The process documented in this article can be used in any Lync 2010 or 2013 environment to setup a centralized provisioning server for managing Polycom SIP phones running Polycom Unified Communications Software (UCS).
This article is not intended to replace or accompany any official Polycom documentation. Instead this process alone can be used to deploy a basic provisioning server in a lab or testing environment when evaluating Polycom SIP phones, and much of the guidance contained reflects a non-production scenario. Also note that some of this guidance differs from instructions found in the official Polycom provisioning guides, most importantly the guidance to use a large number of parameters which no longer need to be defined for Lync interoperability as of the introduction of the Lync Base Profile.
Traditionally Lync Optimized devices (e.g. CX600) receive all of their provisioning information and software update packages directly from a Lync server. Although Qualified devices (e.g. VVX400) do also receive a lot of information in-band from the Lync Server, UCS devices contain a variety of configurable parameters available outside of what the Lync Server can provide itself. When looking to provision any of these out-of-band features, like Paging, or when dealing with device firmware updates then it is required to deploy a centralized server to provide this today.
The provisioning server is not a specific product or solution, it is basically just a centrally-accessible file store which contains certain files that the devices are programmed to look for. The phones will look for specific firmware files to perform an upgrade/downgrade and will download and upload configuration data in XML files.
Polycom UCS devices can utilize a variety of different file server platforms to store and manage both firmware packages and configuration files, no additional third-party software is required. In this article a basic FTP server will be used but the phones also support the TFTP, HTTP, and HTTPS protocols.
When a factory-reset device is first powered on it will check for specific DHCP Options that may be defined on the network which would provide a path to the provisioning server. If this information is found then it will connect to that file service, authenticate with a pre-configured username and password, and then look for one of two specific filenames stored in the root directory. First the device will look for a configuration filename matching its MAC address (e.g. 0004f28062d6.cfg) but if that does not exist then it will revert to loading the default master configuration file provided in the UCS distributable package (e.g. 000000000000.cfg). Regardless of which file is downloaded it will contain a defined parameter which tells the device where to locate firmware packages and what (if any) additional configuration files to look for. By default the firmware packages are stored at the root of the directory and each individual phone model is programmed to look for a specific filename unique to each model (e.g. 3111-46157-001.sip.ld). Additionally the device can also upload files to the directory to store device-side settings (e.g. ringtone) as well as diagnostic and call logs.
Configure Provisioning Server
Specifically Microsoft FTP services in Internet Information Server are used in this example, running on Windows Server 2012 on a dedicated host. Any standard FTP service (e.g. FileZilla, WarFTP) can be used. It is not recommended to use an existing Lync Server also as the FTP server, thus the guidance that a separate Windows host be utilized.
Before setting up the file server it is important to understand that the UCS firmware is pre-programmed with a default username and password which is used during authentication to the provisioning server. The default credentials use the same string for both the username and password and are stored in as case-sensitive so if the FTP server uses case-sensitive username and/or password make sure the uppercase and lowercase characters are used correctly. (Traditionally username are not case-sensitive while passwords are, but this may depend on the actual file server product used.)
Username PlcmSpIp Password PlcmSpIp
It can be difficult to discern if some of these characters are an i, L, or a 1. The leading ‘p’ is uppercase, followed by a lowercase ‘L’ ‘c’ ‘m’, then an uppercase ‘s’, lowercase ‘p’, uppercase ‘i’, lowercase ‘p’. The name comes from the string ‘Polycom Soundpoint Ip’.
If using a custom set of user credentials is desired then they can be changed manually on each phone prior to provisioning by accessing the Settings > Advanced > Administration Settings > Network Configuration > Provisioning Server menu.
For this lab environment the Windows Active Directory password policy was customized to disable strong password complexity requirements as the default password does not meet the complexity of the default Windows AD password policy. In a production environment it would not be advisable to alter the password complexity policy simply for this reason, but a different file server platform which is not AD-integrated could be used which may not have this same limitation.
- Create a new Active Directory user account (or a local user account in the event that the FTP Server is running on a standalone Windows server).
To facilitate simple access to the FTP site select a dedicated hostname and configure it for name resolution.
- Select a fully qualified domain name for the FTP server (e.g. ucs.schertz.name) and then create a new DNS Alias (CNAME) record in the proper zone pointing the physical server Host (A) record where the FTP service is installed and listening.
- Using the directions provided in TechNet to Build an FTP Site on IIS add the FTP Server role, as well as any prerequisite IIS Web Service roles in the event that IIS is not currently installed on the desired server.
- Launch Internet Information Services (IIS) Manager (inetmgr.exe) and expand the server object. Right-click Sites and select Add FTP Site.
- Enter a name for the new FTP site (e.g. ucs) and then select or create a local path to place the root directory of the site (e.g. c:\inetpub\ucs).
- On the Bindings and SSL Settings page disable secure sockets layer by selecting No SSL.
- On the Authentication and Information page enable Basic authentication and then select Specified Users in the ‘Allow access to’ drop-down list. Enter the desired user name (e.g. PlcmSpIp) in the field below, and enable both Read and Write permissions.
Because the devices need to be able to upload configuration data as well as download it then both Read and Write permissions are required.
Now that the FTP service has been prepared the root directory needs to be populated. This is a simple process given that every UCS package released by Polycom always includes the entire set of base files needed, so any version of UCS can be used to first populate the directory.
The desired software package can be downloaded from the Polycom Support site, either directly from the support page for a specific phone model, or from the Software Release Matrix page. Depending on the number of different device models which need to be supported multiple packages may be required, but the first package selected is sufficient to instantiate the directory.
As this article is using a Polycom VVX 400 for the examples then the current desired firmware version is 4.1.4.
- From the Polycom support site download the Polycom UC Software 4.1.4 release sig split.zip package. (It is recommended to always download the ‘split’ package, the ‘combined’ packages can be ignored).
- Expand the contents of the software package to the root of the defined FTP directory (e.g. c:\inetpub\ucs).
The package contains a number of directories and files but most of these can be ignored when dealing with Lync integration, including the directories which store sample configuration and localization files as well as the image and audio files. The important files are highlighted in the table below.
Name Description 0000000000.cfg Default Master SIP Configuration File *.sip.ld Firmware files for each unique phone model sip.ver Text file which stores the full version number for this package
- To insure that the phones have the appropriate rights to the directory add the desired user account (e.g. PlcmSpIp) to the root folder’s Access Control List and grant it Modify permissions.
An additional recommendation is to create dedicated directories to store call and diagnostic logs for each phone. By default they would all be written to the root directory which in larger deployments can lead to a lot of files being stored there, making it more difficult to weed through and manage files configuration files.
- Create new folders named calls and logs in the root directory.
- Edit the master configuration file (0000000000.cfg) using Notepad or an XML Text Editor of choice and enter the names of the new directories for the LOG_FILE_DIRECTORY and CALL_LISTS_DIRECTORY parameters.
Notice that the APP_FILE_PATH parameter is set to sip.ld by default. This tells the device to look in the root directory for the firmware files. If desired the firmware files can also be moved into a new subdirectory (e.g. \firmware) and then the proper parameter value would be “firmware/sip.ld”. For the purposes of this article, and for most deployments, the firmware files can be left in the default location.
For proper operation of the phones it is required to provide information about the location of critical network resources automatically to the phones via DHCP. In this example Microsoft DHCP Services are currently configured to hand out IP addresses to any network hosts. These options can be defined at either the server or scope level.
Provisioning Server Location
When receiving a dynamic IP address on the network the phone will by default look for the location of a provisioning server by first checking for the existence of DHCP Option 160. In the event that option 160 is not configured then it will fall back to looking for Option 66.
The preferred option 160 is specific to Polycom UCS devices while the secondary option 66 value is commonly shared with other SIP phones as well. Either option can be used with the UCS phones, thus the configuration of the existing network will typically drive the choice of which to utilize. In a lab or green-field environment where no other hosts are leveraging option 66 then this can be used and is commonly pre-defined as an available option on most DHCP servers. If some other devices are already leveraging option 66 then it may be best to utilize option 160 for these phones.
If planning to use option 160 with a DHCP server that does not already have it defined, like Microsoft Windows DHCP, then the option will first need to be created.
- Using DHCP Manager highlight the network type object (e.g. IPv4) and then select the Set Predefined Options action.
