Cisco SPA921 - Cisco - IP Phone User manual

Cisco Small Business
Voice System, Voice Gateways, and IP Telephones
PROVISIONING GUIDE

© 2009 Cisco Systems, Inc. All rights reserved. OL-19687-01

Cisco Small Business IP Telephony Devices Provisioning Guide i
Contents
Chapter 1: Provisioning Cisco Small Business VoIP Devices
  Residential Deployment Provisioning Requirements
  Remote Endpoint Control
  Communication Encryption
  Provisioning Overview
  Initial Provisioning
  Deploying RC Units
  Redundant Provisioning Servers
  Retail Provisioning
  Automatic In-House Preprovisioning
  Configuration Access Control
  Configuration Profiles
  Downloading the SIP Profile Compiler (SPC) Tool
  Provisioning States
  Using HTTPS
  How HTTPS Works
  Server Certificate
  Client Certificates
  Certificate Structure
  Provisioning Setup
  Software Tools
  Server Configuration
  TFTP
  HTTP
  Enabling HTTPS
  Syslog Server
  Where to Go From Here
Chapter 2: Creating Provisioning Scripts
  Configuration Profile and the SIP Profile Compiler
  Open Format Configuration File
  Configuration File Compression
  File Encryption
  Encrypting a File with the SPC
  Proprietary Plain-Text Configuration File
  Source Text Syntax
  Comments
  Macro Expansion
  Conditional Expressions
  Assignment Expressions
  URL Syntax
  Optional Resync Arguments
  Using Provisioning Parameters
  General Purpose Parameters
  Enables
  Triggers
  Configurable Schedules
  Profile Rules
  Report Rule
  Upgrade Rule
  Data Types
Chapter 3: Provisioning Tutorial
  Preparation
  Basic Resync
  TFTP Resync
  Logging with syslog
  Automatic Resync
  Unique Profiles and Macro Expansion
  URL Resolution
  HTTP GET Resync
  Secure Resync
  Basic HTTPS Resync
  HTTPS With Client Certificate Authentication
  HTTPS Client Filtering and Dynamic Content
  Profile Formats
  Profile Compression
  Profile Encryption
  Partitioned Profiles
  Parameter Name Aliases
  Proprietary Profile Format
Chapter 4: Provisioning Field Reference
  Configuration Profile Parameters
  Firmware Upgrade Parameters
  General Purpose Parameters
  Macro Expansion Variables
  Internal Error Codes
Appendix A: Example Configuration Profile
Appendix B: Acronyms
Appendix C: Where to Go From Here

Preface
About This Document
This guide describes the provisioning of Cisco Small Business Voice over IP (VoIP)
products. It contains the following sections:
•Purpose
•Document Audience
•Organization
•Finding Information in PDF Files
•Document Conventions
Purpose
The following Cisco Small Business VoIP products can be remotely provisioned or
preprovisioned using the information in this document:
•SPA9000—IP PBX with Auto-Attendant; can be used with the SPA400,
which provides a SIP-PSTN gateway
•Cisco Small Business Analog Telephone Adapters (ATAs):
-PAP2T—Voice adapter with two FXS ports
-SPA2102—Voice adapter with router
-SPA3102—Voice adapter with router and PSTN connectivity
-SPA8000—Voice adapter supporting up to eight FXS connections
-WRP400—Wireless-G ADSL gateway with two FXS ports
•Cisco Small Business IP phones:
-SPA901—One line, small, affordable, no display
-SPA921—One-line business phone
-SPA922—One-line business phone with Power over Ethernet (PoE)
support and an extra 10/100 Ethernet port for connecting another
device to the LAN
-SPA941—Four-line business phone.
-SPA942—Four-line business phone. Power over Ethernet (PoE) support
and an extra 10/100 Ethernet port for connecting another device to the
LAN
-SPA962—Six lines, hi-resolution color display. Power over Ethernet
(PoE) support and an extra 10/100 Ethernet port for connecting another
device to the LAN
-SPA525G—Five lines, hi-resolution color display. Power over Ethernet
(PoE), 10/100 switch, Bluetooth, WiFi 802.11g, USB port, MP3 player.
-WIP310—One line, hi-resolution color display. WiFi 802.11g
Document Audience
This document is written for service providers who offer services using Cisco
Small Business VoIP products and specifically for administrative staff responsible
for remote provisioning and preprovisioning Cisco Small Business devices.
Organization
This document is divided into the following chapters and appendices.
| Chapter | Contents |
| --- | --- |
| Chapter 1, “Provisioning Cisco Small Business VoIP Devices” | This chapter introduces Cisco Small Business VoIP products. |
| Chapter 2, “Creating Provisioning Scripts” | This chapter describes how to work with Cisco Small Business provisioning scripts and configuration profiles. |
| Chapter 3, “Provisioning Tutorial” | This chapter provides step-by-step procedures for using the scripting language to create a configuration profile. |
| Chapter 4, “Provisioning Field Reference” | This chapter provides a systematic reference for each parameter on the Provisioning tab of the administration web server. |
| Appendix A, “Example Configuration Profile” | This appendix contains a sample profile that you may find helpful. |
| Appendix B, “Acronyms” | This appendix provides the expansion of acronyms used in this document. |
| Appendix C, “Where to Go From Here” | This appendix provides links to resources for information and support. |
Finding Information in PDF Files
The guides for Cisco Small Business products are available as PDF files. The PDF
Find/Search tool within Adobe® Reader® lets you find information quickly and
easily online. You can perform the following tasks:
•Search an individual PDF file.
•Search multiple PDF files at once (for example, all PDFs in a specific folder
or disk drive).
•Perform advanced searches.
Finding Text in a PDF
Follow this procedure to find text in a PDF file.
STEP 1 Enter your search terms in the Find text box on the toolbar.
NOTE By default, the Find tool is available at the right end of the Acrobat toolbar. If the
Find tool does not appear, choose Edit > Find.
STEP 2 Optionally, click the arrow next to the Find text box to refine your search by
choosing special options such as Whole Words Only.
STEP 3 Press Enter.
STEP 4 Acrobat displays the first instance of the search term.
STEP 5 Press Enter again to continue to more instances of the term.
Finding Text in Multiple PDF Files
The Search window lets you search for terms in multiple PDF files that are stored
on your PC or local network. The PDF files do not need to be open.
STEP 1 Start Acrobat Professional or Adobe Reader.
STEP 2 Choose Edit > Search, or click the arrow next to the Find box and then choose
Open Full Acrobat Search.
STEP 3 In the Search window, complete the following steps:
a. Enter the text that you want to find.
b. Choose All PDF Documents in.
From the drop-down box, choose Browse for Location. Then choose the
location on your computer or local network, and click OK.
c. If you want to specify additional search criteria, click Use Advanced Search
Options, and choose the options you want.
d. Click Search.
STEP 4 When the Results appear, click + to open a folder, and then click any link to open
the file where the search terms appear.
For more information about the Find and Search functions, see the Adobe Acrobat
online help.

Document Conventions
The following typographic conventions are used in this document.
| Typographic Element | Meaning |
| --- | --- |
| Boldface | Indicates an option on a menu or a literal value to be entered in a field. |
| <parameter> | Angle brackets (<>) are used to identify parameters that appear on the configuration pages of the administration web server. The index at the end of this document contains an alphabetical listing of each parameter, hyperlinked to the appropriate table in Chapter 4, “Provisioning Field Reference”. |
| Italic | Indicates a variable that should be replaced with a literal value. |
| Monospaced Font | Indicates code samples or system output. |

Chapter 1: Provisioning Cisco Small Business VoIP Devices
This chapter describes the features and functionality available when provisioning
Cisco Small Business IP Telephony Devices and explains the setup required. It
includes the following sections:
•Residential Deployment Provisioning Requirements
•Provisioning Overview
•Configuration Access Control
•Using HTTPS
•Provisioning Setup
•Where to Go From Here
Residential Deployment Provisioning Requirements
Cisco Small Business IP Telephony Devices are primarily intended for high-volume
deployments by VoIP service providers to residential and small business
customers. These devices are likely to be widely distributed across the Internet,
connected through routers and firewalls at the customer premises. Further, IP
Telephony Devices may serve as terminal nodes in business or enterprise
environments, where the units may be operated within a self-contained LAN
environment.
The IP Telephony Device can be seen as a remote extension of the service
provider back-end equipment. Remote management and configuration is required
to efficiently ensure proper operation of the IP Telephony Device at the customer
premises.
Device configuration varies according to the individual customer and with the
same customer over a period of time. The IP Telephony Device must be
configured to match the account service parameters for the individual customer.
Also, the configuration may need to be modified because of new service provider
features, modifications in the service provider network, or firmware upgrades in
the endpoint.
This customized, ongoing configuration is supported by the following features:
•Reliable remote control of the endpoint
•Encryption of the communication controlling the endpoint
•Streamlined endpoint account binding
Remote Endpoint Control
The service provider must be able to modify the configuration parameters in the IP
Telephony Device after the unit has been deployed to the customer premises. The
service provider must also be able to upgrade the firmware remotely, and both of
these operations must be reliable.
In a residential deployment, the end IP Telephony Device is typically connected to
a local network. The device accesses the Internet through a router using network
address translation (NAT). For enhanced security, the router may attempt to block
unauthorized incoming packets by implementing symmetric NAT, a packet filtering
strategy which severely restricts the packets that are allowed to enter the
protected network from the Internet.
Communication Encryption
The configuration parameters communicated to the IP Telephony Device may
contain authorization codes or other information that needs to be protected from
unauthorized access. It is in the service provider’s interest to prevent unauthorized
activity by the customer, and in the customer’s interest to prevent
unauthorized use of the account by other persons. For this reason, the service
provider may wish to encrypt the configuration profile communication between
the provisioning server and the IP Telephony Device, in addition to restricting
access to the administration web server for the device.
Provisioning Overview
The Cisco Small Business IP Telephony Devices support secure remote
provisioning and firmware upgrades. Configuration profiles can be generated by
using common, open source tools that facilitate integration into service
provider provisioning systems. Supported transport protocols include TFTP, HTTP,
and HTTPS with a client certificate. Cisco Small Business provisioning solutions
are designed for high-volume residential deployment, where each IP Telephony
Device typically resides in a separate LAN environment that is connected to the
Internet with a NAT device.
An IP Telephony Device can be configured to resynchronize its internal
configuration state to a remote profile periodically and on power up. A 256-bit
symmetric key encryption of profiles is supported. In addition, an unprovisioned IP
Telephony Device can receive an encrypted profile specifically targeted for that
device without requiring an explicit key. Secure first-time provisioning is provided
through a mechanism that uses SSL functionality.
NOTE Remote customization (RC) units are customized by Cisco so that when the unit is
started, it tries to contact the Cisco provisioning server to download its customized
profile.
User intervention is not required to initiate or complete a profile update or
firmware upgrade. Remote firmware upgrade is achieved via TFTP or HTTP, but
not using HTTPS because the firmware does not contain sensitive information that
can be read by a customer. The upgrade logic is capable of automating multi-
stage upgrades, if intermediate upgrades are required to reach a future upgrade
state from an older release. A profile resync is only attempted when the IP
Telephony Device is idle, because this may trigger a software reboot.
General purpose parameters are provided to help service providers to manage
the provisioning process. Each IP Telephony Device can be configured to
periodically contact a normal provisioning server (NPS). Communication with the
NPS does not require the use of a secure protocol because the updated profile is
encrypted by a shared secret key. The NPS can be a standard TFTP, HTTP or
HTTPS server.
Initial Provisioning
Cisco Small Business IP Telephony Devices provide convenient mechanisms for
initial provisioning, based on two deployment models:
•Retail distribution
In this model, the customer purchases the IP Telephony Device from a retail
outlet and subsequently requests VoIP service from the service provider.
The service provider must then support secure remote configuration of the
unit.
•Bulk distribution
In this model, the service provider issues the IP Telephony Device to the
customer as part of the VoIP service contract (RC units). The service
provider acquires IP Telephony Devices in bulk quantity, and either
preprovisions the IP Telephony Devices in-house or purchases RC units
from Cisco.
Deploying RC Units
The in-house preprovisioning step can be eliminated by using RC units.
Customization of RC units reduces the need to handle the units prior to shipping to
end customers. It also discourages the use of Cisco Small Business IP Telephony
Devices with a different service provider.
In this scenario, the MAC address of each RC unit is associated with a customized
profile on a provisioning server that is maintained by Cisco for the Service
Provider that purchased the units. The RC unit is preprovisioned by Cisco with the
connection information for the Cisco Small Business provisioning server. When the
RC unit is started, it tries to contact the Cisco Small Business provisioning server
and download its customized profile.
The status of customization for an RC unit can be determined by using the
administration web server and viewing the Info tab > Product Information page,
Customization section. An RC unit that has not been provisioned displays Pending.
An RC unit that has been provisioned displays the name of the company that owns
the unit. If the unit is not an RC unit the web page displays Open.
Cisco Small Business offers RC units to service providers for volume deployments
of endpoints. Through customization, the manufacturing default values of a select
number of parameters can be customized to meet the needs of individual service
providers.
The following is a sample template for an RC unit:
Restricted Access Domains "domain.com, domain1.com, domain2.com";
Primary_DNS * "x.y.w.z";
Secondary_DNS * "a.b.c.d";
Provision_Enable * "Yes";
Resync_Periodic * "30";
Resync_Error_Retry_Delay * "30";
Profile_Rule * "http://prov.domain.com/sipura/profile?id=$MA";
The Restricted Access Domain parameter is configured with the actual domain
names of up to a maximum of five domains. The Primary_DNS and
Secondary_DNS parameters are configured with the actual domain names or IP
addresses of the DNS servers available to the RC unit.
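As an added example (not part of the Cisco guide or its tools), the following Python check parses the sample RC template above, expands $MA for one device, and reports settings to review. The $MA format (lower-case hex, no separators), the suffix-style domain matching, the function names and the MAC address used are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# RC template as printed in the guide (its values are placeholders).
GUIDE_TEMPLATE = """\
Restricted Access Domains "domain.com, domain1.com, domain2.com";
Primary_DNS * "x.y.w.z";
Secondary_DNS * "a.b.c.d";
Provision_Enable * "Yes";
Resync_Periodic * "30";
Resync_Error_Retry_Delay * "30";
Profile_Rule * "http://prov.domain.com/sipura/profile?id=$MA";
"""

# name, optional '*' flag (kept but not interpreted here), quoted value, ';'
ENTRY = re.compile(r'^([A-Za-z_][\w ]*?)\s*(\*)?\s*"([^"]*)"\s*;$')
MAX_DOMAINS = 5  # limit stated in the guide


def parse_template(text):
    """Return {parameter name: value}; reject lines that do not parse."""
    params = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {number}: cannot parse {line!r}")
        params[match.group(1)] = match.group(3)
    return params


def expand_ma(rule, mac):
    """Substitute $MA. Assumption: lower-case hex digits, no separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return rule.replace("$MA", digits)


def rule_target(rule):
    """Return (scheme, host). A rule without a scheme is a TFTP path."""
    if "://" not in rule:
        rule = "tftp://" + rule
    parts = urlsplit(rule)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def host_allowed(host, domains):
    """Assumed matching: the host equals a listed domain or is below it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def lint_template(text, mac):
    """Return a list of findings for one device's view of the template."""
    params = parse_template(text)
    findings = []
    raw = params.get("Restricted Access Domains", "")
    domains = [d.strip().lower() for d in raw.split(",") if d.strip()]
    if len(domains) > MAX_DOMAINS:
        findings.append(f"{len(domains)} restricted domains, limit is {MAX_DOMAINS}")
    rule = params.get("Profile_Rule")
    if rule is None:
        findings.append("no Profile_Rule entry in the template")
        return findings
    scheme, host = rule_target(expand_ma(rule, mac))
    if domains and not host_allowed(host, domains):
        findings.append(f"Profile_Rule host {host} is outside the restricted domains")
    if scheme != "https":
        findings.append(f"Profile_Rule uses {scheme}: the profile itself must be encrypted")
    return findings


if __name__ == "__main__":
    for finding in lint_template(GUIDE_TEMPLATE, "00:0E:08:AA:BB:CC"):  # constructed MAC
        print(finding)
```

For the guide's own sample the only finding is the plain HTTP transport in Profile_Rule, which leaves confidentiality to profile encryption.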
Redundant Provisioning Servers
The provisioning server may be specified as an IP address or as a fully qualified
domain name (FQDN). The use of a FQDN facilitates the deployment of redundant
provisioning servers. When the provisioning server is identified through a FQDN,
the IP Telephony Device attempts to resolve the FQDN to an IP address through
DNS. Only DNS A-records are supported for provisioning; DNS SRV address
resolution is not available for provisioning. The IP Telephony Device continues to
process A-records until the first server responds. If no server associated with the
A-records responds, the IP Telephony Device logs an error to the syslog server.
Retail Provisioning
The firmware for each IP Telephony Device includes an administration web server
that displays the internal configuration and accepts new configuration parameter
values. The server also accepts a special URL command syntax for performing
remote profile resync and firmware upgrade operations.
In a retail distribution model, a customer purchases a Cisco Small Business voice
endpoint device, and subsequently subscribes to a particular service. The
customer first signs on to the service and establishes a VoIP account, possibly
through an online portal with an Internet Telephony Service Provider (ITSP).
Subsequently, the customer binds the particular device to the assigned service
account.
To do so, the unprovisioned IP Telephony Device is instructed to resync with a
specific provisioning server through a resync URL command. The URL command
typically includes an account PIN number or alphanumeric code to associate the
device with the new account.
http://192.168.1.102/admin/resync?https://prov.supervoip.com/cisco-init/1234abcd
In this example, a device at the DHCP-assigned IP address 192.168.1.102 is
instructed to provision itself to the SuperVoIP service at prov.supervoip.com. The
PIN number for the new account is 1234abcd. The remote provisioning server is
configured to associate the IP Telephony Device that is performing the resync
request with the new account, based on the URL and the supplied PIN. Through
this initial resync operation, the IP Telephony Device is configured in a single step,
and is automatically directed to resync thereafter to a permanent URL on the
server. For example:
https://prov.supervoip.com/cisco
For both initial and permanent access, the provisioning server relies on the client
certificate for authentication and supplies correct configuration parameter values
based on the associated service account.
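The binding flow described above, modelled in Python as an added example (not code from the guide or from any Cisco provisioning product). It assumes the TLS layer has already verified the client certificate and hands over the MAC address it names; the class, its methods, the single-use PIN policy, the account ids and the returned dictionary (a stand-in for the generated profile) are choices made for this example.

```python
import hmac
import re

INIT_PREFIX = "/cisco-init/"                        # path from the guide's example
PERMANENT_URL = "https://prov.supervoip.com/cisco"  # permanent URL from the guide


class ProvisioningServer:
    """In-memory model of the account-binding step (hypothetical class)."""

    def __init__(self, pending):
        self.pending = dict(pending)  # PIN -> account id, issued at sign-up
        self.bound = {}               # device MAC -> account id

    @staticmethod
    def _mac(cert_mac):
        # Assumption: cert_mac comes from an already verified client
        # certificate; None means the device presented no valid certificate.
        if cert_mac is None:
            return None
        digits = re.sub(r"[^0-9A-Fa-f]", "", cert_mac).lower()
        return digits if len(digits) == 12 else None

    def initial_resync(self, path, cert_mac):
        """Handle a GET of /cisco-init/<PIN>; return (status, profile)."""
        mac = self._mac(cert_mac)
        if mac is None:
            return 403, {}
        if not path.startswith(INIT_PREFIX):
            return 404, {}
        pin = path[len(INIT_PREFIX):].encode()
        matched = None
        for known_pin in self.pending:
            # Constant-time comparison against every pending PIN.
            if hmac.compare_digest(known_pin.encode(), pin):
                matched = known_pin
        if matched is None:
            return 404, {}
        # Policy chosen for this example: a PIN binds one device, once.
        account = self.pending.pop(matched)
        self.bound[mac] = account
        return 200, {"Profile_Rule": PERMANENT_URL, "account": account}

    def permanent_resync(self, cert_mac):
        """Serve the profile only to a device already bound to an account."""
        mac = self._mac(cert_mac)
        account = self.bound.get(mac) if mac else None
        if account is None:
            return 403, {}
        return 200, {"Profile_Rule": PERMANENT_URL, "account": account}


if __name__ == "__main__":
    server = ProvisioningServer({"1234abcd": "acct-1001"})  # constructed account
    print(server.initial_resync("/cisco-init/1234abcd", "00:0E:08:AA:BB:CC"))
    print(server.permanent_resync("00:0E:08:AA:BB:CC"))
```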
Automatic In-House Preprovisioning
Using the administration web server and issuing a resync URL is convenient for a
customer in the retail deployment model, but it is not as convenient for
preprovisioning a large number of units. In this case, you can use automatic in-
house preprovisioning.
With the factory default configuration, an IP Telephony Device automatically tries
to resync to a specific file on a TFTP server, whose IP address is offered as one of
the DHCP-provided parameters. A service provider can connect each new IP
Telephony Device to a LAN environment that is configured for preprovisioning. Any
new IP Telephony Device connected to this LAN automatically resyncs to the local
TFTP server, initializing its internal state in preparation for deployment. This
preprovisioning step configures the URL of the provisioning server, among other
parameters.
Subsequently, when a new customer signs up for service, the preprovisioned
device can be simply bar-code scanned, to record its MAC address or serial
number, before being shipped to the customer. Upon receiving the unit, the
customer connects the unit to the broadband link, possibly through a router. On
power-up the IP Telephony Device already knows the server to contact for its
periodic resync update.
Configuration Access Control
Besides configuration parameters that control resync and upgrade behavior, the IP
Telephony Device provides mechanisms for restricting end-user access to various
parameters.
The firmware provides specific privileges for login to a User account and an
Admin account. Both can be independently password protected.
•Admin Account: Allows the service provider to configure the device. The
Admin account has full access to all IVR functions and to all administration
web server parameters.
•User Account: Allows the user of the device to access basic interactive
voice response (IVR) functions and to configure a subset of the
administration web server parameters.
The service provider can restrict the user account in the following ways:
•The service provider can choose which configuration parameters are
available to the User account.
•The service provider can completely disable any user access to the
administration web server.
•The factory reset control using the IVR can be disabled via provisioning.
•The Internet domains accessed by the device for resync, upgrades, and SIP
registration for Line 1 can be restricted.
Configuration Profiles
The configuration profile defines the parameter values for a specific IP Telephony
Device. The configuration profile can be used in two formats:
•Open (XML-style) format
The XML-style format lets you use standard tools to compile the parameters
and values. To protect confidential information in the configuration profile,
this type of file is generally delivered from the provisioning server to the IP
Telephony Device over a secure channel provided by HTTPS.
•Proprietary, plain-text format
The plain-text configuration file uses a proprietary format, which can be
encrypted to prevent unauthorized use of confidential information. By
convention, the profile is named with the extension .cfg (for example,
spa962.cfg). The SIP Profile Compiler (SPC) tool is provided for compiling
the plain-text file containing parameter-value pairs into an encrypted CFG
file. The SPC tool is available from Cisco for the Win32 environment
(spc.exe) and Linux-i386-elf environment (spc-linux-i386-static). The SPC
tool for the OpenBSD environment is available on a case-by-case basis.
For more information, see Downloading the SIP Profile Compiler (SPC) Tool.
Downloading the SIP Profile Compiler (SPC) Tool
STEP 1 Go to Cisco.com, enter the model number in the search box, and then click Go.
STEP 2 In the Filter Results By list on the left side of the Search Results page, find Task,
and then choose Download Software.
STEP 3 Click the Download Software link, which is usually the first link in the filtered list.
STEP 4 When the Select Software Type page appears, choose Profile Compiler (SPC)
Tool.
STEP 5 In the next step, choose the latest release of firmware.
STEP 6 Follow the instructions on the screen to continue through the steps in the
download process.
Provisioning States
The provisioning process involves four provisioning states, as described in the
following table.
Flow Step Step Description
MFG-RESET Manufacturing Reset: The device returns to a fully unprovisioned
state. All configurable parameters regain their manufacturing
default values.
Manufacturing reset can be performed through the following IVR
sequence: ****RESET#1#
Allowing the end user to perform manufacturing reset
guarantees that the device can always be returned to an
accessible state.
SP-CUST Service Provider Customization: The Profile_Rule parameter is
configured to point to a device-specific configuration profile,
using a provisioning server that is specific to the service
provider.
There are three methods:
•Auto-configuration via local DHCP server. A TFTP server
name or IPv4 address is specified by DHCP on the local
network. The indicated TFTP server carries the desired
Profile_Rule entry in the CFG file /spa962.cfg
•Enter a resync URL. Start a web browser and request a resync to a
specific TFTP server by entering the following URL syntax:
http://x.x.x.x/admin/resync?prvserv/device.cfg
where x.x.x.x is the IP address of the IP Telephony Device, prvserv is
the target TFTP server, and device.cfg is the name of the configuration
file on the server.
•Edit Profile_Rule parameter. Open the provisioning pane on
the web interface, and enter the TFTP URL in the
Profile_Rule parameter: for example, prserv/spa962.cfg.
•The spa962.cfg file modifies the Profile_Rule to contact a
specific TFTP server and to request a MAC-address
specific CFG file. For example, the following entry contacts a
specific provisioning server, requesting a new profile unique
to this unit:
Profile_Rule tftp.callme.com/profile/$MA/spa962.cfg;