Virtual Extension

A Virtual Extension is a very advanced Extension type which allows a user to login to the ScopTEL GUI and use the Realtime Monitor and customize Call Detail Reports and other types of reports.
A Virtual Extension is allowed its own voicemail box and therefore requires a User license
Advanced options can be configured to ring multiple destinations and automatically forward copies of voicemail messages to multiple extensions
User Options for Virtual Extensions include Follow Me, Camp-On, Personal IVR destinations
Custom Forwarding Rules can be defined for:
Call Forward Immediate
Call Forward Busy
Call Forward No Answer
Call Forward Unavailable (forward when physical extension is offline)
It is possible to Immediate Forward a Virtual Extension to make an Application available within an IVR context for inbound PSTN callers.

Ring Group Extension

A Ring Group Extension automatically Immediately Forward it’s calls to configured Follow Me destinations.
Advanced options can be configured to ring multiple destinations and automatically forward copies of voicemail messages to multiple extensions.
Is not allowed its own voicemail box and therefore does not require a User license • User Options for Virtual Extensions include Follow Me, Camp-On, Personal IVR destinations.
Custom Forwarding Rules can be defined for:
Call Forward Immediate
Call Forward Busy
Call Forward No Answer
Call Forward Unavailable (forward when physical extension is offline)
It is possible to Immediate Forward a Virtual Extension to make an Application available within an IVR context for inbound PSTN callers. Shared Device Extension
A Shared Extension can be configured so that multiple extensions can ring when the pilot DN is dialed but depending on the busy status of the extension(s) one or more extensions can ring but the busy extension will not ring.
Each Shared Extension requires its own Shared Device license.

Extensions | Add a new Phone

To create a SIP Extension navigate to Configuration > Telephony > Extensions
Click on “Add a New Phone”
You can also use the Add Multiple Extensions Wizard to add many Extensions



Extensions | Type

Choose “SIP”  from the list of  available Extension types 

Extensions | Extension Number and Name

Assign an unused Extension number
Enter a Full Name for this user <First Last> with no special characters and only one space
Select the desired Class of Service to apply to this user from the drop list
Click on the Authentication tab



Extensions | Authentication

The Username should match the numeric value of this Extension number
Since the Security Policy enforces a strict SIP/IAX2 Password Policy the first prerequisite is to enter a compliant alpha numeric password into the text box or use the Generate Password button to generate a random compliant password. Click on the Voicemail tab once the
Authentication text is entered.



Extensions | Voicemail

Enable Voicemail if required
To force a new mailbox owner to initialize their mailbox use the extension number in the password field (pre-requisite enable Force a new user to record their Name [x], Force a new user to record their Greeting [x] in the Voicemail Manager template).
Enable Message Waiting Indicator (MWI) to light the Voicemail light on the matching SIP hardware or softphone
Enable Email Notification if you want to enable voicemail to email (normally requires a pre-requisite SMTP Smart Relay configuration in the Server Manager)
Configure additional security options in the Advanced Settings section.
Click on Phone Options tab



Extensions | Phone Options

Host Mode should be left default and the IP address field should be ignored because this is an advanced field used for problematic Remote Extensions behind a NAT Router
If the SIP device is to be used on the LAN then the “Phone behind NAT” option should not be checked.
Transport Mode(s) are vendor specific but the majority of SIP User Agents support UDP. Allowing both modes will allow the server and user agent to negotiate the compatible mode in the SDP messages. UDP should be considered a pre-requisite
If the SIP device is to be used as a Remote Extension located behind a NAT router then the “Phone behind NAT” option should be checked. Checking this option is normally sufficient to ensure that the Remote Extension can register with the server and two way speech paths are possible (assuming that the Firewall is and global NAT options are configured correctly).
P-Asserted is highly recommended over the default RPID mode which has become a legacy method. PAI is required for connected line updates. You cannot enable both settings, only one option is allowed.
If you wish to activate TLS Transport Mode and Enable SRTP encryption then refer to: 