- Click Add to create a new option and then enter a descriptive name (e.g. UCS Boot Server Name). Change the Data Type to String and then enter 160 as the Code value. If desired add a Description and then save the new option.
- Configure the Server Options under the same network scope and then select option 160 UCS Boot Server Name. For the data value use the format of <service type>://<fqdn> (e.g. ftp://ucs.schertz.name).
In the event that option 66 is to be used instead of option 160 then it can be defined in a Microsoft DHCP server by simply configuring the pre-defined option.
- Using DHCP Manager configure the Server Options under an existing IPv4 scope and then enable option 066 Boot Server Host Name. For the data value use the format of <service type>://<fqdn> (e.g. ftp://ucs.schertz.name).
Time Server Location
Providing the location of a time server on the network is critical to operation of the phones, so if DHCP Option 42 is not already defined then it should be added to the same scope.
- In the Server Options for the same scope enable 042 NTP Servers and then enter the IP address of at least one host which provides network time services (e.g. a Windows Active Directory Domain Controller).
Although the time server location will provide the accurate time required to perform authentication and registration processes the device will display the time in GMT by default. To show the correct local time on the phone’s display the standard time offset DHCP parameter can be used.
- In the Server Options for the same scope enable 002 Time Offset and then enter the desired offset in seconds as a hexadecimal value (e.g. 0xffffaba0).
To calculate the correct hexadecimal value the Windows Calculator can be used in Programmer mode. The following example is used for the Central Time Zone which is GMT -6.
- Enable Programmer Mode (Alt+3) and select Dec and Qword. Multiply the number of seconds in one hour (3600) by the desired offset value (make sure to include the negative sign if the time zone is earlier than GMT).
3600 x -6 = -21600
- Select Hex to convert the value to hexadecimal.
FFFF FFFF FFFF ABA0
- Select Dword to convert the string from 64 bits to 32 bits.
- Insert the 0x prefix and remove the space for the final value which should be used as the data in Microsoft DHCP.
Microsoft Vendor Class ID
For the purposes of this article it is assumed that the network is not pre-configured to support the Vendor Class DHCP Option 43 or Option 120 as documented in the article Configuring Lync Server for Phone Edition Devices. This option is leveraged by both UCS devices and Lync Phone Edition devices to download an internal, private certification authority (CA) certificate to establish TLS communications with the Lync Server as well as for supporting PIN Authentication. When option 43 is not defined on the network then the CA certificate must be provided by the provisioning server to support standard NTLM authentication with user credentials, but the Lync Server PIN Authentication feature would not be available.
At this point the example network configuration used for this article is simply using options 2, 42, and 160 as shown below.
Before moving on with additional customization make sure that the FTP server is discoverable, available and the desired user credentials are working correctly.
- Using the Windows Command Prompt use the ftp command to connect to the site using the configured FQDN, username, and password.
The next step is to connect the phone to the network to make sure that the provisioning server is available before customizing any specific behavior on the phones. It is recommended to perform a full factory reset of the device first so that the process in this article can be followed without any problems created by any unknown settings. To reset the phone to factory defaults follow the Factory Reset process at the end of this article. If the phone’s current firmware does not match the version currently stored on the FTP server then the phone will automatically download and install that version after the first time it connects.
- Connect the phone to the network and power it on. Once the startup process completes (and the firmware update process if triggered) and the main menu appears navigate to the Settings > Status > Platform > Configuration menu to check the provisioning server status.
If the configuration was successful then the phone should display the correct Boot Server and BootSrv Type options which were provided via DHCP. Because there are no custom settings yet defined then the Config value is blank. The three default configuration containers (SIP, Web, Local) should display zero parameters configured.
As previously mentioned the phones will not only attempt to pull down settings but also upload any local settings to the provisioning server directory. This allows the phones to backup any device-side settings to the central directory by creating two new files on the directory the first time they connect (if the files do not already exist).
- To illustrate this process navigate to the Settings > Basic > Ring Type menu and select a different ring (e.g. #10 Beeble). Within a few seconds the device should save this change up to the provisioning server. Viewing the FTP service logs should show the device connect to the FTP site and upload a single file.
2013-05-10 16:12:16 192.168.1.100 SCHERTZ\PlcmSpIp 192.168.1.30 21 STOR 0004f28062d6-phone.cfg 226 0 0 c87c3435-b5d5-45ed-9d16-b1b291df24fc /0004f28062d6-phone.cfg
2013-05-10 16:12:46 192.168.1.100 SCHERTZ\PlcmSpIp 192.168.1.30 21 QUIT – 221 0 0 c87c3435-b5d5-45ed-9d16-b1b291df24fc –
- Open the FTP root directory on the server and look for the newly created phone configuration file starting with the MAC address of the device and the suffix -phone. (e.g. 0004f28062d6-phone.cfg).
- Open the file in an XML or Text viewer to view the newly defined configuration parameter in the OVERRIDES section.
<?xml version=”1.0″ encoding=”UTF-8″ standalone=”yes”?>
<!– Application SIP PrairieDog 4.1.4.0296 29-Nov-12 02:40 –>
<!– Created 10-05-2013 11:12 –>
During the initial connection to the FTP server the phone should have also uploaded separate application and boot log files into the defined log directory. (Or at the root of the FTP directory in the event that the CALL_LISTS_DIRECTORY parameter was left undefined). These logs can be used to troubleshoot registration problems or other issues if needed. Be aware that if a separate log directory is defined the phone may initially create these two logs files in the root directory during the first connection, but after pulling down the custom setting will then create new log files in the specified directory. It is safe to delete any orphaned log files in the root directories in this case.
Configuring Global Settings
At this point a basic provisioning server has been established, but nothing has yet been done to facilitate Lync interoperability with the SIP phones. As covered in a previous article the UCS 4.1 software versions provide a Base Profile configuration which can be used to put the device into Lync mode. While this can be set manually on each phone, it is also possible to set this centrally.
The example configuration in this article will show how to centrally provision two phones so that once each is powered on from a factory-reset state they will automatically enable Lync mode, and populate some or all of the user credentials. The Polycom UC Administrator’s Guide covers many of the configurable parameters and can be used as a detailed reference for additional customization.
The general approach is to use a combination of files to provide various settings to the phones in an efficient manner. Any parameters which would be configured on all devices should be defined in a single, shared configuration file (separately from the master configuration file) while device-specific settings would be included in a separate file for each phone. This article will start with using just a single global configuration file and then move on to adding a per-device file to illustrate how either one or both scenarios can be leveraged.
For editing the configuration files it is recommended to use an XML editor as it is easy to make simple formatting mistakes when using a basic text editor which in turn could prevent the phones from importing the data correctly. XML Notepad 2007 from Microsoft is used throughout the examples in this article. (If installing XML Notepad 2007 on Windows Server 2012 make sure to install the .NET Framework 3.5 feature first which includes the prerequisite 2.0 components.)
Master Configuration File
Actual device settings are not defined in the master configuration file, instead this file can be configured to point the phone to additional configuration files which will store the desired settings. The names of these files need to be manually defined in the CONFIG_FILES parameter which supports one or more entries in a comma-separated list.
- In the FTP root directory edit the Master Configuration File (000000000000.cfg) and add the device-specific file mask entry following value to the CONFIG_FILE parameter and save the file.
Shared Configuration File
Now that a shared configuration file has been defined (shared.cfg) the file needs to be created and populated with the desired parameters. Basically any parameter where every phone in the environment needs to receive the same value is a candidate for including in this file. In this example file three things will be addressed that will impact every Polycom UCS phone that is placed on the network.
Most importantly the Base Profile will be set to Lync mode using the following set of parameters. Some of the official Polycom provisioning guides do not cover this base profile approach and instead recommend to include a group of about 30 different parameters for Lync interoperability. All of those settings are pre-programmed into the Lync Base Profile which was introduced in the 4.1.0 release, so there is no longer any need to define all those other settings.
