AudioCodes Mediant 800B MSBR User Manual page 647

Multi-service business router; session border controller
1. When you power up the device, the device acquires an IP address for its WAN
   Ethernet interface from a DHCP server.
2. The device establishes an HTTPS connection with the AudioCodes HTTPS Redirect
   server, using the factory default URL, "redirect.audiocodes.com". For security,
   communication between the device and the HTTPS Redirect server is encrypted
   (HTTPS) and set up with mutual authentication. The device uses a special factory-set
   certificate to authenticate itself with the HTTPS Redirect server and to verify the
   authenticity of the latter. The device is shipped with a factory-configured Zero
   Configuration certificate (TLS Context):
   - Certificate signed by "Zero Conf" CA.
   - Trusted Storage with the following:
     - Certificate of "Zero Conf" CA
     - Certificates of "well-known" CAs (e.g., VeriSign)
   a. The device verifies the TLS certificate of the Redirect server, using the certificate
      authority (CA) certificate "Zero Conf", preconfigured on the device during
      production.
   b. If the Redirect server requests validation of the client certificate, the device
      provides it.
   Note: The certificates issued to both the device and Redirect server have very long
   validity periods (01/01/2000 to 01/01/2030) and thus, validation verifications succeed
   even when the device has incorrect time settings.
3. The device sends an HTTPS GET request with its MAC address to the Redirect server.
4. If the Redirect server is configured to service the device (i.e., based on the device's
   MAC address), it replies with an HTTPS 301/302 Moved Permanently / Found redirect
   response that contains the URL of the provisioning server where the provisioning files
   to be downloaded are located; otherwise, it responds with an HTTPS 404 Not Found
   response.
5. If the device receives a 301/302 redirect response, it updates its time and date
   (obtained from the X-Timestamp header in the redirect response) and establishes an
   HTTP/S connection with the new URL (provisioning server). If the redirect URL (where
   the configuration file is stored) also uses HTTPS, the device can use a regular
   certificate or the Zero Configuration certificate to authenticate itself and validate the
   server's certificate if a trusted root certificate (regular) is configured. This is configured
   by the ini file parameter AupdUseZeroConfCerts, or CLI command configure system >
   automatic-update > use-zero-conf-certs. If the server requests a client certificate, the
   device presents its "Zero Conf" certificate (signed by the "Zero Conf" CA).
6. The device sends an HTTPS GET request to the provisioning server. The request
   contains an HTTP User-Agent header that identifies the device (model, MAC address,
   and firmware version).
7. The provisioning server sends a 200 OK response with a CLI file for configuring the
   device. This file can be the CLI Script file or the CLI Startup Script file. The type of file
   depends on your implementation of Zero Configuration and automatic provisioning,
   specific to your deployment needs. You can contact your AudioCodes sales
   representative for an explanation on various design concepts for implementing Zero
   Configuration. For information on the differences between these two files, see 'Files
   Provisioned by Automatic Update' on page 634.
   One option is for the provisioning server to send a CLI Startup Script file with the 200
   OK response. The file would typically contain only configuration settings for the
   Automatic Update feature. This would include URLs of provisioning server(s) from
   where the device can download the software (.cmp file), configuration (CLI Script file),
   and/or auxiliary files (such as Call Progress Tone file). The device applies the settings

Version 6.8
47. Automatic Provisioning Mechanisms
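The order of steps 2 to 5 matters for certificate checks: the long-lived Zero Configuration certificates pass the validity-period check even on a wrong clock, while a regular provisioning-server certificate only passes once the clock has been set from X-Timestamp. The following sketch of the device-side handling is an added example, not AudioCodes code; it assumes X-Timestamp carries Unix epoch seconds (the page does not give the format), and the boot clock, regular-certificate validity window and provisioning URL are constructed sample values.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

UTC = timezone.utc
# Validity period the page states for the Zero Configuration certificates.
ZERO_CONF_WINDOW = (datetime(2000, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
# Constructed sample values below (not from the manual).
BOOT_CLOCK = datetime(2005, 6, 1, tzinfo=UTC)  # device that booted with a wrong date
REGULAR_WINDOW = (datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
REPLY = {"Location": "https://prov.example.com/startup.cli", "X-Timestamp": "1717200000"}

def cert_time_valid(window, now):
    """Time-validity part of certificate verification only (no chain or name checks)."""
    not_before, not_after = window
    return not_before <= now <= not_after

def handle_redirect_reply(status, headers, clock):
    """Device-side handling of the Redirect server's reply (steps 4 and 5).

    Returns (next_url, clock, findings); next_url is None if provisioning stops here.
    """
    if status == 404:
        return None, clock, ["Redirect server does not service this MAC address"]
    if status not in (301, 302):
        return None, clock, [f"unexpected status {status}"]
    findings = []
    # ASSUMPTION: X-Timestamp holds Unix epoch seconds; the page does not give its format.
    try:
        clock = datetime.fromtimestamp(int(headers.get("X-Timestamp", "")), tz=UTC)
    except (ValueError, OverflowError, OSError):
        findings.append("no usable X-Timestamp: clock unchanged")
    url = headers.get("Location", "")
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http":
        findings.append("provisioning URL is plain HTTP: no TLS on the file download")
    elif scheme != "https":
        return None, clock, findings + [f"unusable redirect URL {url!r}"]
    return url, clock, findings

def demo():
    """Walk one redirect with the constructed values; returns what changed."""
    before = cert_time_valid(REGULAR_WINDOW, BOOT_CLOCK)
    url, clock, findings = handle_redirect_reply(302, REPLY, BOOT_CLOCK)
    return before, cert_time_valid(REGULAR_WINDOW, clock), url, findings

if __name__ == "__main__":
    print(cert_time_valid(ZERO_CONF_WINDOW, BOOT_CLOCK), demo())
```

A redirect to an `http://` URL with no usable X-Timestamp yields two findings, which is the case to look for when reviewing what a Redirect server entry hands out.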