- About This Document
- Get Started
- Customize Standard Features
- Configure SIP and NAT
- Configure Security, Quality, and Network Features
- Provisioning
- Configure Dial Plan
- Configure Regional Parameters and Supplementary Services
- Cisco Unified IP Conference Phone 8831 for Third-Party Call Control Field Reference
- Related Documentation
Provisioning
Phones can be provisioned to download configuration profiles or updated firmware from a remote server when they are connected to a network, when they are powered up, and at set intervals. Provisioning is typically part of high-volume, Voice-over-IP (VoIP) deployments and limited to service providers. Configuration profiles or updated firmware are transferred to the device by using TFTP, HTTP, or HTTPS.
The conference phone accepts configuration profiles in XML format, or in a proprietary binary format generated by the SIP Profile Compiler (SPC) available from Cisco. The conference phone supports 256-bit symmetric key encryption to secure the XML content of the profiles. SPC compiled binary profiles can be encrypted when they are complied. Since firmware does not contain sensitive personal information, typically it is not encrypted.
Provisioning is described in detail in the Cisco Unified IP Conference Phone 8831 for Third-Party Call Control Provisioning Guide.
Redundant Provisioning Servers
The provisioning server may be specified as an IP address or as a fully qualified domain name (FQDN). The use of a FQDN facilitates the deployment of redundant provisioning servers. When the provisioning server is identified through a FQDN, the Cisco IP phone attempts to resolve the FQDN to an IP address through DNS. Only DNS A-records are supported for provisioning; DNS SRV address resolution is not available for provisioning. The Cisco conference phone continues to process A-records until the first server responds. If no server associated with the A-records responds, the Cisco Unified IP Conference Phone 8831 for Third-Party Call Control logs an error to the syslog server.
Retail Provisioning
The conference phone includes the web-based configuration utility that displays internal configuration and accepts new configuration parameter values. The server also accepts a special URL command syntax for performing remote profile resync and firmware upgrade operations.
In a retail distribution model, a customer purchases a Cisco voice endpoint device, and subsequently subscribes to a particular service. The customer first signs on to the service and establishes a VoIP account, possibly through an online portal. Subsequently, the customer binds the particular device to the assigned service account.
To do so, the unprovisioned Cisco Unified IP Conference Phone 8831 for Third-Party Call Control is instructed to resync with a specific provisioning server through a resync URL command. The URL command typically includes an account PIN number or alphanumeric code to associate the device with the new account.
In the following example, a device at the DHCP-assigned IP address 192.168.1.102 is instructed to provision itself to the SuperVoIP service:
In this example, 1234abcd is the PIN number of the new account. The remote provisioning server is configured to associate the phone that is performing the resync request with the new account, based on the URL and the supplied PIN. Through this initial resync operation, the phone is configured in a single step, and is automatically directed to resync thereafter to a permanent URL on the server. For example:
For both initial and permanent access, the provisioning server relies on the Cisco IP phone client certificate for authentication and supplies correct configuration parameter values based on the associated service account.
Automatic In-House Preprovisioning
Using the phone web user interface and issuing a resync URL is convenient for a customer in the retail deployment model, but it is not as convenient for preprovisioning a large number of units.
The Cisco Unified IP Conference Phone 8831 for Third-Party Call Control supports a more convenient mechanism for in-house preprovisioning. With the factory default configuration, the phone automatically tries to resync to a specific file on a TFTP server, whose IP address is offered as one of the DHCP-provided parameters. This lets a service provider connect each new Cisco IP phone to a LAN environment configured to preprovision phones. Any new Cisco IP phone connected to this LAN automatically resyncs to the local TFTP server, initializing its internal state in preparation for deployment. Among other parameters, this preprovisioning step configures the URL of the Cisco IP phone provisioning server.
Subsequently, when a new customer signs up for service, the preprovisioned Cisco Unified IP Conference Phone 8831 for Third-Party Call Control can be simply bar-code scanned, to record its MAC address or serial number, before being shipped to the customer. Upon receiving the unit, the customer connects the unit to the broadband link. On power-up the Cisco IP phone already knows the server to contact for its periodic resync update.
Use HTTPS
The Cisco Unified IP Conference Phone 8831 for Third-Party Call Control provides a reliable and secure provisioning strategy based on HTTPS requests from the phone to the provisioning server, using both server and client certificates for authenticating the client to the server and the server to the client.
To use HTTPS with the phone, you must generate a Certificate Signing Request (CSR) and submit it to Cisco. The Cisco Unified IP Conference Phone 8831 for Third-Party Call Control generates a certificate for installation on the provisioning server that is accepted by the conference phones when they seek to establish an HTTPS connection with the provisioning server.
