Crestron Flex Series User manual

Crestron Flex Phones
Security Reference Guide
Crestron Electronics, Inc.

The original language version of this document is U.S. English.
All other languages are a translation of the original document.
Crestron product development software is licensed to Crestron dealers and Crestron Service Providers (CSPs) under a
limited nonexclusive, nontransferable Software Development Tools License Agreement. Crestron product operating
system software is licensed to Crestron dealers, CSPs, and end-users under a separate End-User License Agreement.
Both of these Agreements can be found on the Crestron website at www.crestron.com/legal/software_license_agreement.
The product warranty can be found at www.crestron.com/warranty.
The specific patents that cover Crestron products are listed online at www.crestron.com/legal/patents.
Certain Crestron products contain open source software. For specific information, please visit
www.crestron.com/opensource.
Crestron, the Crestron logo, and XiO Cloud are either trademarks or registered trademarks of Crestron Electronics, Inc.
in the United States and/or other countries. Bluetooth is either a trademark or registered trademark of Bluetooth SIG,
Inc. in the United States and/or other countries. Active Directory and Microsoft Teams are either trademarks or
registered trademarks of Microsoft Corporation in the United States and/or other countries. Wi-Fi is either a trademark
or registered trademark of Wi-Fi Alliance in the United States and/or other countries. Other trademarks, registered
trademarks, and trade names may be used in this document to refer to either the entities claiming the marks and names
or their products. Crestron disclaims any proprietary interest in the marks and names of others. Crestron is not
responsible for errors in typography or photography.
©2022 Crestron Electronics, Inc.

Contents
Overview 1
Ports and Protocols 3
Prerequisites 5
Operating Environment 5
Firmware Version 5
Device Access 5
Default Configuration Settings 5
Microsoft Teams Secure Deployment 6
Required Configuration 7
Create an Admin Account Password 7
Configure the Network 8
Wired Network Configuration 8
Wi-Fi Network Configuration 10
802.1X Authentication 11
Set the Time and Date 14
Configure the Remote Syslog 15
Optional Configuration 17
Add Users and Groups 17
Configure Bluetooth Communications 17
Configure Automatic Updates 17
Configure a Connection to XiO Cloud 18
Management Functions 20
Firmware Update 20
User and Group Management 20
Add a User 21
Delete a User 22
Add a Group 22
Delete a Group 23
ii • Contents Security Reference Guide — Doc. 9313A

Overview
This document describes the steps needed to harden a Crestron® installation with Crestron Flex
Phones and assumes a basic understanding of security functions and protocols. This guide
provides information about the system configuration used for Crestron Flex Phones firmware
release 1.0.4.22 or later.
NOTE: The term "device" is used in this document to refer to all applicable Crestron Flex Phone models unless specified otherwise.
The information in this guide pertains to the following device models:
Model | Description
UC-P8-T | Crestron Flex 8 in. Audio Desk Phone for Microsoft Teams® Software
UC-P8-T-I | Crestron Flex 8 in. Audio Desk Phone for Microsoft Teams® Software, International
UC-P8-T-HS | Crestron Flex 8 in. Audio Desk Phone with Handset for Microsoft Teams® Software
UC-P8-T-HS-I | Crestron Flex 8 in. Audio Desk Phone with Handset for Microsoft Teams® Software, International
UC-P8-T-C | Crestron Flex 8 in. Video Desk Phone for Microsoft Teams® Software
UC-P8-T-C-I | Crestron Flex 8 in. Video Desk Phone for Microsoft Teams® Software, International
UC-P8-T-C-HS | Crestron Flex 8 in. Video Desk Phone with Handset for Microsoft Teams® Software
UC-P8-T-C-HS-I | Crestron Flex 8 in. Video Desk Phone with Handset for Microsoft Teams® Software, International
UC-P10-T | Crestron Flex 10 in. Audio Desk Phone for Microsoft Teams® Software
UC-P10-T-I | Crestron Flex 10 in. Audio Desk Phone for Microsoft Teams® Software, International
UC-P10-T-HS | Crestron Flex 10 in. Audio Desk Phone with Handset for Microsoft Teams® Software
UC-P10-T-HS-I | Crestron Flex 10 in. Audio Desk Phone with Handset for Microsoft Teams® Software, International
UC-P10-T-C | Crestron Flex 10 in. Video Desk Phone for Microsoft Teams® Software
UC-P10-T-C-I | Crestron Flex 10 in. Video Desk Phone for Microsoft Teams® Software, International
UC-P10-T-C-HS | Crestron Flex 10 in. Video Desk Phone with Handset for Microsoft Teams® Software
UC-P10-T-C-HS-I | Crestron Flex 10 in. Video Desk Phone with Handset for Microsoft Teams® Software, International

Ports and Protocols
The following ports and protocols may be used by the device depending on the system design
and configuration.
Crestron Control Devices

Function | Destination Port | From (Sender) | To (Listener) | Notes
Crestron-CIP | 41794/TCP | Device | Control System | Crestron Internet Protocol
Crestron-SCIP | 41796/TCP | Device | Control System | Secure Crestron Internet Protocol
HTTPS | 49200/TCP | Remote | Device | Device Web API for Crestron HTML5 User Interfaces

Common Ports

Function | Destination Port | From (Sender) | To (Listener) | Notes
NTP | 123/UDP | Device | NTP Server | Network Time Protocol (NTP)
SSH | 22/TCP | Admin Workstation | Device | Used for configuration and console.
LDAP | 389/TCP | Device | Admin Server |
LDAPS | 636/TCP | Device | Admin Server |
HTTPS | 443/TCP | Admin or End User Workstation | Device | Secure web configuration
HTTPS | 443/TCP | Device | XiO Cloud® Service | For XiO Cloud services only and not required for device functionality. A persistent connection is made via AMQP over WebSockets. HTTPS services such as routing lookups and file transfers may be used.
HTTPS | 443/TCP | Device | Microsoft Portal | For Microsoft portal services only and not required for device functionality. HTTPS services such as routing lookups and file transfers may be used.
HTTPS | 443/TCP | Device | Firmware Server | Firmware upgrade path
HTTPS | 443/TCP | Device | APK Server | APK upgrade path
DHCP | 67/UDP | Device | DHCP Server | DHCP addressing
DHCP | 68/UDP | DHCP Server | Device | DHCP addressing
HTTP | 80/TCP | End User Workstation | Device | Web configuration
WPAD | 80/TCP | Device | WPAD File Server | Gets the PAC file from the server.
Remote Syslog | Configurable | Device | Remote Syslog Server | Uses TLS
HTTP Proxy | Configurable | Device | Proxy Server |
HTTPS Proxy | Configurable | Device | Proxy Server |
Kerberos | 88/TCP | Device | KDC (Key Distribution Center) |
DNS | 53/TCP/UDP | Device | DNS Server |
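The port table is an allow-list a defender can check firewall or flow records against; the following is an added example (not Crestron code) that transcribes the table's fixed-port rows and classifies constructed sample flows. The role labels, the observed sample and the Syslog port value (6514) are this script's assumptions.

```python
"""Audit observed network flows against the port table above.

Added example (not Crestron code): documented flows are transcribed from the
table; role labels, the observed sample and the Syslog port are assumptions."""
from collections import namedtuple

Flow = namedtuple("Flow", "sender listener port proto")

# Flows with fixed destination ports, as documented in the table.
DOCUMENTED = {
    Flow("Device", "Control System", 41794, "TCP"),   # Crestron-CIP
    Flow("Device", "Control System", 41796, "TCP"),   # Crestron-SCIP
    Flow("Remote", "Device", 49200, "TCP"),           # HTML5 UI Web API
    Flow("Device", "NTP Server", 123, "UDP"),
    Flow("Admin Workstation", "Device", 22, "TCP"),   # SSH
    Flow("Device", "Admin Server", 389, "TCP"),       # LDAP
    Flow("Device", "Admin Server", 636, "TCP"),       # LDAPS
    Flow("Workstation", "Device", 443, "TCP"),        # secure web config
    Flow("Device", "XiO Cloud Service", 443, "TCP"),
    Flow("Device", "Microsoft Portal", 443, "TCP"),
    Flow("Device", "Firmware Server", 443, "TCP"),
    Flow("Device", "APK Server", 443, "TCP"),
    Flow("Device", "DHCP Server", 67, "UDP"),
    Flow("DHCP Server", "Device", 68, "UDP"),
    Flow("Workstation", "Device", 80, "TCP"),         # cleartext web config
    Flow("Device", "WPAD File Server", 80, "TCP"),    # PAC file fetch
    Flow("Device", "KDC", 88, "TCP"),                 # Kerberos
    Flow("Device", "DNS Server", 53, "TCP"),
    Flow("Device", "DNS Server", 53, "UDP"),
}

# "Configurable" table rows take a deployment-specific port; the proxies are
# omitted here and the TLS Syslog port is a constructed value.
CONFIGURED = {Flow("Device", "Remote Syslog Server", 6514, "TCP")}

# Documented flows still in cleartext; the table lists a secured counterpart for each.
CLEARTEXT = {(41794, "TCP"), (389, "TCP"), (80, "TCP")}


def audit_flows(observed):
    """Classify each flow as 'documented', 'documented-cleartext',
    'configured' or 'undocumented'; returns {Flow: classification}."""
    verdicts = {}
    for f in observed:
        if f in DOCUMENTED:
            cleartext = (f.port, f.proto) in CLEARTEXT
            verdicts[f] = "documented-cleartext" if cleartext else "documented"
        elif f in CONFIGURED:
            verdicts[f] = "configured"
        else:
            verdicts[f] = "undocumented"
    return verdicts


# Constructed sample of flows as a firewall or NetFlow export might show them.
OBSERVED = [
    Flow("Device", "NTP Server", 123, "UDP"),
    Flow("Workstation", "Device", 80, "TCP"),
    Flow("Device", "Remote Syslog Server", 6514, "TCP"),
    Flow("Workstation", "Device", 23, "TCP"),       # Telnet: not in the table
    Flow("Device", "Unknown Host", 8080, "TCP"),    # not in the table
]
```

Anything classified as undocumented is a candidate for blocking or investigation, and documented-cleartext flows point at the secured counterpart (SCIP, LDAPS, HTTPS) the table already lists.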

Prerequisites
In order to perform a secure configuration, the following prerequisites must be met.
Operating Environment
Crestron assumes the following about the operating environment of its systems:
• The system is not capable of Multi-Factor Authentication (MFA). If your organization's policy requires MFA, you cannot use the system.
• Physical security is commensurate with the value of the system and the data it contains and is assumed to be provided by the environment.
• Administrators are trusted to follow and provide all administrator guidance.
Firmware Version
Crestron Flex Phones must be running firmware version 1.0.4.22 or later.
Device Access
The administrator can access and configure the device by using a web browser. Additionally,
some aspects of configuration can be performed via the XiO Cloud® service. This document
describes device configuration using the web browser.
The device also provides local setup pages for commonly used configuration settings. The local
setup pages can be accessed from the touch screen display by tapping the gear icon on the home
page and then selecting Device Settings.
Default Configuration Settings
In order to configure the device, it must first be placed in its factory default state. A device can
be returned to this state as follows:
1. Disconnect the Ethernet cable from the LAN port that supplies the device power over PoE
(Power over Ethernet).
2. Reconnect the Ethernet cable to the LAN port. The device starts to boot.
3. When the LED light bar below the touch screen display starts to flash green, press and
hold the Volume Up and Microphone Mute buttons simultaneously for at least 10 seconds.
A page is displayed asking whether a factory restore should be performed.

4. Use the Volume Up or Volume Down buttons to select Yes, and then press the Microphone
Mute button to confirm the selection.
5. Wait 5 to 10 minutes for the self-recovery process to complete.
6. Proceed with the network configuration.
Microsoft Teams Secure Deployment
The device runs the Microsoft Teams® software app. For more information on how to securely
deploy Microsoft Teams across an enterprise, refer to docs.microsoft.com/en-us/MicrosoftTeams/security-compliance-overview.

Required Configuration
The following sections describe the configuration changes required for the device for a secure
deployment.
Create an Admin Account Password
The first time the web configuration interface is accessed, a Welcome page is displayed
prompting the user to log in with admin credentials.
Welcome Page
1. Enter the default admin account username (admin) and password (admin) in the appropriate text fields.
2. Select Login. A Change Password page is displayed prompting the user to change the admin account password.

Change Password Page
3. Enter and confirm a new password that meets the validation rules shown (8-32
characters, contains at least 1 number, 1 uppercase letter, 1 lowercase letter, and 1 special
character).
4. Select Save to return to the Welcome page.
5. Enter the admin account username and new password created in step 3.
6. Select Login. Upon successful login, the web configuration user interface is displayed.
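The validation rules in step 3 are simple enough to automate, which matters when many phones are provisioned and the default admin/admin credential must be replaced on each one. The following is an added example (not Crestron code) that checks a candidate against the rule set and generates a compliant password from the OS CSPRNG; treating any ASCII punctuation character as "special" is this script's assumption.

```python
"""Check and generate admin passwords against the rule set above.

Added example (not Crestron code): the rules (8-32 characters, at least one
number, one uppercase letter, one lowercase letter and one special character)
are from the guide; treating any printable ASCII punctuation character as
"special" is this script's assumption."""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 32
SPECIAL = string.punctuation  # assumed definition of "special character"


def password_violations(candidate):
    """Return the names of the rules the candidate fails; an empty list means
    the password would be accepted by the Change Password page."""
    failed = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        failed.append("length")
    if not any(c.isdigit() for c in candidate):
        failed.append("number")
    if not any(c.isupper() for c in candidate):
        failed.append("uppercase")
    if not any(c.islower() for c in candidate):
        failed.append("lowercase")
    if not any(c in SPECIAL for c in candidate):
        failed.append("special")
    return failed


def generate_password(length=20):
    """Draw a random password from the OS CSPRNG and keep drawing until it
    satisfies every rule, so provisioning scripts never push a weak default."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between 8 and 32")
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_violations(candidate):
            return candidate
```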
Configure the Network
The following sections provide information about the tasks necessary to configure the network.
Wired Network Configuration
To configure the device to communicate on the LAN over Ethernet, the following changes must
be made. If DHCP is available on the local network, then no additional configuration changes are
necessary. If DHCP is not available or if the administrator wishes to manually set the network
configuration, then the IP address, subnet mask, default gateway, and DNS server settings must
be set.
To configure the wired network settings for the device:
1. Select the Settings tab.
2. Expand the System Setup accordion.
3. Click the + (plus) icon next to Network to display network settings for the device.

Settings - Network (Wired Network Settings)
4. Enter the following information for the wired network configuration.
• Network Configuration
  ◦ Primary Static DNS: Enter a primary DNS server address to use for DNS name lookups.
  ◦ Secondary Static DNS: Enter a secondary DNS server address to use for DNS name lookups.

• Primary LAN
  ◦ DHCP: Turn off the toggle to turn off DHCP. Turning off DHCP allows the wired network to be configured manually.
  ◦ IP Address: If DHCP is turned off, enter the desired device IP address on the network.
  ◦ Subnet Mask: If DHCP is turned off, enter the desired device subnet mask address on the network.
  ◦ Default Gateway: If DHCP is turned off, enter the desired gateway router address on the network.
5. Configure any other wired network settings as needed (such as VLAN, PC Port Mode, CDP, LLDP, and so forth) for your deployment.
6. Select Save Changes from the Action menu.
Wi-Fi Network Configuration
To configure the device to communicate on the LAN over Wi-Fi™, the following
changes must be made. If DHCP is available on the local network, then no additional
configuration changes are necessary. If DHCP is not available or if the administrator wishes to
manually set the network configuration, then the domain, IP address, subnet mask, default
gateway, and DNS server settings must be set.
To configure the Wi-Fi network settings for the device:
1. Select the Settings tab.
2. Expand the System Setup accordion.
3. Click the + (plus) icon next to Network to display network settings for the device.
Settings - Network (Wi-Fi Network Settings)
4. Turn on the Wi-Fi toggle to turn on the Wi-Fi adapter.

5. Enter the following information for the Wi-Fi network configuration.
• DHCP: Turn off the toggle to turn off DHCP. Turning off DHCP allows the Wi-Fi network to be configured manually.
• Domain: If DHCP is turned off, enter the fully qualified Wi-Fi domain name on the network.
• IP Address: If DHCP is turned off, enter the desired device IP address on the network.
• Subnet Mask: If DHCP is turned off, enter the desired device subnet mask address on the network.
• Default Gateway: If DHCP is turned off, enter the desired gateway router address on the network.
• Primary DNS Server: Enter a primary DNS server address to use for DNS name lookups.
• Secondary DNS Server: Enter a secondary DNS server address to use for DNS name lookups.
6. Select Save Changes from the Action menu.
802.1X Authentication
802.1X is an IEEE network standard designed to enhance the security of both wireless and wired
Ethernet networks. This device supports 802.1X on its primary wired Ethernet interface only. If
the network requires 802.1X, the device must be configured for 802.1X before being put on the
network.
Configure 802.1X Settings
To configure 802.1X settings for the device:
1. Select the 802.1x Configuration tab to display settings for configuring 802.1X authentication.

802.1x Configuration
2. Turn on the IEEE 802.1x Configuration toggle to turn on 802.1X authentication.
3. Select the desired 802.1X authentication method from the Authentication Method drop-down menu:
• Select EAP-TLS Certificate to authenticate using a client certificate.
• Select EAP MSCHAPV2 to authenticate using a username and password.
4. If EAP MSCHAPV2 is selected for Authentication Method, enter the username and password required for the client authentication.
5. Turn on the Enabled Authentication Server Validation toggle to turn on server validation. If turned on, the 802.1X supplicant will validate the authentication server's certificate.
6. If Enabled Authentication Server Validation is turned on and if your server supports OCSP (Online Certificate Status Protocol), turn on the OCSP mode toggle to require a valid OCSP stapling response for all not-trusted certificates in the server certificate chain.
7. Select trusted CAs (Certificate Authorities) from the Trusted Certificate Authorities selections to be used for server validation.
NOTE: For more information on configuring trusted certificate authorities, refer to Configure Trusted Certificate Authorities on page 13.
• Select the check box to the left of a CA to select it as a trusted CA.
• Enter a search term into the text field at the top of the CA menu to search for and display CAs that match the search term.
8. Select Save Changes from the Action menu.

Configure Trusted Certificate Authorities
Trusted Certificate Authorities (CAs) can be added or deleted from the device for use with 802.1X and remote Syslog server validation.
To configure Trusted Certificate Authorities on the device:
1. Select Manage Certificates from the Actions menu.
Actions Menu
The Manage Certificates dialog box is displayed.
Manage Certificates Dialog Box

2. To add a new certificate:
   a. Select the tabs at the top of the dialog box to select the desired CA type that will be added (Root, Intermediate, Machine, or Web Server). The same settings are provided for each CA type.
   b. Select Add [CA Type] Certificate, where [CA Type] is the selected CA type.
   c. Navigate to the CA file on the host computer.
   d. Select the CA file, and then select Open. A success message is displayed if the upload is successful, and the certificate will be added to the table for its respective CA type.
3. To delete a certificate, select the trash can button to the right of the certificate's table row, and then select OK when prompted to confirm the deletion.
Set the Time and Date
All devices use NTP to synchronize their clock. By default, the device is configured to receive time data from pool.ntp.org. A custom NTP server can be used instead.
NOTE: The device does not support using secure NTP servers at this time.
To customize the time and date settings on the device:
1. Select the Settings tab.
2. Expand the System Setup accordion.
3. Click the + (plus) icon next to Time/Date to display time and date settings for the device.
Settings - Time/Date
4. Enter the following information for the time and date configuration:
• Custom Time Server: Enter the IP address or Fully Qualified Domain Name (FQDN) of the custom NTP server.
• Date Format: Use the drop-down menu to select the format that the date will display on the device.

• Time Format: Select the time format that the time will display on the device (12 hour or 24 hour).
• Time Zone: Use the drop-down menu to select the correct time zone for the device.
5. Select Save Changes from the Action menu.
Configure the Remote Syslog
Devices do not send audit logs to a remote Syslog server by default. A connection to a remote Syslog server must be turned on and configured manually.
To turn on sending audit logs to a remote Syslog server:
NOTE: The remote server host must have a system log server with applicable security certificates and sufficient disk space to store the active system log. The host must also be configured to archive older system logs and to offload them over time. If TLS is turned on, a TLS-enabled server with the appropriate certificates is required.
1. Select the Settings tab.
2. Expand the Remote Syslog accordion to display settings for the remote Syslog.
Settings - Remote Syslog
3. Turn on the Syslog toggle.

4. Enter the following information for the remote Syslog configuration:
• Remote Server Address: Enter the IP address or Fully Qualified Domain Name (FQDN) of the remote Syslog server.
• Remote Server Port: Enter the web port of the remote Syslog server.
• Log Level: Select one of the following log levels to determine which messages are logged to the remote Syslog. All messages of that log level or above will be logged.
  NOTE: For examples of common events that can trigger messages for specific logging levels, refer to the UC-P8 and UC-P10 Series Desk Phones Product Manual.
  ◦ DEBUG: Logs all "debug" messages and above to the Syslog.
  ◦ INFO: Logs all "info" messages and above to the Syslog.
  ◦ WARNING: Logs all "warning" messages and above to the Syslog.
  ◦ ERROR: Logs all "error" messages and above to the Syslog.
• Syslog Keyword Filter: (Optional) Enter keywords to filter the Syslog entries by those keywords. Multiple keywords should be entered as a comma-delimited list without any spaces (for example, "SIP,registration,codec").
• Trusted Certificate Authorities: If TLS is turned on, select trusted CAs (Certificate Authorities) from the provided CAs to be used for server validation.
  NOTE: For more information on configuring trusted certificate authorities, refer to Configure Trusted Certificate Authorities on page 13.
  ◦ Select the check box to the left of a CA to select it as a trusted CA.
  ◦ Enter a search term into the text field at the top of the CA menu to search for and display CAs that match the search term.
5. Select Save Changes from the Action menu.
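Choosing a Log Level and a Keyword Filter decides which events ever reach the collector, so it is worth seeing how the two settings combine before trusting the remote log for incident review. The following is an added example (not Crestron code) that emulates the filter described above over constructed sample events; the level ordering and the "commas, no spaces" format are from the guide, while "match any keyword, case-insensitively" is this script's assumption about how the filter applies.

```python
"""Emulate the remote Syslog filter: a log-level threshold plus the optional
comma-delimited keyword filter.

Added example (not Crestron code): the level order DEBUG < INFO < WARNING <
ERROR and the "commas, no spaces" keyword format come from the guide; the
sample events are constructed and "match any keyword, case-insensitively" is
this script's assumption about how the filter applies."""
LEVELS = ["DEBUG", "INFO", "WARNING", "ERROR"]


def parse_keyword_filter(raw):
    """Split the Syslog Keyword Filter field; an empty field means no filtering.
    Embedded spaces are rejected because the guide requires none."""
    if not raw:
        return []
    if " " in raw:
        raise ValueError("keyword filter must be comma-delimited without spaces")
    return [k for k in raw.split(",") if k]


def should_forward(level, text, min_level, keywords):
    """True when the event is at min_level or above and, if a keyword filter
    is set, its text contains at least one keyword."""
    if LEVELS.index(level) < LEVELS.index(min_level):
        return False
    if keywords and not any(k.lower() in text.lower() for k in keywords):
        return False
    return True


def filter_events(events, min_level, raw_filter=""):
    """Return the (level, text) events the device would send to the server."""
    keywords = parse_keyword_filter(raw_filter)
    return [e for e in events if should_forward(e[0], e[1], min_level, keywords)]


# Constructed sample events; the product manual lists the real ones.
SAMPLE = [
    ("DEBUG", "codec negotiation: offered G.722"),
    ("INFO", "SIP registration succeeded"),
    ("WARNING", "NTP server unreachable, retrying"),
    ("ERROR", "SIP registration failed: 401 Unauthorized"),
    ("ERROR", "web login failed for user admin"),
]
```

Note that a keyword filter drops events that do not match any keyword regardless of severity, so a filter tuned for call troubleshooting would silently discard the failed-login event in the sample; leave the filter empty when the remote log is meant for security audit.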