Securing Server Edition Servers

Last Updated: Aug 30, 2023

Procedure

  1. Read the information and recommendations in Certificates and Trust to determine the server's certificate and trust requirements before ignition, because certificate options are offered during the initial ignition process.
  2. The ignition process will enforce a change to the Administrator and security passwords. It also updates the fallback accounts for Avaya one-X® Portal for IP Office, Voicemail Pro and Web Control (the local Linux administration web interface).
  3. All security administrator account passwords of all other systems in the Server Edition solution need to be the same. This can be done using IP Office Manager security settings General > General to change individual settings.
  4. All Service User account credentials used for central management of all systems need to be the same. This can be done using IP Office Web Manager Security Manager Service Users | Synchronize Service User and System Password.
  5. Apply a password policy to the Web Control application using IP Office Web Manager menu Platform View > Settings > System Settings > Password Rules settings.
  6. Enable the setting IP Office Web Manager menu Platform View > Settings > System Settings > Authentication > Enable Referred Authentication. This will refer all Web Control logins to the local IP Office. The local Linux Administrator account credentials are only used under failure conditions.
  7. Disable the HTTP backup/restore server using IP Office Web Manager setting Platform View > Settings > System Settings > Enable HTTP file store for backup/restore. An HTTPS backup/restore server is always active for this purpose.
  8. Enable the internal server firewall to apply DoS and DDoS attack filters using IP Office Web Manager setting Platform View > Settings > System Settings > Firewall Settings.
    • Note: The firewall support on Server Edition does not replace the need for an external firewall. For further information see Limiting IP Network Exposure.

  9. Disable any unused insecure TCP or UDP ports using IP Office Web Manager setting Platform View > Settings > System Settings > Firewall Settings. This will apply filtering to all LAN 1 and LAN 2 traffic, regardless of source or destination.
  10. If the ingress ports utilized by all IP Office operations conform to the following table, the setting Platform View > Settings > System Settings > Firewall Settings > Enable Filtering can be activated:

    Protocol  Ports
    TCP       22, 25, 37, 143, 389, 411, 443, 445, 514, 993, 1433, 1434, 1718:1720, 4097, 4560, 5060:5061, 5222, 5269, 5443, 5800:5899, 6514, 7070:7071, 7443, 8005, 8063, 8084, 8087, 8135, 8411, 8444, 8666, 8443, 8805, 9092, 9094, 9095, 9443, 9444, 9888, 32768:65280
    UDP       37, 53, 67, 68, 123, 161, 162, 389, 500, 514, 520, 1024:65535

    For more information on IP Office port/protocol usage, see the relevant IP Office port matrix which can be found at https://support.avaya.com/security.
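    Before activating Enable Filtering, it helps to confirm that nothing the server actually listens on falls outside the table. The following script is an added example, not Avaya's code: it expands the table's port specs (including the a:b ranges) and reports listeners that would be blocked. It assumes the socket inventory was gathered in the style of `ss -tuln` output; the sample shown is constructed.

```python
# Added example, not Avaya code: check a server's listeners against the
# ingress port table above before activating Firewall Settings > Enable Filtering.
# Port lists are copied from the table; "a:b" denotes an inclusive range.
TCP_PORTS = ("22, 25, 37, 143, 389, 411, 443, 445, 514, 993, 1433, 1434, "
             "1718:1720, 4097, 4560, 5060:5061, 5222, 5269, 5443, 5800:5899, "
             "6514, 7070:7071, 7443, 8005, 8063, 8084, 8087, 8135, 8411, 8444, "
             "8666, 8443, 8805, 9092, 9094, 9095, 9443, 9444, 9888, 32768:65280")
UDP_PORTS = "37, 53, 67, 68, 123, 161, 162, 389, 500, 514, 520, 1024:65535"

def parse_ports(spec):
    """Expand a comma-separated port spec with a:b ranges into a set of ints."""
    allowed = set()
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            allowed.update(range(lo, hi + 1))
        elif item:
            allowed.add(int(item))
    return allowed

ALLOWED = {"tcp": parse_ports(TCP_PORTS), "udp": parse_ports(UDP_PORTS)}

def parse_ss(text):
    """Yield (proto, port) for each tcp/udp listener in `ss -tuln` style output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line, or a protocol the table does not cover
        # Local Address:Port may be 0.0.0.0:22, *:22 or [::]:22; port follows the last ':'
        yield fields[0], int(fields[4].rsplit(":", 1)[1])

def nonconforming(listeners):
    """Return sorted (proto, port) pairs that Enable Filtering would block."""
    return sorted({(p, port) for p, port in listeners if port not in ALLOWED[p]})

# Constructed sample inventory (assumption: gathered with `ss -tuln` on the server)
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:443           [::]:*
tcp   LISTEN 0      128    *:8080             *:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, port in nonconforming(parse_ss(SAMPLE_SS)):
        print(f"{proto}/{port} is not in the ingress table; filtering would block it")
```

    Any port the script reports must either be added to the table's allowed set through the vendor's documented process or have its service disabled before filtering is enabled, otherwise that service will silently stop accepting connections.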

  11. If not required, disable the syslog receiver on the Primary server's Platform View > Settings > General tab.
  12. If not required, remove the syslog client on the Secondary and each Expansion System using the IP Office Manager setting System > System Events > Alarms > Syslog.
    • Removing the syslog destination will stop audit trail and security events from being sent to the Primary Server.

  13. If not required, disable the Enhanced Access Security Gateway (EASG) support using the IP Office Web Manager setting Platform View > Settings > General > EASG Settings > Status.
  14. If required, administer a new server identity certificate using IP Office Web Manager:
    1. The new identity certificate should be in a 'p12' or 'pfx' file.
    2. Set Platform View > Settings > General > Certificates > Renew automatically.
    3. Ideally, all certificates used to sign the new identity certificate should be in the same file.
    4. If the signing certificates are in separate files, use Certificates > Add to upload each one.
    5. Set Certificates > Offer ID Certificate Chain active.
    6. Use Certificates > Offer ID Certificate Chain > Set to upload the identity certificate file.
    7. The identity certificate will be automatically propagated to all TLS/HTTPS interfaces of the server; any signing certificates will be placed in the Trusted Certificate Store (TCS). For more information, see Certificates and Trust on page 33.
  15. Follow Securing the IP Office Platform Solution.
    1. If Voicemail Pro is installed, follow Securing Voicemail Pro.
    2. If Avaya one-X® Portal for IP Office is installed, follow Securing Avaya one-X Portal for IP Office.
    3. Any applications not used should be disabled using the Platform View > System > Services > Automatically Start. Note that IP Office and Management Services should never be disabled.
  16. Do not activate the server's Intelligent Platform Management Interface (IPMI) – this effectively grants physical access to the server.