Plantronics + Polycom. Now together as Poly Logo

Provisioning

defsdoor
Occasional Visitor

Provisioning

Hi

I'm trying to add Polycom handsets to our in house provisioning server.  As the provisioning server is internet facing we restrict providing username/password details to a single request unless the extension is marked as "password enabled" - the next provision request removes this flag automatically.

 

For other makes of handsets this is easy to achieve by simply leaving out the authentication settings (user/pass) and as they aren't specified they aren't altered,  but on a polycom handset (specifically IP7000) this results in the user being removed when the phone next provisions.

 

Is there any way to only provide the user/pass once, but still provide other settings ?  I've tried conditionally leaving out various sections of the config files but they all result in losing the user settings for that line.

 

 

Message 1 of 12
11 REPLIES 11
SteffenBaierUK
Polycom Employee & Community Manager

Re: Provisioning

Hello defsdoor,

welcome to the Polycom Community.

It is always useful to include the currently used SIP or UC Software version as issues experienced or a question asked may already be addressed in a newer release.

This also allows yourself and others to check against current software release notes, Administrator Guides or FAQ post’s.

The above is also stated in the "Must Read First" and is the absolute minimum requirement every new post should include. .

In addition providing us with this basic information gives Polycom an idea what Software Versions are used in the field and avoids wasting time trying to troubleshoot issues which have already been addressed.

Therefore the Polycom VoIP FAQ contains this post here:

Question: How can I find out my SIP or UC Software Version of my Phone?
Resolution: Please check here

 

You may want to attach some of the configuration you tested. Also does your server support a SIP CHECK-SYNC ?


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 2 of 12
defsdoor
Occasional Visitor

Re: Provisioning

The software version is

Phone Information Phone Model SoundStation IP 7000 Part Number 3111-40000-001 Rev:J     UC Software Version 4.0.12.0926 BootROM Software Version 5.0.12.0033

 

 

I can send a sip notify should I want to - however at the moment I need to know if it is possible to partially configure the phone without wiping none referenced settings - specifically just the username and password fields as providing these always is a potential security risk.

 

Is there any sort of comprehensive provisioning documentation available ?

 

Also, is there somewhere to download just the files required to upgrade the firmware etc via tftp or http ?  I struggled to find the 3 different downloads that contained all the pieces required.

 

Message 3 of 12
SteffenBaierUK
Polycom Employee & Community Manager

Re: Provisioning

Hello defsdoor,

The community's VoIP FAQ contains this post here:

Oct 7, 2011 Question: How can I setup my Phone / Provisioning / Download / Upgrade / Update / Downgrade Software?
Resolution: Please check => here <=

 

The above explains in detail how to upgrade the software. It also shows how to do the SSIP7000

 

I am still not sure I can follow what your actual problem would be.

 

You can get the phone to download a configuration, providing whatever data, then modify the file on the fly and re-download the configuration again.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 4 of 12
defsdoor
Occasional Visitor

Re: Provisioning

I don't have a problem - I just don't want my config file to contain usernames and password - all the time.

 

My config files are created on the fly by a templating engine.  This engine knows if a handset is in "secure" mode or not and if not it gives out the username and password.

 

What I want to know is if there is anyway to do this in the polycom provisioning files.  My testing so far indicates that the config file is 100% destructive - any settings not defined are effectively erased so if I omit the username/password, or the entire reg section for a line, the "user" is removed (it logs this via syslog)

 

I'm provisioning, from an internet facing platform, several thousand handsets of many different makes and models and it is only the Polycoms that I am struggling with to do this particular requirement.

 

The reasons for wanting to send a config file without usernames/passwords in are it allows on the fly changes - such as speed dials, feature codes, wall paper changes etc.. etc..  but without having to send a config-sync SIP NOTIFY to all handsets - which would create major problems with simultaneous requests from 1000s of handsets.  Instead we set our other handsets up to sync periodically with random offsets.

 

If the polycom cannot work this way I just need to know so I can develop a one of sync-now only solution for the Polycoms.

 

Cheers

Message 5 of 12
Dakota
Occasional Advisor

Re: Provisioning

You are correct. You cannot do what you want to do with the provisioning or at least you couldn't when I last looked at this.

 

I am not sure if you are provisioning for your own SIP endpoints or not but if you are then you should consider using Mutual TLS for SIP. This way you could give me the username and passwords but I coudn't use them on anything other than the right device.

Message 6 of 12
SteffenBaierUK
Polycom Employee & Community Manager

Re: Provisioning

Hello all,

Polycom has been provisioning phones with various services providers for nearly 2 decades so I do not see what the actual issue is.

 

@defsdoor

 

What do you define as "secure" mode ?

 

When does the phone get into this state ?

 

Provisioning an empty parameter like 

 

reg.1.address=""

Will wipe the configuration as you provisioning an empty value.

 

I would suggest you work with an Polycom SE in your region to discuss various methods you can utilize. In addition we do offer encryption for configuration files.

 

The Admin Guide covers this in the "Encrypt Configuration Files" section and you must work with Polycom support to get access to the relevant tool.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 7 of 12
defsdoor
Occasional Visitor

Re: Provisioning

Hi Stefan - I'm not sure if I can explain it any simpler - we define a handset as secure when it has provisioned with a username and password for the first time (or after a timeout period from when it was set to insecure.)

 

When a handset is not "secure" we hand out username and password details in our phone configs.

When it is "secure" we omit the authentication and any other sensitive data from the config files.

 

This means that sensitive data is only available to the first request from when a handset was set to "insecure".

 

If I omit the reg section in the Polycom configs, when the phone provisions it removes the "user".

If I omit the user/pass attributes the phone removes the "user".

 

What I am asking is simply is it possibile to omit sensitve data from a config without the "user" (or line) being removed.

 

If it isn't I will have to treat polycom handsets differently and only the phones to be push provisioned.

 

All the other makes/models that I provision are additive or replacement config elements only.  I.e. if you don't mention it in the config file it remains unchanged.

 

All our other handsets check for config changes every 6 hours (+ random delay).  The config they receive does not contain any sensitive data unless we have marked the handset as insecure - something we only do if moving the phone to a different user etc..

 

Message 8 of 12
SteffenBaierUK
Polycom Employee & Community Manager

Re: Provisioning

Hello defsdoor,

our phones need to "know" what they are provisioned with so if you remove settings after provisioning it will remove the user if you remove that information.

 

As already stated we been working with the service provider community for nearly 2 decades and this has never come up as an issue.

 

Using secure connections between the phone and the server should not be an issue.

 

Again I can only urge you to work with a Polycom reseller and/or a Polycom Sales engineer as there are REST API's for the VVX range and in addition config file encryption.


Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 9 of 12
defsdoor
Occasional Visitor

Re: Provisioning

I know I can add SSL encryption using HTTPS to provision and obtain a signed server certificate from Polycom (perhaps you can let me know where I send the CSR ?) but, imho, it is naive to rely on this alone as the client side certificates could be obtained from firmware images etc..

 

I cannot do any form of SIP password securing as our VOIP platform doesn't support it.

 

I'd rather rely on not sending sensitive data when it is not necessary - and as I said, all the other phones I provision provision additively (CISCO, Yealink, Gigaset, Aastra etc..) - not fully destructively.  If the polycom handsets really do not have this ability I think it is a feature you should consider.

Message 10 of 12