H.323 Software IP Interface Requirements / Feature Specifications, COMPAS ID 143543, Issue 4, June 02, 2014, John W. Soltes (retired)




4.0 IP-SPECIFIC APPLICATION SUPPORT

4.1 Backup / Restore Operation




96x1H-IPI.4.1.100: HTTP / HTTPS backup / restore


Approved

Use of the HTTP client (see 96x1H-IPI.5.1.1400), optionally over TLS (see 96x1H-IPI.5.1.1500), will be supported to backup and restore user-specific data if initiated by higher-level procedures. Only one backup or restore attempt will be made per request. Retries are the responsibility of the initiating process.

If the parameter BRURI (see 96x1H-IPI.2.1.1200) is null, or if it begins with any character sequence other than “http://” or “https://”, a failure indication will be returned to the initiating process in response to all backup and restore requests.

For backup, the initiating process must supply the backup file and the file name, and the file will be sent to the server via an HTTP PUT message. A success or failure indication will be returned to the initiating process based on whether or not the file is successfully transferred to the server.

For restore, the initiating process must only supply the file name, and the file will be requested from the server via an HTTP GET message. The file will be returned to the initiating process if it is successfully obtained from the server, otherwise a failure indication will be returned.



Approved
for R6.1+


For deletion, the initiating process must only supply the file name, and the deletion of the file will be requested from the server via an HTTP DELETE message. A success indication will be returned to the initiating process if a 2xx HTTP status code is received, otherwise a failure indication will be returned.

Approved

For all operations, the URI used in the HTTP message will be constructed from the value of BRURI and from the file name, as follows. If the value of BRURI ends with “/”, the file name will be appended. Otherwise, a forward slash will be appended to the value of BRURI and then the file name will be appended.

Note:

A directory path and/or a port number can be included in BRURI as specified in IETF RFC 3986 [7.3-25c].

Approved
for R6.1+


If the authority component of BRURI contains a DNS name, and if a TCP connection cannot be established to the IP address that was previously used to attempt to establish a connection with the server, the telephone will attempt to re-resolve the DNS name. If a new IP address is received, the telephone will attempt to establish a connection to that address. If the telephone receives the same IP address from the DNS server that was used previously, or if a TCP connection cannot be established to the new IP address, a failure indication will be returned to the initiating process.

Note:

The authority component of a URI is specified in Sections 3 and 3.2 of IETF RFC 3986 [7.3-25c].

Approved

If TLS is used, the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite will be used.

Rationale:

The TLS_RSA_WITH_AES_128_CBC_SHA cipher suite is suggested in Section 3.1.1 of CSD PRD Single Server Solution – Modifications for Citigroup, COMPAS ID 122165.

Approved

If TLS is used, and if the value of BRURI does not begin with "https://string1:string2@..." (see 96x1H-IPI.5.1.1400), the credentials sent depend on whether any certificates have been downloaded. If no digital certificates have been downloaded based on TRUSTCERTS, the IP address of the call server with which the telephone is registered and the telephone’s registration password will be included as the credentials in an Authorization request-header in each transmitted GET and PUT method. If at least one digital certificate has been downloaded based on TRUSTCERTS, those same credentials will be included in an Authorization request-header in each transmitted GET and PUT method if and only if the value of BRAUTH is “1”.

When the call server IP address and the telephone’s registration password are included as the credentials in an Authorization request-header (see Section 14.8 of RFC 2616 [7.3-23b]), the “basic” authentication scheme will be used (see Section 2 of RFC 2617 [7.3-23d]). The credentials will consist of the call server IP address in dotted-decimal format, followed by a colon (hex 3A), followed by the telephone’s registration password.



Note:

The server is expected to get the telephone’s extension number from the backup/restore file name (see 96x1Tel.2.1.2000 in [7.1-6]). It is also up to the server to protect the user’s credentials once they are received via the secure TLS connection.

Rationale:

The registration credentials will be sent without regard to the setting of BRAUTH if no certificates have been downloaded because, as specified in 96x1H-IPI.5.1.1550, only server certificates signed by an Avaya Root CA certificate will be authenticated if no certificates have been downloaded.
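The following is an added example, not code from this specification or from Avaya, that implements the client-side rules of 96x1H-IPI.4.1.100 as stated above: the BRURI scheme check and URI construction, the Basic credential built from the call server IP address and registration password (sent only over TLS, only when BRURI carries no userinfo of its own, and subject to BRAUTH once a TRUSTCERTS certificate is present), and the single DNS re-resolve on TCP connection failure. Parameter names BRURI, BRAUTH and TRUSTCERTS are the page's; the function names, the injected `resolve`/`connect` callbacks and all sample values are assumptions made for illustration, and no network I/O is performed.

```python
"""Client-side rules of 96x1H-IPI.4.1.100 (HTTP/HTTPS backup/restore).

Added example, not code from the 96x1 specification or from Avaya.
Parameter names (BRURI, BRAUTH, TRUSTCERTS) come from the page; the
function names, the injected resolve/connect callbacks and all sample
values are assumptions made for illustration. No network I/O is done.
"""
import base64
from typing import Callable, Optional

# Operation -> HTTP method, as the page specifies (DELETE is R6.1+).
OPERATIONS = {"backup": "PUT", "restore": "GET", "delete": "DELETE"}


def backup_uri(bruri: Optional[str], filename: str) -> Optional[str]:
    """Build the request URI from BRURI and the file name.

    Returns None where the page says a failure indication is returned:
    BRURI null, or not beginning with "http://" or "https://".
    """
    if not bruri:
        return None
    if not (bruri.startswith("http://") or bruri.startswith("https://")):
        return None
    # A "/" is inserted only if BRURI does not already end with one.
    return bruri + ("" if bruri.endswith("/") else "/") + filename


def has_userinfo(bruri: str) -> bool:
    """True if BRURI already carries "https://user:pass@..." credentials."""
    authority = bruri.split("://", 1)[-1].split("/", 1)[0]
    return "@" in authority and ":" in authority.rsplit("@", 1)[0]


def registration_auth_header(bruri: str, tls: bool, trustcerts_loaded: int,
                             brauth: str, cm_ip: str,
                             reg_password: str) -> Optional[str]:
    """Authorization value carrying the registration credentials, or None.

    Sent only over TLS, only when BRURI has no userinfo of its own and,
    once any TRUSTCERTS certificate has been downloaded, only when BRAUTH
    is "1". The Basic credentials are "<call server IP>:<password>".
    """
    if not tls or has_userinfo(bruri):
        return None
    if trustcerts_loaded > 0 and brauth != "1":
        return None
    raw = f"{cm_ip}:{reg_password}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def connect_with_reresolve(host: str, last_ip: str,
                           resolve: Callable[[str], Optional[str]],
                           connect: Callable[[str], bool]) -> Optional[str]:
    """Reconnect rule for a DNS-named authority component.

    On TCP failure to the previously used address the name is re-resolved
    once. A new address is tried; the same address, or a failure to the
    new one, is a failure. Returns the address connected to, or None.
    """
    if connect(last_ip):
        return last_ip
    new_ip = resolve(host)
    if new_ip is None or new_ip == last_ip:
        return None
    return new_ip if connect(new_ip) else None


def plan_request(operation: str, bruri: str, filename: str,
                 **auth_kwargs) -> Optional[dict]:
    """Method, URI and headers for one backup/restore/delete attempt.

    The page lists the Authorization header for GET and PUT only, so the
    R6.1+ DELETE is planned without it.
    """
    uri = backup_uri(bruri, filename)
    if uri is None:
        return None
    method = OPERATIONS[operation]
    headers = {}
    if method in ("GET", "PUT"):
        hdr = registration_auth_header(bruri, bruri.startswith("https://"),
                                       **auth_kwargs)
        if hdr:
            headers["Authorization"] = hdr
    return {"method": method, "uri": uri, "headers": headers}


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    print(plan_request("backup", "https://files.example.net/phones",
                       "1234_96xxdata.txt", trustcerts_loaded=0, brauth="0",
                       cm_ip="192.0.2.10", reg_password="1234"))
```

The credential the phone sends is its registration password, so a backup server reachable over HTTPS but with weak certificate checking on the phone (BRAUTH left at "1" with certificates loaded, or no TRUSTCERTS at all) is a place to look for credential exposure during an assessment.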

Approved

Manual entry of HTTP authentication credentials will be supported for backup and restore operations. The credentials and the realm will be stored in non-volatile memory that will not be overwritten if new telephone software is downloaded. The default value of the credentials and the realm will be null, which will be set at manufacture and at any other time that user-specific data is removed from the telephone. If an HTTP backup or restore operation requires authentication and the realm in the challenge matches the stored realm, the stored credentials will be used to respond to the challenge without prompting the user. However, if the stored credentials are null, or if the realms do not match, or if an authentication attempt using the stored credentials fails, an HTTP Authentication or an HTTP Authentication Failure interrupt screen will be displayed as specified in 96x1H-IPI.5.1.1400, with the following displayed on the Prompt Line (R6.0) or on the Status Line (R6.1+):

Enter backup/restore credentials

If an HTTP authentication for a backup or restore operation is successful and if the userid, password or realm used is different than those currently stored in the telephone, the new value(s) will replace the currently stored value(s).



Note:

The use of HTTP backup / restore is specified in Section 9.1 of [7.1-4] and Section 2.1.8 of [7.1-5].

Note:

The credentials and the realm are also cleared by the CLEAR procedure, see 96x1LA.6.2.600 in [7.1-5].

4.2 Virtual Private Network (VPN) Support




96x1H-IPI.4.2.200: VPN tunnel establishment


Approved

When VPN operation is initiated, based on the value of NVVPNCFGPROF, the other persistent parameters listed in the table below will be set to the value specified in the table below. If a value is not specified for a persistent parameter in the table below, the value of the parameter will not be changed. If the value of NVVPNCFGPROF is “0”, no values will be changed.







Parameter         Checkpoint   Cisco PSK    Juniper PSK  Generic  Cisco Cert   Juniper Cert  Nortel
                  Security     with XAUTH   with XAUTH   PSK      with XAUTH   with XAUTH    Contivity
                  Gateway
----------------  -----------  -----------  -----------  -------  -----------  ------------  ---------
NVVPNCFGPROF      2            3            5            6        8            9             11
NVIKECONFIGMODE   1            1            1            2        1            1             1
NVIKEID           -            -            -            -        "" (null)    -             -
NVIKEIDTYPE       11           11           3            3        11           9             11
NVIKEOVERTCP      1            -            -            -        -            -             -
NVIKEXCHGMODE     2            1            1            1        1            1             1
NVVPNAUTHTYPE     6            4            4            3        5            5             3
NVVPNSVENDOR      3            2            1            4        2            1             5

(- = no value specified; the parameter is not changed)




Note:

The parameter values specified above should also be enforced by the VPN local procedure (see 96x1Tel.2.1.2000 in [7.1-6]) so that the user is not allowed to select a value that will be overridden when the VPN tunnel is established.

Note:

An NVVPNCFGPROF value of “1” (Avaya) was supported by 46xx VPN phones for Avaya Security Gateways, but it was not supported by the 96xx. “1” is still treated as a valid value, but it does not result in the values of any other parameters being changed.

Note:

NVVPNCFGPROF values of “4” (Cisco Hybrid XAUTH),”7” (Generic PSK with XAUTH), and “10” (Generic Cert with XAUTH) are documented in Appendix B (MIB object endptCFGProfile) of the 46xx VPN phone R/FS [7.1-28], and a value of 7 is also listed on p.18 of the VPNremote for 4600 Admin Guide [7.1-29b], but they are not documented anywhere else.

Approved

The telephone will then attempt to establish a VPN tunnel as specified by the following flowchart.



Approved

If the value of PROCSTAT is “0”, if the “*” button is pressed at any time while the following screen is being displayed, the Access Code Entry procedure (see 96x1H-IPI.3.1.300) will be invoked.

When VPN tunnel establishment is initiated, the VPN Tunnel Setup screen will be displayed on the reserved text lines as follows:

    VPN tunnel setup: s secs
                Program

where s is the number of seconds that have elapsed since VPN establishment began, and where “Program” aligns with the center button(s) and is only displayed if the value of VPNPROC is “2”. The “softkey” requirements of 96x1H-IPI.3.2.80 apply.

This text will remain on the topmost of the two lines until replaced by a subsequent display that uses both lines. Text will be displayed on the bottom line as specified below.

“Validating configuration...” will be displayed while the values of the VPN configuration parameters are being validated.

“Gateway n: cccccccc”, will be displayed initially for at least 1 second, where n is the index and cccccccc is the nth value of NVSGIP (see the flowchart above) with which VPN tunnel establishment is currently being attempted.

“Authenticating...” will be displayed during authentication procedures.

“Exchanging keys...” will be displayed during IKE Phase 1 procedures after authentication.

“Building VPN tunnel...” will be displayed during IKE Phase 2 procedures.

If user input is required during VPN authentication, the screens and procedures specified in 96x1H-IPI.4.2.210 will be invoked as appropriate.

If a Welcome Banner or Client Legal Message is received from the VPN Security Gateway, any text contained between a string and a string will be processed as if it had been received in a configuration file (see 96x1PKG.2.4.100). The Welcome Banner will not be displayed on the telephone.


Note:

According to Section 4.5.2 of COMPAS ID 120840 [7.1-29a] and p.16 of [7.1-29b], the only third-party Security Gateways known to support a Welcome Banner were the Cisco VPN 3000 Series Concentrators (using PSK with XAUTH), but the documents do not indicate the message in which the Banner is received.



96x1H-IPI.4.2.210: VPN user authentication


Approved

If credentials are required for VPN user authentication and if the values of both NVVPNUSER and NVVPNPSWD are non-null, an authentication attempt will be made using those values. However, if the value of NVVPNUSER contains the string “$SERIALNO”, it will be replaced by the value of SERIALNO (see 96x1H-IPI.2.1.1400), and if the value of NVVPNUSER contains the string “$MACADDR”, it will be replaced by the value of MACADDR (see 96x1H-IPI.2.1.100) without the colon separators.

Note:

The 46xx VPN phone uses the strings %MACADDR% and %SERIALNUM% to include the telephone’s MAC address or serial number in NVVPNUSER.

Rationale:

The strings with the dollar signs are used in MYCERTCN and MYCERTDN, and are supported by the Spark implementation as well. While both versions could be supported for complete backwards compatibility, it would also require ongoing duplicate testing. Better to pick one and be done with it.

Approved

If credentials are required for VPN user authentication and the value of NVVPNUSER is null, the VPN User Name Entry screen will be displayed.

If credentials are required for user authentication and the value of NVVPNUSER is not null but the value of NVVPNPSWD is null and the value of NVVPNUSERTYPE is “1”, the VPN User Name Editing screen will be displayed.

Button-oriented telephones will operate as specified below. Touchscreen telephones will operate similarly, but they will display the on-screen keyboard (see Section 1.8.1 in [7.1-3b,d]) and a single screen will be used for entry, editing and reuse, with a single input field that corresponds to the top line of text in the text entry screens specified below.


Note:

On the on-screen keyboard, the Enter softkey is labeled with a check mark (✓) and there is no Clear softkey – multiple destructive backspaces must be used to clear existing data.

Approved

The VPN User Name Entry screen will be displayed on the reserved text lines as follows:

    VPN username=|
    Use dialpad for text entry

where “|” is the cursor. The alphanumeric text entry requirements of 96x1H-IPI.3.2.100 apply.

If a character is entered, the VPN Username Editing screen will be displayed, with the entered character displayed instead of the value of NVVPNUSER (which will still be null at this point).






The VPN User Name Editing screen will be displayed on the reserved text lines as follows:

    VPN username=cccccccc|
    Bksp        Clear        Enter

where cccccccc is either the value of NVVPNUSER or the single character entered on the VPN User Name Entry screen, “|” is the cursor, “Bksp” aligns with the leftmost button under the display, “Clear” aligns with the center button(s), and “Enter” aligns with the rightmost button. The “softkey” requirements of 96x1H-IPI.3.2.80 and the alphanumeric text entry requirements of 96x1H-IPI.3.2.100 apply.

Note:

96x1H-IPI.3.2.100 specifies the use of the leftmost button under the display as a destructive backspace.

Approved

If the last remaining character is deleted by a press of the Bksp “softkey” or if the Clear “softkey” is pressed, the “softkeys” will be deactivated, the input buffer and the value of NVVPNUSER will be set to null, and the VPN User Name Entry screen will be displayed.

If the Enter “softkey” is pressed, the characters will be saved as the value of NVVPNUSER, and the VPN Password Reuse or the VPN Password Entry screen will be displayed as specified below.



Approved

If a VPN password is stored in memory, the VPN Password Reuse screen will be displayed on the reserved text lines as follows:

    VPN password=********
                Clear        Enter

where ******** is eight asterisks (a cursor is not displayed), “Clear” aligns with the center button(s), and “Enter” aligns with the rightmost button. The “softkey” requirements of 96x1H-IPI.3.2.80 apply.

If the Clear “softkey” is pressed, the VPN password stored in memory will be deleted, the “softkeys” will be deactivated, and the VPN Password Entry screen will be displayed as specified below.

If the Enter “softkey” is pressed, the stored VPN password will be retained where it is (as the value of NVVPNPSWD if NVVPNPSWDTYPE is “1”, otherwise in volatile memory), VPN user authentication will be attempted using the value of VPNUSER and the stored VPN password, and the VPN Tunnel Setup screen will be redisplayed as specified in 96x1H-IPI.4.2.200.


Note:

For button-oriented telephones, the VPN Password Reuse screen is not a text entry screen, so the requirements in 96x1H-IPI.3.2.100 do not apply.

Rationale:

The above screen allows a previously-entered password to be re-used without revealing the number of characters that it contains.

Approved

If a VPN password is not stored in memory, the VPN Password Entry screen will be displayed on the reserved text lines as follows:

    VPN password=|
    Use dialpad for text entry

where “|” is the cursor. If the value of NVVPNPSWDTYPE is “3”, the numeric-only password text entry requirements of 96x1H-IPI.3.2.100 will apply, otherwise, the alphanumeric password text entry requirements of 96x1H-IPI.3.2.100 will apply.




If a character is entered, the VPN Password Editing screen will be displayed on the reserved text lines as follows:

    VPN password=*|
    Bksp        Clear        Enter

where “|” is the cursor, “Bksp” aligns with the leftmost button under the display, “Clear” aligns with the center button(s), and “Enter” aligns with the rightmost button. The “softkey” requirements of 96x1H-IPI.3.2.80 and the same text entry requirements of 96x1H-IPI.3.2.100 continue to apply.

If the last remaining asterisk is deleted by a press of the Bksp “softkey” or if the Clear “softkey” is pressed, the “softkeys” will be deactivated, the input buffer will be set to null, and the VPN Password Entry screen will be displayed as specified above.

If the Enter “softkey” is pressed, if NVVPNPSWDTYPE is “1”, the entered VPN password will be stored as the value of NVVPNPSWD, otherwise the entered VPN password will be stored in volatile memory. VPN user authentication will then be attempted using the value of VPNUSER and the entered VPN password, and the VPN Tunnel Setup screen will be redisplayed as specified in 96x1H-IPI.4.2.200. If the value of NVVPNPSWDTYPE is “3” or “4”, the password will be deleted from memory.


Note:

The meanings of the values of NVVPNPSWDTYPE are as follows:

1: The password may be alphanumeric and will be stored in non-volatile memory as the value of NVVPNPSWD.

2: The password may be alphanumeric and will be stored in volatile memory that will be cleared when the telephone resets.

3: The password may be numeric-only and will be stored in volatile memory that will be cleared immediately after the first time the password is used (this is for use with numeric-only one-time token devices such as RSA’s SecurID).

4: The password may be alphanumeric and will be stored in volatile memory that will be cleared immediately after the first time the password is used (this is for use with alphanumeric one-time token devices).

5: The password may be alphanumeric and will be stored in volatile memory that will be cleared when the user invokes VPN Sleep Mode and when the telephone resets.
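The password lifecycle described in 96x1H-IPI.4.2.210 and the note above, as an added example that is not code from this specification or from Avaya: a small store that applies the five NVVPNPSWDTYPE rules across the events the page names (use for authentication, VPN Sleep Mode, telephone reset, the Clear softkey). The `VpnPasswordStore` class, its method names and all sample values are assumptions for illustration; the rules themselves are the page's.

```python
"""VPN password handling by NVVPNPSWDTYPE (96x1H-IPI.4.2.210).

Added example, not code from the specification or from Avaya. The class,
its event method names and all sample values are assumptions for
illustration; the storage rules are the page's:
  1 alphanumeric, kept in non-volatile memory as NVVPNPSWD
  2 alphanumeric, volatile, cleared on reset
  3 numeric-only, volatile, cleared after first use (one-time token)
  4 alphanumeric, volatile, cleared after first use (one-time token)
  5 alphanumeric, volatile, cleared on VPN Sleep Mode and on reset
"""
from typing import Optional, Tuple

ONE_TIME_TYPES = ("3", "4")


class VpnPasswordStore:
    def __init__(self, pswdtype: str) -> None:
        if pswdtype not in ("1", "2", "3", "4", "5"):
            raise ValueError(f"unsupported NVVPNPSWDTYPE {pswdtype!r}")
        self.pswdtype = pswdtype
        self.nvvpnpswd: Optional[str] = None   # non-volatile, survives reset
        self.volatile: Optional[str] = None    # RAM copy, lost on reset

    def accept_entry(self, entered: str) -> None:
        """Enter softkey on the VPN Password Editing screen."""
        if not entered:
            raise ValueError("empty entry: the Entry screen stays up")
        if self.pswdtype == "3" and not entered.isdigit():
            raise ValueError("NVVPNPSWDTYPE 3 allows numeric-only passwords")
        if self.pswdtype == "1":
            self.nvvpnpswd = entered
        else:
            self.volatile = entered

    def stored(self) -> Optional[str]:
        """Password the Reuse screen would offer; None selects the Entry screen."""
        return self.nvvpnpswd if self.pswdtype == "1" else self.volatile

    def clear(self) -> None:
        """Clear softkey on the Reuse screen (also Continue with NVVPNUSERTYPE "2")."""
        self.nvvpnpswd = None
        self.volatile = None

    def take_for_authentication(self) -> str:
        """Password handed to the authentication attempt.

        One-time token types (3, 4) are wiped as soon as they are used.
        """
        pw = self.stored()
        if pw is None:
            raise LookupError("no VPN password stored")
        if self.pswdtype in ONE_TIME_TYPES:
            self.volatile = None
        return pw

    def on_sleep_mode(self) -> None:
        """VPN Sleep Mode (96x1H-IPI.4.2.230) clears only type 5."""
        if self.pswdtype == "5":
            self.volatile = None

    def on_reset(self) -> None:
        """A telephone reset loses RAM; NVVPNPSWD is kept."""
        self.volatile = None


def walkthrough(pswdtype: str, entered: str, events: Tuple[str, ...]) -> Optional[str]:
    """Enter a password, apply events ("auth", "sleep", "reset"), report what remains."""
    store = VpnPasswordStore(pswdtype)
    store.accept_entry(entered)
    for ev in events:
        if ev == "auth":
            store.take_for_authentication()
        elif ev == "sleep":
            store.on_sleep_mode()
        elif ev == "reset":
            store.on_reset()
        else:
            raise ValueError(f"unknown event {ev!r}")
    return store.stored()


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    print("type 1 after auth+reset:", walkthrough("1", "s3cret", ("auth", "reset")))
    print("type 3 after one auth:  ", walkthrough("3", "482913", ("auth",)))
    print("type 5 after sleep:     ", walkthrough("5", "s3cret", ("auth", "sleep")))
```

The one point worth checking on a deployed phone is type 1: it is the only setting that leaves the VPN password in non-volatile memory, so it survives resets and is only removed by the Clear softkey or the CLEAR procedure.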

Approved

If VPN user authentication fails, the VPN Authentication Failure screen will be displayed on the reserved text lines as follows:

    VPN authentication failed
                Continue

where Continue aligns with the center button(s) under the display. The “softkey” requirements of 96x1H-IPI.3.2.80 apply for button-oriented telephones.

If the value of NVVPNUSERTYPE is “1” and the Continue “softkey” is pressed, the VPN Username Editing screen will be displayed. If the value of NVVPNUSERTYPE is “2” and the Continue “softkey” is pressed, any stored password will be set to null and the VPN Password Entry screen will be displayed.





96x1H-IPI.4.2.220: VPN tunnel failure


Approved

If an existing VPN tunnel fails, VPNACTIVE will be set to “0”, IPADD will be set to null, DNSSRVR will be set to the value of EXTDNSSRVR, DOMAIN will be set to null, the backlight will be turned on, the display will be cleared and the name/logo image will be displayed as specified in 96x1H-IPI.3.1.100.

If VPN tunnel establishment fails, or if an existing VPN tunnel fails, the VPN Tunnel Failure screen will be displayed.

If the value of PROCSTAT is “0”, if the “*” button is pressed at any time while the following screens are being displayed, the Access Code Entry procedure (see 96x1H-IPI.3.1.300) will be invoked.





The VPN Tunnel Failure screen will be displayed on the reserved text lines as follows:

    VPN tunnel failure
    Retry        Details        Sleep

where “Retry” aligns with the leftmost button under the display, “Details” aligns with the center button(s), and “Sleep” aligns with the rightmost button. The “softkey” requirements of 96x1H-IPI.3.2.80 apply for button-oriented telephones.

If the Retry “softkey” is pressed, the procedures specified in the flowchart in 96x1H-IPI.4.2.200 will be initiated.

If the Details “softkey” is pressed, the VPN Failure Details screen will be displayed.

If the Sleep “softkey” is pressed, the display backlight will be turned off and the VPN Sleep Mode screen will be displayed as specified in 96x1H-IPI.4.2.230.



Note:

If the VPN Sleep Mode screen is displayed, the user will not be able to return to view the detailed reason for the VPN tunnel failure.

Approved

The VPN Failure Details screen will be displayed on the reserved text lines as follows:

    Failure text
    Restart        Program        Back

where “Restart” aligns with the leftmost button under the display, “Program” aligns with the center button(s) and is only displayed if the value of VPNPROC is “2”, and “Back” aligns with the rightmost button. The “softkey” requirements of 96x1H-IPI.3.2.80 apply for button-oriented telephones.

Failure text will be one of the following, based on the reason for failure. If VPN tunnel establishment fails, Failure text will be based on the reason for failure with the last value of NVSGIP.

“Need gateway IP address” (if the value of NVSGIP is null or 255.255.255.255, or if a response is not received using any other IP address).

“Need DNS server IP address” (to resolve gateway DNS name).

“Need IKE ID/PSK” (if the value of NVVPNAUTHTYPE is “3” or “4” but the value of NVIKEID or NVIKEPSK is null).

“Need phone certificate” (if the value of NVVPNAUTHTYPE is “5” or “7” but an identity certificate is not stored in the telephone).


Approved

“Invalid configuration” (for any configuration problem not covered above).

“No DNS server response”.

“Bad gateway DNS name” (DNS server could not resolve gateway DNS name).

“Gateway certificate invalid” (during IKE).

“Phone certificate invalid” (during IKE).

“IKE Phase 1 no response”.

“IKE ID/PSK invalid”.

“IKE Phase 1 failure” (unable to negotiate ISAKMP Security Association).

“IKE Phase 2 no response”.

“IKE Phase 2 failure” (unable to negotiate IPsec Security Association).

“IKE keep-alive failure”.

“IKE SA expired”.

“IPsec SA expired”.

If the Restart “softkey” is pressed, the telephone will initiate a reset.

If the Program “softkey” is pressed (when labeled), the Access Code Entry procedure will be invoked (see 96x1H-IPI.3.1.300).

If the Back “softkey” is pressed, the VPN Tunnel Failure screen will be displayed.

If the cause of failure is “No DNS server response”, “IKE Phase 1 no response”, or “IKE keep-alive failure”, and if no button is pressed within 60 seconds, the procedures specified in the flowchart in 96x1H-IPI.4.2.200 will be initiated.


Rationale:

Establishment of the VPN tunnel is automatically retried for failures that may have been caused by a temporary network, server or gateway outage.
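The profile table of 96x1H-IPI.4.2.200 and the configuration checks behind the first four Failure text values of 96x1H-IPI.4.2.220, as one added example that is not code from this specification or from Avaya. `PROFILE_DEFAULTS` mirrors the profile table (parameters a profile does not list are left unchanged, and NVVPNCFGPROF "0", "1" or an unlisted value changes nothing, as the page states). `apply_profile`, `validate_config`, the comma-separated reading of NVSGIP, the use of DNSSRVR as the DNS server parameter, the treatment of an unlisted NVVPNAUTHTYPE as "Invalid configuration" and all sample values are assumptions for illustration.

```python
"""VPN profile defaults (96x1H-IPI.4.2.200) and the configuration checks
that produce the first four Failure text values of 96x1H-IPI.4.2.220.

Added example, not code from the specification or from Avaya. Parameter
names are the page's; PROFILE_DEFAULTS mirrors the profile table. The
function names, the comma-separated reading of NVSGIP, the use of DNSSRVR
as the DNS server parameter, the "Invalid configuration" rule for an
unlisted NVVPNAUTHTYPE and all sample values are assumptions.
"""
import ipaddress
from typing import Dict, Optional

# NVVPNCFGPROF -> parameters forced when tunnel establishment is initiated.
PROFILE_DEFAULTS: Dict[str, Dict[str, str]] = {
    "2":  {"NVIKECONFIGMODE": "1", "NVIKEIDTYPE": "11", "NVIKEOVERTCP": "1",
           "NVIKEXCHGMODE": "2", "NVVPNAUTHTYPE": "6", "NVVPNSVENDOR": "3"},  # Checkpoint
    "3":  {"NVIKECONFIGMODE": "1", "NVIKEIDTYPE": "11", "NVIKEXCHGMODE": "1",
           "NVVPNAUTHTYPE": "4", "NVVPNSVENDOR": "2"},  # Cisco PSK with XAUTH
    "5":  {"NVIKECONFIGMODE": "1", "NVIKEIDTYPE": "3", "NVIKEXCHGMODE": "1",
           "NVVPNAUTHTYPE": "4", "NVVPNSVENDOR": "1"},  # Juniper PSK with XAUTH
    "6":  {"NVIKECONFIGMODE": "2", "NVIKEIDTYPE": "3", "NVIKEXCHGMODE": "1",
           "NVVPNAUTHTYPE": "3", "NVVPNSVENDOR": "4"},  # Generic PSK
    "8":  {"NVIKECONFIGMODE": "1", "NVIKEID": "", "NVIKEIDTYPE": "11",
           "NVIKEXCHGMODE": "1", "NVVPNAUTHTYPE": "5", "NVVPNSVENDOR": "2"},  # Cisco Cert with XAUTH
    "9":  {"NVIKECONFIGMODE": "1", "NVIKEIDTYPE": "9", "NVIKEXCHGMODE": "1",
           "NVVPNAUTHTYPE": "5", "NVVPNSVENDOR": "1"},  # Juniper Cert with XAUTH
    "11": {"NVIKECONFIGMODE": "1", "NVIKEIDTYPE": "11", "NVIKEXCHGMODE": "1",
           "NVVPNAUTHTYPE": "3", "NVVPNSVENDOR": "5"},  # Nortel Contivity
}


def apply_profile(params: Dict[str, str]) -> Dict[str, str]:
    """Copy of params with the profile's forced values applied.

    Parameters a profile does not list keep their value; "0", "1" and any
    unlisted NVVPNCFGPROF change nothing.
    """
    out = dict(params)
    out.update(PROFILE_DEFAULTS.get(params.get("NVVPNCFGPROF", "0"), {}))
    return out


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_config(params: Dict[str, str],
                    identity_cert_present: bool) -> Optional[str]:
    """Failure text for a configuration problem, or None if it passes.

    This is the "Validating configuration..." step: the profile is applied
    first, so a user-entered value that the profile overrides never counts.
    """
    p = apply_profile(params)
    # Assumption: NVSGIP is a comma-separated list of gateway addresses/names.
    gateways = [g.strip() for g in p.get("NVSGIP", "").split(",") if g.strip()]
    if not gateways or all(g == "255.255.255.255" for g in gateways):
        return "Need gateway IP address"
    # Assumption: DNSSRVR holds the DNS server used before the tunnel is up.
    if any(not _is_ipv4(g) for g in gateways) and not p.get("DNSSRVR"):
        return "Need DNS server IP address"
    auth = p.get("NVVPNAUTHTYPE", "")
    if auth in ("3", "4") and (not p.get("NVIKEID") or not p.get("NVIKEPSK")):
        return "Need IKE ID/PSK"
    if auth in ("5", "7") and not identity_cert_present:
        return "Need phone certificate"
    if auth not in ("3", "4", "5", "6", "7"):
        return "Invalid configuration"   # assumption: only listed values pass
    return None


if __name__ == "__main__":
    # Constructed sample configuration; not taken from any real deployment.
    cfg = {"NVVPNCFGPROF": "6", "NVSGIP": "203.0.113.5",
           "NVIKEID": "phone1", "NVIKEPSK": ""}
    print(validate_config(cfg, identity_cert_present=False))
```

Because `apply_profile` runs before the checks, a Generic PSK profile with an empty NVIKEPSK is reported as "Need IKE ID/PSK" even though a user-chosen NVVPNAUTHTYPE might have said otherwise, which is the enforcement the note under the profile table asks the VPN local procedure to mirror.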


96x1H-IPI.4.2.230: VPN Sleep Mode


Approved

If VPN Sleep Mode is invoked, the VPN tunnel will be terminated, VPNACTIVE will be set to “0”, if the value of NVVPNPSWDTYPE is “5” the VPN user password stored in volatile memory will be set to null, IPADD will be set to null, DNSSRVR will be set to the value of EXTDNSSRVR, DOMAIN will be set to null, the display of the telephone and any attached button modules will be cleared and all backlights will be turned off, the name/logo image will be displayed as specified in 96x1H-IPI.3.1.100, and the VPN Sleep Mode screen will be displayed.




The VPN Sleep Mode screen will be displayed on the reserved text lines as follows:

    VPN tunnel terminated
                Wake Up

where “Wake Up” aligns with the center button(s) under the display.

If any button on the telephone is pressed, or if the touchscreen is touched, or if the handset is lifted, the VPN Tunnel Inactive screen will be displayed and all backlights will be turned on as specified in 96x1H-IPI.3.1.100.



Rationale:

The VPN Sleep Mode screen will be visible on telephones with gray-scale displays, but it will not be visible on telephones with color displays because the backlight will be off, so all buttons and the handset act the same as the Wake Up “softkey”.

Sleep Mode is provided primarily for VPN telephones located in bedrooms, so that the backlight can be turned off at night if the VPN tunnel is terminated, since the idle timer does not apply to startup procedures. Sleep Mode is invoked after the user has logged off from the call server (see Step 4 of 96x1Tel.2.1.300, Step 23UR of 96x1Tel.2.1.400, and Step 17UR of 96x1Tel.2.1.500 in [7.1-6]), but since the VPN tunnel is terminated, unnamed registration (which usually supports only limited outgoing calls), if enabled, will also be terminated.

Approved

The VPN Tunnel Inactive screen will be displayed on the reserved text lines as follows:

    VPN tunnel terminated
    Activate                    Sleep

where “Activate” aligns with the leftmost button under the display, and “Sleep” aligns with the rightmost button. The “softkey” requirements of 96x1H-IPI.3.2.80 apply for button-oriented telephones.

If the Activate “softkey” is pressed, the procedures specified in 96x1H-IPI.4.2.200 will be initiated.

If the Sleep “softkey” is pressed, all backlights will be turned off and the VPN Sleep Mode screen will be displayed.

If the value of PROCSTAT is “0”, if the “*” button is pressed while the VPN Tunnel Inactive screen is being displayed, the Access Code Entry procedure (see 96x1H-IPI.3.1.300) will be invoked.



Rationale:

The VPN Tunnel Inactive screen is provided in case the handset is accidentally bumped or a button is pressed while the telephone is in Sleep Mode, so that the telephone can be immediately returned to Sleep Mode if desired.



