Avaya UNIStim Software Release 4.0 Notice

Contents

1. If tunnel establishment fails due to an invalid user ID or password, the user is re-prompted to enter the credentials again. The first time a tunnel is established with the corporate VPN Router, if the Security banner text is configured in the Nortel VPN Router Profile, the phone will display the VPN Security Banner. The user has to accept the security information or the tunnel will not be established and the user will be re-prompted to accept it. Once accepted, the banner will not be redisplayed, even if the phone reboots. (Nortel Page 18 of 101) The diagram below shows the Security Banner acceptance window. [Figure: Security Banner acceptance window with Accept and Cancel softkeys] If the authentication method chosen in the NVC is Main Mode using X.509 Certificates and no X Authentication, then both a root CA certificate and a device certificate must be installed on the phone. For details on installing both Root CA certificates and device certificates into the IP Phone, please refer to Appendix A, Certificate Installation. IP Clients UNIStim VPN Client License: The operation of the NVC depends on the availability of a license. If a license is available, then the NVC operates in an Unrestricted mode. If no license is available, the NVC operates in a restricted mode where it can still establish a VPN tunnel to the corporate network, but the telephony traffic will be blocked from traversi
2. s1ip 47.11.62.20 (Primary server IP address); p1 4100 (Primary server port number); a1 1 (Primary server action code); r1 10 (Primary server retry count); s2ip 47.11.62.21 (Secondary server IP address); p2 4100 (Secondary server port number); a2 1 (Secondary server action code); r2 10 (Secondary server retry count); xip 47.11.62.147 (XAS server IP address); xp 5000 (XAS server port number); xa G (XAS server action code). 1140E prv GI Type level provisioning file specific to IP Phone 1140; applies to all IP Phone 1140E within the network: bt y (Enable Bluetooth). For additional information on configuring the IP phone with the Info Block, and on auto provisioning in general, please refer to the IP Phones Fundamentals document (NTP NN43001-368). Info Block Feature Restriction: Please note that support for provisioning the IP Phone via an Info Block in provisioning files was not extended to the Phase II IP Phone 2001, Phase II IP Phone 2002 and Phase II IP Phone 2004. For these phones, provisioning the IP Phone with an Info Block can be accomplished via DHCP only. UNIStim software release 2.3 for IP Phones introduced provisioning with an Info Block via DHCP for the Phase II IP Phones. Software 0604DBP or greater for the Phase II IP Phone 2001, 2002 and 2004 supports the new Nortel specific option type Nortel-i2004-B, which allows the Info Block to be sent via DHCP. For more details on provisioning the IP P
3. vpnmode: aggressive, main (Authentication mode). vpnauth: psk = preshared key, certificate = X.509 certificate (Authentication credential). vpnxauth: 0 = none, 1 = password (X Authentication type). vpnpskuser: character string up to 64 characters (PreShared Key (PSK) User ID). vpnpskpwd: character string up to 64 characters (PreShared Key (PSK) password). vpnxauthuser: character string up to 64 characters (X Authentication User ID). vpnxauthpwd: character string up to 64 characters (X Authentication password). vpns1: character string up to 64 characters (IP address or FQDN of the primary VPN server). vpns2: character string up to 64 characters (IP address or FQDN of the secondary VPN server). vpndiffcpy: y = copy DSCP from inner packet, n = use vpndiff value (Source of DSCP value for the tunnel traffic. Determines if DSCP value is copied from inner packet to outer packet or if vpndiff is used). vpndiff: 0-255 (If vpndiffcpy = n, then this value is used for the DSCP value for the tunnel traffic). vpnmotd: 0-999 (Message of the Day (MOTD) timer). When certificate is provisioned, both a CA root certificate and a device certificate must be installed in the phone. Please refer to Appendix A, Certificate Installation, for details on installing a CA root certificate and a device certificate into the phone. If a FQDN is entered, the remote user's local network must have access to DNS to resolve the entered name. Typically in a home envir
4. PO screen again, where, if one wishes, one can search for additional POs from which to pull additional licenses to add to the keycode. Once all the necessary POs have been reviewed, selecting Go To Summary will move KRS to the final summary screen showing the system ID, list of MAC addresses, PO(s), feature(s) and quantity selected going into the keycode. If everything is correct in the summary, clicking on Generate Keycode starts the actual keycode generation. Generation of the keycode can take between 10 and 20 seconds. When complete, the KRS will show the Retrieve History screen. At the time of this writing, the only licensed feature in UNIStim Software release 4.0 is the NVC, so there will only be one line item. (Footnote 12: Since it doesn't make sense to load multiple licenses for the same feature, the quantity selected should always be the same as the number of MAC addresses.) On the Retrieve History screen, as shown below, KRS will display the keycode associated to each MAC address. [Screenshot: KRS Retrieve History screen]
5. PRV files, the association that the phone ultimately accepts will be the one in the highest priority file. The precedence order of the PRV files from highest priority to lowest is device, zone, type, then system, as shown above. A format has been defined, which is similar to the existing auto provisioning info block items, to provision the Node and TN values. The new Node and TN provision string has the following format: reg MACaddr CallServerType ConnectServer NodeID TN. The items can be separated by spaces or commas, or any combination of them. The string is case insensitive, so uppercase, lowercase or mixed case is all acceptable. MACaddr: Delimiters in the MAC address can be dashes, colons, spaces or any combination thereof. The following are examples of valid MAC address formats: 00-13-65-FE-F4-D4, 00:13:65:FE:F4:D4, 00 13 65 FE F4 D4, 001365FEF4D4. CallServerType: Currently the implementation only supports the Communication Server 1000, thus the only supported CallServerType is CS1K. ConnectServer: Only values S1 and S1S2 are supported at this time. NodeID: The Node ID can be any number from 0-9999. TN: The same format is used for the Terminal Number as would be entered via the TN prompt on the phone's display during registration. So two formats exist. Large system TN: LLL-SS-CC-UU or LLL SS CC UU. Small system TN: CC-UU or CC UU. The TN must be in one of the formats shown above
6. CA certificates and device certificates into the IP Phone, please refer to Appendix A, Certificate Installation. Feature advisement: The IP Phone is capable of supporting multiple certificates. However, as a security precaution, all certificates installed into the phone subsequent to the initial certificate must be signed and authenticated by the initial certificate. Therefore, if a certificate is already installed in the phone for EAP-TLS and you wish to enable DTLS, which requires a UCM root certificate, you will need to remove the existing certificate, install a new CA root certificate, and then sign and reinstall the EAP-TLS certificate. 4 Secure Call Recording (applies to the IP Phone 1110, 1120E, 1140E and 1150E): Prior to UNIStim Software release 4.0, for the IP phones that support dual audio stream, where the second audio stream is sent to a call recorder, the duplicate audio stream was sent unencrypted to a call recorder. Since the audio stream to the call recorder was not encrypted, the audio stream could potentially be captured and be reconstructed by a third party. This vulnerability compromised the confidentiality and integrity of the communication. UNIStim software release 4.0 now delivers the capability to encrypt the communication between the IP phone and the call recorder. The DTLS with SRTP extensions protocol is used to establish the secure connection from the IP phone to the call recorder and to exchange
7. The numbers in the TN can be separated by spaces, dashes or any combination thereof. The numbers can either have leading zeros to fill the field size or not (e.g. LLL can be 096 or just 96). Format errors resulting in no processing of the reg provisioning are silently discarded (no error message is provided). The reg item(s) must be at the end of the file's provisioning info data items. No other provisioning info items should come after it (them). This is required to optimize the speed of the parsing. The following is an example of a valid Node and TN provision string that could be included in any of the PRV files: Set Auto Node and TN: reg 00 1B BA F8 82 0D CS1K S1 123 096 1 22 01; reg 00 1B BA F8 82 0E CS1K S1 123 096 1 22 02. Appendix E: Provisioning the IP Phone with an Info Block via DHCP (applies to the IP Phone 2001, 2002, 2004, 2007, 1110, 1120E, 1140E, 1150E, 1210, 1220, 1230). The new Nortel specific option type Nortel-i2004-B that was introduced in UNIStim software release 2.2 and release 2.3 for IP Phones. The Nortel-i2004-B specific option type expands the number of parameters that can be provisioned to include all those previously provisioned in the existing option type of Nortel-i2004-A, plus more. In software loads prior to UNIStim software release 2.2 for the IP Phone 2007, IP Phone 1110, IP Phone 1120E, IP Phone 1140E and IP Phone 1150E, and prior to UNIStim softw
8. realize that EAP-MD5 is not available by default in the Microsoft Windows Server 2008 NPS, but can be turned on. Please refer to Microsoft support for more details on enabling EAP-MD5. In addition, minimally Service Pack 2 is required on the Windows Server 2008 NPS to support the IP Phones using MD5 access control. (Footnote 16: In Windows Server 2008, IAS has been replaced with Network Policy Server (NPS).) PC Port resets during software upgrade (applies to IP Phone 2002, 2004 and 2007): The PC port on the IP Phone 2002, 2004 and 2007 temporarily resets during software upgrades and phone resets due to configuration changes. As a result, traffic to and from the network and a PC connected to the IP Phone's PC port will be disrupted during these periods. Minimal firmware required on the Algo 4900 USB ATA (applies to IP Phone 1120E, 1140E and 1150E): The Algo 4900 USB ATA must have firmware version v1.00.32v or greater before connecting the adapter to the IP Phone. A Windows based configuration tool to upgrade the ATA firmware version can be found at the Algo web site: http www algosolutions com products usbAT A fw download html. Also note that the Algo 4900 USB ATA is classified as a high power USB device and must be connected to the phone through a powered USB hub. If it is connected to the phone directly, it will cause the phone to shut off service to the USB port completely. Constant humming sound may be heard in Nortel USB
9. validated Plantronics Voyager 510/510S, in which the headset may unexpectedly become unpaired. If the unpair occurs during an active call, all audio will be lost to and from the headset. In such a situation the call will remain active, and the user is recommended to switch to handset or handsfree. Due to the severity of this issue, Nortel does not recommend the use of the Plantronics Voyager 510/510S headset. For a complete list of wired and wireless headsets that Nortel has confirmed provide acceptable audio quality when used in conjunction with Nortel IP Phones, please refer to the product bulletin Headsets for Nortel IP Phones, P 2006 0084 Global Rev7. 2-step upgrade may be required (applies to IP Phone 1120E and 1140E): One important note when upgrading the IP Phone 1120E and IP Phone 1140E to UNIStim software release 4.0 from any load previous to 0624C1B or 0625C1B respectively is that a 2-step upgrade will be required. The IP Phone 1120E and 1140E cannot be upgraded directly to the newly released software if they are currently running software previous to 0624C1B and 0625C1B respectively. Instead, the phones must first be upgraded to 0624C1B and 0625C1B or newer (recommend 0624C3G and 0625C3G). Once the phones are running at least 0624C1B and 0625C1B software, they will accept being upgraded to UNIStim software release 4.0 respectively. 2-step upgrade may be required to load Asian fonts (applies to IP Phone 2007
10. [Screenshot: KRS keycode display showing the keycode file contents, with the options Download Keycodes as ZIP, Download Individual Keycode and View Auth Code History] At this point the choice is to either download the individual keycode license, view the authcode specifics, or download all the keycodes as a single ZIP file. To download the specific IP Clients keycode being displayed, select Download Individual Keycode. But to download all the keycodes at once, select Download Keycodes as ZIP. Download and save the individual keycode file or the combined keycode ZIP file to the PC connected to KRS. This file must now be transferred to the IP Phone provisioning server to load the keycode onto the IP Phone. Expanding a Site and Licensing Additional Phones: If the site is expanding and one needs to register additional MAC addresses, one must create a new Site name within KRS to register the additional phones. It is recommended, however, to use the original site name but add a
11. stickiness: y = yes, n = no (Enable stickiness; provisioning is persistent in the event a new info block is not received). cachedip: y = yes, n = no (Enable cached IP). igarp: y = yes, n = no (Ignore GARP). srtp: y = yes, n = no (Enable SRTP PSK). eap: dis = disable, md5 = EAP MD5, peap = PEAP MD5, tls = EAP TLS (Disable or choose an EAP authentication method [1][2]). eapid1: character string up to 32 characters (802.1x (EAP) device ID1 [1][2]). eapid2: character string up to 32 characters (802.1x (EAP) device ID2 [1][2]). eappwd: character string up to 32 characters (802.1x (EAP) password [1][2]). ca: character string up to 80 characters (Certificate Authority (CA) server). cahost: character string up to 32 characters (Certificate Authority (CA) host name). cadomain: character string up to 50 characters (Certificate Authority (CA) domain name). cdiff: value from 0 to 255 (Diffserv code points for control messages). mdiff: value from 0 to 255 (Diffserv code points for media messages). prov: character string up to 50 characters (Provisioning server address or URL; if the string is prefixed with http, the phone will connect to a HTTP server, otherwise the phone will connect to a TFTP server). dns: character string up to 50 characters (Primary DNS server URL). dns2: character string up to 50 characters (Secondary DNS server URL). ct Value from 0 to 15 for IP Contrast value Phone 1
12. Adapter (applies to the IP Phone 1120E, 1140E and 1150E): A constant humming noise is sometimes heard through the Nortel USB Adapter headset when either the Nortel Enhanced USB Headset Adapter or the Nortel Mobile USB Headset Adapter is connected to the IP Phone 1120E, 1140E and 1150E. The humming noise is within the headset adapter and can be corrected by upgrading the headset adapter firmware to version 2.00.98 or greater. Nortel USB Headset Adapter firmware version 2.00.98 is available for download from the Software Download link under Support and Training on the Nortel website located at http://support.nortel.com. The firmware is available for the IP Phone 1120E, 1140E and 1150E models under Phones, Clients and Accessories as file Adapter3v2 0098 zip. To load the version 2.00.98 firmware onto the Nortel USB Headset Adapter, perform the following procedure: 1. Download the firmware file Adapter3v2 0098 zip from the Nortel Technical Support web site. 2. Load the file Adapter3v2 0098 zip onto a PC. 3. Uncompress (unzip) the file to obtain Adapter3v2 0098 exe. 4. Connect the Nortel USB Headset Adapter to the PC. 5. Start the Adapter3v2 0098 exe application to load the firmware onto the device. IP Phone's performance will be diminished during broadcast storms (applies to IP Phone 2001, 2002, 2004, 2007, 1110, 1120E, 1140E, 1150E, 1210, 1220 and 1230): By default, network traffic to the IP Phone will be accepted based on the packe
13. Authentication credential; certificate = X.509 certificate. vpnxauth: 0 = none, 1 = password (X Authentication type). vpnpskuser: character string up to 64 characters (PreShared Key (PSK) User ID). vpnpskpwd: character string up to 64 characters (PreShared Key (PSK) password). vpnxauthuser: character string up to 64 characters (X Authentication User ID). vpnxauthpwd: character string up to 64 characters (X Authentication password). vpns1: character string up to 64 characters (IP address or FQDN of the primary VPN server). vpns2: character string up to 64 characters (IP address or FQDN of the secondary VPN server). vpndiffcpy: y = copy DSCP from inner packet, n = use vpndiff value (Source of DSCP value for the tunnel traffic. Determines if DSCP value is copied from inner packet to outer packet or if vpndiff is used). vpndiff: 0-255 (If vpndiffcpy = n, then this value is used for the DSCP value for the tunnel traffic). vpnmotd: 0-999 (Message of the Day (MOTD) timer). dcpversion1: character string of the last installed PKCS12 file. dcpsource1: scep, pkcs12 (Method used to install device certificates). dcpactive: n = Inactive, y = Active (Profile is active or not). dcppurpose1: character string made up of the following character (Specifies which phone applications can use this device certificate). When certificate is provisioned, both a CA root certificate and a device certificate must be installed in
14. Auto, Force Full, Force Half; Enable Data 802.1Q; DataVLAN: No VLAN, Enter VLAN ID; Data Priority Bits: Auto, 0, 1, 2, 3, 4, 5, 6, 7; PC Port Untag All; Enable Stickiness; Cached IP (this Cached IP menu item is only presented if DHCP is provisioned to Yes); Ignore GARP; Enable SRTP PSK; SRTP PSK Payload ID: 96, 115, 120; Provision: xxx.xxx.xxx.xxx; Provision Zone ID; Enable Bluetooth: Yes, No (this menu item is on the IP Phone 1140E and 1150E only). The IP Phone 1120E, IP Phone 1140E and IP Phone 1150E contain a password protection mechanism to lock out access to the Local Tools menu, including the Network Configuration menu. If enabled, access to the Local Tools menu is password protected and the password is prompted by a pop up window. One must type the password 26567 738 (color set) from the dial pad and press the center of the navigation cluster (enter key) to enter the Network Configuration menu. When an incorrect password is entered, the Local Tools menu is not opened. To thwart password guessing, only 3 incorrect password entries in a row are allowed. After the 3rd incorrect entry, the password entry is ignored for 5 minutes. During this period of time, the password prompt is displayed and the entered digits accepted; however, the phone will not process the incoming digits. The password prompt window simply closes and the behavior is identical to that of an incorrect password entry. The user will assume the incorrec
15. Information; Network Diagnostic Tools; Ethernet Statistics; IP Network Statistics; USB Devices; Advanced Diag Tools; License Information; VPN Statistics; Certificate Information (new). Under the new Certificate Information menu, three choices are presented: Trusted Certificates, Device Certificates, and Certificate Revocation List. The new choices are as shown in the diagram below: 1. Trusted Certificates 2. Device Certificates 3. Certificate Revocation List. The Trusted Certificates and Device Certificates menu choices present a list of trusted certificates and device certificates, respectively, installed in the IP Phone. The Certificate Revocation List presents a list of certificates that the phone has been provisioned to revoke. Within each menu, if one highlights a particular certificate, the View softkey can be used to display more details on the particular certificate. Product Advisements: The following is a list of advisements associated with UNIStim software release 4.0. Some advisements remain from previous releases of software, whereas other advisements reflect new or changed behavior introduced with UNIStim software release 4.0. Advisements that are new to UNIStim software release 4.0, or have changed since previous releases of UNIStim software, are prefixed with NEW. NEW: Phone appears locked when downloading large font files over the VPN (applies to the IP Phone 1120E 1140
16. Manager. If the software is included in the installation files, some manual administrator configuration will still be required. If the software is not included in the installation file, the administrator can transfer these software loads to the CICM Element Manager, configure the terminal's Recommended and Minimum software levels, and the Element Manager will propagate the software to the CICM. The user will be prompted to upgrade their software at their own convenience. For details on using the CICM Element Manager to configure the recommended software and how to upgrade the IP Phones, refer to the CICM Administration and Security NTP (NTP NN10252-611 06.03), in the section titled Downloading firmware to the CICM Element Manager. Nortel, the Nortel logo and the Globemark are trademarks of Nortel. Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite and power global commerce, and secure and protect the world's most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services and applications, and wireless broadband designed to help people solve the world's greatest challenges. Nortel does business in more than 150 countries. For more information, visit Nortel on the Web at www.nortel.com. Appendix A: Certificate Installa
