Provisioning Guide
Page 1
Linksys SPA Provisioning Guide Version 3.0 Corporate Headquarters Linksys 121 Theory Drive Irvine, CA 92617 USA http://www.linksys.com Tel: 949 823-1200 800 546-5797 Fax: 949 823-1100
Linksys SPA Provisioning Guide Version 3.0 Corporate Headquarters Linksys 121 Theory Drive Irvine, CA 92617 USA http://www.linksys.com Tel: 949 823-1200 800 546-5797 Fax: 949 823-1100
Provisioning Guide
Page 2
...contains implementation examples and techniques using Linksys, a division of this document at any legal arrangement between Linksys, a division of Cisco Systems, Inc. As well, Linksys reserves the right to assist you in some instances, other countries. Disclaimer - These ... not constitute any time. All rights reserved.Specifications are subject to the described solutions over time. Linksys SPA Provisioning Guide Copyright ©2007 Cisco Systems, Inc. Use of Proprietary Information and Copyright Notice: This document contains proprietary information that is a registered...
...contains implementation examples and techniques using Linksys, a division of this document at any legal arrangement between Linksys, a division of Cisco Systems, Inc. As well, Linksys reserves the right to assist you in some instances, other countries. Disclaimer - These ... not constitute any time. All rights reserved.Specifications are subject to the described solutions over time. Linksys SPA Provisioning Guide Copyright ©2007 Cisco Systems, Inc. Use of Proprietary Information and Copyright Notice: This document contains proprietary information that is a registered...
Provisioning Guide
Page 7
...vii It contains the following summarizes the Linksys VoIP products that can be remotely provisioned or preprovisioned using Linksys VoIP products and specifically for administrative staff responsible for remote provisioning and preprovisioning Linksys devices. can be used with the SPA400, which provides a... SIP-PSTN gateway • Linksys Analog Telephone Adapters (ATAs): • PAPT2T-Voice adapter with two FXS ports • SPA1001-Small VoIP adapter • SPA2102-Voice ...
...vii It contains the following summarizes the Linksys VoIP products that can be remotely provisioned or preprovisioned using Linksys VoIP products and specifically for administrative staff responsible for remote provisioning and preprovisioning Linksys devices. can be used with the SPA400, which provides a... SIP-PSTN gateway • Linksys Analog Telephone Adapters (ATAs): • PAPT2T-Voice adapter with two FXS ports • SPA1001-Small VoIP adapter • SPA2102-Voice ...
Provisioning Guide
Page 8
..., small, affordable, no display • SPA921-One-line business phone • SPA922-One-line business phone with Linksys provisioning scripts and configuration profiles. This chapter provides a systematic reference for connecting another device to the LAN • SPA941-Default ... in this document. This appendix defines the terms used to identify parameters that supports the remote provisioning options described in Chapter 4, "Provisioning Field Reference" Linksys SPA Provisioning Guide viii Version 3.0 Angle brackets () are the typographic conventions used in a field. Power...
..., small, affordable, no display • SPA921-One-line business phone • SPA922-One-line business phone with Linksys provisioning scripts and configuration profiles. This chapter provides a systematic reference for connecting another device to the LAN • SPA941-Default ... in this document. This appendix defines the terms used to identify parameters that supports the remote provisioning options described in Chapter 4, "Provisioning Field Reference" Linksys SPA Provisioning Guide viii Version 3.0 Angle brackets () are the typographic conventions used in a field. Power...
Provisioning Guide
Page 9
... 888 333-0244 Hours: 4am-6pm PST, 7 days a week • E-mail support [email protected] Version 3.0 Linksys SPA Provisioning Guide ix Related Documentation The following documentation provides additional information about features and functionality of Linksys ATAs: • AA Quick Guide •...; IVR Quick Guide • SPA Provisioning Guide The following documentation describes how to use other Linksys Voice System products: • SPA9000 Administrator Guide • LVS CTI ...
... 888 333-0244 Hours: 4am-6pm PST, 7 days a week • E-mail support [email protected] Version 3.0 Linksys SPA Provisioning Guide ix Related Documentation The following documentation provides additional information about features and functionality of Linksys ATAs: • AA Quick Guide •...; IVR Quick Guide • SPA Provisioning Guide The following documentation describes how to use other Linksys Voice System products: • SPA9000 Administrator Guide • LVS CTI ...
