I have a few SIP phones that are located off site and connect to my PBX over the internet to make calls. For some reason one of these phones has become unprovisioned. In my office, phones get provisioned by the server via TFTP. The ones that I have off site I pre-provisioned manually before I sent them off-site (I'm in Florida; the phone is in New Jersey).

What's the best way to provision these over the internet? TFTP is very insecure.

Sending the plain text profiles with the SIP account and password over the internet is out of the question. The phones have been off-site for about 6 months without any issues. I'm using Trixbox and Cisco 7940 phones.

1 Answer

Your best bet would be to set up a site-to-site secure VPN and let the phones download their configuration via TFTP over the VPN.

The fundamental problem in this situation is that, even if you had a "secure" protocol over which to download the configuration, you would still have to provide the phone with some kind of security credentials (public/private key pair, username and password, whatever) in order to let the server authenticate it and release the confidential information.

The standard Cisco approach to this problem is described in their documentation about encrypted phone configuration files. It is possible to do such a thing, but unfortunately (and inevitably) you have to take care of key distribution beforehand.

pino42
  • Site-to-site VPN would be the best. Unfortunately the phones are located at the users' homes and they connect their computers over an SSL VPN, which doesn't work for the phones... I'll look into the Cisco approach even though it seems like overkill since at this point I'm only handling 2 phones. – Jorge Fernandez Nov 05 '12 at 18:31
  • This setup with no VPN for the phones does mean the communications between the phones and your PBX can be intercepted in theory. And the PBX has to be open to the Internet to allow these remote users, which also means attacks on your PBX trying to get free calling. Be careful. – Koos van den Hout Nov 13 '12 at 10:20
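
The answer's point that keys must be distributed before a confidential profile can be released, as an added example that is not part of the original thread and is not Cisco's mechanism or file format. It assumes OpenSSL 1.1.1 or later on both ends; the function names, file names and key layout are hypothetical.

```shell
#!/bin/sh
# Added example: per-phone secrets are created on the bench, before the phone
# ships, and the server later seals each profile for exactly one phone.
# File names and layout are constructed; this is not Cisco's format.

# Bench step: write two independent 256-bit secrets (encryption, integrity).
enroll_phone() {                 # $1 = directory that will hold the phone's keys
    mkdir -p "$1" && ( umask 077
        openssl rand -hex 32 > "$1/enc.key" &&
        openssl rand -hex 32 > "$1/mac.key" )
}

# HMAC-SHA256 of a file as hex. The key is passed in argv, so run this only on
# a host where other users cannot list processes.
tag_of() {                       # $1 = key directory, $2 = file to tag
    openssl dgst -sha256 -hmac "$(cat "$1/mac.key")" < "$2" | awk '{print $NF}'
}

# Server step: encrypt the profile, then tag the ciphertext (encrypt-then-MAC).
seal_profile() {                 # $1 = key directory, $2 = profile, $3 = output
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1/enc.key" \
        -in "$2" -out "$3" &&
    tag_of "$1" "$3" > "$3.tag"
}

# Receiving step: verify the tag first and decrypt only if it matches, so a
# profile sealed for another phone, or altered in transit, is rejected.
open_profile() {                 # $1 = key directory, $2 = sealed file, $3 = output
    tag=$(tag_of "$1" "$2") && [ -n "$tag" ] &&
        [ "$tag" = "$(cat "$2.tag")" ] || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1/enc.key" \
        -in "$2" -out "$3"
}
```

Only the sealed file and its `.tag` would travel over the untrusted network; the key directory has to reach the device some other way, which is the bootstrap problem the answer describes.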