Setting Up IP Office With FQDN and Security Cert

Status
Not open for further replies.

Gref6 (IS-IT--Management, May 24, 2016, US)
Hey Fellas,

I'm having a hard time getting my IP Office running on AWS to work properly with an FQDN and a signed security certificate. I'm trying to do this so we can use Avaya IX Workplace app with our IPO and not have to download and install the self-generated IPO certs that come with it.

I have managed to get a signed certificate and load it on to my IPO, but am running into some problems:
1) When I load my 46xxsettings.txt or any other web page from my IPO using the domain name I purchased with my security cert, the browser shows it as not secure.

2) I'm not able to sync my IX Workplace app to my IPO with the domain name. I can use the link and that "untrusted cert" error is gone, but now my Workplace app is unable to login to a user and make calls properly.

I think where I'm stuck, and what's causing all these issues, is that I have not properly tied my IP Office to my domain name, and I cannot figure it out.

I changed the hostname of my IP Office to match my FQDN, and set up the DNS with my domain provider to point the domain to the public IP of my system. But something's not right, and I have not been able to find any guides on the web detailing how to do this.

Please help!

Thank you
 
my SAN is my domain name. Should it be something else?
 
Yes I added my FQDN to my LAN settings in SIP domain name and SIP registrar FQDN. I also updated the hostname in my 7070 portal under settings > system> network > host name
 
Is your TLS enabled?

If you look in your 46xxsettings.txt file is it auto generated or did you generate it and save it?

It has to have the TLS option for the J129 phone, something looking like this:

SET SIP_CONTROLLER_LIST <YOURDOMAIN>:5061;transport=tls

Also, the SIP remote user option needs to be on (System > LAN > VoIP).

Joe
FHandw, ACSS (SME)

Remembering intrigrant 2019
 
derfloh - I see my domain name in my 46xxsettings file.

Westi - I'm not concerned with TLS on desk phones, only about the cert for IX Workplace, since it gives you trouble if you don't have a signed cert.
(screenshot: workplace_cert_error_qkoi5s.jpg)
 
Digging in this thread I learned that the IP Office does its own DNS lookups and does not respond to FQDN requests unless it can confirm the resolution itself.

I went to my System > DNS settings and realized my IPO was using the system default DNS from Amazon AWS and still had its AWS DNS name there. So I changed the DNS address to 8.8.8.8 and updated the DNS domain box to my domain name.

Now I'm getting somewhere, but still not working as it needs to. When I load my domain name I get a webpage from my IPO that says "URI contains invalid FQDN. DNS failure."

Looking into this error, others are saying it is caused by the IPO not being able to confirm its FQDN via DNS. Not sure why it's having a problem with this. I checked Google's DNS and my domain name resolves to the correct public IP of my IPO, and the public IP that NATs to my IPO is entered in the System > LAN > Network Topology > Public IP address setting. So the IPO knows what its public IP is! It should be able to confirm the DNS resolution is correct!!
 
The error "URI contains invalid FQDN. DNS failure" means the IPO cannot find a DNS server with the FQDN that resolves to its own IP address; the DNS lookup is a local DNS, not public.

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchett
 
@Gref6

When you access the system using an FQDN, in this case using http or https to get the 46xxsettings.txt, the IP Office will check the DNS server in its settings to see if the FQDN resolves to the IP address of the interface the request comes in on. If there is no match you get the "URI contains invalid FQDN. DNS failure" error.

If the interface has a private IP address (192.168.42.1) then the FQDN must resolve to 192.168.42.1. If you are using 8.8.8.8 as the DNS server it will not be able to resolve to this IP address, as it will return the public IP, and you get the error message. You need to set up "split DNS" so that internally the IP Office uses your DNS server.

 
@Gref6

You purchased a signed certificate. Did you put this certificate into the Trusted Store of the IPO?

The IPO does not trust this certificate unless you do this.

The picture above with "the required certificate is not trusted": your computer does not know what this certificate is. Download the certificate to your computer and install it in the Trusted Authenticated store. This will allow you to use "
This is not needed unless you want to download the settings file with HTTPS; you can use " to download the settings and certificate from the IPO, but it will still use the encrypted SIP registration port 5061 and, for presence, https port 443/411.

Every time you change the IP, DNS or hostname, a new certificate will be generated for the IPO. You have purchased a certificate and hopefully imported this certificate into the identity certificate section.
 
Ekster: "the DNS lookup is a local DNS not public"
THIS was the final puzzle piece for me. After creating a DNS record on the AWS system that resolved the FQDN to my IPO's private IP address, it all started working. Thanks Ekster and everyone else!

For those who may be searching for how to get an FQDN and signed security certificate working with IPO on AWS like me, here is a rough outline of the process:

- Purchase a domain name and security cert from a certificate authority/domain provider. Use your domain provider's DNS to set an A record pointing your domain to the public IP of your IPO/AWS server.

- Follow Avaya's guide here to create the cert signing request, then load the signed cert onto your system. At the end, when you apply the cert, the web manager did not work for me like the guide said; I had to apply my certs through Manager > Security Settings.

- In Manager, LAN settings > VoIP, set your domain name in the SIP domain name and SIP registrar FQDN settings. Then in System > DNS settings keep the default AWS server as your DNS, and under DNS domain put your domain name.

- If you are using Server Edition, log in to the 7071 web GUI and update the hostname of the system to your domain name in Settings > System > Network > Host Name.

- Finally, in the AWS DNS settings (they call it "Route 53"), create a record that points your domain name to the private IP address of your AWS instance.

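The resolution rule Ekster describes, and the split-DNS outcome of the steps above, modelled as an added example (this is not Avaya's code, and it does not claim to be the IPO's actual implementation): the check resolves the FQDN with the resolver the IPO is configured to use and only passes when the answer contains the address of the interface the request arrived on. The host name, the public and private addresses, and the three resolver tables (default AWS resolver with no record for the purchased domain, 8.8.8.8 returning only the public address, a Route 53 private zone returning the private address) are constructed for illustration and are not the poster's real values.

```python
"""Model of the IP Office FQDN check behind "URI contains invalid FQDN. DNS failure".

Added example, not Avaya code. Rule as described in the thread: the host name in
the request is resolved with the DNS server configured on the IP Office, and the
answer must contain the IP address of the interface the request arrived on.
All names, addresses and DNS answers below are constructed for illustration.
"""
import socket
from typing import Callable, Dict, List, Optional

# fqdn -> list of A-record addresses; an empty list stands for NXDOMAIN
Resolver = Callable[[str], List[str]]

# Constructed values standing in for the thread's set-up (not real names/addresses)
FQDN = "ipo.example.com"
PUBLIC_IP = "203.0.113.10"      # elastic IP that NATs to the instance
PRIVATE_IP = "172.31.20.5"      # the LAN interface the request actually arrives on


def table_resolver(answers: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a fixed name -> addresses table."""
    return lambda name: list(answers.get(name.lower().rstrip("."), []))


def live_resolver(name: str) -> List[str]:
    """Use the host's own resolver (meaningful only when run on the IPO's network)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def ipo_fqdn_check(fqdn: str, interface_ip: str, resolve: Resolver) -> Optional[str]:
    """Return None if the IPO would accept the URI, otherwise the reason it rejects it.

    Mirrors Ekster's explanation: the configured resolver must return the address
    of the receiving interface, not merely *some* address for the name.
    """
    addrs = resolve(fqdn)
    if not addrs:
        return f"{fqdn}: no A record from the configured DNS server"
    if interface_ip not in addrs:
        return (f"{fqdn}: resolves to {', '.join(addrs)} but the request arrived on "
                f"{interface_ip} -> 'URI contains invalid FQDN. DNS failure'")
    return None


def split_dns_report(fqdn: str, public_ip: str, private_ip: str,
                     inside: Resolver, outside: Resolver) -> Dict[str, Optional[str]]:
    """Check both halves of a split-horizon set-up for an IPO behind NAT.

    inside  = the resolver the IPO itself uses (must return the private address)
    outside = what IX Workplace clients on the internet see (must return the public one)
    """
    ext = outside(fqdn)
    return {
        "ipo_self_check": ipo_fqdn_check(fqdn, private_ip, inside),
        "public_record": None if public_ip in ext else
        f"{fqdn}: public DNS returns {ext or 'nothing'}, expected {public_ip}",
    }


# The three resolvers the original poster went through, as constructed tables
AWS_DEFAULT = table_resolver({})                  # VPC resolver, no record for the bought domain
GOOGLE_DNS = table_resolver({FQDN: [PUBLIC_IP]})  # 8.8.8.8 only knows the public A record
ROUTE53_PRIVATE = table_resolver({FQDN: [PRIVATE_IP]})  # private hosted zone in the VPC


def demo() -> Dict[str, Optional[str]]:
    """Run the IPO's check against each resolver; only the private zone passes."""
    return {
        "aws_default": ipo_fqdn_check(FQDN, PRIVATE_IP, AWS_DEFAULT),
        "google_dns": ipo_fqdn_check(FQDN, PRIVATE_IP, GOOGLE_DNS),
        "route53_private": ipo_fqdn_check(FQDN, PRIVATE_IP, ROUTE53_PRIVATE),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:16} {'OK' if result is None else result}")
    print(split_dns_report(FQDN, PUBLIC_IP, PRIVATE_IP, ROUTE53_PRIVATE, GOOGLE_DNS))
```

To run it against a real deployment, swap `live_resolver` in for the inside table on a host that uses the same DNS server as the IPO, and keep a public-resolver lookup for the outside half; the two answers differing is exactly what split DNS is supposed to produce.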
 
Question here about SSL/TLS cert expirations: my shiny new cert expires in a year. Do I need to manually renew it, or does it typically auto-renew on the IPO as long as I have auto-renewal billing with my CA?
 
You will need to manually update the system with the new certificate, as the old one will expire.


Another thing to watch out for is where the DNS settings are.

We had an engineer install Server Edition before the customer's DNS server was available, so he put 8.8.8.8 in the Web Manager under <Platform View/Settings/System/System DNS>. All was well; later, when the customer had the DNS server up and running, he finalised the Server Edition install/programming, went into <Manager/System/DNS> and changed the DNS settings to the customer's server. Again all was well, until we rebooted the server and all hell broke loose: all the IX Workplace clients fell over and we got the "URI contains invalid FQDN. DNS failure" error!

Turns out that if the DNS setting in Platform View is different from the one in Manager/System/DNS and the system reboots, the Platform View DNS is pushed through to the Manager settings.

In short, the Linux base OS DNS overwrites the IP Office application DNS setting in the config.



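Since the IPO will not renew the purchased certificate for you, it is worth having something that reports the notAfter date of the identity certificate you uploaded. The following is an added example, not Avaya's code or anything from the thread: it reads the date straight from the certificate's DER structure (Certificate > tbsCertificate > validity) with a small TLV walker, so it needs only the Python standard library and accepts PEM or DER input. The sample certificate it builds at the bottom is constructed here purely so the block runs offline; it is a bare skeleton with no key and no signature, not a real certificate, and the file name in the usage note is hypothetical.

```python
"""Days-until-expiry check for the identity certificate uploaded to IP Office.

Added example, not Avaya code. Reads notAfter directly from the X.509 DER
structure with a minimal TLV reader; handles UTCTime and GeneralizedTime.
The sample certificate built below is constructed for offline use only.
"""
import base64
import datetime as dt
from typing import Optional, Tuple

UTC = dt.timezone.utc


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (used only to build the offline sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return DER."""
    if b"-----BEGIN" not in data:
        return data
    body = b"".join(line.strip() for line in data.splitlines() if b"-----" not in line)
    return base64.b64decode(body)


def parse_x509_time(tag: int, value: bytes) -> dt.datetime:
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # two-digit year pivot from RFC 5280
        s = f"{year}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def not_after(cert: bytes) -> dt.datetime:
    """Return the notAfter date of an X.509 certificate given as PEM or DER."""
    der = pem_to_der(cert)
    _, cert_seq, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_seq, 0)          # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                             # optional [0] EXPLICIT version present
        tag, _, pos = read_tlv(tbs, pos)        # serialNumber
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer Name
    _, validity, _ = read_tlv(tbs, pos)         # validity SEQUENCE { notBefore, notAfter }
    _, _, p = read_tlv(validity, 0)             # notBefore (skipped)
    tag, value, _ = read_tlv(validity, p)       # notAfter
    return parse_x509_time(tag, value)


def days_until_expiry(cert: bytes, now: Optional[dt.datetime] = None) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = now or dt.datetime.now(UTC)
    return (not_after(cert) - now).days


def build_sample_cert(not_after_str: str, time_tag: int = 0x17) -> bytes:
    """Constructed, unsigned certificate skeleton with the given notAfter (offline sample only)."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(time_tag, not_after_str.encode()))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))     # version v3
              + tlv(0x02, b"\x01")              # serialNumber 1
              + sha256_rsa                      # signature algorithm
              + tlv(0x30, b"")                  # issuer (empty in this sample)
              + validity
              + tlv(0x30, b"")                  # subject (empty in this sample)
              + tlv(0x30, b""))                 # subjectPublicKeyInfo placeholder
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))  # empty signature BIT STRING


SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(build_sample_cert("210101000000Z"))
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(f"notAfter={not_after(cert).isoformat()} days_left={days_until_expiry(cert)}")
```

Run it as `python3 check_expiry.py ipo_identity.pem` (hypothetical file name) from a scheduled job and alert on a small positive number; `openssl x509 -noout -enddate -in ipo_identity.pem` prints the same date if openssl is available.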
 