PureConnect

  • 1.  Polycom and TLS

    Posted 04-12-2019 07:29
    I'm trying to switch the Polycom Phones from UDP to TLS. Therefore I changed the registration from "Default Registration Group" to "Default secure registration Group" in the "Managed IP Phone" configuration. I can see in the CIC logs that the Polycom is trying to connect to the "Station-TLS" Line as expected, but gets rejected by the CIC Server with the reason "SIPTLSInfoCallback : TLS warning: session=, where=4004 type=fatal, desc=unknown CA/230". This means the CA of the certificate the Polycom presents to the CIC is not known by the CIC. Does the Polycom Hardphone need a special certificate which is not automatically provisioned by CIC, or is there another trick to get this running?

    #Security
    #SIP/VoIP
    #Telephony

    ------------------------------
    Andreas Tikart
    Fiebig GmbH
    ------------------------------
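The log line quoted above is the only evidence the CIC server gives about why the TLS handshake with the phone failed, so it is worth pulling every such line out of a log and grouping the fatal alerts by their description. The following is an added example (not part of the thread, and not CIC or Polycom code) that parses lines of that shape with a regular expression and maps the standard TLS alert names to the usual cause. The sample log lines are constructed to match the quoted format; the trailing "/230" is carried through as an opaque code because the thread does not say what it means.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the SIPTLSInfoCallback message quoted in
# the post above; they are not taken from a real CIC log.
SAMPLE_LOG = """\
SIPTLSInfoCallback : TLS warning: session=, where=4004 type=fatal, desc=unknown CA/230
SIPTLSInfoCallback : TLS warning: session=, where=4004 type=warning, desc=close notify/256
StationReg : registration accepted for sip:1001@example.invalid
SIPTLSInfoCallback : TLS warning: session=, where=4004 type=fatal, desc=unknown CA/230
SIPTLSInfoCallback : TLS warning: session=, where=4004 type=fatal, desc=certificate expired/230
"""

# Matches the quoted line format. The numeric suffix after '/' is kept as 'code'
# without interpretation (assumption: it is always a bare integer).
TLS_WARNING_RE = re.compile(
    r"SIPTLSInfoCallback : TLS warning: "
    r"session=(?P<session>[^,]*), where=(?P<where>\S+) "
    r"type=(?P<type>\w+), desc=(?P<desc>[^/]+?)(?:/(?P<code>\d+))?\s*$"
)

# Plain-English meaning of the standard TLS alert descriptions (RFC 5246 names)
# most often behind a failed SIP-TLS registration.
ALERT_HINTS = {
    "unknown CA": "the side that raised the alert has no trust anchor for the CA "
                  "that issued the certificate it was shown; install that root "
                  "(and any intermediate) in that side's trust store",
    "certificate expired": "the presented certificate's validity period has passed; reissue it",
    "bad certificate": "the certificate could not be parsed or its signature did not verify",
    "handshake failure": "no cipher suite or protocol version acceptable to both sides",
}


def parse_tls_warning(line):
    """Return session/where/type/desc/code for a SIPTLSInfoCallback line, else None."""
    m = TLS_WARNING_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["desc"] = rec["desc"].strip()
    return rec


def summarize_tls_alerts(log_text):
    """Count (alert type, description) pairs over every TLS warning line in the excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_tls_warning(line)
        if rec is not None:
            counts[(rec["type"], rec["desc"])] += 1
    return counts


def fatal_alert_report(log_text):
    """List (description, count, hint) for fatal alerts, most frequent first."""
    report = []
    for (alert_type, desc), n in summarize_tls_alerts(log_text).most_common():
        if alert_type != "fatal":
            continue
        hint = ALERT_HINTS.get(desc, "see the alert description list in RFC 5246 section 7.2")
        report.append((desc, n, hint))
    return report


if __name__ == "__main__":
    for desc, n, hint in fatal_alert_report(SAMPLE_LOG):
        print(f"{n:>3} x fatal '{desc}': {hint}")
```

A fatal "unknown CA" alert points at a trust-store gap rather than at the certificate itself: whichever side raised the alert could not chain the certificate it received to a root it trusts, so the fix is to get the issuing CA onto that side, not to reissue the leaf certificate.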


  • 2.  RE: Polycom and TLS

    Posted 04-13-2019 10:26
    Hi Andreas,

    First things first. Does the Domain Name specified in the Stations-TLS registration line resolve to the Server(s) in question? Even if it does, has it been changed since Setup Assistant was run?

    When you run SUA, all the certificates are generated. The Line Certs are generated based on that Domain Name. If it's wrong (or has changed) then the Phones can't provision and register properly due to cert errors. Unfortunately, the fix isn't as simple as just changing the Domain Name on the line!

    I have some notes on fixing this and will dig them out for you.


  • 3.  RE: Polycom and TLS

    Posted 04-24-2019 08:55
    Since this is an HA System, we cannot use the default line certificate (according to the documentation), so we had decided to create a certificate for the line from a 3rd Party CA (our in-house CA). Now we detected that during the provisioning process the root CA of our in-house CA is not uploaded to the hardphone. If we upload the root CA manually using the touchscreen, all is working. So my question is: how can we persuade the CIC provisioning server to roll out a 3rd Party root CA during Polycom hardphone reboot?

    ------------------------------
    Andreas Tikart
    Fiebig GmbH
    ------------------------------



  • 4.  RE: Polycom and TLS

    Posted 04-24-2019 09:25
    Edited by Paul Simpson 04-24-2019 09:32
    Interesting, I haven't heard of that happening before. Can you post a link to the documentation that says that? Also, can you let us know which Release / Patch you are currently running?

    As far as I know, the process is to set up a pair of DNS SRV records for _tcp._sips to point to the two servers in your Switchover pair. Then change the Registration group to use DNS SRV. (Same as you would for non TLS switchover setup.)

    As for the certificates themselves, these should be copied from one of the servers to the other when you initially configure Switchover in Setup Assistant.

    Regarding the use of an external CA. My understanding is that this is to allow an external CA to sign the certificates for the IC's CA to prove their authenticity. The certificates used within the system are still generated by IC and signed using its certificate (now externally signed). I have never heard of anyone using an external CA entirely.

    When I get a chance, I will try to set up a test environment to verify the above - probably won't be for a week or two though (there are a lot of moving parts to get right.)

    Perhaps someone else can chip in on this?

    ------------------------------
    Paul Simpson
    Senior Technical Instructor
    ------------------------------



  • 5.  RE: Polycom and TLS

    Posted 04-24-2019 10:15
    Thanks for your fast response.

    In fact, we use certificates from our CA because we also connect the CIC to an Audiocodes SBC with TLS and we do not want the SBC to trust other CAs than Company has approved. 

    We used the document "PureConnect Security Features 2018 R5" page 60 "Certificate configuration overview using a third-party CA" Option "Switchover pair of CIC Servers with Polycom phones and SIP Gateways". In this document there is no step how to enroll the 3rd Party CA to the polycom phones, but without this step it isn't working.

    ------------------------------
    Andreas Tikart
    Fiebig GmbH
    ------------------------------


