Home » Linksys Manuals » Telephony » Linksys WIP310 » Manual Viewer

Linksys WIP310 SPA500 Series and WIP310 IP Phone Administration Guide - Page 156

Server Certificates, Client Certificates, American Encryption Standard AES

UPC - 745883580927

Add to My Manuals
Save this manual to your list of manuals

Page 156 highlights

Provisioning Basics Using HTTPS 6 To use HTTPS with Cisco IP phones, you must generate a Certificate Signing Request (CSR) and submit it to Cisco. The Cisco IP phone generates a certificate for installation on the provisioning server that is accepted by Cisco IP phones when they seek to establish an HTTPS connection with the provisioning server. The Cisco IP phone implements up to 256-bit symmetric encryption, using the American Encryption Standard (AES), in addition to 128-bit RC4. The Cisco IP phone supports the Rivest, Shamir, and Adelman (RSA) algorithm for public/ private key cryptography. Server Certificates Each secure provisioning server is issued an secure sockets layer (SSL) server certificate, directly signed by Cisco. The firmware running on the Cisco IP phone clients recognizes only these certificates as valid. The clients try to authenticate the server certificate when connecting via HTTPS, and reject any server certificate not signed by Cisco. This mechanism protects the service provider from unauthorized access to the Cisco IP phone endpoint, or any attempt to spoof the provisioning server. This might allow the attacker to reprovision the Cisco IP phone to gain configuration information, or to use a different VoIP service. Without the private key corresponding to a valid server certificate, the attacker is unable to establish communication with a Cisco IP phone. Client Certificates In addition to a direct attack on the Cisco IP phone, an attacker might attempt to contact a provisioning server using a standard web browser, or other HTTPS client, to obtain the Cisco IP phone configuration profile from the provisioning server. To prevent this kind of attack, each Cisco IP phone also carries a unique client certificate, also signed by Cisco, including identifying information about each individual endpoint. A certificate authority root certificate capable of authenticating the device client certificate is given to each service provider. This authentication path allows the provisioning server to reject unauthorized requests for configuration profiles. Cisco SPA 500 Series and WIP310 IP Phone Administration Guide 145

