SOLVED - Zero Touch Configuration - Provisioning with HTTP(s) Authentication

Under port management I have the following configuration:

| Service | Insecure port | Secure port |
|---|---|---|
| admin | 80 | 443 |
| UCP | 81 | 4443 |
| HTTP Provisioning | 83 | 1443 |
| RESTful API | 85 | 2443 |
| RESTful Apps | 84 | 3443 |

Under provisioning protocols I have:
FTP disabled
TFTP disabled
HTTP(s) Authentication Both

Under Endpoint Manager template I have the provisioning address as https://username:password@FQDN:1443
On the Sangoma Portal I have the following Zero Touch config:
Redirection Type: IP/FQDN
IP/FQDN Protocol: https://
IP/FQDN address: username:password@FQDN:1443

If I change the https to http and the port to 83, the phones provision. When set to https and port 1443, the phones never pick up a config.

Am I missing something?
Is there a way to debug this? I do not see any error messages on the phones.

Thank you for your support.
Aaron

What firmware do you have on the phones? As HTTPS was only added in the last 2 months to support username and password auth.

Also, in EPM you would not need to define https://username:password@FQDN:1443. Just pick HTTPS for provisioning and it will pick up the username, password and port for you when it builds the file.

The phones are on firmware 2.0.4.31

@tonyclewis Thank you for your help.

I changed the Provisioning Address in EPM to use External & Internal instead of Custom. I had custom so that I could verify the config url was accurate.
However, the phones still do not configure when using HTTPS as the Provisioning Protocol. As soon as I switch to HTTP, the phones pick up their configuration.

Has anyone successfully provisioned phones via HTTPS with authentication enabled?

Thanks again,
Aaron

Hi aaronstan,

As I mentioned before, I have been able to provision phones with HTTPS with authentication, to be more specific: Sangoma & Yealink.

Your setup seems to be properly done, but you did not answer my question:
Is your SSL certificate properly set up? I had mine set up with LetsEncrypt.

I bet your cert is set up for one URL and you’re using a different URL or IP address for your URL in the phone.

As far as I can tell it is set up properly.
I am able to connect to the admin page via port 443 without issue.

When connecting with a web browser using HTTPS over port 1443 I am presented with a login prompt. Entering the https authentication username and password opens up an Apache HTTP Server Test Page.

The URL is consistent on all pages and I am never given an error for certificate mismatch.

Not sure what to tell you. It’s working here and for plenty of others. Is this a real cert or self-signed?

The phone logs from the GUI and apache logs from the PBX should provide clues on what’s happening. You can always open a support ticket as you get free support on Sangoma Phones.

It’s a real cert from GoDaddy.

I feel like it must be a small glitch or typo somewhere but I can not track it down.

What phone logs are you referring to?

Thank you again for your help with this.

I am encountering something similar.
Zero Touch is pointing my phones to an FQDN over HTTPS.
The cert is valid from Comodo for the FQDN.
Phones aren’t being redirected properly.
Had to manually go into the phone and edit the config location.

Having the same problem here…Poll Count increases but no go for ZTP

You would need to look at your Apache logs on your PBX. If the poll count on the portal is increasing, that means it is getting to us and we are forwarding it.

Make sure in the portal you have set up things like the port and correct protocol and any username or password you have set up for phone provisioning on your PBX.
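
Added example (not part of the original thread, and not Sangoma or FreePBX code): one way to triage the PBX's Apache access log as suggested above, separating phones that never arrived from phones that arrived without credentials or with rejected ones. It assumes the provisioning virtual host logs in Apache's combined format; the sample lines, IPs, file names and user name are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IPs, made-up file names and user).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2017:10:01:02 +0000] "GET /cfg-aaaaaaaaaaaa.xml HTTP/1.1" 401 381 "-" "phone-a"
192.0.2.10 - provuser [12/Mar/2017:10:01:02 +0000] "GET /cfg-aaaaaaaaaaaa.xml HTTP/1.1" 200 5120 "-" "phone-a"
192.0.2.11 - - [12/Mar/2017:10:02:10 +0000] "GET /cfg-bbbbbbbbbbbb.xml HTTP/1.1" 401 381 "-" "phone-b"
192.0.2.11 - - [12/Mar/2017:10:03:10 +0000] "GET /cfg-bbbbbbbbbbbb.xml HTTP/1.1" 401 381 "-" "phone-b"
192.0.2.12 - provuser [12/Mar/2017:10:04:00 +0000] "GET /cfg-cccccccccccc.xml HTTP/1.1" 401 381 "-" "phone-c"
192.0.2.13 - provuser [12/Mar/2017:10:05:00 +0000] "GET /cfg-dddddddddddd.xml HTTP/1.1" 404 209 "-" "phone-d"
"""

def classify(log_text, expected_ips=()):
    """Return {client_ip: verdict} for the provisioning vhost's access log."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            seen[m["ip"]].append((int(m["status"]), m["user"]))
    verdicts = {}
    for ip in set(seen) | set(expected_ips):
        hits = seen.get(ip, [])
        statuses = {status for status, _ in hits}
        if not hits:
            # No HTTP request was logged. A failed TLS handshake never
            # reaches the access log, so check the SSL error log, the
            # redirect target, DNS and the firewall.
            verdicts[ip] = "NO_REQUEST"
        elif 200 in statuses:
            verdicts[ip] = "CONFIG_SERVED"
        elif 404 in statuses:
            verdicts[ip] = "FILE_NOT_FOUND"
        elif 401 in statuses and any(user != "-" for _, user in hits):
            verdicts[ip] = "CREDENTIALS_REJECTED"   # user sent, auth failed
        elif 401 in statuses:
            verdicts[ip] = "NO_CREDENTIALS_SENT"    # challenge never answered
        else:
            verdicts[ip] = "OTHER"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG, ["192.0.2.14"]).items()):
        print(ip, verdict)
```

A single 401 followed by a 200 from the same client is the normal Basic-auth challenge and response, which is why a 200 takes precedence over earlier 401 entries.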

I have a bunch of Polycoms which provision perfectly with HTTPS. Now with the Sangoma S700, if I put the credentials in my DHCP option 66 following the same format as in the redirect service, the phone will grab the configuration and register with https.

Also found nothing in the logs. Is there an IP address or port that comes from your redirection servers that I should allow in my primary firewall?

No, the redirect server never touches your PBX. It truly just does an http or https redirect. Phone hits us and we tell it go here for your config. I just tested with https and it works perfectly for me.

Are you sure in the portal you have defined the URL correctly and the port?

yes positive…

Not sure what to tell you then. It’s working here for me and others. You can always open a support ticket and someone can take a look on our side at what our logs show.

Also as mentioned in this thread looking at the logs on your phone in the GUI of your phone might show you something.

All, I set up my PBX (Distro v13) with https redirect from the portal last week and all the EPM settings properly configured. I can and do confirm what @dmanolis79, @bnakash, @aaronstan and originally @vianneyjs are saying about the redirect not working properly and/or consistently. I too initially experienced the same issues of the S500 phone not provisioning over https and while passing the user/password parameters. I did eventually get it to work. However, I cannot truly state what specifically I did to make it so.

However, I do believe there is an issue with the portal, because changes to the configuration do not seem to take effect immediately, or for several minutes or perhaps hours. Which makes me wonder if there’s a website caching issue with the portal, PBX or both. Even now – just before writing this reply – I removed the device from EPM (which was configured for internal desk/extension roaming), deleted the cfg file, factory reset my S500, and on its initial reboot the phone automatically took on the previous extension profile, without prompting for login. And now after another reset, the phone provisions with the extension, but shows unregistered. My S300 seems to do a better job of applying changes. Firmware updates, for example, applied far more easily on the S300 than the S500.

There are plenty of weird things being reported in this community, which in my opinion does not warrant anyone’s experience being dismissed with an “it’s your problem not mine” attitude. Now I am very new to the FreePBX, Sangoma Portal and Phones community, but I’ve been in IT for 18 years and over those years matured in troubleshooting problems. All things considered, @tonyclewis it would be wise to be a little more open-minded to community problems. That’s NOT to say you haven’t been helpful, but maybe a little closed-minded to how the provisioning/devices may actually be working in the real world.

I’d like to add FreePBX/PBXact, Sangoma Phones, Auto-Provisioning to my service offerings. But, I need to know the support being offered comes from a genuine desire to help and most importantly improvement of the product and services.

As the guy who wrote that, I’m 100% certain that there’s no caching from portal to the redirect server.

However, the only way to actually get to the bottom of what your problem is, is to get the system logs. They are not deleted as part of a factory reset. You will also see where it’s getting its provisioning information from.

Things that people forget are:

  • FreePBX PnP Server
  • DHCP Server telling the phone where to connect
  • Incorrect MAC removal in the portal.

But the simplest thing is to just grab the syslog and look in there. If you’re unsure, feel free to send me a PM with the syslog attached, and I’ll tell you where it got its configuration from.

Exactly where is the syslog located? Also, are the Sangoma phones picky with the SSL certificate like the Polycoms are?

In one of the admin menus in the phones web interface.

Well. The certificate needs to be valid. If you consider that picky, then yes 8)