Local Provisioning For IP Phones

A short while ago VUC’s Randulo tweeted that he had recently updated the firmware on his Polycom phones. He said that he did this using a local provisioning server set up temporarily just for the task. If you’re using a hosted IP-PBX then you may not have a suitable server running 24/7/365.

If you don’t run a provisioning server all the time then booting the phones can take a lot longer. On boot-up the phones simply fail to contact the provisioning server and eventually boot using their existing internal settings. But this means waiting through a series of time-outs, which is the principal source of delay.

In the phone’s core network configuration you can specify how many times the phone will try to contact the provisioning server before giving up, as well as the retry interval. This can partially mitigate the delay.

Polycom Server Settings Menu

If you really want to get around this issue the only real solution is to run a provisioning server. It can be local to your network or remotely accessed.

Within my office I sometimes use a local provisioning server to test new firmware. I usually run SolarWinds’ freeware TFTP server on my Windows desktop. Once I’m happy with the release I upload it to an FTP server at my employer’s head office in the UK. All my Polycom phones reference this remote server, as does the small herd of phones that I manage at various locations across the US.

If you oversee phones at various sites then, like me, you may be forced to use remote access to effect central provisioning. Many phones support various connection schemes for provisioning. The most common are TFTP, FTP and HTTP. Some, like our Polycom units, also support secure versions of these protocols.

Securing a remote provisioning server is a serious matter. If that server is hacked then your phones’ configs could be compromised. With access to your config files a hacker has all your SIP credentials and can easily start making fraudulent use of your hosted PBX account.

Imagine a wily hacker hosting globally accessed conference calls. Costly? To paraphrase one newly-minted American celebrity…You betcha!

So choose your connection scheme wisely. FTP, while convenient, is not secure. FTP logins are passed in the clear and easily snooped using Wireshark. If possible use SFTP or HTTPS instead. Many IP phone manufacturers also provide software tools to encrypt the config files themselves, further protecting against hacks.

The security issue adds another dimension to the logic behind maintaining a local provisioning server. If this service is inside your LAN then you can take further steps to lock down unwanted access, for example by restricting access to only IP addresses on your local subnet.
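
One way to apply the subnet restriction described above, as an added example that is not part of the original post: a small Python HTTP file server that hands out provisioning files only to clients inside an allow-listed subnet and refuses directory listings. The subnet `192.168.1.0/24`, the `./provisioning` directory and port 8080 are assumed values; the transport here is plain HTTP, so this shows the access restriction only, not encryption.

```python
import ipaddress
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Assumed values for illustration; replace with your own LAN and directory.
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
PROVISIONING_DIR = "./provisioning"
BIND_ADDR = ("0.0.0.0", 8080)  # better: bind to the LAN interface address only


def is_allowed(client_ip, allowed_nets=ALLOWED_NETS):
    """Return True only if client_ip parses and lies inside an allowed subnet."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address: fail closed
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in allowed_nets)


class LanOnlyHandler(SimpleHTTPRequestHandler):
    """Serve config and firmware files to local phones, refuse everyone else."""

    def _gate(self):
        if is_allowed(self.client_address[0]):
            return True
        self.send_error(403, "Forbidden")  # also logged with the client address
        return False

    def do_GET(self):
        if self._gate():
            super().do_GET()

    def do_HEAD(self):
        if self._gate():
            super().do_HEAD()

    def list_directory(self, path):
        # Never reveal which per-phone config files exist.
        self.send_error(403, "Directory listing disabled")
        return None


if __name__ == "__main__":
    handler = partial(LanOnlyHandler, directory=PROVISIONING_DIR)
    ThreadingHTTPServer(BIND_ADDR, handler).serve_forever()
```

The 403 entries this writes to its log give you a record of any off-subnet host that tries to fetch config files.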

Yes, there may be merit in using a local provisioning server, but running hardware just for this purpose seems wasteful. That is, unless we choose that hardware wisely.

More on that matter to follow….