So for HTTP provisioning in a hosted environment, how would you make it secure using Option 66 in a customer's router?
Would you have to pass a variable with a password in the Option 66 string? e.g. http://http.provider.com?customer=999?password=password and would the Polycoms automatically be able to upload log files etc. using a method such as this? Does anyone have any ideas on running this securely?

Robert

On Thu, May 15, 2008 at 5:13 PM, Mark Hamilton <[EMAIL PROTECTED]> wrote:
> Since we're on the topic of phones, and TFTPing.. if someone on this
> thread has some knowledge of putting configs on Cisco IP Phone 7960, can
> they please contact me off list?
>
> I've done the configs via tftp, etc. but anything into the speaker/handset
> relating to voice doesn't work.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert McNaught
> Sent: May 15, 2008 6:41 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Polycom XML Files / asterisk
>
> Limiting to HTTP would be OK if every customer had a static IP - if
> you have small offices, then they may be on DSL without static IP,
> which makes that difficult - you could of course force your users to
> have static IPs.
>
> Robert
>
> On Thu, May 15, 2008 at 1:45 PM, Atis Lezdins <[EMAIL PROTECTED]> wrote:
>> On Thu, May 15, 2008 at 10:08 PM, Robert McNaught
>> <[EMAIL PROTECTED]> wrote:
>>> The way I understood it is that TFTP does not allow you to set a
>>> username and password in a URL
>>> like tftp://username:[EMAIL PROTECTED] is not possible
>>> when setting option 66
>>>
>>> Is it not possible to require a username and password with HTTP? I
>>> assumed that you could just like if you were protecting the web root
>>> directory on a webserver to require authentication credentials,
>>> although have never tried this.
>>
>> You can always limit access to HTTP for a certain IP range. Isn't that
>> enough? Then add auth in your request string - for example:
>> http://provisioning.mysite.com/secure/234sdfsdf3247sd/ - unless you
>> enable directory listing, it should be at the same security level as http
>> with authentication or ftp (any of those can be sniffed)
>>
>> Another thing I like in HTTP - you can redirect config read to execute
>> any script, write simple PHP that will generate resulting config, with
>> lookup of correct extension by MAC. Much like DHCP.
>>
>> Regards,
>> Atis
>>
>>>
>>> Robert
>>>
>>> On Thu, May 15, 2008 at 10:43 AM, Anthony Francis <[EMAIL PROTECTED]> wrote:
>>>> I am confused how TFTP is less secure than HTTP. TFTP does not allow any
>>>> browsing, ever. Neither technology will allow the device to
>>>> authenticate before downloading a configuration file, and both are
>>>> easily secured by only permitting connections from specific hosts.
>>>>
>>>> Robert McNaught wrote:
>>>>> Yes, perhaps a script would always be better than hand-touching these
>>>>> files, and getting an XML editor only really makes it easier on the
>>>>> eyes.
>>>>>
>>>>> On the same subject, I have noticed that Snom and Linksys phones do
>>>>> not support FTP provisioning - only TFTP and HTTP. With TFTP being an
>>>>> insecure option for a hosted architecture, is everyone moving to
>>>>> provision Polycoms with HTTP, so that both can be auto-provisioned via
>>>>> Option 66?
>>>>>
>>>>> One thing I found is that, with option 66 in a LAN router, you cannot
>>>>> specify more than one protocol.
>>>>>
>>>>> Has anyone had any problems provisioning Polycoms with HTTP?
>>>>>
>>>>> On Thu, May 15, 2008 at 1:35 AM, Philipp Kempgen
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>> Robert McNaught wrote:
>>>>>>
>>>>>>> Does anyone know how to apply a style sheet to the Polycom automatic
>>>>>>> provisioning XML files?
>>>>>>>
>>>>>> Why should applying a stylesheet be different than for any other
>>>>>> XML files?
>>>>>>
>>>>>>> Even better, does anyone know of a web-based XML editor where you can
>>>>>>> just edit the files from a browser directly i.e. entering in phone
>>>>>>> number, display name, proxy address etc. From what I gather, most
>>>>>>> people are just using Notepad to change the files then upload them, or
>>>>>>> vi from the command line, which is fiddly and time-consuming.
>>>>>>>
>>>>>> Just use your preferred editor. Nobody forces Notepad or vi upon you.
>>>>>>
>>>>>> Even better: Generate the config files with Perl/PHP/<insert favorite
>>>>>> language>.
>>>>>>
>>>>>> Regards,
>>>>>> Philipp Kempgen
>>>>>> --
>>>>>> Asterisk-Tag.org 2008, May 26-27 -> http://www.asterisk-tag.org
>>>>>> amooma GmbH - Bachstr. 126 - 56566 Neuwied -> http://www.amooma.de
>>>>>> Managing director: Stefan Wintermeyer, commercial register: Neuwied B14998
>>>>>>
>>>>>> _______________________________________________
>>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>>
>>>>>> asterisk-users mailing list
>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>
>>>>
>>>> --
>>>> Thank you and have any kind of day you want,
>>>>
>>>> Anthony Francis
>>>> Rockynet VOIP
>>>> (303) 444-7052 opt 2
>>>> [EMAIL PROTECTED]
>>>>
>>
>> --
>> Atis Lezdins,
>> VoIP Project Manager / Developer,
>> [EMAIL PROTECTED]
>> Skype: atis.lezdins
>> Cell Phone: +371 28806004
>> Cell Phone: +1 800 7300689
>> Work phone: +1 800 7502835
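
Added example, not part of the original thread: a Python request handler for the scheme Atis describes, an unguessable token in the URL path plus a lookup of the extension by MAC, here scoped per customer so one customer's token cannot fetch another customer's phone. The `/secure/<token>/<mac>.cfg` layout, the customer table, the second token and the MAC addresses, and the response body are assumptions constructed for this example.

```python
import hmac
import re

# Constructed sample data: one URL token per customer, and the phones
# (MAC -> extension) that belong to that customer.
CUSTOMERS = {
    "999": {"token": "234sdfsdf3247sd", "phones": {"0004f2aabbcc": "1001"}},
    "1000": {"token": "k9c2mq7rt5xw8zp", "phones": {"0004f2ddeeff": "2001"}},
}

# Assumed layout: /secure/<token>/<mac>.cfg. Anything else (directory
# listing, "..", extra path segments) fails the full match.
PATH_RE = re.compile(r"/secure/([A-Za-z0-9]{8,64})/([0-9A-Fa-f]{12})\.cfg")


def customer_for_token(token):
    """Return the customer id that owns this token, or None."""
    found = None
    for cust_id, cust in CUSTOMERS.items():
        # Constant-time comparison; every entry is checked so timing does
        # not reveal which customer matched.
        if hmac.compare_digest(cust["token"].encode(), token.encode()):
            found = cust_id
    return found


def handle_request(path):
    """Return (status, body) for a phone's config request."""
    m = PATH_RE.fullmatch(path)
    if m is None:
        return 404, ""
    token, mac = m.group(1), m.group(2).lower()
    cust_id = customer_for_token(token)
    if cust_id is None:
        return 404, ""  # same answer as "no such file": no token oracle
    extension = CUSTOMERS[cust_id]["phones"].get(mac)
    if extension is None:
        return 404, ""  # MAC unknown or owned by a different customer
    # Placeholder body, not a real phone config format.
    return 200, f"customer={cust_id} mac={mac} extension={extension}\n"


if __name__ == "__main__":
    print(handle_request("/secure/234sdfsdf3247sd/0004f2aabbcc.cfg"))
    print(handle_request("/secure/234sdfsdf3247sd/0004f2ddeeff.cfg"))
```

The token only replaces a guessable path; as the thread notes, it can still be sniffed on an unencrypted connection.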
