Security info#
Risks and hazards#
Misusing a UC system can result in the following hazards for the company and its users:
Abusive dialing of telephone numbers (e.g. 0900 service numbers)
Mining of company and personal information (e.g. call lists, voicemail messages)
Faking of fax and text messages
Mining of passwords used in the UC system (and possibly elsewhere)
Perturbing the communication systems (denial of service)
Encryption#
Encrypted data connections are a basic requirement for secure operation.
The XPhone Connect Server provides encrypted client-server connections:
Connection to the Connect Client: Communication takes place via TLS-secured WCF TCP binding. The underlying certificate is regenerated each time the XPhone Connect Server is started. The encryption algorithm used is Advanced Encryption Standard (AES) with a key length of 256 bits. No additional protocols are used (e.g. LDAP, SMTP, IMAP etc.). Encryption is activated by default.
Internal voice communication (Softphone Desktop, AnyDevice, Meetings, TeamDesk) is secured with SRTP. The encryption algorithm used is Advanced Encryption Standard (AES) with a key length of 256 bits. Voice communication to the exchange (PSTN) must be secured by the telephone system or the SBC.
Connection to the Outlook client: The Outlook client uses the same connection as the Connect client.
Connection to the Mobile Connect Client: SSL or TLS encryption of the IIS
Connection LDAP clients to the XPhone Connect Directory: SSL or TLS encrypted TCP connection
Server-server connections#
Encryptable connections
The following connections can be encrypted by XPhone Connect:
SMTP mail server
Use: Delivery of faxes, voicemails and missed call notifications. Encryption: SSL- or TLS-secured TCP connection.
IMAP server
Use: Remote access of voicemails. Encryption: SSL- or TLS-secured TCP connection.
XPhone Connect Directory
Use: Access to data sources such as Salesforce or the German telephone directory. Encryption: SSL- or TLS-secured TCP connection via HTTPS.
Active Directory via LDAPS
Use: Data access via the XPhone Connect Directory and the AD connector. Encryption: SSL- or TLS-secured LDAP connection (LDAPS).
Server-to-server connections whose encryption cannot be influenced by XPhone Connect
TAPI interface to PBX systems
MAPI interface to Exchange
Use: calendar synchronization, data access by the XPhone Connect Directory, remote voicemail access
XPhone Connect Directory
Connections to database systems via ODBC data sources (e.g. Microsoft Dynamics CRM/NAV/AX)
Access to HCL Notes databases
Unencrypted server-server connections
Connection to PBX systems
If access protection cannot be adequately ensured via network mechanisms (e.g. Ethernet switching in the intranet), a VPN connection between XPhone Connect Server and the respective endpoint must be used.
Security protocols#
XPhone Connect supports a variety of modern security protocols to ensure secure communication and the protection of sensitive data:
HTTPS (HTTP Secure):
Areas of application: Access to web interfaces, web services, Office 365 integration and analytics.
LDAPS (LDAP over SSL/TLS):
Areas of application: Active Directory connector and Connect Directory (client interface).
WCF via TLS (Windows Communication Foundation):
Areas of application: Communication between XPhone Connect Server and Client.
WCF communication: All communication between XPhone Connect Client and XPhone Connect Server is protected by 256-bit AES encryption as standard. In addition to the user name/password, integrated Windows authentication is available for authentication (Windows Client).
TLS (Transport Layer Security):
Areas of application: Secure access to specific data sources in the Connect Directory.
SRTP (Secure Real-Time Transport Protocol):
Areas of application: Encrypted voice communication for Softphone Desktop, AnyDevice, TeamDesk and meetings.
DTLS (Datagram Transport Layer Security):
Areas of application: Encrypted voice communication for Softphone Mobile.
mTLS (Mutual TLS):
Areas of application: Secure server-to-server communication in federation scenarios.
IMAP/S, SMTP/S:
Areas of application: Mail interface (e.g. UM services).
For communication with external mail servers (e.g. Microsoft Office 365), SMTP and IMAP can be encrypted directly by the XPhone Connect Server.
Password security#
Integrated Windows logon (Single Sign On)
When using the integrated Windows login, no password is stored on the workstation, nor is it transferred from the Connect Client to the server. Authentication is guaranteed by the operating system. The password guidelines of the Windows system then apply.
XPhone Connect Server login
If the Connect Client uses the XPhone Connect Server login, the client stores the password in encrypted form on the local machine. The same applies when using the Mobile App.
For Windows operating systems, the operating system’s own Windows password store is used. The transfer of login name and password between client and server is encrypted. Sufficient complexity of the user password can be ensured by a server policy. If the password is repeatedly entered incorrectly, the login is blocked for a certain period of time.
Applications
For increased security requirements, we also recommend using encrypted HTTP connections on the intranet, as browsers sometimes work with basic authentication and passwords are then transmitted in plain text over the network.
By default, the XPhone Connect Server uses a security certificate that is generated during installation. This can be replaced by an existing certificate in the company.
The Microsoft Internet Information Server is used to publish XPhone Connect applications on the Internet.
Web-Administration
Activate the SSL encryption of the Microsoft IIS.
Change the administrator password of the XPhone Connect Server. Ensure a high password complexity.
Secure the network connection between the web server and XPhone Connect Server using the methods already described, which apply to all types of Ethernet connections.
Mobile App
The Mobile App accesses the Microsoft IIS via HTTP. SSL must always be activated for this access.
Windows client applications
The (intranet) connection between the Windows client and XPhone Connect Server is encrypted. Passwords are neither stored in plain text on the workstation nor transmitted via the network.
If possible, only use the integrated Windows login. If the XPhone Connect Server login must be used, establish the necessary password security using a password policy.
Voicemail remote access
Remote access allows access to voicemails that are stored in the e-mail system or in the internal message memory. Access is secured via a PIN (minimum length can be configured under System settings > UM > Voicemail > General).
If remote access is not required, it must be blocked for the relevant user group. The Connect to caller option allows you to be connected to a caller via the PBX system. If this feature is not required, it must be deactivated.
PINs that remain at a (generally) known default value for a long time after setup are critical. For this reason, there is no product-specific default value in XPhone Connect. Instead, the default value must be set by the administrator in the Web-Administration. The option "The voicemail PIN for new users is pre-set with an empty PIN" is only recommended if it is ensured that all users set their PIN immediately after the system has been set up.
Voicemail player
XPhone Connect contains a voicemail player for listening to voicemail messages sent by e-mail. This application plays voice messages (WAV file) from the e-mail attachment via any telephone. Playback is performed on the UC server by the voicemail player service.
The connection setup for playback is not secured via authentication. The player may only be used on the intranet. We recommend not using the voicemail player and deactivating the corresponding server service if you have corresponding security requirements.
TAPI
XPhone Connect has a TAPI service provider (TSP), with which it is possible for TAPI-compatible applications to use the telephony services of the XPhone Connect Server.
The XPhone Connect TAPI can be used via a special server account as well as via all user accounts. The server account provides access to all lines assigned to users. Make sure you use a sufficiently complex password for this account. As this password is only configured once and is never entered interactively, a long password drawn from a large character set can be chosen. WPA keys for WLAN are a good example.
Users only have access to the lines that are assigned to them. An exception is the use of the TSP on terminal servers, where protection against unauthorized monitoring of external lines is not possible in principle. On the terminal server, only TAPI control functions (e.g. dial/hang up) are protected against cross-user access. Please note that the Deactivate setting (under Settings/CTI/TAPI) only deactivates the central server account and not the TAPI function as a whole. To deactivate the TAPI function completely, the corresponding licenses must be removed.
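The guidance above (a server policy that enforces password complexity, a high-complexity administrator password, and a long random secret for the TAPI server account) can be supported with a few shell helpers. The following is an added example and not part of the XPhone Connect documentation or product: it generates a long random service-account password, estimates its entropy, and applies an illustrative complexity rule. The thresholds in check_password_policy (minimum length 12, three of four character classes) are assumptions of this example, not the product's server policy.

```sh
#!/bin/sh
# Added example, not part of the XPhone Connect documentation: small helpers for
# the password guidance above. gen_service_password produces the long, random
# secret the text recommends for the TAPI server account (set once, never typed
# interactively); entropy_bits estimates the strength of such a password;
# check_password_policy is an illustrative complexity rule whose thresholds
# (minimum length, three of four character classes) are assumptions of this
# example, not the product's server policy.
export LC_ALL=C   # byte-wise character classes for tr and case patterns

# Random password of LEN characters (default 32) from a 64-symbol alphabet
# (A-Z, a-z, 0-9, '-' and '_'), taken from /dev/urandom.
gen_service_password() {
    len="${1:-32}"
    tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c "$len"
    echo
}

# Entropy of a uniformly random password in bits, rounded: LEN * log2(ALPHABET_SIZE).
entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%d\n", n * log(s) / log(2) + 0.5 }'
}

# Returns 0 if PASSWORD has at least MIN_LEN characters (default 12) and contains
# at least three of: lower-case letters, upper-case letters, digits, other characters.
check_password_policy() {
    pw="$1"; min_len="${2:-12}"
    [ "${#pw}" -ge "$min_len" ] || return 1
    classes=0
    case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# Example: a 32-character password from a 64-symbol alphabet carries about 192 bits
# of entropy, far beyond what an interactive password policy can demand.
# pw=$(gen_service_password 32); entropy_bits 32 64; check_password_policy "$pw" && echo ok
```

A password generated this way is meant to be pasted once into the TAPI server account configuration and stored in a password manager; the policy checker is the kind of rule an interactive user password should satisfy, and it is deliberately far weaker than what the generator produces.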
Security mechanisms in the context of the MobileApp#
The XPhone Connect satellite and the Microsoft web server (IIS) can be outsourced to a DMZ for security reasons. Alternatively, all components can be installed together with the XPhone Server on one system.
XPhone Connect satellite
A current Debian image with the latest kernel is made available with every major release. An update of an XCC satellite via aptitude or similar is currently not supported.
The Linux image of the satellite is secured by a firewall (iptables). Only the RTP sockets required for media transmission are open.
Communication between XPhone Server and XCC satellites takes place exclusively via TCP.
The management bridge (gRPC) between XPhone Server and XCC Satellite is also secured via iptables.
The connection is TLS-secured.
XPhone Server and satellite exchange certificates on the first connection, after which the satellite only accepts connections from this XPhone Server.
The iptables rules allow TCP packets through on port 3280 only if their source IP is that of the XPhone Server.
The XCC satellite can only be reached from the XPhone host via SSH.
XPhone Connect Call Controller (local or outsourced to satellites)
Media data streams are only transmitted encrypted via SRTP (internal communication, not in the direction of the PBX). Other UDP packets are discarded by the media controller used.
The UDP ports for the media connection are dynamic and are closed at the end of the call.
Communication via SIP (TCP) can only take place between XPhone Server and XCC Satellite. Communication from/to the outside is also prevented by iptables.
In addition, SIP communication is limited exclusively to known IP networks (list of known IP addresses / ACL). SIP communication from other networks is rejected.
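The satellite firewall policy described above (gRPC management on TCP 3280 and SSH only from the XPhone Server, SIP over TCP only from known networks, UDP only for the RTP media range, everything else dropped) can be written down as an iptables-restore ruleset. The following is an added example and not the product's own satellite image or configuration: it generates such a ruleset from the server address, the SIP port, the RTP range and an ACL of known networks. The SIP port, the RTP port range and the assumption that the satellite needs no other inbound service are assumptions of this example; the page states only that the RTP ports are dynamic and that port 3280 is used for the management bridge.

```sh
#!/bin/sh
# Added example, not part of the XPhone Connect documentation or the product's
# own satellite image: emits an iptables-restore ruleset that expresses the
# policy described above for an XCC satellite.
#   - gRPC management bridge on TCP 3280 only from the XPhone Connect Server
#   - SSH only from the XPhone Connect Server
#   - SIP over TCP only from the XPhone Connect Server and the known networks (ACL)
#   - UDP only on the RTP port range used for media; every other packet is
#     dropped by the default INPUT policy
# Assumptions (not stated on the page): SIP listens on the TCP port you pass
# (5060 is the usual value), the RTP range is the one you pass, and the
# satellite needs no other inbound service.
#
# usage: gen_satellite_rules SERVER_IP SIP_PORT RTP_LO RTP_HI [KNOWN_NET ...]
gen_satellite_rules() {
    server_ip="$1"; sip_port="$2"; rtp_lo="$3"; rtp_hi="$4"
    shift 4
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Management bridge (gRPC, TCP 3280 per the documentation) and SSH: only from the XPhone host.
    printf '%s\n' "-A INPUT -s $server_ip -p tcp --dport 3280 -j ACCEPT" \
                  "-A INPUT -s $server_ip -p tcp --dport 22 -j ACCEPT"
    # SIP signalling over TCP from the XPhone host and from each network on the ACL.
    printf '%s\n' "-A INPUT -s $server_ip -p tcp --dport $sip_port -j ACCEPT"
    for net in "$@"; do
        printf '%s\n' "-A INPUT -s $net -p tcp --dport $sip_port -j ACCEPT"
    done
    # Media (SRTP over RTP) on the dynamic UDP range; all other UDP falls through to DROP.
    printf '%s\n' "-A INPUT -p udp --dport $rtp_lo:$rtp_hi -j ACCEPT" 'COMMIT'
}

# Sanity check before loading: the number of ACCEPT rules that were generated.
count_accept_rules() {
    gen_satellite_rules "$@" | grep -c -- '-j ACCEPT'
}

# Example invocation with constructed addresses from the documentation ranges:
# gen_satellite_rules 192.0.2.10 5060 20000 21000 198.51.100.0/24 | iptables-restore
```

Review the generated file before loading it with iptables-restore; since the satellite is delivered as an image and updated only by re-deploying the image, any such ruleset is a way to verify or document the expected policy, not a replacement for the rules the image ships with.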
Mobile web application on Microsoft IIS (Microsoft Internet Information Services)
Communication between the mobile app and IIS is encrypted using the customer's own certificates (including VoIP signaling).
XPhone Connect Server
The XPhone server sends push notifications in encrypted form, either via a proxy server or directly to the Apple, Google and C4B push services.