IX Workspace

(OP)
Hello, we are in need of setting up remote users (Teleworkers). IPO R11, Preferred, with Teleworker licensing. Are there any documents that explain how to set this up? I see a lot of Client installation material but this client must interface with something to get to the IPO? Sorry, this is a first for us and any help is appreciated. Thank you!

RE: IX Workspace

There is a document called "IP Office SIP Extension" but I'm not sure if it covers remote workers.

But it's not too hard...
- set up SIP FQDN and SIP domain
- enter public IP in IPO config
- get a matching certificate
- install the root certificate on the client device
- define remote ports for SIP and RTP
- forward the SIP/RTP ports and 443/411
- configure Avaya Spaces or enter the string to the settings file within the app.
- login with extension and password.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

RE: IX Workspace

I just got this all working after years of trying. We had issues with our firewall and settings in the IP Office.
You really need a valid SSL cert installed on your IP Office. We tried installing the self-signed cert and had all kinds of issues. iPhone would not work.
We had all kinds of issues getting the cert to install on older builds of IP Office.
Make sure your system is fully updated to the latest build of 11 FP4.
Get a multi-domain SSL cert. You only need two domains: ipoffice.domain.com and a SIP domain "domain.com".
You can get a multi-domain SSL cert for two years with Comodo for 26 dollars.
Now generating that is hard. Follow instructions on this link.
https://letssupportnow.co.uk/2018/06/09/adding-3rd...
You do not need a SIP URL, and most SSL sites where you buy them don't support that.
You need to add a DNS record for ipoffice.domain name and open up the correct ports on your firewall.
I also had to choose Static port block on LAN VoIP settings. Otherwise we could call and no speech. I searched many hours looking for an answer and never found it.
Finally, after many attempts, it is all working.
Oh, and set up Avaya Spaces to sync to your IP Office and have every user log in using their email address.
It will auto-configure their settings. It is crazy there are no clear instructions anywhere.

There are all kinds of instructions, but none of them work without doing all these things.


RE: IX Workspace

Hi there.

So I am suffering big time trying to get this to work, but with a dreaded and hated ASBCE.

I need a 3rd party cert, which I have created many times over and still cannot get it to work, and the response from Avaya is we do not support 3rd party certs.

The docs they provide are all for using the self signed, I have followed the doc to the letter, but cannot get it to give out the 3rd party cert.

Any suggestions or hail Mary's would be greatly appreciated, this Covid thing has now aged me.

Thanks in advance

RE: IX Workspace

Thanks for the feedback.

I generate a CSR on the SBC, and send the req file off, I then get a .crt file and a CA cert back from Gandi. Should I maybe not create this on the SBC, and generate it online? Also should I put the IP in the cert?

I have seen a few posts that refer to making the req in openssl, but have had no success with that either.

Thanks for the response

RE: IX Workspace

So I have for example the below:

CN - phone.mycompany.com
FQDN - phone.mycompany.com
sip Domain - phone.mycompany.com (this is set on the IPO and OneX)
SIP URI - SIP:phone.mycompany.com

So my Subject alternative would be like this? DNS:phone.mycompany.com (Do I put an IP Address in here?)
Would that look correct?

RE: IX Workspace

So this is what I am going to create:

The Subject alternative format will be: DNS:phone.mycompany.com, IP:123.123.123.123, URI:sip:phone.mycompany.com
The next question is, according to the docs, this needs to be on the IPO as well. The reason I say this is because all my attempts thus far have always passed the self-signed cert to the IX client, so if I only get a CA and a crt file back, will it work?

RE: IX Workspace

Cool, will give this 10th version a try and hopefully come right, thanks so much for your time.

RE: IX Workspace

I then assume the below relates to that step:

3rd party Certificate
NOTE: This is needed only when 3rd party Certificate Authority is used for generating Identity Certificates for SBCE and IP Office
The procedure to generate such certificate is out of scope of this doc, it is customer’s responsibility, but we give an example how to bring it to a format that can be installed on IPO or SBCE.
1. Make sure you have the ID certificate from the 3rd party CA in PEM format.
2. Make sure you have the certificates of all Intermediate CA and the Root CA. These can be requested or even publicly downloaded from the 3rd party CA.
3. Make sure you have the private key
4. Upload all files to a linux box (IPO or SBCE for example) using WinSCP
5. Verify if all files are present:
[root@sipp cert]# ls
idcert.pem IssuingCA.pem key.pem RootCA.pem
6. Verify you have all files for the full trust chain:
[root@sipp cert]# openssl x509 -in idcert.pem -text|grep "Subject:\|Issuer:"
Issuer: C=HU, L=Budapest, O=Avaya, OU=IPO, CN=Issuing CA - Agardi
Subject: C=HU, ST=Hungary, L=Budapest, O=Avaya, OU=IPO, CN=ipo11.example.com
[root@sipp cert]# openssl x509 -in IssuingCA.pem -text|grep "Subject:\|Issuer:"
Issuer: C=HU, L=Budpest, O=Avaya, OU=IPO, CN=Root CA - Agardi
Subject: C=HU, L=Budapest, O=Avaya, OU=IPO, CN=Issuing CA - Agardi
[root@sipp cert]# openssl x509 -in RootCA.pem -text|grep "Subject:\|Issuer:"
Issuer: C=HU, L=Budpest, O=Avaya, OU=IPO, CN=Root CA - Agardi
Subject: C=HU, L=Budpest, O=Avaya, OU=IPO, CN=Root CA - Agardi
7. Verify ID certificate has proper Subject Alternative Name:
[root@sipp cert]# openssl x509 -in idcert.pem -text|grep "Subject Alternative" -A 1
X509v3 Subject Alternative Name:
DNS:ipo11.example.com, DNS:example.com, IP Address:135.124.242.20, IP Address:10.1.1.60
NOTE: Subject Alternative Name field has to contain the following, depending on the product:
- SBCE: SIP Domain, SIP registrar FQDN, external IP address of the IP Office
- IPO: SIP Domain, SIP registrar FQDN, external and internal IP address of the IP Office
8. Create a PEM file that contains the whole chain starting from the ID cert till the Root CA:
[root@sipp cert]# cat idcert.pem IssuingCA.pem RootCA.pem > certchain.pem
9. Create a PKCS12 file that contains the whole chain starting from the ID cert till the Root CA and the private key:
[root@sipp cert]# openssl pkcs12 -export -out cert.p12 -in certchain.pem -inkey key.pem

RE: IX Workspace

(OP)
I had the IX client working with the remote users VPN back to the local LAN. Now for some reason the IX client is saying:

"No SIP Servers configured" and they can't login to the client?

Any help is much appreciated, thank you!

RE: IX Workspace

(OP)
Should I just remove it and copy it in again? Thank you for your help!

RE: IX Workspace

(OP)
remote? Not sure what you mean? Sorry, any help is appreciated, thank you!

RE: IX Workspace

(OP)
I can pull the 46xxsettings.txt from the URL but I am not sure what SIP server settings I should be checking?

RE: IX Workspace

(OP)
This is what I found:

SET SIP_CONTROLLER_LIST proxy1:5060;transport=tls,proxy2:5060;transport=tls

Not sure if this looks correct? Or how to "set it" like you suggest?

RE: IX Workspace

(OP)
Not using an SBC, all my users have VPN to local LAN? Was just logging into client with http://X.X.X.X/46xxsettings.txt

Thank you so much for your help on this. This is new to me so I am not sure what to put in the SIP Domain name or the SIP Registrar FQDN? I assume that whatever we put in here needs to be resolved to the IP Office IP address?

RE: IX Workspace

(OP)
I think that would be great if you could assist remotely. I have Zoom if you want me to send you an invite? Let me know if that will work. I need your email. Thank you again, this would be so good to get this working.

RE: IX Workspace

(OP)
Sent you a post on your website

RE: IX Workspace

Anybody using Namecheap for their domain and certs and having issues with the SIP domain not being valid in IX Workplace when TLS is activated?

From my experience, they don't support adding URI:sip:example.com in the Subject Alternative Name.

If in the CSR, I have stuff like:


commonName = iposrv.example.com
emailAddress = admin@example.com
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = iposrv.example.com
DNS.2 = example.com
URI.1 = sip:mtl-lab.com

When they generate the cert, and I open it with Windows, I see the cert as valid, but now the SAN looks like this:

DNS=iposrv.example.com
DNS=www.example.com

Why does it automatically add www in front of example.com?! Also don't know why they removed DNS:example.com and URI:sip:example.com, so now IX Workplace complains the SIP domain is invalid.
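
The SAN mismatch described in this post, and the per-product SAN requirement in the procedure quoted earlier in the thread, can both be checked mechanically before a certificate is installed. The following is an added example, not part of any post and not Avaya or CA code; the function names are hypothetical, and the requested SAN string is constructed from the post's description.

```python
import ipaddress
import re

def parse_san(text):
    """Parse SAN entries in the `TYPE:value, ...` form printed by openssl or
    the `TYPE=value` per-line form quoted in the thread."""
    entries = set()
    for item in re.split(r"[,\n]", text):
        m = re.match(r"\s*([A-Za-z ]+?)\s*[:=]\s*(\S.*?)\s*$", item)
        if not m:
            continue  # header lines such as "X509v3 Subject Alternative Name:"
        kind, value = m.group(1), m.group(2)
        if kind in ("DNS", "DNS Name"):
            entries.add(("DNS", value.lower().rstrip(".")))
        elif kind in ("IP", "IP Address"):
            # ip_address() raises ValueError on a malformed address
            entries.add(("IP", str(ipaddress.ip_address(value))))
        else:
            entries.add((kind, value.lower()))
    return entries

def required_san(product, sip_domain, registrar_fqdn, external_ip, internal_ip=None):
    """Entries the quoted note lists per product; names are encoded as DNS
    entries, as in the sample output of step 7."""
    need = {("DNS", sip_domain.lower()), ("DNS", registrar_fqdn.lower()),
            ("IP", str(ipaddress.ip_address(external_ip)))}
    if product == "IPO":  # IPO additionally needs its internal address
        need.add(("IP", str(ipaddress.ip_address(internal_ip))))
    return need

def san_gaps(required, issued_text):
    """Return (missing, unexpected) SAN entries as sorted lists."""
    issued = parse_san(issued_text)
    return sorted(required - issued), sorted(issued - required)

# SAN line from step 7 of the quoted procedure
DOC_SAN = ("X509v3 Subject Alternative Name:\n"
           "DNS:ipo11.example.com, DNS:example.com, "
           "IP Address:135.124.242.20, IP Address:10.1.1.60")
# Requested SAN (constructed from the post's description) and the SAN the CA issued
REQUESTED = "DNS:iposrv.example.com, DNS:example.com, URI:sip:example.com"
ISSUED = "DNS=iposrv.example.com\nDNS=www.example.com"

if __name__ == "__main__":
    ipo = required_san("IPO", "example.com", "ipo11.example.com",
                       "135.124.242.20", "10.1.1.60")
    print(san_gaps(ipo, DOC_SAN))
    print(san_gaps(parse_san(REQUESTED), ISSUED))
```

Feed `san_gaps` the SAN text of the certificate the CA returns; a non-empty "missing" list means the certificate does not carry every name that was requested.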

RE: IX Workspace

Hello,
We have a client that is using the app and it works well on cellular data; however, it doesn't work on WiFi at all. I know on the older versions you could force it to use cellular, but I don't see any choice for that on the new version. Any help will be greatly appreciated.

RE: IX Workspace

You need a multi-domain cert. You have to have example.com and iposrv.example.com. SSL certs usually add the www.example.com even on a single-name cert.

RE: IX Workspace

I'm trying to create one with Let's Encrypt, but it's a total pain in the ass.

For the DNS-01 validation, you gotta create a TXT record on your DNS like _acme-challenge.example.com with some gibberish string of characters like dj38fnskkvwmdqwidqndnwuindmmgfe039i3_2ee in the content.

Simple on the surface, yet I don't know what I'm doing wrong but the record is clearly not showing up and because of this, the validation is not working. I even changed nameservers to Cloudflare, thinking this may help, but nope.

All I want to do is generate a wildcard cert to run some tests....