17. PEAP, TLS; ID 1; ID 2; Password; Enable VPN; Protocol; Mode; Authentication; PSK User ID; PSK Password; XAUTH Method; XAUTH User ID; XAUTH Password; VPN Server 1: xxx.xxx.xxx.xxx; VPN Server 2: xxx.xxx.xxx.xxx; VPN DSCP; VPN MOTD Timer; Enable 802.1ab (LLDP); DHCP: No, Yes; Set IP: xxx.xxx.xxx.xxx; Net Mask: xxx.xxx.xxx.xxx; Gateway: xxx.xxx.xxx.xxx; DNS1 IP: xxx.xxx.xxx.xxx; DNS2 IP: xxx.xxx.xxx.xxx; CA Server; Domain Name; Hostname; S1 IP: xxx.xxx.xxx.xxx; Port; S1 Action; Retry; S1 PK: FFFFFFFFFFFFFFFF; S2 IP: xxx.xxx.xxx.xxx; Port; S2 Action; Retry; S2 PK: FFFFFFFFFFFFFFFF; Ntwk Port Speed: Auto, 10BT, 100BT; Ntwk Port Duplex: Auto, Force Full, Force Half; XAS Mode: Text Mode, Graphical, Secure Graphical; XAS IP: xxx.xxx.xxx.xxx; XAS Port; Enable Voice 802.1Q; VoiceVLAN: No VLAN, Auto, Enter VLAN ID (the Auto option in the Voice VLAN menu is only available if DHCP is provisioned to Yes above or if LLDP is enabled above); VLAN Filter; Ctrl Priority Bits: Auto, 0, 1, 2, 3, 4, 5, 6, 7; Media Priority Bits: Auto, 0, 1, 2, 3, 4, 5, 6, 7; Enable Nortel Auto Qos; DSCP Override (this DSCP Override menu item is only presented if Enable 802.1ab (LLDP) is enabled above and Control DSCP or Media DSCP are not manually set below); Control DSCP: xxx; Media DSCP: xxx; Enable PC Port; PC Port Speed: Auto, 10BT, 100BT; PC Port Duplex
18. SRTP keys. Once the connection is established and the keys exchanged, the SRTP protocol is used for the actual media encryption and authentication. Support for Secure Call Recording (SCR) is a joint effort between the IP Phone and the Nortel Call Recorder Quality Monitor (CRQM) solution. The IP Phone's UNIStim Software must be at release 4.0 or greater, and CRQM must be on release 7.0 or greater. The model used to secure the media stream sent to the call recorder is called mirrored mode. In this mode, the decision on whether or not to encrypt the secondary media stream being sent to the call recorder is based on the secure state of the primary media stream. If the primary media stream between the two calling parties is encrypted, so too will be the media stream sent to the call recorder. If the primary media stream is not encrypted, the media stream sent to the call recorder will also not be encrypted. The ability to encrypt the media stream sent to the call recorder independent of the encryption status of the primary media stream is not available. To auto provision SCR, two new parameters have been added to the provisioning Info Block. The two new Info Block parameters that have been created to allow the SCR to be auto provisioned are provided in the table below. Please refer to Appendix B for the complete list of parameters supported within the Info block. mscr n do not encrypt the stream to the call Mirror mode encryption se
19. UNIStim software. All telephony functionality, including all features already delivered up to and including UNIStim release 3.0, will not be licensed. Of the new features in UNIStim Software release 4.0, the following licensing rules will apply. Nortel VPN Client (NVC) in the IP Phone 1100 series: licensed feature. Secure Signaling using DTLS: not licensed by UNIStim software; included in the UNIStim software as a no charge update. Secure Call Recording: licensed feature. But if the call recorder is the Nortel Call Recorder Quality Management (CRQM) product, the license requirement in the UNIStim software is removed. A UNIStim software license will be required, however, if secure call recording is enabled with a 3rd party call recorder. DfO Enhancements: not licensed; included in the UNIStim software to assist support personnel. Certificate Support Enhancements: not licensed; included in the UNIStim software as a no charge update. At the time of this writing, Secure Call Recording in UNIStim Software release 4.0 is only supported with the Nortel Call Recorder Quality Management (CRQM) product. Since there is no Secure Call Recording support with any 3rd party call recorder, there is no Secure Call Recording license offered at this time. Therefore, the only license available with UNIStim Software release 4.0 is the IP Clients UNIStim VPN Client license. The IP Clients UNIStim VPN Client is
20. and Language selection; Equipment Setup and VPN; Select Data Files; Prepare Phone for Configuration; Autodiscover Phone; Configure Phone; Confirmation and Finish. Upon launching the Phone VPN Configuration Wizard, the user is presented with the welcome screen. At the welcome screen, the user can select from a choice of languages; English is the default. The diagram below shows the welcome screen. [Screenshot: welcome screen] Once the language is selected, the Equipment Setup and VPN screen is presented, as depicted below. The Equipment Setup and VPN screen shows that the PC running the Phone VPN Configuration Wizard must either be plugged into the PC port of the IP Phone or into a multi-port router or hub to which the IP Phone is also connected. Please be advised that if a VPN client is running on the PC, the VPN client on the PC must be disconnected to allow the Phone VPN Configuration Wizard to provision the IP Phone. Once the Phone VPN Configuration Wizard finishes, the VPN client running on the PC can be re-established. Once the PC that is running the Phone VPN Configuration Wizard is connected in one of the requested setups, the next screen, as depicted below, asks the user to select the Data Files. The data files are the configuration and provisioning files that were supplied by the System Administrator and which are stored somewhere on the PC. The Select Data File screen asks the user to locate either the zip fi
21. between the remote IP Phone and the corporate network, ensuring the integrity and confidentiality of enterprise communications. Once the VPN tunnel has been established, all of the telephone related IP traffic traverses within the tunnel, including signaling, media, duplicate media and application gateway traffic. Note that the IP traffic from the PC port of the telephone is excluded from the VPN tunnel. The advantage of delivering a NVC within the phone is that it lowers the cost for deploying a teleworker environment. With a NVC within the phone, there is no longer the need to deploy a Customer Premise Equipment (CPE) VPN router. The teleworker no longer has to install and configure a CPE VPN router. This should simplify the configuration and administration of the solution, since it is easier to deploy and provision. The NVC within the phone is the client end of the tunnel. The corporate end of the tunnel is terminated by an enterprise VPN router or gateway. The NVC client currently supports interoperability with the following VPN termination devices: Nortel VPN Router (NVR) family running software release 8.00 or greater. NVR software release 8.00 has been qualified on the NVR 1010, 1050, 1100, 600, 1600, 17xx, 27x0, 4600 and 5000. Installation: Typical home networks consist of one or more PCs connected, either via wireless interfaces or Ethernet cables, to a home router or hub, which is then connected to the service prov
22. button. [Screenshot: Product Registration screen with Site Name and System Id fields, System ID search format examples (00 00 00 00 00 AA, 00 00 00 00 00 BB, 00 00 00 00 00 CC, 00 00 00 00 00 DD, 0000000000EE), and Search, Create and Cancel buttons] Before a keycode can be generated, the system for which the keycode is to be generated must be registered. To begin Registration, one selects Create on the Product Registration Screen. After which, the screen as shown below will allow one to enter a site name that will be used to identify the system. Please note that blank spaces are not allowed within the site name. Once a site name is entered, clicking on Continue advances to the next screen. [Screenshot: Keycode Retrieval System, IP Clients, Product Registration page. Page text: This section enables you to register new products into the Keycode Retrieval System so that you can add or transfer features to the product in the future.]
23. detailed earlier in this bulletin. If a duplex mismatch occurs as a result of the software upgrade, the speed and duplex mode can be forced by provisioning them via the Info Block. This is possible because the auto negotiation will pick the correct speed but the wrong duplex mode. Since the speed is correct but the duplex mode is wrong, transmission can occur, albeit of poor quality. The duplex mismatch will impact the time taken for the phone to receive the Info Block, but retransmission mechanisms built into the transmission protocols should allow the Info Block to eventually be received by the phone, thus correcting the resetting of link speed and duplex mode to Auto. Proportional spacing may not be optimal (applies to IP Phone 2007, IP Phone 1110, 1120E, 1140E, 1150E and 1210): The IP Phone 2007, IP Phone 1110, IP Phone 1120E, IP Phone 1140E, IP Phone 1150E and IP Phone 1210 support graphical fonts. The supported fonts include hinting, or intelligence to the font outline, making the font more readable by preventing the letters in the font from becoming distorted and difficult to identify. But in some rare instances, the hinting may impact the proportional spacing, resulting in characters appearing too close or too far apart. Some models of Plantronics Bluetooth headset may unexpectedly become unpaired (applies to IP Phone 1140E and 1150E): An issue was uncovered with certain Plantronics Bluetooth headsets, including the formerly
24. device certificates cannot be automatically renewed. It is up to the Administrator to keep track of when device certificates will expire. To update a device certificate that is about to expire, a new certificate must be generated as a PKCS#12 file and loaded onto the phone. The license keycode file is distributed to an IP Phone using the same procedure as the other provisioning files. To support the loading of license keycodes onto the IP Phone, a new section called LICENSING must be added to the phone's configuration file (i.e. 1120e.cfg, 1140e.cfg, 1150e.cfg). The individual keycode license file name is ipctokenMAC.cfg, where MAC is the phone's 12-character MAC address to which the license is associated. The LICENSING section has three command lines. DOWNLOAD_MODE (required command): The DOWNLOAD_MODE can be either FORCED or AUTO. If FORCED, the VERSION command is ignored and the license files are always downloaded. If AUTO, the application looks at the VERSION and downloads the license files only if they are a newer version than what is currently stored on the phone. VERSION (optional command; if this command is not present, version 0 is assumed): The VERSION command specifies the version of the licenses being downloaded. The version applies to all files listed in the LICENSING section. When licenses are written to the phone's memory, the value for the cfg file's VERSION field (or 0 if VERSION is not in the file) becomes
25. menu. Since the Provision parameter in the network configuration menu can accept both a URL as well as an IP address, the entry is a text-based field, causing the asterisk key to be accepted as an actual asterisk. But since this is different from other parameters that accept only an IP address, where the asterisk key is used to represent the dot, the inconsistent behavior of this field can be confusing. Therefore, with UNIStim software release 3.2, the typing of the asterisk key in the Provision parameter in the network configuration menu has slightly changed. Now, if the asterisk key is pressed twice relatively quickly, it will input the dot. Pressing the asterisk key once will still input the asterisk character, consistent with previous behavior. Throughput may be slow for large file transfers on conversions from GigE to 100Mbit (applies to the IP Phone 1120E, 1140E and 1150E): In networks in which a PC is connected to the IP Phone's PC port and the PC's NIC speed is 100Mbit but the network speed is at GigE, large file transfers to the PC can take quite a long time. This is an issue with large file transfers only, which, due to the speed mismatch between the two phone ports, can overflow the buffers in the phone, resulting in retransmissions. Although the IP Phones support Ethernet flow control (802.3x), the support is only implemented on the phone's PC port, not on the phone's network port. Ethernet flow control is a mechanism where the IP
26. mixed environment of phones that support Nortel-i2004-B with Phase 0 and Phase 1 phones, one must either ensure that any option strings that are defined are small enough that the DHCP message does not exceed 590 bytes, or service the Phase 0 and Phase 1 phones with a DHCP offer that excludes the Nortel-i2004-B option. Receiving a LLDP-MED Network Policy TLV from the network infrastructure will cause the phone to ignore DSCP from the Communication Server 1000 Element Manager and the Info Block (applies to IP Phone 2001, 2002, 2004, 2007, 1110, 1120E, 1140E, 1150E, 1210, 1220 and 1230): Because of the precedence order in auto-provisioning mode (i.e. the value has not been overridden manually), if the IP Phone receives a LLDP-MED Network Policy TLV from the network infrastructure, the phone will provision its DSCP from the LLDP-MED Network Policy TLV and not from the Call Server or Info Block. When the phone receives a Network Policy TLV from the network infrastructure, it sets its voice VLAN, L2 Priority and DSCP to the values specified in the VLAN ID field, L2 Priority field and DSCP Value field respectively. Thus, if the Network Policy TLV is received, any QoS values also received from the Call Server (i.e. Telephony Manager and/or Element Manager) or Info Block will be ignored. New Special Note: As already mentioned in this bulletin, the new feature DSCP provisioning precedence override, introduced in UNIStim software release 3.3, provides a wo
27. patch is MPLR21148 and is available from the Meridian PEP library at the www nortel com support web site The IP Phone 1110 IP Phone 1150E and IP Phone 1200 series are not supported on SRG200 400 Ris1 5 Nortel Page 66 of 101 Business Communications Manager BCM Call Server Release Notes Advisements BCM 200 400 4 0 Upgrading of the set software is dependent upon a BCM system patch that includes the set software Although UNIStim software release 4 0 for IP Phones is GA quality at the time of this writing the extent of BCM support is being confirmed The IP Phone 1110 IP Phone 1150E and IP Phone 1200 series are not supported on BCM 200 400 BCM 50 5 0 BCM 50 3 0 Upgrading of the set software is dependent upon a BCM system patch that includes the set software Although UNIStim software release 4 0 for IP Phones is GA quality at the time of this writing the extent of BCM support is being confirmed The IP Phone 1150E is not supported on BCM 50 5 0 Upgrading of the set software is dependent upon a BCM system patch that includes the set software Although UNIStim software release 4 0 for IP Phones is GA quality at the time of this writing the extent of BCM support is being confirmed The IP Phone 1150E is not supported on BCM 50 3 0 BCM450 5 0 Upgrading of the set software is dependent upon a BCM system patch that includes the set software Although UNIStim software release 4 0 fo
28. router User ID and Password correspond to the credentials configured on the RADIUS server. If the user IDs and passwords are entered by the end user, the user is also presented with the dialog box allowing the credentials to be stored permanently. The diagram below shows the phone's screen prompts for entering the PSK User ID, PSK Password and the request to save the password. [Screen prompts: PSK User ID (BkSpc, Clear, OK); PSK Password (BkSpc, Clear, OK); Save PSK Password (Yes, No)] The Nortel VPN Router can be configured with an option to disallow saving of the user passwords on the NVC. This option on the Nortel VPN Router takes precedence over provisioned passwords in the phone and over a user request to permanently save their password. If this disallow option is configured, passwords are removed from the phone's storage and the user must re-enter credentials if the phone reboots for any reason. The diagram below shows the phone's screen prompts for entering the X Authentication User ID, X Authentication Password and the request to save the password. [Screen prompts: XAUTH User ID (BkSpc, Clear, OK); XAUTH Password (BkSpc, Clear, OK); Save XAUTH Password (Yes, No)]
29. the new stored version value against which any future comparisons are made. FILENAME (required command): the filename of the keycode file to be downloaded. Recall that the individual keycode license file name is ipctokenMAC.cfg, where MAC is the phone's 12-character MAC address to which the license is associated. The FILENAME command uses the asterisk to represent the MAC address. Each individual phone will, upon reading this command, substitute its own MAC address into the filename, thereby assuring that the phone only downloads its unique keycode file. Files can either be in the same folder as the configuration file or in a sub-folder. If they are in a subdirectory, the path needs to be prepended to each filename. Below is an example of a LICENSING section in an 1140e.cfg file. Note that in this example the keycode licensing files are in a subdirectory named UNIStim LICENSING 14 It is assumed that the password has been provided by an out-of-band method, e.g. email. The PKCS#12 certificate is downloaded to the IP Phone via the IP Phone's configuration file (1120e.cfg, 1140e.cfg and 1150e.cfg). A new section called DEV_CERT must be added to the configuration file. This section specifies the PKCS#12 file to be loaded. The DEV_CERT section supports six command lines. PROFILE (required command): The PROFILE command specifies the index of the DCP where the device certificate is to be installed. PURPOS
30. the phone. Please refer to Appendix A, Certificate Installation, for details on installing a CA root certificate and a device certificate into the phone. If a FQDN is entered, the remote user's local network must have access to DNS to resolve the entered name. Typically, in a home environment this would be the service provider's DNS. a = All applications, v = VPN, d = DTLS, s = SCR, g = GXAS, e = EAP-TLS, T = Licensing. dcprenew1 (integer value, but also supports the following special values: 1 Never, 0 Immediately): Number of days prior to certificate expiry that a certificate renewal is requested. dcpdelete1 (n = No action, y = Delete): If set to y, forces the device certificate to be deleted. dcpautocn1 (0 = Manual, 1 = Automatic): Automatically construct the Certificate Name using cadomain and cahost. dcpcaname1 (character string of 128 characters): CA name included in the SCEP request to identify the requested CA (note that not all CAs require the CA name). dcphostnameoverride1 (character string of 128 characters): Override hostname for this DCP only. 1 Warning: changing this parameter could impact the network connectivity and may require manual correction. 2 Warning: provisioning this parameter via TFTP, HTTP or DHCP means that secure information is transferred in clear text. Appendix C Provisioning the IP
31. voice stream Provisioning this value to 8 tells the phone to use the value it receives from the LLDP Network Policy TLV or from the call server vmp Value from 0 to 8 802 1Q media p bit for voice stream Provisioning this value to 8 tells the phone to use the value it receives from the LLDP Network Policy TLV or from the call server vlanf y yes Enable VLAN filter on voice stream n no nis a auto negotiation Network port speed 1 10 10 Mbps 100 100 Mbps nid a auto negotiation Network port duplex 1 f full duplex h half duplex pc y yes Enable PC port n no pcs a auto negotiation PC port speed 10 10 Mbps 100 100 Mbps pcd a auto negotiation PC port duplex f full duplex h half duplex dq y yes Enable 802 1Q for PC port n no dv y yes Enable VLAN for data n no dvid Value from 1 to 4094 VLAN ID for data VLAN dp Value from 0 to 8 802 1Q p bit for data stream Provisioning this value to 8 tells the phone to use the value it receives from the LLDP Network Policy TLV or from the call server pcuntag y yes Enable stripping of tags on packets forwarded to PC port n no Id y yes Enable 802 1ab LLDP 1 n no pk1 Character string of16 S1 PK 2 Nortel Page 75 of 101 character representing 16 hexadecimal digits pk2 Character string of 16 S2 PK 2 character representing 16 hexadecimal digits Nortel Page
32. without 802.1Q VLANs. With Auto VLAN enabled, if VLAN information is provided within the DHCP option type VLAN-A, the phone will use the VLAN information to provision a voice VLAN. However, if no VLAN-A option type is provided by DHCP, the phone will assume that no VLAN is to be provisioned. Although the default configuration for voice VLAN has changed, the new default configuration will not be applied to field upgrades. A limitation of the new functionality is that it could only apply to new phones being shipped from the factory with UNIStim software release 2.2 or greater. The default configuration of Auto will not be applied to field upgrades. Upgrading software does not change any pre-established values already in the phones. But, as mentioned above, to allow phones already deployed in the field to change the source of their VLAN information, with UNIStim software release 3.2 a new parameter called vvsource has been added to the Info Block to allow the VLAN source to be auto-provisioned. Important Note: While these changes provide greater flexibility, the change might impact the deployment of new phones into the network. Manually provisioned link speed and duplex mode restored to Auto after software upgrade (applies to IP Phone 2001, 2002, 2004, 2007, 1120E, 1140E and 1150E): In UNIStim software release 1.3 for IP Phones, including 0604DAX for Phase II Phones, 0621C3N for IP Phone 2007, 0623C3F, 0624C3F, 0625C3F and 0627C3F for I
