There are several ways a snom phone can get Caller ID Name for an inbound call.
The first is from the Invite message of the inbound call from the sending SIP end-point. If a "Name" part of the Caller ID exists then this will be used by the Snom phone to display the name on the screen.
The phone can also get a name from it's internal address book or an LDAP server if one is configured. However, it will only use this if there is no "Name" part of the Caller ID in the incoming Invite.
If you want to change this behaviour set this setting in the Snom phone's web interface:
To "off". Then an internal address book or LDAP server will take precedence.
More information here:
Snom Wiki
The first is from the Invite message of the inbound call from the sending SIP end-point. If a "Name" part of the Caller ID exists then this will be used by the Snom phone to display the name on the screen.
The phone can also get a name from it's internal address book or an LDAP server if one is configured. However, it will only use this if there is no "Name" part of the Caller ID in the incoming Invite.
If you want to change this behaviour set this setting in the Snom phone's web interface:
- Advanced => Behaviour => Prioritise PBX Number Lookup
To "off". Then an internal address book or LDAP server will take precedence.
More information here:
Snom Wiki
20/12: RTX4002 with Gigaset N300
This is an update to this article:
http://blog.provu.co.uk/item/96
Procedure for using an RTX4002 DECT repeater with a Gigaset N300 or N300A base station is:
Note: you can register 6 repeaters to a single base. Each repeater must be adjacent to the base, you cannot "daisy-chain" repeaters one after the other.
http://blog.provu.co.uk/item/96
Procedure for using an RTX4002 DECT repeater with a Gigaset N300 or N300A base station is:
- Power up the N300, register a handset, leave the repeater turned off.
- Using the handset, go into the settings menu, system option and select "Repeater Mode" so the box is ticked.
- Hold down the button on the front of the N300/N300A base station and keep it held.
- Still keeping the button held down, power up the RTX4002 repeater.
- The LED on the repeater should flash,
- Wait for the LED to be solidly lit - the repeater is now ready to use.
Note: you can register 6 repeaters to a single base. Each repeater must be adjacent to the base, you cannot "daisy-chain" repeaters one after the other.
24/08: Yealink Security Advisory
Category: Technical Hints
Posted by: chris
Yealink have recently issued "Technical Bulletin 01/11" which advises on security vulnerabilities. The bulletin advises users to upgrade phones to the latest firmware versions and also gives advice on the importance of changing default passwords.
We have attached the Technical Bulletin and a link to the location of latest firmware versions, http://www.yealink.co.uk/downloads/
ProVu Communications take the security of the products it sells very seriously and we would strongly advise that you follow the advice given by Yealink. If you need help or advice on any of these matters please do not hesitate to call our technical support team on 01484 840048
Additionally we may be able to help you deploy these changes to your Yealink handsets remotely using our Prosys phone management system. Prosys phone management will allow you to remotely access your CPE to change firmware versions and generate passwords amongst many other things. Again if you would like further information please contact ProVu Communications on 01484 840048.
We have attached the Technical Bulletin and a link to the location of latest firmware versions, http://www.yealink.co.uk/downloads/
ProVu Communications take the security of the products it sells very seriously and we would strongly advise that you follow the advice given by Yealink. If you need help or advice on any of these matters please do not hesitate to call our technical support team on 01484 840048
Additionally we may be able to help you deploy these changes to your Yealink handsets remotely using our Prosys phone management system. Prosys phone management will allow you to remotely access your CPE to change firmware versions and generate passwords amongst many other things. Again if you would like further information please contact ProVu Communications on 01484 840048.
Cisco Small Business phones (the SPA-3xx and SPA-5xx ranges) support central address books using LDAP.
The settings are notoriously difficult for people unfamiliar with LDAP to get right. Here is my example using an OpenLDAP server:
Cisco LDAP settings screenshot
So in my LDAP tree I'm using sn for surname and cn for first name.
Set up with Microsoft Active Directory shouldn't be too much different from this but the exact settings will just depend on your AD structure.
The settings are notoriously difficult for people unfamiliar with LDAP to get right. Here is my example using an OpenLDAP server:
Cisco LDAP settings screenshot
So in my LDAP tree I'm using sn for surname and cn for first name.
