Avaya IX Workplace Softphone Setup for Avaya IP Office 500v2 - Using Domain, FQDN and TLS with Certificates
Program Avaya IP Office 500v2 System
System, System Tab
Use Preferred Phone Ports can be enabled if required. With it enabled, you will need to use port 411 to access the system's 46xxsettings.txt file (this is referenced later in the document)
It also means port 443 does not need to be port forwarded
Messaging Server should be set to Avaya Spaces (to allow instant messaging to be stored in Avaya Spaces)
System LAN1, VoIP Tab: SIP Registrar Enable – ticked
System LAN1, VoIP Tab: SIP Remote Extn Enable – ticked
System LAN1, VoIP Tab: SIP Domain Name - The entry should match the domain suffix part of the SIP Registrar FQDN below, for example, company.com.au
(If the domain resolves to a different public IP address from the FQDN, enter the FQDN in the SIP Domain Name, for example avaya.companyname.com.au)
System LAN1, VoIP Tab: SIP Registrar FQDN - This is the SIP registrar fully qualified domain name, for example, avaya.companyname.com.au, to which the SIP endpoint should send its registration request. This address must be resolvable by DNS to the internal IP address of the Avaya phone system and resolvable by DNS to the external IP address of the router that uses the same public IP address programmed in the Avaya phone system (this router will also contain the port forwarding to the Avaya phone system IP address)
System LAN1, VoIP Tab: UDP – enabled – set UDP Port to 5060 and Remote UDP Port to 5060
System LAN1, VoIP Tab: TCP – enabled – set TCP Port to 5060 and Remote TCP Port to 5060
System LAN1, VoIP Tab: TLS – enabled – set TLS Port to 5061 and Remote TLS Port to 5061
System LAN1, VoIP Tab: RTP Port Number Range - Minimum 46750, Maximum 50750
System LAN1, VoIP Tab: Port Number Range (NAT) – Minimum 46750, Maximum 50750
System LAN1, VoIP Tab: Enable RTCP Monitoring on Port 5005 – Enabled
System LAN1, VoIP Tab: Scope – RTP-RTCP
System LAN1, VoIP Tab: Initial Keepalives – Enabled
System LAN1, VoIP Tab: Periodic Timeout - 5
NOTE
As port 5060 is a default port, if you open port 5060 and port forward it on the router to the Avaya phone system, you will receive registration requests from hackers. A suggestion would be to change port 5060 UDP and TCP, for both local and remote, to a different port number (example 5066). Be aware that if this is done after existing SIP phones are connected, those phones (J Series and IX Workplace) would need to be reset to default to connect to the system using the new port 5066 if previously using port 5060
NOTE
The RTP Port Number Range can be changed if required
If changed then any existing port forwarding of the original range will also need to be changed to match the new range
RTP ports are used for voice traffic (2 ports from the range are used at random when a call is established for inbound/outbound voice traffic)
System LAN1, Network Topology Tab: STUN Server Address - IP Address of STUN Server 0.0.0.0
System LAN1, Network Topology Tab: Firewall/NAT Type – One-To-One NAT
System LAN1, Network Topology Tab: Binding Refresh Time (seconds) – 0
System LAN1, Network Topology Tab: Public IP Address – Customer's Public IP Address
System LAN1, Network Topology Tab: Stun Port: 19302
System LAN1, Network Topology Tab: Public Port UDP – 5060 (this will be blanked out)
System LAN1, Network Topology Tab: Public Port TCP – 5060 (this will be blanked out)
System LAN1, Network Topology Tab: Public Port TLS – 5061 (this will be blanked out)
NOTE
A STUN server might be required on some networks. In our example we are not using a STUN Server Address and the Firewall/NAT Type is One-To-One NAT which means the internal port and external ports are the same
If you would like to use different ports for internal and external, then another Firewall/NAT Type would need to be selected to allow the external (Public Ports) to be configured
System, VoIP, VoIP Security: Set Media Security to Preferred
System, Avaya Cloud Services
If Avaya Spaces (which hosts the chat in IX Workplace) will not be used, this can be Disabled so the chat functionality and Spaces Sign In will not display on the IX Workplace main screen
System, Avaya Push Notification Services: Enable Apple Push Notification
Create User
User, User Tab: Name – Enter Username
User, User Tab: Password – Enter Password (this password will be used by IX Workplace Softphone)
User, User Tab: Account Status – Enabled
User, User Tab: Full Name – Enter Full Name
User, User Tab: Extension – Enter Extension Number
User, User Tab: Email Address – Enter Email Address
User, User Tab: Profile – Power User (confirm the boxes are ticked as they show below)
User, Telephony, Supervisor Settings Tab: Login Code – Enter Login Code and Confirm Login Code
User, SIP Tab: SIP Name - Enter the telephone number to display on outbound calls
User, SIP Tab: Contact - Enter the telephone number to display on outbound calls
Select OK to create the user
Create SIP Extension
Once the User has been created, if prompted
Create a SIP Extension
Enter the Phone Password to match the User Login Code
Select OK
Extension – Check and confirm there is a SIP Extension created to match the User's extension number
If not, then create a SIP Extension
Set the Base Extension number to match the User extension number
Set the Phone Password to match the User Login Code
Select the VoIP tab and Disable Allow Direct Media Path
Select OK to create the Extension
Save Configuration and Reboot the System
Select File, Save Configuration
Select Immediate (to save and restart the system immediately) or When Free (to save and restart the system when all calls and lines are not in use)
Delete the 46xxsettings.txt File (manually configure 46xxspecials.txt file if required)
The 46xxsettings file is auto generated by the IP Office 500v2 system by default
It contains the details of the system programming
In Manager
Select File, Advanced, Embedded File Management
Select the system and login
Select System SD, SYSTEM, PRIMARY
Check the files in the Primary folder and confirm there is not one named 46xxsettings
If there is a 46xxsettings file, then download the file first, then delete the file
NOTE
Systems on older versions had this file as default
The file could have been created and programmed with manual settings on an existing system
If this file is in the Primary folder, it will be used instead of the auto generated file
This will mean the details in the system programming (such as SIP Domain and FQDN) will not be reflected in this 46xxsettings file unless the file has been manually updated to reflect the new programming
It is recommended to delete the 46xxsettings file from the Primary folder
Any manual settings that were in the deleted 46xxsettings or any manual settings required can be added to the 46xxspecials file
The command GET 46xxspecials.txt appears as the last line of the auto-generated 46xxsettings.txt file requested by phones, which means phones will check this file for any manual settings
The 46xxspecials.txt file needs to be manually created and then placed in the Primary folder
To obtain an example, you can browse to http://AvayaLocalIPAddress/46xxspecials.txt to obtain an empty file.
Save and edit that file with the manual settings required before uploading it back to the Primary folder
Check 46xxsettings.txt File
Browse to http://AvayaLocalIPAddress/46xxsettings.txt
Confirm the first line has the correct details and is AUTOGENERATED
## IPOFFICE/11.1.1.1.0 build 18 192.168.86.200 AUTOGENERATED
Confirm the details in the below settings are correct
# SIPXAUTOGENERATEDSETTINGS
IF $SIG_IN_USE SEQ H323 GOTO 96X1AUTOGENERATEDSETTINGS
SET RTP_PORT_LOW 46750
SET RTP_PORT_RANGE 4002
SET TLSSRVRID 1
SET ENABLE_G711A 1
SET ENABLE_G711U 1
SET ENABLE_G729 1
SET ENABLE_G722 0
SET ENABLE_G726 0
SET ENABLE_OPUS 0
SET DTMF_PAYLOAD_TYPE 101
SET SIPDOMAIN avaya.companyname.com.au
SET ENFORCE_SIPS_URI 0
SET DSCPAUD 46
SET DSCPSIG 34
SET TLSSRVR 192.168.86.200
SET TLSPORT 411
SET HTTPPORT 80
SET TRUSTCERTS WebRootCA.pem
SET COUNTRY Australia
# STIMULUSPHONECOMMONSETTINGS
SET SIP_CONTROLLER_LIST 192.168.86.200:5061;transport=tls
SET FQDN_IP_MAP "avaya.companyname.com.au=192.168.86.200"
SET AUTH 1
SET MEDIA_PRESERVATION 1
SET PRESERVED_CONNECTION_DURATION 120
SET MEDIAENCRYPTION 1,9
# EQNXAUTOGENERATEDSETTINGS
SET AUDIO_DEVICE_CALL_CONTROL_ENABLED 1
GOTO NONAUTOGENERATEDSETTINGS
# EQNXIOSSPECIFICSETTINGS
SET PUSH_NOTIFICATION_ENABLED 1
SET TELEPHONY_PUSH_NOTIFICATION_SERVICE_URL "https://avaya.companyname.com.au:411/PushNotification"
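The checks above can be scripted once the file has been saved from the browser. The following Python example is an added illustration, not Avaya's or the original page's code; the function names and both sample texts are constructed, IF/GOTO lines are ignored, and SIP_CONTROLLER_LIST and FQDN_IP_MAP are treated as comma-separated lists.

```python
import re

# Constructed sample: a subset of the settings lines shown on this page.
SAMPLE_GOOD = '''## IPOFFICE/11.1.1.1.0 build 18 192.168.86.200 AUTOGENERATED
SET SIPDOMAIN avaya.companyname.com.au
SET TLSPORT 411
SET SIP_CONTROLLER_LIST 192.168.86.200:5061;transport=tls
SET FQDN_IP_MAP "avaya.companyname.com.au=192.168.86.200"
'''
# Constructed sample: a stale, manually edited file left in the Primary folder.
SAMPLE_STALE = '''## 46xxsettings.txt edited by hand
SET SIPDOMAIN 192.168.42.1
SET SIP_CONTROLLER_LIST 192.168.42.1:5060;transport=tcp
'''

def parse_settings(text):
    """Return (first_line, {name: value}); IF/GOTO flow is ignored, last SET wins."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    settings = {}
    for ln in lines:
        m = re.match(r'SET\s+(\S+)\s+(.*)$', ln)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return (lines[0] if lines else ""), settings

def check_settings(text, sip_domain, fqdn, internal_ip, tls_port="5061"):
    """Return a list of problems; an empty list means every check passed."""
    banner, s = parse_settings(text)
    problems = []
    if not (banner.startswith("##") and banner.endswith("AUTOGENERATED")):
        problems.append("first line is not AUTOGENERATED")
    if s.get("SIPDOMAIN") != sip_domain:
        problems.append(f"SIPDOMAIN is {s.get('SIPDOMAIN')!r}, expected {sip_domain!r}")
    controllers = [c for c in s.get("SIP_CONTROLLER_LIST", "").split(",") if c]
    if not controllers:
        problems.append("SIP_CONTROLLER_LIST is missing")
    for c in controllers:
        host, _, params = c.partition(";")
        if "transport=tls" not in params.split(";") or not host.endswith(":" + tls_port):
            problems.append(f"controller {c!r} is not TLS on port {tls_port}")
    pairs = [p.split("=", 1) for p in s.get("FQDN_IP_MAP", "").split(",") if "=" in p]
    if dict(pairs).get(fqdn) != internal_ip:
        problems.append(f"FQDN_IP_MAP does not map {fqdn} to {internal_ip}")
    return problems

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("stale", SAMPLE_STALE)):
        print(name, check_settings(text, "avaya.companyname.com.au",
                                   "avaya.companyname.com.au", "192.168.86.200"))
```

A non-empty result on a live system usually points to a manual 46xxsettings file still present in the Primary folder, as described in the NOTE above.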
Creating a Self-Signed Avaya Certificate
In Manager
Select File, Advanced, Security Settings
Select the system and login
Select System, Certificates Tab
Select Regenerate
Set the Default Subject Name as the system name, example HarryIP500v2
Set the Subject Alternate Name(s) FQDN, Domain, InternalIP, PublicIP
Example: DNS:avaya.companyname.com.au, DNS:companyname.com.au, IP:192.168.86.200, IP:159.121.42.241
Select OK on the Regenerate Certificate window
Select File, Save Security Settings
Select File, Close Security Settings
Select File, Open
Select the system and login
Select System, Certificates Tab; the Issued To: field will display the subject name
Saving a Self-Signed Avaya Certificate
Select View
Select Details
Select Subject Alternative Name and confirm the details are correct
Select Copy to File
Select Next
Select DER
Select Next
Select Browse and select a destination to download the certificate to
Enter a File Name for the certificate: example: IP500v2Cert
Select Save
Select Next
Select Finish
Install Avaya Self-Signed Certificate on Windows PC
Open the certificate file
Select Install Certificate
Select Local Machine
Select Next
Select Place all certificates in the following store
Select Browse and select Trusted Root Certification Authorities
Select OK
Select Next
Select Finish
On the internal network Browse to https://AvayaLocalIPAddress:411/46xxsettings.txt
On an external network Browse to https://FQDN:411/46xxsettings.txt
Confirm no certificate warnings appear and that the 46xxsettings file displays correctly
Install Avaya Self-Signed Certificate on Android
Download and Install IX Workplace from the Google Play Store
Email the certificate.cer (unzipped) to the mobile
Download the certificate on the email received on the mobile
Open Settings and Select Security, Advanced, Encryption & Credentials, Install a Certificate
Select CA Certificate
Select Install Anyway
Select the certificate (this should display in FILES IN DOWNLOADS)
The certificate will be installed
Open Settings and Select Security, Advanced, Encryption & Credentials, User Credentials
The certificate will display here
Open Settings and Select Security, Advanced, Encryption & Credentials, Trusted Credentials
Select USER and the certificate will display here
Open IX Workplace App and allow access to microphone, video, contacts, etc and agree to the EULA
Install Avaya Self-Signed Certificate on iPhone
Download and Install IX Workplace from the App Store
Email the certificate to the iPhone mobile
Download/Install the certificate (this will save as a profile)
NOTE: you might need to use the native Apple Email App to open the email
Install the profile – Select Settings>General>Profiles & Device Management and select Install the profile
Allow the certificate – Select Settings>General>About>Certificate Trust Settings
Under “Enable full trust for root certificate” – turn on trust for the certificate
NOTE: if you have issues opening and saving the app then try a different email client/app
Open IX Workplace App and allow access to microphone, video, contacts, etc and agree to the EULA
IX Workplace Login
Open the IX Workplace software
Select Configure my account
Enter your email address
(If the email is registered with a company in Avaya Spaces)
Select Next
If your email address is not registered with Avaya Spaces
Select the settings icon and select Use Web Address
Or use port 411 if the above fails to connect https://avaya.companyname.com.au:411/46xxsettings.txt
Select Next
Enter the User Password (not login code)
Select Next
The tutorial will display
Select Next to view the tutorial pages and Done when finished to close the tutorial
Or select
NOTE
You can then select the settings icon (top right)
Select support and Open Tutorial to view the tutorial again
Confirm the green tick icon in the top left displays to confirm the IX Workplace has registered with the system and presence is working
Confirm there are no red warning icons on the top bar
If a red warning icon displays, then select the icon to view details of the error
Example: If an update is required, apply the update and the IX Workplace will re-login
Any error will require troubleshooting to fix the issues
System Status
In Manager
Select File, Advanced, System Status
Login to System Status and select Extensions to check and confirm the IX Workplace has registered to the system