I am sure that this is a popular topic; I would appreciate any help or information.
Recently hacking and fraud have become the norm, therefore we are rethinking if our current provisioning strategy is up to speed. We are responsible for approximately 4000 Polycom IP phones.
We currently have an FTP server with all the provisioning files, which include the phones' unique registration credentials.
Unfortunately, to my knowledge there is no way of keeping the passwords encrypted on the FTP server, so this is issue number one: if someone is successful in hacking into our FTP server, they have everything they need.
While the files are transferring from the FTP server to the phones, if someone is able to hack into the network and capture the packets, they could very easily extract the passwords.
Therefore I'm coming to you to ask which solutions are the most recommended, and are there any providers selling just this part as a service to help with provisioning, or do you have any products from Polycom itself for doing mass provisioning and management?
Welcome to the Polycom Community.
You could utilize HTTPS or FTPS provisioning or encrypt the configuration files.
You will need to contact Polycom Support as described in this documentation => here <=
Polycom Global Services
We are attempting what we thought would be simpler, having the phones connect to the provisioning server via FTP(S) to download their configuration files. We're not concerned about the phone encrypting its log or settings files when it sends them back to the provisioning server, we just want the phones to authenticate and download securely to prevent "man-in-the-middle" attacks.
Based on the list of Certificate Authorities (in this doc) trusted by SoundPoint phones we purchased a GeoTrust certificate and configured our FTP server (vsftpd) to use that cert and force SSL for login and data transfer. We confirmed this works with an FTP(S) client application (Transmit on Mac).
However, when we configure a SoundPoint 331 to use FTP(S) it tells us it can't contact the boot server. Prior to forcing SSL we had vsftpd running as a normal (no SSL) FTP server and verified that this phone could connect via FTP to the same server and download its config files.
Can you tell us what we're doing wrong? Thanks in advance for any wisdom you can pass our way.
Oops, I think we figured out the problem. I was thinking "FTP(S)" meant explicit SSL on port 21. The SoundPoint refers to implicit SSL on port 990 as "FTP(S)" and the version of vsftpd we're running doesn't support implicit SSL. Going to try to upgrade to a newer version of vsftpd that does support implicit SSL and try again. Will post back if it works.
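The explicit-versus-implicit distinction from the last post, written out as two vsftpd.conf fragments. This is an added example, not configuration posted by anyone in the thread; the certificate paths are placeholders, and the implicit listener assumes a vsftpd build that has the `implicit_ssl` option and has not been tested against a SoundPoint phone.

```ini
# ---- File 1: explicit FTPS (AUTH TLS on port 21) ----
# The client connects in clear text and upgrades with AUTH TLS.
# This is the mode the poster first set up; per the thread, it is
# not what the phone means by "FTP(S)".
listen=YES
listen_port=21
ssl_enable=YES
implicit_ssl=NO
# Refuse logins and data transfers that have not negotiated TLS,
# so credentials and config files never cross the wire in clear text.
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Placeholder paths: point these at the CA-issued cert and its key.
rsa_cert_file=/etc/ssl/example/provisioning-cert.pem
rsa_private_key_file=/etc/ssl/example/provisioning-key.pem

# ---- File 2: implicit FTPS (TLS handshake first, port 990) ----
# vsftpd reads one config per process, so this is a separate
# listener started with its own file. The TLS handshake happens
# before any FTP command is sent.
listen=YES
listen_port=990
ssl_enable=YES
implicit_ssl=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# No anonymous access over TLS; phones log in with their own accounts.
allow_anon_ssl=NO
# Keep the legacy SSL protocol versions disabled.
ssl_sslv2=NO
ssl_sslv3=NO
# Same placeholder certificate and key as the explicit listener.
rsa_cert_file=/etc/ssl/example/provisioning-cert.pem
rsa_private_key_file=/etc/ssl/example/provisioning-key.pem
```

If only the phones use this server, running the port 990 listener alone avoids leaving a second entry point to maintain.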