Provisioning Guide
Page 11
...business or enterprise environments, where the units may be seen as a remote extension of time. Version 3.0 Linksys SPA Provisioning Guide 1-1 Remote management and configuration is generically referred to extend the central office phone line termination into the customer ...as a SPA. Unless otherwise noted, the instructions in this document apply equally to a traditional phone line terminal. Residential Deployment Provisioning Requirements Linksys ATAs, such as a media conversion endpoint, offering the consumer a telephone port analogous to the SPA9000, Linksys Analog...
...business or enterprise environments, where the units may be seen as a remote extension of time. Version 3.0 Linksys SPA Provisioning Guide 1-1 Remote management and configuration is generically referred to extend the central office phone line termination into the customer ...as a SPA. Unless otherwise noted, the instructions in this document apply equally to a traditional phone line terminal. Residential Deployment Provisioning Requirements Linksys ATAs, such as a media conversion endpoint, offering the consumer a telephone port analogous to the SPA9000, Linksys Analog...
Provisioning Guide
Page 12
...binding. Remote Endpoint Control The service provider must be generated using common, open source tools, facilitating integration into service provider provisioning systems. Supported transport protocols include TFTP, HTTP, and HTTPS with firmware release 2.0, 256-bit symmetric key encryption of ...packets that device without requiring an explicit key. Release 2.0 supports a secure first-time provisioning mechanism using network address translation (NAT). Linksys provisioning solutions are designed for that are allowed to enter the protected network from unauthorized activity by...
...binding. Remote Endpoint Control The service provider must be generated using common, open source tools, facilitating integration into service provider provisioning systems. Supported transport protocols include TFTP, HTTP, and HTTPS with firmware release 2.0, 256-bit symmetric key encryption of ...packets that device without requiring an explicit key. Release 2.0 supports a secure first-time provisioning mechanism using network address translation (NAT). Linksys provisioning solutions are designed for that are allowed to enter the protected network from unauthorized activity by...
Provisioning Guide
Page 13
... are provided to initiate or complete a profile update or firmware upgrade. The NPS can be customized to periodically contact a normal provisioning server (NPS). Remote firmware upgrade is not an RC unit the web page displays Not Customized. The status of customization for volume... deployments of the SPA with Release 5.x. Initial Provisioning Linksys ATAs provide convenient mechanisms for use of SPA endpoints. The service provider must then support secure remote configuration of the...
... are provided to initiate or complete a profile update or firmware upgrade. The NPS can be customized to periodically contact a normal provisioning server (NPS). Remote firmware upgrade is not an RC unit the web page displays Not Customized. The status of customization for volume... deployments of the SPA with Release 5.x. Initial Provisioning Linksys ATAs provide convenient mechanisms for use of SPA endpoints. The service provider must then support secure remote configuration of the...
Provisioning Guide
Page 14
...not available for performing remote profile resync and firmware upgrade operations. The server also accepts a special URL command syntax for provisioning. The remote provisioning server is configured to an IP address through a resync URL command. In the following is a sample template for ...authentication and supplies correct configuration parameter values based on the URL and the supplied PIN. Resync_Periodic * "30"; Redundant Provisioning Servers The provisioning server may be specified as an IP address or as a fully qualified domain name (FQDN). Only DNS A-records are ...
...not available for performing remote profile resync and firmware upgrade operations. The server also accepts a special URL command syntax for provisioning. The remote provisioning server is configured to an IP address through a resync URL command. In the following is a sample template for ...authentication and supplies correct configuration parameter values based on the URL and the supplied PIN. Resync_Periodic * "30"; Redundant Provisioning Servers The provisioning server may be specified as an IP address or as a fully qualified domain name (FQDN). Only DNS A-records are ...
Provisioning Guide
Page 15
...the extension .cfg (for example, spa2102.cfg). The User and Admin accounts can be totally disabled. The configuration profile can be simply bar-code scanned, to record its periodic resync update. Chapter 1 Provisioning Linksys VoIP Devices Provisioning Overview Automatic In-House Preprovisioning Using the...User account is not as one of units. Optionally, user access to the SPA administration web server can be disabled, via provisioning. The manufacturing reset control using the IVR can also be used in the configuration profile, this LAN automatically resyncs to a...
