Configuring TLS and SRTP on Avaya J-100 SIP Phone (J139, J159, J169, J179, J189)

Introduction

The Avaya J-100 Series of SIP phones provides a PoE-enabled Gigabit Ethernet interface and supports SIP communication to the UCX, including the use of sRTP for media encryption. A variant of this phone adds on-hook security options to make it ideal for secure communications environments. The phones also provide superior audio quality with amplified handsets, and customization with low power requirements, in a Session Initiation Protocol (SIP) environment.

J100 models:

  • J139
  • J159
  • J169
  • J179
  • J189

Supported Functions

The Avaya SIP phone, when registered to the UCX, supports basic phone functions including message waiting indication. Advanced phone features are not supported, for example: Contact list, Speed dial, History, Paging, Auto answer, Forward button, etc.

This document focuses on the configuration of the sRTP capability from the Web Admin GUI of the J-100 SIP telephone and the corresponding UCX configuration. For any additional configuration of J-100 capabilities such as VLANs, DHCP options and other basic network functions, refer to Avaya's document for Installing and Administering Avaya J100 Series IP Phones.

Pre-Requisites

In order to use the Avaya J-100 Series telephone, you will need:

  • An E-MetroTel Universal Extension license for each J-100 Series device.
  • UCX Release 7.0 or higher
  • An installed DTLS Certificate on the UCX 
  • A copy of the UCX DTLS certificate downloaded to your PC

Configuration Process

Configure the UCX 

Completing the UCX configuration first prevents the UCX IP Block List functionality from blocking login requests from the subnet of the J-100 Series phone because of a series of unexpected login requests made before the SIP credentials are set on the UCX.

Modify the UCX SIP Settings
  1. Open a Web-based Configuration Utility session with the UCX
  2. Navigate to the PBX / Settings / SIP Settings page
  3. Add the following values to the Other SIP Settings section at the bottom of the page:
    • tlsenable = yes
    • tlsbindaddr = 0.0.0.0 (if using a Galaxy appliance) or tlsbindaddr = 0.0.0.0:5960 (if using UCX Cloud)
    • tlscertfile = /var/lib/asterisk/keys/ucx.pem
    • tlscafile = /var/lib/asterisk/keys/ca.crt
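To confirm the TLS listener configured above before setting up the phone, the following Python script is an added example (not from the original page, Avaya or E-MetroTel). It opens a TLS 1.2-only connection to the UCX SIP TLS port and validates the presented certificate against the ca.crt downloaded in the pre-requisites, mirroring the TLS settings applied to the phone later in this document. The script name and function names are hypothetical; use the same port as in the phone's SIP Proxy Server setting.

```python
import socket
import ssl
import sys


def phone_like_context(cafile=None):
    """TLS client context that mirrors the phone settings on this page."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Network / Advanced: TLS = "Only 1.2"
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Match Identity to Trust Certificate = No. Assumption: the chain is still
    # validated against the imported CA, only the name/IP comparison is skipped.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def check_listener(host, port, cafile=None, timeout=5.0):
    """Handshake with the SIP TLS listener and report what was negotiated."""
    ctx = phone_like_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": cert.get("subject"),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": "certificate not trusted: " + exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_ucx_tls.py <ucx-ip> <port> <path-to-ca.crt>")
    result = check_listener(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A result of "certificate not trusted" means the ca.crt on the PC does not match the chain the UCX presents, which would also stop the phone from registering over TLS.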

Configure the UCX SIP Extension(s)

For each SIP extension that requires security:

  1. Create the SIP Extension (refer to Adding a SIP Extension)
  2. In the Device options of the Extension configuration page, set the following values:
    • Transport = TLS Only
    • Enable Encryption = Yes (SRTP only)

Configure the J-100 Series phone (J139, J159, J169, J179, J189)

Enable the phone's Web Admin GUI

  1. When the phone has powered on, say No to the Auto Provisioning screen.
  2. Press the Admin softkey
  3. Enter the passcode (default is 27238, which spells craft on the keypad)
  4. Scroll to the bottom of the list to the Web Server entry and press the Select softkey
  5. Use the left-right keys to set the Web Server to On
  6. Press the Save softkey
  7. Press the Back softkey and the phone will restart
  8. Once the phone has rebooted, if you already know the IP address of the phone, proceed to step 11.
  9. Press the center button of the phone twice
  10. The second line of the display will show the phone's IP address
  11. Now you are able to access the phone's Web GUI interface

Access the phone's Web Admin GUI

  1. Launch a web browser pointing to the IP address of the phone
  2. Enter the username and password for the Web GUI. (default values are admin and 27238)
  3. If this is the first time logging in to the phone, it will prompt for a new password
  4. Navigate to the appropriate GUI page and set it to a value you wish to use.
  5. In the Environment Setting / Environment Setting section, set the following values:
    • Aura Environment = Disable
    • Discover AVAYA Environment = Disable
    • IP Office Environment = Disable
    • 3PCC Environment = Enable
    • 3PCC Server Mode = Generic
  6. In the Management / Device Enrollment Service section, set the following values:
    • DES Discovery = Disable
  7. In the Management / Plug and Play (PNP) Provisioning section, set the following values:
    • PNP Configuration = Disabled
  8. In the Network / Advanced section, set the following values:
    • TLS = "Only 1.2"
  9. In the Certificates / Trusted certificates Configuration / Trusted Certificate / Import section, import/select the ca.crt file you downloaded from the UCX in the pre-requisite section above
  10. In the Certificates / Trusted certificates Configuration / Trusted Certificate / Match Identity to Trust Certificate section, set the value to No
  11. Navigate to the Settings / Avaya Spaces / Spaces Access Mode (you may need to click on the Expand All button at the top of the page to access this)
  12. In the IP configuration / IP Version section, set the following:
    • IP Mode = IPv4 only
    • Note that if you press SAVE after changing this value, the phone will immediately reboot
  13. Navigate to the SIP / SIP Global Settings and set the following:
    • SIP Domain = UCX IP address
    • Enable PPM = No
    • Proxy Policy = Manual (use Phone Admin...)
    • SIP Proxy Server = UCX.IP.Address:5061;transport=tls (if using a Galaxy appliance) or UCX.IP.Address:5961;transport=tls (if using UCX Cloud)
    • Number of proxy server to register simultaneously = 1
    • Authentication User ID Field = enabled
    • Registration Interval = 120 (WHATEVER YOU PREFER)
  14. Navigate to the SIP / Codecs and DTMF
    • OPUS = Disable
    • G.726 = Disable
  15. Navigate to the SIP SRTP
    • Media Encryption = aescm128-hmac80
    • Encrypt RTCP = Yes  
  16. Press SAVE before proceeding
  17. Navigate to the SIP / SIP Account
    • Display Name = Extension Number
    • SIP user ID = Extension Number
    • Authentication User ID = Extension Number
    • Password = Phone Secret from UCX GUI configuration page
  18. Press the Login button
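
To check on a SIP trace that the SRTP settings above took effect, the following added example (not part of the original page, nor Avaya or E-MetroTel code) audits an SDP body: each media stream must use an SRTP profile and offer AES_CM_128_HMAC_SHA1_80, the SDP name of the aescm128-hmac80 suite, without the UNENCRYPTED_SRTCP session parameter. The sample SDP, its addresses and its key are constructed, and the function names are hypothetical.

```python
REQUIRED_SUITE = "AES_CM_128_HMAC_SHA1_80"   # SDP name for aescm128-hmac80
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}   # SRTP transport profiles

# Constructed sample offer: documentation addresses, dummy 40-character key.
SAMPLE_SDP = (
    "v=0\n"
    "o=- 1 1 IN IP4 192.0.2.10\n"
    "s=-\n"
    "c=IN IP4 192.0.2.10\n"
    "t=0 0\n"
    "m=audio 5004 RTP/SAVP 0 8 101\n"
    "a=rtpmap:0 PCMU/8000\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40 + "\n"
)


def audit_sdp(sdp):
    """Return findings for an SDP body; an empty list means SRTP as configured."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            proto = parts[2] if len(parts) > 2 else ""
            sections.append({"kind": parts[0] if parts else "?", "proto": proto, "crypto": []})
        elif line.startswith("a=crypto:") and sections:
            # a=crypto:<tag> <suite> <key-params> [<session-params> ...]
            fields = line[len("a=crypto:"):].split()
            if len(fields) >= 3:
                params = [p.upper() for p in fields[3:]]
                sections[-1]["crypto"].append((fields[1], params))
    findings = [] if sections else ["no media sections found"]
    for m in sections:
        if m["proto"] not in SECURE_PROFILES:
            findings.append(f"{m['kind']}: transport {m['proto']} is not SRTP")
        good = [params for suite, params in m["crypto"] if suite == REQUIRED_SUITE]
        if not good:
            findings.append(f"{m['kind']}: no {REQUIRED_SUITE} crypto line")
        elif all("UNENCRYPTED_SRTCP" in params for params in good):
            findings.append(f"{m['kind']}: RTCP is not encrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_sdp(SAMPLE_SDP) or ["all media streams use SRTP as configured"]:
        print(finding)
```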

Adjust Firewall settings on the UCX for sRTP Communication
