Hey all,
I am having some trouble provisioning my Polycom IP650 via https.
I have gone through the instructions for mutual TLS provisioning for IIS6 and made a couple of modifications for IIS7.5 but no joy.
I have looked at as many posts as I can find but any people who seem to have similar problems have no resolution.
I'll try to give as much info about the setup and problem here but ANY help or information is greatly appreciated.
Anyway here goes:
IIS7.5 configured to use digest authentication and https (If I configure this to run over http the phone will pull the config but not over https)
Polycom certificate installed on server and set to trusted root CA - I would be happy to just use digest authentication and not client certificate so site is set to "accept client certificate" and not "require".
The certificate we are using is GeoTrust Equifax and as per the manual it should be accepted.
In case it is not I downloaded the root CA cert to the phone directly but still not working.
To confirm the SSL site is working I can do 2 things, browse to it via web browser and enter credentials or use CURL to download a sample file, both of these work perfectly.
At the moment I am unable to use WGET but because CURL works with --digest switch I think this is an issue with WGET and not my misuse.
Using Wireshark I can see the phone try to communicate but no data actually gets sent, just a loop of client hello, server hello and key exchange.
Any help at this point would be greatly appreciated and if anyone needs more info please let me know.
Oh and also just updated to latest SIP and boot rom and still not working :)
Hello Nbrophy,
welcome to the Polycom Community.
I would suggest using syslog to troubleshoot and setting the Log Level for CURL and Copy Utilities to an Event 2 Level and trying the provisioning again.
Check the log against the SSL authentication.
Best Regards
Steffen Baier
Polycom Global Services
Steffen,
Thanks for the prompt reply, does the phone support SNMP or is it syslog only?
Currently have nothing for syslog in our environment, could you recommend a lightweight app that would suit?
Thanks again,
Nick
Hello Nick,
I personally use 3CDaemon which was developed by 3CX but I am unsure how easily you can find this.
Any simple syslog app should do and we do not support SNMP.
Best Regards
Steffen Baier
Polycom Global Services
Thanks Steffen,
I'll have a look for it, in the meantime if you think of anything else that might be causing it not to communicate I would appreciate it if you let me know.
I have a feeling it has to do with the certificate but only because it works fine without it.
Once I get a syslog app up and running I'll share results here.
Thanks again,
Nick
Steffen,
Thanks for your advice last week, I think I am close to a solution now and I was wondering if you could help me confirm.
Please see the output from phone syslog below:
SSL: certificate subject name '*.ourcompanyname.com' does not match target host name 'prov. ourcompanyname .com'
Do you know if the phones support wildcard certificates?
Hello nbrophy,
Polycom UCS / SIP Software does currently not support wildcard certificates.
Best Regards
Steffen Baier
Polycom Global Services
Thanks for the quick reply Steffen.
At least now we know the problem.
Thanks,
Nick
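The mismatch reported in the syslog line above can be caught before a phone is pointed at the provisioning server. The following is an added example, not part of the original thread and not Polycom code: it classifies whether a host name matches a certificate exactly or only through a wildcard, the case that browsers and curl accept but that the reply above says the phone software does not. The certificate dictionaries (in the shape returned by Python's `ssl.SSLSocket.getpeercert()`) and the `example.test` names are constructed.

```python
# Added example: constructed certificates and host names, for illustration only.

def cert_names(cert):
    """Collect DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when no SAN dNSName exists
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]


def wildcard_match(pattern, host):
    """RFC 6125 style: '*' only as the whole left-most label, one label deep."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def classify(cert, host):
    """Return 'exact', 'wildcard-only' or 'mismatch' for host against cert."""
    host = host.lower().rstrip(".")
    names = cert_names(cert)
    if host in names:
        return "exact"
    if any(wildcard_match(n, host) for n in names):
        return "wildcard-only"  # fine for browsers/curl, rejected by a client
                                # that does not implement wildcard matching
    return "mismatch"


# Constructed sample certificates (only the fields the check reads).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"),),
}
EXACT_CERT = {
    "subject": ((("commonName", "prov.example.test"),),),
    "subjectAltName": (("DNS", "prov.example.test"),),
}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("exact", EXACT_CERT)):
        print(label, "->", classify(cert, "prov.example.test"))
```

A result of `wildcard-only` for the provisioning host name means a certificate issued for that exact name is needed before clients without wildcard support will accept it.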