Set up with Microsoft Active Directory shouldn't be too much different from this but the exact settings will just depend on your AD structure.
In my Previous blogpost, I explained how to connect a digital keypad with ProTalk door unit. That was entertaining was is`nt :). Now lets add a push button to the previous scenario to make things more exciting.
The blogpost will go through the process of attaching all three components together. Each module comes with separate connection cables that can be found in packaging. You should have following cables with each module.
a. Audio/Video module:
>> 1 x 8 pin connector (CC8)
b. Digital Keypad:
>> 1 x 5 pin connector (CC5)
>> 1 x 3 pin connector (CC3)
c. Push Button:
>> 1 x 3 pin connector (CC3)
Lets start connecting these components step by
step.
1. Connect CC8 cable to 8 pin connector on Audio Video module.
2. Connect one end of CC5 to Output(CN2) and one end of CC3 cable to Input(CN1) connector on the keypad.
3. Connect CC3 cable to the Input(CN1) on the push button.
If everything is connected correctly, it should look something like this.
Now lets move forward to last few step.
4. Connect other end of CC3 cable connected to push button to LT(3 pin) connector on A/V module.
5. Connect second end of CC5 cable from keypad to EXP(5 pin) connector on the A/V module and CC3 cable to the Output(CN2) on the push button
6. Finally, last step is to connect the CC8 cable to the push button. One thing to keep in mind is, each cable from the 8 equate to "key 3-10" on the web interface. i.e.
black = 3rd pushbutton
orange = 4th pushbutton
green = 5th pushbutton
white = 6th pushbutton
red = 7th pushbutton
yellow = 8th pushbutton
brown = 9th pushbutton
blue = 10th pushbutton
Since our scenario just has one push button in place, I need only one out of 8 cables i.e. Black. So last step is to plug the stripped end of the black cable to the green screw terminal block on the push button.
Click here to see final connections.
Picture 1 Picture 2
Now log on to the web interface of the door unit and configure the unit to get things started.
The blogpost will go through the process of attaching all three components together. Each module comes with separate connection cables that can be found in packaging. You should have following cables with each module.
a. Audio/Video module:
>> 1 x 8 pin connector (CC8)
b. Digital Keypad:
>> 1 x 5 pin connector (CC5)
>> 1 x 3 pin connector (CC3)
c. Push Button:
>> 1 x 3 pin connector (CC3)
Lets start connecting these components step by
step.
1. Connect CC8 cable to 8 pin connector on Audio Video module.
2. Connect one end of CC5 to Output(CN2) and one end of CC3 cable to Input(CN1) connector on the keypad.
3. Connect CC3 cable to the Input(CN1) on the push button.
If everything is connected correctly, it should look something like this.
Now lets move forward to last few step.
4. Connect other end of CC3 cable connected to push button to LT(3 pin) connector on A/V module.
5. Connect second end of CC5 cable from keypad to EXP(5 pin) connector on the A/V module and CC3 cable to the Output(CN2) on the push button
6. Finally, last step is to connect the CC8 cable to the push button. One thing to keep in mind is, each cable from the 8 equate to "key 3-10" on the web interface. i.e.
black = 3rd pushbutton
orange = 4th pushbutton
green = 5th pushbutton
white = 6th pushbutton
red = 7th pushbutton
yellow = 8th pushbutton
brown = 9th pushbutton
blue = 10th pushbutton
Since our scenario just has one push button in place, I need only one out of 8 cables i.e. Black. So last step is to plug the stripped end of the black cable to the green screw terminal block on the push button.
Click here to see final connections.
Picture 1 Picture 2
Now log on to the web interface of the door unit and configure the unit to get things started.
Recently, we have successfully completed interop testing of the ProTalk SIP door unit with Broadsoft platform(not broadsoft certified).
Here is a quick how-to guide to configure ProTalk SIP door unit with Broadsoft Server.
Firstly, the firmware on the door unit has to be on VoIP version: 1.99.2. To check the firmware version, web browse to door unit and click on Service page.
Then set the device as follows:
Secondly, enter the user details. User name part is the only bit that is tricky. To get the username for door phone, look for "Line port" field under device configuration. Line port setting should be something like abc123_321@domain.co.uk. You only need to put name part of sip uri i.e. abc123_321 as username. Finally enter password and authentication password and press save changes to register the device. Click here to see a snapshot showing require Broadsoft server user details.
