Installation guide
26/1531-ANF 901 14 Uen E10 2014-01-22 81
SECURITY
The benefit of having the SBC server certificate signed by a commercial
CA (Verisign, Thawte, GeoTrust, Comodo or CyberTrust) is that these
root CAs are preloaded in the phone firmware. A root CA is required
prior to the TLS handshake with the Configuration Server when HTTPS
is used as download protocol.
The following example shows how to get it working with an SBC that has
a self-signed server certificate (meaning that the root CA is the server
that holds the server certificate). The drawback is that the phone needs
to boot up in the office before it can be brought home, in order to load
the root CA that is used when the phone boots up and accesses the
configuration server via HTTPS at home. However, the phone will lose the
loaded CA on “Factory Reset” or if a new firmware is found in the
configuration server.
1. Set up a web server such as Apache and create the path matching the
configuration server setting in the phone configuration. If Apache is
used, /var/www/html/ is the root for the path set in the phone, so
here you create the directories inOffice/ and atHome/.
2. The inOffice directory shall contain the model-specific configuration
files, aastra.cfg and the phone FW (see above). Note that the root
certificates are loaded but not used, as the setting is TCP for SIP
and RTP for media.
Phone aastra.cfg file:
#Only changes from the aastra template are described
action uri startup: "http://$$PROXYURL$$:22222/Startup?user=$$SIPUSERNAME$$"
services script: https://$$PROXYURL$$:22222/Services?user=$$SIPUSERNAME$$&voicemailnr=<voice mail number>
#download protocol HTTP,HTTPS,FTP,TFTP
download protocol:HTTP
http server:<webserver IP address>
http port:80
http path:inOffice
https server:<SBC outside IP address>
https port:444 #SBC TLS port relay to webserver
https path:atHome
https client method:"TLS 1.0"
https user certificates:CA.pem #root CA
sip transport protocol: 1 #1-UDP,2=TCP,4=TLS
sips trusted certificates: CA.pem #root CA
sip srtp mode: 0 #0-RTP,2-SRTP only
sip proxy ip: 192.168.110.20
sip proxy port: 5060
sip registrar ip: 0.0.0.0
sip registrar port: 5060
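
The in-office profile above leaves provisioning, SIP and media in cleartext while staging CA.pem for later TLS use. The following Python sketch is an added example, not part of the original guide or of the vendor's tooling: it parses such a profile and lists the cleartext channels and any TLS setting that has no root CA file. The sample text is constructed from the listing with documentation-range IP addresses, and the names parse_cfg and audit are assumptions of this example.

```python
import re
# Value meanings taken from the comments in the guide's listing.
SIP_TRANSPORT = {"1": "UDP", "2": "TCP", "4": "TLS"}
SRTP_MODE = {"0": "RTP", "2": "SRTP only"}

# Constructed sample: keys from the guide's listing, documentation-range IP.
SAMPLE = '''\
#Only changes from the aastra template are described
action uri startup: "http://$$PROXYURL$$:22222/Startup?user=$$SIPUSERNAME$$"
download protocol:HTTP
https server:198.51.100.7
https port:444 #SBC TLS port relay to webserver
https user certificates:CA.pem #root CA
sip transport protocol: 1 #1-UDP,2=TCP,4=TLS
sips trusted certificates: CA.pem #root CA
sip srtp mode: 0 #0-RTP,2-SRTP only
'''

def parse_cfg(text):
    """Parse 'key: value #comment' lines into a dict of lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)            # URL values keep their colons
        value = re.sub(r"\s+#.*$", "", value)      # strip trailing comment
        cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg

def audit(cfg):
    """List channels that run in cleartext and TLS settings lacking a root CA."""
    out = []
    if cfg.get("download protocol", "").upper() != "HTTPS":
        out.append("cleartext: download protocol")
    if cfg.get("https server") and not cfg.get("https user certificates"):
        out.append("missing-ca: https user certificates")
    transport = SIP_TRANSPORT.get(cfg.get("sip transport protocol"), "unknown")
    if transport != "TLS":
        out.append(f"cleartext: sip transport ({transport})")
    elif not cfg.get("sips trusted certificates"):
        out.append("missing-ca: sips trusted certificates")
    if SRTP_MODE.get(cfg.get("sip srtp mode")) != "SRTP only":
        out.append("cleartext: sip srtp mode")
    out += [f"cleartext: {k}" for k, v in cfg.items() if v.lower().startswith("http://")]
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_cfg(SAMPLE))))
```

Running the same audit on a profile that has been switched to HTTPS, TLS and SRTP shows whether the root CA references were carried over.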