Section	Page
Getting Started	13
Overview of the Phones	13
Cisco SPA 500S Attendant Console	14
Network Configurations	15
Cisco SPA 9000 Voice System	16
Cisco Unified Communications 500 Series for Small Business	17
Other SIP IP PBX Call Control Systems	17
Prerequisites	17
Upgrading Firmware	18
Determining the Current Firmware Version	18
Determining Your IP Address	19
Downloading the Firmware	20
Installing the Firmware	21
Using the Web Administration User Interface	22
Understanding Administrator and User Views	24
Accessing Administrative Options	24
Understanding Basic and Advanced Views	25
Using the Web Administration Tabs	25
Roadmap to Web UI Features	25
Viewing Phone Information	28
Using IVR on the Cisco SPA 501G IP Phone	28
Configuring Lines and Extensions	31
Configuring Lines	31
Shared Line Appearances	31
Configuring a Line	32
Configuring Shared Line Appearance	33
Assigning Busy Lamp Field, Call Pickup, and Speed Dial Functions to Unused Lines on a Cisco SPA 500 Series IP Phone	34
Configuring Unused Line Keys for Call Park on the Cisco SPA 525G (MetaSwitch)	37
Configuring Unused Line Keys to Access Services	38
Configuring Line Key LED Patterns on the Cisco SPA 500 Series IP Phone	39
Configuring Extensions	42
Customizing Cisco SPA and Wireless IP Phones	43
Configuring Phone Information and Display Settings	43
Configuring the Phone Name	44
Configuring Voice Mail	44
Customizing the Startup Screen	45
Changing the Display Background (Cisco SPA 500 Series)	46
Configuring the Screen Saver	48
Configuring the LCD Contrast	50
Configuring Back Light Settings (Cisco SPA 525G)	51
Configuring Linksys Key System Parameters	51
Enabling Call Features	52
Enabling Anonymous Call and Caller ID Blocking	52
Enabling Automatic Call Distribution (ACD)	53
Enabling Call Back	53
Enabling Call Park and Call Pickup	54
Enabling Call Transfer and Call Forwarding	54
Enabling Call Waiting	55
Enabling Conferencing	55
Enabling Dial Assistance	56
Enabling Do Not Disturb	56
Enabling the Missed Call Shortcut	57
Logging Missed Calls (Cisco SPA 500 Series)	57
Enabling Paging (Intercom)	58
Enabling Secure Call	60
Enabling Service Announcements	60
Configuring Phone Features	61
Customizing Phone Softkeys	61
Configuring the Message Waiting Indicator	68
Configuring Ring Tones	68
Configuring RSS Newsfeeds on the Cisco SPA 525G IP Phone	72
Configuring Audio Settings	73
Enabling Wireless (Cisco SPA 525G only)	75
Enabling Bluetooth (Cisco SPA 525G only)	75
Enabling SMS Messaging	76
Enabling the Web Server	77
Configuring Lightweight Directory Access Protocol (LDAP) for the Cisco SPA 500 Series	78
Configuring BroadSoft Settings (Cisco SPA 500 Series)	82
Configuring BroadSoft Directory	82
Configuring Synchronization of Do Not Disturb and Call Forward	83
Configuring XML Services	84
Configuring Music On Hold	86
Configuring Extension Mobility with a BroadSoft Server	87
Configuring Video Surveillance on the Cisco SPA 525G	88
Configuring the User Name and Account on the Camera	89
Entering Camera Information Into the Cisco SPA525G Web Administration Interface	89
Viewing the Video	90
Configuring SIP, SPCP, and NAT	91
Session Initiation Protocol and Cisco IP Phones	91
SIP Over TCP	92
SIP Proxy Redundancy	93
RFC3311 Support	93
Support for SIP NOTIFY XML-Service	94
Configuring SIP	94
Configuring SIP Parameters	94
Configuring SIP Timer Values	98
Configuring Response Status Code Handling	101
Configuring RTP Parameters	101
Configuring SDP Payload Types	103
Configuring SIP Settings for Extensions	106
Configuring SPCP on the Cisco SPA 525G	114
Configuring SPCP on the Cisco SPA 50XG	115
Network Address Translation (NAT) and Cisco IP Phones	115
NAT Mapping with Session Border Controller	116
NAT Mapping with SIP-ALG Router	116
Configuring NAT Mapping with a Static IP Address	116
Configuring NAT Mapping with STUN	117
Determining Whether the Router Uses Symmetric or Asymmetric NAT	119
Configuring Security, Quality, and Network Features	121
Setting Security Features	121
SIP Initial INVITE and MWI Challenge	122
SIP Over TLS	122
SRTP and Securing Calls	123
Ensuring Voice Quality	125
Supported Codecs	125
Bandwidth Requirements	126
Factors Affecting Voice Quality	127
Configuring Voice Codecs	130
Configuring Domain and Internet Settings	133
Configuring Restricted Access Domains	133
Configuring DHCP, Static IP, and PPPoE Information	134
Setting Optional Network Parameters	137
Configuring VLAN Settings	138
Using the IP Phones in a VLAN	138
Configuring SSL VPN on the Cisco SPA 525G	140
Configuring the VPN on the Security Appliance	141
Configuring the VPN on the Cisco SPA 525G	141
Provisioning Basics	144
Provisioning Capabilities	145
Provisioning Configuration from Phone Keypad	145
IP Phone Configuration Profiles	147
Obtaining the SPC Tool	148
General Purpose Parameters	149
Sample Configuration File	149
Upgrading, Resyncing, and Rebooting Phones	150
Upgrading Firmware on a Phone	150
Firmware Upgrade Parameters	151
Resyncing a Phone	152
Rebooting a Phone	153
Redundant Provisioning Servers	153
Retail Provisioning	153
Automatic In-House Preprovisioning	154
Configuration Access Control	155
Using HTTPS	155
Server Certificates	156
Client Certificates	156
Obtaining a Server Certificate	157
Configuring Regional Parameters and Supplementary Services	158
Advanced Scripting for Cadences, Call Progress Tones, and Ring Tones	159
Example 1: Normal Ring	159
Example 2: Distinctive Ring (short,short,short,long)	159
Example 1: Dial Tone	160
Example 3: SIT Tone	160
Example 1: SIT Tone	161
Call Progress Tones	162
Distinctive Ring Patterns	162
Control Timer Values (sec)	163
Configuring Supplementary Services (Star Codes)	164
Entering Star Code Values	164
Activating or Deactivating Supplementary Services	169
Vertical Service Announcement Codes (SPA 500 Series)	169
Bonus Services Announcement description	170
Outbound Call Codec Selection Codes	171
Miscellaneous Parameters	172
DTMF Parameters	172
Localizing Your IP Phone	173
Managing the Time and Date	174
Configuring Daylight Savings Time	175
Selecting a Display Language	176
Creating a Dictionary Server Script	178
Configuring Dial Plans	179
About Dial Plans	179
Digit Sequences	181
Digit Sequence Examples	183
Acceptance and Transmission of the Dialed Digits	185
Dial Plan Timer (Off-Hook Timer)	186
Interdigit Long Timer (Incomplete Entry Timer)	187
Interdigit Short Timer (Complete Entry Timer)	188
Editing Dial Plans on the IP Phone	189
Resetting the Control Timers	190
Configuring the Cisco SPA 500S Attendant Console	191
Cisco SPA 500S Features	192
Setting Up the Cisco SPA 500S Attendant Console	193
Configuring the Cisco SPA 9000 for the Cisco SPA 500S	194
Configuring the BroadSoft Server for the Cisco SPA 500S	194
Configuring the Asterisk Server for the Cisco SPA 500S	195
Configuring the Cisco SPA 500S	196
Unit/Key Configuration Scripts	197
Configuring BroadSoft Busy Lamp Field Auto-Configuration	200
Attendant Console Parameters	201
Monitoring the Cisco SPA 500S	202
Cisco SPA 500S Unit Monitoring Notes	203
Creating an LED Script	204
LED Script	204
LED Script Examples	205
LED Pattern	205
Cisco SPA 500 Series and Wireless IP Phone Field Reference	207
Info Tab	208
System Information	208
Network Configuration (SPCP)	210
VPN Status	210
Product Information	211
Phone Status	211
Ext Status	213
Line/Call Status	213
Downloaded Ring Tone	215
System Tab	215
System Configuration	216
Internet Connection Type and Static IP Settings	217
PPPoE Settings	218
Optional Network Configuration	218
VLAN Settings	220
Wi-Fi Settings (Cisco SPA 525G only)	221
Bluetooth Settings (Cisco SPA 525G only)	221
VPN Settings	221
SIP Tab	222
SIP Parameters	222
SIP Timer Values (sec)	226
Response Status Code Handling	228
RTP Parameters	229
SDP Payload Types	231
NAT Support Parameters	234
Linksys Key System Parameters	236
Provisioning Tab	236
Regional Tab	236
Call Progress Tones	237
Distinctive Ring Patterns	240
Control Timer Values (sec)	241
Vertical Service Activation Codes	241
Vertical Service Announcement Codes	247
Outbound Call Codec Selection Codes	247
Time (Cisco SPA 525G Only)	250
Language (Cisco SPA 525G only)	250
Miscellaneous	250
Phone Tab	256
General	256
Line Key	259
Miscellaneous Line Key Settings	260
Line Key LED Pattern	261
Supplementary Services	263
Ring Tone (Cisco SPA 500 Series)	265
Ring Tone (WIP310)	266
Auto Input Gain (dB)	266
Multiple Paging Group Parameters	267
Extension Mobility	268
BroadSoft Settings	268
XML Service	269
Lightweight Directory Access Protocol (LDAP) Corporate Directory Search	270
Programmable Softkeys	272
Ext Tab	274
General	275
Share Line Appearance	275
NAT Settings	276
Network Settings	276
SIP Settings	277
Call Feature Settings	280
Proxy and Registration	282
Subscriber Information	285
Audio Configuration	286
Dial Plan	289
User Tab	290
Call Forward	290
Speed Dial	291
Supplementary Services	291
Camera Settings	291
Web Information Service Settings (Cisco SPA 525G)	291
Audio Volume	292
Screen (Cisco SPA 525G)	292
Attendant Console Tab (Cisco SPA 500 Series)	294
General	294
Unit 2	295
Attendant Console Status	296
Cisco SPA 525G-Specific Tabs	297
Wi-Fi	297
Bluetooth (Cisco SPA 525G)	297
Personal Address Book	297
Call History	297
Speed Dials	298
Firmware Upgrade	298
Where to Go From Here	299