...the extension .cfg (for example, spa2102.cfg). The User and Admin accounts can be totally disabled. The configuration profile can be simply bar-code scanned, to record its periodic resync update. Chapter 1 Provisioning Linksys VoIP Devices Provisioning Overview Automatic In-House Preprovisioning Using the...User account is not as one of units. Optionally, user access to the SPA administration web server can be disabled, via provisioning. The manufacturing reset control using the IVR can also be used in the configuration profile, this LAN automatically resyncs to a...
Provisioning Guide
Page 16
... available on a case-by release 1.0 in Figure 1-1. This section describes the high-level provisioning flow supported by -case basis. SPA Provisioning Flow Chapter 1 Provisioning Linksys VoIP Devices plain-text file containing parameter-value pairs into an encrypted CFG file. SPA Provisioning Flow Firmware release 1.0 provides basic features in support of the SPC tool for...
... available on a case-by release 1.0 in Figure 1-1. This section describes the high-level provisioning flow supported by -case basis. SPA Provisioning Flow Chapter 1 Provisioning Linksys VoIP Devices plain-text file containing parameter-value pairs into an encrypted CFG file. SPA Provisioning Flow Firmware release 1.0 provides basic features in support of the SPC tool for...
Provisioning Guide
Page 17
... configured in one of the specific SPA and prvserv is specified by a profile path. • Edit Profile_Rule parameter. Service provider customization The provisioning parameters are customized for example, prserv/spa2102.cfg. The indicated TFTP server carries the desired Profile_Rule entry in Table 1-1. The Profile_Rule parameter must be accomplished in this unit: Profile_Rule...
... configured in one of the specific SPA and prvserv is specified by a profile path. • Edit Profile_Rule parameter. Service provider customization The provisioning parameters are customized for example, prserv/spa2102.cfg. The indicated TFTP server carries the desired Profile_Rule entry in Table 1-1. The Profile_Rule parameter must be accomplished in this unit: Profile_Rule...
Provisioning Guide
Page 18
... file might contain: Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg; The encryption key and random directory location can only be targeted to each SPA by compiling the CFG file with the provisioning server. With symmetric key cryptography, a single secret key is ...through this strongly encrypted profile. Linksys generates a certificate for authenticating the client to the server and the server to the provisioning server. This provides an initial level of symmetric encryption algorithms. The SPA implements up to Linksys. How HTTPS Works Starting ...
... file might contain: Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg; The encryption key and random directory location can only be targeted to each SPA by compiling the CFG file with the provisioning server. With symmetric key cryptography, a single secret key is ...through this strongly encrypted profile. Linksys generates a certificate for authenticating the client to the server and the server to the provisioning server. This provides an initial level of symmetric encryption algorithms. The SPA implements up to Linksys. How HTTPS Works Starting ...
Provisioning Guide
Page 19
...SPA, to gain configuration information, or to authenticate the server certificate when connecting via HTTPS, and reject any attempt to spoof the provisioning server. A certificate authority root certificate capable of the chain, with a Linksys SPA. The firmware running on the SPA clients ...recognizes only these certificates as valid. Version 3.0 Linksys SPA Provisioning Guide 1-9 Without the private key corresponding to a valid server certificate, the attacker is unable to each SPA also carries a unique client...
...SPA, to gain configuration information, or to authenticate the server certificate when connecting via HTTPS, and reject any attempt to spoof the provisioning server. A certificate authority root certificate capable of the chain, with a Linksys SPA. The firmware running on the SPA clients ...recognizes only these certificates as valid. Version 3.0 Linksys SPA Provisioning Guide 1-9 Without the private key corresponding to a valid server certificate, the attacker is unable to each SPA also carries a unique client...
Provisioning Guide
Page 20
... service providers for client authentication purposes. 1-10 Linksys SPA Provisioning Guide Version 3.0 Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Figure 1-2 SPA Configuration and Provisioning Certificate Chain SPA Configuration-Provisioning Certificate Chain Sipura Technology, Inc Provisioning Server Root Authority 1 CERT PKEY Compiled into SPA Firmware Signs Provisioning Server Certificates SPA Root CA Certificate List SPA Firmware Load...
