.. _en-module010:

========================================================================
SCOPTEL IP PBX Software - Automatic Provisioning System
========================================================================

.. only:: pdf

   .. contents::

Background
--------------

* The APS (Automatic Provisioning System) is used to create the configuration files required by many SIP end devices. The APS assigns SIP usernames and passwords, network options, time settings, QoS settings, dial plans, firmware upgrade policies, soft key programming, DSS/BLF programming, security settings, DTMF modes and LDAP settings.
* Templates can be configured to simplify tedious configuration settings for as many supported SIP end points as required.
* Extensions you wish to assign to a MAC address must already exist, so create them first before trying to assign them to hardware using the APS.
* Supported vendors:

  * Yealink
  * Aastra
  * Polycom
  * Cisco
  * Sipura/Linksys/Cisco
  * Panasonic SIP and SIP DECT
  * Vtech Hospitality Phones
  * Snom
  * Cyberdata Intercoms
  * Grandstream
  * SpectraLink
  * Alcatel
  * AudioCodes
  * LG-Ericsson

Security
------------

* Hackers routinely scan IP addresses for open ports. If they find an IP address whose provisioning service can be brute forced, they run a remote provisioning scan: they keep the first 6 digits of a popular vendor ID (Polycom, Yealink, ...) and brute force the last 6 digits of the 12 digit MAC address.
* For example, a SCOPTEL server using the default HTTP listen port of 5555 can be attacked with this method. Other vendors are just as exposed on whatever HTTP listen port they use to remotely provision IP phones.
* TFTP on UDP port 69 is especially vulnerable because no specific path to the MAC.cfg file is required; only the ``<MAC>.cfg`` file name is needed to harvest the file. TFTP should be denied on the Firewall whenever possible.
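One way to spot the sweep described above in the provisioning listener's web access log, added here as an example and not part of SCOPTEL or this document: it assumes a combined-format access log for the HTTP listener (port 5555 by default) serving files under the /tftpboot/ alias, and constructs a few sample lines inline. A client requesting many different ``<MAC>.cfg`` files that share one vendor prefix within a short window is the brute-force pattern; any 200 it receives is a configuration that may have been harvested.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches GET requests for /tftpboot/<12 hex digit MAC>.cfg in a combined-format access log.
CFG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /tftpboot/'
                    r'(?P<mac>[0-9A-Fa-f]{12})\.cfg HTTP/1\.[01]" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, mac, status) for a provisioning-file request, else None."""
    m = CFG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["mac"].lower(), int(m["status"])


def find_enumerators(lines, min_macs=5, window_s=300):
    """Map client IP -> reports of vendor-prefix sweeps: >= min_macs distinct MACs sharing
    the same first 6 digits requested within window_s seconds. 'served' lists the MACs whose
    file was actually returned (HTTP 200), i.e. a configuration that may have been harvested."""
    per_ip = defaultdict(lambda: defaultdict(list))   # ip -> prefix -> [(ts, mac, status)]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, mac, status = rec
            per_ip[ip][mac[:6]].append((ts, mac, status))
    alerts = defaultdict(list)
    for ip, by_prefix in per_ip.items():
        for prefix, hits in by_prefix.items():
            hits.sort()
            best, start = None, 0
            for end in range(len(hits)):            # sliding time window over the sweep
                while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                    start += 1
                window = hits[start:end + 1]
                tried = {h[1] for h in window}
                if len(tried) >= min_macs and (best is None or len(tried) > best["distinct_macs"]):
                    best = {"prefix": prefix, "distinct_macs": len(tried),
                            "served": sorted({h[1] for h in window if h[2] == 200})}
            if best:
                alerts[ip].append(best)
    return dict(alerts)


# Constructed sample: a phone fetching only its own file, then one client walking the
# last digits of a fixed vendor prefix and getting one real configuration back.
SAMPLE_LOG = ['192.0.2.10 - - [01/Mar/2024:09:00:00 +0000] "GET /tftpboot/0004f2aa0001.cfg HTTP/1.1" 200 8812'] + [
    f'198.51.100.7 - - [01/Mar/2024:09:01:{i:02d} +0000] "GET /tftpboot/0004f2aa{i:04x}.cfg HTTP/1.1" '
    + ("200 8812" if i == 1 else "404 -") for i in range(6)]

if __name__ == "__main__":
    for ip, reports in find_enumerators(SAMPLE_LOG).items():
        print(ip, reports)
```

The legitimate phone (one MAC, one request) produces no alert; the sweeping client is reported with the prefix it walked and the one file it was served.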
* If you have enabled Telephony>Configuration>Security>Flood Protection together with the SCOPTEL Firewall and the Telephony Flood Protection (Fail2ban) Service, the remote attacker's IP address is blacklisted by the Firewall when a brute force attack is detected.
* But if the remote attacker knows a valid MAC address on the network, that MAC.cfg file can easily be harvested unless HTTP Authentication is configured. The exact methodology won't be published here as this should not be public knowledge.
* Refer to: https://blog.scopserv.com/2018/10/securing-configuration-files-with-http-authentication/

IP/DNS Mapping explained
--------------------------

The purpose of the IP/DNS Mapping is to replace a 'dummy' IP address or static IP address with a FQDN (Fully Qualified Domain Name).

* FQDNs are highly advantageous for the following reasons:

  * A public DNS A record lets a remote VoIP phone contact the SCOPTEL server's public IP address in order to register its SIP account and update its provisioning settings.
  * A local DNS A record lets a local VoIP phone contact the SCOPTEL server's public IP address in order to register its SIP account and update its provisioning settings.
  * If either the server's LAN or WAN address changes, the APS configurations do not need to change.
  * Only the DNS A records need changing, and since the phone always uses DNS lookups to re-register or reconfigure itself, downtime is kept to a minimum.
  * In any of these scenarios the phone is always configured with the same FQDN, so only the DNS A record (and the IP/DNS Mapping, if the name itself changes) needs to be edited.

Add a new Provisioning System
------------------------------

* From Configuration > Telephony > Provisioning click on "Add a new Provisioning System".

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem1.png

IP/DNS Mapping
-----------------

* From the Tenant drop list selector choose Tenant>All (Global) so that all tenants can use the same IP/DNS Mapping, or select the specific tenant you would like to restrict the IP/DNS Mapping to.
* In this example the source IP address 1.1.1.1 is a dummy address which will be replaced with master88.commzilla.net in the /tftpboot/ .cfg files.
* When done editing, Add the object, then carry on adding hardware based templates and then add MAC address based objects using the templates.
* This replacement is done automatically for every instance of 1.1.1.1 in any template or MAC based APS object, as shown in these examples:

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem2.png

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem3.png

Adding a new Hardware based template
-------------------------------------

* From Configuration > Telephony > Provisioning click on "Add a new Provisioning System".
* From the Tenant drop list selector choose Tenant>All (Global) so that all tenants can use the same template, or select the specific tenant you would like to restrict the vendor template to.
* From the Phone Model drop list select the matching hardware for the phones you will be deploying.
* Make sure you click on the 'Create Template' checkbox.
* Give this template a meaningful name.
* Click on the Provisioning tab.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem4.png

General
-----------

* Use the drop list selector to choose the installed firmware version of the device so this template will write compatible files.
* Use the drop list to choose the preferred sync method.
* Provisioning URL: enter the full path to the provisioning server in the format ``<http_protocol>://<FQDN>:<Listen_on_Port>/<TFTP_Alias>/``
* Example: http://master88.commzilla.net:5555/tftpboot/
* Firmware URL: enter the full path to the provisioning server in the format ``<http_protocol>://<FQDN>:<Listen_on_Port>/<TFTP_Alias>/<firmware_filename>``
* Example: http://master88.commzilla.net:5555/tftpboot/T48-35.83.0.50.rom
* Click on the Server tab.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem5.png

Server
---------

* In the Registrar boxes enter the dummy IP address created for the IP/DNS Mapping.
* Click on the Network tab.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem6.png

Network
----------

* The Use NAT option is recommended so that rport may be enabled.
* STUN Server: not recommended.
* Enable Link Layer Discovery Protocol (LLDP): an optional open standard Layer 2 protocol that allows automatic VLAN membership.
* Enable Cisco Discovery Protocol (CDP): an optional Cisco Layer 2 protocol that allows automatic VLAN membership.
* Click on the Date and Time tab when done.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem7.png

Date and Time
---------------

* Modify the Date and Time configuration if needed.
* Click on Phone Options.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem8.png

Phone Options
--------------

Modify settings like:

* The Phone Language for the end user interface
* Country Tone
* Set Custom Tones
* Any other preferred options
* Click on DSS Keys

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem9.png

DSS Keys Vs Programmable Keys
-----------------------------------------------------------------

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem10.png

DSS Keys
-----------

* DSS Keys are the
* Enable Enhanced DSS Keys (EDK) support to enable SCOPTEL PBX Features in the drop lists.
* The recommended Deal Type is Attended Transfer for proper PBX Features functionality.
* Expansion Module type and Number of Expansion Modules assigned depend on additional hardware and are optional.
* Key 1 is used for the Extension assignment. Leave the Label blank and the Line drop list set to Line 1. NOTE: each line key can process 8 concurrent calls. There is no need to have more than one Key assignment per Extension. Remaining Key buttons can be allocated for BLF, Key Event, Speed Dials, Features, DTMF events, Directory lookups, etc.
* Click on Programmable Keys when you are done editing.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem11.png

Programmable Keys
---------------------

* Programmable Keys can be reassigned from their Factory Defaults.
* Click on the Security tab when done.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem12.png

Security
-----------

* It is recommended to change the Admin Password.
* It is quite common for a user to experience ghost calls on their phones. This happens when a firewall binds the phone's default SIP signaling port udp/5060 to the public interface of the firewall through a badly implemented SIP ALG.
* Public tools like http://blog.sipvicious.org/ are often used to port scan public IP addresses on port 5060 looking for devices with weak security to exploit. When this happens we often see and hear the ghost calls. To prevent this it is recommended to:

  * Disable Allow Direct IP Call
  * Enable Accept SIP Trust Server Only
  * On the Line Key assignment use a non standard UDP port between udp/10000 and udp/20000
  * NOTE that the Local SIP Port cannot be configured in any template and must be assigned in the APS MAC configuration.
* Click on the Multicast Paging tab when done.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem13.png

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem14.png

Multicast Paging
--------------------

* Multicast Paging is beyond the scope of this document.
* Refer to: https://blog.scopserv.com/2018/02/how-to-setup-paging-in-SCOPTEL/
* When you are finished setting up Multicast Paging click on the PBX Services tab.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem15.png

PBX Services
---------------

* PBX Services allow you to configure the URL the phones use for internal Directory Lookups.
* Click on the LDAP tab when done.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem16.png

LDAP
-------

* LDAP configuration is beyond the scope of this document.
* Refer to: https://blog.scopserv.com/2012/08/setting-up-an-ldap-directory-server-on-SCOPTEL-pbx/
* Once you have completed your template click on the Add button.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem17.png

Adding a MAC address and assigning an Extension
------------------------------------------------

* From Configuration > Telephony > Provisioning click on "Add a new Provisioning System".

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem18.png

Assigning a MAC address
^^^^^^^^^^^^^^^^^^^^^^^^^^

* You must use the Tenant selector to choose a dedicated Tenant. You cannot use Tenant 'All (Global)'.
* Use the Phone Model drop list selector to find matching hardware for your phone deployment.
* Choose from an already configured template.
* Enter the unique MAC address of your hardware in the MAC Address field.
* Click on Lines when done.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem19.png

Lines
--------

* In the template example only one DSS Key was given a Line 1 assignment, so we will only configure Line 1.
* Use the drop list selector to assign an unassigned Extension.
* Enter the Label (Phone Display) text you wish to display on the phone's LCD screen.
* In order to support P-Asserted CallerID connected line updates you must change the default Caller ID Source selection to PAI - FROM.
* You may change the Local SIP Port to any custom value from 10000 - 20000 to reduce the likelihood of ghost calls.
* You may optionally enable SRTP Voice Encryption, but this has prerequisite configurations that must be done in advance. Refer to: https://blog.scopserv.com/2016/09/how-to-use-the-SCOPTEL-certificate-manager-to-enable-tls-encryption/
* Click on the PBX Services tab when done.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem20.png

PBX Services
--------------

* Using the drop list selector choose the Extension you assigned to Line 1.
* Click on Add when done.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem21.png

Provisioning
---------------

* Security is critical, so before proceeding refer to: https://blog.scopserv.com/2018/10/securing-configuration-files-with-http-authentication/
* The SIP Server Address is used for the Auto Provisioning Feature Code at Telephony Settings: Configuration>Provisioning. It must be an address physically assigned to the server.
* The TFTP server address must be an address physically assigned to the server and should be the address bound to the interface running DHCP.
* The Server Hostname must have a matching DNS A record on the DNS Server supporting this network.
* If 'Enable Auto-Create support if configuration doesn't exist' is enabled, then when DHCP detection detects a supported device its MAC address will be added to the APS MAC address list.
  If this option is enabled, configuring the Whitelist should be considered mandatory for security purposes.
* Supported devices are:

  * Aastra
  * Snom
  * Polycom
  * Yealink

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem22.png

In addition to manually configuring MAC addresses for supported SIP devices, SCOPTEL also supports several mass deployment methods:

* Text import of MAC addresses from a file
* Network Scan of selected IP addresses on selected subnets
* DHCP detection of new devices when the SCOPTEL DHCP server is the only DHCP server on the LAN

SCOPTEL Minimum Package Requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``scopserv_yum install nmap`` (if nmap is not already installed)
* scopserv-network-2.6.4-1.nodist.scopserv.noarch.rpm
* scopserv-server-2.6.4-1.nodist.scopserv.noarch.rpm
* scopserv-telephony 25-2.6.52-1.el5.scopserv.noarch.rpm

Text import of MAC addresses from a file
-----------------------------------------

* From the APS Main Page click on Import MAC.
* Enter a list of MAC addresses or copy and paste from an ASCII file.
* Click Next.
* A New SIP device list appears showing that the MAC vendor ID matches supported hardware (in this case 3 new Polycom phones).
* Press Next.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem23.png

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem24.png

* Since the system cannot know the model number of each device, you must select a matching model number from the list for each MAC address using the drop down list selections.
* Click Next.
* Click Finish to add the new MACs to the APS list.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem25.png

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem26.png

Network Scan of selected IP addresses on selected subnets
-----------------------------------------------------------

* This method will only add un-configured MAC addresses to the APS list.
* Click on Network Auto-Discovery (Scan).

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem27.png

* Enter the first available IP address on a valid subnet (normally the first IP address in a DHCP pool).
* Enter the last available IP address on a valid subnet (normally the last IP address in a DHCP pool).
* Choose the Network Interface that services the valid subnet.
* Choose the desired tenant.
* Enter the IP address of the SIP Server (usually the IP address of the Network Interface servicing the local subnet).
* Click Next.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem28.png

* The new window will show a list of detected MAC addresses.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem32.png

Automatic Addition of Supported Devices via DHCP Classes
------------------------------------------------------------

Pre-requisites
^^^^^^^^^^^^^^^^^^^^^^

Network Module Pre-requisites
+++++++++++++++++++++++++++++++++++++

* Network>DHCP Server must be enabled and properly configured.

By creating DHCP Classes a default list of supported devices will be added by known Vendor ID.

* Each Class will use default provisioning options for each supported hardware vendor.
* This simplifies the editing of options like TFTP option 66 or 150 depending on vendor.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem34.png

After creating the Default Classes, the Classes must be added to the DHCP Subnet.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem35.png

* Commit Network changes.
* Restart the DHCP Server Service to enable the changes.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem36.png

Telephony Module Pre-requisites
+++++++++++++++++++++++++++++++++++++

* Telephony>Configuration>Channels>SIP Channel>Auto-Create Peers=yes
* WARNING: Auto-Create Peers can be vulnerable to malicious SIP attacks, so the server should not have SIP ports exposed to the public (firewall your SIP ports from external subnets and follow SCOPSERV security best practices).

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem37.png

* Telephony>Configuration>Provisioning
* Change the Unprovisioned Feature PIN to a complex number for security.
* Enter the SIP Server address required for registration.
* Save and Commit changes.

.. image:: ../assets/trainings/Module10ScopTELAutomaticProvisioningSystem38.png

USAGE
^^^^^^^^^^^^

* Plug a supported SIP device into the voice subnet.
* Wait for it to boot (it may reboot after it downloads its configuration from the server for the first time).
* Once the phone boots up you should see its MAC address in the APS list as an unprovisioned device.
* Once the phone displays UNPROV on its display you can begin the registration process.
* Dial any phone number to hear the password prompt.
* Enter the Provisioning PIN number defined in Telephony>Configuration>Provisioning using the keypad.
* Enter a defined but unused extension number using the keypad when prompted.
* Edit the MAC address in the APS list and change any required settings like the template used, name, soft key assignments etc.
* Commit.
* Reboot the phone to download the final configurations.
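An added example (not SCOPTEL code) modelling the vendor ID check that the Import MAC wizard in the "Text import of MAC addresses from a file" section performs on a pasted list: it normalizes the common MAC spellings, drops duplicates and addresses already in the APS list, and buckets the rest by vendor prefix so only supported hardware reaches the model-selection step. The OUI table is an illustrative assumption for the four auto-create vendors and must be verified against the IEEE registry before use.

```python
import re

# Assumed vendor-prefix table (first 6 hex digits of the MAC -> vendor) for the vendors the
# page lists as auto-create capable; verify every entry against the IEEE OUI registry.
SUPPORTED_OUIS = {
    "0004f2": "Polycom",
    "001565": "Yealink",
    "000413": "Snom",
    "00085d": "Aastra",
}
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex -> 12 lowercase hex digits, else None."""
    mac = re.sub(r"[:\-.]", "", text.strip()).lower()
    return mac if _HEX12.match(mac) else None


def import_mac_list(text, already_configured=()):
    """Parse a pasted list (one MAC per line, '#' comments allowed); drop duplicates and MACs
    already in the APS list; group new MACs by supported vendor, reporting the rest."""
    known = {normalize_mac(m) for m in already_configured}
    seen, result = set(), {"new": {}, "existing": [], "unsupported": [], "invalid": []}
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if not raw:
            continue
        mac = normalize_mac(raw)
        if mac is None:
            result["invalid"].append(raw)      # keep the original spelling for the operator
            continue
        if mac in seen:
            continue                           # same phone pasted twice
        seen.add(mac)
        if mac in known:
            result["existing"].append(mac)     # already provisioned, nothing to add
            continue
        vendor = SUPPORTED_OUIS.get(mac[:6])
        if vendor:
            result["new"].setdefault(vendor, []).append(mac)
        else:
            result["unsupported"].append(mac)  # unknown vendor ID: no template can be offered
    return result


# Constructed paste mixing formats, a duplicate, a comment, a typo and an unknown vendor.
SAMPLE_PASTE = """\
00:04:F2:11:22:33      # Polycom, colon separated
0004f2112233           # same phone again, bare hex -> deduplicated
0004.F211.2244         # Polycom, Cisco-style dotted
00-15-65-AA-BB-CC      # Yealink, already in the APS list in the example call
00:15:65:AA:BB:C       # one digit short -> invalid
02:00:00:12:34:56      # locally administered address, not a supported vendor
"""
```

Calling ``import_mac_list(SAMPLE_PASTE, already_configured=["00:15:65:aa:bb:cc"])`` yields two new Polycom phones, one existing Yealink, one unsupported and one invalid entry.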