This should allow you to make and receive calls from Door unit.
For more information on ProTalk range click here
Here is a quick how-to guide to configure ProTalk SIP door unit with Broadsoft Server.
Firstly, the firmware on the door unit has to be on VoIP version: 1.99.2. To check the firmware version, web browse to door unit and click on Service page.
Then set the device as follows:
- SIP Proxy Server Address : as.broadsoft.com (provided by server provider)
- SIP Proxy Server Port : 5060
- SIP Registrar Server Address : as.broadsoft.com (provided by server provider)
- SIP Registrar Server Port : 5060
- Outbound proxy Address : IP address of outbound proxy server(provided by server provider)
- Outbound proxy Port : 5060
Secondly, enter the user details. User name part is the only bit that is tricky. To get the username for door phone, look for "Line port" field under device configuration. Line port setting should be something like abc123_321@domain.co.uk. You only need to put name part of sip uri i.e. abc123_321 as username. Finally enter password and authentication password and press save changes to register the device. Click here to see a snapshot showing require Broadsoft server user details.
This should allow you to make and receive calls from Door unit.
For more information on ProTalk range click here
I've been looking forward to the time when Asterisk catches up with the rest of the SIP world and starts working with encrypted SIP and encrypted RTP (SIPS & SRTP respectively). Asterisk has supported it since the recent release of version 1.8 so I had to get it working.
Asterisk only supports a fairly fixed set of encryption options so you've got to set the phone up just right for it to work. I'd also say that SIPS & SRTP is very much new functionality in Asterisk so I'd treat it as for testing purposes only right now....although it's looking promising.
Snom phones have supported both SIPS & SRTP for years (in fact I think they were the first IP phones on the market to do so). So if any phone can get it right it should be them, perfect to test with.
I am using the following to test with:
- Current Debian Asterisk 1.8 packages maintained by Digium on Debian Squeeze (deb http://packages.asterisk.org/deb squeeze main)
- My actual Asterisk version at the time of writing is "1.8.4.1-1digium1~squeeze". Some older ones didn't work.
- Snom 300 with 8.4.31 firmware. It will not work with much older versions.
I'm not going to go into the setup of Asterisk itself as there is plenty of information on this out on the Internet, not to mention quite a lot of different ways of doing it. I will just mention that I am using a self-signed SSL certificate, this means you either have to leave server verification turned off on the phone (which it is by default on this firmware version) or import your own CA into the phone. Neither of which are ideal for a real world deployment, you'd buy a server certificate from a recognised CA in that case but for testing....
The important bits in Asterisk
OK so I will mention a couple of things in the Asterisk setup... all in sip.conf
- tlsenable=yes : in general section
- domain=ast18.provu.co.uk:5061 : this is needed for it to work
- transport=tls : used in the general section or in each sip peer/friend to turn on tls for SIPS
- port=5061 : in general or each sip peer/friend. 5061 is the usual port for SIPS
- encryption=yes : turns on SRTP, if you have set this then the SIP device(s) MUST use it, it's either on or off, not optional
There are more settings needed than this, please read the Asterisk documentation.
Snom phone setup
Everything is in identity 1, these are obviously examples only! You'll need to put your own Registrar in etc...
Login tab:
- Account: sip username
- Password: sip password/secret
- Registrar: ast18.provu.co.uk
- Outbound Proxy: sips:ast18.provu.co.uk:5061
- Authentication Username: sip username
SIP tab:
- Support Broken Registrar: on
RTP tab:
- RTP Encryption: on (should be default...)
- SRTP Auth-tag: AES-80
- RTP/SAVP: mandatory
That should be it. As mentioned the Snom phones do not verify the server certificates by default. If you want to turn this on then go to the "Certificates" page in the phone setup and click "Activate". But bear in mind you must either use a certificate from a known CA or import your own certificate into each phone manually. Certificates must be in DER format for this.
To confirm it's working, look for the little lock symbol on the phone screen during calls. It should look closed when the call is secure. For further confirmation you can do a pcap trace on the phone, open this up in Wireshark and then not be able to view the SIP packets or decode the audio to anything but white-noise.