... service providers for client authentication purposes. 1-10 Linksys SPA Provisioning Guide Version 3.0 Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Figure 1-2 SPA Configuration and Provisioning Certificate Chain SPA Configuration-Provisioning Certificate Chain Sipura Technology, Inc Provisioning Server Root Authority 1 CERT PKEY Compiled into SPA Firmware Signs Provisioning Server Certificates SPA Root CA Certificate List SPA Firmware Load...
Provisioning Guide
Page 21
... obtain license keys. Once programmed, the feature remains enabled permanently. Version 3.0 Linksys SPA Provisioning Guide 1-11 Chapter 1 Provisioning Linksys VoIP Devices Provisioning Setup Provisioning Setup This section describes setup requirements for provisioning a SPA and includes the following software tools are useful for provisioning Linksys ATAs : • Open source gzip compression utility, used when generating configuration profiles...
... obtain license keys. Once programmed, the feature remains enabled permanently. Version 3.0 Linksys SPA Provisioning Guide 1-11 Chapter 1 Provisioning Linksys VoIP Devices Provisioning Setup Provisioning Setup This section describes setup requirements for provisioning a SPA and includes the following software tools are useful for provisioning Linksys ATAs : • Open source gzip compression utility, used when generating configuration profiles...
Provisioning Guide
Page 22
...HTTP server directory. The supplied information conveys manufacturer, product name, current firmware version, and product serial number. 1-12 Linksys SPA Provisioning Guide Version 3.0 In this file on that the unit resyncs to this case, a separate explicit profile encryption can be used to... expands to /spa2102.cfg, which means that TFTP server. The Profile_Rule provided with the profile filepath on the local TFTP server, if that a configuration file is common to rely on the provisioning server required when using HTTP without danger of unauthorized use this information ...
...HTTP server directory. The supplied information conveys manufacturer, product name, current firmware version, and product serial number. 1-12 Linksys SPA Provisioning Guide Version 3.0 In this file on that the unit resyncs to this case, a separate explicit profile encryption can be used to... expands to /spa2102.cfg, which means that TFTP server. The Profile_Rule provided with the profile filepath on the local TFTP server, if that a configuration file is common to rely on the provisioning server required when using HTTP without danger of unauthorized use this information ...
Provisioning Guide
Page 23
... individual SSL client certificates. In addition, Linksys also provides a Linksys CA Client Root Certificate to recognize authorized provisioning servers, and reject non-authorized servers. When these elements from a SPA2102: User-Agent: Linksys/SPA-2102-2.0.5 (88012BA01234) Provisioning Setup Enabling HTTPS For increased security managing remotely deployed units, the SPA supports HTTPS for each newly...
... individual SSL client certificates. In addition, Linksys also provides a Linksys CA Client Root Certificate to recognize authorized provisioning servers, and reject non-authorized servers. When these elements from a SPA2102: User-Agent: Linksys/SPA-2102-2.0.5 (88012BA01234) Provisioning Setup Enabling HTTPS For increased security managing remotely deployed units, the SPA supports HTTPS for each newly...
Provisioning Guide
Page 24
...obtain the serial number of a unique client certificate. The location for storing the provisioning server signed certificate, its associated private key, and the Linksys CA client root...0x0003 Cipher Suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 1-14 Linksys SPA Provisioning Guide Version 3.0 It can then provide the certificate information to a CGI for SSL...
...obtain the serial number of a unique client certificate. The location for storing the provisioning server signed certificate, its associated private key, and the Linksys CA client root...0x0003 Cipher Suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 1-14 Linksys SPA Provisioning Guide Version 3.0 It can then provide the certificate information to a CGI for SSL...
Provisioning Guide
Page 25
... the scripting language to create a configuration profile. Define a term used in this document. Look up the expansion for completing different provisioning tasks. A message can be generated at the start of a remote file request (configuration profile or firmware load), and at the... conclusion of the operation (with Linksys provisioning scripts Chapter 2, "Creating Provisioning Scripts" and configuration profiles. Where to Go From Here The following table summarizes the location of specific information in...
... the scripting language to create a configuration profile. Define a term used in this document. Look up the expansion for completing different provisioning tasks. A message can be generated at the start of a remote file request (configuration profile or firmware load), and at the... conclusion of the operation (with Linksys provisioning scripts Chapter 2, "Creating Provisioning Scripts" and configuration profiles. Where to Go From Here The following table summarizes the location of specific information in...