33. 100 series Value from 7 to 39 for IP Phone 2007 br Value from 0 to 15 Brightness value Nortel Page 77 of 101 blt 5 seconds 1 minute 5 minutes 10 minutes 15 minutes 30 minutes 1 hour 2 hours always on Backlight timer dim dimt sst yes no 53 lt yS AKON Off 5 seconds 1 minute 5 minutes 10 minutes 15 minutes 30 minutes 1 hour 2 hours Off 1 minute 5 minutes 10 minutes 15 minutes 30 minutes Haak GS N Sjo NS AR GNH G 1 hour Nj 2 hours As of UNIStim software release 3 4 the previously supported dim parameter is no longer supported since its functionality is superseded by the dimt parameter The phone will still accept the dim parameter to prevent errors when reading existing provisioning files but the parameter will be ignored in favor of the new dimt parameter Phone inactivity timer to dim the screen IP Phone 2007 only Phone inactivity timer to initiate the slide show IP Phone 2007 only bt y yes n no Enable Bluetooth IP Phone 1140E and 1150E only zone Character string up to 8 characters Zone ID file Character string up of the following character 2 read zone file t read type file d read device file For system specific provisioning file specifies what other provisioning files to read Nortel Page 7
34. [Screenshot: MAC address entry screen of the Keycode Retrieval System] After all the MAC addresses have been entered, either manually or from a file, a summary screen as shown below will be presented to allow the user to review the list of MAC addresses. [Screenshot: Product Registration summary screen showing the site name and location, the list of entered MAC addresses, the instruction "Review the following configuration. Click Save to confirm and save the configuration", and Save and Cancel buttons] Once the user is satisfied that all the MAC addresses are correct, click Save to confirm and
35. 15 2 120 0 Prov XXX XXX XXX XXX Prov Zone ID End of Menu. The IP Phone 1110, IP Phone 1210, IP Phone 1220 and IP Phone 1230 contain a password protection mechanism to lock out access to the Local Tools menu, including the Network Configuration menu. If enabled, access to the Local Tools menu is password protected and the password is prompted by a pop-up window. One must type the password 26567 738 (color set) from the dial pad and press the center of the navigation cluster (enter key) to enter the Local Tools menu. When an incorrect password is entered, the Local Tools menu is not opened. To thwart password guessing, only 3 incorrect password entries in a row are allowed. After the 3rd incorrect entry, the password entry is ignored for 5 minutes. During this period of time, the password prompt is displayed and the entered digits are accepted; however, the phone will not process the incoming digits. The password prompt window simply closes and the behavior is identical to that of an incorrect password entry. The user will assume the incorrect password has been entered and try again. Thus, even if the correct password is guessed during the 5-minute period, it will be ignored. This effectively reduces the guess entry rate to 3 guesses every 5 minutes. Once the password has been entered, access to the Local Tools menu remains active for 5 minutes. During the 5 minutes, the menu can be freely navigated, exited and entered without be
36. 345 678 12 Decryption Fail 0 13 Authentication Fail 2 14 Bytes Sent 201 345 753 15 Bytes Revd 410 852 091 16 Last Rekey 6 03 45 ago 17 Total Rekey 8. VPN Feature Advisements: 1. When using Main Mode using X.509 Certificates and no X Authentication: The root CA certificate must be the CA certificate which issued the VPN Router certificate. The device certificate's key usage must include DigitalSignature. The device certificate's Extended Key Usage (EKU) must either not be present or contain the value anyExtendedKeyUsage. For Nortel VPN Router compatibility, if a Subject Alternate Name is present, it should not include a FQDN or USER_FQDN. An IP address is permitted. The VPN Router certificate is subject to the same Key Usage and Extended Key Usage as the phone's device certificate. The VPN router's public IP address must appear in the VPN Router certificate's Subject Common Name (CN) or the Subject Alternate Name. The phone will always send an ID Payload of type IPV4 ADDRESS containing the local IP address configured on the phone. The phone requires that the VPN Server configuration on the phone match the received ID Payload. If the active VPN Server is configured as an IP address, then the ID Payload must provide the same IP address. If the active VPN Server is configured as an FQDN, then the ID Payload must provide an exact match to the configured FQDN. 2. The IP Phone is c
37. 5ACE6 50 IP Phone 1140E Graphite with Icon Keycaps RoHS NTYSO5BCE6 50 IP Phone 1140E Graphite with English keycaps RoHS NTYSO5BCGS 01 IP Phone 1140E GSA RoHS Figure 1 below provides an explanation of where to identify the PEC and Hardware Release Number on the white product label located on the back of the IP Phone. [Figure 1: IP Phone Product Label, showing the CPC code, serial number, manufacturing date and week, 2D barcode, hardware release number and MAC address] If UFTP software download is used within the Communication Server 1000 environment, Nortel recommends that the software image for the IP Phone 1120E and IP Phone 1140E on the signaling server be upgraded minimally to UNIStim software release 3.1. Communication Server 1000 release 5.0 and greater will interpret denial of software downgrade responses from the new hardware phones. However, Communication Server 1000 prior to release 5.0 requires patch MPLR23154 to correctly interpret the phones' denial of software downgrade responses. Failure to install the patch introduces the risk that the call server may continuously try to downgrade the software, thereby denying service to the phone. If TFTP software download is used and the TFTP server is not upgraded to UNIStim software release 3.1 or greater, the TFTP server will continuously try to downgrade the software in the phone. The new hardware phone will pre
38. 8 of 101 hd Character string up of the following character w wired b Bluetooth n none Headset type ar arl y yes n no cr critical ma major mi minor cr critical ma major mi minor Enable Auto recovery Auto recovery level Log level ssh y yes n no Enable SSH sshid Character string between 4 and 12 characters SSH user ID 2 sshpwd Character string between 4 and 12 characters SSH password 2 bold y yes n no Enable bold on font display menupwd String between and 21 characters containing only numeric digits asterisk and hash i e only the dialpad symbols Administrator password 2 vvsource n no VLAN a auto VLAN via DHCP Iv auto VLAN via VLAN Name TLV Im auto VLAN via Network Policy TLV Source of VLAN information srtpid ntqos 96 115 120 y yes n no Payload type ID Enable Nortel Automatic QoS dscpovr y yes n no DSCP Precedence Override vpn y enable n disable Enable the Nortel VPN Client NVC within the phone vpntype T Nortel VPN Only Nortel VPN devices are supported at this time Nortel Page 79 of 101 vpnmode agressive Authentication mode main vpnauth psk preshared key
39. Adding Asian languages to an IP Phone 2007 that has software version 0621C3N (UNIStim software release 1.3) or earlier requires a 2-step process, since the configuration file format has changed to support the new font downloads. 1. One must first upgrade the IP Phone 2007 software to using TFTP with the former configuration files (BasicConfig folder), or upgrade the software from the call server. 2. Once the IP Phone 2007 is running the new software, one must update the TFTP server to the new configuration files (AsianConfig folder) to download the Asian font files. Running SRTP PSK with Communication Server 1000 release 5.0 requires a patch (applies to IP Phone 2001, 2002, 2004, 2007, 1110, 1120E, 1140E and 1150E): In association with Communication Server 1000 release 5.0, UNIStim software since release 2.0 has delivered media stream protection using SRTP UNIStim Keys (USK). However, running SRTP using PreShared Keys (PSK) is still a valid option in the IP Phones. But if one wishes to run SRTP PSK with Communication Server release 5.0, patch MPLR24632 is required on the Communication Server 1000. 8 The Communication Server 1000 patch is located in the Meridian PEP library at the www.nortel.com/support web site. Current release of SRTP PSK is not backward compatible with older versions of SRTP PSK (applies to IP Phone 2001, 2002, 2004, 2007, 1110, 1120E, 1140E and 1150E): As stated above, running SRTP using PreShared Keys (PSK) is still a va
40. [Screenshot: Keycode Retrieval System search result for site CAMPUS_1, showing the Product List of associated System Ids, the current configured features and the auth codes used] Note that each MAC address keycode can be viewed by selecting the individual MAC from the Product List dropdown box. If selected, a summary will be displayed as shown below, indicating Current Configured features, the line items or authcodes last used, creation date and the keycode itself. [Screenshot: Current Keycode summary showing the keycode number, last update date, creator, customer details and the keycode XML]
41. D> n/a ID; X authentication password: n/a, <Xauth password>, n/a; VPN Server 1: IP address or <FQDN>, IP address or <FQDN>, IP address or <FQDN>; VPN Server 2: Optional, Optional, Optional; CA root certificate: n/a, n/a, Required; Device certificate: n/a, n/a, Required. Provisioning: Auto-provisioning the NVC presents some unique challenges for remote deployments, since the corporate provisioning server cannot be accessed by the remote phone until after the VPN is fully configured. There are three options for provisioning a phone for a remote VPN deployment: 1. Pre-provision the phone using auto-provisioning within the corporate network prior to deploying remotely, 2. Provision the phone remotely using the new Nortel Phone VPN Configuration Wizard PC application, or 3. Manually provision the phone using the phone's Network Configuration menu. To auto-provision the NVC in the IP phone, new Info Block parameters have been introduced with UNIStim Software release 4.0. The new parameters to allow the NVC to be auto-provisioned are provided in the table below. Please refer to Appendix B for the complete list of parameters supported within the Info Block. vpn (y = enable, n = disable): Enable the Nortel VPN Client (NVC) within the phone. vpntype (1 = Nortel VPN): Only Nortel VPN devices are supported at this time.
42. E 1150E. It has been discovered that, when using the VPN feature on home-based phones, the phone may appear locked when downloading large files, such as font files, to the phone. This issue is due to Internet delay and the fact that the phone's TFTP client is inefficient at transferring large files across the Internet. Unfortunately, the IP Phone does not have a progress indication to inform the user that the download is still in progress and that the phone is in fact not locked. Users should be advised to wait should the phone be downloading font files over the Internet. As a temporary measure, one can also look at the link activity LED on the back of the phone to confirm that network activity is still occurring and that the phone is in fact not locked. NEW: A USB hub cannot be used to simultaneously connect a mouse and a keyboard to the USB port of the IP Phone 2007 (applies to the IP Phone 2007 only): The USB port on the IP Phone 2007 will not support the connection of both a mouse and a keyboard connected via a USB hub. The USB port on the IP Phone 2007 is restricted to supporting either a USB mouse or a USB keyboard, but not both simultaneously. 2-step upgrade may be required to load UNIStim Software release 4.0 on the IP Phone 2007 (applies to the IP Phone 2007 only): Due to changes in the memory structure of the IP Phone 2007, a 2-step upgrade may be required to load UNIStim software release 4.0 onto the IP Phone 2007 if the upgrade is perfo
43. E (required command): The PURPOSE command specifies which application(s) can use the device certificate defined in the DCP. Supported values for PURPOSE are shown in the table below. To specify multiple purposes, simply add each application's value; for example, to use the same certificate for both VPN and GXAS, enter the value 24 (16 + 8). To indicate that the device certificate can be used by all applications, enter the value of negative one (-1). [Table: supported PURPOSE values] DOWNLOAD_MODE (required command): The DOWNLOAD_MODE can be either FORCED or AUTO. If FORCED, the VERSION command is ignored and the license files are always downloaded. If AUTO, the application looks at the VERSION and downloads the license files only if they are a newer version than what is currently stored on the phone. VERSION (optional command; if this command is not present, version 0 is assumed): The VERSION command specifies the version of the certificates being downloaded. When certificates are written to the phone's memory, the value for the cfg file's VERSION field (or 0 if VERSION is not in the file) becomes the new stored version value against which any future comparisons are made. Footnote: Please note that since negative one means that the device certificate can be used by all applications, it cannot be combined with other values. FILENAME (required command): the filename of th
44. Fundamentals (NTP NN43001-368). For information on the UFTP software upgrade process for the Communication Server 1000, please refer to the IP Line Fundamentals (NTP NN43100-500). Upgrading the software in a Survivable Remote Gateway (SRG) 200/400 and SRG50 environment: For information on the software upgrade process for the SRG200/400, please refer to the Main Office Configuration Guide for SRG200/400 Rls 1.5 (NTP 553-3001-207). For information on the software upgrade process for the SRG50, please refer to the Main Office Configuration Guide for SRG50 Rls 2.0 (NTP 553-3001-207). Upgrading the software in a Business Communications Manager (BCM) environment: Upgrading of the software is dependent upon a BCM system patch that includes the set software. This is applicable to all BCM platforms. BCM system patches will be delivered initially as atomic patches that are individually installable. These patches will be rolled up into a monthly Smart Update, which includes all atomic patch content since the previous Smart Update. Patches and Smart Updates are posted for partner access on the www.nortel.com/support web site under Voice, Multimedia & Unified Communications, then under the respective BCM platform. Upgrading the software in a Communication Server 2100 (CICM) environment: Depending on the MR level, the IP Phone software will either be included in the installation files or will need to be transferred to the CICM Element
45. IStim VPN Client license includes a one-year warranty period for access to software updates. Software updates delivered within the one-year warranty period will be made available as a no-charge update. Software updates delivered beyond the one-year warranty period will require that the IP Clients UNIStim VPN Client license be refreshed for an additional year by ordering IP Clients UNIStim VPN Client Refresh. Diagnostics: With the introduction of Licensing in UNIStim Software release 4.0, a completely new menu item has been added to the phone's local diagnostics capabilities. The diagram below shows the new menu item. 1. IP Set and DHCP Information 2. Network Diagnostic Tools 3. Ethernet Statistics 4. IP Network Statistics 5. USB Devices 6. Advanced Diag Tools 7. License Information 8. VPN Statistics 9. Certificate Information. The new License Information screen, as shown below, provides information on the status of the phone's license as well as the features that are licensed, the number of tokens (the licensing currency) that the license contains and the number of tokens being used. 1 License Mode Node Locked Status Active License Type Standard License Warranty 2009 12 31 FW Build Date 2009 03 31 FW Warranty Date 2009 03 31 Tokens Allocated 2 Tokens Remaining 0 4 Licensed Features 2 VPN 2 SCR 3rd Party 0 disabled The St
46. NORTEL Product Bulletin. Bulletin Number: P 2009 0143 Global. Date: 3 Nov 2009. UNIStim Software Release 4.0 for IP Phones, including 0621C7A for IP Phone 2007, 0623C7C, 0624C7C, 0625C7C and 0627C7C for IP Phone 1110, 1120E, 1140E and 1150E respectively, and 062AC7C for IP Phone 1210, 1220 and 1230. REVISION HISTORY: Date: 3 Nov 09. Revision: Original bulletin. Summary of Changes: This is the original publication. Introduction: Nortel is pleased to announce the availability of UNIStim software release 4.0 for IP Phones. UNIStim software release 4.0 makes available software version 0621C7A for the IP Phone 2007. In addition, UNIStim software release 4.0 makes available software versions 0623C7C, 0624C7C, 0625C7C and 0627C7C for the IP Phone 1110, IP Phone 1120E, IP Phone 1140E and IP Phone 1150E respectively. Finally, UNIStim software release 4.0 makes available software version 062AC7C for the IP Phone 1210, IP Phone 1220 and IP Phone 1230. Nortel recommends an upgrade to these releases of software for all applicable IP Phones and Call Servers at the earliest convenience. These releases are being provided as a no-charge update to all customers, although some of the new functionality delivered in UNIStim software release 4.0 can only be activated with a purchased license. No UNIStim Software release 4.0 is being offered for the Phase II IP Phone 2001, Phase II IP Phone 2002 and Phase II IP Phone 2004. Nort
47. P Phone 1110, 1120E, 1140E and 1150E respectively, Nortel introduced greater low-level network control, available through the phone's configuration menus. The greater control included allowing the link speed and the duplex mode on the IP phones to be provisioned independently for both the network port and the PC port. By delivering this greater network control, the software unfortunately has to reset link speed and duplex mode back to Auto after an upgrade. Regrettably, preservation of the forced manual override could not be maintained during the upgrade. What this means is that if the IP Phone is running software prior to UNIStim software release 1.3, and if the link speed was manually provisioned to force the link to 10Mbit Full Duplex or 100Mbit Full Duplex, then after upgrading the software to UNIStim software release 1.3 or greater (including the current UNIStim software release 3.0), the link speed and duplex mode are reset to Auto, representing auto-negotiation. With the phone now configured for auto-negotiation, a duplex mismatch will occur if the other end of the link is still provisioned to force the link to 10Mbit Full Duplex or 100Mbit Full Duplex. But with UNIStim software release 3.1 for IP Phones, the means to provision the network port speed and the network port duplex mode has been added to the Info Block; see feature 3, Auto Provisioning Support for Network Port Speed and Network Port Duplex Mode
48. P VLAN 0 N 1 Y 0 The LLDP VLAN menu is only presented if LLDP is enabled above if 0 DHCP 0 N 1 Y 0 The DHCP menu is only presented if DHCP is provisioned to Partial or Full above else if 1 VOICE VLAN ID VLANFILTER 0 N 1 Y 0 Cirl pBits 0 7 8 Au 8 Media pBits 0 7 8 Au 8 PC Port 0 OFF 1 ON 1 This menu item and submenus are not available on the IP Phone 2001 if 1 Speed 0 A 1 10 2 100 0 if 1 or 2 Duplex 0 A 1 F 2 H 0 Data 802 1Q 0 N 1 Y 1 if 1 DATA VLAN 0 N 1 Y 0 if 1 DATA VLAN Cfg 0 A 1 M 0 This DATA VLAN Cfg menu item is only presented if LLDP is enabled above if 1 DATA VLAN ID Data pBits 0 7 8 Au 8 PCUntagAIllI 0 N 1 Y 0 Cached IP 0 N 1 Y 0 This Cached IP menu item is only presented if DHCP is provisioned to Yes above and Voice VLAN is not provisioned as Auto GARP Ignore 0 N 1 Y 0 PSK SRTP 0 N 1 Y 0 PayID 0 96 1 115 2 120 0 Nortel Page 100 of 101 Appendix K Restore to Factory Defaults The UNIStim software release 3 0 for IP Phones introduced the ability to restore an IP Phone to a factory default configuration This can be useful when redeploying an IP Phone from one location to another when starting to use an IP Phone with unknown history or to reset to a known baseline configuration With UNIStim software release 3 0 and greater the following keypad sequence is used to reset all provisioning para
49. Phone can request a brief pause from the transmitting Ethernet device if the IP Phone buffers are about to overflow. Ethernet flow control cannot be implemented on the phone's network port since it impacts the phone's voice quality. As a result, in environments where the network is GigE but the PC NIC is only 100Mbit, large file transfers from the network to the PC can take quite a long time. On the other hand, since Ethernet flow control is implemented on the phone's PC port, in environments where the PC NIC is GigE but the network is only 100Mbit, large file transfers should be well managed by the phone's Ethernet flow control mechanism.

