[VoiceOps] Polycom provisioning for a hosted PBX environment

Mark R Lindsey lindsey at e-c-group.com
Fri Oct 16 16:23:00 EDT 2015


TLS Client Certificate Authentication is what you're looking for.  Polycom signs the TLS certificate including the MAC address.

Set up rules in your F5 LTM (or maybe Apache) to enforce this:
	1. Only deliver Polycom files to Polycom phones
	2. Only deliver the files for MAC address X if the vendor-signed certificate provided includes MAC address X.

I would stick with Option 66 (or 160) forever. But if you need to bootstrap the phones with Option 66, then use permanently-configured settings thereafter, you can actually modify the permanent settings by using a file like this. You have to be sure to deliver this as the first file the Polycom phone downloads. 

It's not clear in documentation, but Polycom actually has two config file formats: the "master file", and the ordinary config file. SIP Server settings are in the latter, but the "master file" can do special things like specify other files to download, or -- in this case -- reconfigure the phone's provisioning server settings.

 <?xml version="1.0" standalone="yes" ?>
 <!-- Provisioning Configuration File -->
 <provision>
   <device device.set="1"
           device.dhcp.bootSrvOptType.set="1"
           device.dhcp.bootSrvOptType="2"
           device.prov.serverName.set="1"
           device.prov.serverName="ftp://aaa.bbb.ccc.ddd"
           device.prov.serverType.set="1"
           device.prov.serverType="0"
           device.prov.user.set="1"
           device.prov.user="abc"
           device.prov.password.set="1"
           device.prov.password="def" />
 </provision>

    --- mark at ecg.co
        +1-229-316-0013
        http://ecg.co/lindsey
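
The two enforcement rules described above, sketched as the authorization check a provisioning back end could run behind the TLS terminator. This is an added example, not code from the original post or from Polycom. It assumes the front end has already validated the client certificate chain and forwards the subject CN, that the MAC address is in that CN, and that files follow a flat "<mac>..." naming scheme; the shared-file list and all MAC values are constructed.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{12}")
# Assumption: per-device files sit in one flat directory and are named
# "<mac>.cfg", "<mac>-phone.cfg" and so on.
PER_DEVICE_RE = re.compile(r"([0-9a-fA-F]{12})[-.][\w.-]*")
# Assumption: files every authenticated phone may fetch (hypothetical list).
SHARED_FILES = {"000000000000.cfg", "sip.ld"}


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one."""
    mac = re.sub(r"[:.\-\s]", "", value or "").lower()
    return mac if MAC_RE.fullmatch(mac) else None


def authorize(path, chain_verified, cert_cn):
    """Return (allowed, reason) for one provisioning request.

    chain_verified: True only when the TLS front end validated the client
    certificate against the vendor CA. cert_cn: the subject CN it forwarded
    (assumed here to be where the MAC address appears).
    """
    # Rule 1: nothing is served without a vendor-signed client certificate.
    if not chain_verified:
        return False, "no vendor-signed client certificate"
    cert_mac = normalize_mac(cert_cn)
    if cert_mac is None:
        return False, "certificate carries no MAC address"
    name = path.lstrip("/")
    # Flat directory only: reject sub-paths and traversal outright.
    if not name or "/" in name or "\\" in name or name.startswith("."):
        return False, "unexpected path"
    if name in SHARED_FILES:
        return True, "shared file"
    m = PER_DEVICE_RE.fullmatch(name)
    if m is None:
        return False, "not a provisioning file"
    # Rule 2: the MAC in the file name must be the MAC in the certificate.
    if m.group(1).lower() != cert_mac:
        return False, "MAC mismatch"
    return True, "MAC matches certificate"
```

The check fails closed: a request is served only when the certificate was verified, a MAC could be read from it, and the requested file is either shared or named for that same MAC.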

> On Oct 16, 2015, at 15:53 , Carlos Alvarez <caalvarez at gmail.com> wrote:
> 
> We don't sell/recommend Polycom, but we have quite a few customers coming to us from other VoIP carriers and they already have them.  We have built a provisioning system that will use HTTP, and it works just fine, except we're not sure what the best way to secure it might be.
> 
> The phones can do username/password, but then that means someone has to go put that into every single phone.  From what we're able to find, there's no way for option 66 to assign this info permanently (meaning you can remove the option 66 settings after initial config).  We don't think we can permanently leave option 66 in place because many customers have a mix of phones, and will need different settings for each type.  Also we don't control their internal network, and forcing them to make a permanent change could be challenging.
> 
> I'd love to hear how some of you in an ITSP/hosted environment are handling this.
