SSL Certificate Requirement
Release 2 of InfinityOne adds the ability to use an InfinityOne client application on a mobile device such as an iPhone. To do so, the InfinityOne server must have a valid SSL certificate installed that is signed by a commercial, publicly trusted certificate authority. (The product documentation says "SSL", for Secure Sockets Layer; the protocol actually negotiated today is its successor, TLS, and the certificate requirements are the same.) Because SSL/TLS protects traffic that crosses the public internet, Apple mandates it for all its application developers, and it is highly recommended for Android application developers. When you purchase an SSL certificate from E-MetroTel, E-MetroTel installs the certificate and configures the public DNS record for the server. If you are installing your own certificate, complete the certificate installation and verify that it is working before installing InfinityOne. Given the variety of external dependencies involved (DNS configuration, certificates and certificate chains), E-MetroTel can only provide billable support for third-party SSL certificate installation. An SSL certificate was not a prerequisite in the initial release of InfinityOne, but it is mandatory from Release 2 onwards if you plan to support the Mobility client interface.
If you have installed the SSL certificate as a prerequisite for using mobile clients on an existing InfinityOne deployment, you must restart the InfinityOne service before the application can use the certificate. An SSL certificate purchased from E-MetroTel includes installation of the certificate on the UCX and configuration of the public DNS record, but does not include restarting the InfinityOne server, because a restart drops InfinityOne calls that are in progress. Notify users before performing this required step.
The hostname of the UCX Server / InfinityOne Server must match the name in the SSL certificate (its Subject Alternative Name, or the Common Name on older certificates) at the time the certificate is installed. Clients compare the hostname they connected to against the names in the certificate and reject the connection when there is no match, so a certificate issued for a different name, or a server reached by IP address, fails validation even if the certificate itself is valid.
Allow Invalid Self-Signed Certificates (Temporary Access without a Signed SSL Certificate)
This procedure allows a temporary bypass of the commercial SSL certificate requirement. It has been added to simplify installation for customer trial and evaluation deployments. However, it reduces the security of the solution: with the bypass enabled the client does not authenticate the server it is talking to, so anyone who can place themselves between the client and the server can impersonate the server and read or alter the traffic. (The connection is still encrypted, but encryption to an unverified peer gives no assurance about who is on the other end.) It should not be used for long-term deployment. Furthermore, newer versions of the Android OS refuse to connect to a server that does not present a trusted certificate, so the bypass does not help on those devices.
Purchasing, configuring and installing an SSL certificate sometimes requires coordination between several groups within a company, and sometimes requires support from third parties when the customer contracts its IT support to a different organization from its telephony support. Since no license is required to implement InfinityOne and use any of the supported clients on a UCX system, including mobile device clients, E-MetroTel has implemented a mechanism for temporarily bypassing SSL certificate authentication.
Note that this setting is not related to the UCX Self-Signed SSL Certificate configuration.
This SSL certificate bypass is controlled by a single setting in the InfinityOne Administration settings, which can only be accessed after the Installation Wizard has been completed and the first-time login of the Admin account has been performed. The setting is described in InfinityOne – SSL Certificate Bypass. It is intended for short-term use only.
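As an added example (not code from E-MetroTel or the InfinityOne product), the following POSIX shell script reproduces, offline, the two checks behind the hostname requirement above and the self-signed caveat in this section, using OpenSSL 1.1.1 or later. It builds a throwaway CA, a server certificate signed by that CA for the placeholder name ucx.example.com, and a self-signed certificate for the same name, then asks OpenSSL the two questions a mobile client asks: does the name in the certificate match the host it connected to, and does the certificate chain to a trusted CA? The hostname, the CA name and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not E-MetroTel code. Assumes OpenSSL 1.1.1 or later on PATH.
# ucx.example.com and "Example Trial CA" are placeholder names.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=ucx.example.com   # hostname configured on the InfinityOne server (placeholder)

# Request/extension settings shared by the certificates built below.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
subjectAltName = DNS:$HOST
EOF

# 1. A stand-in for the commercial CA: self-signed and marked CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
  -extensions ca_ext -subj "/CN=Example Trial CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
CA_CRT="$WORK/ca.crt"

# 2. The server certificate: a CSR for $HOST, signed by the CA, with the name
#    placed in the subjectAltName, which is where clients look for it.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$CA_CRT" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions server_ext \
  -out "$WORK/server.crt" 2>/dev/null
SERVER_CRT="$WORK/server.crt"

# 3. What the bypass setting tolerates: a self-signed certificate for $HOST.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
  -extensions server_ext -subj "/CN=$HOST" \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
SELF_CRT="$WORK/self.crt"

# cert_matches_host CERT NAME: succeeds only if CERT's SAN (or legacy CN)
# covers NAME, the check a client makes against the hostname it connected to.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# chain_is_trusted CERT [CAFILE]: succeeds if CERT chains to CAFILE or, with
# no CAFILE, to the system trust store, which is what a mobile client needs.
chain_is_trusted() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# report LABEL CMD...: print the outcome without aborting under set -e.
report() {
  label=$1; shift
  if "$@"; then echo "yes: $label"; else echo "no:  $label"; fi
}

report "CA-signed cert names $HOST"                   cert_matches_host "$SERVER_CRT" "$HOST"
report "CA-signed cert names other.example.com"       cert_matches_host "$SERVER_CRT" other.example.com
report "CA-signed cert trusted with its CA chain"     chain_is_trusted "$SERVER_CRT" "$CA_CRT"
report "CA-signed cert trusted without its chain"     chain_is_trusted "$SERVER_CRT"
report "self-signed cert trusted by the system store" chain_is_trusted "$SELF_CRT"
```

Only the first and third checks succeed: the name check fails for any host other than the one in the certificate, the CA-signed certificate is trusted only when its chain is available, and the self-signed certificate is trusted by nobody. Run the same two functions against the certificate actually installed on the UCX, with the UCX hostname in place of ucx.example.com and the commercial CA's chain file as the second argument to chain_is_trusted; a "does NOT match" result or a verify error is the condition the mobile clients reject.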
Upgrading from a Previous Release
If you are upgrading from a previous version of InfinityOne, take note of the following:
- In earlier releases the Host Name field in the InfinityOne Installation Wizard defaulted to the host name or IP address used to open the wizard. If that value differs from the name in the commercially signed SSL certificate, or if an IP address was used, you must change the host name on the InfinityOne system: a certificate is issued for a DNS name, so a server reached by IP address or by a different name fails certificate validation. Refer to InfinityOne Release 2 – Changing the Network Parameters.
Administering the InfinityOne Server
When you first install and configure the InfinityOne server, you must use a browser connection to the InfinityOne Administration pages. Once you have activated the InfinityOne server, you use the browser to connect directly to the server for the initial configuration steps, and then have the option of downloading a desktop application to any Windows, Linux, or macOS (Mac) device.
All ongoing management, administration and changes to the InfinityOne Server can be done through an administrator account on either a web browser or the InfinityOne desktop application. The InfinityOne Mobility client does not support administrator-level access.
Enabling Remote Devices to Access the InfinityOne Server
To allow InfinityOne softphones (Desktop, Browser or Mobile) to reach your InfinityOne Server from the public network, configure your router to forward the following ports to the IP address of your InfinityOne Server (192.168.1.200 by default):
Rule Name | Port Number/Port Range | Port Type |
---|---|---|
InfinityOne Site Port (signaling) | 21326 (default *) | TCP |
RTP (media) | 10000 – 13999 | UDP |
* If you use a non-default port for the Site URL Port Number (configured in the InfinityOne Installation Wizard or under InfinityOne Administration/General/Network settings), forward that port instead in the first rule of the table above.
If your InfinityOne Server is behind NAT, you must also enter the public IP address of the UCX Server in the Public IP field on the PBX - PBX Configuration - XSTIM Settings page.
Ensure Mobile Devices can use Push Notifications
Mobile devices rely on push notifications so that InfinityOne can deliver ringing notifications, new mentions and similar events to the client when the app is not active. The push servers used by InfinityOne are located in Canada, so customers outside Canada must ensure that their firewall does not geo-block the push server's address on the basis that it lies outside the country. If such a rule exists, add an exception allowing traffic to and from push-server.emetrotel.org.