Incompatibility between older IP Phones and the Nortel-i2004-B option string (applies to Phase 0 IP Phone 2004, Phase 1 IP Phone 2002 and Phase 1 IP Phone 2004 only)

A compatibility issue was found with the new Nortel-i2004-B option type and the older Phase 0 IP Phone 2004 (NTEX00), Phase 1 IP Phone 2002 (NTDU76) and Phase 1 IP Phone 2004 (NTDU82). Even though these older phones ignore the Nortel-i2004-B option type, the length of the DHCP frame causes problems for the older phones. Since the list of all the parameters that can be provisioned via the Nortel-i2004-B options is extensive, the length of the DHCP frame can be quite large. The older phones will only accept a DHCP message to a maximum of 590 bytes, far short of the maximum DHCP message size of 1456 bytes. In a
50. Phone with an Info Block via TFTP or HTTP applies to the IP Phone 2007 1110 1120E 1140E 1150E 1210 1220 1230 The IP Phones can receive the Info Block inside one or more provisioning files that can be retrieved from a TFTP or HTTP server Multiple provisioning files are supported by the phone SYSTEM provisioning file provides provisioning information to all IP Phones that support the auto provisioning feature e g system prv ZONE provisioning file provides provisioning information to IP Phones that belong to a unique defined zone or group e g headqrtr prv TYPE provisioning file provides provisioning information to all the IP Phones of a particular model types i e 1140E prv DEVICE provisioning file provides provisioning information to a specific single device based on the device s MAC address i e 001365FEF4D4 prv The provisioning files contain the provisioning Info Block only The IP Phone continues to use the configuration file s for obtaining software and font file updates The provisioning files are text based file which contains parameters that require provisioning An example of using hierarchal provisioning files using system zone and type provisioning files is as per the following system prv System level provisioning file Applies to all phones fFile zt read lt zone gt prv and lt type gt prv zone headqrtr Zone id unid Main tower Unique
51. Phones PEC Description Software file NTDU96xxxxxx IP Phone 2007 0621C7A bin NTYSO2xxxxxx IP Phone 1110 0623C7C bin NTYS0O3xxxxxx IP Phone 1120E 0624C7C bin NTYSO5xxxxxx IP Phone 1140E 0625C7C bin NTYSO6xxxxxx IP Phone 1150E 0627C7C bin NTYS18xxxxxx IP Phone 1210 062AC7C bin NTYS19xxxxxx IP Phone 1220 062AC7C bin NTYS20xxxxxx IP Phone 1230 062AC7C bin IP Phone 2004 NTEX00 Phase 1 IP Phone 2002 NTDU76 and Phase 1 IP Phone 2004 NTDU82 cannot load these releases Nortel Page 63 of 101 Call Server Compatibility and Requirements These software releases are compatible with the below Nortel Call Servers Note that the IP Phone 1200 series is only supported on Communication Server 1000 release 5 5 and greater SRG 50 release 3 0 BCM 50 release 3 0 BCM 450 release 1 0 and Communication Server 2100 CICM 10 1 MR2 Communications Server 1000 Call Server Release Notes Advisements CS 1000 6 0R IP Line 6 00 18 SS Linux App 6 00 018 Nortel recommends an upgrade to these software releases at the earliest opportunity The following patches are required to support the DTLS feature on this platform 1 nortel cs1000 tps 6 00 18 23 002 1386 000 or greater 2 nortel cs1000 csv 6 00 18 23 001 i386 000 or greater Please refer to NTP NN43001 315 Linux Platform Base and Applications Installation and Commissioning for patch installation instructions CS 1000 5 5J IP L
52. TFTP server instead in order to restore or upgrade the software from BootC a manual TFTP download from BootC must be performed The Manual TFTP Download from BootC Procedure is documented in the IP Phones Fundamentals NTP NN43001 368 Regardless caution should be exercised to avoid power disruptions during software upgrades Nortel Page 61 of 101 Quality Improvements In addition to delivering the enhancements listed above the UNIStim software release 4 0 for IP Phones also continues to improve the overall quality of the IP Phone software through the delivery of ongoing resolution of CRs and closed cases Numerous quality improvements have been delivered and 6 customer cases have been closed in UNIStim 4 0 UNIStim software release 4 0 for IP Phones close the following cases Case Title Slight chance that the IP Phone 2004 may freeze when ending an IP Call 090708 75234 Recording IPCR call Problem with the IP Phone 2004 obtaining an IP address when 802 1Q is 090824 03336 enabled 090805 92397 Issue with Mouse Cursor on the IP Phone 2007 when backlight turns off 090713 78022 Issue with menu access when Lock Menu is enabled 090519 43214 SSH challenge prompt causes issue on IP Phone 1100 series 090728 87526 Concern with lowest ring tone setting on the IP Phone 1120E Nortel Page 62 of 101 IP Phone Compatibility UNIStim software release 4 0 for IP Phones is compatible with the following IP
53. User GROUP All Customer Groups Step Please enter the Site Name for your site Press the Continue button after finishing Required Field Note Site Name must NOT contain Blank Spaces Site Name Campus_1 Continue Cancel K3 Page 26 of 101 At present for IP Clients UNIStim VPN Client licenses one must register the MAC address of each IP Phone onto which a license is to be installed The MAC addresses can be provided to KRS using one of two methods 1 using a comma delimited file of MAC addresses to KRS or 2 manually typing in each MAC address To use a comma delimited file of MAC addresses select the Browse button to locate the file on the computer connected to KRS as shown on the diagram below Once the comma delimited file of MAC addresses has been selected click Continue em ID file a file with a li Step Please select t separated MAC Addresses Or Click Continue ta m y define each MAC Addre ed with this Site Name Note This is the only chance you will have to upload a file All other MAC Addresses will have to be added manually one at a time x and requirement of MAC Addresses on a single line og 00 00 00 00 00 44 00 00 00 00 00 BB 00 00 00 00 00 CC 00 00 00 00 00 DD 0000000000EE B Feature Manage System ID File D Profiles sswan Desktop lF Browse gt inist B eAuth e B Utility B Contact Global Support To manually type in each MAC address inste
54. a license that is required to activate a Nortel VPN Client NVC in the UNIStim based IP Phone 1100 series as described in the Nortel VPN Client section earlier in this document The IP Clients UNIStim VPN Client license includes a one year warranty period for access to software updates Software updates delivered within the one year warranty period will be made available as a no charge update Software updates delivered beyond the one year warranty period will require that the IP Clients UNIStim VPN Client license be refreshed for an additional year by ordering IP Clients UNIStim VPN Client Refresh Ordering The IP Clients UNIStim VPN Client licenses can be order as a merchandise item At the time of this writing the Enterprise Configurator has not been updated to allow the IP Clients UNIStim VPN Client license to be included with new system installs Unfortunately the IP Clients UNIStim VPN Client licenses must be order as a merchandise item for new installs until such time as the Enterprise Configurator is updated The PEC for the IP Clients UNIStim VPN Client is PEC CPC Description NTYSO1EAE6 N0214767 IP Clients UNIStim VPN Client includes one year warranty period for access to software updates The purchase order for IP Clients UNIStim VPN Client licenses contains the eAuth code to allow the generation of the actual license The license is created in Nortel s Keycode Retrieval System KRS The below diagram depi
55. ad leave the System ID File field blank and simply click Continue The next screen simply request information on the System location Once it is entered click Continue If the MAC addresses were supplied by a comma delimited file after entering the location information the next screen displayed is a summary screen But if the MAC addresses were not supplied by a comma delimited file after entering the location information the next screen as depicted below allows the user to enter the MAC addresses manually The MAC addresses are entered one at a time in the field labeled MAC Address ID After each MAC address is entered click on Add which will then bring up a new blank MAC Address ID field to allow the entry of the next MAC address This process should be repeated until all the MAC addresses have been entered When all the MAC addresses have been entered click on Continue Nortel Page 27 of 101 curren summary gt Gen Temp Keycode f a L Site Name CAMPUS 1 gt Retrieve Keycode Ci Ben T gt Retrieve Custom ity i an amann m gt Reset Auth Code Country UNITED STATES State Prov California gt Remap Site gt Documentation Forms amp USER GUIDES Step Add systems to the site by entering a MAC address in a text box gt Regenerate Keycode below and pressing Add Click the Continue button when you are done gt Migrate to Server Mode MAC Address 0 ACTION gt Delete Temp Keycode gt Log Note 00
56. and enabling DTLS to encrypt the call control between the IP Phone and the Communication Server 1000 please refer to the IP Line Fundamentals NTP NN43100 500 Nortel Page 38 of 101 Diagnostics To assist in diagnosing any potential service outages the IP Set Information screen under Local Diagnostics has been expanded to include DTLS information IP Set Information screen will now show an expanded section 10 Servers Information with the following additional information e Static Config indicates whether the signaling connection to S1 S2 both or neither is configured to use DTLS e Session Info indicates whether the current signaling connection is using DTLS Active or not Inactive Certificate DN the certificate Distinguished Name DN sent from the call server Certificate Issuer the Issuer of the certificate Last Error description of last error if any including Authentication Failed Timeout None and N A The below diagram shows the expanded 10 Server s Information menu item DTLS Data Static Config None Session Info Inactive Certificate DN Certificate Issuer Last Error N A Certificate Establishing a secure DTLS connection between the IP Phone and the call server is dependent on the installation of a root CA certificate onto the IP Phone The root certificate and a device certificate must be installed on the phone For details on installing both Root
57. apable of supporting multiple certificates. However, as a security precaution, all certificates installed into the phone subsequent to the initial certificate must be signed and authenticated by the initial certificate. Therefore, if a certificate is already installed in the phone for EAP-TLS and you wish to enable VPN Main Mode using X.509 Certificates and no X Authentication, you will need to remove the existing certificate, install a new CA root certificate, and then sign and reinstall the EAP-TLS certificate.

3. A license is required to allow the Nortel VPN Client (NVC) in the UNIStim-based IP Phone 1100 series to operate in unrestricted mode. Without a valid license, the NVC will operate in restricted mode and will not allow any telephony operations to occur within the tunnel. To allow telephony operations within the tunnel, a valid license is required to allow the NVC to operate in unrestricted mode. Please refer to the following section for details on IP Phone licensing.

4. A VPN tunnel between the IP Phone and the corporate network is terminated at the corporate network end by enterprise VPN equipment. Separate provisioning and/or licenses may be required on the enterprise VPN equipment to allow the NVC connection.

2. Application and Feature Licensing (applies to the IP Phone 1110, 1120E, 1140E and 1150E)

UNIStim Software release 4.0 introduces application and feature licensing to control the activation of specific applications and features in the
58. applies the keycode to the product Nortel KRS is available via Support and Training on the Nortel website located at http support nortel com KRS is located under Online Self Service The home page of KRS is the login and Product Select page as shown in the diagram below If you do not already have a KRS account click on Customer Registration and follow the instructions to request an account Nortel Page 24 of 101 NORTEL SOLUTIONS PRODUCTS SERVICES SUPPORT amp TRAINING PARTNERS HOME gt TECHNICAL SUPPORT gt ONLINE SELF SERVICE gt KEYCODE RETRIEVAL SYSTEM KRS Welcome Steve Swan gt Log Out B Security Advisories B My Profile B Products by Category B Products A Z B Online Self Service B My Support Center gt My Products gt My Bookmarks gt My Email Alerts gt What s New B Helv Usina This Site KEYCODE RETRIEVAL SYSTEM KRS 3 You may need to be registered in order to obtain keycodes for some products After the Onli approximately 5 business days to validate your registration information and provide access t gt CUSTOMER REGISTRATION Nortel Employees should refer to the following instructions in order to register for access gt EMPLOYEE REGISTRATION Ei STEP 1 U Choose the login location you would like to use for access to the Keycode Retrieval System GLOBAL LOGIN v Bi STEP 2 Choose the appropriate product whose keycodes you would like to ac
59. are release 2 3 for the Phase II IP Phone 2001 2002 and 2004 the IP Phones could obtain only limited provisioning parameters via Nortel specific DHCP options The Nortel specific DHCP option types supported included e Nortel i2004 A is a unique identifier for provisioning Nortel call server information into the IP Phone e VLAN A is a unique identifier for provisioning 802 1Q VLAN information into the IP Phone With the introduction of the UNIStim software release 2 2 and greater for the IP Phone 2007 IP Phone 1110 IP Phone 1120E IP Phone 1140E and IP Phone 1150E73 and UNIStim software release 2 3 and greater for the Phase II IP Phone 2001 2002 and 2004 a new Nortel specific option type is introduced Nortel i2004 B The new Nortel i2004 B specific option type expands the number of parameters that can be provisioned to include all those previously provisioned in the existing option type of Nortel i2004 A plus more The existing option type of Nortel i2004 A will continue to be supported for backward compatibility In fact the new software will accept both option types although it is recommended to either remain with the existing option type or move to the new option type but not both In the event that the IP Phone receives both option types values provisioned with the new option type of Nortel i2004 B will have a higher priority than values provisioned with the old option type Nortel i2004 A DHCP option type VLAN A continues to
60. atus is used to convey information about the license. The following statuses are available:
• Active: License is valid or feature is within the evaluation period.
• Released: A licensed feature has been de-commissioned and the license has been released.
• Invalid License File: Licensing file is invalid.
• No License File: No license file has been loaded onto the phone.
• No Token Needed: All licensed features have been de-commissioned.

