
Security Certificates - 9.1

With the release of IP Office 9.1 there have been enhancements made to the way security is handled. When deploying an IP Office Server Edition or Select Server Edition for a customer, it is best practice to have them provide a fully qualified domain name or a machine name to use for the security certificate. The IP Office can be configured with a valid host name, and the certificate can be imported into the Trusted Root Certification Authorities certificate store. When you access the system by the proper host name with the certificate properly stored, there will be no security warnings while accessing the page.

When defining the hostname for the IP Office you need to either enter the FQDN that will be used to access the system or the IP address that will be used to access the system. In the case of my example I used the IP address of 192.168.11.11 as the host name. If you are using a fully qualified domain name (FQDN) or a server name (NetBIOS) you will want to make sure it resolves with your DNS server or you will see a certificate mismatch error.

To use a self-signed certificate we will select “Generate New”:


After you click Next you will see the following warning:

The certificate will now be generated. 

Once the certificate has been created it is available for download. For a Windows Certificate Store you need to download the DER-Encoded certificate:


Once you have downloaded the certificate, click Apply. The process will take several minutes, after which you will be logged out of the system. Be sure to add the certificate you downloaded to your Trusted Root Certification Authorities store. If you're working with a domain this can be pushed to client systems using a group policy, or it can be added to machines individually using the Microsoft Management Console.
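The import, and the two ways it can still go wrong (a name mismatch or a certificate that is not trusted), can be checked from an elevated PowerShell prompt on a client machine. This is an added example, not part of the original post; the file name and the HTTPS port are assumptions, and the host name is the one used in the example above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on Windows.
param(
    [string]$CertPath = "$env:USERPROFILE\Downloads\ipoffice.crt", # assumed file name
    [string]$HostName = '192.168.11.11',                           # host name from the post's example
    [int]$Port = 443                                               # assumed HTTPS management port
)

# 1. Inspect the downloaded DER file before trusting it.
$bytes  = [System.IO.File]::ReadAllBytes($CertPath)
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
$sha256 = [System.BitConverter]::ToString(
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)) -replace '-', ''
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
"SHA-256 : $sha256"
if ((Get-Date) -lt $cert.NotBefore -or (Get-Date) -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period; do not import it.'
}

# 2. Add it to the machine-wide Trusted Root store (same result as the MMC import).
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Connect by the configured host name and record what Windows' own validation reports.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $true   # accept so the handshake completes; this script only diagnoses and sends no data
}
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
} finally { $tcp.Dispose() }

if ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
    'OK: the chain is trusted and the name matches.'
}
if ($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
    "Name mismatch: the served certificate was not issued for '$HostName'."
}
if ($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
    'Chain error: the issuing certificate is not in Trusted Root on this machine.'
}
```

Record the printed SHA-256 value when you first download the certificate so that the same file can be confirmed on every machine it is deployed to.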

IP Office Startup and default passwords

When the IP Office is powered on it will look for any attached hardware. This means that any attached hardware should be powered on prior to connecting power to the IP Office. When started up for the first time the IP Office will automatically build extensions and users for any recognized extension port, starting with extension/user 201. The IP Office will number extensions from left to right on the IP Office, then left to right on any attached modules, starting at Module 1 and working up. A hunt group (number 200) will be created with the first ten users as members. All detected lines are included in Line Group 0 and a short code on 9 is created to provide access to the default routing table. Embedded voicemail is also configured on startup. Every user on the IP Office receives a mailbox. This is also true when Voicemail Pro is enabled.

The system name for the IP Office will be the MAC Address of the LAN1 port. As I previously mentioned the default IP addresses are 192.168.42.1 and 192.168.43.1 for LAN1 and LAN2, with a netmask of 255.255.255.0. A DHCP Server is built into the IP Office that is automatically configured to assign up to 200 IP addresses. The range is 192.168.42.2-201 and 192.168.43.2-201 for LAN1 and LAN2 respectively. If the IP Office detects that there is another DHCP server on the network it will disable the internal DHCP server.

The IP Office also builds a few default usernames and passwords. They are as follows:
IP Office Administration: Administrator / Administrator
IP Office Security Settings: security / securitypwd
Remote Access Dialin: RemoteManager / password
System Password (for upgrades): password (no username)


A number of other defaults are created as well. These include usernames that are used by the system for various functions, as well as a few different levels of administration access. You can see the full list of users in the Security Settings. For obvious reasons you should consider changing some of these passwords. Do not change any of the passwords for system-level users (EnhTcpaService, SCN_Admin, IPDECTService, and SMGRB5800Admin). To change the other default passwords, open Manager and click File -> Advanced -> Security Settings, then log in using the Security Settings credentials listed above. You can change the default passwords and create new users with various permissions from this screen.

In the event that you do not have any passwords for your IP Office, you can use a physical connection to the RS-232 port on the back of the IP Office control unit. Configure a terminal to connect at 38,400/8/N/1, Flow Control Off, TTY or VT100. Type the command at, followed by the command at-securityresetall. The IP Office will prompt for a complex response, after which all passwords will be defaulted.