.. _en-module009:

========================================================================
SCOPTEL IP PBX Software - Managing Extensions
========================================================================

.. only:: pdf

   .. contents::

.. only:: html

   `PDF Version `_

Security
--------------

Background
^^^^^^^^^^^^

SIP Phones are SIP User Agents. For security, SIP User Agents must register with the SIP Registrar using username and password authentication.

It is typical for the SIP protocol ports to be open or forwarded to the SCOPTEL server when a third party Firewall is implemented. When the SIP ports are exposed on the Firewall it is common for hackers to attempt brute force attacks on the server. Such attacks systematically request authentication using common dial plan Extensions and trivial passwords.

Examples of such brute force attacks:

* Extension range 100 - 3000
* Systematic password attempts using passwords 1000 - 3000
* Systematic password attempts using passwords 0000, 1234, 1111, 4321, 123456, 7654321

Therefore, a secure password policy will prevent the overwhelming majority of hackers from registering a SIP Extension or SIP Trunk with the server for fraudulent purposes.

Examples of a secure SIP password policy:

* Minimum password length of 8 alphanumeric characters
* No dictionary words
* Minimum 2 upper case characters used
* Minimum 2 numerals used
* Passwords should be unique for each extension

The same policy enforcement should be in effect when configuring Voicemail Passwords, except that Voicemail Passwords cannot contain alpha characters and must be numeric. A poorly implemented Voicemail Password Policy can allow a hacker access to thru-dial capabilities from a mailbox configured to allow outdial. Therefore Voicemail Passwords must be strict regardless of the inconvenience caused to end users.

* Voicemail Password should never match the extension number.
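The SIP and Voicemail password rules above, as an added example in Python (not SCOPTEL code): a checker for each policy, a uniqueness check across extensions, and a random generator in the spirit of the GUI's Generate Password button. The word list is a constructed stand-in and the voicemail minimum length of 8 digits is an assumption taken from "the same policy enforcement".

```python
import secrets
import string

# Trivial voicemail passwords named in the Security section above.
TRIVIAL_PINS = {"0000", "1234", "1111", "4321", "123456", "7654321"}

# Constructed stand-in for a dictionary word list (load a full list in practice).
DICTIONARY = {"password", "welcome", "phone", "voicemail", "admin"}

def sip_password_violations(password, dictionary=DICTIONARY):
    """Return the SIP/IAX2 policy rules that ``password`` breaks ([] = compliant)."""
    problems = []
    if len(password) < 8 or not (password.isascii() and password.isalnum()):
        problems.append("min 8 alphanumeric characters")
    if sum(c.isupper() for c in password) < 2:
        problems.append("min 2 upper case characters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("min 2 numerals")
    if any(word in password.lower() for word in dictionary):
        problems.append("contains a dictionary word")
    return problems

def voicemail_pin_violations(extension, pin, min_length=8):
    """Voicemail policy: numeric only, never the extension number, never trivial."""
    # min_length=8 mirrors the SIP minimum (assumption; set it to the GUI policy).
    problems = []
    if not pin.isdigit():
        problems.append("must be numeric")
    if len(pin) < min_length:
        problems.append(f"min {min_length} digits")
    if pin == extension:
        problems.append("matches the extension number")
    if pin in TRIVIAL_PINS:
        problems.append("trivial password")
    return problems

def shared_passwords(credentials):
    """Map each reused password to the extensions sharing it (policy: unique per extension)."""
    by_password = {}
    for ext, pwd in credentials.items():
        by_password.setdefault(pwd, []).append(ext)
    return {pwd: exts for pwd, exts in by_password.items() if len(exts) > 1}

def generate_compliant_password(length=12):
    """Random alphanumeric password that passes sip_password_violations."""
    alphabet = string.ascii_letters + string.digits
    while True:  # rejection sampling keeps the generator and the checker in agreement
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not sip_password_violations(candidate):
            return candidate
```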
Example of a prohibited pair: Extension 100 with Voicemail Password 100.

* Voicemail Password should never be trivial. Examples: 0000, 1234, 1111, 4321, 123456, 7654321

Password Policies and Brute Force protection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* To set a Global Password Security Policy navigate to ``Configuration > Telephony > Configuration > Security``
* The SIP and IAX2 Password Policy is set independently of the Global Voicemail Password Policy.
* If the option "Automatically fix invalid password? [ ]" is checked then non-compliant passwords will be made compliant after a commit.
* Here are some recommended settings:

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement1.png

Firewall Background
^^^^^^^^^^^^^^^^^^^^

* It is common for SIP Extensions to exist for Remote Extensions (Nomadic users). It is highly recommended that the server be protected from malicious attacks by enabling the Firewall.
* Navigate to Configuration > Network > Firewall > General > Server Type
* Server Type defaults to “No Firewall”. The Firewall types are “Single System” and “Gateway/Firewall”.
* If only one Network Interface exists then only “Single System” or “No Firewall” is possible. If two Network Interfaces exist then the server can be configured as a “Gateway/Firewall”, which enables outgoing NAT (Network Address Translation) and applies the Firewall to the configured WAN Interface.
* In this screenshot the “Server Type” is configured as a “Single System” (Firewall is enabled). It is also recommended to set the “Server Type” and “Inbound Services (Permit)” options using the Configuration Wizard.
* NOTE: Firewall rules only apply to Network Interfaces designated as WAN interfaces. LAN interfaces are never policed by the Firewall.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement2.png

Firewall Configuration Wizard
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* In this example the Firewall Configuration Wizard will be used to set the recommended Firewall configuration.
* From Configuration > Network > Firewall > General
* Click on the “Configuration Wizard” button
* Choose the “Single System” option
* Click “Next”

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement3.png

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement4.png

Firewall Inbound Services
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Which services will be allowed depends on the network configuration and administrative security policies.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement5.png

Network Services Manager
^^^^^^^^^^^^^^^^^^^^^^^^^^

From Configuration > Network > General click on “Edit Services”.

* Click on Commit to write your changes to the relevant configuration files.
* Any service whose configuration has been modified must be restarted after a commit to reload the configuration into memory.
* Choose which Services need to run when the OS reboots.
* Network is mandatory.
* Apply changes after editing services and start or restart the service if required.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement6.png

Voicemail
^^^^^^^^^^

It is recommended to enable:

* Force a new user to record their Name
* Force a new user to record their Greeting

This will force the user of a new mailbox to change their password and record each of their greetings before the mailbox can be managed. If the password is not changed, all changes to the mailbox are lost.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement7.png

Types
^^^^^^^^

**SIP** Extension
+++++++++++++++++++

* A **SIP** Extension (IP Extension using the SIP protocol) is allowed its own voicemail box and therefore requires a User license.

**IAX2** Extension
+++++++++++++++++++

* An **IAX2** Extension (IP Extension using the IAX2 protocol) is allowed its own voicemail box and therefore requires a User license.

**Zap** Extension
++++++++++++++++++++

* A **Zap** Extension is an analog FXS extension using Sangoma or Digium cards. Sangoma and Digium cards should not co-exist in the same server.

**Voicemail** Extension
++++++++++++++++++++++++++

* A **Voicemail** Extension (Voicemail box only) is allowed its own voicemail box and therefore requires a User license.

**Hotdesk** Extension
+++++++++++++++++++++++

* A Hotdesk Extension is an Extension that logs into a physical Extension using the Hotdesk Feature Code, HotDesk Extension number and required password.
* By logging into a physical Extension the HotDesk Extension can make and receive calls from any extension which allows the HotDesk Feature Code in its assigned Class of Service. Incoming and outgoing Caller ID will be automatically manipulated to display the HotDesk user information.
* A Hotdesk Extension is allowed its own voicemail box and therefore requires a User license.

Virtual Extension
+++++++++++++++++++

* A Virtual Extension is a very advanced Extension type which allows a user to log in to the SCOPTEL GUI, use the Realtime Monitor and customize Call Detail Reports and other types of reports.
* A Virtual Extension is allowed its own voicemail box and therefore requires a User license.
* Advanced options can be configured to ring multiple destinations and automatically forward copies of voicemail messages to multiple extensions.
* User Options for Virtual Extensions include Follow Me, Camp-On and Personal IVR destinations.
* Custom Forwarding Rules can be defined for:

  * Call Forward Immediate
  * Call Forward Busy
  * Call Forward No Answer
  * Call Forward Unavailable (forward when the physical extension is offline)

* It is possible to Immediate Forward a Virtual Extension to make an Application available within an IVR context for inbound PSTN callers.

Ring Group Extension
+++++++++++++++++++++

* A Ring Group Extension automatically Immediately Forwards its calls to the configured Follow Me destinations.
* Advanced options can be configured to ring multiple destinations and automatically forward copies of voicemail messages to multiple extensions.
* A Ring Group Extension is not allowed its own voicemail box and therefore does not require a User license.
* User Options for Virtual Extensions include Follow Me, Camp-On and Personal IVR destinations.
* Custom Forwarding Rules can be defined for:

  * Call Forward Immediate
  * Call Forward Busy
  * Call Forward No Answer
  * Call Forward Unavailable (forward when the physical extension is offline)

* It is possible to Immediate Forward a Virtual Extension to make an Application available within an IVR context for inbound PSTN callers.

Shared Device Extension
+++++++++++++++++++++++++

* A Shared Extension can be configured so that multiple extensions ring when the pilot DN is dialed; depending on the busy status of the extension(s), one or more extensions ring but a busy extension will not ring.
* Each Shared Extension requires its own Shared Device license.

Extension
---------------

Add a new Phone
^^^^^^^^^^^^^^^^

* To create a SIP Extension navigate to Configuration > Telephony > Extensions
* Click on “Add a New Phone”
* You can also use the Add Multiple Extensions Wizard to add many Extensions

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement8.png

Type
^^^^^^^^

Choose “SIP” from the list of available Extension types.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement9.png

Extension Number and Name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Assign an unused Extension number
* Enter a Full Name for this user with no special characters and only one space
* Select the desired Class of Service to apply to this user from the drop list
* Click on the Authentication tab

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement10.png

Authentication
^^^^^^^^^^^^^^^^^^

* The Username should match the numeric value of this Extension number.
* Since the Security Policy enforces a strict SIP/IAX2 Password Policy, the first prerequisite is to enter a compliant alphanumeric password into the text box or use the Generate Password button to generate a random compliant password. Click on the Voicemail tab once the Authentication text is entered.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement11.png

Voicemail
^^^^^^^^^^

* Enable Voicemail if required.
* To force a new mailbox owner to initialize their mailbox, use the extension number in the password field (prerequisite: enable "Force a new user to record their Name [x]" and "Force a new user to record their Greeting [x]" in the Voicemail Manager template).
* Enable Message Waiting Indicator (MWI) to light the Voicemail light on the matching SIP hardware or softphone.
* Enable Email Notification if you want to enable voicemail to email (normally requires a prerequisite SMTP Smart Relay configuration in the Server Manager).
* Configure additional security options in the Advanced Settings section.
* Click on the Phone Options tab.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement12.png

Phone Options
^^^^^^^^^^^^^^^

* Host Mode should be left at its default and the IP address field should be ignored, because this is an advanced field used for problematic Remote Extensions behind a NAT Router.
* If the SIP device is to be used on the LAN then the “Phone behind NAT” option should not be checked.
* Transport Mode(s) are vendor specific but the majority of SIP User Agents support UDP. Allowing both modes will allow the server and user agent to negotiate the compatible mode in the SDP messages. UDP should be considered a prerequisite.
* If the SIP device is to be used as a Remote Extension located behind a NAT router then the “Phone behind NAT” option should be checked.
  Checking this option is normally sufficient to ensure that the Remote Extension can register with the server and two way speech paths are possible (assuming that the Firewall and global NAT options are configured correctly).
* P-Asserted-Identity (PAI) is highly recommended over the default RPID mode, which has become a legacy method. PAI is required for connected line updates. You cannot enable both settings; only one option is allowed.
* If you wish to activate TLS Transport Mode and enable SRTP encryption then refer to: https://blog.scopserv.com/2016/09/how-to-use-the-SCOPTEL-certificate-manager-to-enable-tls-encryption/

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement13.png

* Qualify is enabled by default and allows the server to monitor the Extension for Registration status and packet latency using OPTIONS messages. Not all SIP peers support OPTIONS, so this might have to be unchecked depending on the device (Cyberdata devices do not support OPTIONS).
* DTMF mode is normally Automatic (RFC 2833 / Inband).
* Only CODECs supported by the SIP end point should be enabled.
* Incoming/Outgoing Call Limit can restrict the number of simultaneous calls supported by this Extension (default 8).
* “SIP Alert (Auto Answer/Distinctive Ring)” is used to configure this SIP end point to receive an internal page if the SIP end point is a supported device.
* For Cisco support refer to: https://blog.scopserv.com/2017/07/SCOPTEL-cisco-sip-phone-integration/
* When done click on the Caller ID tab.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement14.png

Caller ID
^^^^^^^^^^^^

* All Caller ID fields can be modified.
* Default values will set the local and outgoing PSTN Caller ID to match the configured Extension Number and Name.
* Un-checking either the “Internal Call” or “External Call” checkbox will allow the Caller ID configuration to be modified.
* Note that “External Call” and “Emergency Call” Caller ID cannot be customized if the ITSP or PSTN provider’s trunks do not allow the Caller ID (ANI) to be re-written.
* It is highly recommended that the “External Call” and “Emergency Call” Caller ID be modified to show either the published BTN of the customer or the DID of the user. Failure to modify the defaults will result in only the Name and Extension number appearing on any outgoing external and emergency calls.
* The Outgoing Line custom ANI is always overridden if the Extension’s > Caller ID > "Allow extension to override outgoing CallerID" checkbox is enabled, and Emergency Calls will also take precedence over the Outgoing Line if configured.
* When done click on the User Options tab.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement15.png

User Options
^^^^^^^^^^^^^^

* User Options define call forwarding rules, language, Music On Hold source file directory, default ring time, Call Recording options, Fax Detection, etc.
* Enabling any advanced options such as “Follow Me”, “Personal IVR”, “Camp-On” or “E911 Location” will add new tabs and options to this extension’s GUI interface and allow additional configuration.
* NOTE: to activate an advanced rule like Follow Me, you must choose a call forwarding option and select it from the destination drop list.
* When done click on Web Authentication.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement16.png

Web Authentication
^^^^^^^^^^^^^^^^^^^^

* The “Web Authentication” option allows the owner of an Extension to log in to the SCOPTEL GUI and access several unique features, including Voicemail playback and management. It is an optional feature and not mandatory to configure.
* To access those features a unique login is created by checking “Enable User Web GUI” and assigning a unique Username and Password for this Extension. The user logs into the same IP address and management port as the administrator but uses this login to access their personal GUI.
* Click on the “Security” tab when finished with this configuration.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement17.png

Security
^^^^^^^^^^

* Blacklisted numbers can be added to the text field, and a password can be enforced when another extension or PSTN channel attempts to call this extension. If the password is not entered correctly then the Extension cannot be called.
* This setting is optional and rarely used.
* Click “Add” when finished to complete adding this extension to the server.

.. image:: ../assets/trainings/Module9ScopTELExtensionsManagement18.png