Alarms

The license feature provides notification messages on the phone's display if there is no license available to enable features, the license has expired, or the evaluation period has ended. These notification messages allow the administrator to diagnose why a licensed feature is not working on the phone. License notification messages will be displayed in a pop-up window on top of the phone's telephony screen. The notification messages can be dismissed by pressing the stop key or by lifting the handset. Once a notification message is dismissed, the phone will close the pop-up window. The notification messages will be displayed every 24 hours at 1:00 am until the licensing offense is fixed or removed. The 1:00 am trigger is the default and can be changed by the phone administrator via the phone configuration system. If no licensed feature is enabled, the phone will not display any of the license notification messages described in this section. The following diagrams depict the various license noti
61. be supported DHCP support for provisioning the IP Phones requires DHCP to send a class identifier option with the valid option type in each DHCP Offer and DHCP Acknowledgement 23 IP Phone 1210 1220 and 1230 were introduced with UNIStim software release 2 2 for IP Phones and support Nortel i2004 B from initial release Nortel Page 86 of 101 The IP Phone supports both vendor specific sub ops and site specific options The new software now supports 42 Nortel specific DHCP options as listed below Newly claimed options are in bold where as the reclassified options are in italics e 21 DHCP vender specific options 128 131 144 157 188 191 205 219 223 224 227 230 232 235 238 241 244 247 249 251 and 254 e 21 DHCP site specific options 128 131 144 157 188 191 205 219 223 224 227 230 232 235 238 241 244 247 249 251 and 254 The vendor specific field of the DHCP response is parsed to extract the provisioning information The format of the Nortel i2004 B DHCP option type is Nortel i2004 B param1 value1 jparam2 value2 param3 value3g An example DHCP provisioning string is as per the following Nortel i2004 B slip 47 11 62 20 p1 4100 al 1 r1 255 s2ip 47 11 62 21 p2 4100 a2 1 r2 2 xip 47 11 62 147 xp 5000 xa g menulock p vq y vcp 3 vmp 4 vlanf y pc y pcs a pcd a dq y dv y dvid 60 dp 5 pcuntag y The list of all the parameters that can be provisio
62. ble 0 N 1 Y 0 DHCP 0 N 1 Y 1 if 0 Set IP xxx xXX XXX XXX Netmsk XXX XXX XXX XXX Def GW XXX XXX XXX XXX DNS1 IP XXX XXX XXX XXX DNS2 IP XXX XXX XXX XXX CA Server Domain Name Hostname S1 IP XXX XXX XXX XXX S1 Port S1 Action S1 Retry Count S2 IP XXX XXX XXX XXX S2 Port S2 Action S2 Retry Count Speed 0 A 1 10 2 100 0 if 1 or 2 Duplex 0 A 1 F 2 H 0 Cfg XAS 0 N 1 Y 1 if 1 XAS IP XXX XXX XXX XXX Nortel Page 96 of 101 Voice 802 1Q 0 N 1 Y 1 if 1 Voice VLAN 0 N 1 Y 0 if 1 VLAN Cfg 0 Auto 1 Man 1 This VLAN Cfg menu is only presented if DHCP is provisioned to Y above or if LLDP Enabled is provisioned to Y above if 1 VLAN ID VLAN Filter 0 N 1 Y 0 Ctrl pBits 0 7 8 Au 8 Media pBits 0 7 8 Au 8 NT AutoQOS 0 N 1 Y 0 DSCP Ovride 0 N 1 Y 0 This DSCP Override menu item is only presented if LLDP Enable is enabled above and neither the Control DSCP or Media DSCP are not manually set below CTRL DSCP 0 63 xxx Media DSCP 0 63 xxx PC Port 0 Off 1 On 1 if 1 Speed 0 A 1 10 2 100 0 if 1 or 2 Duplex 0 A 1 F 2 H 0 Data 802 1Q 0 N 1 Y 1 if 1 VLAN ID Data pBits 0 7 8 Au 8 PCUntagAII 0 N 1 Y 1 Stickiness 0 N 1 Y 1 Cached IP 0 N 1 Y 0 This Cached IP menu item is only presented if DHCP is provisioned to Y above GARP Ignore 0 N 1 Y 0 SRTP PSK 0 N 1 Y 0 PayID 0 96 1 1
63. blished. The credentials required to establish the VPN tunnel are dependent on the authentication method chosen for the tunnel establishment. The table below lists the security credentials required for each mode.

Mode: Security Credentials Required
• Aggressive Mode with a PreShared Key and no X Authentication: User ID and Password
• Aggressive Mode with a PreShared Key and with X Authentication: User ID, Password, XAuthentication User ID and XAuthentication Password
• Main Mode using X.509 Certificates and no X Authentication: CA root certificate and device certificate

If the authentication method chosen in the NVC is Aggressive Mode with a PreShared Key and no X Authentication, then only a User ID and Password are required. If Aggressive Mode with a PreShared Key and with X Authentication is chosen, then in addition to the User ID and Password, the XAUTH User ID and XAUTH Password are also required. All the user IDs and passwords can be provisioned into the phone either manually or by auto-provisioning. If the user IDs and passwords are provisioned into the phone, the end user will not be prompted to enter the credentials. But if the user IDs and passwords required by the chosen authentication method are not provisioned into the phone, the user is prompted to enter them prior to the establishment of the tunnel. XAUTH User ID and XAUTH Password correspond to the GroupId and Password respectively configured on Nortel VPN
64. cess PRODUCT FAMILY x GO E FOR KEYCODE SUPPORT a Aut 2 If you do already have an account select IP Clients from the PRODUCT FAMILY pull down list which will then prompt you to enter your user ID and password After logging into the IP Clients KRS product family the default screen is the Product Registration page as shown below Nortel Page 25 of 101 Welcome SuperF SuperL gt Log Out B Technical Support B Register B Product Control gt Product Registration nerate Ke gt Gen Temp Key gt Retrieve Keycode gt Retrieve Custom gt Reset Auth Code gt Remap Site gt Documentation Forms amp USER GUIDES gt Regenerate Keycode gt Migrate to Server Mode gt Delete Temp Keycode gt Log Note B Feature Manage B Administration B eAuth Code Management B Reports lt KEYCODE RETRIEVAL SYSTEM This section enables you to register new products into the Keycode Retrieval System so that you can add or transfer features to the product in the future KRS Support Super USER SuperF SuperL TYPE User GROUP All Customer Groups il Step Query available sites by entering text in any combination of the two query fields and then click the Search button Matching sites will be displayed in the result list Note that the result list will show only the first 50 sites that satisfy the query so you may need to further refine your query Create a new site by clicking the Create
65. cts the ordering process for one or more IP Clients UNIStim VPN Client licenses 8 Licensing may apply on the CRQM At publication time Secure Call Recording is only supported with the Nortel Call recorder Quality Management CRQM product As such at this time there is no Secure Call Recording license since there is no Secure Call Recording support with any 3 party call recorder Nortel Page 23 of 101 A Customer purchases licensed services a either asa C SAP OM sends non stock merchandise items L PO of licenses to KRS or through EC D Customer inputs MAC B SAP Order addresses of IP Phones Management on which the licensed generates a PO for service will operate KRS requested services creates multiple license keycodes one per MAC address Licensed Service E License keycodes are moved to the F Phone s specific Provisioning Server license keycode is installed on the phone by the Provisioning Server License Generation As mentioned above Nortel KRS is used to generate the license keycodes An overview of the KRS system is as follows e Customer logs into KRS and initially registers their system e Customer selects Generate Keycode e Customer selects licenses features from Purchase Order PO and generates keycode e KRS generates the license keycode and saves the result to its database The license keycode is also displays to the customer e Customer downloads the license keycode and
66. d using SCEP to be associated with a specific device certificate profile (DCP)
• allow the definition of the number of days prior to expiry when the phone should attempt to renew the device certificate automatically (default is 90 days)
• eliminate the need to be prompted for the CA fingerprint during renewal (the user is still prompted for the CA password)
• automatically repeat the prompt for certificate renewal on an hourly basis if the password prompt times out
• provide more control over the attributes of the requested device certificate
• provide the ability to force a device certificate to be deleted
• allow the CA Server configuration to support a URL containing an FQDN hostname instead of only an IP address

PKCS#12

New with UNIStim Software release 4.0 for IP Phones is the support for PKCS#12 Device Certificates. PKCS#12 is a standard which allows a device certificate and its private key to be encrypted for secure transmission. A PKCS#12 file is encrypted by a user-defined password when it is created. Then, to extract the device certificate with its private key, the recipient must know the password. After the PKCS#12 file is downloaded, the user is prompted to enter the password. If the prompt times out, the installation is aborted. The advantage to using PKCS#12 rather than SCEP is that with PKCS#12 an administrator has full control over the device certificate attributes. But realize that PKCS#12 installed
67. e device certificate file to be downloaded. The individual device certificate file name is MAC.pfx or MAC.p12, where MAC is the phone's 12-character MAC address to which the certificate is associated. The FILENAME command uses the asterisk to represent the MAC address. Each individual phone will, upon reading this command, substitute its own MAC address into the filename, thereby assuring that the phone only downloads its specific device certificate file. Below is an example of a DEV_CERT section in a configuration file. In this example, a PKCS#12 device certificate will be downloaded into DCP 2 and will be marked as being available for all applications. The version associated with the device certificate will be marked as 5. Finally, the * in the filename is substituted with the phone's MAC address (e.g. 001365ff7d69.pfx) so that each phone will download its own unique device certificate.

DEV_CERT DOWNLOAD_MODE AUTO RSION 000005 ENAME pfx 2 1

Device Certificate Profiles (DCP)

Also new with UNIStim Software release 4.0 for IP Phones is the support for Device Certificate Profiles (DCP). A DCP provides the ability to support mixed SCEP and/or PKCS#12 device certificate installs by specifying the installation method for each certificate independently of each other. A DCP also allows arbitrary sharing of device certificates across one or more applications. The number of DCP supported is dep
68. e maximum DHCP message size of 1456 bytes. In a mixed environment of phones that support Nortel-i2004-B with Phase 0 and Phase 1 phones, one must either:
• ensure any option strings that are defined are small enough that the DHCP message does not exceed 590 bytes, or
• service the Phase 0 and Phase 1 phones with a DHCP offer that excludes the Nortel-i2004-B option.

Appendix F: IP Phone Provisioning Precedence Rule and Stickiness Control (applies to the IP Phone 2007, 1110, 1120E, 1140E, 1150E, 1210, 1220, 1230)

The IP Phone 2007, IP Phone 1110, IP Phone 1120E, IP Phone 1140E, IP Phone 1150E, IP Phone 1210, IP Phone 1220 and IP Phone 1230 can obtain provisioning information from multiple sources when the parameter source is defined as AUTO from the Auto Provisioning page. The sources of automatic provisioning information include:
• LLDP, when the phone is connected to an 802.1ab-enabled network switch
• DHCP
• Provisioning file transferred via TFTP or HTTP
• Call server and/or associated telephony manager using UNIStim

It is assumed that each network provisioning parameter will be supplied by one and only one source. However, if the phone receives network configuration information from multiple sources, a precedence rule is applied to determine the one source the phone selects for its provisioning information. The precedence rule, from highest priority to lowest priority, for IP Phone provisioning is as follows:
• Manual
69. e phone
• VERSION (optional command; if this command is not present, version 0 is assumed): The VERSION command specifies the version of the licenses being downloaded. The version applies to all files listed in the LICENSING section. When licenses are written to the phone's memory, the value for the configuration file's VERSION field (or 0 if VERSION is not in the file) becomes the new stored version value against which any future comparisons are made.
• FILENAME (required command): the filename of the keycode file to be downloaded. Recall that the individual keycode license file name is ipctokenMAC.cfg, where MAC is the phone's 12-character MAC address to which the license is associated. The FILENAME command uses the asterisk to represent the MAC address. Each individual phone will, upon reading this command, substitute its own MAC address into the filename, thereby assuring that the phone only downloads its unique keycode file. Files can either be in the same folder as the configuration file or in a subfolder. If they are in a subdirectory, the path needs to be prepended to each filename.

Below is an example of a LICENSING section in an 1140e.cfg file. Note that in this example the keycode licensing files are in a subdirectory named UNIStim LICENSING.

LICENSING DOWNLOAD_MODE FORCED VERSION 000001 FILENAME UNIStim LICENSING ipctoken cfg

Warranty

The IP Clients UN
70. UNIStim software release 4.0 for IP Phones is available for download from the Software Download link under Support and Training on the Nortel website located at http support nortel com. The software is available by phone model under Phones, Clients and Accessories. These software loads have not been introduced as the default loads for the IP Phones shipped from Nortel. UNIStim software release 4.0 for IP Phones delivers enhancements to Nortel's IP Telephony Solution and delivers general quality improvements. The enhancements available include:
• Nortel VPN Client (NVC) in the IP Phone 1100 series
• Feature and Application Licensing
• Secure Signaling using DTLS
• Secure Call Recording
• DfO Enhancements
• Enhancements to Certificate Support

Enhancements

1. Nortel VPN Client (applies to the IP Phone 1120E, 1140E and 1150E)

UNIStim Software release 4.0 introduces an integrated Nortel VPN Client (formerly known as the Contivity VPN Client) inside the IP Phone 1100 series. The Nortel VPN Client (NVC) is supported on all the IP Phone 1100 series phones except the IP Phone 1110. The NVC allows the IP Phone to be deployed remotely and maintain a connection back to the corporate network by establishing a Virtual Private Network (VPN) tunnel. The NVC feature can be used by telecommuters or remote workers to maintain a corporate phone connection from their remote location. The VPN tunnel guarantees a secure connection
71. endant on the phone model. The number of profiles supported by phone model is shown in the table below.

Model: Number of supported DCP
• IP Phone 2007: 3
• IP Phone 1100 series (except the IP Phone 1110): 6
• IP Phone 1110: 5
• IP Phone 1200 series: 5

One device certificate can be installed with each supported DCP. DCP provisioning parameters all include the prefix dcp and include a suffix with the DCP index (1 to maximum number of profiles). For example, dcpsource1 is the Source (SCEP or PKCS#12) for DCP 1.