Qualify is enabled by default and allows the server to monitor the Extension for Registration status and packet latency using OPTIONS messages. But not all SIP peers support OPTIONS so this might have to be unchecked depending on the device
(Cyberdata devices do not support OPTIONS)
DTMF mode is normally Automatic (RFC 2833/Inband)
Only CODEC’s supported by the SIP end point should be enabled.
Incoming/Outgoing Call Limit can restrict the number of simultaneous calls supported by this Extension (default 8).
“SIP Alert (Auto Answer/Distinctive Ring)” is used to configure this SIP end point to receive an internal page if the SIP end point is a supported device.
For Cisco support refer to:
When done Click on the Caller ID tab




Extensions | Caller ID

All Caller ID fields can be modified.
Default values will set the local and outgoing PSTN Caller ID to match the configured Extension Number and Name.
Un-checking either “Internal Call” or “External Call” checkboxes will allow the Caller ID configuration to be modified.
Note that “External Call” and “Emergency Call” Caller ID cannot be customized if the ITSP or PSTN provider’s trunks do not allow the Caller ID (ANI) to be re-written.
It is highly recommended that the “External Call“ and “Emergency Call” be modified to show either the published “BTN” of the customer or “DID” of the user. Failure to modify the defaults will result in only the Name and Extension number appearing on any outgoing external and emergency calls.
The Outgoing Line custom ANI is always overridden if Extension’s>Caller ID>Allow extension to override outgoing CallerID checkbox is enabled and Emergency Calls will also take precedence over the Outgoing Line if configured.
When done click on the User Options tab



Extensions | User Options

User Options define call forwarding rules, language, Music On Hold source file directory, default ring time, Call Recording options, Fax Detection, etc
Enabling any advanced options such as “Follow Me”, “Personal IVR”, “Camp-On”, “E911 Location” will add new tabs and options to this extension’s GUI interface and allow additional configurations.
NOTE: to activate an advanced rule like Follow Me, you must choose a call forwarding option and use the drop list to select it from the destination drop list.
When done click on Web Authentication




Extensions | Web Authentication

The “Web Authentication” option allows the owner of an Extension to login to the ScopTEL GUI and access several unique features including Voicemail playback and management. And its an optional feature and not mandatory to configure.
To access those features a unique login is created by checking the “Enable User Web GUI” and assigning a unique Username and Password for this Extension. The user logs into the same IP address and management port as the administrator but uses this login to access their personal GUI login.
Click on the “Security” tab when finished with this configuration.



Extensions | Security

Blacklisted numbers can be added to the text field and a password can be enforced when another extension or PSTN channel attempts to call this extension. If the password is not entered correctly then the Extension cannot be called.
This setting is optional and rarely used.
Click “Add” when finished to complete adding this extension to the server.





    • Related Articles

    • ScopTEL IP PBX Software - Basic Installation Hierarchy for Telephony Server

      Basic Installation Hierarchy for Telephony Server Therefore the purpose of this document is to provide a visual walkthrough of a very basic but functional installation for one tenant. This tutorial does not include an overview of the overall network ...
    • Module 14 - ScopTEL IP PBX Software - Managing ACD

      Automatic Call Distribution (ACD)  | Background Automatic Call Distribution queues put callers into a queue and typically play Music on Hold or custom announcement messages to keep them informed or relaxed while they wait for an agent to become ...
    • Module 19 - ScopTEL IP PBX Software - Quality-of-Service-Training

      The use of IP as a foundation for converged networks has raised several issues for both enterprise IT departments and ISPs.  IP and Ethernet are connectionless technologies and do not guarantee bandwidth. The protocol will not differentiate network ...
    • Enable Instant Messaging (XMPP) Service on ScopTEL PBX

      We will look at how to setup an Instant Messaging server on ScopTEL PBX using a free and open source XMPP based IM server. Openfire is a real time collaboration (RTC) server dual-licensed under the Open Source GPL and commercially. It uses the only ...
    • Module 10 - ScopTEL IP PBX Software - Prompt Management

      Prompt Management Many telephony applications will require you to create audio prompts to be used for playback. Caveats Playback of WAV/wav source file with Microsoft encoded output is not supported by Asterisk using Microsoft or Asterisk conversion ...