The phone implements up to 256-bit symmetric encryption, using the American Encryption Standard (AES), in addition to 128-bit RC4. The phone supports the Rivest, Shamir, and Adelman (RSA) algorithm for public/private key cryptography.
Server Certificates
Each secure provisioning server is issued an secure sockets layer (SSL) server certificate, directly signed by Cisco. The firmware running on the Cisco IP phone clients recognizes only these certificates as valid. The clients try to authenticate the server certificate when connecting via HTTPS, and reject any server certificate not signed by Cisco.
This mechanism protects the service provider from unauthorized access to the Cisco IP phone endpoint, or any attempt to spoof the provisioning server. This might allow the attacker to reprovision the Cisco IP phone to gain configuration information, or to use a different VoIP service. Without the private key corresponding to a valid server certificate, the attacker is unable to establish communication with a Cisco IP phone.
Client Certificates
In addition to a direct attack on the phone, an attacker might attempt to contact a provisioning server using a standard web browser, or other HTTPS client, to obtain the phone configuration profile from the provisioning server. To prevent this kind of attack, each phone carries a unique client certificate, also signed by Cisco, including identifying information about each individual endpoint. A certificate authority root certificate capable of authenticating the device client certificate is given to each service provider. This authentication path allows the provisioning server to reject unauthorized requests for configuration profiles.
Obtain a Server Certificate
To obtain a server certificate:
Step 1 Contact a Cisco support person who will work with you on the certificate process. If you are not working with a specific support person, you can email your request to ciscosb-certadmin@cisco.com.)
Step 2 Generate a private key that will be used in a CSR (Certificate Signing Request). This key is private and you do not need to provide this key to Cisco support. Use open source “openssl” to generate the key. For example:
openssl genrsa -out <file.key> 1024
Step 3 Generate CSR a that contains fields that identify your organization, and location. For example:
openssl req -new -key <file.key> -out <file.csr>
You must have the following information:
- Subject field—Enter the Common Name (CN) that must be a FQDN (Fully Qualified Domain Name) syntax. During SSL authentication handshake, the Cisco Unified IP Conference Phone 8831 for Third-Party Call Control verifies that the certificate it receives is from the machine that presented it.
- Server's hostname—For example, provserv.domain.com.
- Email address—Enter an email address so that customer support can contact you if needed. This email address is visible in the CSR.
Step 4 Email the CSR (in zip file format) to the Cisco support person or to
ciscosb-certadmin@cisco.com. The certificate is signed by Cisco and given to you.
Manually Provision a Phone from the Keypad
Typically the conference phone is configured to be provisioned when first connected to the network and at configured intervals that are set when the phone is preprovisioned (configured) by the service provider or the VAR. Service providers can authorize VARs or advanced users to manually provision the phone by using the phone keypad.
The status of the provisioning process is indicated by the phone mute button blinking in the following patterns:
- Red/orange slow blink (1.0 seconds on, 1.0 seconds off): Contacting server, server not resolvable, not reachable, or down.
- Red/orange fast blink (0.2 seconds on, 0.2 seconds off, 0.2 seconds on, 1.4 seconds off): Server responded with file not found or corrupt file.
To manually provision the phone by using the keypad:
Step 1 Press Setup, then scroll to Profile Rule.
Step 2 Enter the profile rule by using the following format:
If no protocol is specified, TFTP is assumed. If no server-name is specified, the host that requests the URL is used as the server name. If no port is specified, the default port is used (69 for TFTP, 80 for HTTP, or 443 for HTTPS).
Step 3 Press the Resync softkey.
Sample Configuration File
Refer to the Cisco Unified IP Conference Phone 8831 for Third-Party Call Control Provisioning Guide.
Update Profiles and Firmware
Cisco conference phones support secure remote provisioning (configuration) and firmware upgrades. An unprovisioned phone can receive an encrypted profile specifically targeted for that device without requiring an explicit key by using a secure first-time provisioning mechanism using SSL functionality.
User intervention is not required to initiate or complete a profile update or firmware upgrade. If intermediate upgrades are required to reach a future upgrade state from an older release, the Cisco IP phone upgrade logic is capable of automating multi-stage upgrades. A profile resync is only attempted when the Cisco IP phone is idle, because this might trigger a software reboot and disconnect a call.
General purpose parameters manage the provisioning process. Each Cisco IP phone can be configured to periodically contact a normal provisioning server (NPS). Communication with the NPS does not require the use of a secure protocol because the updated profile is encrypted by a shared secret key. The NPS can be a standard TFTP, HTTP or HTTPS server with client certificates.
The administrator can upgrade, reboot, restart, or resync Cisco IP phones by using the phone web user interface. The administrator can also perform these tasks by using a SIP notify message.