Device Certificate Profiles (DCP) can only be configured using auto-provisioning. Each DCP can be configured for SCEP or PKCS#12 and configured as Active or Inactive. By default, DCP 1 is configured as active with SCEP, whereas all remaining DCP are configured as inactive with PKCS#12. An inactive PKCS#12 DCP is automatically activated if a PKCS#12 device certificate is successfully installed using the DEV_CERT configuration option. Several new Info Block parameters have been created to allow the DCP to be auto-provisioned. Some of the new DCP parameters are common to both SCEP and PKCS#12 device certificate configuration, whereas some of the new DCP parameters apply only to SCEP device certificate configuration. The new Info Block parameters that have been created to allow the DCP to be auto-provisioned are provided in the two tables below. Please refer to Appendix B for the compl
72. er VLAN ID (The Auto option in the Voice VLAN menu is only available if DHCP is provisioned to Yes above or if LLDP is enabled above, respectively.) VLAN Filter; Ctrl Priority Bits: Auto, 0, 1, 2, 3, 4, 5, 6, 7; Media Priority Bits: Auto, 0, 1, 2, 3, 4, 5, 6, 7; Enable Nortel Auto QoS; DSCP Override (This DSCP Override menu item is only presented if Enable 802.1ab LLDP is enabled above and Control DSCP or Media DSCP are not manually set below.); Control DSCP: xxx; Media DSCP: xxx; Enable PC Port; PC Port Speed: Auto, 10BT, 100BT; PC Port Duplex: Auto, Force Full, Force Half; Enable Data 802.1Q; DataVLAN: No VLAN, Enter VLAN ID; Data Priority Bits: Auto, 0, 1, 2, 3, 4, 5, 6, 7; PC Port Untag All; Enable Stickiness; Cached IP (This Cached IP menu item is only presented if DHCP is provisioned to Yes above.); Ignore GARP; Enable SRTP PSK; SRTP PSK Payload ID: 96, 115, 120; Provision: xxx.xxx.xxx.xxx; Provision Zone ID. The IP Phone 2007 contains a password protection mechanism to lock out access to the Local Tools menu, including the Network Configuration menu. If enabled, access to the Local Tools menu is password protected and the password is prompted by a pop-up window. One must type the password 26567 738 (color set) from the dial pad and press the OK softkey to enter the Local Tools menu. When an incorrect password is entered, the Local Too
73. ertain USB mice do not work with IP Phone 2007 (applies to IP Phone 2007 only). It has been discovered that certain USB mice do not work with the IP Phone 2007. If the mouse does not transmit information in the Production, Vendor and Manufacturing fields of the USB communication exchange, the mouse will not be recognized by the IP Phone 2007. Note that failure to send the above mentioned information is in violation of the USB communication exchange standard. Most leading brands of mice do send the required information. Contrast adjustments: Local & TPS contrast adjustments are not synchronized (applies to IP Phone 1110, 1120E, 1140E and 1150E). The IP Phone 1110, 1120E, 1140E and 1150E graphical display contrast control can be adjusted either locally on the phone or through the call server (TPS) control. The Communication Server 1000 TPS does not yet synchronize its contrast setting with the local control. This means that if the local control is used exclusively, then whenever the phone has a power cycle the TPS contrast setting is restored and the user may need to adjust contrast again. The local contrast control on the IP Phone 1110, 1120E, 1140E and 1150E is accessed by a double press of the Services key and selecting 1. Preferences, then 1. Display Settings in the menu. The TPS contrast control is accessed with a single press of the Services key, then selecting Telephone Options, then Contrast Ad
74. ete list of parameters supported within the Info Block. The new Info Block parameters that have been created to allow the DCP parameters common to both SCEP and PKCS#12 to be auto provisioned are provided below. dcpversion1: character string of the last installed PKCS12 file. dcpsource1: scep or pkcs12; method used to install device certificates. dcpactive: n (Inactive) or y (Active); profile is active or not. dcppurpose1: character string made up of the following characters: a (All applications), v (VPN), d (DTLS), s (SCR), g (GXAS), e (EAP-TLS), T (Licensing); specifies which phone applications can use this device certificate. Each of the above parameters is replicated an additional 5 times for IP Phone 1100 series except the IP Phone 1110, an additional 4 times for the IP Phone 1110 and the IP Phone 1200 series, and an additional 2 times for the IP Phone 2007. The additional parameters will have the same name as above, except the character "1" on the end will be replaced by the character "2", "3", etc. up to the maximum number of DCP supported. The new Info Block parameters that have been created to allow the DCP parameters that apply only to SCEP to be auto provisioned are provided below. These SCEP-specific parameters provide control over SCEP device certificate renewal and deletion. dcprenew1: Integer value, but also supports the Number of days pri
75. fication messages that can be displayed on the phone. 1. No license is available for the licensed feature: "Licensing for phone features is not available. Contact your administrator." 2. License is about to expire: "Licensing for phone features will expire on 2009 12 31. Contact your administrator." 3. The license has expired: "Licensing for phone features has expired. Contact your administrator." 4. Evaluation Period is about to expire: "Evaluation period will expire on 2009 12 31. Contact your administrator." 5. Evaluation Period has expired: "Evaluation period has expired. Contact your administrator." Evaluation Period: UNIStim 4.0 Software provides the capability to evaluate a licensed feature without committing to an initial license purchase. Every licensed feature can be enabled for a period of 30 days license free. But once the 30 day evaluation period has passed, the feature will require a license to allow its continued operation. The 30 day evaluation period is initiated the first time a licensed feature is enabled. Once the licensed feature is enabled, the 30 day time will continue to count down even if the feature i
76. ght Recorder: The Flight Recorder captures base system performance on a regular interval, including register usage and buffer usage. Overload Protection: Overload Protection consists of monitoring several key components of the IP Phone, including: CPU usage is monitored for normal, warning and critical threshold levels; Memory is monitored for normal, warning and critical threshold levels; Flash File System is monitored for normal, warning and critical storage threshold levels; Stack usage is monitored for normal, warning and critical threshold levels; Message queues are monitored for normal, warning and critical threshold levels. Task Monitor: Task Monitor checks the status of a set of essential tasks running on the IP Phone. If any of these essential tasks are suspended or deleted for any reason, the event is logged as Critical. Auto Recovery: Overload protection and task monitoring take advantage of the Auto Recovery feature already built into the IP Phone software. Recall that Auto Recovery was delivered in UNIStim software release 3.0 as part of the Enhanced Diagnostics capabilities. Auto Recovery allows the phone to auto reboot should it encounter a critical event. If Auto Recovery is enabled and the overload protection reaches a critical threshold, or if the task monitor finds a suspended or deleted task, the phone will reboot. Auto recovery is enabled by default. If support staff wishes to disable Auto
77. he key sequence of mute, 5, 6, mute. If successful, the phone will display "Listening Mode" on the screen. Once the phone is in listening mode, the next screen of the Phone VPN Configuration Wizard guides the user to discover the IP Phones that are in Listening Mode. The user is prompted to start the discovery process by pressing the Autodiscover Phone button. The Autodiscover Phone screen is shown in the diagram below. The Autodiscover process will find all phones in listening mode on the network. In most cases only one phone will be discovered: the phone that the user placed in Listening Mode. But if for whatever reason several phones are found in Listening Mode, the user will be prompted to select the phone they wish to provision from a list. The phone's MAC address is used as the selection mechanism to decide which phone is to be configured. The diagram below depicts the Autodiscovery mechanism in progress and indicates that one phone has been discovered. If a phone cannot be discovered, the Phone VPN Configuration Wizard warns that no phones can be found with the "Phone not found" screen shown below. If repeated attempts fail to discover a phone in Listening Mode, please contact your network administrator. Once a phone has been discovered, the Phone VPN Configuration Wizard is ready to configure the phone. The Configure Phone screen as depicted be
78. hone with an Info Block via DHCP, please refer to Appendix E. Appendix D: Auto Provisioning the IP Phone's Node and TN in a Communication Server 1000 Environment (applies to the IP Phone 2007, 1110, 1120E, 1140E, 1150E, 1210, 1220, 1230). The introduction of auto provisioning on the IP Phone 2007, the IP Phone 1100 series and the IP Phone 1200 series also provides a centralized method of provisioning the Node and TN fields for these IP Phones when they are connected on a Communication Server 1000 system. Prior to the availability of UNIStim software release 3.0 for IP Phones, if the Node and TN values in the phone were uninitialized, the only means to provision the Node and TN value was for the phone installer to manually enter these values at the phone when prompted to do so on the phone's display. With the delivery of UNIStim software release 3.0 for IP Phones, the phones will now accept a list of Node and TN values associated to particular MAC addresses. The Node and TN value is assigned to an appropriate phone by the phone recognizing its own MAC address within the list of Node and TN values. The phone will accept the Node and TN information when contained in any of the existing PRV files, including: Device file (XXXXXXXXXXXX.PRV); Zone file (ZZZZZZZZ.PRV); Type file (TTTTT.PRV); System file (SYSTEM.PRV). If the phone's MAC address is found in more than one valid association across the different
79. hree authentication modes: 1. Aggressive Mode with a PreShared Key and no X Authentication, 2. Aggressive Mode with a PreShared Key and with X Authentication, and 3. Main Mode using X.509 Certificates and no X Authentication. The table below lists the security credentials required for each mode. Mode: Security Credentials Required. Aggressive Mode with a PreShared Key and no X Authentication: User ID and Password. Aggressive Mode with a PreShared Key and with X Authentication: User ID, Password, XAuthentication User ID and XAuthentication Password. Main Mode using X.509 Certificates and no X Authentication: CA root certificate and device certificate. The authentication mode established by the corporate security policy will determine which parameters must be provisioned. The table below lists the various parameters that must be provisioned for valid VPN configurations. VPN Parameter: value for Aggressive Mode with a PreShared Key and no X Authentication / Aggressive Mode with a PreShared Key and with X Authentication / Main Mode using X.509 Certificates and no X Authentication. VPN type: Nortel / Nortel / Nortel. VPN mode: Aggressive / Aggressive / Main. VPN authentication type: PSK / PSK / certificate. PSK user ID: <user ID> / <user ID> / n/a. PSK password: <user password> / <user password> / n/a. X authentication: None / Password / none. X authentication user: n/a / <Xauth user I
80. ider termination equipment, typically a DSL or Cable modem. Adding the NVC phone to the home network is in most cases as simple as plugging in the Ethernet cable provided with the phone between the phone and an Ethernet connection on the router and/or DSL/cable modem. Note that since the phone does not have a wireless interface, the phone must be connected using an Ethernet cable; thus, if the router or DSL/cable modem device is wireless, it must have at least one physical Ethernet connector for the NVC phone solution to work. The following diagrams depict the typical connection scenario. Although the PC may be able to be plugged directly into the router or hub, Nortel recommends plugging the PC into the PC port on the phone. By plugging the PC into the PC port of the phone, the phone can better control the QoS of the voice during calls by prioritizing the telephone traffic over the PC traffic. [Diagram labels: Internet, Router/Hub, Modem] When the DSL/Cable modem was installed, the number of devices that can operate on the network may have been restricted by either the service provider, the installer, or by the modem's physical hardware. If this is the case, please refer to the modem's user guide or contact your service provider. (Footnote: Some DSL/Cable modems incorporate the router or hub, allowing the PC to be directly connected to the DSL/Cable modem.) Authentication Modes: The NVC within the IP phone currently supports t
81. ine 5.5.12, SS 5.5.12: Nortel recommends an upgrade to these software releases at the earliest opportunity. The DTLS and SCR features are not supported on this platform. CS 1000 5.00W (IP Line 5.00.31, SS 5.00.31): Nortel recommends an upgrade to these software releases at the earliest opportunity. The DTLS and SCR features are not supported on this platform. The IP Phone 1200 series is not supported on this platform. Survivable Remote Gateway (SRG). Call Server Release: Notes/Advisements. SRG 50 3.0: Nortel recommends an upgrade to these software releases at the earliest opportunity. No SRG50 patches are required to support the Enhanced Software Download feature that allows the IP Phone software supported on the SRG50 to remain in synch with the Communication Server 1000 Main office. In addition, if the Main Communication Server 1000 is on release 4.5 or later, no patch is necessary on the Communication Server 1000 to upgrade the IP Phone. But if the Main Communication Server 1000 is on release 4.0, a Communication Server 1000 patch is required on the Main to allow the SRG50 to upgrade the IP Phone software. The patch is MPLR21148 and is available from the Meridian PEP library at the www.nortel.com/support web site. The IP Phone 1150E is not supported on the SRG50 5.0. SRG 50 2.0: Nortel recommends an upgrade to these software releases at the ear
82. ing and TraceRoute utilities operate inside the tunnel. When VPN is disabled or failed and no tunnel is available, the Ping and TraceRoute operate consistent with previous operation, using the external address outside the tunnel. Within the IP Network Statistics menu, if VPN is enabled, five new statistics are available. The new statistics monitor the packets sent and received on the VPN virtual interface. When the VPN status is neither Operational nor Connecting, the new statistics are not shown. The new menu, VPN Statistics, provides information on the operational status of the VPN, presents some key VPN parameters, and lists statistical counters for the VPN service. If the VPN feature is not enabled, this menu item is greyed out. The below diagram provides an example of the VPN Statistics screen. (Footnote 7: Ping and TraceRoute will still be sent via the physical interface, even if the VPN is enabled, if the source address is the phone's inner IP Address and the destination address is either the local subnet or subnet of the VPN gateway.) 1. VPN Status: Enabled & Operational (Restricted); 2. Virtual IP: 10.4.5.6; 3. Gateway: vpn.example.com; 4. Gateway Type: Nortel; 5. VPN DSCP: Manual 67; 6. MOTD Timer: 0; 7. IKE Mode: Aggressive PSK XAUTH, PSK User: JDoe, XAUTH User: KSmith; 8. IPSec Transforms: AES128 SHA1; 9. Uptime: 10 days 15:23:45; 10. Packets Sent: 1,234,567; 11. Packets Rcvd: 2
83. ing of the set software is dependent upon CICM performing Succession regression test activities on UNIStim software release 4.0 for IP Phones to verify their performance on this CICM product. Although UNIStim software release 4.0 for IP Phones is GA quality at the time of this writing, the extent of CICM support is being confirmed. The IP Phone 1200 series are not supported on CICM 9.0. System Compatibility and Requirements. System: Notes/Advisements. Nortel Application Gateway 2000 6.3 and higher: These software releases provide support to interwork with Nortel Application Gateway 2000 (AG2000) release 6.3. The Nortel Application Gateway solution continues to deliver on IP Telephony's promise of convergence with important enhancements to the powerful packaged applications on the IP Phone's desktop, applications that are simply not possible to deliver with the traditional digital telephone. With the Nortel Application Gateway, IP Phone communication is truly transformed into a new feature rich communications experience. For more information on the capabilities introduced with AG2000, please refer to the Product Bulletin P 2008 0005 Global. The AG2000 does not support the IP Phone 1150E. Nortel Secure Multimedia Controller (SMC) 1.0: These software releases continue to provide support to interwork with Nortel Secure Multimedia Controller (SMC) 2450. The SMC 2450 is a purpose b
84. ing prompted again for the password. When the 5 minutes expires, the menu is closed. The password must be reentered to access the Local Tools menu. Appendix J: IP Phone Configuration Menu on Phase II IP Phone 2001, Phase II IP Phone 2002 and Phase II IP Phone 2004. The single line based configuration menu structure below presents the complete configuration menu now available on the Phase II IP Phone 2001, Phase II IP Phone 2002 and Phase II IP Phone 2004. EAP Enable 0 N 1 Y 0 if 1 DevicelD Password LLDP Enable 0 N 1 Y 0 DHCP 0 N 1 Y 1 if 0 SET IP XXX XXX XXX XXX NETMSK xxx xXxx XXX XXX DEF GW xXXX XXX XXX XXX S1 IP xxx XXX XXX XXX S1 PORT S1 ACTION S1 RETRY COUNT S2 IP XXX XXX XXX XXX S2 PORT S2 ACTION S2 RETRY COUNT else if 1 DHCP 0 Full 1 Partial 1 if 1 S1 IP XXX XXX XXX XXX S1 PORT S1 ACTION S1 RETRY COUNT S2 IP XXX XXX XXX XXX S2 PORT S2 ACTION S2 RETRY COUNT Speed 0 A 1 10 2 100 0 if 1 or 2 Duplex 0 A 1 F 2 H 0 Cfg XAS 0 N 1 Y 1 if 1 XAS IP XXX XXX XXX XXX Voice 802 1Q 0 N 1 Y 1 if 1 VOICE VLAN 0 N 1 Y 0 if 1 VLAN Cfg 0 Auto 1 Man 1 The VLAN Cfg menu is only presented if DHCP is provisioned to Partial or Full above or if LLDP is enabled above if 0 LLDP MED 0 N 1 Y 0 The LLDP MED menu is only presented if LLDP is enabled above if 0 LLD
85. inue. To generate a keycode, one must either have a numeric authorization code or one can search for a specific Purchase Order (PO). The example screen below depicts searching for a PO. Click "Go to PO" after entering the PO number. (Footnote 1: KRS also supports wildcard searching. By entering the first few characters of a PO number, all POs with that string that are associated with your customer account will be returned.) Once the correct PO is found, the next screen will show a list of each licensed feature on the PO. On this licensed feature screen, the user can select the quantity of each licensed feature required within the keycode. Please note that KRS requires that the quantity selected be evenly divisible by the number of registered MAC addresses. For example, if 6 MAC addresses were registered, then one must select multiples of 6 (i.e. 6, 12, 18, 24, etc.). Once the quantity of each licensed feature has been specified, click on Continue. KRS will then show a summary of the current PO selection. Clicking on Continue returns the user to the select
86. justment. (Footnote 19: The patch is not required on Communication Server 1000 Release 5.0 and greater.) Volume adjustments are not persistent across phone resets (applies to IP Phone 2001, 2002, 2004, 2007, 1110, 1120E, 1140E, 1150E, 1210, 1220 and 1230). Even though the speech volume and ringer volume are controlled by the IP phone, the user selected preferences are stored by the Communication Server 1000. Prior to release 5.0 of the Communication Server 1000, the server did not save the user selected preferences across a phone reboot. Thus, if the phone rebooted for whatever reason, the speech volume and ringer volume would be reset to their default values. Upgrading to release 5.0 or greater of the Communication Server 1000 corrects this issue. Power disruption during software upgrade will corrupt the upgrade (applies to IP Phone 2001, 2002, 2004, 2007, 1110, 1120E, 1140E, 1150E, 1210, 1220 and 1230). During a software upgrade, if a power disruption is experienced by the phone, the software upgrade will fail. In some instances, a power disruption during an upgrade may also corrupt the existing software on the phone. If this corruption should occur, the phone will fail over into its boot code, known as BootC. BootC will automatically try to restore the phone's software from the image on a call server. But for the IP Phone 2007, the IP Phone 1100 series and the IP Phone 1200 series, if the phone's software was obtained from a
