ScopTEL - Certificate Manager

Certificate Pre-Requisites

Self Signed Certificates are generally not supported by phone Manufacturer’s therefore it is recommended you check with your phone hardware vendor to see which Certificate Authorities are supported.

You will first have to use the ScopTEL Certificate Manager to create your own Certificate Signing Request in order to purchase a Signed Certificate from a supported Certificate Authority

Most Certificate Authorities will provide you with a Root Certificate and a Chained Certificate (Chained Certificates are not mandatory but are very commonplace).

Once you have the Root CA, Certificate Chain, and a Signed Certificate from a supported Certificate Authority you can use the ScopTEL Certificate Manager to create Certificates for the following purposes:

Encrypting GUI communications using SSL (HTTPS)

Encrypting Phone Provisioning files during phone download using SSL (HTTPS)

Encrypting SIP signalling with SSL (TLS)

Encrypting SIP audio streams with SSL (SRTP)

 

Creating the CSR – Certificate Manager

Click on Add a New CSR

Fill in all the required fields

If you are purchasing a Wildcard Certificate put a *. In from of your domain name in the Common Name Field

Example: *.yourdomain.com

When done click on the Key Settings Tab

Key Settings

Select a Digest Algorithm supported by your IP phone’s manufacturer

It is recommended to choose a Key Size of at least 2048 bits

Passphrase is not required

Click Add when done

Download your CSR

Copy and Paste your Certificate Request to your Certificate Authority when you your purchase your CA for Domain Validation.

Wait for your CA to send you your Certificate before generating your  Certificate

You will copy and paste the Private Key Data into your Server Authentication Certificate in a later step

Import a Certificate (Root CA)

Copy and Paste your CA’s Root CA into the text box and click Add

 

Give your Certificate a name

Select Import Certificate & Key = Signed Certificate

Then click on the Certificate & Key tab

 

Copy and Paste your CA’s Signed Certificate data into the Signed Certificate text box

Copy and Paste your CSR’s Private Key data into the Private Key text box

Click Add when done

Certificate Chain

Certificate Type = Intermediate and Chain Certificate

Certificate Name: Enter a name in the text field

Click on the Certificate tab

Copy and Paste the Certificate Chain data you received from your CA when they issued your Certificate

Click Add when done

Configuring the Server to Enable SSL (GUI)

Go to Server|Configuration and click on the Security (SSL) Tab

Enable SSL (GUI)?

For the Private Key select your Certificate

For the Certificate select the same Certificate

Highlight the Certificate Chain you created earlier

Click Save

The Web server will restart once you click save and you will have to login to your server replacing http://yourserver.com:5555/ with https://yourserver.com:5555/

Configuring the Server to use HTTPS Provisioning for your IP Phones

Go to Server|Configuration and click on the Provisioning Tab

From the HTTPS Provisioning Menu change the HTTP Protocol to HTTPS

Enter the LAN or WAN address specific to your server in each field (the screen shot only displays examples)

Click Save

The Web server will restart

Configuring Telephony – Channels - SIP Channel

Enable support for SIP TLS (Secure)

Select your Certificate

Highlight your Certificate Chain

Click Save

Commit your Telephony changes

Restart the Telephony Server using the Telephony Services menu

Configure the Firewall to allow 5060/udp 5060-5061/tcp 4569/udp 10000-20000/udp

After editing this rule use the Network Service Manager to restart the Firewall

Configuring Telephony – Extension – Phone Options

Edit an extension’s Phone Options so that it will use Transport Mode TLS and Enable SRTP encryption AES 80

Save and Commit your changes

Snom

In this example we are configuring  a template and only the options needed to secure communications on the phone.

Configure the Provisioning tab to use HTTPS by putting https in the provisioning URL and by selecting the  certificates you created earlier.

Then click on the Options tab when done

Options

Edit the path for the Certificate URL to include https and select the Certificates you created earlier

Then click on the Servers tab when done

Servers

Change both  the Registrar Port and Proxy Port to 5061

You must enter both the Registrar and SIP Proxy IP.  If you are using IP/DNS mapping use the the dummy address.