Configuration profiles are generated by using common, open-source tools that integrate with service provider provisioning systems. (Provisioning is described in detail in the Cisco Unified IP Conference Phone 8831 for Third-Party Call Control Provisioning Guide.)
Allow and Configure Profile Updates
The profile updates can be allowed at specified intervals. Updated profiles are sent from a server to the phone by using TFTP, HTTP, or HTTPS.
To configure a profile update:
Step 1 Click Admin Login > advanced > Voice > Provisioning.
Step 2 Under Configuration Profile in the Provision Enable field, choose Yes.
Step 3 Enter the parameters defined in the table:
Allow and Configure Firmware Updates
The firmware updates can be allowed at specified intervals. Updated firmware is sent from a server to the phone by using a TFTP or HTTP. Security is less of an issue with a firmware upgrade, because firmware does not contain personal information.
To configure a firmware update:
Step 1 Click Admin Login > advanced > Voice > Provisioning.
Step 2 Under Firmware Upgrade in the Upgrade Enable field, choose Yes.
Step 3 Enter the parameters defined in the table:
|
|
---|---|
Allows firmware update operations independent of resync actions. Defaults to Yes. |
|
The interval applied in the event of an upgrade failure. The firmware upgrade error timer activates after a failed firmware upgrade attempt and is initialized with this value. The next firmware upgrade attempt occurs when this timer counts down to zero. The default is 3600 seconds. |
|
A firmware upgrade script that defines upgrade conditions and associated firmware URLs. It uses the same syntax as Profile Rule. (See “Manually Provision a Phone from the Keypad” section for the Upgrade Rule syntax.) The default is (empty). |
Firmware Upgrade
The 3PCC supports single one image upgrade by tftp/http/https.
Step 1 Put the 3PCC image cp-8831-sip.9-3-3-5-3PCC.bin.sgn on the tftp/http/https download directory.
Step 2 Configure Upgrade Rule on the ‘Provisioning’ tab in the web page, with the valid URL format:
Note A device (with new base and DCU) may not be downgraded to an earlier firmware release, such as 9.3(3). For details, refer to the hardware information and the firmware/hardware compatibility information in the current Cisco Unified IP Conference Phone 8831 for Third-Party Call Control Release Notes.
Firmware Upgrade With a Browser Command
An upgrade command entered into the browser address bar can be used to upgrade firmware on a phone. The phone updates only when it is idle. The update is attempted automatically after the call is complete.
To upgrade the conference phone CP-8831-3PCC via URL on web browser enter this command:
Configure a Custom Certificate Authority
Digital certificates can be used to authenticate network devices and users on the network. They can be used to negotiate IPSec sessions between network nodes.
A third party uses a Certificate Authority certificate to validate and authenticate two or more nodes that are attempting to communicate. Each node has a public and private key. The public key encrypts data. The private key decrypts data. Because the nodes have obtained their certificates from the same source, they are assured of their respective identities.
The device can use digital certificates provided by a third-party Certificate Authority (CA) to authenticate IPSec connections. See the Cisco Unified IP Conference Phone 8831 for Third-Party Call Control Provisioning Guide for more information.
The phones support a set of preloaded Root Certificate Authority embedded in the firmware:
- Cisco Small Business CA Certificate
- CyberTrust CA Certificate
- Verisign CA certificate
- Sipura Root CA Certificate
- Linksys Root CA Certificate
On the phone web user interface:
Step 1 Click Admin Login > advanced > Voice > Info.
Step 2 Select Download Status and scroll to Custom CA Status and see the following fields:
– Last provisioning succeeded on mm/dd/yyyy HH:MM:SS; or
– Last provisioning failed on mm/dd/yyyy HH:MM:SS
– Installed—Displays the “CN Value,” where “CN Value” is the value of the CN parameter for the Subject field in the first certificate.
– Not Installed—Displays if no custom CA certificate is installed.
General Purpose Parameters
The general purpose parameters GPP_* are used as free string registers when configuring the conference phone to interact with a particular provisioning server solution. The GPP_* parameters are empty by default. They can be configured to contain diverse values, including the following:
- Encryption keys
- URLs
- Multistage provisioning status information
- Post request templates
- Parameter name alias maps
- Partial string values, eventually combined into complete parameter values.
The GPP_* parameters are available for macro expansion within other provisioning parameters. For this purpose, single-letter upper-case macro names (A through P) are sufficient to identify the contents of GPP_A through GPP_P. Also, the two-letter upper-case macro names SA through SD identify GPP_SA through GPP_SD as a special case when used as arguments of the key URL option.
These parameters can be used as variables in provisioning and upgrade rules. They are referenced by prepending the variable name with a ‘$’ character, such as $GPP_A.
To configure general purpose parameters, navigate to Admin Login > advanced > Voice > Provisioning.