87. le containing the configuration and provisioning files, or the directory where the configuration and provisioning files are located. Once the data files (configuration and provisioning files) are located, the Prepare Phone for Configuration screen provides instructions for placing the phone into Listening Mode. Listening Mode allows the phone to listen for the Phone VPN Configuration Wizard to establish a connection and transfer the data files. The Prepare Phone for Configuration screen is depicted below. The IP Phone must now be power cycled, and when the IP Phone is rebooting the user must watch the phone screen for when the Nortel text banner (not the Nortel icon) is displayed. The Nortel text banner will be displayed for roughly 5 seconds. During this 5 second window, the user must press the key sequence of mute, 5, 6, mute on the phone, as shown on the Prepare Phone for Configuration screen. If successful, the phone will display "Listening Mode" on its screen. If the phone did not successfully enter Listening Mode, the user can answer No on the Prepare Phone for Configuration screen. The Phone VPN Configuration Wizard will ask the user to try again, and after two unsuccessful attempts the Phone VPN Configuration Wizard will assume the phone cannot be placed in Listening Mode because the software release on the phone is prior to UNISti
88. lid option in the IP Phones. But one important note when upgrading the IP Phones to the current releases of software is to realize that the current release of SRTP PSK is not compatible with older versions of SRTP PSK. The minimum software releases for which the current release of SRTP PSK is backward compatible is UNIStim software release 1.3 for IP Phones, including software version 0604DAX for the Phase II IP Phone 2001, Phase II IP Phone 2002 and Phase II IP Phone 2004, software version 0621C3N for the IP Phone 2007, and software 0623C3G, 0624C3G, 0625C3G and 0627C3G for the IP Phone 1110, 1120E, 1140E and IP Phone 1150E respectively. (Footnote 18: The patch is not required on Communication Server 1000 Release 5.5.) One way speech path behind NAT routers (applies to IP Phone 2001, 2002, 2004, 2007, 1120E, 1140E and 1150E). A problem exists with some NAT routers that causes one way speech path. This problem is addressed by the application of patch MPLR21030 on the Communication Server 1000 Release 4.5 and 4.0. The Communication Server 1000 patch is located in the Meridian PEP library at the www.nortel.com/support web site. Backlight Interaction with USB devices (applies to IP Phone 2007, 1120E, 1140E and 1150E). Some USB devices (i.e. mice or keyboards) send regular coordinate update messages to the phone even when the device is not being used. This can cause the sleep mode for the backlight to not be properly invoked. C
89. liest opportunity. No SRG 50 patches are required to support the Enhanced Software Download feature that allows the IP Phone software supported on the SRG 50 to remain in synch with the Communication Server 1000 Main office. In addition, if the Main is Communication Server 1000 release 4.5 or later, no patch is necessary on the Communication Server 1000 to upgrade the IP Phone. But if the Main is Communication Server 1000 release 4.0, a Communication Server 1000 patch is required on the Main to allow the SRG 50 to upgrade the IP Phone software. The patch is MPLR21148 and is available from the Meridian PEP library at the www.nortel.com/support web site. The IP Phone 1110, IP Phone 1150E and IP Phone 1200 series are not supported on SRG 50 2.0. SRG 200/400 1.5: Nortel recommends an upgrade to these software releases at the earliest opportunity. No SRG patches are required to support the Enhanced Software Download feature that allows the IP Phone software supported on the SRG 200/400 1.5 to remain in synch with the Communication Server 1000 Main office. In addition, if the Main is Communication Server 1000 release 4.5 or later, no patch is necessary on the Communication Server 1000 to upgrade the IP Phone. But if the Main is Communication Server 1000 release 4.0, a CS1000 patch is required on the Main to allow the SRG 200/400 to upgrade the IP Phone software. The
90. low prompts the user to start the configuration process by pressing the Configure Phone button. After the phone has been successfully configured, the Confirmation and Finish screen is presented. The Confirmation and Finish screen is shown below. At this point the phone is ready to connect to the corporate network. Tunnel Establishment: Once the IP Phone has been provisioned, either centrally or remotely, the phone is ready to be deployed and establish a VPN tunnel back to the corporation. If the NVC is enabled when the phone boots, the VPN tunnel establishment is indicated to the user by the message "Start VPN <server name>", where the <server name> is either the provisioned IP address or the Fully Qualified Domain Name (FQDN) of the corporate VPN server. If the server name is specified as a FQDN, the phone must first resolve the IP address of the VPN server by performing a DNS lookup. The phone must also check to ensure all required user security credentials are loaded into the phone. If any of the credentials are missing, the user is prompted to enter them. If the VPN server's IP address is known and all required credentials are available in the phone, the VPN tunnel setup process is initiated between the IP Phone and the corporate VPN server. Once the tunnel is established, the following message is displayed on the phone's screen: VPN Tunnel Esta
91. ls menu is not opened. To thwart password guessing, only 3 incorrect password entries in a row are allowed. After the 3rd incorrect entry, the password entry is ignored for 5 minutes. During this period of time the password prompt is displayed and the entered digits accepted; however, the phone will not process the incoming digits. The password prompt window simply closes and the behavior is identical to that of an incorrect password entry. The user will assume the incorrect password has been entered and try again. Thus, even if the correct password is guessed during the 5 minute period, it will be ignored. This effectively reduces the guess entry rate to 3 guesses every 5 minutes. Once the password has been entered, access to the Local Tools menu remains active for 5 minutes. During the 5 minutes the menu can be freely navigated, exited and entered without being prompted again for the password. When the 5 minutes expires, the menu is closed. The password must be reentered to access the Local Tools menu. Appendix: IP Phone Configuration Menu on IP Phone 1110, IP Phone 1210, IP Phone 1220 and IP Phone 1230. The single line based configuration menu structure below presents the complete configuration menu now available on the IP Phone 1110, IP Phone 1210, IP Phone 1220 and IP Phone 1230. EAP 0 N 1 M 2 P 3 T 0 if 1 or 2 or 3 ID 1 also if 1 or 2 ID 2 Password LLDP Ena
92. m release 4.0. The Phone VPN Configuration Wizard will then guide the user through the steps to use the Phone VPN Configuration Wizard to actually upgrade the phone's software. The diagram below depicts the screen presented to guide the user through the software upgrade procedure if the phone did not successfully enter Listening Mode. To upgrade the IP Phone's software, the Provisioning server address in the Network Configuration menu needs to be modified to point to the PC running the Phone VPN Configuration Wizard. The steps required are detailed in the Prepare Phone for Configuration screens depicted above and below. Initially, the Provisioning server address parameter has to be located as instructed in the screen above. After which, the parameter has to be modified to point to the PC running the Phone VPN Configuration Wizard. The Wizard provides the IP address of the PC that needs to be entered into the Provisioning server address parameter, as shown below. Once the phone has been upgraded to UNIStim software release 4.0, the phone should be able to enter listening mode. The IP Phone will reboot after the new software is downloaded. Again, during reboot, the user must watch the phone screen for when the Nortel text banner (not the Nortel icon) is displayed. The Nortel text banner will be displayed for roughly 5 seconds. During this 5 second window, the user must press t
93. meters to a factory default: CZ ISIEISI9 MACI, where MAC corresponds to the MAC address of the IP Phone, which can be found on a label on the back of the IP Phone. Since a MAC address can contain the letters A through F, the letters A, B and C can be entered via the 2 key on the dialpad and letters D, E and F can be entered via the 3 key. For example, an IP Phone with MAC address 00:19:E1:E2:17:12 would be reset to factory default when the sequence 73639001 93132171 2 is entered on the keypad. Please note that the keypad sequence will only be accepted by the phone after the IP Phone has finished its boot up procedure.
94. name will be automatically filled with NTIPP012345, where the final 6 characters are the last 6 hex characters from the phone's MAC address. When the phone boots with the above configuration, a CA root certificate will be requested from the CA Server. Once the CA root certificate is received, the prompt "CA Fingerprint" will be displayed on the phone's screen. The installer must press the Accept softkey to install the CA root certificate. Once accepted, the certificate will be saved on the phone and the prompt will never appear again. After the CA root certificate is installed, a Device certificate must be installed. Depending on the CA Server configuration, the user may be prompted to enter a challenge password. If no challenge password is required, the installer must simply select the OK softkey. Once the challenge password is entered or the OK softkey is pressed, the phone will then request a device certificate and "Waiting for Approval" will be displayed on the phone's screen. Depending on the CA Server configuration, it may be necessary for the installer to manually approve the certificate request using the CA Server. After the certificate is approved (automatically or manually), the "Waiting for Approval" prompt will be removed. If for any reason the approval fails, and while the phone is actually waiting for approval, an Abort key will appear to allow the installer a chance to abo
95. ned via the Nortel i2004 B options is provided in the following table. Note that not all parameters need be specified in the option string. If the option is included, the parameter will be provisioned with the value specified. If the option is not included, the parameter will retain its default value or the value that was previously provisioned for said parameter. Feature Advisements: A compatibility issue was found with the new Nortel i2004 B option type and the older Phase 0 IP Phone 2004, Phase 1 IP Phone 2002 and Phase 1 IP Phone 2004. Even though these older phones ignore the Nortel i2004 B option type, the length of the DHCP frame causes problems for the older phones. Since the list of all the parameters that can be provisioned via the Nortel i2004 B options is extensive, the length of the DHCP frame can be quite large. (Footnotes: RFC 3942 states that DHCP site specific options 128 to 223 are hereby reclassified as publicly defined options. The IP Phone supports 9 vendor specific options in this range and will continue to do so for backward compatibility. However, as suggested in RFC 3942, the use of these options should be discouraged to avoid potential future collisions. Carriage returns have been added to the DHCP configuration string for readability only. A true DHCP configuration string would contain no such carriage returns.) The older phones will only accept a DHCP message to a maximum of 590 bytes, far short of th
96. network identification menulock p Menu lock mode vq y Enable 802 1Q for voice vcp 3 802 1Q control p bit for voice vmp 4 802 1Q media p bit for voice vlanf y Enable VLAN filter pc y Enable PC port pcs a PC port speed pcd a PC port duplex dq y Enable 802 1Q for PC port lldp y Enable 802 1ab LLDP pk1 ffffffffffffffff force pk1 to ff SMC will update pk2 ffffffffffffffff force pk1 to ff SMC will update stickiness y Enable stickiness cachedip n E Enable cached IP igarp n Ignore GARP srtp n Enable PSK SRTP eap peap Enable 802 1x EAP eapid1 DEV1024 802 1x EAP device ID 1 eapid2 TOW2234 802 1X EAP device ID 2 eappwd D3c6v5 802 1x EAP password cdiff 13 DiffServ code point for control mdiff 12 DiffServ code point for media prov 47 11 232 115 Provisioning server IP address dns 47 11 20 20 Primary DNS server IP address dns2 47 11 20 21 Secondary DNS server IP address ct 20 Contrast value br 18 Brightness value blt 1 Backlight timer dimt 3 Set dim timer to 5 minutes hd w Headset type bold y Enable font display in bold headartr prv Zone level provisioning file Applies to all phones within the headquarters zone
97. ng the tunnel Restricted mode still allows the phone to connect to the corporate network to obtain configuration and provisioning information from the corporate network including licensing information but will prevent all voice services from operating For details on the licensing please refer to the Application and Feature Licensing section later in this document Diagnostics With the introduction of VPN service in UNIStim Software release 4 0 the phone's local diagnostics capabilities have also been revamped Some menu items have been expanded and a completely new menu item has been added The below diagram shows which menu items have been expanded and which menu items are new 1 IP Set and DHCP Information expanded 2 Network Diagnostic Tools changed behavior 3 Ethernet Statistics 4 IP Network Statistics expanded 5 USB Devices 6 Advanced Diag Tools 7 License Information 8 VPN Statistics new 9 Certificate Information Within the IP Set and DHCP Information menu if VPN is enabled four new parameters are now available to show the inner IP Address and associated information The four new parameters are VPN IP Address VPN Mask VPN Gateway IP and VPN Server URL If the VPN status is not Operational these new items are not shown Within the Network Diagnostics Tools menu if VPN is enabled the behavior of Ping and TraceRoute are modified When the VPN is Operational the P
98. oning parameter is AUTO the IP Phone can receive the value from automatic provisioning sources based on the precedence rule If one manually changes the parameter the attribute value is MANUAL If the attribute is MANUAL the provisioning information from automatic provisioning sources is ignored except for the standard DHCP parameters If one enables DHCP then the phone's IP address the subnet mask and the default gateway address which the IP Phone obtains from the DHCP server overwrite any manually configured value Provisioning information from a provisioning source with high priority will overwrite the provisioning information from a provisioning source with low priority Manual provisioning always has the highest priority If one configures stickiness and the current provisioning source does not provide the provisioning information for the particular parameter the last received provisioning value is used The default value of the stickiness attribute is AUTO The Phase II IP Phones IP Phone 2001 IP Phone 2002 and IP Phone 2004 do not support the precedence rule therefore the phones use the last value received Appendix G IP Phone Configuration Menu on the IP Phone 1120E IP Phone 1140E and IP Phone 1150E The full screen based configuration menu structure below presents the complete configuration menu now available on the IP Phone 1120E IP Phone 1140E and IP Phone 1150E EAP Mode Disable MD5
99. onment this would be the service provider's DNS Since the NVC can be auto provisioned a change to the auto provisioning menu has occurred within group 1 A VPN checkbox has been added For the VPN feature one is not allowed to manually override individual VPN parameters There is only one checkbox for the entire feature set Either the entire set of VPN parameters is auto provisioned or the entire set of VPN parameters is manually provisioned The new VPN auto provisioning menu check box is as follows 01 EAP Settings VPN W For details on the changes to the Network Configuration menu to allow manual provisioning of the VPN parameters please refer to Appendix G IP Phone Configuration Menu on the IP Phone 1120E IP Phone 1140E and IP Phone 1150E Nortel Phone VPN Configuration Wizard Since a remotely deployed phone must have an active VPN service to connect to the corporate network and since auto provisioning of the IP phone's VPN service requires a corporate connection such a situation presents a dilemma So to allow the IP Phone to be provisioned at the remote site a PC application called the Nortel Phone VPN Configuration Wizard is being made available The Phone VPN Configuration Wizard can run on either MS Windows XP or Vista and on Mac OS The Phone VPN Configuration Wizard is available for download from the Software Download link under Support and Training on the N
100. or to certificate expiry that a following special values certificate renewal is requested 1 Never 0 Immediately dcpdelete1 n No action If set to y forces the device certificate to be y Delete deleted dcpautocn1 0 Manual Automatically construct the Certificate Name 1 Automatic using cadomain and cahost dcpcaname1 Character string of 128 characters CA name included in the SCEP request to identify requested CA note that not all CA require the CA name dcphostnameoverride1 Character string of 128 characters Override hostname for this DCP only Below are a couple of examples of provisioning DCP The first example shows the configuration of DCP 1 for VPN using SCEP and the configuration of DCP 2 for DTLS and SCR using SCEP dcpsource1 scep dcpactive1 y dcppurpose1 v dcprenew1 60 dcpsource2 scep dcpactive2 y dcppurpose2 ds This second example shows the configuration of DCP 1 for all applications using a PKCS 12 download device certificate dcpsource1 pkcs12 dcpactive1 y dcppurpose1 a dcpactive2 n DAN Update the Appendix on Certificates Diagnostics UNIStim Software release 4 0 introduces a new diagnostic screen to view the X 509 certificates installed in the phone as well as the phone's certificate revocation list The new Certificate Information choice is depicted in the diagram below IP Set and DHCP
101. ortel website located at http://support.nortel.com The software is available for the IP Phone 1100 series models under Phones Clients and Accessories The Phone VPN Configuration Wizard uses the same configuration and provisioning files used to auto provision a phone on the corporate network These required configuration and provisioning files need to be loaded onto the PC at the remote location along with the Phone VPN Configuration Wizard The Phone VPN Configuration Wizard greatly simplifies the provisioning of the NVC on the IP Phone For phones with UNIStim Software release 4 0 already installed to provision the NVC and the entire phone for that matter a user need only e Start the Nortel Phone VPN Configuration Wizard e Select a zip file containing configuration and provisioning files this file should have been sent to the user by their system administrator e Press a short key sequence on the phone e Click a button on the Phone VPN Configuration Wizard to start configuration e Wait for configuration to complete If the phone does not already have UNIStim release 4 0 installed the Phone VPN Configuration Wizard can also act as a file server allowing this application to update the phone's software The following paragraphs will walk through the few steps required to use the Phone VPN Configuration Wizard Using the Phone VPN Configuration Wizard involves seven simple steps including Welcome
102. pens and some messages are likely to be lost e Info A separate Security log has also been defined It is used for logging security related events only Traffic Monitor The Traffic Monitor checks the IP traffic inbound packet rate The IP phone has a DoS filter to protect the phone from Denial of Service DoS attacks High threshold low threshold and holdoff time have been set up for unicast multicast and broadcast packets The DoS checking function will check the rate of the received packets If the high threshold is reached the Ethernet driver will turn off packet reception for the holdoff time After the holdoff time if the rate of the traffic is lower than the low threshold the Ethernet driver will turn back on the packet reception 6 Certification Enhancements applies to the IP Phone 1110 1120E 1140E 1150E 1210 1220 and 1230 UNIStim Software release 4 0 for IP Phones introduces enhancements to the existing certificate support in the phones as well as introduces a new method for installing and managing device certificates on the phone SCEP Enhancements In UNIStim Software release 3 0 support for Simple Certificate Enrollment Protocol SCEP was introduced to allow the IP phone to request both a CA root certificate and then a device certificate to be loaded into the IP Phone With UNIStim Software release 4 0 the phone's support for SCEP has been enhanced to e allow certificates installe
103. provisioning e Automatic provisioning using Link Layer Discovery Protocol LLDP from an 802 1ab enabled network switch e Automatic provisioning using Info Block contained within provisioning files and transferred via TFTP or HTTP Provisioning files contain their own precedence order based on the file type Info Block carried by the Device specific provisioning file Info Block carried by the Zone specific provisioning file Info Block carried by the Type specific provisioning file Info Block carried by the System specific provisioning file e Automatic provisioning using Info Block contained within DHCP option strings and transferred via DHCP Acknowledge message DHCP provisioning contains its own precedence order based on the DHCP option Info Block carried by the Nortel i2004 B DHCP option Former provisionable parameters carried by the Nortel i2004 A DHCP option Note that VLAN A option is still supported with both Nortel i2004 B DHCP and Nortel i2004 A DHCP options e Automatic provisioning from the call server and/or associated telephony manager using UNIStim e Last automatic provisioned value e Factory default Automatic provisioning defines provisioning control for each parameter One can either manually or automatically provision each parameter Each provisioning parameter provides an attribute that specifies if the parameter was previously provisioned manually or automatically If the provisi
