
Mitel 6900 - HOW TO ENABLE SECURITY FOR HOME WORKER ON MITEL 6700, 6800 AND 6900

Mitel 6900
79 pages
26/1531-ANF 901 14 Uen S 2019-10-18 72
SECURITY
19.5 HOW TO ENABLE SECURITY FOR HOME WORKER ON MITEL 6700, 6800 AND 6900
If MiVoice Border Gateway (MBG) is used as Session Border Controller (SBC), follow
the Application note MiVoice Border Gateway (MBG) - How to configure Teleworker
68xxi with MX-ONE in the CPI library.
If Ingate is used as SBC, follow the Installation Guide How to Install an Ingate Solution
for Mitel Teleworker Solutions in Stand-alone mode or DMZ/LAN mode behind existing
Firewall in the CPI library.
The principle used here is to configure the SBC to have secure communication on the
outside towards the home worker Mitel 6900/6800/6700 terminal and insecure
communication on the inside towards MX-ONE.
The TLS setup described here will be persistent TLS. If your deployment requires an
even more secure setup, ‘persistent mutual TLS’, then also read the Appendix,
“Teleworker with persistent mutual TLS”.
Please note that persistent mutual TLS is the default method when MiVoice Border
Gateway (MBG) is used as SBC.
Furthermore, the assumption is that the user would like to be able to use the terminal in
the office and to bring the terminal home (home worker). For this reason two
configuration server directories are set up: inOffice, accessible via http, and atHome,
accessible via https.
The only setting required by the end user is to change the Configuration Server via
phoneUI: Options > Admin Menu > [6739i; Advanced] > Cfg. Svr., and choose HTTP or
HTTPS in the Download Protocol list. Activate the setting by selecting Options >
Restart.
The benefit of having the SBC server certificate signed by a commercial CA (Verisign,
Thawte, GeoTrust, Comodo or CyberTrust) is that these root CAs are preloaded in the
phone firmware. A root CA is required prior to the TLS handshake with the
Configuration Server when HTTPS is used as download protocol.
The following example shows how to get it working with an SBC that has
a non-commercial CA signed server certificate. The SBC has a root CA that signs its
server certificate. The drawback is that the phone needs to boot up in the office before
it can be brought home in order to load the root CA, which is used when the phone
boots up and accesses the configuration server via https at home. However, the phone
will lose the loaded CA on “Factory Reset” or if a new firmware is found in the
configuration server.
1. Set up a web server like Apache and create the path matching the configuration
server setting in the phone configuration. If Apache is used, /var/www/html/ is
the root for the path set in the phone. So here you create the directories inOffice/
and atHome/.
2. The inOffice directory shall contain the model-specific configuration files,
aastra.cfg/startup.cfg and the phone FW (see above). Note that the root
certificates are loaded but not used, because the setting is TCP for SIP and RTP for media.
Phone aastra.cfg/startup.cfg file:
# Only changes from the aastra template are described
action uri startup: "http://$$PROXYURL$$:22222/Startup?user=$$SIPUSERNAME$$"
services script: https://$$PROXYURL$$:22222/Services?user=$$SIPUSERNAME$$&voicemailnr=<voice mail number>
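
An added example, not part of the Mitel manual: a small Python check that can be run on the web server against the aastra.cfg/startup.cfg copies placed in inOffice/ and atHome/. It parses the "parameter: value" lines and reports URL-valued parameters that are not HTTPS. The rule that every URL in the atHome copy must be HTTPS is an assumption derived from the secure-outside principle above, and the sample file and voice mail number are constructed.

```python
import re

# Constructed sample modelled on the snippet above (voice mail number invented).
SAMPLE_CFG = '''\
#Only changes from the aastra template is described
action uri startup: ”http://$$PROXYURL$$:22222/Startup?user=$$SIPUSERNAME$$”
services script: https://$$PROXYURL$$:22222/Services?user=$$SIPUSERNAME$$&voicemailnr=1234
'''

# Straight and typographic quotes; the latter appear when values are pasted from a PDF.
QUOTES = '"\'\u201c\u201d\u2018\u2019'
URL_RE = re.compile(r'^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://')


def parse_cfg(text):
    """Yield (line_no, parameter, value) for each 'parameter: value' line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition(':')  # split at the first colon only
        if sep:
            yield no, key.strip(), value.strip().strip(QUOTES)


def audit(text, profile):
    """Return (severity, line_no, parameter, detail) for every non-HTTPS URL.

    profile 'atHome'   : assumed policy, any non-HTTPS URL is a FAIL.
    profile 'inOffice' : plaintext is expected on the inside, reported as info.
    """
    findings = []
    for no, key, value in parse_cfg(text):
        m = URL_RE.match(value)
        if not m or m.group('scheme').lower() == 'https':
            continue
        detail = m.group('scheme').lower() + ' URL'
        if '$$SIPUSERNAME$$' in value:
            detail += ' carrying the SIP user name'
        severity = 'FAIL' if profile == 'atHome' else 'info'
        findings.append((severity, no, key, detail))
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CFG, 'atHome'):
        print(*finding, sep=' | ')
```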
