IX Workplace, certificates and TLS 3

[dsm600rr]

Hello all,

Thought I would start a new thread as my other was getting too cluttered and I think I may be getting close to getting this working.

I have exported the certificate here and re-named it: WebRootCA.pem

Does this certificate then get uploaded to:?

Next would be creating the Identity Cert for the IPO Itself. How does this look?

Once downloaded as "PEM-encoded" I would add that certificate to the IPO.

After all that, and I enable TLS should my J179's grab the certificate and re-register to the IPO? What about iPhones running the Workplace App?

Thank you!

ACSS

 

[dsm600rr]

Does the WebRootCA.pem downloaded from Web Manager just get placed in the "Primary" folder of embedded file manager?

When I try and place it in: "Primary > certificates > TCS > ADD" I receive the error "HTTP request failed: 403 Forbidden"

ACSS

 

[derfloh]

It is Usually autogenerated available. Just load

http://192.168.42.1/WebRootCA.pem

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: when I go to that address it does give me the option to Open or Save it. Is this what needs to be loaded on the external Devices (iPhones / Laptops)?

ACSS

 

[derfloh]

Yes... For sure you have to replace the IP of that of your IPO. And you have to disable HTTP Avaya Phones Only.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Thank you. I have disabled "HTTP Avaya Phones Only" and enabled "SIP Remote Extension Enable"

When you say "you have to replace the IP of that of your IPO" where are you referring to?

How does my Identity Certificate look above?

Is there any other certificates needed other than the WebRootCA.pem and the Identity Certificate for the IPO? Does WebRootCA.pem just get downloaded and loaded to external PC's/Phones to run IX Workplace outside of my LAN?

Once I enable TLS will my J179's grab the correct certificates? I am assuming I will need to default them?



ACSS

 

[derfloh]

The phones will load 46xxsettings.txt and it references WebRootCA.pem.

If the IPO IP is 192.168.42.1 you can get the root certificate by loading

http://192.168.42.1/WebRootCA.pem

or

http://192.168.42.1:8411/WebRootCA.pem

If the IP is 172.30.20.1 you have to open

http://172.30.20.1/WebRootCA.pem

or

http://172.30.20.1:8411/WebRootCA.pem

Certificate looks correct.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Thank you.

ACSS

 

[dsm600rr]

derfloh: The documentation says when creating the Identity Certificate to select the "Regenerate" Button and then to Download (PEM-encoded)

When selecting the "Regenerate" button I get this pop-up with the option to download:

Does this get loaded as well or only the .pem file?

Lastly, should I Change the Duration to 398 days?

ACSS

 

[derfloh]

Until the end of September 825 days will work. Certificates created later must not be valid more than 398 days.

The p12 file is fine. It contains the server certificate as well as the root certificate.

Only regenerate and apply works for primary servers. If you create a certificate for another machine the way you did it is correct. I.e. for IP500

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Thank you. So in the IPO Security Settings > Import Certificate from File, I am only uploading the p12 file correct? Basically the cert.pem wont be used?


ACSS

 

[derfloh]

Exactly. The root cert will automatically added as trusted certificate authority and provided as WebRootCA.pem if you didn't upload your own own.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Thank you Sir. Would be nice if the documentation mentioned some of these things.

When visiting

http://172.30.20.1/WebRootCA.pem

- is this the certificate that I download and install on remote devices (PC's / Cell Phones)?

Tomorrow I will load the p12 certificate to "IPO Security Settings > Import Certificate from File" and enable TLS. Is there anything else I may be missing? Will I need to facorty default my J179's to grab the certificates? Will all devices now use TLS?

ACSS

 

[dsm600rr]

I thought of one more question in reguards to creating my Internal DNS A-Record from ix.pfcommunications.com to the PBX.

LAN: 192.168.1.251 (Data VLAN)
WAN: 172.30.20.1 (Voice VLAN)
Internal DNS Server: (192.168.1.5) (Data VLAN)

Everything is programmed on the IPO on the Voice VLAN (DHCP Server for the phones, SIP Trunk, SIP Domain Name, SIP Registrar FQDN) and so on.

Will it work if we do an Internal A-Record from ix.pfcommunications.com to the 172.30.20.1? Or does the A-Record have to stay on the Data VLAN and go to 192.168.1.251? If so, will I need to update my Identity certificate from 172.30.20.1 to 192.168.1.251?

I have IX Workplace working Internally on the Data and Voice VLAN.

Thanks!

ACSS

 

[qtelcom]

Using a self signed cert? Just add both IP's in your SAN for the identity certificate. For real world 3rd party certs (GoDaddy, Verisign) Everything is done with DNS entries in the SAN, not IP's.

 

[derfloh]

You can add the voice VLAN IP as DNS A record. But you have to ensure that the clients (smartphones, computers with IX Workplace) are able to reach that IP.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

Thanks gents: I updated my Certificate SAN to: DNS:ix.pfcommunications.com, IP:172.30.20.1, IP:192.168.1.251, IP:50.245.XXX.XX, URI:sip:ix.pfcommunications.com

ACSS

 

[dsm600rr]

Ok so I added the certificate and enabled TLS - PBX did a re-boot and the phones logged back in.

How do I know everything worked? Should my J179's show a certificate? IX Workplace still works internally on my laptop.

I did see under "Advanced" > "Identity Certificate" shows "No Certificate Installed"

I am seeing a TLS Error from my Vantage Phone:

ACSS

 

[derfloh]

Is your 46xxsettings.txt autogenerated?

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Yes it is.

ACSS