Avaya IX Workplace Softphone Setup for Avaya IP Office - Using Domain, FQDN and TLS with Certificates

CommsPlus Distribution



Program Avaya IP Office


System, System Tab


Use Preferred Phone Ports can be enabled if required. You will then need to use port 411 to access the 46xxsettings.txt file of the system (this is referenced later in the document)

It also means port 443 is not required to be used for port forwarding


Messaging Server should be set to Avaya Spaces (to allow instant messaging to be stored in Avaya Spaces)





System LAN1, VoIP Tab: SIP Registrar Enable  ticked


System LAN1, VoIP Tab: SIP Remote Extn Enable  ticked


System LAN1, VoIP Tab: SIP Domain Name - The entry should match the domain suffix part of the SIP Registrar FQDN below, for example, company.com.au 

(If the domain resolves to a different public IP address than the FQDN, then enter the FQDN in the SIP Domain Name, for example avaya.companyname.com.au)


System LAN1, VoIP Tab: SIP Registrar FQDN - This is the SIP registrar fully qualified domain name, for example, avaya.companyname.com.au, to which the SIP endpoint should send its registration request. This address must be resolvable by DNS to the internal IP address of the Avaya phone system and resolvable by DNS to the external IP address of the router that uses the same public IP address programmed in the Avaya phone system (this router will also contain the port forwarding to the Avaya phone system IP address)


System LAN1, VoIP Tab: UDP – enabled – set UDP Port to 5060 and Remote UDP Port to 5060


System LAN1, VoIP Tab: TCP – enabled – set TCP Port to 5060 and Remote TCP Port to 5060


System LAN1, VoIP Tab: TLS – enabled – set TLS Port to 5061 and Remote TLS Port to 5061


System LAN1, VoIP Tab: RTP Port Number Range - Minimum 46750, Maximum 50750


System LAN1, VoIP Tab: Port Number Range (NAT) – Minimum 46750, Maximum 50750


System LAN1, VoIP Tab: Enable RTCP Monitoring on Port 5005 – Enabled


System LAN1, VoIP Tab: Scope – RTP-RTCP


System LAN1, VoIP Tab: Initial Keepalives – Enabled


System LAN1, VoIP Tab: Periodic Timeout - 5




NOTE

As port 5060 is a default port, if you open port 5060 and port forward it on the router to the Avaya phone system, you will receive registration requests from hackers. A suggestion is to change port 5060 (UDP and TCP, both local and remote) to a different port number (example 5066). Be aware that if this is done after SIP phones are already connected, the existing phones (J Series and IX Workplace) that previously used port 5060 would need to be reset to default to connect to the system using the new port 5066


NOTE

The RTP Port Number Range can be changed if required

If changed then any existing port forwarding of the original range will also need to be changed to match the new range

RTP ports are used for voice traffic (2 ports from the range are used at random when a call is established for inbound/outbound voice traffic)










System LAN1, Network Topology Tab: STUN Server Address - IP Address of STUN Server 0.0.0.0


System LAN1, Network Topology Tab: Firewall/NAT Type – One-To-One NAT


System LAN1, Network Topology Tab: Binding Refresh Time (seconds) – 0


System LAN1, Network Topology Tab: Public IP Address – Customer's Public IP Address


System LAN1, Network Topology Tab: Stun Port: 19302


System LAN1, Network Topology Tab: Public Port UDP – 5060 (this will be blanked out)


System LAN1, Network Topology Tab: Public Port TCP – 5060 (this will be blanked out)


System LAN1, Network Topology Tab: Public Port TLS – 5061 (this will be blanked out)




NOTE

A STUN server might be required on some networks. In our example we are not using a STUN Server Address and the Firewall/NAT Type is One-To-One NAT which means the internal port and external ports are the same

If you would like to use different ports for internal and external, then another Firewall/NAT Type would need to be selected to allow the external (Public Ports) to be configured















System, VoIP, VoIP Security: Set Media Security to Preferred




System, Avaya Cloud Services

If Avaya Spaces (which hosts the chat in IX Workplace) will not be used, then this can be Disabled so the chat functionality and Spaces Sign In will not display on the IX Workplace main screen



System, Avaya Push Notification Services: Enable Apple Push Notification




Create User


User, User Tab: Name – Enter Username


User, User Tab: Password – Enter Password (this password will be used by IX Workplace Softphone)


User, User Tab: Account Status – Enabled


User, User Tab: Full Name – Enter Full Name


User, User Tab: Extension – Enter Extension Number


User, User Tab: Email Address – Enter Email Address


User, User Tab: Profile – Power User (confirm the boxes are ticked as they show below)





User, Telephony, Supervisor Settings Tab: Login Code – Enter Login Code and Confirm Login Code




User, SIP Tab: SIP Name - Enter the telephone number to display on outbound calls


User, SIP Tab: Contact - Enter the telephone number to display on outbound calls




Select OK to create the user















Create SIP Extension


Once the User has been created, if prompted

Create a SIP Extension

Enter the Phone Password to match the User Login Code

Select OK




Extension – Check and confirm there is a SIP Extension created to match the User's extension number


If not, then create a SIP Extension

Set the Base Extension number to match the User extension number

Set the Phone Password to match the User Login Code

Select the VoIP tab and Disable Allow Direct Media Path




Select OK to create the Extension






Save Configuration and Reboot the System


Select File, Save Configuration

Select Immediate (to save and restart the system immediately) or When Free (to save and restart the system when all calls and lines are not in use)







Creating a Self-Signed Avaya Certificate


In Manager

Select File, Advanced, Security Settings

Select the system and login


Select System, Certificates Tab

Select Regenerate





Set the Default Subject Name as the system name, example HarryIP500v2

Set the Subject Alternate Name(s) FQDN, Domain, InternalIP, PublicIP


Example: DNS:avaya.companyname.com.au, DNS:companyname.com.au, IP:192.168.86.200, IP:159.121.42.241


Select OK on the Regenerate Certificate window



Select File, Save Security Settings

Select File, Close Security Settings

Select File, Open

Select the system and login


Select System, Certificates Tab. The Issued To: field will display the subject name



Saving a Self-Signed Avaya Certificate


Select View

Select Details

Select Subject Alternative Name and confirm the details are correct



Select Copy to File


Select Next

Select DER

Select Next



Select Browse and select a destination to download the certificate to

Enter a File Name for the certificate: example: IP500v2Cert

Select Save

Select Next



Select Finish




Install Avaya Self-Signed Certificate on Windows PC


Open the certificate file

Select Install Certificate




Select Local Machine

Select Next

Select Place all certificates in the following store

Select Browse and select Trusted Root Certification Authorities

Select OK

Select Next

Select Finish

On the internal network Browse to https://AvayaLocalIPAddress:411/46xxsettings.txt

On an external network Browse to https://FQDN:411/46xxsettings.txt

Confirm no certificate warnings appear and that the 46xxsettings file displays correctly





Check 46xxsettings.txt File


Browse to http://AvayaLocalIPAddress/46xxsettings.txt


Confirm the first line has the correct details and is AUTOGENERATED


## IPOFFICE/11.1.1.1.0 build 18 192.168.86.200 AUTOGENERATED



Confirm the details in the below settings are correct.


# SIPXAUTOGENERATEDSETTINGS

IF $SIG_IN_USE SEQ H323 GOTO 96X1AUTOGENERATEDSETTINGS

SET RTP_PORT_LOW 46750

SET RTP_PORT_RANGE 4002

SET TLSSRVRID 1

SET ENABLE_G711A 1

SET ENABLE_G711U 1

SET ENABLE_G729 1

SET ENABLE_G722 0

SET ENABLE_G726 0

SET ENABLE_OPUS 0

SET DTMF_PAYLOAD_TYPE 101

SET SIPDOMAIN avaya.companyname.com.au

SET ENFORCE_SIPS_URI 0

SET DSCPAUD 46

SET DSCPSIG 34

SET TLSSRVR 192.168.86.200

SET TLSPORT 411

SET HTTPPORT 80

SET TRUSTCERTS WebRootCA.pem

SET COUNTRY Australia


# STIMULUSPHONECOMMONSETTINGS

SET SIP_CONTROLLER_LIST 192.168.86.200:5061;transport=tls

SET FQDN_IP_MAP "avaya.companyname.com.au=192.168.86.200"

SET AUTH 1

SET MEDIA_PRESERVATION 1

SET PRESERVED_CONNECTION_DURATION 120

SET MEDIAENCRYPTION 1,9



# EQNXAUTOGENERATEDSETTINGS

SET AUDIO_DEVICE_CALL_CONTROL_ENABLED 1

GOTO NONAUTOGENERATEDSETTINGS

# EQNXIOSSPECIFICSETTINGS

SET PUSH_NOTIFICATION_ENABLED 1

SET TELEPHONY_PUSH_NOTIFICATION_SERVICE_URL "https://avaya.companyname.com.au:411/PushNotification"
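
The checks above can be scripted. The following is an added example, not part of the original guide or Avaya tooling: it confirms the file is AUTOGENERATED, that SIPDOMAIN matches the SIP Domain Name programmed on the VoIP tab, and that every host the file tells clients to reach over TLS appears in the Subject Alternate Name(s) entered when regenerating the certificate. The function names are hypothetical, and it assumes clients validate the certificate against the host they connect to.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the 46xxsettings.txt listing in this guide.
SAMPLE = """## IPOFFICE/11.1.1.1.0 build 18 192.168.86.200 AUTOGENERATED
SET SIPDOMAIN avaya.companyname.com.au
SET TLSSRVR 192.168.86.200
SET SIP_CONTROLLER_LIST 192.168.86.200:5061;transport=tls
SET TELEPHONY_PUSH_NOTIFICATION_SERVICE_URL "https://avaya.companyname.com.au:411/PushNotification"
"""
# Subject Alternate Name(s) example from the Regenerate Certificate step.
SAN = "DNS:avaya.companyname.com.au, DNS:companyname.com.au, IP:192.168.86.200, IP:159.121.42.241"

def parse_settings(text):
    """Return (first non-blank line, {NAME: value}) for the SET lines."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    sets = {m[1]: m[2].strip().strip('"')
            for m in (re.match(r"SET\s+(\S+)\s+(.*)", l) for l in lines) if m}
    return (lines[0] if lines else ""), sets

def tls_hosts(sets):
    """Hosts the file tells clients to reach over TLS or HTTPS."""
    hosts = {sets.get("TLSSRVR")}
    for entry in sets.get("SIP_CONTROLLER_LIST", "").split(","):
        if "transport=tls" in entry:
            hosts.add(entry.split(";")[0].rsplit(":", 1)[0])  # drop ;params and :port
    hosts.add(urlparse(sets.get("TELEPHONY_PUSH_NOTIFICATION_SERVICE_URL", "")).hostname)
    return {h for h in hosts if h}

def san_covers(san, host):
    """True if host appears in the SAN string under the right type (IP: or DNS:)."""
    try:
        ipaddress.ip_address(host)
        kind = "IP"
    except ValueError:
        kind = "DNS"
    pairs = (e.strip().split(":", 1) for e in san.split(",") if ":" in e)
    return any(k.upper() == kind and v.strip().lower() == host.lower() for k, v in pairs)

def audit(text, san, expected_domain):
    """Return a list of findings; an empty list means every check passed."""
    header, sets = parse_settings(text)
    findings = [] if header.endswith("AUTOGENERATED") else ["first line is not AUTOGENERATED"]
    if sets.get("SIPDOMAIN") != expected_domain:
        findings.append(f"SIPDOMAIN is {sets.get('SIPDOMAIN')!r}, expected {expected_domain!r}")
    findings += [f"SAN does not cover {h}" for h in sorted(tls_hosts(sets)) if not san_covers(san, h)]
    return findings
```

A finding that the first line is not AUTOGENERATED points to the manual 46xxsettings.txt file in the Primary folder described under Troubleshooting.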






Install Avaya Self-Signed Certificate on Android


Download and Install IX Workplace from the Google Play Store

Email the certificate.cer (unzipped) to the mobile

Download the certificate on the email received on the mobile


Open Settings and Select Security, Advanced, Encryption & Credentials, Install a Certificate

Select CA Certificate

Select Install Anyway


Select the certificate (this should display in FILES IN DOWNLOADS)

The certificate will be installed


Open Settings and Select Security, Advanced, Encryption & Credentials, User Credentials

The certificate will display here


Open Settings and Select Security, Advanced, Encryption & Credentials, Trusted Credentials

Select USER and the certificate will display here


Open IX Workplace App and allow access to microphone, video, contacts, etc and agree to the EULA


Install Avaya Self-Signed Certificate on iPhone


Download and Install IX Workplace from the App Store

Email the certificate to the iPhone mobile


Download/Install the certificate (this will save as a profile) 

NOTE: you might need to use the native Apple Email App to open the email


Install the profile – Select Settings>General>Profiles & Device Management and select Install the profile

Allow the certificate – Select Settings>General>About>Certificate Trust Settings

Under “Enable full trust for root certificate” – turn on trust for the certificate



If the profile is not showing:
Once the certificate has been downloaded from the Mail app
Open Settings > General > VPN & Device Management
Select the certificate and install it


NOTE: if you have issues opening and saving the app then try a different email client/app


Open IX Workplace App and allow access to microphone, video, contacts, etc and agree to the EULA







IX Workplace Login

Open the IX Workplace software



Select Configure my account



Enter your email address 

(If the email is registered with a company in Avaya Spaces)

Note: You will need to have set up Avaya Spaces; this is covered in a separate guide


Select Next





If your email address is not registered with Avaya Spaces


Select the settings icon and select Use Web Address


Enter https://avaya.companyname.com.au/46xxsettings.txt 


Or use port 411 if the above fails to connect https://avaya.companyname.com.au:411/46xxsettings.txt


Select Next



Enter the User Extension Number


Enter the User Password (not login code) 


Select Next



The tutorial will display

Select Next to view the tutorial pages and Done when finished to close the tutorial

 

Or select Skip to close the tutorial


NOTE

You can then select the settings icon (top right)

Select support and Open Tutorial to view the tutorial again





Confirm the green tick icon in the top left displays to confirm the IX Workplace has registered with the system and presence is working


Confirm there are no red warning icons on the top bar


If a red warning icon displays, then select the icon to view details of the error


Example: If an update is required, apply the update and the IX Workplace will re-login









System Status


In Manager

Select File, Advanced, System Status

Login to System Status and select Extensions to check and confirm the IX Workplace has registered to the system














































Troubleshooting


If this is not a new system, ensure there is no 46xxsettings.txt file in the Primary folder.


Delete the 46xxsettings.txt File (manually configure 46xxspecials.txt file if required)


The 46xxsettings file is auto generated by the IP Office 500v2 system by default.

It contains the details of the system programming.


In Manager

Select File, Advanced, Embedded File Management

Select the system and login.

Select System SD, SYSTEM, PRIMARY

Check the files in the Primary folder and confirm there is not one named 46xxsettings

If there is a 46xxsettings file, then download the file first, then delete the file.


NOTE

Systems on older versions had this file as default.

The file could have been created and programmed with manual settings on an existing system.


If this file is in the Primary folder, it will be used instead of the auto generated file.


This will mean the details in the system programming (such as SIP Domain and FQDN) will not be reflected in this 46xxsettings file unless the file has been manually updated to reflect the new programming.


It is recommended to delete the 46xxsettings file from the Primary folder.


Any manual settings that were in the deleted 46xxsettings or any manual settings required can be added to the 46xxspecials file.


The command GET 46xxspecials.txt appears as the last line of the auto-generated 46xxsettings.txt file requested by phones, which means phones will check this file for any manual settings.


The 46xxspecials.txt file needs to be manually created and then placed in the Primary folder


To obtain an example, you can browse to http://AvayaLocalIPAddress/46xxspecials.txt to obtain an empty file.

Save and edit that file with the manual settings required before uploading it back to the Primary folder