104. r IP Phones is GA quality at the time of this writing the extent of BCM support is being confirmed The IP Phone 1150E is not supported on BCM 450 5 0 BCM450 1 0 Upgrading of the set software is dependent upon a BCM system patch that includes the set software Although UNIStim software release 4 0 for IP Phones is GA quality at the time of this writing the extent of BCM support is being confirmed The IP Phone 1150E is not supported on BCM 450 1 0 Communication Server 2100 Centrex IP Client Manager CICM Call Server Release Notes Advisements CICM 10 1 MR2 Upgrading of the set software is dependent upon CICM performing regression test activities on UNIStim software release 4 0 for IP Phones to verify their performance on this CICM product Although UNIStim software release 4 0 for IP Phones is GA quality at the time of this writing the extent of CICM support is being confirmed The IP Phone 1210 is not supported on CICM 10 1 CICM 10 0 Upgrading of the set software is dependent upon CICM performing regression test activities on UNIStim software release 4 0 for IP Phones to verify their performance on this CICM product Although UNIStim software release 4 0 for IP Phones is GA quality at the time of this writing the extent of CICM support is being confirmed The IP Phone 1200 series are not supported on CICM 10 0 CICM 9 0 Upgrad
105. recovery perhaps to analyze an unexpected occurrence of a critical event then Auto recovery can be disabled either through the Advanced Diagnostics Tool Menu under Local Diagnostics menu or disabled via auto provisioning Common Alarming Common Alarming sends a UNIStim message to the call server when overload protection detects a state change Whenever an IP phone changes state from Normal to Warning and from Warning to Critical the IP Phone sends a General Information UNIStim message to the call server Whenever an IP phone changes state from Critical to Warning or from Warning to Normal the IP phone sends a General Information UNIStim message to clear the alarm Common Logging Common Logging provides the ability to log information into the phone's flash file system By logging all error and info messages into the flash file system it provides a persistent storage of messages allowing the IP Phone to be checked after an event has occurred to determine if a problem exists The log file is a 64KB circular buffer Five severity levels for logging are defined The five severity levels are e Critical e Major e Minor e Warning 13 Message queues are used for message sending and receiving between critical tasks If the receiving speed is not fast enough to receive all messages at one time the extra messages will be pended in the message queue to wait to be received If the waited messages are greater than the length of the queue overflow hap
106. retry count s2ip Value from 0 0 0 0 to Secondary server IP address 255 255 255 255 p2 Value from 1 to 65535 Secondary server port number a2 Value from 0 to 255 Secondary server action code r2 Value from 0 to 255 Secondary server retry count dhcp y yes Enable DHCP n no xip Value from 0 0 0 0 to XAS server IP address 255 255 255 255 xp Value from 0 to 65535 XAS server port number xa Character string made up of XAS server action code XAS Mode and Phone Mode the following character g graphical XAS mode Note that there is no explicit character to select text mode f full screen XAS mode Instead the lack of specifying graphical g implies the XAS s secure XAS mode mode is text h hidden Phone mode r reduced Phone mode Also note that there is no explicit character to select Full phone mode Instead the lack of specifying either hidden h or reduced r implies the phone is to be provisioned for Full phone mode Please be careful not to confuse Full Screen XAS mode f with Full phone mode Note that hidden Phone mode and reduced Phone mode are supported on the IP Phone 2007 only unid Character string up to 32 Unique network identification characters menulock f full lock Menu lock mode p partial lock u unlock vq y yes Enable 802 1Q for voice 1 n no vcp Value from 0 to 8 802 1Q control p bit for
107. rk around to this advisory Phones default for Auto VLAN changed to Enabled And Auto VLAN now supports a No VLAN option applies to IP Phone 2001 2002 2004 2007 1110 1120E 1140E 1150E 1210 1220 and 1230 In software loads prior to UNIStim software release 2 2 for IP Phone 2007 1110 1120E 1140E 1150E 1210 1220 and 1230 and in software loads prior to UNIStim software The Phase 0 IP Phone 2004 Phase 1 IP Phone 2002 and Phase 1 IP Phone 2004 are now End of Life EOL products release 2 3 for Phase II IP Phone 2001 2002 and 2004 one had to manually provision whether the phone was to be installed in an 802 1Q VLAN environment or not The default configuration for the phone was assuming that the phone was not being deployed into an environment supporting a Voice VLAN The default source for VLAN assignment was no VLAN For the phones to be deployed into a voice VLAN environment the phone had to be manually provisioned with either a Voice VLAN ID or manually provisioned to accept an Auto VLAN assignment With UNIStim software commencing with release 2 2 and 2 3 and continuing with UNIStim software release 3 1 the default configuration for the phone now has Auto VLAN assignment via DHCP enabled But realizing that not all phones will be deployed in an 802 1Q VLAN environment the Auto VLAN assignment support has also been updated to support both an 802 1Q VLAN environment and an environment
108. rmed with TFTP If the IP Phone 2007 is currently running UNIStim software release 3 2 or greater then one will be able to upgrade using TFTP directly to UNIStim software release 4 0 But if the IP Phone 2007 is running any software prior to UNIStim software release 3 2 and the upgrade is performed with TFTP then the phone must first be upgraded to UNIStim software release 3 2 before subsequently upgrading to UNIStim software 4 0 The 2 step up upgrade is not required if the upgrade is performed from the call server using UFTP Minimum allowable software on the new IP Phone 1120E and new IP Phone 1140E with hardware changes applies to the new IP Phone 1120E and 1140E Recent hardware changes in the IP Phone 1120E and IP Phone 1140E restrict the minimal allowable software version on these phones The new hardware phones will absolutely accept an upgrade to UNIStim software release 4 0 But the new hardware IP Phone 1120E and new hardware IP Phone 1140E will NOT accept a downgrade to any software version previous to UNIStim software release 3 1 0624C6J and 0625C6UJ respectively The new hardware is introduced with the following specific PEC and hardware release numbers PEC Hardware Description Release NTYSO3ADE6 01 IP Phone 1120E Graphite with Icon Keycaps RoHS NTYSO3BDE6 01 IP Phone 1120E Graphite with English keycaps ROHS NTYSO3BDGS 01 IP Phone 1120E GSA RoHS NTYSO
109. rt the process Once approved the phone will be ready to use the device certificate For additional information on installing certificates into the IP phone please refer to the IP Phones Fundamentals document NTP NN43001 368 2 For the Microsoft CA Server MSCEP installation allows the option of configuring a challenge password If configured the user must access http://www.<<ca_url>>/certsrv/mscep/mscep.dll with a web browser to obtain a temporary password For the EJBCA CA Server the password if any defined for the End Entity for each phone must be entered Appendix B IP Phone Info Block applies to the IP Phone 2001 2002 2004 2007 1110 1120E 1140E 1150E 1210 1220 1230 The list of all the parameters that can be provisioned via the Info Block is provided in the table below Note that not all parameters need be specified in the Info Block If the option is included the parameter will be provisioned with the value specified If the option is not included the parameter will retain its default value or the value that was previously provisioned for the parameter if the stickiness parameter is also set Parameter Value Description s1ip Value from 0 0 0 0 to Primary server IP address 255 255 255 255 p1 Value from 1 to 65535 Primary server port number a1 Value from 0 to 255 Primary server action code r1 Value from 0 to 255 Primary server
110. s subsequently disabled In other words the 30 day evaluation period is a one time opportunity 3 Secure Signaling using DTLS applies to the IP Phone 2007 1110 1120E 1140E 1150E 1210 1220 and 1230 UNIStim software release 4 0 delivers the capability to encrypt the signaling communication between the IP phone and the call server using standards based Datagram Transport Layer Security DTLS DTLS guarantees a secure connection between the telephone and the call server ensuring the integrity and confidentiality of call control At the time of this writing the only Nortel call platform also supporting DTLS is the Communication Server 1000 Support for DTLS was also introduced with Communication Server 1000 Release 6 0 Prior to UNIStim software release 4 0 and Communication Server 1000 release 6 0 in order to secure the signaling between the IP Phone and the Communication Server 1000 one had to deploy the Secure Multimedia Controller SMC 2450 As of release 6 0 of the Communication Server 1000 DTLS is the preferred signaling encryption solution and should be used in place of the SMC As such the SMC 2450 has been retired For more details on the retirement of the SMC 2450 please refer to bulletin 2009009738 Rev 1 Manufacture Discontinued MD Notification for Secure Multimedia Controller SMC 2450 To support DTLS signaling encryption the Communication Server 1000 must be on release 6 0 or grea
111. save the configuration If the Save is successful a Thank You confirmation will be displayed Registration is now complete and one is ready to generate the keycode by selecting Generate Keycode from the side bar on the left The Generate Keycode page will be presented as shown below [Screenshot: KRS Generate Keycode page, Step 1, where the Site Name for which the keycode is to be generated is entered] On the Generate Keycode page the system for which a keycode is to be generated must be identified The system is identified by entering the system ID i.e. the same site name used when the system was registered Once the system ID is entered click on Cont
112. suffix to distinguish between the two registrations All the remaining steps as outlined above now still apply to the new registration For more details on using KRS for IP Clients licensing please refer to the IP Clients Keycode Retrieval System KRS User Guide A copy of the IP Clients Keycode Retrieval System KRS User Guide can be retrieved from the KRS system After selecting IP Clients from the PRODUCT FAMILY list log into KRS using your user ID and password Once logged in select the Documentation Forms & User Guides link from the sidebar on the left Loading Licensing Files onto the IP Phones The license keycode file is distributed to an IP Phone using the same procedure as the other provisioning files To support the loading of license keycodes onto the IP Phone a new section called LICENSING must be added to the phone's configuration file i.e. 1120e.cfg 1140e.cfg 1150e.cfg The individual keycode license file name is ipctokenMAC.cfg where MAC is the phone's 12 character MAC address to which the license is associated The LICENSING section has three command lines e DOWNLOAD_MODE required command The DOWNLOAD_MODE can be either FORCED or AUTO If FORCED the VERSION command is ignored and the license files are always downloaded If AUTO the application looks at the VERSION and downloads the license files only if they are a newer version than what is currently stored on th
113. t password has been entered and try again Thus even if the correct password is guessed during the 5 minute period it will be ignored This effectively reduces the guess entry rate to 3 guesses every 5 minutes Once the password has been entered access to the Local Tools menu remains active for 5 minutes During the 5 minutes the menu can be freely navigated exited and entered without being prompted again for the password When the 5 minutes expires the menu is closed The password must be reentered to access the Local Tools menu Appendix H IP Phone Configuration Menu on the IP Phone 2007 The full screen based configuration menu structure below presents the complete configuration menu now available on the IP Phone 2007 EAP Mode Disable MD5 PEAP TLS ID 1 ID 2 Password Enable 802 1ab LLDP DHCP No Yes Set IP XXX XXX XXX XXX Net Mask xxx xxx XXX XXX Gateway XXX XXX XXX XXX DNS1 IP XXX XXX XXX XXX DNS2 IP xxx xxx XXX XXX CA Server Domain Name Hostname S1 IP XXX XXX XXX XXX Port S1 Action Retry S1 PK FFFFFFFFFFFFFFFF S2 IP XXX XXX XXX XXX Port S2 Action Retry S2 PK FFFFFFFFFFFFFFFF Ntwk Port Speed Auto 10BT 100BT Ntwk Port Duplex Auto Force Full Force Half Phone Mode Hidden Full Reduced XAS Mode Text Mode Graphical Full Screen Secure Graphical Secure Full Screen XAS IP XXX XXX XXX XXX Port Enable Voice 802 1Q VoiceVLAN No VLAN Auto Ent
114. ter But please note that Communication Server 1000 release 6 0 also requires the following patches to support the DTLS 1 nortel cs1000 tps 6 00 18 23 002 i386 000 or greater 2 nortel cs1000 csv 6 00 18 23 001 i386 000 or greater Please refer to NTP NN43001 315 Linux Platform Base and Applications Installation and Commissioning for patch installation instructions DTLS support can be activated by either provisioning DTLS directly on the IP Phone or dynamically from the associated call server To activate DTLS directly from the IP Phone the server configuration parameters specifically the S1 and S2 Action Byte value must be provisioned A value of 7 triggers a DTLS session DTLS support can also be auto provisioned in the Info Block Again a value of 7 provisioned into the a1 and a2 parameters will trigger a DTLS session for connection to the primary call server and secondary call server respectively However the most likely scenario is that DTLS will be activated dynamically by the call server During the initial establishment of a UNIStim session the call server will request that the phone switch to secure DTLS mode If the phone is running UNIStim software release 4 0 or greater it is capable of supporting a DTLS connection and the phone will dynamically switch to using secure DTLS to communicate between the IP phone and the call server For information on using DTLS on the Communication Server 1000 environment
115. tion applies to the IP Phone 2007 1110 1120E 1140E 1150E 1210 1220 1230 CA Root Certificate Installation The recommended means to install the CA root certificate on the phone is to use the configuration file e.g. 1140e.cfg An example of the modified configuration file is shown below where cacert.pem contains the PEM format CA root certificate USER_KEYS DOWNLOAD_MODE AUTO PROTOCOL TFTP VERSION 1 FILENAME cacert.pem When the phone boots and connects to the TFTP server the phone will download the certificate The installer will then be prompted to accept the fingerprint of the certificate file Once accepted the certificate is saved and the phone will be ready to use the CA root certificate Device Certificate Installation Simple Certificate Enrollment Protocol SCEP is used to request both the CA root certificate and then the Device certificate To successfully install the certificates the following phone parameters must be configured either manually or using auto provisioning CA Server Enter the URL of the SCEP interface of the CA Server As an example for a Microsoft CA server this would be http://www.<<ca_url.com>>/certsrv/mscep/mscep.dll Domain Name The domain to which the phone will belong e.g. acme.com Hostname The name assigned to the phone For some authentication servers i.e. Microsoft IAS this must match a username that can be authenticated in the server If left blank the host
116. ts destination MAC address The phone will therefore accept in addition to all unicast packets sent to the phone's MAC address all broadcast and multicast packets as well If the network environment results in a high amount of broadcast or multicast traffic the IP Phone's performance may be impacted If Voice 802 1Q is enabled on the phone the phone can then be provisioned to filter some or all of the broadcast or multicast traffic If VLAN Filter is enabled packets will be accepted by the phone based on the packet's destination MAC address as well as the packet's VLAN tag Untagged packets and packets with a VLAN tag different from the Voice VLAN ID will be prevented from reaching the phone This will protect the voice application from excessive traffic sent to the broadcast address or to the multicast addresses But please be aware if VLAN filtering is enabled on the phone one must ensure that voice packets are tagged with the appropriate VLAN ID as they exit the network switch else the packets will be dropped by the filter Change in behavior of entering an asterisk to manually provision the Provision parameter in the network configuration menu applies to the IP Phone 2007 1120E 1140E and 1150E In UNIStim software prior to release 3 2 the asterisk key could not be used to input the dot for defining an IP address in the Provision parameter in the network configuration
117. ttings recorder y encrypt the audio stream to the call recorder based on the encryption status of the primary stream callrec n Nortel default Call recorder vendor o other SCR cannot be manually provisioned As such there have been no additions to the Network Configuration menu nor any changes to the auto provisioning menu to support manual provisioning of SCR SCR requires that the IP Phone and the call recorder share security credentials to establish a secure connection The Nortel call recorder ships with a Nortel certificate installed allowing out of the box secure connections with the Nortel CRQM solution However if the customer wishes to use their corporate Certificate Authority CA then a customer root certificate must be installed on the phone Please refer to Appendix A Certificate Installation for details on installing certificates into the phone For additional information on Nortel CRQM solution and its support for Secure Call Recording please refer to 5 Designed for Operability Enhancements applies to the IP Phone 1110 1120E 1140E and 1150E The UNIStim Software release 4 0 introduces Design for Operability DfO enhancements to assist support personnel with IP Phone diagnostics The enhanced diagnostic capabilities include e Flight Recorder e Overload Protection e Task Monitor e Common Alarming e Common Logging e Traffic Monitor Fli
118. uilt application firewall delivering an integrated inside threat security solution to protect Nortel's IP phones and multimedia communication servers The SMC 2450 creates a Secure Multimedia Zone around the converged infrastructure to protect against Denial of Service attacks and other security threats while pre configured policy settings simplify deployment and ensure the integrity and availability of the business critical converged multimedia infrastructure For more information on the capabilities introduced with Nortel SMC 2450 please refer to the SMC 2450 Product bulletin P 2006 0131 Global and the SMC 2450 Sales and Marketing bulletin SM 2006 0132 Global IP Phone Software Upgrade Methods Communication Server Dependent Upgrading the software in a Communication Server 1000 environment The Phase II IP Phones 2001 2002 and 2004 only support the UFTP software upgrade process for the Communication Server 1000 The IP Phone 2007 1110 1120E 1140E 1150E 1210 1220 and 1230 support remote software upgrades through both a TFTP process and the more automated UFTP process direct from the Communication Server 1000 Note that the IP Phone 1200 series is only supported on Communication Server 1000 Release 5 5 or later Therefore the software can be upgraded by either UFTP or TFTP For information on the TFTP software upgrade process for the Communication Server 1000 please refer to the IP Phones
119. vent the downgrade resulting in the phone being denied service In a Communication Server 1000 environment containing SRG and SRG50 branch office systems the umsUpgradeAll Main Office system command should not be executed when the branch office sites have the new hardware IP Phone 1120E or the new hardware IP Phone 1140E and the IP phone software at the Main Office precedes UNIStim software release 3 1 Two SRG atomic patches exist to allow the SRG and SRG50 platforms respectively to interpret denial of software downgrade responses from the new hardware phones Failure to install the patches introduces the risk that the call server may continuously try and downgrade the software thereby denying service to the phone For SRG 200 and SRG 400 release 1 5 the denial of software downgrade support is included in atomic patch BCM R400 294 SRG 4 8 1 0 and later For SRG50 release 3 0 the denial of software downgrade support is included in atomic patch BCM050 R300 SRG 194 1 and later This patch is not available for SRG50 release 2 0 For complete details on the minimal allowable software for the new hardware changes in the IP Phone 1120E and IP Phone 1140E please refer to product bulletin P 2009 0015 Global EAP MD5 and Microsoft Windows Server 2008 applies to IP Phone 2001 2002 2004 2007 1110 1120E 1140E 1150E 1210 1220 and 1230 If access control is enabled on the IP Phone and MD5 is chosen as the EAP mode
