Engineering Advisory 52609
Mutual Transport Layer Security Provisioning Using
Microsoft® Internet Information Services 6.0
March 2013 | 1725-47080-001 Rev. B
This engineering advisory explains how to configure Microsoft® Internet Information Services
(IIS) and Microsoft Certificate Authority to provision a Polycom® SoundPoint® IP, SoundStation®
IP, or VVX™ phone using mutual Transport Layer Security (mutual TLS).
This information applies to Microsoft IIS 6.0 on Windows Server® 2003 and the following Polycom
phones:
SoundPoint IP running SIP software version 3.2 or later
SoundStation IP running SIP software version 3.2 or later
VVX 1500 running SIP software version 3.2 or later
VVX 500 running UC software version 4.1.0B or later
VVX 600 running UC software version 4.1.2 or later
The topics in this advisory include:
Overview A graphical overview of the configuration.
Mutual TLS Requirements Requirements before you start the configuration.
Configuring Mutual TLS Provisioning Procedures to show you how to configure IIS and
Microsoft Certificate Authority to provision a Polycom phone using mutual TLS.
Troubleshooting Tips to help you troubleshoot configuration problems.
Additional Information More information on HTTP and HTTPS provisioning.
Overview
In the following figure, IIS and Microsoft Certificate Authority have been configured to provision
a Polycom phone using mutual TLS. IIS is configured to allow both HTTP and mutual TLS to co-
exist on a single server.
Figure 1: A Polycom Phone Using Mutual TLS and Provisioned with Configured Microsoft IIS and Microsoft Certificate Authority
Note: Purchasing a Certificate
You can simplify the server-certificate part of the configuration by purchasing a certificate for your IIS server from a well-known certificate authority (CA) instead of running the Microsoft Certificate Authority service. This only covers the certificate the server presents to the phone; the Polycom Root CA certificate must still be installed on the server so that IIS can validate the client certificate the phone presents.
Mutual TLS Requirements
Before you can configure Microsoft IIS and Microsoft Certificate Authority to provision a
Polycom phone using mutual TLS, ensure that you have the following:
Polycom SIP application 3.2 or later for the mutual TLS feature.
Polycom bootROM 4.2.0 or later for HTTP digest (MD5) authentication.
Web server capable of mutual TLS (client certificate checking). For the configuration
example in this bulletin, IIS is used.
One of the following:
○ HTTPS server certificate and root CA certificate if it is self-signed, or
○ A certificate from VeriSign® or another well-known root CA.
Polycom phone with a certificate installed at the factory.
To verify that the certificate is installed, on the Polycom phone, press the Menu button,
and then select Status > Platform > Phone. If a certificate is installed, “Device Certificate:
Installed” will be listed. If a certificate is not installed, “Device Certificate: Not Installed” will
be listed.
Polycom Root CA certificate
Patch for the Microsoft server so that it can validate certificates signed with SHA-2 hashes (SHA-256 or stronger). Note that SHA-256 is a signature hash, not an encryption algorithm. For more information,
see the related entry in the Troubleshooting section.
Configuring Mutual TLS Provisioning
The procedures in this section show you how to configure IIS and Microsoft Certificate Authority
to provision a Polycom phone using mutual TLS.
Configuring mutual TLS provisioning involves the following steps:
2 The certificate will display. Click Install Certificate.
3 From the Certificate Import Wizard, do the following:
a Click Place all certificates in the following store, and then click Next.
b In the Select Certificate Store window, select the Show Physical Stores check box, expand
Trusted Root Certification Authorities, select Local Computer, and then click OK. (Local
Computer is only listed once Show Physical Stores is selected.)
Note: Selecting the Local Computer Certificate Store
If you do not select the local computer certificate store, the server will not recognize any
Polycom client certificates.
c Click Finish.
The Polycom Root CA certificate is now installed on your server.
To verify that the certificate is installed correctly, open the Certificates module in Microsoft
Management Console (MMC) and confirm that the Polycom Root CA is listed.
Note: Installing Intermediate Certificates
If the server cannot build a chain from the phone's device certificate to the Polycom Root CA (the phone certificates are issued by Polycom intermediate CAs), you may have to install the intermediate certificates, or configure Microsoft to automatically download the intermediate certificates. For more information, see Troubleshooting.
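The two notes above (the certificate must be in the Local Computer store, and a missing intermediate CA breaks chain building) can be checked from the command line. The following Windows PowerShell script is an added example and is not part of this advisory. It assumes Windows PowerShell 2.0 or later is installed on the IIS host (it is not included with Windows Server 2003), and that the Polycom Root CA file and a device certificate exported from a phone are at the placeholder paths shown.

```powershell
# Added example, not from the Polycom advisory: install the Polycom Root CA into the
# Local Computer Trusted Root store and check that a phone device certificate chains to it.
# Assumptions: PowerShell 2.0+ on the IIS host; the two file paths below are placeholders.

$polycomRootCaPath = 'C:\certs\PolycomRootCA.cer'      # assumed path: Polycom Root CA certificate
$deviceCertPath    = 'C:\certs\phone-device-cert.cer'  # assumed path: device certificate exported from a phone

# 1. Open the LocalMachine (not CurrentUser) Trusted Root store. IIS runs as a service,
#    so only certificates in the LocalMachine store are visible to it.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($polycomRootCaPath)
if (-not $root.Certificates.Contains($ca)) { $root.Add($ca) }
$root.Close()

# 2. Confirm it is in the machine store. This is what MMC shows under
#    Certificates (Local Computer) > Trusted Root Certification Authorities.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) { throw 'Polycom Root CA is not in the LocalMachine Root store' }
"Root CA installed: $($ca.Subject)  thumbprint $($ca.Thumbprint)"

# 3. Build the chain for a device certificate the way the server will when the phone
#    connects. A PartialChain status means an intermediate CA certificate is missing and
#    must be added to the LocalMachine Intermediate Certification Authorities store (Cert:\LocalMachine\CA).
$device = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($deviceCertPath)
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($device)) {
    'Chain OK:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    "Chain FAILED for $($device.Subject):"
    $chain.ChainStatus | ForEach-Object { '  ' + $_.Status + ': ' + $_.StatusInformation }
    if ($chain.ChainStatus | Where-Object { $_.Status -eq 'PartialChain' }) {
        'Install the missing Polycom intermediate CA certificate(s) into Cert:\LocalMachine\CA and rerun.'
    }
}
```

Run the script from an elevated PowerShell prompt on the IIS server. Revocation checking is disabled in the chain build so that the result reflects only whether the root and intermediate certificates are present; re-enable it if your policy requires CRL checks on device certificates.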
Enabling Mutual TLS on the IIS Server
To enable mutual TLS on the IIS server, you must set the IIS server to require a Client Certificate.
To enable mutual TLS on the IIS server:
1 Open Internet Information Services (IIS) Manager. Right-click the HTTPS virtual server
(for example, bootserver MTLS), and then select Properties.
2 From the Properties window, click the Directory Security tab. In the Secure
communications area, click Edit.
3 From the Secure Communications window, select the Require secure channel (SSL)
check box, and in the Client certificates area, click Require client certificates. Click OK.
4 At the server command prompt, type IISRESET to reset the IIS Server.
5 Reboot the phone.
The bootROM will now use HTTP with digest authentication, and the application will use
mutual TLS.
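The same change (steps 1 to 4 above) can be made and verified from the command line. The following Windows PowerShell script is an added example and is not part of this advisory. It assumes PowerShell 2.0 or later is installed on the server, that the HTTPS web site is described as "bootserver MTLS" in IIS Manager, and that the server certificate's host name is bootserver.example.com; all three are placeholders. The metabase property written here, AccessSSLFlags, is the one the Secure Communications dialog sets.

```powershell
# Added example, not from the Polycom advisory: require client certificates on the HTTPS
# provisioning site in the IIS 6.0 metabase, restart IIS, and confirm that a request
# without a client certificate is refused.
# Assumptions: PowerShell 2.0+ on the server; site description and host name are placeholders.
# Equivalent without PowerShell: cscript adsutil.vbs set W3SVC/<siteId>/Root/AccessSSLFlags 104

$siteComment = 'bootserver MTLS'          # assumed: description of the HTTPS web site in IIS Manager
$serverHost  = 'bootserver.example.com'   # assumed: host name in the server certificate

# IIS 6 metabase AccessSSLFlags bits (MD_ACCESS_* values).
$AccessSSL              = 8    # Require secure channel (SSL)
$AccessSSLNegotiateCert = 32   # Ask the client for a certificate
$AccessSSLRequireCert   = 64   # Reject clients that do not present one
$required = $AccessSSL -bor $AccessSSLNegotiateCert -bor $AccessSSLRequireCert   # = 104

# Locate the HTTPS site by its description and set the flags on its root application.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
$site  = $w3svc.Children | Where-Object {
    $_.SchemaClassName -eq 'IIsWebServer' -and
    [string]$_.Properties['ServerComment'].Value -eq $siteComment
}
if (-not $site) { throw "No web site described as '$siteComment'" }
$siteRoot = [ADSI]"IIS://localhost/W3SVC/$($site.Name)/Root"
$siteRoot.Put('AccessSSLFlags', $required)
$siteRoot.SetInfo()
"AccessSSLFlags on '$siteComment' is now $($siteRoot.AccessSSLFlags)"
# Leave the separate HTTP site (used by the bootROM with digest authentication) at AccessSSLFlags = 0.

# Apply the metabase change; this is the advisory's IISRESET step.
& iisreset.exe | Out-Null

# Negative check: with no client certificate the TLS handshake still completes (one-way SSL),
# but IIS must answer 403 (sub-status 403.7, client certificate required, in the W3C log).
$req = [System.Net.HttpWebRequest]::Create("https://$serverHost/000000000000.cfg")
try {
    $req.GetResponse().Close()
    throw 'Server returned content without a client certificate: mutual TLS is NOT enforced'
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 403) { 'OK: server refuses requests that carry no client certificate' }
        else { "Unexpected HTTP status $status" }
    } else {
        "No HTTP response (TLS or connection error): $($_.Exception.Message)"
    }
}
```

A 403 from the negative check only proves that certificates are demanded; to prove the positive path, confirm on the phone (Troubleshooting below) that the application downloads <MACaddress>.cfg over the HTTPS server after the reboot.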
Troubleshooting
If you have problems with the configuration, Polycom recommends consulting the
troubleshooting tips in this section before contacting Polycom Support.
How Can I Tell if Mutual TLS is Working?
In the serial log, you will see <MACaddress>.cfg being downloaded.
The first section of the log shows one-way SSL working correctly:
POLYCOM®, the Polycom logo and the names and marks associated with Polycom products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom.
Disclaimer
While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document.
Limitation of Liability
Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages.
Customer Feedback
We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to [email protected].
Visit support.polycom.com for software downloads, product documents, product licenses, troubleshooting tips, service requests, and more.