This document is subject to change without notice. Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.
GXV33XX phone on public networks and it’s recommended not to do so.

Web UI Access Protocols

HTTP and HTTPS are supported to access the GXV3370/GXV3380/GXV3350 web UI and can be configured under web UI → System Settings → Security Settings → Web/SSH Access. To secure transactions and prevent unauthorized access, it is highly recommended to: 1.
Figure 2: GXV3370 Web UI Login

Notes:
• The factory default username for GXV3370/GXV3380 is “admin” and the default password is “admin”.
• For the GXV3350, the default administrator username is “admin” and the default random password can be found on the sticker on the GXV3350.
• The admin login has access to all of the GXV3370/GXV3380/GXV3350’s web UI pages and can execute all available operations. The user login has limited access to the web UI pages. With the user login, the following settings cannot be configured: •...
Figure 5: Admin (left) and User (right) Web Access

SSH Access

The GXV3370/GXV3380/GXV3350 allows access via SSH. This is usually not needed unless the administrator or Grandstream support needs it for troubleshooting purposes. SSH access on GXV33XX is enabled by default on port 22. It’s recommended to disable it for normal daily usage. If SSH access needs to be enabled, changing the port from the well-known port 22 to a different port is a good practice.
DEVICE CONTROL SECURITY

From GXV3370/GXV3380/GXV3350 web UI → System Settings → Security Settings → Web/SSH Access, the administrator can set whether the user can use specific features or install apps from the LCD, as shown below.

Figure 7: Limit Access to Advanced Settings and Apps on LCD

Configures access control for keypad Menu settings on the Settings interface of the phone.
GUI Config Tool Settings

The GUI config tool is an online tool designed to customize the configuration for devices. Here is the link to the GUI config tool: http://tools.grandstream.com:8081

Figure 8: GUI Config Tool Settings GUI

From there, the administrator can build a customized file to remove access for certain apps and task bar features.
UI → Account → General Settings → Account Active to deactivate Account 1. Note that GXV3370/GXV3380/GXV3350 supports up to 16 SIP accounts. Below are the ports/protocols used on GXV33XX SIP accounts: •...
SIP TLS certificate, private key and password can be configured under GXV33XX web UI → System Settings → Security Settings → SIP TLS.

Figure 11: SIP TLS Settings on GXV33XX

When SIP TLS is used, the GXV33XX also offers additional configurations to check domain certificate and validate certificate chain.
Port_Value+10*N+9

Anonymous/Unsolicited Calls Protection

If the user would like to have anonymous calls blocked, please go to GXV3370/GXV3380/GXV3350 web UI → Account → Account x → Call Settings and enable option “Intercept Anonymous Calls”. This will automatically block the SIP call if the caller ID is anonymous.
Figure 14: Settings to Block Unwanted Calls

Only Accept SIP Requests from Known Servers: Answers the SIP request from saved servers. When set to “Yes”, only the SIP requests from saved servers will be accepted, and the SIP requests from the unregistered server will be rejected. The default setting is “No”.
SRTP

To protect voice communication from eavesdropping, the GXV3370/GXV3380/GXV3350 phones support SRTP for media traffic using AES 128&256. It is recommended to use SRTP if the server supports it. SRTP can be configured in web UI → Account → Codec Settings → RTP Settings.
NETWORK SECURITY

OpenVPN®

The GXV3370/GXV3380/GXV3350 supports OpenVPN® and by default it’s disabled. It can be enabled and used for secure remote connection as shown in the figure below:

Figure 16: OpenVPN® for Secure Network Access

If the device is using OpenVPN® to access network, it is recommended to use a different port other than...
Enable OpenVPN®: This enables/disables OpenVPN® functionality and requires the user to have access to an OpenVPN® server. The default setting is No. NOTE: To use OpenVPN® functionalities, users must enable OpenVPN® and configure all the settings related to OpenVPN®, including server address, port, OpenVPN®...
802.1X

The GXV3370/GXV3380/GXV3350 supports EAPOL where access to switchports can be controlled with identity/password and certificate as shown in the figure below:

Figure 18: 802.1X for GXV33XX Deployment

By default, it’s disabled. When it’s enabled, there are 3 different modes for selection: EAP-MD5, EAP-TLS and EAP-PEAP.
Bluetooth devices.

PC Port Mode

The GXV3370/GXV3380/GXV3350 has dual switched 10/100/1000Mbps ports. The LAN port is for network access and the PC port has multiple modes. Assuming GXV33XX has network access, PC port mode has the following settings under web UI → Network Settings → Advanced Network Settings → PC Port Mode...
SECURITY FOR GXV33XX SERVICES

Provisioning via Configuration File

The GXV3370/GXV3380/GXV3350 supports downloading the configuration file via HTTP/HTTPS/TFTP. The figure below shows the options for config file provisioning.

Figure 21: GXV33XX Config File Provisioning

We recommend that users consider the following options for added security when deploying the GXV33XX with provisioning.
Validate Certificate Chain: This configures whether to validate the server certificate when downloading the firmware/config file. If set to "Yes", the phone will download the firmware/config file only from the legitimate server.

Figure 22: Validate Certification Chain

GXV33XX supports uploading CA certificate to validate the server certificate and this setting is under GXV33XX web UI →...
Firmware Upgrading

Similar to configuration file provisioning, GXV3370/GXV3380/GXV3350 supports downloading the firmware file via HTTP/HTTPS/TFTP. The firmware file is encrypted and GXV33XX ensures that only an authentic, signed and untampered firmware file can run. Here are the recommended settings for firmware downloading.
TR-069

TR-069 is enabled by default, which means the connection request port 7547 is open for TR-069 sessions. If the user does not need the TR-069 service, it’s recommended to disable it. When TR-069 is enabled and the service is to be used, users can also consider using a different connection request port other than the well-known port 7547 for security purposes.
FTP Server

The FTP server is disabled by default on GXV3370/GXV3380/GXV3350. It can be enabled from LCD menu → File Manager app. FTP service on GXV33XX uses port 2121. After the user enables FTP server and connects to it, GXV33XX files can be browsed as screenshots from a remote PC. It is recommended to disable the FTP server during normal usage, and only turn it on for a specific purpose.
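The following is an added example, not part of the Grandstream guide: a small audit that checks a list of phones for the three management services whose default ports the guide names (SSH on 22, TR-069 connection requests on 7547, FTP on 2121) and prints the guide's recommendation for each one that accepts a TCP connection. The function names and the command-line usage are assumptions made for this example.

```python
import socket
import sys

# Default TCP ports and advice as stated in the guide text above.
GUIDE_CHECKS = {
    22: ("SSH", "enabled by default; disable for daily use or move off port 22"),
    7547: ("TR-069", "enabled by default; disable if unused or change the port"),
    2121: ("FTP server", "disabled by default; enable only for a specific purpose"),
}

def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failure
        return False

def audit_phones(hosts, checks=GUIDE_CHECKS, probe=tcp_open):
    """Probe every host for each guide-listed service; return reachable ones."""
    findings = []
    for host in hosts:
        for port, (service, advice) in sorted(checks.items()):
            if probe(host, port):
                findings.append((host, port, service, advice))
    return findings

def format_report(findings):
    """One line per reachable service, or a single all-clear line."""
    if not findings:
        return "No guide-listed management ports reachable."
    return "\n".join(f"{h}:{p} {s} reachable -> {a}" for h, p, s, a in findings)

if __name__ == "__main__":
    # Hosts come from the command line: the addresses of phones you administer.
    print(format_report(audit_phones(sys.argv[1:])))
```

A service that has been moved to a non-default port is not reported by this check, so it complements rather than replaces a review of the web UI settings.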
Figure 28: LDAP Settings

Syslog

The GXV3370/GXV3380/GXV3350 supports sending Syslog to a remote syslog server. By default, it’s sent via UDP and we recommend changing it to “SSL/TLS” so the syslog messages containing device information will be sent securely over a TLS connection.
SECURITY GUIDELINES FOR GXV33XX DEPLOYMENT

Oftentimes the GXV3370/GXV3380/GXV3350 phones are deployed behind NAT. The network administrator can consider the following security guidelines for the GXV33XX to work properly and securely.

• Turn off SIP ALG on the router
On the customer’s router, it’s recommended to turn off SIP ALG (Application Layer Gateway). SIP ALG is common in many routers and is intended to prevent some problems caused by router firewalls by inspecting VoIP packets and modifying them if necessary.