Secondly the root CA certificate is provided to the phone so that it will trust the certificate issued to the Lync Server to allow for secure TLS communications. In the event that the DHCP server is already configured correctly with DHCP Options 43 and 120 then this parameter can be omitted from the configuration file. There is no need to pass a private CA certificate in this manner as UCS will utilize DHCP 43 to locate the Lync Certificate Provisioning service and automatically download the certificate.
sec.TLS.customCaCert.1=”—–BEGIN CERTIFICATE—– MIIDazCCAlOgAwIBAgIQUuNtVsIFbI5GvIJV0CDH3TANBgkqhkiG9w0BAQsFADBI MRQwEgYKC2d5H6ghLGQBGRYEbmFtZTEXMBUGCgmSJomT8ixkARkWB3NjaGVydHox
w6/GfOTi9Ce/qI7u20OpLZpPmp8HPiZhDPe5WkAe+BdhvmYTrOq6mfq24mfgSysS DPH/HAGcv81DVkOwsNMQrO+lggZAfl7t0BuobPdhvA4ELfF+XIejjoJ2XHueGxIR dfgh8erdcgh28or83/2Bv —–END CERTIFICATE—– “
And finally when DHCP Options 43 and 120 are not defined on the network then PIN Authentication is not available. By default the phone displays the PIN Authentication sign-in screen after the Lync base profile is selected, thus it would be ideal to disable the feature on the phone when not available to prevent a poor user experience. So if DCHP Options 43 and 120 are configured then this setting can also be omitted to utilize PIN Authentication. (Currently only the VVX 300 through 600 models support PIN Auth; any of the SoundPoint or SoundStation devices will ignore this parameter.)
- To create the customized shared file simply copy the text in the following box and then paste into a new text file.
<?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
<!–Sample Polycom Shared configuration file for UCS–>
<device device.set=”1” device.baseProfile.set=”1” device.baseProfile=”Lync“/>
<registration reg.1.auth.usePinCredentials=”0” sec.TLS.customCaCert.1=”—PASTE CERTIFICATE HERE—“/>
- Save the text file into the root of the FTP directory (e.g. “c:\inetpub\ucs\shared.cfg”)
To locate the certificate trusted by the environment’s Lync Server follow the directions in the first section entitled Retrieving the CA Certificate Hash in this previous article. Disregard the remainder of that article as it is outdated and applies to older UCS firmware versions (4.0) which pre-date the Lync Base Profile.
- Open the certificate file which was exported and saved in the other article and copy the entire contents of the file to the clipboard, including the BEGIN and END strings.
Then open the shared.cfg file in XML Notepad and then paste the contents of the clipboard directly into the sec.TLS.customCert.1 parameter and save the changes to the file.
The completed configuration file should look similar to the following example.
Note that the names used in the XML tags (e.g. LYNC, device, registration) have no special meaning and are only provided as a way to organize groups of parameters for easy reading. Any name could be used, or if desired all parameters could be defined under the primary Lync tag as the file hierarchy is also not important. The phone will simply read in all defined parameters in the file as long as at least one tag is defined. The device configuration file example in the next section will use this approach to illustrate that either format is acceptable.
At this point the phones have enough information to register to Lync Server and it would be possible to simply enter the SIP address and user credentials for a Lync User directly on the phone itself. Now is a good time to validate that this is functional in the environment before moving on to provisioning any additional account registration information.
- Reboot the phone by either disconnecting the power temporarily or by selecting the Settings > Advanced > Reboot Phone menu option.
After the device completes rebooting it should have picked up the new configuration options in the shared file which will trigger Lync mode then default to the displaying the Sign In menu.
- Using the phone’s keypad or on-screen keyboard enter the SIP Address, Active Directory Domain name, User name, and Password for the desired account. The Domain field can be populated with either the NetBIOS Domain Name (e.g. SCHERTZ) or the DNS Domain Name (e.g. schertz.name). In the User field if the user account’s sAMAccountName and Username are not identical in AD then make sure to use the value that matches the domain name format selected. (For additional details it is suggested to read through the Understanding Active Directory Naming Formats article.)
- Once the credentials are entered select the More button and then select the Sign In button. After a few seconds the phone should report a successful registration to Lync Server.
Depending on the configuration of the Lync user’s Line URI field the Line 1 button will either show the extension, full telephone number, or Display Name of the user account.
- To review the current configuration status on the phone navigate to the Settings > Status > Platform > Configuration menu to check the provisioning server status.
The Config value should show the name of the shared configuration file as well as the number of parameters imported from each source. The 5 parameters configured in the shared.cfg file are reflected in this screenshot.
Configuring Per-Device Settings
Moving on with the automatic provisioning process for the phones there are two options available for providing credentials to the phone instead of having to enter them manually into the device itself. One approach can be used to send the full set of credentials to the device, including the password, for a zero-touch administration scenario by defining per-line registration parameters. In this scenario the credentials cannot be viewed or managed directly on the device so this is typically intended for devices used in common areas or meetings rooms where the associated AD account can be configured with either no password expiry or the central configuration files can be updated with new password by an administrator.
The alternative approach is to pre-populate all but the password field in the phone’s actual Login Credential store. It is not possible to send the password using this approach but the rest of the credentials can be pre-configured. This would provide a near-complete provisioning process in which the end-user is responsible for entering only their password into the phone to complete the registration process, saving them from having to enter the rest of the information on the phone themselves.
In this section two unique device configuration files will be created for two separate phones. The VVX400 that has been used throughout this article will be configured using the scenario where the Login Credentials are pre-populated, except for the password. This would best match an information worker scenario where a user is assigned their own phone. Additionally a SoundPoint IP 331 will be used to illustrate a completely automated registration process which better suits shared or common area scenarios where the user credentials are centrally managed.
Master Configuration File
Just as before the new device files will need to be defined in the master configuration file so that the phone knows to download it. The CONFIG_FILES parameter supports multiple entries in a comma-separated list and special masks are understood by the software so that devices can locate files only intended that that specific device without having to specify the actual device file name for every phone which would simply not scale well beyond a handful of devices.
- In the FTP root directory edit the Master Configuration File (000000000000.cfg) and add the device-specific file mask entry of [MACADDRESS]-lync.cfg value to the existing CONFIG_FILE parameter by using a comma separator.
The string [MACADDRESS] is used in the master configuration file to tell a device to look for a file matching the defined pattern with its MAC address in the name. For example the entry ‘[MACADDRESS]-foo.cfg’ would tell a device with the MAC address of 01-02-03-aa-bb-cc to look specifically for a file named ‘010203aabbcc-foo.cfg’. Although most any name can be chosen the suffixes of -phone and -web are reserved for special files that the phone manages itself. The examples throughout this article will utilize -lync as the suffix for device-specific configuration files.
A suffix is required as the file cannot simply be named with only the MAC address (e.g. 010203aabbcc.cfg) as that filename is reserved for a device-specific master configuration file. That file would need to basically be a duplicate of the generic 000000000000.cfg file but with unique master configuration data specific to a device.
Device Configuration Scenario 1
The following set of parameters will be used for the VVX400 device file and will prep-populate the user’s SIP Address, user name, and domain name. Notice that although the SIP address is stored in a line registration parameter (reg.1.*) the remaining parameters will pre-populate the device’s Login Credentials store (device.logincred.*).
- To create the device file simply copy the text in the following box and then paste into a new text file.
<?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
<!–UCS Device Configuration file for Lync–>
<LYNC reg.1.address=”firstname.lastname@example.org” device.logincred.domain.set=”1” device.logincred.domain=”SCHERTZ” device.logincred.user.set=”1” device.logincred.user=”vvx400“/>
- Save the text file into the root of the FTP directory utilizing the desired device’s MAC address in the name (e.g. “c:\inetpub\ucs\0004f28062d6-lync.cfg”)
- Open the new file in XML Notepad and then replace the example SIP address and credentials with valid information for the desired Lync user account.
- If using the same phone which was manually registered in the previous step then reset the phone to factory defaults again by following the Factory Reset process at the end of this article. This will remove the current user and configuration and then automatically reapply all the settings defined on the FTP server.
Test Registration Scenario 1
- After resetting the phone view the current configuration status on the phone by navigating to the Settings > Status > Platform > Configuration menu.
The Config value will now show the names of both the shared configuration file and the device configuration file for this phone. The number of parameters imported from each file is reported as well.
- Return to the Home Screen on the phone and select More then Sign In.
- The resulting Sign In menu should show the pre-populated user information. Manually enter the password and then select More > Sign In. A successful registration should be reported just as seen in the earlier attempt.
The obvious benefit of this scenario is that the end-user was only required to enter their password which greatly reduces the time and complexity involved in entering a full set of credentials as well as having to understand exactly what to enter in terms of domain names. In the event that the password changes on the AD user account the phone will remain connected to Lync and still be able to register even after rebooting the phone. This is because after the initial registration with user credentials the phone will be issued a client certificate by the Lync Server and then use TLS-DSK for all subsequent authentication attempts. This works even in the absence of DHCP 43/120 options which is only required for PIN Authentication to be used as the initial registration process.
