ShoreTel IP480, IP480g, and IP485g - Setting NTP

Status
Not open for further replies.

IPOthermia

Vendor
Nov 22, 2006
191
US
Since the ShoreTel forum looks a bit dead, I am hopeful the Mitel forum is now the place.

I have IP480g and IP485g phones. Mitel documentation claims NTP can be set via DHCP and/or by using custom.txt files from the NTP server.
We have exhausted reasonable efforts to make either the DHCP or custom.txt options work. We have proven that neither actually does.

Mitel is now saying 'the phones are working as designed', in spite of their documentation to the contrary.

The problem with NTP asking for time all over the world (Mitel's default behavior) is a security issue. PCI DSS mentions this specific issue in their list of SAQ questions. Bad actors hosting an NTP server for the world could use the information to pinpoint your network for DDoS or other attacks, since all the phones on your network are shouting to the world "HERE WE ARE, WE ARE OVER HERE!" (and here is the public IP address).

The other problem is that even if we block NTP at the firewall, our firewall then needs to keep processing bogus attempts from every phone several times a minute, and the network noise will fill up security logs that are intended for real traffic and monitoring. Not just blocking poor performance from sloppy firmware written by Mitel.

My main goal here is to inform the public and apply pressure to Mitel to fix their firmware so that it actually works as documented.

Thanks...
 
I don't work on these phones.

But a quick Google search shows adding option 004 with the IP address of your (S)NTP server should work.

How are you assigning the NTP server address using DHCP? Something different than this?

Have you used Wireshark to capture the DHCP discover, offer, request and ack? You may not be getting serviced by the DHCP server you think you are.

Have you verified you can contact the NTP server from the voice VLAN? From a Windows machine in the voice subnet, use the command: w32tm /stripchart /computer:pool.ntp.org /dataonly /samples:1
Substitute your NTP server address for 'pool.ntp.org'.
It should return the correct time.
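
The DHCP check suggested in the reply above, as an added example that is not part of the original thread: a Python parser for the UDP payload of a captured DHCP message that reports which server answered (option 54) and which time options it carried. RFC 2132 defines option 4 as Time Server and option 42 as NTP Servers; which of these the phones honour is not established in this thread, and the sample ACK with its 192.0.2.x addresses is constructed.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the options field (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} for a DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value  # repeated options concatenate
        i += 2 + length
    return opts

def ip_list(raw: bytes) -> list:
    """Decode a packed list of IPv4 addresses."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def time_settings(payload: bytes) -> dict:
    """Summarise who answered and which time-related options were sent."""
    opts = parse_options(payload)
    return {
        "message": MSG_TYPES.get((opts.get(53) or b"\x00")[0], "UNKNOWN"),
        "dhcp_server": ip_list(opts.get(54, b"")),         # server identifier
        "time_servers_opt4": ip_list(opts.get(4, b"")),    # RFC 868 time servers
        "ntp_servers_opt42": ip_list(opts.get(42, b"")),   # NTP servers
    }

def build_sample_ack() -> bytes:
    """Constructed ACK: carries option 4 but no option 42."""
    header = bytes([2, 1, 6, 0]) + bytes(232)  # BOOTREPLY, Ethernet, rest zeroed
    options = bytes([53, 1, 5, 54, 4, 192, 0, 2, 1, 4, 4, 192, 0, 2, 10, 255])
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    print(time_settings(build_sample_ack()))
```

An empty list for option 4 or 42, or an unexpected address in `dhcp_server`, shows what the phone was actually offered before any firmware behaviour comes into question.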

 