Setting Up IP Office With FQDN and Security Cert

(OP)
Hey Fellas,

I'm having a hard time getting my IP Office running on AWS to work properly with an FQDN and a signed security certificate. I'm trying to do this so we can use Avaya IX Workplace app with our IPO and not have to download and install the self-generated IPO certs that come with it.

I have managed to get a signed certificate and load it on to my IPO, but am running into some problems:
1) When I load my 46xxsettings.txt or any other web page from my IPO using the domain name I purchased with my security cert. And when I load my 46xxsettings.txt file via web page the browser shows it as not secure.

2) I'm not able to sync my IX Workplace app to my IPO with the domain name. I can use the https://IPaddress/46xxsettings.txt link and that "untrusted cert" error is gone, but now my Workplace app is unable to login to a user and make calls properly.

I think where I'm stuck and what's causing all these issues is I have not properly tied my IP Office to my domain name and I cannot figure it out.

I changed the hostname of my IP Office to match my FQDN, and set up the DNS with my domain provider to point the domain to the public IP of my system. But something's not right and I have not been able to find any guides on the web detailing how to do this.

Please help!

Thank you

RE: Setting Up IP Office With FQDN and Security Cert

(OP)
my SAN is my domain name. Should it be something else?

RE: Setting Up IP Office With FQDN and Security Cert

(OP)
Yes, I added my FQDN to my LAN settings in SIP domain name and SIP registrar FQDN. I also updated the hostname in my 7070 portal under settings > system > network > host name.

RE: Setting Up IP Office With FQDN and Security Cert

Is your TLS enabled?

If you look in your 46xxsettings.txt file is it auto generated or did you generate it and save it?

It has to have the TLS option in the J129 phone
something looking like this

SET SIP_CONTROLLER_LIST <YOURDOMAIN>:5061;transport=tls

also the SIP remote user option needs to be on (system - LAN - VoIP)

Joe
FHandw, ACSS (SME)

Remembering intrigrant 2019

RE: Setting Up IP Office With FQDN and Security Cert

(OP)
derfloh - I see my domain name in my 46xxsettings file.

Westi - I'm not concerned with TLS on desk phones. Only concerned about the cert for IX Workplace since it gives you trouble if you don't have a signed cert.

RE: Setting Up IP Office With FQDN and Security Cert

(OP)
Digging in this thread I learned that the IP Office does its own DNS lookups and does not respond to FQDN requests unless it can confirm the resolution itself.

I went to my system > DNS settings and realized my IPO was using the system default DNS from Amazon AWS and still had its AWS DNS name there. So I changed the DNS address to 8.8.8.8 and updated the DNS domain box to my domain name.

Now I'm getting somewhere, but still not working as it needs to. When I load my domain name I get a webpage from my IPO that says "URI contains invalid FQDN. DNS failure."

Looking into this error, others are saying it is caused by the IPO not being able to confirm its FQDN via DNS. Not sure how it's having a problem with this. I checked Google's DNS and my domain name resolves to the correct public IP of my IPO, and the public IP that NATs to my IPO is entered in the System > LAN > Network Topology > Public IP address setting. So the IPO knows what its public IP is! It should be able to confirm the DNS resolution is correct!!

RE: Setting Up IP Office With FQDN and Security Cert

so what error are you getting on IX workplace?

RE: Setting Up IP Office With FQDN and Security Cert

The error "URI contains invalid FQDN. DNS failure" means the IPO cannot find a DNS server with the FQDN that resolves to its own IP address, the DNS lookup is a local DNS not public.

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchett

RE: Setting Up IP Office With FQDN and Security Cert

@Gref6

When you access the system using an FQDN, in this case using http or https to get the 46xxsettings.txt, the IP Office will check the DNS server in its settings to see if the FQDN resolves to the IP address of the interface the request comes in on. If there is no match you get the "URI contains invalid FQDN. DNS failure" error.

If the interface has a private IP address (192.168.42.1) then the FQDN must resolve to 192.168.42.1. If you are using 8.8.8.8 as the DNS server it will not be able to resolve to this IP address as it will return the public IP and you get the error message. You need to set up "Split DNS" so internally the IP office uses your DNS server.

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchett

RE: Setting Up IP Office With FQDN and Security Cert

@Gref6

You purchased a signed certificate. Did you put this certificate into the Trusted Store of the IPO?

The IPO does not trust this certificate unless you do this.

The picture above with "the required certificate is not trusted" Your computer does not know what this certificate is. Download the certificate on your computer and install this to the Trusted Authenticated store. This will allow you to use "https://IPADDRESS/46xxsettings.txt"

This is not needed unless you want to download the settings file with HTTPS, you can use "http://IPADDRESS/46xxsettings.txt" to download the settings and certificate from the IPO but it will still use the Encrypted Sip Registration port 5061 and for presence https port 443/411.

Every time you change the IP, DNS and hostname it will generate a new certificate for the IPO. You have purchased a certificate and hopefully imported this certificate into the identity certificate section.

RE: Setting Up IP Office With FQDN and Security Cert

(OP)
Ekster "the DNS lookup is a local DNS not public"
THIS was the final puzzle piece for me. After creating a DNS resolution on the AWS system that resolved the FQDN to my IPO's private IP address, it all started working. Thanks Ekster and everyone else!

For those who may be searching for how to get an FQDN and signed security certificate working with IPO on AWS like me, here is a rough outline of the process:

- Purchase domain name and security cert from a certificate authority/domain provider. Use your domain provider DNS to set an A record pointing your domain to the public IP of your IPO/AWS server.

- Follow Avaya's guide here to create the cert signing request, then load the signed cert to your system. At the end when you apply the cert, the web manager did not work for me like the guide said. I had to apply my certs through Manager > Security Settings.

- In Manager LAN settings > VoIP set your domain name in SIP domain name and SIP registrar FQDN settings. Then in System > DNS settings keep the default AWS server as your DNS, and under DNS domain put your domain name there.

- If you are using Server Edition, log in to the 7071 web GUI, and update the hostname of the system to your domain name in settings > system > network > Host Name.

- Finally, in AWS DNS settings (they call it "Route 53"), create a record that points your domain name to the private IP address of your AWS instance.

RE: Setting Up IP Office With FQDN and Security Cert

(OP)
Question here about SSL/TLS cert expirations, so my shiny new cert expires in a year. Do I need to manually renew it or does it typically auto-renew on the IPO as long as I have auto-renewal billing with my CA?

RE: Setting Up IP Office With FQDN and Security Cert

You will need to manually update the system with the new certificate as the old one will expire.


Another thing to watch out for is where the DNS settings are.

We had an engineer install Server Edition before the customer's DNS server was available, so he put 8.8.8.8 in the Web Manager under <Platform View/Settings/System/System DNS>. All was well, later when the customer had the DNS server up and running he finalised the Server Edition install/programming, went into <Manager/System/DNS> and changed the DNS settings to the customer's server. Again all was well until we rebooted the server and all hell broke loose, all the IX Workplace clients fell over and we got the "URI contains invalid FQDN. DNS failure" error!

Turns out if the DNS setting in Platform View is different to the one in Manager/System/DNS and the system reboots the Platform View DNS is pushed through to the Manager settings.

In short the Linux Base O/S DNS overwrites the IP Office Application DNS setting in the config.



“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchett
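
The split-DNS requirement and the Platform View versus Manager DNS mismatch described in the posts above can both be checked from a host inside the network with `dig`. This is an added example, not code from any poster or from Avaya; the function names and all addresses in the comments are constructed, and treating any answer other than the interface IP as a failure is an assumption about how strict the IP Office check is.

```shell
#!/bin/sh
# Added example: verify that every DNS server the IP Office might use returns
# the IP of the interface that receives the request (its private IP on AWS).

# classify ANSWERS EXPECTED_IP
# ANSWERS is a whitespace-separated list of A records from one resolver.
# Prints OK only when every answer equals EXPECTED_IP.
classify() {
    answers=$1; expected=$2; hit=0; miss=0
    for a in $answers; do
        if [ "$a" = "$expected" ]; then hit=$((hit + 1)); else miss=$((miss + 1)); fi
    done
    if [ $((hit + miss)) -eq 0 ]; then echo "NO-ANSWER"   # nothing to match
    elif [ "$miss" -eq 0 ]; then echo "OK"                # only the interface IP
    elif [ "$hit" -eq 0 ]; then echo "MISMATCH"           # e.g. the public IP
    else echo "MIXED"; fi                                 # both views leaking
}

# resolve_a RESOLVER FQDN
# A records for FQDN as seen by one specific resolver (requires dig).
resolve_a() {
    dig +short +time=3 +tries=1 "@$1" "$2" A | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# check_ipo_dns FQDN IFACE_IP RESOLVER...
# Pass every DNS server the system could end up using: the one in
# Manager > System > DNS and the one in Platform View, since a reboot can
# replace the former with the latter. Returns non-zero if any resolver fails.
check_ipo_dns() {
    fqdn=$1; iface=$2; shift 2; rc=0
    for r in "$@"; do
        v=$(classify "$(resolve_a "$r" "$fqdn")" "$iface")
        echo "$r -> $v"
        [ "$v" = "OK" ] || rc=1
    done
    return $rc
}

# Constructed usage: FQDN, private interface IP, then the two configured resolvers.
# check_ipo_dns ipo.example.com 10.0.1.25 10.0.0.2 8.8.8.8
```

A public resolver such as 8.8.8.8 is expected to report MISMATCH here, because it returns the public A record; that is the condition that produces the "URI contains invalid FQDN. DNS failure" page when the IP Office is pointed at it.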