Then click on the PBX Services tab when done

Change the GUI Protocol selection to HTTPS

In the GUI Server (hostname or IP) field enter the required IP address or Fully Qualified Host Name of the server

Click Add when done

Adding or Editing a Snom MAC address

Choose the desired Tenant

Choose the Desired Phone Model

Choose the desired Template

Enter the Phone's MAC address

Click on the Lines tab when done

Lines

Click on the Lines tab

Assign an extension to Line 1 (other lines are optional)

Enable Secure RTP (SRTP) must be checked

Only Accept SRTP (secure) calls must be checked

Enable TLS transport must be checked

Save your changes

Commit APS changes

Reboot the phone so it downloads its new configuration files after committing your changes.

Polycom

In this example we are configuring  a template and only the options needed to secure communications on the phone.

Configure the Provisioning tab to use HTTPS by putting https in the provisioning URL and by selecting the  certificates you created earlier.

Then click on the Lines tab

Lines

Enable SRTP (secure) calls?

Then click on the Servers tab

Servers

Change the SIP Transport to TLS

Change the SIP Proxy Port to 5061

Click on the PBX Services Tab when done

PBX Services

Change the GUI Protocol to use HTTPS

And edit the GUI Server (Hostname or IP) to match your required configuration.

Click Add when done

Provision MAC addresses for your Polycom phones and apply the template to each required phone

Commit Telephony changes

Commit APS changes

Reboot the phone so it can download its required configuration files

 

Edit the MAC address object of your Polycom phone

Select the desired Tenant

Choose the correct Phone Model from the list

Choose the Phone Template you configured with HTTPS parameters

Click on the Lines tab and assign an extension

Save your settings

Commit Telephony changes

Commit APS changes

Reboot the phone to download the configuration files

Yealink

In this example we are configuring  a template and only the options needed to secure communications on the phone.

Configure the Provisioning tab to use HTTPS by putting https in the provisioning and Firmware URL and by selecting the  certificates you created earlier.

Then click on the Server tab

Server

Enter the IP address or IP/DNS Mapping address

Change the Registrar Port to 5061

Then click on the PBX Services tab

PBX Services

Change the GUI Protocol to use HTTPS

And edit the GUI Server (Hostname or IP) to match your required configuration.

Add or Edit the MAC address object of your Yealink phone

Select the desired Tenant

Choose the correct Phone Model from the list

Choose the Phone Template you configured with HTTPS parameters

Click on the Lines tab and assign an extension

Choose Transport: TLS

Enable Voice Encryption (SRTP)

Save your settings

Applying Changes to Extensions and mac.cfg files

Commit Telephony changes

Commit APS changes

Reboot the phone to download the configuration files. You can use Tools|Telephony|Mass Phone Reboot

If you want to force a sync of a registered Polycom phone you can do so manually in the Asterisk CLI with this command:

sip notify polycom-check-cfg <ip address of peer>

Verifying Operation

In the Asterisk CLI

sip*CLI> sip show tcp

Address                                         Transport       Type

192.168.192.191:12501                 TLS     Client

192.168.192.191:11880                 TLS              Server

192.168.192.6:2057                        TLS              Server

192.168.192.6:2075                        TLS              Server

 

Transport TLS confirms that the peer is configured to use TLS.

If you want to check the validity of your SSL Certificate use this URL :

https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

 

 

• Related Articles

• General-Presentation-ScopTEL-ENGLISH

  ScopServ – The Company  ScopServ is a Canadian firm founded in 2004, specializing in information technology.  It designs high-end corporate applications and holds the intellectual property rights for its products and solutions.  A strong actor in ...

• ScopTEL Telephony Feature List

  ScopTEL Telephony Feature List ScopTEL has many applications and many Enterprise PBX features. This is a list of PBX Features. Feature Name Extended Description Fax Server Fax to Email Email to Fax (Clientless) Per User Licensing Model Customizable ...

• ScopSERV Introduces New Telephony Import/Export Manager to Migrate Multi Tenants

  Overview In the past backing up and restoring a telephony configuration meant overwriting any existing telephony configuration. While this is expected behaviour for a backup and restore it didn't offer any convenience for administrators wanting to ...

• Module 8 - ScopTEL IP PBX Software - Extensions Management

  Security | Background SIP Phones are SIP User Agents. For security, SIP User Agents must register to the SIP Registrar via username and password authentication. It is typical for the SIP protocol ports to be open or forwarded to the ScopTEL server if ...

• ScopTEL IP PBX Software - Basic Installation Hierarchy for Telephony Server

  Basic Installation Hierarchy for Telephony Server Therefore the purpose of this document is to provide a visual walkthrough of a very basic but functional installation for one tenant. This tutorial does not include an overview of the overall network ...