Using the Voicemail Pro client, the password for the default administration account 'Administrator' must be changed to a 'strong' password of 8 or more characters. Any unused accounts must be deleted.
For Server Edition and Linux Application Server, all authentication is referred to the 'local' IP Office – the default administration account is only used under failure conditions. For Linux Application Server, the local IP Office is a management instance running on the server itself. See User Accounts and Rights of Access for more information.
Using the Voicemail Pro client, configure the password using Preferences > General > Voicemail Password. This password must match the password entered in the IP Office Manager setting Security > System > Unsecured Interfaces > Voicemail Password. The password must be 31-characters.
For new systems, a suitable 31-character password is automatically generated and used on the first connection between the IP Office and Voicemail Pro services.
Existing systems upgraded to IP Office R11.1 FP1 can continue to use their existing shorter password but are forced to a 31-character password on any change.
The IP Office configuration setting System > Voicemail > Voicemail IP Address must not be left at 255.255.255.255, but set to the IP Address of the Voicemail Pro server.
Only users and groups that are entitled to use voicemail should have their mail box activated. All others should be disabled using the Voicemail Pro client disable mailbox feature.
Disabling the mailbox will also disable IMAP, MAPI, email and Web Voicemail integrations for that user
All mailboxes must be protected by a Voicemail Code, except when connecting from trusted extensions (by the use of the User > Source Numbers). The recommended minimum is 4 digits for internal use, 9 when the mailbox can be accessed externally.
The mailbox Voicemail Code policy should be enforced by setting the voicemail Default Telephony Interface to Intuity in the Voicemail Pro client, and minimum PIN Length to 4 or 9 using the IP Office Manager setting System > Voicemail > Voicemail Code Complexity.
Note: If IP Office voicemail TUI is used, the users are not forced to set a new Voicemail Code on initial mailbox access.
To prevent Toll fraud via the outdialing feature, it can be disabled on the IP Office configuration System > Voicemail tab in IP Office Manager. Where outcalling is required, call barring steps must be used, see Preventing Unwanted Calls.
To prevent Toll fraud via call flows, all call flows must have adequate protection against dialing unauthorized numbers. Where external calling is required, call barring steps must be used. See Preventing Unwanted Calls
Where a phone is in an uncontrolled area, the default Trusted Source Number for Voicemail access should be removed, so that all IP Office voicemail access requires entering the Voicemail Code, even from the user's home extension.
Disable all unused services such as SMTP and MAPI.
If the SMTP send feature is used, authentication should be used. TLS is always enforced.
If the IMAP4 server feature is used, TLS should be used.