Device Configuration Scenario 2
The following set of parameters will be used for the SoundPoint IP 331 device file to fully provision the entire set of user credentials to a phone and trigger an automatic registration. Using this approach requires that the previously used Login Credential feature of the phone is disabled and the user credentials are stored in the registration parameters for a specific phone line (reg.1.*).
- To create the first device file simply copy the text in the following box and then paste into a new text file.
<?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
<!–UCS Device Configuration file for Lync–>
<LYNC reg.1.auth.useLoginCredentials=”0” reg.1.address=”email@example.com” reg.1.auth.domain=”SCHERTZ” reg.1.auth.userId=”spip331” reg.1.auth.password=”Pass123” />
- Save the text file into the root of the FTP directory utilizing the desired device’s MAC address in the name (e.g. “c:\inetpub\ucs\0004f2a6af1b-lync.cfg”)
- Open the new file in XML Notepad and then replace the example SIP address and credentials with valid information for the desired Lync user account.
- If using the same phone which was manually registered in the previous step then reset the phone to factory defaults again by following the Factory Reset process at the end of this article. This will again remove any existing configuration and then automatically reapply all the settings defined on the FTP server.
Test Registration Scenario 2
Because the full set of credentials have been supplied in the line registration parameters then the phone should have automatically registered successfully after resetting.
- The main screen should show the Lync user’s phone number indicating that the registration is active. To validate this navigate to the Status > Lines > Line Information menu.
- The latest configuration status on the phone can be confirmed by navigating to the Settings > Status > Platform > Configuration menu to verify the provisioning server status.
The SoundPoint IP models do not currently support PIN Authentication so the parameter to disable that feature will not be recognized, resulting in 1 error reported in the shared configuration file.
Managing Firmware Updates
When new firmware versions are published for different Polycom SIP phones the associated package can be downloaded and easily added to the provisioning server’s root directory. Make sure never to simply copy over all the files though as this might overwrite a customized master configuration file and break the integration; only use the firmware files provided in the package.
- Open the software release package and extract only the .sip.ld files copying them into the FTP root directory (or wherever the firmware files are stored on the provisioning server if a custom directory was configured).
As long as the firmware file stored on the server is a different version, newer or older, than what the device currently has installed then it will download and update the firmware automatically at the next reboot.
The following table can be used as a reference for the latest recommended versions of each model phone for Lync interoperability. The uncompressed file size of each firmware image is also provided as a way to help identify which release package an individual file might be from.
Device Firmware File 4.1.0i 4.1.2b 4.1.4 SoundPoint IP 321 2345-12360-001.sip.ld 3,793 KB SoundPoint IP 331 2345-12365-001.sip.ld 3,793 KB SoundPoint IP 335 2345-12375-001.sip.ld 3,793 KB SoundPoint IP 450 2345-12450-001.sip.ld 4,452 KB SoundPoint IP 550 2345-12500-001.sip.ld 3,851 KB SoundPoint IP 560 2345-12560-001.sip.ld 3,851 KB SoundPoint IP 650 2345-12600-001.sip.ld 3,851 KB SoundStation IP 5000 3111-30900-001.sip.ld 4,087 KB SoundStation Duo 3111-19000-001.sip.ld 4,846 KB VVX 300 3111-46135-002.sip.ld 50,159 KB VVX 310 3111-46161-001.sip.ld 50,159 KB VVX 400 3111-46157-002.sip.ld 50,159 KB VVX 410 3111-46162-001.sip.ld 50,159 KB VVX 500 3111-44500-001.sip.ld 58,517 KB VVX 600 3111-44600-001.sip.ld 58,517 KB
All of the devices listed above are currently qualified for both Lync 2010 and 2013 environments when running on at least the firmware versions indicated.
143 thoughts on “Provisioning Polycom SIP Phones”
Great post. Can you please shed some light on the Exchange calendar integration for VVX 600? Right now, I have followed the instructions and modified features,cfg and applications.cfg to include Exchange EWS information but I am not getting the calendar information.
The configuration is no different that what I covered in a previous article. This only works when the user credentials are stored in the phone's Login Credential section and is not available if you are only using PIN Authentication (just like Lync Phone Edition).
Any updates on this Calendar issue? i am using the VVX 600 as well, and am provisioning with a server. I am also storing my NTLM creds in the phone. Error is Status: Exchange Calendar regestration has failed
I'm not sure what the issue is but if you are using the same credentials for Lync and Exchange and storing them in the phone's Login Credentials' menu then it should work using the standard Exchange Web Services URL for your deployment.
Thanks, usefull post & a good walk through.
Had one weird issue though with our DHCP scope and the vvx600…
DHCP was being provided by a non-windows device & I manually crafted and added teh 43/120 options to DHCP. Everything looked good, a CX600 could provision itself correctly from scratch & all the Lync tools correctly validated client sign-in & the DHCP options, however the VVX600 just wouldn't talk to Lync…
If I added a DHCP helper to the phone vlan to point at a Windows server everything worked perfectly. I did some packet captures using a HUB & the only difference between the two DHCP servers was that Windows returned option 43 before 120 in it's ACK reply, whereas the "non-working" DHCP server returned 120 followed by 43 (all in the same packet).
Do you know if the VVX devices are sensitive to the order that they expect the DHCP options to be returned to them?
What DHCP product are you using on the network? All products I've used will provide 43 before 120 so it's possible that the phone is not handling the opposite order correctly.
It was a Mitel phone system (Running a hybrid phone topology at the moment)
Hey Jeff, do you know if you can use the Polycom SoundPoint 650's SideCars in Lync 2010/2013? I'm curious if they can be setup as a Shared Line/Bridge Line for quick call transfering?
Yes, these are supported but the software does not currently support shared or bridged line capabilities. Adding the sidecars will simply provide contact presence, one-button calling, and easy call transfer capabilities with multiple Lync contacts today.
Hi Jeff. This post was very helpful to me while configuring a VVX 310 and Soudpoint IP 321 I purchased for evaluation. I have them both registering to Lync 2013 and able to make calls. The problem is they can't receive calls from PSTN. The Lync diagnostic report shows the response code 488 and the header message "6000, reason="Instant Messaging disabled by policy". Any ideas?
Rick, that is odd. Are the PSTN calls coming through a media gateway or SIP trunking service?
We have a Net UX 2000 gateway with ISDN PRI service to the PSTN.
Update. There appears to be an interaction the Lync encryption setting and our gateway that prevents calls to the Polycom IP phones from completing. I changed the media encryption setting in Lync as suggested here http://lyncdup.com/2012/10/how-to-enable-lync-med… and the PSTN to phone calls started working. This also solves the problem where media bypass didn't work from the gateway to internal phones.
We are having the same 488 issue. Out of interest, did you have to do reboots and stuff after making the changes?
we have some serious issues to get our SL8440s to get up and running with Lync 2010.
After line registration it is possible to perform just one single call.
Afterwards we get the following error:
Registration failed User: "username", Error Code:480 Temporarily not available
CTcpSocket::TlsListenThread: SSL_get_error Error code=5
It seems like Lync is "forgetting" our registration to the system after one successfull call.
Have you ever seen this kind of problem?
We tried various firmware files (4.1.0; 4.2.0; 4.4.0) and always got the same error.
Thank you in advance!
No, I have not seen that before. I suggest contacting SpectraLink for support.
I'm using Lync 2013 and I was able to connect my VVX 500 phones following your guide.
However, today I logged out my phone and tried to log it back in and I started to get that message on the screen:
Line 1: username [SIP] (Not Registered)
*SIP:Server-1:domain.name (Not Registered 0)
How to avoid that?
If you are registering to the same Lync environment that should not happen, I suggest performing a factory reset of the phone and running through the provisioning steps again.
Yes, check your configuration. Somehow the phone now thinks it needs a vanilla SIP (not Lync) config (BroadSoft, FreeSwitch, etc.)
