Interesting, I haven't heard of that happening before. Can you post a link to the documentation that says that? Also, can you let us know which Release / Patch you are currently running?
As far as I know, the process is to set up a pair of DNS SRV records for _tcp._sips to point to the two servers in your Switchover pair. Then change the Registration group to use DNS SRV. (Same as you would for non TLS switchover setup.)
As for the certificates themselves, these should be copied from one of the servers to the other when you initially configure Switchover in Setup Assistant.
Regarding the use of an external CA. My understanding is that this is to allow an external CA to sign the certificates for the IC's CA to prove their authenticity. The certificates used within the system are still generated by IC and signed using its certificate (now externally signed). I have never heard of anyone using an external CA entirely.
When I get a chance, I will try to set up a test environment to verify the above - probably won't be for a week or two though (there are a lot of moving parts to get right.)
Perhaps someone else can chip in on this?
------------------------------
Paul Simpson
Senior Technical Instructor
------------------------------
Original Message:
Sent: 04-24-2019 08:55
From: Andreas Tikart
Subject: Polycom and TLS
Since this is an HA System, we cannot use the default line certificate (according to the documentation), so we had decided to create a certificate for the line from a 3rd Party CA (our in-house CA). Now we detected that during the provisioning process the root CA of our in-house CA is not uploaded to the hardphone. If we upload the root CA manually using the touchscreen, all is working. So my question is: how can we persuade the CIC provisioning server to roll out a 3rd Party root CA during Polycom hardphone reboot?
------------------------------
Andreas Tikart
Fiebig GmbH
Original Message:
Sent: 04-13-2019 10:25
From: Paul Simpson
Subject: Polycom and TLS
Hi Andreas,
First things first. Does the Domain Name specified in the Stations-TLS registration line resolve to the Server(s) in question? Even if it does, has it been changed since Setup Assistant was run?
When you run SUA, all the certificates are generated. The Line Certs are generated based on that Domain Name. If it's wrong (or has changed) then the Phones can't provision and register properly due to cert errors. Unfortunately, the fix isn't as simple as just changing the Domain Name on the line!
I have some notes on fixing this and will dig them out for you.
------------------------------
Paul Simpson
Senior Technical Instructor
Original Message:
Sent: 04-12-2019 07:28
From: Andreas Tikart
Subject: Polycom and TLS
I'm trying to switch the Polycom Phones from UDP to TLS. Therefore I changed the registration from "Default Registration Group" to "Default secure registration Group" in the "Managed IP Phone" configuration. I can see in the CIC logs that the Polycom is trying to connect to the "Station-TLS" Line as expected, but gets rejected by the CIC Server with the reason "SIPTLSInfoCallback : TLS warning: session=, where=4004 type=fatal, desc=unknown CA/230". This means the CA of the certificate the Polycom presents to the CIC is not known by the CIC. Does the Polycom Hardphone need a special certificate which is not automatically provisioned by CIC, or is there another trick to get this running?
#Security
#SIP/VoIP
#Telephony
------------------------------
Andreas Tikart
Fiebig GmbH
------------------------------
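The "unknown CA/230" rejection above and the in-house root CA question both come down to one check: does the line certificate chain to a root that the peer actually trusts, and does it carry the Stations-TLS domain name? The script below is an added example, not part of this thread or of the CIC product, that reproduces that check offline with the openssl CLI against an exported certificate; the file names and the domain sip.example.test are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from the CIC vendor): reproduce the
# trust decision the CIC server makes when a phone presents its line
# certificate. A "unknown CA" alert means the issuing chain is absent from the
# server's trusted store, so the first function is a plain chain verification
# against the root CA file that is (or should be) installed there.
# File names below are assumptions; export the certs from your own system.

# verify_line_cert LEAF_PEM ROOT_CA_PEM [INTERMEDIATES_PEM]
# Returns 0 when LEAF chains to ROOT_CA, non-zero otherwise (the "unknown CA" case).
verify_line_cert() {
    leaf=$1; root=$2; inter=$3
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
    fi
}

# cert_matches_domain LEAF_PEM DOMAIN
# Returns 0 when DOMAIN appears in the certificate's SAN (DNS:) or subject CN.
# This is the name check the phone performs against the Stations-TLS line's
# Domain Name, which is why a changed domain breaks registration.
cert_matches_domain() {
    leaf=$1; domain=$2
    openssl x509 -in "$leaf" -noout -text 2>/dev/null \
        | grep -E '^ *Subject:|DNS:' \
        | grep -q -E "(DNS:|CN ?= ?)${domain}(,| |\$)"
}

# Usage (assumed paths): run both checks and report in plain words.
check_line_cert() {
    leaf=$1; root=$2; domain=$3
    if verify_line_cert "$leaf" "$root"; then
        echo "chain OK: $leaf is trusted via $root"
    else
        echo "chain FAILED: $leaf does not chain to $root (unknown CA)"
    fi
    if cert_matches_domain "$leaf" "$domain"; then
        echo "name OK: $leaf carries $domain"
    else
        echo "name FAILED: $leaf does not carry $domain"
    fi
}
```

Run the same two functions with the phone's certificate and the CIC server's root to diagnose the server-side rejection, and with the server's line certificate and the root the phone received via provisioning to diagnose the phone side.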