Remote SIP Worker on Avaya J179

Status
Not open for further replies.

effectivecommunicat

IS-IT--Management
Jan 19, 2009
148
US
Hi All,

Looking for assistance on making a secure remote worker (without SBCE and using NAT) on a J179. We have the 3rd party certificates installed and have port forwarded just the TLS 5061 and RTP/NAT ports. Equinox/IX Workplace works on a PC and iPhone, but unable to get a J179 phone to connect and it sits on Acquiring Service. We have bumped up the security settings but verified the phone will connect using the FQDN that local DNS routes to the LAN IP inside the office (outside the office routes to the public IP and the same one IX Workplace is using). Anything else we may be missing or an idea of what to check?

effectivecommunicat
ACIS, ACSS Certified
 
Thanks derfloh! Is there a way to verify/test the certificates were correctly configured? Again, thank you!

effectivecommunicat
ACIS, ACSS Certified
 
WHO issued the certificate? Most public trusted CAs have a root CA and an intermediate CA. The phone has to load both certificates. Usually the phones load an autogenerated WebRootCA.pem from IPO. This one only holds one of the needed certificates.

You have to merge both CA certificates into a single file and upload it as WebrootCA.pem

In Wireshark you can see the certificates exchange.

You also have to make sure that the certificate of the IPO has the needed subject alternative names (SANs).

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN
 
Thanks! Used the site to verify the certificate was good and the 411 forwarding allowed the phone to connect.

I also opened port 443 in order to verify the certificate and I'm wondering if I need to leave it open or if I should remove the port forwarding?

Looking through the R11 Security Guidelines and wondering if anyone has any other suggestions besides changing all default passwords and enforcing strong/complex passwords for accounts and extensions. I noticed you can now restrict SIP extensions to a SIP UA Whitelist and considering that but not sure if that would be overkill.

Thanks again.

effectivecommunicat
ACIS, ACSS Certified
 
Sorry, maybe I should have been more clear. After port forwarding 411 everything is working correctly and the phone was able to connect. Thanks for all the assistance.

My follow-up question was more on any specific suggestions on hardening the security.

effectivecommunicat
ACIS, ACSS Certified
 
You have to merge both CA certificates into a single file and upload it as WebrootCA.pem

We have found that the simplest solution when using a 3rd party cert is to load the certs (intermediate/crt and then pfx) to the system, then go to the webpage and open the cert, select copy to file and save it as WebRootCA.cer

Then use an openssl session to change it to WebRootCA.pem and then just upload that to the primary folder.

Command would be

openssl x509 -inform der -in WebRootCA.cer -out WebRootCA.pem

The above command is assuming the file is in the default folder location.

Edit - above command thanks to Smash :)



| ACSS SME |
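
An added example, not code from the thread or from Avaya: it builds the merged trust file described in the replies above and answers the "is there a way to verify" question offline by checking that the IP Office identity certificate chains to that file and lists the phone's FQDN as a SAN. File names and the FQDN are placeholders, and the three certificates are assumed to be exported as PEM already.

```shell
#!/bin/sh
# Added example. File names and the FQDN are placeholders, not values from the thread.

# Merge intermediate + root CA into the single trust file the phone loads.
# usage: build_bundle intermediate.pem root.pem WebRootCA.pem
build_bundle() {
    for f in "$1" "$2"; do
        # Fail early if an input does not parse as a certificate.
        openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "cannot read certificate: $f" >&2; return 1; }
    done
    # Re-emit through openssl so only clean PEM blocks land in the bundle.
    { openssl x509 -in "$1"; openssl x509 -in "$2"; } > "$3"
}

# Number of certificates in a PEM file (the merged file should hold 2).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Does the server identity certificate chain to the trust file alone?
# SSL_CERT_DIR points at a nonexistent path so this machine's CA store
# cannot supply a missing root or intermediate.
# usage: chain_ok WebRootCA.pem server.pem
chain_ok() {
    SSL_CERT_DIR=/nonexistent openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is the FQDN the phone registers to listed as a DNS SAN (exact match,
# wildcards are not expanded)?
# usage: san_has server.pem fqdn
san_has() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Run as: sh check_chain.sh intermediate.pem root.pem server.pem fqdn
if [ "$#" -eq 4 ]; then
    build_bundle "$1" "$2" WebRootCA.pem || exit 1
    echo "certificates in WebRootCA.pem: $(count_certs WebRootCA.pem)"
    chain_ok WebRootCA.pem "$3" && echo "chain: OK" || echo "chain: FAILED"
    san_has "$3" "$4" && echo "SAN $4: present" || echo "SAN $4: missing"
fi
```

A chain check that fails against the root alone but passes against the merged file points to the missing intermediate.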
 