Redundant Provisioning Servers; Syslog Server; Enable The Firewall - Cisco 8800 Series Manual

Cisco IP Phone Configuration
# Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf/spacroot.crt
For specific information, refer to the documentation for an HTTPS server.
The Cisco Client Certificate Root Authority signs each unique certificate. The corresponding root certificate
is made available to service providers for client authentication purposes.

Redundant Provisioning Servers

The provisioning server can be specified as an IP address or as a Fully Qualified Domain Name (FQDN). The
use of an FQDN facilitates the deployment of redundant provisioning servers. When the provisioning server
is identified through an FQDN, the phone attempts to resolve the FQDN to an IP address through DNS. Only
DNS A-records are supported for provisioning; DNS SRV address resolution is not available for provisioning.
The phone continues to process A-records until a server responds. If no server that is associated with the
A-records responds, the phone logs an error to the syslog server.
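
An added example, not from the Cisco guide: a pre-deployment check an administrator can run against a provisioning FQDN. It resolves A records only and, unlike the phone (which stops at the first server that responds), probes every address so that a dead redundant server is visible. The port 443 default, the function names and the example.com sample data are assumptions.

```python
import socket

def resolve_a_records(fqdn):
    """Return the IPv4 addresses (A records) for fqdn, in resolver order."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    ips = []
    for info in infos:
        ip = info[4][0]
        if ip not in ips:          # drop duplicates, keep order
            ips.append(ip)
    return ips

def tcp_probe(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_provisioning_redundancy(fqdn, port=443,
                                  resolve=resolve_a_records, probe=tcp_probe):
    """Probe every A record behind fqdn.

    Returns 'records' as (ip, responded) pairs, 'first_responder' (the first
    address in order that answered, or None) and 'error' (set when no server
    answers, the case in which the phone logs an error to syslog).
    Port 443 is an assumption for an HTTPS provisioning server.
    """
    try:
        ips = resolve(fqdn)
    except OSError as exc:         # socket.gaierror is a subclass of OSError
        return {"records": [], "first_responder": None,
                "error": f"DNS resolution failed for {fqdn}: {exc}"}
    records = [(ip, probe(ip, port)) for ip in ips]
    first = next((ip for ip, ok in records if ok), None)
    error = None
    if first is None:
        error = f"no server behind the A records of {fqdn} responded on port {port}"
    return {"records": records, "first_responder": first, "error": error}

if __name__ == "__main__":
    # Constructed sample data: documentation-range addresses, first server down.
    fake_dns = {"prov.example.com": ["192.0.2.10", "192.0.2.11"]}
    print(check_provisioning_redundancy(
        "prov.example.com",
        resolve=lambda name: fake_dns[name],
        probe=lambda ip, port: ip == "192.0.2.11"))
```

Omit the resolve and probe arguments to run the check against live DNS and real servers.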

Syslog Server

If a syslog server is configured on the phone through use of the <Syslog Server> parameters, the resync and
upgrade operations send messages to the syslog server. A message can be generated at the start of a remote
file request (configuration profile or firmware load), and at the conclusion of the operation (indicating either
success or failure).
The logged messages are configured in the following parameters and are macro-expanded into the actual syslog
messages:
• Log_Request_Msg
• Log_Success_Msg
• Log_Failure_Msg

Enable the Firewall

We have improved phone security by hardening the operating system. Hardening ensures that the phone has
a firewall to protect it from malicious incoming traffic. The firewall tracks the ports for incoming and outgoing
data. It detects incoming traffic from unexpected sources and blocks access. The firewall allows all
outgoing traffic.
The firewall may dynamically unblock normally blocked ports. An outgoing TCP connection or UDP flow
unblocks the port for return and continued traffic. The port is kept unblocked while the flow is alive and
reverts to the blocked state when the flow terminates or ages out.
The legacy setting for IPv6 multicast ping, Voice > System > IPv6 Settings > Broadcast Echo, continues to
work independently of the new firewall settings.
Firewall configuration changes generally don't result in a phone restart. Phone soft restarts generally don't
affect firewall operation.
The firewall is enabled by default. If it is disabled, you can enable it from the phone web page.
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later


This manual is also suitable for: 8851, 8861, 8865