I want to deploy a large number of Polycom SIP Phones in a Lync Environment. Accessing the FTP Server to get the configuration files prooves to be a problem. We cannot use the default FTP user since its a production environment and changing the password policy is not possible. We cannot provide the FTP credentials via DHCP option since they are transmitted in clear text and therefore not secure. Is there another way than to manually enter the FTP Credentials on every phone? (TFTP is also not an option)
There are a couple options here, listed in order of preference: (1) You can boot up the phone initially in a staging environment when they would load an initial on-time configuration that would set the custom provisioning username and password, and then move the phone to the production network which would redirect it to the production provisioning server with the remainder of your settings. (2) Work with a Polycom partner to leverage the Zero-Touch Provisioning (ZTP) service available for the phones. (3) Use HTTPS for provisioning with Mutual TLS leveraging the manufactured-installed client certificate oh the phones. (4) The configuration files can be encrypted using a staging environment to load the encryption keys into the phones, but this is the most complex.
The phone also supports plain-old http. If you do need to authenticate, then you can put a username/password into each phone via Admin TUI. If the phone is challenged at the HTTP server, it will then use those credentials (MD5 encryption I believe).
True, but that require configuring each phone manually to update the credentials which is not ideal for large deployments.
I followed this article and something does not work for me. I am at the point where I created shared.cfg file. I did not enter <registration reg.1.auth.usePinCredentials="0" sec.TLS.customCaCert.1="—PASTE CERTIFICATE HERE—"/> in the file because I have options 43 and 120 configured in the DHCP server.
After hardware reset, it prompts me to login with the phone number and a PIN number. It fails to login. After that I can select to login to Lync and it shows my email. I guess it means it detected my info while I tried to login using number and PIN. After I login with user name and password, I can change my status to DND and it changes it on my PC. It means that I am connected, right? In about a minute or two I receive message that tells me that Lync Sign In failed and it tells me that I have to login again.
Can you help me with this?
If you have DHCP 43/120 defined then you have no need to create any configuration files (at least initially). I suggest using the basic out-of-the-box method with a reset-to-factory-defaults device and make sure that registration works as it should before attempting to setup and configuration files for additional, no registration feature you may want to control.
This is a great post. I have concern that if I have multiple version of Polycom in system. Could I add all UCS version into same FTP server? Can all Polycom phone version register correctly?
Thanks a lot
You can mix versions for different device models if you like but you can only have one file (version) per device.
Mean that the device can choose which file that is right to them for register, am I correct?
And from your post, I understand that some old version of Polycom phone can also register to Lync system too. Is that correct?
Thanks a lot Jeffschertz, you help me out a lot by your post. vote for you
Yes, the full list of Lync qualified devices is listed here: http://technet.microsoft.com/en-us/lync/gg278164….
Hi – Do you know how I might be able to get all Polycom IP phones to reboot at the same time remotely to pick up a new .cfg?
I am finding it impossible to find this information (assuming it's possible), and just wondered if there was some way to do this system wide?
There are a few methods available or doing this. You could create a custom script and leverage the SIP NOTIFY message to trigger a reboot of the phone. Or you can use the 'prov.update' parameter in a centralized configuration to schedule update checks every 24 hours (e.g. some time in the middle of the night).
From Polycom Admin Guide:
0 or 1 0
If set to 1, always reboot when a NOTIFY message is received from the server with event equal to
If set to 0, only reboot if any of the files listed in <MAC-address>.cfg have changed on the FTP server
when a NOTIFY message is received from the server with event equal to check-sync.
Please help me out this problem. I can use CX600 connect and sign in to Lync 2013 normally, make call from phone to PC and vice versa. However, I cannot register with VVX500 and IP560, sign in by PIN and user credential to Lync 2013, eventhough I done all steps as you refer.
I really confuse about those Polycom phone. And I think that is really unfair for customers, because I read a lot of post I see that so much customers stuck in those Polycom like VVX500, IP 560…without any solutions
Thanks for your help a lot
I suggest that you contact your official support channel which will be glad to assist in getting the phones registered. The qualified devices do not operate 100% identically to the Optimized (LPE) devices so although one works on your network it does not mean that both will. There are a few unique requirements to each platform.
Great article as always. I wonder if there are plans to USB tether the VVX phones like we can with the Aries phones? I had an indication from one of the UK based Lync MVPs (at Polycom) that this was being worked on.
Also, is it possible to sign into Lync remotely using the VVX phones? The Aries phones can do it by signing in while tethered to a PC. It just gets the public Edge certificate. I am guessing that this might be tricky as well because the phone wouldn't have had any base config first and it won't have a DHCP server pointing to any of the options.
Yes, the upcoming UCS 5.0 firmware release will add the first set of ‘Better Together’ capabilities to the VVX handsets, as demonstrated in this video. Also external registration has already been supported for over a year on the VVX phones and doesn’t require any unique DHCP settings or anything different from Lync Phone Edition devices.
could you point me to an article using the VVX 600 externally. It works in my office but cannot get it to work when plugged into my home network. The CX600 phone that I have works fine internally and externally. Any ideas?
The configuration is no different. Most likely your Lync server certificate configuration is causing this issue. You may be using an untrusted certificate on the external Edge interface in which the phone cannot automatically download and trust when connecting from the Internet. When connected internally a few mechanisms are leveraged by the phone to locate and down the certificate chain used on the internal Lync servers.
Thanks Jeff. You're a star! I don't suppose you know when UCS 5 will be out?
we provisioned Spectralink 8440 Handset with Lync 2013. The Handset contains the newest firmware. Updates to the Handset works great. IM/Presence work fine. External calls work but with a delay of 20-25sec. On internal calls there is no signaling on the handsets. All other Phones (Polycom CX500/600) works fine.
The Handset doesn´t ring when there is a incoming call.
The log of Lync 2013 shows a SIP 488 "not accetable here" during invite to the handset. To the other devices not.
Any ideas ?
Thanks for help.
Ralf, I have not used the latest firmware since SpectraLink became their own company so I'm not familiar with any changes or issues in the latest releases.
I stumbled onto your page via the almighty Google. What I was looking for was hinted at by you in regards to using a /firmware directory.
This blog post is an excellent writeup and has a very clean and easy to follow information flow. Nice work!
I would like my phones to FTP to the provisioning server and immediately be told to use another directory for firmware, logs and calls. When I configure the sip.ld with a specific path there is no problem getting the new application, logs go where I tell them and calls (lists) go where I tell them. There is only one hitch.
Polycom phones (in this test I am using SPIP335's) BootROM updates appear to only search the FTP root for their specific 2345-12375-002.bootrom.ld or the base bootrom.ld files. Logs initially upload to the root of the FTP as well.
I have read the 601 page admin guide – which seems to be not so detailed as the 601 pages would have one believe! For example, it sure would be nice to understand those log files fully… first entry appears to be time, but that "Admin" guide never really covers that! I have also read several other tech papers from Polycom, but I am at a loss as to properly doing what you hinted at. I know this is 5 months old, but maybe just maybe you can point me in the right direction?
If you are referring to the one-time upgrade of the BootROM when moving from 3.x to 4.x firmware then this may be correct; I've not tested that process using a firmware files subdirectory. Best practice is to leave all sip.ld files in the root directory as in most cases there is really no reason to subdivide these files into a separate directory.
hi guys does anybody knows how to fix the sync issue between lync favorites to the home screen on polycom vvx 310 ?
basicly when you put a user on the favorites it should be showing on ur home screen on polycom vvx310 but it does only work if you sign in and sign out . how could i change this to when i do someting on lync it will sync auto with the phones ?
Are you using the Unified Contact Store with Exchange 2013 in your Lync 2013 environment? If so you need to trigger a re-registration of the phone to Lync to pick up changes to contacts which are actually stored in Exchange instead of Lync directly.
Is there a way to change the default username and password for the VVX line of phones (the username/password you use to access the web interface of the phone)?
You can change the passwords for the default user and admin accounts, but not the account names themselves.
Jeff, Is this article still valid for the latest firmware?
is this configuration support polycom soundpoint 650
Yes, as long as 4.1.x software or newer is used on the device then all of these settings are applicable.
polycom soundpoint ip 650 can't sign in lync " url call is disabled " but it was configured and see ftp server and has ip from dhcp
We have Lync 2013 Environment. How do you update firmware for phones that require different firmware? For example, we want to use VVX500 phones for users and IP 5000 phones for Conference Rooms. VVX phones need 5.xx firmware to work with Lync server. IP 5000 phones need 4.1xx firmware.
Do I need two different ftp servers, or is there a way to do it on one server?
