Avaya client gets certificate from AADS
(OP)
I have two questions:
1) How do I skip manual installation of the certificate on clients? How can it be made automatic, so that the client gets the certificate from AADS or another server?
2) What is the best choice security-wise: using the SMGR certificate or a public cert?
RE: Avaya client gets certificate from AADS
The term "client" is very obscure. For Avaya Workplace (formerly Equinox) clients on Windows, life is relatively easy. You can issue personal certificates through Microsoft using auto-enrollment (assuming they have network access). Note that the Microsoft setup will need to make sure the key is exportable. Otherwise you can create the certificate and provide it to the end user in a PKCS12 (cert/key/chain) for them to use.
For hard phones, Avaya has provided Device Enrollment Services (DES). The documentation could be better; however, you zip up the 46xxsettings.txt file, the CA certificates for the phones, any PKCS12 files, and the upgrade script files (needed for the phone to then get to the 46xxsettings.txt) and load them into DES.
Alternatively, for hard phones you can use SCEP on-net, then send them off-net. Microsoft SCEP will need to be configured for password re-use, and you may have to read up on the SCEP settings in the 46xxsettings.txt file. Starting with System Manager 8.1.3 you can use System Manager as your SCEP server (although I haven't tried it yet).
RE: Avaya client gets certificate from AADS
When I try the SMGR certificate (I install the SMGR PEM cert file on the client device) or a public certificate (I don't install any cert on the client), there is no MTLS, as the SBC TLS server profile has peer verification set to none, so I can see the client sending a certificate () in the SBC trace.
When I use the SMGR cert and enable peer verification, the client can't register and gets a cert error.
Avaya documents show that no peer verification is needed for the TLS server profile, and also that for the subscriber flow no TLS client profile is administered!
So I'm confused about the security concept here and the whole scenario.
RE: Avaya client gets certificate from AADS
If you're in a highly secure environment, or inside an enterprise with all the machines - cell phones included - joined to a domain with identity certificates, you can use peer verification/mutual TLS authentication.
That way, your SIP remote worker setup won't establish a handshake with the client unless the client has, in certmgr.msc, an identity certificate provided by the company for them. Then, you'd be trusting the company's CA cert in the server profile. That way you'll never get INVITE:01145411231231232132@yourPublicIP coming into your SBC - the hackers don't have a cert issued by TheCustomer.com's private internal CA.
You can use that, but as a pre-requisite you'd have to have all the endpoints with an identity cert. If the deployment use case was laptops for work from home but those laptops are joined to the domain or otherwise administered centrally, then it's as easy as you adding the company CA cert to trust for peer verification.
But we don't want to get too far into that - give them the MSI for IX Workplace, let them automate deployment of the client, use Zang to autoconfig based on email address to AADS and you're done as far as managing end user client configurations. If they already have identity certs on each machine and want to bring it to the table, sure, but they've already done the heavy lifting.
Don't forget to read and follow the security best practices for 8.0
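The two replies above describe the same mechanism from two ends: hand each endpoint an identity cert from the company CA (as a PKCS12 with cert, key and chain), then trust only that CA for peer verification on the SBC. The script below is an added example, not code from this thread or from any Avaya tool, and it uses only the openssl command line. It builds a placeholder "company" CA, issues an identity cert for a placeholder user and packages it as a PKCS12, then shows what peer verification amounts to: a cert that chains to the company CA verifies, while a cert with the identical subject issued by an unrelated CA (standing in for "the hackers") is rejected. All names (TheCustomer.com, user1, the PKCS12 password) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Avaya). Requires the openssl CLI.
# Builds a private company CA, issues one endpoint identity cert, packages it
# as PKCS12 (cert + key + chain), and demonstrates peer verification against
# the company CA. Names and the password are placeholders.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca <basename> <CN>: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_identity <ca basename> <CN> <basename>: client-auth cert signed by that CA
issue_identity() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile req.cnf -extensions v3_client -out "$3.crt" 2>/dev/null
}

# make_p12 <basename> <ca basename> <password>: PKCS12 bundle (cert, key, chain)
# for the client. Note: OpenSSL 3 uses AES/PBKDF2 by default; very old Windows
# builds may need the -legacy option to import the file.
make_p12() {
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile "$2.crt" \
    -name "$1" -out "$1.p12" -passout "pass:$3" 2>/dev/null
}

# peer_verify <trusted CA file> <cert>: exit 0 if the cert chains to the trusted
# CA and is usable for client auth, non-zero otherwise. This is the decision the
# SBC makes when peer verification is enabled with the company CA in its trust store.
peer_verify() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

make_ca company "TheCustomer.com Internal CA"
issue_identity company "user1@TheCustomer.com" user1
make_p12 user1 company ChangeMe

# An unrelated CA standing in for an attacker: it can mint a cert with the same
# subject name, but that cert will never chain to the company CA.
make_ca rogue "Somebody Else CA"
issue_identity rogue "user1@TheCustomer.com" rogue-user1

if peer_verify company.crt user1.crt; then
  echo "user1.crt: accepted (chains to the company CA)"
fi
if ! peer_verify company.crt rogue-user1.crt; then
  echo "rogue-user1.crt: rejected (same CN, issued by a different CA)"
fi
echo "client bundle for import: $WORK/user1.p12"
```

The point the script makes is the one in the reply above: with peer verification on, the server profile's trust store is the access control list. Whoever cannot present a cert chaining to the trusted CA never completes the handshake, regardless of what subject name they put in their own certificate.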
RE: Avaya client gets certificate from AADS
Another point: is it possible to save the cert to the AADS trust store, where the client can be prompted to choose and download it? I checked the trustcerts option, but it isn't helping.