Let me know if anyone thinks it's worth me putting together a how-to with the full Asterisk config too.
Security of IP telephony systems is a hot topic at the moment, it has been for quite some time and is should always be at the forefront of anyone's mind when setting up such a system.
There are loads of methods and applications for securing PBXs and the like but something I often see overlooked is security of the actual phones themselves.
The usual threat is someone obtaining SIP credentials by looking at the phone's web interface. In some cases, IP phone devices have the password displayed in plain-text for all to see. Slightly better implemented GUIs have the password obfuscated when you look at the page but still readable by viewing the page source code in your web browser.
If ProVu ever become aware of any products we sell with either of these issues, we push the manufacturer make changes to hide the password at all times.
Further to this though, anyone installing IP phones should really set strong web interface usernames and passwords. I see phones put on public IP addresses or sometimes with port forwards (often for support purposes) that have no passwords set! This is like leaving the front door to your house wide open while you go out to work all day. Please remember to set a username and password. If a phone comes with a default username and password then do not leave this set as you can be certain the people who want to break into your phone will know default passwords for various phones.
ProVu can set usernames and passwords for phones using our provisioning services:
ProVu fulfilment services
cheers,
Paul.
There are loads of methods and applications for securing PBXs and the like but something I often see overlooked is security of the actual phones themselves.
The usual threat is someone obtaining SIP credentials by looking at the phone's web interface. In some cases, IP phone devices have the password displayed in plain-text for all to see. Slightly better implemented GUIs have the password obfuscated when you look at the page but still readable by viewing the page source code in your web browser.
If ProVu ever become aware of any products we sell with either of these issues, we push the manufacturer make changes to hide the password at all times.
Further to this though, anyone installing IP phones should really set strong web interface usernames and passwords. I see phones put on public IP addresses or sometimes with port forwards (often for support purposes) that have no passwords set! This is like leaving the front door to your house wide open while you go out to work all day. Please remember to set a username and password. If a phone comes with a default username and password then do not leave this set as you can be certain the people who want to break into your phone will know default passwords for various phones.
ProVu can set usernames and passwords for phones using our provisioning services:
ProVu fulfilment services
cheers,
Paul.
Over the last few weeks we have been taking lots of support calls from people with NAT issues with phones using Draytek routers.
The 2820 seems to be the main router affected but it could be others.
The problem manifests itself with SIP phones losing Registration to the SIP server with 408 time-out messages. In most cases it is weird in that some phones on the network will work fine and others wont.
The fix (which is confirmed by Draytek themselves to a couple of my customers) is to downgrade to firmware version "333".
This problem occurs even if you have the SIP ALG turned off. Please ensure the ALG is off as this can cause even more problems, it is usually off by default these days.
As a side note, please make sure you are not using a Draytek router with "voip" ports, the model number will usually have a "v" in it. These are not suitable for use with stand-alone SIP phones connected to the network, they are only use if you are ONLY using the built-in VoIP ports. There is no fix other than swapping the router out as far as I'm aware.
cheers,
Paul.
The 2820 seems to be the main router affected but it could be others.
The problem manifests itself with SIP phones losing Registration to the SIP server with 408 time-out messages. In most cases it is weird in that some phones on the network will work fine and others wont.
The fix (which is confirmed by Draytek themselves to a couple of my customers) is to downgrade to firmware version "333".
This problem occurs even if you have the SIP ALG turned off. Please ensure the ALG is off as this can cause even more problems, it is usually off by default these days.
As a side note, please make sure you are not using a Draytek router with "voip" ports, the model number will usually have a "v" in it. These are not suitable for use with stand-alone SIP phones connected to the network, they are only use if you are ONLY using the built-in VoIP ports. There is no fix other than swapping the router out as far as I'm aware.
cheers,
Paul.
01/04: SnomONE and Voipfone
I've just diagnosed an issue a customer had getting a Voipfone SIP trunk Registered on a SnomONE PBX.
The trick to getting this to work is:
SnomOne more info
The trick to getting this to work is:
- Turn on long SIP headers. Go to the admin, general settings page and set "Use Short SIP Headers" to "long"
- If you are using IP access control then you need to enable the IP range 195.189.172.1 - 195.189.173.254 to ensure Voipfone will work
SnomOne more info