Eric, you can mix and match the different firmware files for each phone to use the version you want for each model. Take a look at the UCS Administrators Guide for a list of the model #s and their associated *.sip.ld firmware files. ANother approach might be to use the Lync Server to manage the VVX phones and then only populate the SSIP 5000 firmware on the provisioning server.
Thank you for your reply. I opened http://plcmtechnet.com/documents/en/voice/ucs/5-0… and I cannot find a list of model numbers and their associated *.sip.ld firmware files. Can you point me to the right direction?
Just making sure that all I have to do it upload V5.x firmware files for VVX phones on ftp server and add associated *.sip.ld firmware file for IP 5000 phone. Is this correct?
There is a list about a third of the way down in this article: http://blog.schertz.name/2012/10/updating-polycom…
Got it. Thank you for your help.
One more question. After I updated phones to v5.x, I tried to use Lync server to update phones with newest 5.02. Unfortunately, phones lose options that I added in custom.cfg file. For example, one of the options that I enabled was BToE. When new firmware comes from Lync update, BToE is not enabled anymore. It looks like it resets it to default values.
Any way around?
Some of the BToE parameters and their default where changed in that release, so I would recommend wiping the configuration on the phone and updating your custom config with only the needed settings.
I downloaded 5.0.2 for VVX split. After that, I downloaded 4.1.0 Rev I for IP 5000.
I deleted all files except 00000000.cfg and custom.cfg files from ucs folder. Extracted files for 5.0.2 firmware and copied them into the ucs folder. After that I extracted 4.1.0 firmware and copied 3111-30900-001.sip.ld file into the ucs folder.
VVX phones work without any problems. IP 5000 phone gives message "Image is not compatible" and rebooting without stopping. Not sure how to break rebooting.
Greetings, Jeff! I am running into problems with a SoundPoint IP 450 and Lync 2013. I am attempting to use the base Lync option on the phone and have DHCP options 4 (time), 6 (DNS), 15 (DN), 42 (NTP), 43 (MSUCClient), 119 (DNS Search) and 120 (UCSipServer) configured on the DHCP server.
I have successfully tested the DHCP options using the test-CsPhoneBootstrap option from a machine on the same subnet as the phone and I am able to get a Polycom VVX 500 working using all the same parameters. However, the recalcitrant 450 continually fails to download the internal Root CA certificate. With the sip logging turned up to debug, it appears that the phone is not getting the 43 options from the DHCP server. The log entry
"CreateFailOverProxyList : 'Auto Discovery' 0 DHCP servers recieved"
is immediately followed by DNS SRV record lookups (the appropriate SRV records are in place). Then the phone methodically trys to register with each of the seven IP addresses that are returned. After the first attempt fails due to the untrusted certificate, the phone attempts to download the server root certificate, but fails:
"MakeTlsConnection: Fetching server root certificate"
"CTrans::TCPFail workingServer 1 -> 2 0x94e85010"
SoundPoint IP 450
Assembly: 2345-12450-001 Rev:E
3 Enterprise Front-End servers
2 Back-End servers
2 Edge servers
2 Office Web Apps servers
1 Reverse Proxy server
1 Edge hardware load-balancer (KEMP)
1 Internal hardware load-balancer (KEMP)
DNS/DHCP on 2 Active Directory servers
I am sort of baffled as to what to try next. Can you point me in the right direction?
Hope you can shed some light on an issue I've been running into. I've deployed a Polycom IP Soundstation 650 series phone for a user of mine. The phone is registered to Lync 2013, inbound/outbound calling works and inbound calls that are transferred to another Lync user works. The only calling scenario that fails is dialing a Lync user directly from the phone. At first i noticed the 4 digit extension was not normalizing via the Lync dial plan to e.164 which I was able to resolve.
So now when I dial the user, the phone rings once and then disconnects and the called user receives a missed call notification. Lync logging does not show the call at all, but it does show the Unified messaging transfer. The strange thing is that after the call is placed, the phone displays +15134449999 and then changes to the called users SIP URI firstname.lastname@example.org and then fails.
Have you ever run into this before? sorry for the long comment 🙂
If your Dial Plan normalization patterns include any (Polycom) unsupported characters this can prevent the phone from handling the call correctly. Take a look at this forum discussion: http://community.polycom.com/t5/VoIP/Trouble-with…
Thanks for the reply Jeff.
The numbers seem to normalize correctly (lync dial plans being used are very standard).
the e.164 normalization on the phone changes to SIP URI on the phone display when the number is dialed and then fails. It almost seems like the phone is not able to dial by SIP URI.
This is a really helpful blog. Thanks a lot for the good work.
Here's my issue.
We're on Lync 2013. Basically we're using 3 hard phones models.
Initially we had to buy SP331 but in our environment, it's not practical to use SP 331 due to password expiration, etc. Basically we wanted PIN authentication. So we went for VVX300 with firmware version 5.0.1
it works well. We have only one centralized provisioning server. Now they're released new firmware versions for VVX300 and SP331. I want to update both phone models via same ftp server. but configuration files are different. How can I do this? what'd be the configurations? How it identifies the phone model?
Also now we can update VVX300 phones via Lync server 2013. that's only the firmware. how i can update the config file? what's the purpose of DHCP option 66 and 160? which one used for firmware update and which one for config update?
Hope to have a complete explanation from you.
Thank you very much.
The approach here would be to only place the SPIP firmware (.sip.ld) files on the provisioning server and then upload the VVX CAB files to the Lync Server. If the VVX phones do not see their firmware files stored on the provisioning server they still use it for configuration data just fine. you don't want to place firmware files in BOTH locations for the VVX phones, just one or the other.
Another question. Is there any plan to update SP331 with PIN authentication? That'd be really helpful.
Well, good news and bad news here: the latest 4.1.1 release for SPIP phones is now available which includes PIN Authentication (which VVX has had for a while now). But unfortunately the SPIP 3xx models do not have the processing power to support PIN authentication, so it is only available on the SPIP 450 models and up, as well as also on the SSIP 5000/Duo phones.
Can you also please provide how to configure the DHCP options on a cisco switch
You can find those directions on Elan's blog: http://www.shudnow.net/2011/05/02/configuring-lyn…
Hello Jeff, Great post. We have recently purchased the CX600 and are planning on rolling it out throughout the business. We use MS Lync and can connect via USB easily. What we now need to do is provision each phone for an additional SIP client. Do you know if this is possible. We know there is no web interface but are hoping there is another way.
I'm not sure what you are asking. If you mean an additional user, this is not possible in LPE as only a single Lync user can be signed in at any given time. If you are talking about a different SIP platform, this is also not possible as LPE devices only support Lync and not any other SIP telephony platforms.
[…] was following Polycom’s instructions and Jeff Schertz’s post on configuring an FTP Provisioning server for the Polycom VVX range. In large deployments, when you […]
Is there a way to edit the master file to not roll back firmware versions, the scenario I have is we want to use the provisioning server to download UCS5.x.x.x from 4.x.x and an configuration file for customisations for new shipping devices, after this we want Lync server to handle the firmware updates and leave the provisioning server for updating their config files. The issue I have is when Lync server updates the firmware, the provisioning server detects the latest version is different and rolls it back
Adam, you can't use both firmware update processes at the same time like that, otherwise you'll have an upgrade/downgrade loop like you are seeing.
Great information! Currently working with a hosted provider to get their Lync server to work with our IP 550s. We are part of the way there, but no Lync client inter-operability.
Can you advise if using Lync 2013, CRM 2013 if the IP 550s should be able to dial the phone when clicking on a phone number link in CRM? It works with a CX600, but we have yet to get any Lync functionality with the 550s.
No, there is no ‘better together’ tethering support for SoundPoint IP phones with Lync.
Jeff, Great post.
Do you know if BLF (Busy Lamp Field) works with Lync? or is there an equivalent for the same.
How about Paging/PTT? I am trying to see if we can replace the existing Intercom functionality with Paging/PTT.
BLF scenarios are covered in Lync by simply watching others user’s presence. Paging is built into the VVX phones by default and can be enabled from the admin menu.
We were hoping to enable paging on our new S4B deployment using VVX 410 phones. Well it works, but there is a big problem in that it changes the S4B user status (presence) of every user currently logged into one of the phones to ‘In a Call’ during the page, then ‘Available’ after the page is complete, regardless of what their previous status was – totally wiping out everyone’s ‘REAL’ status.
