Set TLS Profiles; Support Mutual TLS Authentication - Polycom CX5500 Administrator's Manual

Unified conference station for Microsoft Lync

Polycom CX5500 Unified Conference Station Administrator's Guide

Set TLS Profiles

By default, all Polycom-installed profiles are associated with the default cipher suite and use trusted and
widely recognized CA certificates for authentication. Use the table Set a TLS Profile for each TLS
Application to set parameters. You can change the cipher suite, CA certificates, and device certificates for
the two platform profiles and the six application profiles. You can then map profiles directly to the features
that use certificates.

Set a TLS Profile for each TLS Application

Central Provisioning Server (template > parameter)
Specify the TLS profile to use for each application (802.1X and Provisioning): device.cfg > device.sec.TLS.profileSelection.*
Specify the TLS profile to use for each application (other applications): device.cfg > sec.TLS.profileSelection.*

Web Configuration Utility
To specify the TLS profile to use for a specific application, navigate to Settings > Network > TLS, and expand the
TLS Applications menu.

Local Phone User Interface
To specify the TLS profile to use for a specific application, navigate to Settings > Advanced > Admin Settings >
TLS Security > TLS Applications, select the TLS application, and choose a TLS Profile to use.

Support Mutual TLS Authentication

Mutual Transport Layer Security (TLS) authentication is a process in which both entities in a
communications link authenticate each other. In a network environment, the phone authenticates the
server and vice versa. In this way, phone users can be assured that they are doing business exclusively
with legitimate entities, and servers can be certain that all would-be users are attempting to gain access
for legitimate purposes.

This feature requires that the phone being used has a Polycom factory-installed device certificate or a
custom device certificate installed on it. See the section Digital Certificates.

Prior to SIP 3.2, and in cases where the phones do not have device certificates, the phone will
authenticate to the server as part of the TLS authentication, but the server cannot cryptographically
authenticate the phone. This is sometimes referred to as Server Authentication or Single-Sided
Authentication.

Mutual TLS authentication is optional and is initiated by the server. When the phone acts as a TLS client
and the server is configured to require mutual TLS, the server will request and then validate the client
certificate during the handshake. If the server is configured to require mutual TLS, a device certificate and
an associated private key must be loaded on the phone.

The device certificate, stored on the phone, is used by:
HTTPS device configuration, if the server is configured for Mutual Authentication
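The two requirements described above for mutual TLS (a device certificate the server can validate, and its associated private key) can be checked on an administrator workstation before a custom certificate is loaded on the phone. This is an added example, not taken from the Polycom guide: it assumes the OpenSSL command-line tool is available, and the lab CA, subject names and file names are constructed. A particular server may apply further policy beyond OpenSSL's chain and client-purpose checks.

```shell
#!/bin/sh
# Added example (not from the Polycom guide): checks on a custom device
# certificate before it is loaded for mutual TLS. All names are constructed.

# Would a server trusting CA file $1 accept certificate $2 as a TLS client cert?
chain_ok() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does private key $2 belong to certificate $1? Compares the two public keys.
key_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Issue <dir>/<name>.pem for CN <cn> with extended key usage <eku> from the lab CA.
issue() {  # issue <dir> <name> <cn> <eku>
    openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    printf 'extendedKeyUsage=%s\n' "$4" > "$1/$2.ext" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# Constructed lab: a CA, a device cert, a server-only cert and a self-signed cert.
make_lab() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
        'CN=Common Name' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/lab.cnf" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/lab.cnf" \
        -subj "/CN=Constructed Lab CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    issue "$1" device constructed-device-01 clientAuth &&
    issue "$1" srvonly constructed-device-02 serverAuth &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/lab.cnf" \
        -subj "/CN=constructed-device-01" -keyout "$1/rogue.key" -out "$1/rogue.pem" 2>/dev/null
}

# Print both results for one certificate/key pair.
report() {  # report <ca.pem> <cert.pem> <key.pem>
    chain_ok "$1" "$2" && c=pass || c=FAIL
    key_matches "$2" "$3" && k=pass || k=FAIL
    echo "$(basename "$2") with $(basename "$3"): chain=$c key=$k"
}

lab=$(mktemp -d) && make_lab "$lab" || exit 1
for n in device srvonly rogue; do
    report "$lab/ca.pem" "$lab/$n.pem" "$lab/$n.key"
done
report "$lab/ca.pem" "$lab/device.pem" "$lab/rogue.key"
rm -rf "$lab"
```

Only the CA-issued certificate with the client-authentication usage passes the chain check, and pairing it with the wrong private key fails the key check.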
