Courseware:IT Connect - 06.0 Managing Devices

From innovaphone wiki
Revision as of 12:15, 10 April 2025 by Viktor.gruenauer (talk | contribs)

This book describes the Devices App, which can be used to manage all devices that belong to a single installation.

Load a new configuration

Before we take a closer look at the Devices App, it is time to load a new start configuration on your devices.

In fact, this will not change any of the existing configurations on your devices. However, it will allow Devices to upload new firmware and Apps to your devices, and we will see how that works in a minute.

So go ahead and load the start configuration files for this book onto your devices.

(Further Hints) As before, to open myApps, please use Start myApps with English UI

The Devices App

Devices' mission is to manage all the devices that belong to a single installation.

When it starts, it shows a list of domains on the left side (because the Domains tab is active initially). After having run the Install, there is only one domain in there, which is the one you defined during the Install. In many projects, there will be no more domains. But in some projects, where you serve multiple customers with a single system (a.k.a. multi-tenant, for example when a hoster runs individual PBXs for many customers), more domains will appear here. During this course, we will not cover such scenarios.
(Further Hints) Note that the domains shown here are those from the Identification of the PBX section of the Install (dvl-ckl2.net in our case), not the domains used in the DNS names (hq-dvl-ckl2.training.innovaphone.com and apps-dvl-ckl2.training.innovaphone.com in our case).
In the Devices tab, there is a list of devices known in this installation. You could limit this list to the devices which belong to a certain domain by selecting one or more particular domains in the Domains tab. Of course, in this course, it doesn't make a difference as we only have one domain.

But isn't there a domain called Unassigned devices? This of course is a pseudo domain which selects all devices that are connected to Devices but not in its device database. This for example may happen if a device was previously part of the installation but had been removed. If the device still connects to the Devices App, it is listed here.

Looking at the list in the Devices tab, we see a number of entries:
  • AP - apps.dvl-ckl2.net
    The application platform

  • PBX - hq.dvl-ckl2.net
    The PBX
  • hq IP Phone-IP112-jdu
    Jean Dupont's IP 112
  • ... and some more phones
Both the AP and the PBX are located on the IP411LEFT which you have set up using the Install. One is the PBX itself, the other the application platform running the apps (AP). As they run on different CPUs (well actually different CPU cores) and run different software, they are treated as separate devices in Devices.


Device related Functions

When you are in the Devices tab and a particular device is selected, a number of functions on that device are available in the right pane.

Edit

The Edit tab allows you to
  • change the device's nickname (as it is shown in Devices)
    You can rename the device as you like; the name has no significance
  • move the device to a different domain
    As mentioned earlier, this only makes sense if you are running multiple domains (i.e. tenants) in a single system. So in this course, this will not happen

Admin UI

This tab gives you access to the individual device admin user interface (also known as advanced UI).


Before v13r1, this was the only way to configure the system. Starting with v13r1, you still have full access to it, and you can use it to configure anything you want to. However, in many cases you won't need it anymore, since various Apps will do the work for you. Especially if you need to do some configuration on multiple devices to implement a specific feature, those Apps can do it for you in one place, making your life as an administrator much easier.

However, even if you decide to use the traditional admin user interface in some cases, Devices has some interesting benefits for you
  • you have a central and convenient place to find all your devices. No more remembered IP addresses or painful maintenance of browser shortcuts to your devices
  • there is no need any more to authenticate to each device individually. As soon as you are logged-in to myApps (and have the appropriate rights), you can access any device in your system without typing in passwords over and over again
  • accessing the individual device user interface even works if the device is not reachable from your network

Accessing Remote Devices


Let us look at the last point in some more detail.

The technology used to provide you with the device's user interface is known as WebSocket. The devices you add to your installation will always try to establish a WebSocket connection to the Devices App on your App Platform. When the connection is up, Devices will tunnel all your usage of the user interface through this connection. This way, you can access devices even though they are located behind a remote NAT router. No special configuration on the remote NAT router is required (for example, no port forwardings).

This is a great tool if you need to maintain equipment in remote locations, such as if you have home offices or if you run a hosted PBX service and need to access remote phones.

Categories

You can assign categories to devices. If you like, categories are just names for groups of devices. Therefore, one application of such categories is to filter the device list.

For example, to filter all IP phones, you would
(Further Hints) Don't forget to uncheck the category again after trying this, so you see all devices again (note the little check-mark above the Categories tab header which reminds you of the fact that you have restricted your list to only some categories)!

Defining Categories

Before you can assign a category to a device, you must define the category. This is done in the Categories tab. Some useful categories are already created by the Install but you can add more.

Normally, categories are used for filtering in the list of devices. However, if you tick the Provisioning category check-mark, the category will also be available to select devices for provisioning of specific device configurations. We will come back to this later.

Note that while you can assign multiple categories to a device, you can only assign a single category with the Provisioning category check-mark to a device.

Create a new category ckl's devices for filtering and add it to your IP232:
  • switch to the Categories tab
  • click on + Add category
  • enter ckl's devices as name
  • do not tick the Provisioning category for device configuration deployment check-mark
  • click OK
  • switch to the Devices tab
  • select the hq IP Phone-IP232-ckl device
  • click on Categories
  • add ckl's devices to the Configuration of categories
  • then select the PBX - hq.dvl-ckl2.net device
  • also add ckl's devices to the Configuration of categories
  • switch back to the Categories tab
  • tick the new category in the category list
  • switch back to the Devices tab
  • you will see only your IP232 and the PBX listed
(Further Hints) When you select more than one category in the Categories tab, the Devices tab will show all devices which are in any of those categories. In other words: multiple categories are ORed together.

By clicking on the Subcategories button on the lower left, you can even do a somewhat more complicated category selection where you select devices which are in one of the categories ticked and also in one or more of some other categories (shown as Subcategories in the UI).

Searching Devices


While we are on the subject of filtering the device list: you can also filter it ad hoc using a search term in the device list.

Remove

If you have physically removed a device from your installation, Devices will show it as missing. In this case, you can also remove it from the Devices database.

(Further Hints) Be sure, though, that the device really is obsolete. In many cases, when the device does not connect to Devices, there is some network issue that keeps the device from connecting. In a clean installation, no devices should be marked disconnected.

Adding a Gateway

When we look at the list of devices present in the system, we see some which were added by the Install (the PBX and AP) and some that were added by the admin (the phones when they were provisioned). Let us see now how extra gateway devices are added to the system.

The process of provisioning a gateway is quite similar to provisioning a phone. So you would
  • select a provisioning category for the new device
  • create a provisioning code
  • enter the code to the device
As opposed to the phones, however, you first need to access the device's web user interface, as it does not have keys or anything similar that would allow you to type in the code.

In that respect, the provisioning process resembles the Install we have used to set up the first device (the PBX). So the process here is
  • factory reset the device
  • determine its IP address using config.innovaphone.com; note that it takes roughly a minute before the device is shown after a factory reset
  • start the Install
  • define the basic IP properties
  • enter the provisioning code


We can try this out by adding our IP811 to our dvl-ckl2.training.innovaphone.com system. If you like, you can do the factory reset and IP address determination, but you don't have to. moodle was nice enough to set up your IP811 so it is in factory reset state already.

Also, when we start the Install, we want to make sure that it is started in English so that it matches the screen shots in this book and also that it uses moodle's specially crafted app store.

So here is the link to start the Install:
Start Install on IP811
In a real-life scenario, you would just type in the device's IP address of course.

The web page you will see is the same as when you ran the Install for the PBX. However, as you do not want to create a new system, you select the Add the device to an installation mode.

The next page will look familiar to you too. Here you need to define the basic IP settings. As you probably will remember, all values you need here are already correct, so you just don't change anything:
  • IP address is left empty as the device will receive its IP address with DHCP
  • Second DNS server and Second NTP server are left empty as there are no backup servers in the training installation
  • the firmware version (Select the version to update to) is set to 15r1 Training [xxxxxx]. This is a very common situation when adding a device: the firmware that runs on the device is older than the latest-greatest available. In this case, Install will download and install the up-to-date version automatically. However, if you don't want that to happen for whatever reason, you can select the empty entry in the firmware dropdown and Install will leave the firmware as-is. Here in the training, you can choose to go either way - we will update the device firmware for all devices in a later step anyway
The only thing you need to take care of is actually the thing that differs from the initial PBX Install: the field Provisioning code.

We obtain the provisioning code from Devices by
  • switching to the Devices tab
  • clicking + Provision a gateway
  • selecting an appropriate provisioning category (which is hq Gateway here in the training)
  • and defining a pretty name for the new device (which will be shown in the list of devices later on), for example my little IP811
Devices will create the provisioning code and we can cut & paste it to the Install that runs on our IP811.

When we click on Next then, the device will reboot with the updated network settings (well, potentially updated network settings, as discussed, we don't have to change anything here in the training).

When we click on Next then, the Install will show Waiting for provisioning for a short while and then we are done!

When we switch back to Devices, we see that our IP811 has been added to the list of devices.

Domain related Functions

When you are in the Domains tab and a particular domain is selected, a number of functions on that domain are available in the right pane.

Edit

The Edit tab seems to have a pretty obvious function: you can rename the domain and set its password.

However, it will probably be a rare occasion that you change the name of the domain. The Install has asked you for the PBX's Domain name during initial setup. This name (dvl-ckl2.net in your case) was then used in a lot of places and the domain name here in the Devices app is one of them. If you rename it here, you will no longer be able to provision a phone. Therefore, it is advisable to choose your domain name carefully, as it cannot be easily changed later.

You can change the password for the domain. This password is interesting if you are running a system with multiple clients (e.g. a hosted PBX solution). As mentioned earlier, you would set up a separate domain for each of your customers. The domain password would then be used by your customer to log on to your equipment so that they only have access to their own domain.

However, in a single customer installation (and also in this training), you won't need it.

Using your own Provisioning Server


In this and a previous topic (Managing Users), we used so-called provisioning codes to provision devices. Such codes are provided by a service which is run by innovaphone (http://config.innovaphone.com) and is thus not available if your installation has no internet access.

It is possible to run your own instance of this service. In this case, you would configure the URL to your instance in the URL to generate provisioning codes field. However, we will not cover this option in this course, so you should never configure it during the training.

Rental

With v13, innovaphone introduces a rental scheme. The Email address(es) for rental expiration warning, the Rental project name in my.innovaphone and the Invoice reference fields are related to this. However, as rental is not covered in this training, you can leave all of them empty.

Also, the Customer account and Rental tabs are related to them (and should, for the same reason, be left untouched in this course).

Deploy the domain password on all devices

Apart from being used as described above, the domain password is also used as the administrator password for the individual device user interfaces (that is, when you access the device directly with the browser; we will talk about this later in more detail). When the Deploy the domain password on all devices check-mark is set, Devices will change this password. In real life, this is a very good idea indeed (as a device with a non-secure device password is a security breach).

(Further Hints) However, in the training, it would be a problem if a student loses access to myApps for whatever reason and the trainer needs to fix it through the web UI. So never set this check-mark in the training.

Enable automatic provisioning

An interesting case is when you upgrade an existing installation from pre-v13 to v13 or later. In this case, you will already have a number of devices and you need to add all of them to your Devices App. This can be automated and thereby greatly simplified by allowing automatic provisioning. See Automatic provisioning in Concept Provisioning for details.

Of course, here in the training course, we're not upgrading anything, so please keep it un-checked!

Link rental project in the Portal my.innovaphone

This is also related to the rental function and will not be used in this course.

Access Rights

In this tab, you can specify a list of domains that should also have access to the current domain. This is of course again useful in a multi-tenant system only. This way, you can specify a domain whose administrator also can manage some other domains. This might happen in a hosted-PBX scenario where a reseller manages some but not all of the PBXs in the hosting system.

In this training, we will not use it.

Update

This tab allows you to update the firmware and apps on your system.

Defining the Versions to be used



To run firmware and software updates you first need to define which version shall be used. This is done in the Update settings dialogue.

Let's see what it has:
  • first there are 4 URLs
    They are used to fetch the most up-to-date firmware (firmware.json), app (apps.json), IP270 (phoneplatform.json) and DECT handset (software.json) definitions. These are plain files and by default, they are downloaded from a site hosted by innovaphone (store.innovaphone.com/release/download), the so-called AppStore.
    As you already know, moodle has partially set this up differently for you (https://class.innovaphone.com/moodle2/webbuild/store.php/1-0/...)
  • existing definitions and
  • updated definitions, if found in the above mentioned files
When there are updated versions in your AppStore, the dialogue might look a bit scary at first, but it's not that difficult. You can tick the Apply available versions check-mark and click on Apply then.

If there are no newer versions available, the form says no newer versions available.


Applying new Firmware and Software

If you want to update your devices to the latest version as shown, you need to tick the Apply available versions check-mark and hit Apply. This actually does not initiate the firmware update. It just says that the new versions will be used if you do an update! You can also set a name for the new settings which helps you to determine later which version is installed on a particular device.

So far, no firmware or Apps update happened. To apply the versions you selected in the previous step, you need to create an update job.

You can define:
  • The Date and Time when the update shall begin
  • The Major version for the update
    Only devices which already run this major version are affected by the update (but see below)
  • an optional Category. If you select a category here, only devices in this category will be affected
  • an optional Exclude category. If you select a category here, devices in this category will not be affected even though they match the above Category
All devices which are currently connected to Devices (and match the criteria) will be updated at the selected date and time. When a device connects to Devices later on (for example because it has been added to the installation or it is simply turned on), the firmware it runs will be checked and an update will be initiated if it does not match.

In fact, Devices does not do the update itself. Instead, it tells the device to do so. Therefore, the device must have access to the server that has been set for the URLs in the Update settings before. Also, not all the devices will receive this request at the same time. Devices will initiate an update on 20 devices at the same time. Further devices will receive it once another device has completed the update.

Now you can create an update job that updates all of your devices to the latest-greatest version. Be sure to set the time a minute or so in the future, otherwise you may have to wait until tomorrow for the update to happen ;-)

When you unfold the status area you will see how your devices do the update in real-time.

Note that eventually the Devices App will restart. This is because during the update, also the App Platform (more precisely, the App Services running on the App Platform) will be re-started for the update.


Special Updates

There are some flags in an update job that slightly modify the behavior.

  • Devices can also update the boot code at the same time when the Update bootcode check-mark is ticked.
  • Also, Devices can upgrade devices to the latest major version by ticking the Major firmware upgrade check-mark.
  • If you do not want to update the version of the myApps Launcher, you can tick Do not update myApps Launcher software. This way, users are not forced to update their client.
  • If you want to create an update job to update your DECT handsets over the air, you need to enable the Update DECT handsets (IP64,IP65,D81,D83) check-mark.

(Further Hints) Note that a boot code update is recommended only if advised by innovaphone support or in an upgrade article in the wiki. Both are rare cases though.

(Further Hints) Please have a look in our IP-DECT Plus Training topic if you want to know more about over-the-air update of DECT handsets.

Updating an Update Job

To update to a newer firmware and Apps version as before, you can simply create a new update job. When there are multiple update jobs defined for a particular device category, Devices will only apply the newest one. This allows you to keep the history of older update jobs. Keeping older update jobs can be useful if you want to downgrade to a specific firmware build. You can simply rerun an update job by clicking the run again icon.


Keep in mind that before you create the new job, you must update your Update settings as described above (otherwise, the new job will behave like the old one).

To create a new job with the same settings as an existing one (except for the versions used), you can clone the current one by clicking on the little + sign.

However, if you always create new update jobs, over time many obsolete jobs will populate your Update view and this may become confusing. For this reason, when you are cloning a job, the option Delete old update job is available and checked by default. Of course, you can also delete the old ones eventually.

Finally, you can also simply edit an existing job. However, the edited job will retain its existing history and the firmware to be deployed will not be changed (even if you have changed your Update settings before). Therefore, to deploy new firmware, you must create a new job (or clone an old one).

Private Firmware and Apps Sources

As discussed before, the version definitions are fetched from a site hosted by innovaphone, store.innovaphone.com. This of course means that you can not control their contents. As shown, you can select when to upgrade to the latest-greatest version. But you can not select which one this shall be.

However, an administrator can choose to provide his own version of these files and host them on a local web server. They must be reachable both by HTTP and HTTPS. In other words, if you want to provide your own definitions, you also have to provide the binaries.

The content can be created easily:
  • open http://store.innovaphone.com/release/download.htm
  • click on Preselection
  • click on innovaphone/15r1 and firmware/15r1
  • click on Apply selection
  • click on Download package
This will download the complete content you need for your own store server. You would then modify the 4 URLs in the Update settings dialog to have them point to your own server.


Installing and updating myApps

Windows


myApps for Windows needs to be installed initially using the myApps installer (.msi) available in the AppStore (see myApps for Windows in the Software section of store.innovaphone.com). You can either download and execute the msi on the target computer or use your favorite software rollout tool (see MSI Parameters and install options in Concept myApps platform services).

However, myApps for Windows can do automated updates for you. When Devices does a successful firmware update to a PBX device, it will note the firmware build number as well as the AppStore URL in the PBX. Whenever a myApps client connects to the PBX, the up-to-date myApps version will be fetched from the AppStore and installed.

For such updates, trace files called myAppsInstall.txt and myAppsUpdateService-...txt will be written to %windir%\Temp.

iOS and Android

iOS and Android installs and updates are done using their respective App Stores (Apple App Store or Google Play Store).

Client Settings

You can define administrative settings for all myApps clients connected to this PBX. These settings can either be enforced so that the user cannot change them, or alternatively you can set a default setting.

Please note that some settings work only for myApps for Windows, some for all myApps clients. Therefore, please consult the wiki for more information.

NB: if you wonder how to access this information: it is available when you select your PBX in the Devices list and then click on the Admin UI tab. There you navigate to PBX/Config/myApps. We will look into this so-called advanced UI later in the course.

Softphone Registration

Some configuration options can also be collected by the softphone from the same page. In particular, you can configure settings for the Recording app that apply to all softphones.

Backup

Devices can do regular backups for all of your devices. This is done in the Backup tab.

  • will create device backups on a regular basis
  • optionally limited to a device category or for all devices except a certain category
  • which will be sent to an external WebDAV server (more precisely, to a web server which allows the HTTP PUT verb)
  • multiple backups for the same device can be kept
It is recommended to save the backups to a WebDAV server that is not part of the PBX system itself. However, if such a web server is not available, the Backup Files App on the application platform can be used.

For each backup job you created, you will see its state when you click on the little caret (^) on the right of its entry in the list of backups.

Using the Backup Files App for backup


Although it is safer to back up a system outside of the system, an internal backup is better than none ;-)

Therefore, the Files App allows you to store files and hence also backups.

Well, technically, yes. Practically, there is a little problem. As the Files App is a regular App among others, sending a backup to the Files App would also backup the content of the Files App itself to the Files App. Next time you do it, the backup you did the last time would be part of this content and so forth - so your backups would grow dramatically over time.

For this reason, the Install has created two instances of the Files App for you:
  • one for regular use (called Files)
  • one only to put backups on it (called Backup Files)
Now you can exclude the Backup Files instance from your regular backups.

The work flow is quite simple:
  • you start the Backup Files App
  • you create a folder
  • you share it
  • for the share, you specify a user and a password
  • you look up the new folder's URL
  • and you use this (along with the user and password) in your backup job

First add the Backup Files App to your home screen and open it. Here is how to create a folder for your backups in Backup Files:
  • in the Backup Files App, click on the create directory icon on the upper right edge and create a folder called backups
  • tick the little check-mark on the upper right. All items in your current folder are now ticked. Make sure that only your new folder is ticked (which is easy, as you probably only have one ;-))
    (Further Hints) You can also long-click/press on a directory icon to select it
  • click on the Share symbol on the upper right
  • select Share with user and password as access mode
  • enter backups as User and pwd as Password ((Further Hints) please, in real life, choose a better password!)
  • click on Share, the folder is now available via HTTP/WebDAV using the credentials you have set
  • to learn the URL used to access the folder, first click on the folder to open its content and then on the little i (for Info) on the upper right
  • take note of the URL shown. It should be
    https://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/backup-files/root/backups
(Further Hints) You might have observed that the User and Password fields are not mandatory. If you leave both empty, it doesn't mean that you can access the folder without any authentication. Rather, the files will not be easily available via HTTP/WebDAV: you need to specify a per-file unique fileskey as part of the URL. The URL then looks something like
https://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/backup-files/UI/backups/<file>&fileskey=8!7LdfPhWnySfV!a

You can close the Backup Files App now.
Back in Devices, create the appropriate backup job which does a backup of all your devices every day:
  • go back to the Devices App
  • add a new backup job
  • set a Description so that you can easily recall what this backup job does, e.g. backup everything
  • tick all Backup weekdays
  • set the Backup time so that it will be done in 2 minutes from now
  • you may want a full week of daily backups, so set Keep backups to 7
  • you may or may not set a Prefix for the filename, in the training please use everything
  • set the Webserver URL to https://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/backup-files/root/backups/
    (right, this is exactly the URL you obtained when sharing your backup folder in the Backup Files App before)
  • set the Webserver username to backups
  • set the Webserver password to pwd
  • no Category name restriction
  • no Exclude category
  • hit OK

When the time has come, you will see backup progress in Devices and a number of backups appearing in the backups folder in the Backup Files App.
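
Before the first scheduled run, it is worth confirming that the backup target accepts an authenticated HTTP PUT and refuses requests without credentials. The following Python check is an added example, not part of the course material or of innovaphone software; `check_backup_target`, `http_status` and the local stand-in server `FakeShare` are hypothetical names, and the stand-in is constructed so the check can be tried offline.

```python
# Added example: pre-flight check for a WebDAV-style backup target.
# Assumption: the target uses HTTP Basic authentication for the share credentials.
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Direct connections only: a backup target on the local network should not be
# probed through an HTTP proxy picked up from the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def http_status(method, url, auth=None, body=None):
    """Send one request and return the HTTP status code, error codes included."""
    req = urllib.request.Request(url, data=body, method=method)
    if auth is not None:
        token = base64.b64encode(":".join(auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_backup_target(base_url, user, password, probe="preflight-probe.txt"):
    """Return a list of findings; an empty list means the target looks sane."""
    findings = []
    if not base_url.lower().startswith("https://"):
        findings.append("URL is not https")
    url = base_url.rstrip("/") + "/" + probe
    # The backup job needs the HTTP PUT verb to work with the share credentials.
    if http_status("PUT", url, (user, password), b"probe") not in (200, 201, 204):
        findings.append("authenticated PUT rejected")
    # Without credentials the folder must refuse reads as well as writes.
    for method, body in (("GET", None), ("PUT", b"probe")):
        status = http_status(method, url, body=body)
        if status not in (401, 403):
            findings.append(f"unauthenticated {method} returned {status}")
    http_status("DELETE", url, (user, password))  # remove the probe file again
    return findings


class FakeShare(BaseHTTPRequestHandler):
    """Constructed stand-in for a shared folder, so the example runs offline."""
    credentials = "Basic " + base64.b64encode(b"backups:pwd").decode()
    require_auth = True
    files = {}

    def _handle(self):
        # Always drain the request body before answering.
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        if self.require_auth and self.headers.get("Authorization") != self.credentials:
            code = 401
        elif self.command == "PUT":
            self.files[self.path] = body
            code = 201
        elif self.command == "DELETE":
            code = 204 if self.files.pop(self.path, None) is not None else 404
        else:
            code = 200 if self.path in self.files else 404
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="backups"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_PUT = do_DELETE = _handle

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_against_fake_share(require_auth):
    """Start the stand-in on a free local port and run the check against it."""
    handler = type("Share", (FakeShare,), {"require_auth": require_auth, "files": {}})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/root/backups/"
        return check_backup_target(url, "backups", "pwd")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("protected share:", run_against_fake_share(True))
    print("open share:     ", run_against_fake_share(False))
```

Against a real target, call `check_backup_target` with the Webserver URL, username and password you are about to enter in the backup job; the stand-in always reports the plain-HTTP finding because it listens on http://127.0.0.1.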

Backup now

You can also do an immediate backup using the backup now icon.

Restore

Restoring a system is not that trivial. If you run into a situation where you need to do a partial or complete restore, refer to Restore an App Platform in our wiki or contact presales@innovaphone.com for advice.

Delete

You can of course delete a domain.

However, this will also delete all domain related information (such as categories and devices), so it is rarely a good idea to delete a domain.

Device Configuration

Devices can deploy configurations to all the devices which belong to an installation. Various aspects of device configuration can be controlled and different settings can be deployed based on device categories.

A defined configuration will be pushed to the device when
  • it is added to the domain
  • a category is assigned to it
  • a configuration job relevant to it is modified

Creating a new device configuration

To create a device configuration, you select the domain and the Device configuration tab and click on the + Define device configuration button. You then can select the type of configuration you want to add.

The specifics of the available types of configuration jobs are described in the next subchapters. However, all types share the following properties:
  • Description: a free text with no relevance other than reminding you of what the job is intended to do
  • Apply to all devices: if this check-mark is set, the configuration applies to all devices.
  • Categories: a list of provisioning categories (as defined in the Categories tab of Devices - see Device related Functions/Categories above - and assigned to individual devices in the Devices tab), if Apply to all devices is not checked. Configuration jobs are only executed for devices which have at least one of the listed categories assigned. If you are sure that the settings shall be deployed to all devices in your installation, tick the Apply to all devices check-mark. Otherwise, you must select at least one category
Some types have optional properties. They are deployed only when checked. Otherwise, possibly existing current settings for these properties on the device are not modified.

Alarm server

innovaphone devices can send messages reflecting possible issues (so-called events and alarms) to a central service (known as the Events App). The administrator then has the possibility to browse through the messages generated by all these devices in a single place.

In addition to that, log messages reflecting normal operation can be sent to a central service which helps administrators to understand what is going on.

The Alarm server type of device configuration lets you configure the URLs of those two services. The URL for the log messages server is optional.

How to configure


(Further Hints) Install has created a useful device configuration of this type. So let us look at what it has created.
  • in most installations, all devices should send these messages to the same alarm and event service. For this reason, Install has set the Description to Global (indicating that this configuration applies to all devices)
  • it also ticked the Apply to all devices check-mark
  • the Alarm server URL is configured and points to https://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/events/innovaphone-alarms.
    As you might recall, this URL points to the App Platform on your IP411LEFT. This is because one of the Apps installed is the Events App, which provides the service to collect alarm and event messages and it often makes sense to use it
  • also, the Logging URL is configured. As this property is optional, the corresponding check-mark is ticked. The URL is https://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/events/innovaphone-logging. This is a different service provided by the Events App intended to collect log messages. To clear the option, the checkbox has to be ticked and an empty value has to be configured.
Alarm/Event messages as well as Log messages are sent with HTTP(S) to the Events App. The Install has configured the user events with a random password both here in the Alarm server configuration and in the setup of the Events App on your App Platform.
(Further Hints) The Events App handles events/alarms as well as logs. This is why the Install configures URLs to the same App and uses the same credentials for all.

Certificates

The Certificates configuration type allows you to manage the certificate trust list of your devices. You basically have two options:

  • You can specify a URL where certificates (more precisely, the public keys of such certificates) which should be trusted can be downloaded
  • You can upload certificates (again, more precisely, their public keys) to be trusted
In both cases, the file format is PEM (a text file format that can contain one or more public keys).

The Install has configured an instance of such a configuration job in an interesting way.

First it has configured a few URLs which basically point to static content hosted by innovaphone:
  • https://download.innovaphone.com/certificates/ca.pem lets you trust the certificates built-in to all the innovaphone hardware devices (these certificates are known to be derived from innovaphone Device Certification Authority or innovaphone Device Certification Authority 2)

  • https://download.innovaphone.com/certificates/ca-unverified.pem lets you trust the certificates issued from the my.innovaphone portal for IPVAs (see New innovaphone Unverified Device CA for the reasoning why these are treated differently)
Then, a URL has been configured that points to dynamic content:
  • https://download.innovaphone.com/certificates/innovaphone.pem lets you trust the then-current certificate used by the innovaphone sites (known as *.innovaphone.com)
The latter is dynamic content as such officially signed certificates usually expire after a year at the latest and must then be replaced by another one. This is why Devices will re-evaluate those URLs about every 24 hours.

Finally, if you have enabled Let's Encrypt during the Install (which you have in this course), another dynamic URL is configured:
  • https://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/letsencrypt/root.pem lets you trust the certificate issued by the Let's Encrypt service for your device. This certificate is renewed even more frequently, currently every 3 months


Exercise: Trusting all root certificates

Why do we need to trust certificates?

You might ask yourself why we need to maintain a trust list on the devices anyway. After all, your browser doesn't need a trust list to know which web site certificates are good and which are bad.

Well, in fact, the browser also needs and therefore has its own trust list. It just maintains it "under the hood" so that you might not know.

For example, the popular Firefox browser has a list that is hardwired into its source code and chances are that this list gets updated whenever you get a new version of the browser. This is described in the Firefox wiki.

Luckily enough, the current list of certificates trusted by Firefox (again, more precisely, their public keys) is available as a text file in PEM format. This list is called PEM of Root Certificates in Mozilla's Root Store with the Websites (TLS/SSL) Trust Bit Enabled and is available from a Firefox website as https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites.

So let us try the following:
  • open the Certificates configuration job that the Install has created
  • change
    • the Description to Almost Global and
    • untick the Apply to all devices check-mark
    • add all categories except hq Gateway to the list of Categories
  • click on OK
You will now see that the modified configuration is applied to all your phones but not to the PBX (this is due to our changed category settings) nor to the AP (this is because APs currently neither have nor need a trust list).

Now we create an almost-copy of this configuration job specially crafted for the PBX:
  • click on + Define device configuration to create the copy

  • select Certificates as configuration type

  • use FF Trustlist for GWs as Description

  • select hq Gateway as single entry for the Categories list

  • add the entries also present in the original certificate configuration job as Sources for certificates
    • https://download.innovaphone.com/certificates/ca.pem
    • https://download.innovaphone.com/certificates/ca-unverified.pem
    • https://download.innovaphone.com/certificates/innovaphone.pem
    • https://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/letsencrypt/root.pem

  • add the URL of the Firefox trust list file to the Sources for certificates (lucky you, 5 URLs are possible and the Install only uses 4): https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites

  • then click on OK at the end of the page
After a few seconds, as the certificates need to download, the new configuration job is only applied to your gateways. Again, this is due to our category settings.

To see the list of certificates retrieved from the Firefox site:
  • open the new configuration again
You will notice that the SSL certificate trust list (which shows you a snapshot of all the certificates learned by evaluating the above mentioned URLs as well as those added manually) got much longer. This is because all those certificates trusted by the Firefox browser now are included.

Some questions remaining?
You might think: why did we make all this fuss with creating two different configuration jobs for certificates, why not simply add the Firefox list to the original job?

Well, there are two answers to this. First of all, we wanted you to get a little familiar with creating configuration jobs.

And also, you should be aware that the list of trusted certificates is stored - amongst other things - in a special flash segment known as VARS. This has a fixed limited size and this size is larger on gateways compared to phones. In fact, the Firefox list would flood the entire VARS segment on a phone, so we want to avoid this.

Then, you might wonder why the entire list from Firefox is not configured by the Install in the first place. This is because it is usually not needed. There are only a few places where an innovaphone device strictly requires the validity of the certificate presented by a calling client (that is, needs to trust it). This is mainly when clients are registering with the PBX or through the reverse proxy. However, in these cases, the certificates sent by the calling devices are usually issued by innovaphone's device certificate authority (known as innovaphone Device Certification Authority, innovaphone Device Certification Authority 2 and innovaphone Unverified Device CA). These are included in the certificates installed to the trust list by the Install.

It is therefore much more likely that you will use this mechanism one day to deploy the root certificate of a customer driven certificate authority when certificates issued by this CA are installed on all the devices.
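
The sources configured above are PEM bundles whose certificates end up in one trust list, and that list has to fit into the limited VARS segment. The following added example (not part of the innovaphone courseware or firmware) inventories a set of PEM sources offline: it counts the certificates per source, skips duplicates, rejects damaged blocks and compares the total DER size, as a rough estimate, with a budget. The sample bundles, their file names and the 1024-byte budget are constructed assumptions; the real size of VARS is not stated on this page.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def der_is_well_formed(der: bytes) -> bool:
    """Structural check only: one DER SEQUENCE whose length field matches the
    blob size. This does not validate X.509 fields or any signature."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        header, length = 2, first
    else:  # long form: the next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def parse_bundle(text: str):
    """Return (list of DER blobs, number of rejected blocks) for one PEM file."""
    blobs, rejected = [], 0
    for match in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            der = b""
        if der_is_well_formed(der):
            blobs.append(der)
        else:
            rejected += 1
    return blobs, rejected


def audit_sources(sources: dict, budget_bytes: int) -> dict:
    """Merge sources in order, de-duplicate by SHA-256 of the DER bytes."""
    seen, per_source = {}, []
    for name, text in sources.items():
        blobs, rejected = parse_bundle(text)
        new = 0
        for der in blobs:
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint not in seen:
                seen[fingerprint] = len(der)
                new += 1
        per_source.append(dict(source=name, certs=len(blobs), new=new, rejected=rejected))
    total = sum(seen.values())
    return {"per_source": per_source, "unique": len(seen),
            "der_bytes": total, "fits": total <= budget_bytes}


def _placeholder_pem(payload: bytes) -> str:
    """Constructed sample data: filler bytes in a DER SEQUENCE, not a real certificate."""
    if len(payload) < 0x80:
        der = b"\x30" + bytes([len(payload)]) + payload
    else:
        n = (len(payload).bit_length() + 7) // 8
        der = b"\x30" + bytes([0x80 | n]) + len(payload).to_bytes(n, "big") + payload
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for downloaded files; the file names are hypothetical.
SAMPLE_SOURCES = {
    "vendor-ca.pem": _placeholder_pem(b"A" * 100) + _placeholder_pem(b"B" * 200),
    "site.pem": _placeholder_pem(b"C" * 150),
    "browser-roots.pem": (
        _placeholder_pem(b"C" * 150)  # duplicate of the entry in site.pem
        + "".join(_placeholder_pem(bytes([0x10 + i]) * 300) for i in range(5))
        # damaged block: the length field says 5 bytes, only 3 follow
        + "-----BEGIN CERTIFICATE-----\nMAVhYmM=\n-----END CERTIFICATE-----\n"
    ),
}

if __name__ == "__main__":
    # 1024 is an assumed budget for illustration, not the real VARS size.
    print(audit_sources(SAMPLE_SOURCES, budget_bytes=1024))
```

Run against the files actually downloaded from the configured sources, the per-source "new" count shows how many additional roots a large source would add to the devices' trust before the job is deployed.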

Media

innovaphone devices which can terminate voice (a.k.a. media) have a number of settings which influence the way media-data is sent or received.

The Media type of device configuration lets you configure these settings.

How to configure


(Further Hints) Install has created a useful device configuration of this type. So let us look at what it has created.
  • in most installations, all devices which can handle media should use the same media configuration. For this reason, Install has set the Description to Global (indicating that this configuration applies to all devices)

  • it also ticked the Apply to all devices check-mark for this reason.
    Not all devices can handle media (or more precisely, can terminate a media stream). For example, the App Platform currently never works as a media endpoint. However, Devices is smart enough to not apply configurations to devices which do not provide the configuration options. So it will silently not apply this media configuration to an App Platform - even though the Apply to all devices check-mark is ticked

  • the STUN server is set to stun.innovaphone.com.
    This is a public STUN server operated by innovaphone. If the customer runs his own STUN server, or if the customer's SIP- or Internet-provider has one, it is better to use these. However, if they don't or if you don't know, the setting created by the Install will do

  • in contrast, the TURN server is set to hq-dvl-ckl2.training.innovaphone.com. As you will recall, this points to your own PBX.
    The thing you need to understand here is that a TURN server is consuming a substantial amount of both CPU and network traffic resources. It is therefore not an option to use a service operated by innovaphone. Instead, it would be best to use a TURN server that is provided by the customer's SIP-provider or by the customer itself. However, such services rarely exist nowadays. Therefore, the Install has enabled your own TURN server on your PBX and has set the TURN server to this PBX.

    Both the TURN username and the TURN password must match the settings in the TURN server that is used. The Install, when it enabled the TURN server on the PBX, used turn as username and turn.dvl-ckl2.net as password

  • the remaining fields are left empty so that the firmware defaults are used. These should work well in most installations.

    You may want to ask your network administrator though, if layer 3 Quality of service is used in your installation. If so, make sure that the values for TOS priority - RTP data and TOS priority - signaling match with the settings used in your networking gear

  • one of the fields which have been left empty by the Install is TURN extern. While it is indeed not strictly required, it is pretty useful if you intend to provide conferencing for external users (a.k.a. Webaccess). In this case, you can face participants with difficult network setups and in these cases, the TURN extern feature can help a lot. For more details see the topic "Conference infrastructure" in the Plus training

Phone

VoIP phones (such as your IP111/112/222/232) need a number of settings to be able to register with your PBX.

The Phone type of device configuration lets you configure these settings.

How to configure


(Further Hints) Install has created a useful device configuration of this type. So let us look at what it has created.
  • the settings needed to register with a PBX obviously depend on the PBX to register with. For different domains, you will have different PBXs. For this reason, Install has set the Description to dvl-ckl2.net (indicating that this configuration applies to phones registered to your PBX).

    In larger installations, you may have more than one PBX. In this case, phones will need to register with one of those. So, strictly speaking, the settings depend less on the domain, but on the PBX used for registration. Therefore, you could arguably say that hq-dvl-ckl2.training.innovaphone.com would have been an even better choice. However, in this course (and in many installations), there is only one PBX and so it doesn't matter

  • these settings are intended for IP phones only. Therefore, only hq IP Phone is set as category and Apply to all devices is not ticked

  • the Primary gatekeeper is set to the value you noted in your setup.xls as DNS name of this PBX: hq-dvl-ckl2.training.innovaphone.com.

    You may think that you could also use your PBX's IP address here. This would indeed work - as long as you do not want to register with your PBX from remote locations (such as home offices or mobile devices on the Internet). So it is better to use the DNS name, if you have one

  • the Secondary gatekeeper would be the DNS name (or IP address) of a hot standby device for the PBX. However, the Install does not support this configuration and we do not cover it in this course, so it is left empty here

  • the Gatekeeper ID is set to the value you noted in your setup.xls as Domain name: dvl-ckl2.net

  • the Dial tone is the tone users hear when they go off-hook on a phone before they dial the digits and is country specific. Users expect a different dial tone in a PBX compared to the public networks. In most countries, EUROPE-PBX is a good choice for this. For some countries however, there are country specific options (such as for example ITALY-PBX and ITALY-PUBLIC). The Install sets that to EUROPE-PBX but there are situations where you need to change this to accommodate user expectations

  • the Preferred coder defines the voice compression method (a.k.a. codec) which should be used in your installation whenever possible. You don't need to know much about codecs, simply keep in mind that OPUS-WB is best. This is why the Install has configured it this way.

    In some cases, where you must make sure to save on bandwidth, you may consider using OPUS-NB. All other options are only rarely used, for example if you encounter interoperability issues with 3rd party devices

  • the same holds true for Framesize [ms] (20), Exclusive (not ticked), SRTP key exchange (SDES-DTLS) and SRTP cipher (AES128/32). These should be set differently only in very special circumstances when you know what you are doing (or the innovaphone support has advised doing so)

  • the Recording URL is used only if you intend to do voice recording (e.g. in a call center) and is not covered in this course. It would contain the URL of the recording service (which probably would be the Recording App, not installed by Install). Also, as you would normally only select some devices for which recording should be enabled, this property is optional and the Install has not ticked its check-mark

  • there are also some Advanced settings and they are by default hidden with good reason. None of them are ticked in the device config created by Install:

    • Silence compression, Audio only, No DTMF detection and No physical location should be ticked only if you know what you are doing (or the innovaphone support has advised doing so)

    • No transfer on hangup disables the automatic transfer of the two remote parties if you have 2 calls on a phone (one connected and one on hold). This is merely a matter of user expectation, so configure it according to those

    • Protect configuration at phone stops users from modifying the phone configuration directly on the phone

    • Hide complete configuration additionally does not even display the phone configuration on the phone

    • Hide administration configuration at phone only shows user preference related configurations options on the phone, no administration settings
      For more information on configuration hiding, you may want to have a look at Concept Fine grained function hiding. However, this is neither used nor discussed further in this course

Analogue phone/fax

Analog phones do not register themselves with the PBX. Instead, the FXS interfaces used to attach the phone do so. So they need a number of settings to be able to register with your PBX, very similar to the Phone settings we discussed before.

So the Analog phone/fax type of device configuration lets you configure these settings.

How to configure


(Further Hints) Install has created a useful device configuration of this type. So let us look at what it has created.

Watch out! Install has created two configuration settings of this type: dvl-ckl2.net Analog Phone and dvl-ckl2.net Fax Device. Make sure you open the first one.
  • the Description has been set to dvl-ckl2.net Analog Phone for the reason explained earlier for the Phone type of settings
  • the categories used must make sure that only FXS interfaces used for an analog phone are configured. Therefore, the Install has created a category hq Analog Phone and added only this to the Categories. The Apply to all devices check-mark is therefore not checked
  • Primary gatekeeper, Secondary gatekeeper, Gatekeeper ID, Dial tone, Preferred coder, Framesize [ms], Exclusive, SRTP key exchange, SRTP cipher and Recording URL are the same as for the Phone configuration
  • the Fax device check-mark is unique to the Analog phone/fax type of device configuration. It must be ticked for any fax device for it to work properly. If turned on, a special Fax transmission protocol (T.38) is enabled and the feature codes are turned off (as a fax device won't use them anyway and also this disables call waiting on a fax line which would disturb an active fax transmission). It must be un-checked for an analog phone
  • there are only a few Advanced settings: Silence compression, No DTMF detection and No physical location. They are the same as for the Phone configuration
Fax Devices
Fax devices are pretty much similar to analog phones, but there are differences. To accommodate these differences, the Install has created a second device configuration of the same type called dvl-ckl2.net Fax Device. The only differences are
  • the category used is hq Fax Device
  • the Preferred coder is G711 (as only G711 can transport fax information when T.38 is not available at one of the two ends of the fax transmission)
  • the Fax device check-mark is ticked

NTP settings

It should be clear that knowing the correct local time is important for a PBX system. However, apart from displaying it on the phone for the user's benefit, you need to understand that it is also a requirement for virtually all encryption functions to work. Therefore, an innovaphone PBX and all its related devices must have proper NTP settings.

The NTP settings type of device configuration lets you configure those.

NTP settings (the time server and also the time zone) are typically set via DHCP using the respective DHCP options (NTP option number 42 (not joking!) and TZ option number 8). If this is the case in all locations, then the NTP settings configuration is not needed in fact. However, it doesn't hurt as innovaphone devices will prefer DHCP options over locally configured ones. The settings in this configuration will then serve as a default if either NTP or TZ (or both) are not provided via DHCP.

How to configure

(Further Hints) Install has created a useful device configuration of this type. So let us look at what it has created.

  • the configuration is set to be applied to the categories hq App Platform, hq Gateway and hq IP Phone by the Install. This makes sense as all devices must have a valid time server configuration. In fact, an even more straightforward configuration would have been to list no categories at all and tick the Apply to all devices check-mark instead

  • NTP server 1 and NTP server 2 are the DNS names or IP addresses of the primary and secondary time server. The Install has placed here what you had specified as NTP server address when the Install was run.

    (Further Hints) If DHCP is used, this will be the IP address of your local NTP server which was supplied to your PBX via DHCP. In the training it is the IP address of your IP411RIGHT (172.31.31.1) for exactly that reason

    If you want to disregard the setting received from DHCP, then you can tick the Overwrite DHCP check-mark
  • The Timezone string is not set by the Install. This is because it is not asked for during the Install and the default (MES) is suitable in many cases. See Services/NTP for details regarding possible values for the Timezone string
You may ask yourself why the Install did not tick the Apply to all devices check-mark. Instead it explicitly listed a number of categories. This is because even though all devices must have a valid NTP configuration it does not make sense to apply the same configuration to each device. NTP settings are typically location dependent. In other words: you want a different configuration in each location. This is why the Install has selected all the categories related to hq. See Obtaining the current time for innovaphone devices using NTP for more information on how to find a suitable time server.

TLS profile

VoIP systems usually work with full encryption of voice streams and other data. TLS is one of the protocols used for this.

The TLS profile type of device configuration lets you configure these settings.

How to configure

The short answer is: you don't!

This is why the Install has not created such a configuration type at all.

In some more detail: modifying the TLS profile is rarely a good idea. There is a huge number of settings for TLS and modifying is for experts only. innovaphone has therefore created 4 profiles which implement different Security levels: Normal, Fast, High Security and Strict.

Of course, High Security and Strict seem to be good choices. However, as often in life, better things are not for free. In this case, when selecting High Security or Strict, you will impose much higher CPU load on all the devices. Especially on a PBX or on a media-gateway, this will significantly reduce performance so that you can only accommodate far fewer users with a certain type of device.

On the other side, when you run your system with a lot of users (and perhaps already out of spec as far as user numbers are concerned), you may benefit from the fact that Fast security settings result in a notable reduction of CPU usage. For sure though, fast in this case also means less secure.

We recommend always using the Normal settings unless you really know what you are doing (see IP4/General/TLS for some more detail). This is also the default and therefore, the Install has not configured a device configuration of type TLS profile at all.

In any case, if you intend to work with a non-standard profile, you should use it on all devices uniformly. To make sure this happens, you should tick the Apply to all devices check-mark.

DECT handsets

Some parameters can be distributed to DECT handsets (IP64 and IP65 only) over-the-air. We explain this feature in our IP-DECT topic in the Plus Training and our wiki.

(Further Hints) The firmware version of the IP64 and IP65 must be at least 4.3.2.

How to configure

  • Language: You can select the language displayed on the phone's menu.
  • Date format: You can choose how the date is displayed in the phone menu.
  • Voicemail number: You can configure your voicemail number. This allows you to call your voicemail box by pressing and holding 1 on the phone keypad. We recommend that you configure the voicemail prefix followed by the letter N. N is a variable that contains the user's calling party number. This allows each user to call their own voicemail box.