Since the advanced status information that S4B provides was one of the major selling points for us, this is a no-go. Very disappointing.
(tested up to UC firmware 126.96.36.19941)
How to collect the diagnostic log from Polycom IP 650? Thanks
The phone will upload its logs to the provisioning server using its MAC address as the file name.
You could also use the multikey
Up, Down, Left, and Right arrow keys
Thanks for being so precise in your post, Very much appreciated.
I have 120 New in Box Polycom CX600 Link phones. I am not using a Link Server and would like to use them as traditional SIP phones and connect them to Phones.com using my SIP credentials for my company.
Can this be done? And is there a straightforward procedure for doing so?
Any and all help will be greatly appreciated.
This cannot be done. These devices are Lync clients only and cannot register to any other telephony platform. The VVX phones would work in that scenario though (Lync or other SIP platforms).
any idea why the Polycom VVX 300 might not pick up DHCP option 160?
This is what I currently have configured under DHCP options:
002 Time Offset
004 Time server
006 DNS server
042 NTP server
160 UCS Boot Server name.
I have configured option 160 just as you have described (ftp://vvx.domain.name) but the phone does not seem to read option 160. When I check the phone option Basic -> Platform -> Configuration I see https://user:email@example.com (which is the default setting)
When I check Settings -> Advanced -> Network configuration -> Provisioning Server I see that the server address is empty.
I then check the TCP/IP parameters and see that it DOES read the DHCP settings because the time zone is set to GMT+1 as I have specified, and it does get an IP address from the DHCP server.
However, when I configure the same server name under DHCP option 66 it works instantly.
But unfortunately we cannot use DHCP option 66 in our Production network because this is already in use for other purposes.
I forgot to mention, the firmware I am running on the VVX 300 is Polycom_UC_Software_5_2_0_release
Another update, provisioning via DHCP option 160 does work for a VVX 600 phone running the same firmware version.
It should work the same on any VVX model as the firmware codebase is identical between all of them. I suggest opening a support ticket to troubleshoot this further.
Option 160 wasn’t working for us at all, found a single mention in a Polycom article that if the VVX is delivered with the Lync profile you need Option 161. Have set this up as well and it worked immediately.
In Windows server the IIS supports, secure FTP (FTPS or FTP over TLS/SSL) does VVX phones works with these protocols ?
I have not tested those protocols using IIS (have with other platforms) so unsure.
Hi, I have set up my provisioning server and am trying to configure different ringtones on Polycom VVX500 phone. I have got so far as seeing that the phone may need to know “Alert-info”. I cant seem to see this is in SIP invite message. I found online that others have used the values of “internal, external and directory”.
Has anyone done this before?? Below is my config:
[…]  Provisioning Polycom SIP Phones http://blog.schertz.name/2013/05/provisioning-polycom-sip-phones/ […]
I’ve been following your blog for a while and its really an excellent source for solutions.
I have been deploying hundreds of VVX500 phones in our lync 2013 environment and we are constantly plagued with the problem of intermittent logouts. We are using UC5.1.1. Do you face this issue?
Also, we are using the CommonAreaPhone profile on the lync for the phones. Is there a way where i can input the extension id and pin into the configuration file so that the phone will auto login when it powers up?
Thanks in advance!
I would upgrade some phones to the more recent 5.2 release to see if that resolves the de-registration issues. Also 5.3 is right around the corner and offers further improvements.
To pass the Phone Number and PIN to the phones via the provisioning server XML configuration files you can use a combination of the following parameters, based on if you just want to set the PIN and still allow NTLM to be used on the phone by other users, or if you want to force PIN auth only:
I tried this on 5.2 and 5.3 and I can not get this feature to work. The phone boots and shows the name of the person allocated to the line, but shows as unregistered. Logging into the phone manually via ext and pin works.
Hi, I had the same issue as well and finally found it is caused by the settings about provisioning polling:
prov.polling.enable = 1
prov.polling.mode = random
after I disable the prov.polling = 0 the phones will not reboot again during the midnight.
As per the Polycom UC Software Version 5.4.0 Administration Guide saying:
Note: Only provision files when polling
If prov.startupCheck.enabled=’0’ then Polycom phones do not look for the sip.ld or the
configuration files when they are rebooted, lose power, or restarted. Instead, they look only when
receiving a checksync message, a polling trigger, or a manually started update from the menu or web
Some files such as bitmaps, .wav, the local directory, and any custom ringtones are downloaded each
time as they are stored in RAM and lost with every reboot.
But I tried to unplug/replug the power cable or press the reboot button, the phone will automatically login BToE as my user accounts as well. Our environment has the DHPC option enabled and provisioning server setup. I guess that enables the auto-login
This page is bible for Provisioning Polycom phones :).
Just a question. We have huge number of devices running in 3.x. I replaced FW in the root directory with latest 4.x and rebooted the devices…Its all upgrading but not connecting to Provisioning server.. (Stays in a stage where it looks like a brand new device with new all option)
All become normal if I do a second manual reboot. (Connects to Provisioning, Registering with Call server,Showing custom Home page).
Do you have any idea about this behavior? Thanks.
Hi Jeff – great post, i am having difficulty getting our VVX phones to pick up the language settings from the provisioning server, it takes all the other setting but this. I need to to role it out to Spain, France, Germany and the Uk so I need it to be able to pick up these setting from the server. Thanks O.
I have a question about best practices for rolling out updates to a fleet of phones. Do most people configure their environment in such a way to allow for phased rollouts (per floor/department/etc.) or do most people simply have a single provisioning server for all the phones and updates are rolled out in a single phase?
thanks for this very interesting website. 🙂
We have now start with Lync Polycom Phones VVX500 and i using the provisioning server and i works fine.
But now the details start and some guys ask, if it is possible to deploy different configurations to different subnet or vlan. Most interest are to set different http access passowrds. Is this possible?
Firstly, excellent article here, I’ve been meaning to tell you how much this article helps people new to the provisioning arena. I’m also looking forward to your on November 18th, that’ll be another step in the right direction for Polycom Provisioning. I did want to note that anyone looking for true easy-to-use HTTP/HTTPS provisioning should take a look at Event Zero’s solution. We support all VVX, SoundPoint, RealPresence, Soundstation, and the CX5500 phones at this time. I am one of the lead engineers on the project and it is a solution sanctioned by Polycom (they helped us build it). Anyone that is looking for an easy-to-use provisioning system for any number of phones should take a look…it’ll make your life MUCH easier, I promise. People can ping me at J.Weaver@EventZero.com if there are questions around what it can do. Thanks again, again, nice work here.
Hi Jeff, this is quite a good one, we are currently implementing the Lync server 2013 with Skype for business client, using VVX410 phones as our handsets.
In the polycom provisioning server, in order to centralized the solution for some users’ requirement for Push-To-Talk, I created some cfg file copied from the original 000000000.cfg file, and modify the file name to the macaddress.cfg and added the push-to-talk function into that.
But after those macaddress.cfg file created for those users, the phones will automatically log out during every mid-night, but not particular time.
For exclude the possible reason I did a test just copied the 00000000000.cfg file but did not change the content in it. Their phones still logged out during mid-night.
At last I remove those cfg files from the provisioning server, their phones not reboot anymore, so we have to get their phones’ IP address but not only mac address, to login the webpage to manage the push-to-talk.
May I know is it a known defect that will automatically log out the VVX410 if a customized macaddress.cfg file created in Provisioning server?
I’ve never seen that behavior before so if it’s still happening I suggest opening a support ticket.
jeff – great article as always
the IIS link to build the FTP site seems to be bad
here is a working link
Great article, just one question. The phones i have deployed now work great, but they keep saying that there are updates available on the server. and its when i go to Lync Device Update. that is shows this. I have removed all firmware off my provisioning server, yet its still finding an update somewhere. and its an old update. my phones are currently running 5.4.2 and this update is 5.4.0 any ideas where its getting this from? i am going crazy!
The SfB Online Device Update services are configured by default to push the latest qualified version (5.4.0 at this time). You’ll need to disable the Device Updates parameter on your O365 tenant: http://imaucblog.com/archive/2016/01/07/skype-for-business-online-ip-phone-manageability/
Hi Jeff. Great Articule about provisioning.