Match case Limit results 1 per page

Provisioning Basics

Using HTTPS

Cisco SPA 500 Series and WIP310 IP Phone Administration Guide

145

To use HTTPS with Cisco IP phones, you must generate a Certificate Signing

Request (CSR) and submit it to Cisco. The Cisco IP phone generates a certificate

for installation on the provisioning server that is accepted by Cisco IP phones

when they seek to establish an HTTPS connection with the provisioning server.

The Cisco IP phone implements up to 256-bit symmetric encryption, using the

American Encryption Standard (AES), in addition to 128-bit RC4. The Cisco IP

phone supports the Rivest, Shamir, and Adelman (RSA) algorithm for public/

private key cryptography.

Server Certificates

Each secure provisioning server is issued an secure sockets layer (SSL) server

certificate, directly signed by Cisco. The firmware running on the Cisco IP phone

clients recognizes only these certificates as valid. The clients try to authenticate

the server certificate when connecting via HTTPS, and reject any server

certificate not signed by Cisco.

This mechanism protects the service provider from unauthorized access to the

Cisco IP phone endpoint, or any attempt to spoof the provisioning server. This

might allow the attacker to reprovision the Cisco IP phone to gain configuration

information, or to use a different VoIP service. Without the private key

corresponding to a valid server certificate, the attacker is unable to establish

communication with a Cisco IP phone.

Client Certificates

In addition to a direct attack on the Cisco IP phone, an attacker might attempt to

contact a provisioning server using a standard web browser, or other HTTPS

client, to obtain the Cisco IP phone configuration profile from the provisioning

server. To prevent this kind of attack, each Cisco IP phone also carries a unique

client certificate, also signed by Cisco, including identifying information about

each individual endpoint. A certificate authority root certificate capable of

authenticating the device client certificate is given to each service provider. This

authentication path allows the provisioning server to reject unauthorized requests

for configuration profiles.