Planning and Installation Guide ShoreTel 14.2
Network Requirements and Preparation: Session Initiation Protocol (SIP)
The ShoreTel Headquarters server software installation process generates its own self-signed CA certificate when it first boots up. This root certificate uses a 2048-bit RSA key-pair and is valid for 30 years.

ShoreTel IP phones download the Headquarters Certificate Authority X.509 certificate when provisioning into the system. Using that certificate, the phone is able to connect to the voice switches via SIPS, and to the server using HTTPS. The phones also have a pre-installed, unique certificate, signed by ShoreTel, that allows the voice switches and servers to authenticate the phone.
The following architecture also ensures system security:

- Access to ShoreTel 400-Series IP phones is restricted to the Headquarters server and ShoreTel equipment. The only open in-bound ports are Secure Session Initiation Protocol (SIPS) and secure-shell (ssh) ports.
- Call signaling between 400-Series IP phones and voice switches is encrypted, and participants are authenticated using standards-based security.
- If enabled in ShoreTel Director, voice encryption uses standard SRTP AES-128 encryption. In this case, voice media is encrypted on all calls, with the following exceptions:
  - Media in calls between 400-Series IP phones and older ShoreTel IP phone models is not encrypted.
  - Media in calls that include non-ShoreTel equipment is not encrypted.
  - Media in calls to softphone and to Windows-based voicemail, auto attendant, workgroups, and account codes is not encrypted.
- For 400-Series IP phones, Directory, History, visual voicemail, extension assignment, and user preference settings are communicated between the Headquarters server and the phones through Hypertext Transfer Protocol Secure (HTTPS).
- Low-level maintenance access to the ShoreTel 400-Series IP phone is limited to secure-shell (ssh) access from the Headquarters server (or any server that has a copy of the Headquarters server's private ssh key). Password-based login is not permitted. Login to the phone is permitted from some models of the controlling voice switch.
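The two trust roots described above (the Headquarters server's self-signed root that the phones download, and the ShoreTel-signed per-phone certificate that the switches and servers use to authenticate the phone) can be modelled and checked with the openssl command line. The script below is an added example, not ShoreTel's own tooling: it builds a 2048-bit, 30-year self-signed root, issues a leaf certificate under it, builds a second, independent root standing in for the factory CA that signs phone certificates, and then verifies that each leaf chains only to its own root. The names hq-root, factory-root, voice-switch and phone-0001, the 10-year leaf validity, the working directory and the request config file are all constructed for the illustration; the 2048-bit key size and 30-year (10950-day) root validity are the figures the guide states.

```shell
#!/bin/sh
# Added example (not ShoreTel code): model the two trust roots with openssl.
# Assumes the openssl CLI (1.1.0 or later) is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal request config so the script does not depend on a system openssl.cnf.
# Constructed for this example; the CA extensions are the usual ones for a root.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root_ca NAME DAYS -> self-signed RSA-2048 root in NAME.key / NAME.crt
make_root_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -days "$2" -subj "/CN=$1" >/dev/null 2>&1
}

# issue_cert CA NAME DAYS -> key pair for NAME plus a certificate signed by CA
issue_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days "$3" -sha256 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# key_bits CERT -> RSA modulus size as printed by openssl (e.g. 2048)
key_bits() {
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# outlives_seconds CERT SECONDS -> exit 0 if CERT is still valid SECONDS from now
outlives_seconds() {
    openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null
}

# trusted_by CA CERT -> exit 0 if CERT chains to CA alone (system store ignored)
trusted_by() {
    openssl verify -no-CApath -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# 1. Headquarters root: self-signed, RSA 2048, valid 30 years (10950 days).
make_root_ca hq-root 10950
# 2. A second root standing in for the factory CA that signs phone certificates.
make_root_ca factory-root 10950
# 3. A voice-switch certificate under the HQ root, a phone certificate under
#    the factory root (10-year leaf validity is a constructed value).
issue_cert hq-root voice-switch 3650
issue_cert factory-root phone-0001 3650

# Report what a deploying administrator would check on the real certificates.
printf 'hq-root key size: %s bits\n' "$(key_bits hq-root)"
if outlives_seconds hq-root 946000000; then
    echo "hq-root: still valid ~30 years from now"
fi
if trusted_by hq-root voice-switch; then
    echo "voice-switch: trusted via hq-root (what a phone verifies over SIPS/HTTPS)"
fi
if trusted_by hq-root phone-0001; then
    echo "phone-0001: unexpectedly trusted by hq-root"
else
    echo "phone-0001: not trusted by hq-root alone; the factory root is needed"
fi
```

The last check is the point of keeping the two roots separate: a server that authenticates phones must carry the ShoreTel factory root in its trust store, and a phone that authenticates switches and servers needs only the Headquarters root it downloaded at provisioning time. Run against the real Headquarters certificate, `key_bits` and `outlives_seconds` confirm the 2048-bit key and 30-year lifetime the guide describes.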
Session Initiation Protocol (SIP)

Deploying SIP does not involve special network requirements. The general system requirements should be adequate for SIP support. Note the following considerations:

- If third-party SIP devices (SIP phones) have a static configuration, they are supported behind NAT (Network Address Translation).
WARNING! The root private keys, which are the basis for securing all connections, are stored in the Headquarters server in <drive>:/Shoreline Data/keystore. Because exposure of these private keys could invalidate the security of the system, access to this data must be physically restricted.