We have already setup a provisioning server which is working great for a total of +600 VVX500. However, every week, on Wednesdays and Thursdays evening (around 20:30h) a set of phones stop working. When you ping them they lose pings and it is imposible to use them Web interface is not availalbe during the outage.
We have seen that the polling is set to 23:30h in a random way until 1:30am. The outage stops around 9:30 am and suddenly all the affected phones come back to normality: no packets lost and full operative. We have seen a significant number of tar.qz files in the provisioning server (around 2Mb each), but we do not know why they have been generated.
Any ideas that may help us?
I’ve never heard of that issue; I suggest opening a support ticket if you have not done so already.
Any advice on best practice for global provisioning? We are setting up a folder structure and changing the DHCP scope to point to the correct folder per site. Is there a better way? Anyway to leverage a master 000000000000.cfg file and have specific folders for custom settings per site?
Setting up a folder per region is very straightforward but I’m just curious if having 60 000000000000.cfg files and folders is really the best way to approach this task.
The approach you’ve used is the best option for your scenario.
[…] Provisioning Polycom SIP Phones (Blog) […]
Please i need support for DHCP.
we configured DHCP server for Polycom Phones.
we have Avaya Access switch at my network.
when i assigned voice VLAN member for single port at Avaya Access switch and connected Polycom phone it is takin IP from Voice VLAN and working fine.
but when i connected to other Port which is member of PC and Voice VLAN it is taking IP from PC VLAN instead of Voice VLAN.
All Avaya switch are support LDAP.
is there any specific configuration need to run on Avaya switch for Polycom phones ?? if yes what is that.
we are using Polycom CX700_A model phones
You’ll need to use this configuration to support VLAN assignment on the older CX phones: http://blog.schertz.name/2011/01/manual-vlan-configuration-for-lync-phone-edition/
Hi, I had a question for you, I have made some changes with a polycom vvx 411 that is connected to fluentstream. I am totally blind and also for simplistic reasons I am writing information to the .cfg files. I export the web.cfg and allsettings.cfg and set the prov server to just “”. Every time I reboot the phone it comes back in the files, but in the webgui it is still blank. It is also removed from the full phone backup. Where is theis pesky setting hiding. Acustic fence is also doing the same thing. All codecs and log changes I make are sticking.
I suggest backing up the Configuration (export all and device conf) and then perform a factory reset. Then reintroduce the desired parameters one by one (or a few at a times if you have a lot) to make sure that unwanted parameters are gone.
Your blog helped me a lot for making VVX phones deployment through provisioning server.
However, I am looking for an option to disable the favourite contacts on the VVX 410 homescreen and changing the 911 emergency number to local emergency number through .cfg file.
I was not able to figure out which values needs to be add or change in .cfg files.
It would be great if you help me on this.
Thanks in advance.
You can enable Enhanced Flexible Line Keys to manually configure this; just leave the configuration blank. Settings > Basic > Custom. I don’t know if the 911 configuration is possible though.
Can we do this method without knowing the admin password for the device?
Because my customer have a VVX600, he changed the password but can’t remember what he changed it to.
If you know any other solutions for my problem, I’m all ears.
Thanks a lot
You’ll need to perform a factory reset on the phone using the MAC address as the password. I’ve documented this process in the last sections of this article: http://blog.schertz.name/2014/06/resetting-polycom-phones/
XML Notepad 2007: the version found on download.Microsoft.com is literally more than 10 years old now, and has many issues with loading and handling the 4 Megabyte .XSD XML schema definition coming in the Polycom software ZIP file. I found out recently, that an enthusiastic person has started to maintain this application, and fixed many bugs continuously. Are you using the old MSFT original version of this tool, or the newer one which is confusingly called via the same name, but has higher build number?
PLEASE ADD DHCP OPTION 161 to your article and describe it as a deviation from Option 160!
Many devices are shipped with Lync SKU and such devices will only search for Option 161, so many IT people tear out all their hair to find out why the phone does not find the provisioning server using only Option 160.
Any ideas how to disable details from private meetings showing on the Phones, we use VVX600 and VVX500, with config pulled from our provisioning server?
This is a feature currently available in the Trio 880, but not yet in the VVX platform.
Great blog and great information! I have a FTP server provisioning a custom config for VVX telephones. It works great on VVX501, and partially on VVX201. The 201 wont set the admin-password, and I can’t figure out why! I would think that the admin-password setting was universal on the VVX phones?
The configline I’m using is:
Do you have any idea?
It is the same on all VVX phones so I can only wonder if there is something wrong with the configuration file itself. I’ve seen the phones fail to read a seemingly correct configuration file before and I’ll just create a fresh XML file and reenter the configuration parameters manually and then it’ll work fine.
IF/when you use a Firmware folder, and create subfolders for firmware, so firmware/188.8.131.527 as an example. Where do you need to move/copy the updated Config, Languages and VVXLocalization folders that are in the split zip file to? Do you need to keep them in the firmware/184.108.40.2067 folder, or do you need to keep them in the FTP root folder?
I like organizing and maintaining previous versions in case of rollback, but I can’t seem to find where to keep those 3 folders located. I suspect Config needs to go to the Root, but something tells me that Language and VVXLocalization should go with the firmware version. yes no, what’s best or correct?
I have not experimented with moving those folders but anything referenced in the 000000000000.cfg file must be updated if that folder is moved out of the root.
Great blog. I have gone through many of you documents in configuring our Skype environment. I have followed your procedures for firmware updates however when the phones reboot they do not receive the updated firmware. If I perform a reset to factory defaults on the phone then it picks the update up. Can you think of any reason for this behavior?
Don’t know what is causing that but it’s not normal. It’s possible there is something in the configuration files preventing future updates.
Hi Mr Schertz,
is it possible to hash the login credentials on VVX and Trio endpoints ? Plain text passwords in the .cfg is a security nightmare. Is PIN Authentication working if you use Exchange calendar integration ?
I want to auto provision the phones, so no user has to interact with the phone on delivery.
No, and for this reason I never suggest to provision passwords in this manner. ALl other fields can be populated but the password should be entered on the device (or remotely via the web management UI over HTTPS).
Thanks Jeff for this amazing post.
I am having issues with IP 330 Polycom Soundpoint and Filezilla.
I cannot access the web configuration interphase using the ip address of the phone on my laptop although they are in the same network and can be ping by the laptop on CMD
I tried to setup the phone to see the FTP server on my laptop but to no avail.
mac – 0004f2214eed
bootblock – 2.7.0
bootrom – 3.2.3.0021
ver – 220.127.116.114
Managing Firmware Updates – It was mentioned that “as long as the firmware file stored on the server is a different version, newer or older, than what the device currently has installed then it will download and update the firmware automatically at the next reboot.”
1) Should the old .sip.ld files be deleted once the new ones are pasted in the directory?
2) Once the firmware update files are pasted in the directory…will the phones automatically install the update and reboot after a period of time?
1. The files always have the same name, per device model, so you can’t have more than a single firmware version in the same directory.
2. The phones only check for new firmware during initial boot-up, so if you want to force the update single power cycle the phone.
Thanks for this. I’m having a strange problem and cannot figure it out.
a. When I use option 160 with the IP for my FTP server, it works fine.
b. When i use option 160 with a string and “ftp://polycomprov” the phone fails to see the option 160 and doesn’t get the config.
Polycomprov resolves to my server running the FTP. It’s the same IP as what works above in example a. Its seems that only IP’s work whereas hostnames or cnames do not work for me. I’m at an absolute loss to explain it..any ideas?
Use the FQDN instead of only the hostname; DNS resolution is likely failing.
Hi there Jeff,
Great article and I followed it to the letter to configure my first Polycom phone. We run an online Exchange and Skype for Business Online with On-Prem AD. I still can’t seem to sign into the phone, model is a VVX 501. I have also created the required CNAMEs in both my internal and external DNS. The phone stays at Fetching user certificate then times out. I get a SIP/2.0 403 Forbidden. Please help?
FANTASTIC Blog Post! Your guide helped me SO much at a new job. Thank you thank you thank you
I have a question related to Trio (8800 and 8500), VVX 501 and 601 phones and provisioning. Is it possible to provision these 4 models together? The Trios will have a different configuration, the VVX 501 will be Common Area Phones and the 601 will be our regular desk phone. So basically 3 different configurations. Is this possible from one Central Provisioning server?
Yes, you can manage all Poly phones using a single provisioning server.