SCOPTEL IP PBX Software - Managing Extensions
Security
Background
SIP Phones are SIP User Agents. For security, SIP User Agents must register to the SIP Registrar via username and password authentication. It is typical for the SIP protocol ports to be open or forwarded to the SCOPTEL server if a third party Firewall is implemented. When the SIP ports are exposed on the Firewall it is common for hackers to attempt brute force attacks on the server. Such attacks systematically request authentication using common dial plan Extensions and trivial passwords.
Examples of such brute force attacks:
Extension range 100 - 3000
Systematic password attempts using passwords 1000 - 3000
Systematic password attempts using passwords 0000, 1234, 1111, 4321, 123456, 7654321
Therefore, if a secure password policy is used it will prevent the overall majority of hackers from registering a SIP Extension or SIP Trunk with the server for fraudulent purposes.
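The sweep pattern described above (one source walking a range of extension numbers) is distinguishable from a legitimate user mistyping a password, because the legitimate user fails repeatedly against a single username. The following is an added example for illustration, not code from the SCOPTEL documentation or product: the failed-registration records are constructed inline because the page shows no log format, and the thresholds min_distinct and min_run are assumptions to tune per site.

```python
"""Flag SIP REGISTER brute-force sweeps from a list of failed authentications.

Added example; not part of SCOPTEL. Input is a list of (source_ip, username)
pairs. A real deployment would produce these pairs by parsing its own server's
authentication-failure log, whose format is not shown on the page.
"""
from collections import defaultdict

# Constructed sample: one user retyping the wrong password (single username),
# one source sweeping extensions 100-130, and one source trying two guesses.
FAILED_REGISTRATIONS = (
    [("198.51.100.20", "201")] * 3
    + [("203.0.113.7", str(n)) for n in range(100, 131)]
    + [("192.0.2.55", "1000"), ("192.0.2.55", "1234")]
)


def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive integers among `numbers`."""
    nums = set(numbers)
    best = 0
    for n in nums:
        if n - 1 in nums:
            continue  # only start counting at the beginning of a run
        length = 1
        while n + length in nums:
            length += 1
        best = max(best, length)
    return best


def find_extension_sweeps(events, min_distinct=10, min_run=5):
    """Return {source_ip: summary} for sources whose failures touch many distinct
    extensions (min_distinct) or walk a consecutive numeric range (min_run).
    Both thresholds are assumed values, not taken from the page."""
    users_by_source = defaultdict(set)
    attempts = defaultdict(int)
    for src, user in events:
        attempts[src] += 1
        users_by_source[src].add(user)

    flagged = {}
    for src, users in users_by_source.items():
        numeric = [int(u) for u in users if u.isdigit()]
        run = longest_consecutive_run(numeric)
        if len(users) >= min_distinct or run >= min_run:
            flagged[src] = {
                "attempts": attempts[src],
                "distinct_extensions": len(users),
                "longest_consecutive_run": run,
                "range": (min(numeric), max(numeric)) if numeric else None,
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_extension_sweeps(FAILED_REGISTRATIONS).items():
        print(src, info)
```

Only the sweeping source is reported; the single-username retries and the two isolated guesses stay below both thresholds, which is what makes the distinct-extension count a useful signal on top of a plain failure counter.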
Examples of secure SIP password policy
Minimum password length of 8 alpha numeric characters.
No Dictionary words
Minimum 2 Upper Case characters used
Minimum 2 numerals used
Passwords should be unique for each extension
The same policy enforcement should be in effect when configuring Voicemail Passwords, except that Voicemail Passwords cannot contain alpha characters and must be numeric. A poorly implemented Voicemail Password Policy can give a hacker access to thru-dial capabilities from a mailbox configured to allow outdial. Therefore Voicemail Passwords must be strict regardless of the inconvenience caused to end users.
Voicemail Password should never match the extension number. Example: Extension 100, Voicemail Password 100
Voicemail Password should never be trivial. Examples: 0000, 1234, 1111, 4321, 123456, 7654321
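The following added example (not SCOPTEL's own code) audits a table of SIP and voicemail credentials against the policy points listed above: length and alphanumeric content, upper-case and numeral minimums, dictionary words, uniqueness across extensions, and the numeric, non-trivial, not-equal-to-extension rules for voicemail. The word list DICTIONARY_WORDS and the sample extension table are constructed for illustration; a deployment would substitute a real dictionary and the server's extension data.

```python
"""Audit SIP and voicemail passwords against the policy stated in the text.

Added example; not code from the SCOPTEL documentation or product.
"""

# Constructed: a tiny stand-in for a real dictionary word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "phone", "admin", "secret"}

# Trivial voicemail passwords listed in the text.
TRIVIAL_PINS = {"0000", "1234", "1111", "4321", "123456", "7654321"}


def check_sip_password(password, existing_passwords=()):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < 8 or not password.isalnum():
        problems.append("must be at least 8 alphanumeric characters")
    if sum(c.isupper() for c in password) < 2:
        problems.append("needs at least 2 upper-case characters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("needs at least 2 numerals")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if password in existing_passwords:
        problems.append("already used by another extension")
    return problems


def check_voicemail_password(pin, extension):
    """Voicemail rules: numeric, not the extension number, not a trivial PIN."""
    problems = []
    if not pin.isdigit():
        problems.append("must be numeric")
    if pin == extension:
        problems.append("must not match the extension number")
    if pin in TRIVIAL_PINS:
        problems.append("is a trivial password")
    return problems


def audit_extensions(extensions):
    """extensions: list of (number, sip_password, voicemail_pin).
    Returns {number: [violations]} containing only non-compliant entries."""
    report = {}
    seen = set()  # SIP passwords already accepted earlier in the table
    for number, sip_pw, vm_pin in extensions:
        issues = ["SIP " + p for p in check_sip_password(sip_pw, seen)]
        issues += ["VM " + p for p in check_voicemail_password(vm_pin, number)]
        seen.add(sip_pw)
        if issues:
            report[number] = issues
    return report


# Constructed sample extension table: (extension, SIP password, voicemail PIN).
SAMPLE_EXTENSIONS = [
    ("100", "Xk7pQ2mR", "4829"),   # compliant
    ("101", "password1", "101"),   # dictionary word, weak mix, PIN equals extension
    ("102", "Xk7pQ2mR", "1234"),   # reuses extension 100's password, trivial PIN
    ("103", "Ab12cd3!", "12a4"),   # '!' is not alphanumeric, PIN is not numeric
]

if __name__ == "__main__":
    for number, issues in audit_extensions(SAMPLE_EXTENSIONS).items():
        print(number, "; ".join(issues))
```

The uniqueness rule is checked against passwords accepted earlier in the same table, so the first extension using a value passes and every later duplicate is the one reported.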
Password Policies and Brute Force protection
To set a Global Password Security Policy navigate to
Configuration > Telephony > Configuration > Security
The SIP and IAX2 Password Policy is set independently of the Global Voicemail Password Policy.
If the "Automatically fix invalid password?" option is checked, non-compliant passwords will be made compliant after a commit.
Here are some recommended Settings
Firewall Background
It is common for SIP Extensions to exist for Remote Extensions (Nomadic users). It is highly recommended that the server be protected from malicious attacks by enabling the Firewall.
Configuration>Network>Firewall>General>Server Type
The default Server Type is “No Firewall”. The Firewall types are “Single System” and “Gateway/Firewall”.
If only one Network Interface exists then only “Single System” or “No Firewall” is possible. If two Network Interfaces exist then the server can be configured as a “Gateway/Firewall” which will enable outgoing NAT (Network Address Translation) and Firewall the configured WAN Interface.
In this screenshot the “Server Type” is configured as a “Single System” (Firewall is enabled). It is also recommended to set the “Server Type” and “Inbound Services (Permit)” options using the Configuration Wizard.
NOTE: Firewall rules only apply to Network Interfaces designated as WAN interfaces. LAN interfaces are never policed by the Firewall.
Firewall Configuration Wizard
In this example the Firewall Configuration Wizard will be used to set the recommended Firewall Configurations.
From Configuration > Network > Firewall > General
Click on the “Configuration Wizard” button
Choose the “Single System” option
Click “Next”
Firewall Inbound Services
Which services will be allowed is dependent on network configurations and administrative security policies.
Network Services Manager
From Configuration > Network > General Click on “Edit Services”
Click on Commit to write your changes to the relevant configuration files.
Any service which has had its configuration modified must be restarted after a commit to reload configuration into memory.
Choose which Services need to run when the OS reboots.
Network is mandatory.
Apply changes after editing services and start or restart the service if required.
Voicemail
It is recommended to enable:
Force a new user to record their Name
Force a new user to record their Greeting
This will force the user of a new mailbox to change their password and record each of their greetings before the mailbox can be managed. If the password is not changed all changes to the mailbox are lost.
Types
SIP Extension
SIP Extension (IP Extension using the SIP protocol) is allowed its own voicemail box and therefore requires a User license
IAX2 Extension
IAX2 Extension (IP Extension using the IAX 2 protocol) is allowed its own voicemail box and therefore requires a User license
Zap Extension
A Zap Extension is an analog FXS extension using Sangoma or Digium cards. Sangoma and Digium cards should not co-exist in the same server.
Voicemail Extension
Voicemail Extension (Voicemail box only) is allowed its own voicemail box and therefore requires a User license
Hotdesk Extension
A Hotdesk Extension is an Extension that logs into a physical Extension using the Hotdesk Feature Code, HotDesk Extension number and required password.
By logging into a physical Extension the HotDesk Extension can make and receive calls from any extension which allows the HotDesk Feature Code in its assigned Class of Service. Caller ID incoming and outgoing will be automatically manipulated to display HotDesk user information.
A Hotdesk Extension is allowed its own voicemail box and therefore requires a User license
Virtual Extension
A Virtual Extension is a very advanced Extension type which allows a user to login to the SCOPTEL GUI and use the Realtime Monitor and customize Call Detail Reports and other types of reports.
A Virtual Extension is allowed its own voicemail box and therefore requires a User license
Advanced options can be configured to ring multiple destinations and automatically forward copies of voicemail messages to multiple extensions
User Options for Virtual Extensions include Follow Me, Camp-On, Personal IVR destinations
Custom Forwarding Rules can be defined for :
Call Forward Immediate
Call Forward Busy
Call Forward No Answer
Call Forward Unavailable (forward when physical extension is offline)
It is possible to Immediate Forward a Virtual Extension to make an Application available within an IVR context for inbound PSTN callers.
Ring Group Extension
A Ring Group Extension automatically forwards its calls immediately to the configured Follow Me destinations.
Advanced options can be configured to ring multiple destinations and automatically forward copies of voicemail messages to multiple extensions.
A Ring Group Extension is not allowed its own voicemail box and therefore does not require a User license
User Options for Virtual Extensions include Follow Me, Camp-On, Personal IVR destinations.
Custom Forwarding Rules can be defined for :
Call Forward Immediate
Call Forward Busy
Call Forward No Answer
Call Forward Unavailable (forward when physical extension is offline)
It is possible to Immediate Forward a Virtual Extension to make an Application available within an IVR context for inbound PSTN callers.
Extension
Add a new Phone
To create a SIP Extension navigate to Configuration > Telephony > Extensions
Click on “Add a New Phone ”
You can also use the Add Multiple Extensions Wizard to add many Extensions
Extension Number and Name
Assign an unused Extension number
Enter a Full Name for this user <First Last> with no special characters and only one space
Select the desired Class of Service to apply to this user from the drop list
Click on the Authentication tab
Authentication
The Username should match the numeric value of this Extension number
Since the Security Policy enforces a strict SIP/IAX 2 Password Policy the first pre-requisite is to enter a compliant alpha numeric password into the text box or use the Generate Password button to generate a random compliant password. Click on the Voicemail tab once the Authentication text is entered.
Voicemail
Enable Voicemail if required
To force a new mailbox owner to initialize their mailbox use the extension number in the password field (pre-requisite enable Force a new user to record their Name [x], Force a new user to record their Greeting [x] in the Voicemail Manager template).
Enable Message Waiting Indicator (MWI) to light the Voicemail light on the matching SIP hardware or softphone
Enable Email Notification if you want to enable voicemail to email (normally requires a pre-requisite SMTP Smart Relay configuration in the Server Manager)
Configure additional security options in the Advanced Settings section.
Click on Phone Options tab
Phone Options
Host Mode should be left default and the IP address field should be ignored because this is an advanced field used for problematic Remote Extensions behind a NAT Router
If the SIP device is to be used on the LAN then the “Phone behind NAT” option should not be checked.
Transport Mode(s) are vendor specific but the majority of SIP User Agents support UDP. Allowing both modes will allow the server and user agent to negotiate the compatible mode in the SDP messages. UDP should be considered a pre-requisite
If the SIP device is to be used as a Remote Extension located behind a NAT router then the “Phone behind NAT” option should be checked. Checking this option is normally sufficient to ensure that the Remote Extension can register with the server and that two-way speech paths are possible (assuming that the Firewall and global NAT options are configured correctly).
P-Asserted (PAI) is highly recommended over the default RPID mode, which has become a legacy method. PAI is required for connected line updates. You cannot enable both settings; only one option is allowed.
If you wish to activate TLS Transport Mode and Enable SRTP encryption then refer to : https://blog.scopserv.com/2016/09/how-to-use-the-SCOPTEL-certificate-manager-to-enable-tls-encryption/
Qualify is enabled by default and allows the server to monitor the Extension for Registration status and packet latency using OPTIONS messages. Not all SIP peers support OPTIONS, so this might have to be unchecked depending on the device (Cyberdata devices do not support OPTIONS).
DTMF mode is normally Automatic (RFC 2833 / Inband).
Only CODEC’s supported by the SIP end point should be enabled.
Incoming/Outgoing Call Limit can restrict the number of simultaneous calls supported by this Extension (default 8).
“SIP Alert (Auto Answer/Distinctive Ring)” is used to configure this SIP end point to receive an internal page if the SIP end point is a supported device.
For Cisco support refer to : https://blog.scopserv.com/2017/07/SCOPTEL-cisco-sip-phone-integration/
When done Click on the Caller ID tab
Caller ID
All Caller ID fields can be modified.
Default values will set the local and outgoing PSTN Caller ID to match the configured Extension Number and Name.
Un-checking either the “Internal Call” or “External Call” checkbox will allow the Caller ID configuration to be modified.
Note that “External Call” and “Emergency Call” Caller ID cannot be customized if the ITSP or PSTN provider’s trunks do not allow the Caller ID (ANI) to be re-written.
It is highly recommended that the “External Call“ and “Emergency Call” be modified to show either the published “BTN” of the customer or “DID” of the user. Failure to modify the defaults will result in only the Name and Extension number appearing on any outgoing external and emergency calls.
The Outgoing Line custom ANI is always overridden if Extension’s>Caller ID>Allow extension to override outgoing CallerID checkbox is enabled and Emergency Calls will also take precedence over the Outgoing Line if configured.
When done click on the User Options tab
User Options
User Options define call forwarding rules, language, Music On Hold source file directory, default ring time, Call Recording options, Fax Detection, etc…
Enabling any advanced options such as “Follow Me”, “Personal IVR”, “Camp-On”, “E911 Location” will add new tabs and options to this extension’s GUI interface and allow additional configurations.
NOTE: to activate an advanced rule like Follow Me, you must choose a call forwarding option and use the drop list to select it from the destination drop list.
When done click on Web Authentication
Web Authentication
The “Web Authentication” option allows the owner of an Extension to login to the SCOPTEL GUI and access several unique features including Voicemail playback and management. It is an optional feature and not mandatory to configure.
To access those features a unique login is created by checking the “Enable User Web GUI” and assigning a unique Username and Password for this Extension. The user logs into the same IP address and management port as the administrator but uses this login to access their personal GUI login.
Click on the “Security” tab when finished with this configuration.
Security
Blacklisted numbers can be added to the text field and a password can be enforced when another extension or PSTN channel attempts to call this extension. If the password is not entered correctly then the Extension cannot be called.
This setting is optional and rarely used.
Click “Add” when finished to complete adding this extension to the server.