Automatic in-house preprovisioning, Configuration access control, Using https – Linksys BUSINESS SPA922 User Manual

Linksys SPA9x2 Phone Administration Guide

59

Automatic In-House Preprovisioning

Provisioning Basics

Automatic In-House Preprovisioning

Using the web UI and issuing a resync URL is convenient for a customer in the retail deployment
model, but it is not as convenient for preprovisioning a large number of units.

The SPA9x2 supports a more convenient mechanism for in-house preprovisioning. With the
factory default configuration, a SPA9x2 automatically tries to resync to a specific file on a TFTP
server, whose IP address is offered as one of the DHCP-provided parameters. This lets a service
provider connect each new SPA9x2 to a LAN environment configured to preprovision SPAs. Any
new SPA9x2 connected to this LAN automatically resyncs to the local TFTP server, initializing its
internal state in preparation for deployment. Among other parameters, this preprovisioning
step configures the URL of the SPA9x2 provisioning server.

Subsequently, when a new customer signs up for service, the preprovisioned SPA9x2 can be
simply bar-code scanned, to record its MAC address or serial number, before being shipped to
the customer. Upon receiving the unit, the customer connects the unit to the broadband link,
possibly through a router. On power-up the SPA9x2 already knows the server to contact for its
periodic resync update.

Configuration Access Control

Besides configuration parameters that control resync and upgrade behavior, the SPA9x2
provides mechanisms for restricting end-user access to various parameters.

The SPA9x2 firmware provides specific privileges for login to a User account and an Admin
account. The Admin account is designed to give the service provider or VAR configuration
access to the SPA9x2, while the User account is designed to give limited and configurable
control to the end user of the device.

The User and Admin accounts can be independently password protected. The configuration
parameters available to the User account are completely configurable in the SPA, on a
parameter-by-parameter basis. Optionally, user access to the SPA9x2 web UI can be totally
disabled.

The Internet domains accessed by the SPA9x2 for resync, upgrades, and SIP registration for Line
1 can be restricted.

Using HTTPS

The SPA9x2 provides a reliable and secure provisioning strategy based on HTTPS requests from
the SPA9x2 to the provisioning server, using both server and client certificates for
authenticating the client to the server and the server to the client.

To use HTTPS with Linksys SPA9x2 phones, you must generate a Certificate Signing Request
(CSR) and submit it to Linksys. Linksys generates a certificate for installation on the provisioning
server that is accepted by SPA9x2 phones when they seek to establish an HTTPS connection
with the provisioning server.