Cisco Small Business Phones and LDAP directory

Cisco Small Business phones (the SPA-3xx and SPA-5xx ranges) support central address books using LDAP.

The settings are notoriously difficult for people unfamiliar with LDAP to get right. Here is my example using an OpenLDAP server:

Cisco LDAP settings screenshot

So in my LDAP tree I’m using sn for surname and cn for first name.

Setup with Microsoft Active Directory shouldn’t be much different from this, but the exact settings will depend on your AD structure.

Automatic Redirection and Configuration

Just to clarify,

If you order a phone with provisioning server redirection from ProVu, then this service is fully automatic.
We just set up the profiles you require and our servers do the rest.

This means:

  1. We are happy to offer redirection or configuration, even on a single phone order
  2. Once we have set up a profile for your company, this happens automatically on any order. Nobody has to remember to do it.
  3. We can do your shipments very quickly – we don’t open any boxes.
  4. We don’t do any copying and pasting or other time-consuming manual work. Nothing to mess up.

This isn’t new. Our systems have been fully automatic since 2005.

We are happy to provide phone redirection.

But you might also like to look at our hosted service prosys phone management system.

Connecting ProTalk SIP door phone with Digital keypad and Push button

In my previous blog post, I explained how to connect a digital keypad with the ProTalk door unit. That was entertaining, wasn’t it? :) Now let’s add a push button to the previous scenario to make things more exciting.

This blog post will go through the process of attaching all three components together. Each module comes with separate connection cables that can be found in the packaging. You should have the following cables with each module.

a. Audio/Video module:

>> 1 x 8 pin connector (CC8)

b. Digital Keypad:

>> 1 x 5 pin connector (CC5)
>> 1 x 3 pin connector (CC3)

c. Push Button:

>> 1 x 3 pin connector (CC3)

Let’s start connecting these components step by step.

1. Connect the CC8 cable to the 8 pin connector on the Audio/Video module.

2. Connect one end of the CC5 cable to the Output (CN2) connector and one end of a CC3 cable to the Input (CN1) connector on the keypad.

3. Connect a CC3 cable to the Input (CN1) on the push button.

If everything is connected correctly, it should look something like this.

Now let’s move on to the last few steps.

4. Connect the other end of the CC3 cable connected to the push button to the LT (3 pin) connector on the A/V module.

5. Connect the second end of the CC5 cable from the keypad to the EXP (5 pin) connector on the A/V module, and the CC3 cable to the Output (CN2) on the push button.

6. Finally, the last step is to connect the CC8 cable to the push button. One thing to keep in mind is that each of the 8 cables equates to one of “key 3-10” on the web interface, i.e.

black = 3rd pushbutton
orange = 4th pushbutton
green = 5th pushbutton
white = 6th pushbutton
red = 7th pushbutton
yellow = 8th pushbutton
brown = 9th pushbutton
blue = 10th pushbutton

Since our scenario has just one push button in place, I need only one of the 8 cables, i.e. black. So the last step is to plug the stripped end of the black cable into the green screw terminal block on the push button.

Click picture 1 or 2 to see the final connections.

NOTE: The microphone is part of the front frame on Skyline units and is not shown in the pictures above. Please make sure to connect it to the SIP module.

Now log on to the web interface of the door unit and configure the unit to get things started.

ProTalk SIP Door Intercom with Broadsoft platform

Recently, we successfully completed interop testing of the ProTalk SIP door unit with the Broadsoft platform (not Broadsoft certified).

Here is a quick how-to guide to configure the ProTalk SIP door unit with a Broadsoft server.

Firstly, the firmware on the door unit has to be on VoIP version: 1.99.2. To check the firmware version, browse to the door unit’s web interface and click on the Service page.

Then set the device as follows:

  • SIP Proxy Server Address : as.broadsoft.com (provided by server provider)
  • SIP Proxy Server Port : 5060
  • SIP Registrar Server Address : as.broadsoft.com (provided by server provider)
  • SIP Registrar Server Port : 5060
  • Outbound proxy Address : IP address of outbound proxy server(provided by server provider)
  • Outbound proxy Port : 5060

Secondly, enter the user details. The user name is the only tricky bit. To get the username for the door phone, look for the “Line port” field under device configuration. The Line port setting should be something like abc123_321@domain.co.uk. You only need to enter the name part of the SIP URI, i.e. abc123_321, as the username. Finally, enter the password and authentication password and press save changes to register the device. Click here to see a snapshot showing the required Broadsoft server user details.

This should allow you to make and receive calls from the door unit.

For more information on the ProTalk range click here.

ProTalk SIP door unit now supports Broadsoft platform

We are delighted to announce that the new ProTalk firmware supports integration with the Broadsoft platform.

For more information please contact a member of ProVu staff on 01484840048 or look at our website for the ProTalk range.

Snom phones using SIPS/SRTP encryption with Asterisk 1.8

I’ve been looking forward to the time when Asterisk catches up with the rest of the SIP world and starts working with encrypted SIP and encrypted RTP (SIPS & SRTP respectively). Asterisk has supported it since the recent release of version 1.8 so I had to get it working.

Asterisk only supports a fairly fixed set of encryption options so you’ve got to set the phone up just right for it to work. I’d also say that SIPS & SRTP is very much new functionality in Asterisk so I’d treat it as for testing purposes only right now….although it’s looking promising.

Snom phones have supported both SIPS & SRTP for years (in fact I think they were the first IP phones on the market to do so). So if any phone can get it right it should be them, perfect to test with.

I am using the following to test with:

  • Current Debian Asterisk 1.8 packages maintained by Digium on Debian Squeeze (deb http://packages.asterisk.org/deb squeeze main)
  • My actual Asterisk version at the time of writing is “1.8.4.1-1digium1~squeeze”. Some older ones didn’t work.
  • Snom 300 with 8.4.31 firmware. It will not work with much older versions.

I’m not going to go into the setup of Asterisk itself as there is plenty of information on this out on the Internet, not to mention quite a lot of different ways of doing it. I will just mention that I am using a self-signed SSL certificate, this means you either have to leave server verification turned off on the phone (which it is by default on this firmware version) or import your own CA into the phone. Neither of which are ideal for a real world deployment, you’d buy a server certificate from a recognised CA in that case but for testing….

The important bits in Asterisk

OK so I will mention a couple of things in the Asterisk setup… all in sip.conf

  • tlsenable=yes : in general section
  • domain=ast18.provu.co.uk:5061 : this is needed for it to work
  • transport=tls : used in the general section or in each sip peer/friend to turn on tls for SIPS
  • port=5061 : in general or each sip peer/friend. 5061 is the usual port for SIPS
  • encryption=yes : turns on SRTP, if you have set this then the SIP device(s) MUST use it, it’s either on or off, not optional

There are more settings needed than this, please read the Asterisk documentation.

Snom phone setup

Everything is in identity 1, these are obviously examples only! You’ll need to put your own Registrar in etc…

Login tab:

  • Account: sip username
  • Password: sip password/secret
  • Registrar: ast18.provu.co.uk
  • Outbound Proxy: sips:ast18.provu.co.uk:5061
  • Authentication Username: sip username

SIP tab:

  • Support Broken Registrar: on

RTP tab:

  • RTP Encryption: on (should be default…)
  • SRTP Auth-tag: AES-80
  • RTP/SAVP: mandatory

That should be it. As mentioned the Snom phones do not verify the server certificates by default. If you want to turn this on then go to the “Certificates” page in the phone setup and click “Activate”. But bear in mind you must either use a certificate from a known CA or import your own certificate into each phone manually. Certificates must be in DER format for this.

To confirm it’s working, look for the little lock symbol on the phone screen during calls. It should look closed when the call is secure. For further confirmation you can take a pcap trace on the phone and open it in Wireshark: you should not be able to view the SIP packets or decode the audio to anything but white noise.
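A complementary check to the lock symbol, as an added example that is not part of the original post: given an SDP body taken from a SIP trace on the PBX side, it verifies that the audio stream uses the RTP/SAVP profile and offers the 80-bit auth-tag suite. It assumes the phone's "AES-80" setting corresponds to the RFC 4568 suite AES_CM_128_HMAC_SHA1_80; the sample SDP bodies and key strings are constructed.

```python
import re

# Assumption: the phone's "AES-80" auth-tag setting corresponds to this RFC 4568 suite.
REQUIRED_SUITE = "AES_CM_128_HMAC_SHA1_80"
CRYPTO_RE = re.compile(r"^a=crypto:\d+\s+(\S+)\s+inline:\S+")

def audio_sections(sdp):
    """Split an SDP body into its audio media sections (profile + offered suites)."""
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            is_audio = len(fields) >= 3 and fields[0] == "audio"
            current = {"proto": fields[2], "suites": []} if is_audio else None
            if current is not None:
                sections.append(current)
        elif current is not None:
            match = CRYPTO_RE.match(line)
            if match:
                current["suites"].append(match.group(1))
    return sections

def audit_sdp(sdp, required_suite=REQUIRED_SUITE):
    """Return a list of problems; an empty list means every audio stream is SRTP."""
    sections = audio_sections(sdp)
    if not sections:
        return ["no audio media section found"]
    problems = []
    for n, sec in enumerate(sections, 1):
        if sec["proto"] != "RTP/SAVP":
            problems.append(f"audio {n}: profile {sec['proto']} is not RTP/SAVP")
        if required_suite not in sec["suites"]:
            offered = ", ".join(sec["suites"]) or "none"
            problems.append(f"audio {n}: {required_suite} not offered (got: {offered})")
    return problems

# Constructed sample SDP bodies (keys are placeholders, not real key material).
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
KEY = "inline:CONSTRUCTEDPLACEHOLDERKEYCONSTRUCTEDKEY0"
SECURE = HEAD + f"m=audio 49170 RTP/SAVP 0 8\r\na=crypto:1 {REQUIRED_SUITE} {KEY}\r\n"
PLAIN = HEAD + "m=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
SHORT_TAG = HEAD + f"m=audio 49170 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_32 {KEY}\r\n"

if __name__ == "__main__":
    for name, body in (("secure", SECURE), ("plain", PLAIN), ("short tag", SHORT_TAG)):
        print(name, "->", audit_sdp(body) or "OK")
```

An offer that fails either check is one that a peer with encryption=yes and RTP/SAVP set to mandatory should not end up carrying audio for.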

Let me know if anyone thinks it’s worth me putting together a how-to with the full Asterisk config too.

Skyline/Cityline Door Unit connection with Digital Keypad

This blog post explains how to connect and configure a Digital Keypad.

Connections are quite simple. Cityline Keypad comes with two different cables.

1 X 3 pin connector
1 X 5 pin connector

Step 1: Connect the 3 and 5 pin connectors to the INPUT and OUTPUT connections on the Cityline keypad board. Click here for diagram

Step 2: Connect the 3 pin connector to connection LT (point 19 on this picture) of the Audio/Video module

Step 3: Connect the 5 pin connector to the EXP connection, or connection 18 (please refer to the diagram in step 2).

Step 4: Finally to be able to dial numbers from keypad,
login to the web interface of the door unit and go to Basic Parameters.

Change the following settings:

1. Keyboard to position : 1
2. Under mode of keyboard choose Direct choice number (phone)

That’s it. Now enter the number and press the A button to dial it.

To unlock the door using the keypad, configure unlock codes under the Relays section of the web GUI and save changes. Finally, press the B (Bell) button and enter the code to unlock the door.

If you don’t want a unit with a keypad and are only interested in 1 or 2 button door entry products, please look at our ProTalk range.

IP phone web interface security

Security of IP telephony systems is a hot topic at the moment. It has been for quite some time, and it should always be at the forefront of anyone’s mind when setting up such a system.

There are loads of methods and applications for securing PBXs and the like but something I often see overlooked is security of the actual phones themselves.

The usual threat is someone obtaining SIP credentials by looking at the phone’s web interface. In some cases, IP phone devices have the password displayed in plain-text for all to see. Slightly better implemented GUIs have the password obfuscated when you look at the page but still readable by viewing the page source code in your web browser.

If ProVu ever become aware of any products we sell with either of these issues, we push the manufacturer to make changes to hide the password at all times.

Further to this though, anyone installing IP phones should really set strong web interface usernames and passwords. I see phones put on public IP addresses or sometimes with port forwards (often for support purposes) that have no passwords set! This is like leaving the front door to your house wide open while you go out to work all day. Please remember to set a username and password. If a phone comes with a default username and password then do not leave this set as you can be certain the people who want to break into your phone will know default passwords for various phones.

ProVu can set usernames and passwords for phones using our provisioning services:

ProVu fulfilment services

cheers,
Paul.
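A way to check your own phones for the two exposure cases described in the post above, as an added example that is not part of the original post: it parses a saved copy of a phone's configuration page and reports credential fields whose value is present in the HTML source, without storing the value itself. The field names, naming hints and sample page are constructed and do not reflect any vendor's real markup.

```python
from html.parser import HTMLParser

SECRET_HINTS = ("pass", "pwd", "secret")  # assumed naming hints for credential fields

class CredentialFieldAudit(HTMLParser):
    """Collect <input> fields whose HTML source carries a credential value."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, issue) pairs; the value itself is never stored

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        name, value = attr.get("name", ""), attr.get("value", "")
        ftype = attr.get("type", "text").lower()
        is_secret = ftype == "password" or any(h in name.lower() for h in SECRET_HINTS)
        # An empty value or a fixed mask such as "********" discloses nothing.
        if not is_secret or not value or set(value) <= {"*"}:
            return
        if ftype == "password":
            self.findings.append((name, "masked on screen, readable in page source"))
        else:
            self.findings.append((name, "shown in plain text"))

def audit_page(html):
    """Return the list of (field name, issue) findings for one saved page."""
    parser = CredentialFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hypothetical field names, not any vendor's real markup).
SAMPLE_PAGE = """
<form>
  <input type="text" name="sip_user" value="2001">
  <input type="text" name="sip_password" value="example-secret-1">
  <input type="password" name="auth_pwd" value="example-secret-2">
  <input type="password" name="admin_pass" value="********">
  <input type="password" name="web_pass" value="">
</form>
"""

if __name__ == "__main__":
    for field, issue in audit_page(SAMPLE_PAGE):
        print(f"{field}: {issue}")
```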