Polycom Phone using sipXecs TLS transport

The following describes how to configure TLS transport for phones that support this feature. TLS transport can be used on a local LAN and also for remote workers including support for NAT traversal.

1. Server side configuration

If you have an admin account, you can simply download the Root CA from the sipXecs Web interface. Log in to the Web interface and go to:

System / Certificates / Certificate Authorities

Let's assume that the FQDN for sipXecs is pbx.mydomain.com. The root CA will be named ca.pbx.mydomain.com.crt. Download this file and save it to the root folder of a Web server in your LAN.

If you do not have a local Web server, you can ask the Linux administrator to copy the Root CA to the Web root of the sipXecs Web interface.

Example: cp /etc/sipxpbx/ssl/authorities/ca.pbx.mydomain.com.crt /var/sipxdata/configserver

To do this with a Microsoft IIS server see here

2. Setup the Polycom phone

On your Polycom handset, go to

Menu / Settings / Advanced

Enter your password. If you haven't changed this in the past, the default Polycom password is "456". Once you have entered the Advanced Settings, press the OK button to proceed to the Admin Settings. Use the scroll down arrow and look for the item SSL Security, then drill down to CA Certificates / Install Custom CA Certificate. You will be prompted to enter the HTTP URL where you stored the CA. Enter the URL using the keypad:

Example: http://192.168.1.10/ca.pbx.mydomain.com.crt

or

http://pbx.mydomain.com/ca.pbx.mydomain.com.crt

Which URL you use depends on whether you stored the CA on the LAN Web server or in the sipXecs doc root. The Polycom phone will now download the root CA and will ask you to accept it. After you accept the certificate, it is installed immediately as your custom Polycom certificate.

Then press the Left arrow twice and go to Configure CA Certificates. Choose the first item in the list "Custom Certificate".
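
Because the phone fetches the CA over plain HTTP, it is worth confirming that the Web server hands out the same certificate that sits on the sipXecs host before you accept it on the handset. The following is an added example, not part of the original page or of sipXecs: it compares SHA-256 fingerprints of the decoded certificates, so copies that differ only in line endings or line wrapping still match. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import sys
import textwrap
import urllib.request

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_from_pem(pem_text):
    """Decode the single certificate in pem_text to its DER bytes."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly 1 certificate, found %d" % len(blocks))
    # Drop line breaks and spaces so LF/CRLF or re-wrapped copies decode alike.
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def fingerprint(pem_text):
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_from_pem(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(local_pem, served_pem):
    """True only if both PEM texts carry the identical certificate."""
    return fingerprint(local_pem) == fingerprint(served_pem)

def to_pem(der, width=64):
    """Helper for the constructed sample: wrap DER bytes as PEM text."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), width))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed placeholder bytes standing in for a certificate body (not a real CA).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # argv[1]: CA file copied from the sipXecs host; argv[2]: URL typed into the phone
        with open(sys.argv[1]) as fh:
            local = fh.read()
        served = urllib.request.urlopen(sys.argv[2], timeout=10).read().decode("ascii")
    else:
        # Offline demo: same bytes, re-wrapped at 76 columns with CRLF line ends.
        local = to_pem(SAMPLE_DER)
        served = to_pem(SAMPLE_DER, 76).replace("\n", "\r\n")
    print("local :", fingerprint(local))
    print("served:", fingerprint(served))
    sys.exit(0 if same_certificate(local, served) else 1)
```

Run it with the CA file path and the download URL as the two arguments; a non-zero exit status means the served file is not the certificate you copied.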

3. Setup TLS transport in sipXecs

Lastly, configure the Polycom SIP settings to use TLS as the transport protocol and change the port to 5061 using the sipXecs admin UI.

Enjoy TLS!