Course13:IT Advanced Pro - Specific characteristics of the IPVA

From innovaphone-wiki

Jump to: navigation, search

What is different compared to a hardware gateway?


Things to watch out for with an IPVA

Now that we know how to create virtual machines so that we can run IPVAs in it, we look at some subtle differences between a PBX running in an IPVA compared to a PBX running on a hardware platform (i.e. a gateway). There are not many, but there are some.

Factory reset

We noted before that an IPVA does not have physical interfaces except for the virtual network adapter. However, it also does not have a reset button. So how can we reset an IPVA to factory defaults?

To understand how that works you need to know that resetting an innovaphone device to factory defaults means to bring its flash memory into the initial state. For an IPVA, the flash memory is emulated using a plain file on the host system. So to reset the IPVA to factory defaults, we must replace this file with the initial file we used when importing the virtual machine.

This file can be found in the IPVA package we downloaded earlier. Look for the hd-flash.vhd file screenshot.png in the ipva-vhd\bin\vhd\Virtual Hard Disks folder.

You then need to copy this file to the file that is used to emulate the IPVAs flash memory. You can find the name and location of this file in the screenshot.png virtual machine's settings for the hard drive on IDE Controller 1, Location 0.

Of course, instead of copying this file, you may also use a fresh and empty file. See section How to create a flash file in Setting up a virtual appliance on Hyper-V (IPVA) for an option to create such a file.


As we said before, the IPVA comes for free.

Well, not exactly. While running an IPVA does not require any licenses indeed, using PBX Port licenses only works on an IPVA, if the same amount of IPVA licenses are available too. Or to put it more simply: running an IPVA is free, but to use a PBX on an IPVA (which requires Port licenses to be able to register users) costs additional IPVA licenses.

You can see that in your current lesson config:
  • your IPVA1 is configured as a PBX
  • your IP111 is registered to the slave
  • a UC license is assigned to user ckl
To see the license usage on the PBX
  • go to the PBX / Config / General tab on the IPVA1
  • scroll down to the Licenses area
  • see in the Local column that screenshot.png 1 IPVA13 license is used (in addition to the Port13 and UC13 license you probably have expected)
For more information on all kinds of licenses, see the link_intern.png licensing guidelines - always good reading.

Built-in certificate

innovaphone's hardware devices have a built-in device specific certificate which is used for example when a TLS connection (e.g. HTTPS) is established from the device. It has the device's serial number as part of it's CN. It is issued by innovaphone Device Certification Authority or innovaphone Device Certification Authority 2 which are trusted certification authorities (CA) run by innovaphone.

An IPVA also has a device certificate, but as the serial number of the IPVA is not known in advance, the certificate is created by the IPVA itself upon startup. As such, it can obviously not be issued by innovaphone's certification authorities. It is therefore said to be self-signed.

While a self-signed certificate will do in many situations, it is of no use when the certificate is used to authenticate towards the other end of a connection. This is because it is not issued by a trusted CA and therefore can not be trusted itself.

A prominent example for such authentication is when a PBX registers to innovaphone's Push service. From v13r2, this is authenticated using the calling devices certificate. So this won't work with a self-signed certificate.

(Further Hints) The self-signed device certificate of an IPVA must be replaced with a trusted device certificate issued by innovaphone's CA.

Obtain a device certificate from innovaphone

The way you obtain a device certificate for your IPVA is through the link_intern.png site. The portal my.innovaphone is available for distributors, resellers and customers with access to the License Manager, RMA Manager, Configurator and other services with a uniform login.

There are only a few steps to obtain your IPVA's device certificate and we'll go through them in a minute. The portal requires a personalized login which you can easily screenshot.png create yourself. Once you have done so, the administrator of your company account would invite you to the company's account (or you create one yourself if you are the first person in your company using the portal). In real life, you always must use a personal account and never share your account with another individual!

However, for simplicity, in this training (and only in this training!) we will all use a single account which belongs to a pseudo company to obtain our device certificate. The account to be used is and the password is innovaphone-training.

(Further Hints) If you already have a personalized account for the portal, please be sure to log out from this account before you proceed!

To obtain the certificate, you a) need to add the MAC address to the my.innovaphone portal and then download the certificate to your device.

Here are the steps to add your IPVA's MAC address to the portal:
  • open link_intern.png Here in the training (and only in the training), please neither use your own account (if you already have one) nor create a new personal account!
  • instead, use the screenshot.png I already have a personal user account option with as E-mail and innovaphone-training as Password. You will be logged in to JOHN DOE'S TRAINING COMPANY
  • switch to the Licenses tab and screenshot.png select the DEFAULT project
  • then switch to the Devices tab and screenshot.png click on Add and Single device
  • enter your IPVA's MAC address (00-03-FF-07-1F-F1 in your case) as Device and proceed with Next
  • there are 3 options now:

    • somebody has already added this serial number to the portal during a previous training. The portal would screenshot.png flag the device as already imported. In this case, never mind, you're fine. Simply Cancel the add process

    • somebody has already added this serial number to the portal for a different company. An IPVA MAC address can not be defined in more than one company and the portal would screenshot.png flag the device as a duplicate. In this case, you can't use this MAC address and you must choose another one (e.g. 00-03-FF-07-1F-E1) in your IPVA1 setup.
      (Further Hints) Please do not modify the 4th and 5th byte of the MAC address in this case (07-1F in your case) as this will likely result in a conflict with a fellow trainee in your course

    • the serial number is unknown yet. The portal would let you screenshot.png add a comment (use IPVA1 as comment) and add with OK
(Further Hints) If you have modified your MAC address, then you must also update your Training Setup Device Definition and re-start the lesson (that is, load the start configuration for the second part of this lesson again, ipva2).

Now that you have added the MAC address to the portal, you can download and install the trusted device certificate to your IPVA.

On the IPVA's General / License tab:
  • click screenshot.png on This will open a dialog which instructs the device (IPVA1) to interact with the my.innovaphone portal
  • screenshot.png enter your personal user account credentials(well, John Doe's in this case: and innovaphone-training) into the form

    (Further Hints) You may or may not save your credentials for later use. You can as well type them in whenever you use this form

  • click on Download certificate to ask the portal for a trusted certificate (if this fails, you have most likely mistype the portal credentials or the MAC address you added to the DEFAULT project)
  • finally switch to the General/Certificates tab and screenshot.png see the new device certificate which has your MAC address in the Subject field and is signed by innovaphone's trusted CA
(Further Hints) If the Download certificate is not available in the dialog you opened above, your IPVA already has downloaded the certificate from before.

What about your own wildcard certificate?

As you have learned in a previous course, it is often necessary to fish-help.png install your own company's wildcard certificate on a PBX (or a reverse proxy).

So does that conflict with the device certificate we download from the my.innovaphone portal in the previous step?

In fact, if you upload your own (wildcard) certificate as Device Certificate in General/Certificates, the trusted certificate we downloaded before will vanish from the list in the Device certificate section and be replaced by the one you upload.

In screenshot.png this example, we uploaded a certificate for from the file all.pem).

However, the previous device certificate is not gone. It is just "shadowed" by the one we uploaded manually. You can see that if you remove the uploaded certificate (using the Clear button): the trusted certificate is still there and screenshot.png shown again. The IPVA will use the proper certificate automatically, depending on the use context. So the two certificates do not conflict.

Btw: the only way to get rid of the downloaded trusted certificate is a factory reset.

Section test

Now is a good time to do the section test in Section test (Specific characteristics of the IPVA).
Personal tools