TLS Client Certificate Authentication is what you're looking for.  Polycom 
signs the TLS certificate including the MAC address.

Set up rules in your F5 LTM (or maybe Apache) to enforce this:
    1. Only deliver Polycom files to Polycom phones
    2. Only deliver the files for MAC address X if the vendor-signed
       certificate provided includes MAC address X.

I would stick with Option 66 (or 160) forever. But if you need to bootstrap the 
phones with Option 66, then use permanently-configured settings thereafter, you 
can actually modify the permanent settings by using a file like this. You have 
to be sure to deliver this as the first file the Polycom phone downloads. 

It's not clear in the documentation, but Polycom actually has two config file 
formats: the "master file", and the ordinary config file. SIP Server settings 
are in the latter, but the "master file" can do special things like specify 
other files to download, or -- in this case -- reconfigure the phone's 
provisioning server settings.

 <?xml version="1.0" standalone="yes" ?>
 <!-- Provisioning Configuration File -->
 <provision>
   <device device.set="1"
           device.dhcp.bootSrvOptType.set="1"
           device.dhcp.bootSrvOptType="2"
           device.prov.serverName.set="1"
           device.prov.serverName="ftp://aaa.bbb.ccc.ddd"
           device.prov.serverType.set="1"
           device.prov.serverType="0"
           device.prov.user.set="1"
           device.prov.user="abc"
           device.prov.password.set="1"
           device.prov.password="def" />
 </provision>

    --- [email protected]
        +1-229-316-0013
        http://ecg.co/lindsey
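An Apache httpd 2.4 configuration that enforces the two rules from the reply above (an added example, not part of the original mail). It assumes the vendor-issued device certificate carries the phone's MAC address as its subject CN and that the vendor CA chain has been saved locally; the hostname and file paths are placeholders.

```apache
# Provisioning vhost: every phone must present a vendor-issued device
# certificate, and files named after a MAC are served only to that MAC.
<VirtualHost *:443>
    ServerName   prov.example.net                 # placeholder hostname
    DocumentRoot /srv/prov

    SSLEngine on
    SSLCertificateFile    /etc/ssl/prov.example.net.crt   # placeholder
    SSLCertificateKeyFile /etc/ssl/prov.example.net.key   # placeholder

    # Rule 1: trust only the vendor's device-certificate chain, so a
    # self-signed or third-party client cert fails the TLS handshake.
    SSLCACertificateFile /etc/ssl/polycom-device-ca-chain.pem  # assumed bundle
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Default deny: anything not matched below is never served.
    <Directory /srv/prov>
        Require all denied
    </Directory>

    # Rule 2: per-device files (<mac>.cfg, <mac>-phone.cfg, <mac>-directory.xml,
    # <mac>-app.log ...). The named group is exported as the environment
    # variable MATCH_MAC (Apache 2.4.8+); compare it, case-insensitively,
    # with the CN of the presented certificate (assumed to be the MAC).
    <LocationMatch "^/(?<mac>[0-9A-Fa-f]{12})(-[A-Za-z0-9]+)?\.(cfg|xml|log)$">
        Require expr "tolower(%{SSL_CLIENT_S_DN_CN}) == tolower(reqenv('MATCH_MAC'))"
    </LocationMatch>

    # Shared files (the 000000000000.cfg fallback master file and firmware):
    # any phone that passed client-certificate verification may fetch them.
    <LocationMatch "^/(000000000000\.cfg|firmware/.+)$">
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
    </LocationMatch>

    # Record CN and requested path so CN/MAC mismatches (a phone asking for
    # another device's file) show up as 403s in the access log.
    LogFormat "%h %t \"%r\" %>s cn=%{SSL_CLIENT_S_DN_CN}x verify=%{SSL_CLIENT_VERIFY}x" prov
    CustomLog /var/log/apache2/prov_access.log prov
</VirtualHost>
```

Before relying on the CN comparison, inspect one real device certificate with `openssl x509 -noout -subject` to confirm where the vendor places the MAC, and adjust the expression if it lives in another field.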

> On Oct 16, 2015, at 15:53 , Carlos Alvarez <[email protected]> wrote:
> 
> We don't sell/recommend Polycom, but we have quite a few customers coming to 
> us from other VoIP carriers and they already have them.  We have built a 
> provisioning system that will use HTTP, and it works just fine, except we're 
> not sure what the best way to secure it might be.
> 
> The phones can do username/password, but then that means someone has to go 
> put that into every single phone.  From what we're able to find, there's no 
> way for option 66 to assign this info permanently (meaning you can remove the 
> option 66 settings after initial config).  We don't think we can permanently 
> leave option 66 in place because many customers have a mix of phones, and 
> will need different settings for each type.  Also we don't control their 
> internal network, and forcing them to make a permanent change could be 
> challenging.
> 
> I'd love to hear how some of you in an ITSP/hosted environment are handling 
> this.
> 
> _______________________________________________
> VoiceOps mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/voiceops
