Certificate Issue

[makemetrend]

What certificate should I use in Avaya Equinox Mobile and Windows? I have already the SystemManagerCA installed.

And also there's a weird events that I encountered. When i am onsite, i am using mobile data and succesfully registered on avaya equinox. But when I got home, using our wifi. I can't now connect.

please help me. thanks!

 

[kyle555]

No. It can be, but it's not a security best practice. B1 should be facing the internet, so the firewall would say something like "just about any public IP that isn't on a blacklist of naughty players is allowed to hit my DMZ VLAN, VLAN 10 where the B1 interface lives"

And then the rules to get to the other VLAN where A1 sits would be a little different and a little more stringent.

It'll still work. It's not a functional requirement, but it would make me doubt anything the network guy ever said again.

As long as the VM is live and the network is 'active' in the SBC, you don't need to do anything to see TCP SYN and ACK on the wire and you should be getting security incidents logged in the SBC at the very least - incidents to the effect of 'no match for subscriber flow' or something to tell you the SBC didn't know how to process the message for lack of programming.

 

[makemetrend]

hi kyle! It's been a while! and this giving me pain the ass haha!

intermittent registration still occur when I am on site it's so smooth we can register thru our mobile data but when I got home using our wifi, I did the registration once only but when I tried to logged in again there goes again the problem.

I thought turning off the SIP ALG in the FW will solved the problem..

Client thinks that in our side is the problem.

So what I did, I bypass their firewall and put the address of our B1 SBC and there goes it, I can register.

 

[makemetrend]

After 1239534 years, the problem was the SIP ALG and their public address smh

 

[JuanAvaya]

Hi guys
Following the original inquiry from noshut, what certificate should I install to my Android mobile in order to have it register via company's wifi?
It works perfectly from mobile network and external wifis however, I get a certificate issue from inside the company.

It used to work before but all of a sudden it stopped doing so. Nobody recalls making any change in the network/servers/etc.

 

[makemetrend]

you just need to install the SMGRca.crt on mobile devices

 

[JuanAvaya]

Is that the one you get from Services>Security>Certificates>Authority>CA Structure & CRLs... Download "xxx"? The tmdefaultca

 

[makemetrend]

Yup

 

[kyle555]

you may need a bit more than that.

it all depends what DNS is doing - like having sip.company.com resolve to the SM100 of SM inside and the SBC if you're outside.

One often overlooked thing is that if you name your SM as sm.customer.com, then the security module requests a cert from SMGR for the name "sm-sm100.customer.com"

Now, you can go and change that certificate to be for sip.customer.com if you want.

Consider: if you point your SIP hardphones to the IP of the SM 100 AND say TLSVERIFY=0 then the phone won't forcibly validate the FQDN of the cert. You don't have such luxury with android or ios - even if the cert is good for another 2 years, if you DNS lookup sip.customer.com and get an IP and try a TLS handshake with that IP and it presents a cert for sm-sm100.customer.com, your iphone craps out and has a cert problem.

There's also this psn re: certs.

https://downloads.avaya.com/css/P8/documents/101059875

Lots of things are changing.

 

[JuanAvaya]

Are certs only needed for TLS connections? We are not using TLS.
As you say, we are resolving the sm.customer.com inside and outside with DNS. Anyway, I tried with the ip address and the result is the same.

"Now, you can go and change that certificate to be for sip.customer.com if you want. "
Where or how do you handle that kind of info?

I'm new to certs, sorry