Securing Linux Application Server

Last Updated: Jan 21, 2025

About this task

The Linux Application Server runs a 'Management' IP Office instance. A management IP Office is a single installation of selected IP Office features running on Linux with management and maintenance services enabled. All telephony functions are disabled and no licensing is required.

Procedure

  1. Review the information and recommendations in Certificates and Trust to determine the certificate and trust requirements of the server, because options are offered during the initial ignition process.
  2. The ignition process will enforce a change to the Administrator and security passwords. It also updates the fallback accounts for Avaya one-X® Portal for IP Office, Voicemail Pro and Web Control (the local Linux administration web interface).
  3. Apply a password policy to the Web Control application using IP Office Web Manager menu Platform View > Settings > System Settings > Password Rules settings.
  4. Enable the setting IP Office Web Manager menu Platform View > Settings > System Settings > Authentication > Enable Referred Authentication. This will refer all Web Control logins to the local IP Office. The local Linux Administrator account credentials are only used under failure conditions.
  5. Use IP Office Manager to load the security settings of the IP Office Shell Server that co-resides on the Linux Application Server at the same IP address.
  6. Follow Securing the IP Office Platform Solution.
  7. Disable the HTTP backup/restore server using IP Office Web Manager setting Platform View > Settings > System Settings > Enable HTTP file store for backup/restore. An HTTPS backup/restore server is always active for this purpose.
  8. Disable any unused unsecure ports/protocols using Platform View > Settings > System Settings > Firewall Settings. This will apply filtering to all LAN 1 and LAN 2 traffic, regardless of source or destination.
    • The firewall support on the Linux Application Server does not replace the need for an external firewall. For further information, see Limiting IP Network Exposure.

  9. If not required, disable the Enhanced Access Security Gateway (EASG) support using the IP Office Web Manager setting Platform View > Settings > General > EASG Settings > Status.
  10. If required, administer a new server identity certificate on the IP Office Shell Server using the IP Office Manager System > Certificates > Identity Certificate > Set; this identity certificate will be automatically propagated to all TLS/HTTPS interfaces of the server. Alternatively, if the system is a Linux Application Server, the Platform View > General > Certificates > Identity Certificates settings can be used. For more information, see Certificates and Trust.
  11. If required, administer a new server identity certificate on the IP Office Shell Server using the IP Office Manager Certificates > Offer ID Certificate Chain > Set; this identity certificate will be automatically propagated to all TLS/HTTPS interfaces of the server.
  12. If Voicemail Pro is installed, follow the steps for Securing Voicemail Pro.
  13. If Avaya one-X® Portal for IP Office is installed, follow Securing Avaya one-X® Portal for IP Office.
  14. Disable any applications that are not used using the Platform View > System > Services > Automatically Start setting. Note that IP Office and Management Services should never be disabled.
  15. Do not activate the server's Intelligent Platform Management Interface (IPMI) – this effectively grants physical access to the server.
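
Steps 10 and 11 state that a new identity certificate is propagated to all TLS/HTTPS interfaces of the server. The following check is an added example, not part of the Avaya documentation or tooling: it fingerprints the certificate each listener presents and compares it with the expected SHA-256 value. The port list, the host address and the function names are assumptions; substitute the listeners actually enabled on your server.

```python
import hashlib
import socket
import ssl

# Placeholder ports, not taken from the product documentation. Replace with
# the TLS/HTTPS listeners that are enabled on your server.
ASSUMED_TLS_PORTS = [443, 8443]

def fetch_leaf_der(host, port, timeout=5.0):
    """Return the DER-encoded leaf certificate presented by host:port."""
    ctx = ssl.create_default_context()
    # Validation is disabled on purpose: the aim is to read whatever
    # certificate is served (even an untrusted default one) and fingerprint it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit_identity_cert(host, ports, expected_sha256, fetch=fetch_leaf_der):
    """Map each port to 'match', 'mismatch:<sha256>' or 'error:<exception>'."""
    expected = expected_sha256.replace(":", "").lower()
    results = {}
    for port in ports:
        try:
            der = fetch(host, port)
        except OSError as exc:  # includes ssl.SSLError, refusals and timeouts
            results[port] = f"error:{type(exc).__name__}"
            continue
        fp = hashlib.sha256(der).hexdigest()
        results[port] = "match" if fp == expected else f"mismatch:{fp}"
    return results

def all_propagated(results):
    """True only if at least one listener was checked and all of them match."""
    return bool(results) and all(v == "match" for v in results.values())

if __name__ == "__main__":
    # Constructed stand-ins for DER bytes so the demo runs offline; against a
    # real server, drop the fetch= argument to use fetch_leaf_der.
    new, old = b"constructed-new-identity-cert", b"constructed-old-identity-cert"
    fake = lambda host, port: new if port == 443 else old
    expected = hashlib.sha256(new).hexdigest()
    report = audit_identity_cert("192.0.2.10", ASSUMED_TLS_PORTS, expected, fetch=fake)
    print(report, "propagated:", all_propagated(report))
```

A listener reported as mismatch is still serving a previous certificate; one reported as error is closed or not speaking TLS, which is the expected result for services disabled in steps 8 and 14.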