Tftp Provisioning; Remote Endpoint Control And Nat; Http Provisioning - Cisco 8800 Series Manual

Cisco IP Phone Provisioning

TFTP Provisioning

The phones support TFTP for both provisioning resync and firmware upgrade operations. When devices are
deployed remotely, HTTPS is recommended, but HTTP and TFTP can also be used. This then requires
provisioning file encryption to add security, as it offers greater reliability, given NAT and router protection
mechanisms. TFTP is useful for the in-house preprovisioning of a large number of unprovisioned devices.
The phone is able to obtain a TFTP server IP address directly from the DHCP server through DHCP option
66. If a Profile_Rule is configured with the filepath of that TFTP server, the device downloads its profile from
the TFTP server. The download occurs when the device is connected to a LAN and powered up.
The Profile_Rule provided with the factory default configuration is &PN.cfg, where &PN represents the phone
model name.
For example, for a CP-8841-3PCC, the filename is CP-8841-3PCC.cfg.
For a device with the factory default profile, upon powering up, the device resyncs to this file on the local
TFTP server that DHCP option 66 specifies. The filepath is relative to the TFTP server virtual root directory.

Remote Endpoint Control and NAT

The phone is compatible with network address translation (NAT) to access the Internet through a router. For
enhanced security, the router might attempt to block unauthorized incoming packets by implementing symmetric
NAT, a packet-filtering strategy that severely restricts the packets that are allowed to enter the protected
network from the Internet. For this reason, remote provisioning by using TFTP is not recommended.
VoIP can coexist with NAT only when some form of NAT traversal is provided. Configure Simple Traversal
of UDP through NAT (STUN). This option requires that the user have:
• A dynamic external (public) IP address from your service
• A computer that is running STUN server software
• An edge device with an asymmetric NAT mechanism

HTTP Provisioning

The phone behaves like a browser that requests web pages from a remote Internet site. This provides a reliable
means of reaching the provisioning server, even when a customer router implements symmetric NAT or other
protection mechanisms. HTTP and HTTPS work more reliably than TFTP in remote deployments, especially
when the deployed units are connected behind residential firewalls or NAT-enabled routers. HTTP and HTTPs
are used interchangeably in the following request type descriptions.
Basic HTTP-based provisioning relies on the HTTP GET method to retrieve configuration profiles. Typically,
a configuration file is created for each deployed phone, and these files are stored within an HTTP server
directory. When the server receives the GET request, it simply returns the file that is specified in the GET
request header.
Rather than a static profile, the configuration profile can be generated dynamically by querying a customer
database and producing the profile on-the-fly.
When the phone requests a resynch, it can use the HTTP POST method to request the resync configuration
data. The device can be configured to convey certain status and identification information to the server within
the body of the HTTP POST request. The server uses this information to generate a desired response
configuration profile, or to store the status information for later analysis and tracking.
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
TFTP Provisioning
35