In the interests of Security, pbxnsip V3.3 changed the way Snom phones are auto provisioned by the PBX. You need to be aware of the changes to enable a smooth roll-out of Version 3.3

IP Phones Covered: SNOM 820, 370, 360, 320 and 300 series

pbxnsip V3.2 and below, would auto provision a phone by passing the MAC address of the phone in the provisioning URL, this could cause major issues should a third party learn of the URL and MAC address.

e.g. http://www.your-pbx.com/provisioning/snom320-mac-address.htm

This 'could' cause a security issue where a hijacker hijacks the phones identity. To do this they would know the PBX URL and MAC address. Any remote provisioning over the Internet is always vulnerable to third parties capturing phone details and miss-using the information, sometimes at great financial cost to the user.

V3.3 of pbxnsip now offers 2 ways to provision Snom IP Phones depending on the location you provision the phone from. The location is referred to as Local to your network or over the Internet. The first is 'LAN' based provisioning and the second is 'WAN' based provisioning. LAN = Local Area Network (within your office). WAN = Wide Area Network (Across the Internet)

'LAN' based PnP uses the MAC address of the phone to authenticate the phones identity.

NOTE: The MAC address is not passed in via the provisioning URL, this makes the provisioning of a phone in an office even stronger. Never underestimate the security topic, a local attack is probably worse than some outsider obtaining your password and phone details.

Phones connected over a VPN are also classed as 'LAN' based PnP phones.

NOTE: Phones connected over a standard local area network 'LAN' can be also be provisioned using the second method used for 'WAN' based provisioning (see WAN Provisioning below).

Click here to read about SNOM LAN based PnP

'WAN' based PnP uses HTTP Authentication to authenticate the identity of the user and configure the phone. The MAC address method is not supported for Internet based PnP.

HTTP Authentication requires a User Name and Password to authenticate the access requirements of the provisioning URL.

NOTE: The HTTP user name and password details must first be entered in the phone before use at the customer site under PnP provisioning.

Phones connected over the Internet (either Hosted or Home-worker) are classed as 'WAN' based PnP phones.

NOTE: The HTTP user name and password Authentication can be used inside the 'LAN' if required.

Click here to read about SNOM WAN based PnP

How can I provision a SNOM Phone from within the LAN?

Learn some PnP 'Know How'

When deploying SNOM Phones within your company or over a VPN to your company, you may use the MAC address method to identify and match a the phone to an extension.

The 'old' method in V3.2 and below would require the MAC address to be referred to in the provisioning URL. This method is no longer supported.

Technical Explanation: The 'new' way of obtaining the MAC address is by using the ARP cache (Address Resolution Protocol) of the Host. A table, usually called the ARP cache is stored with the devices IP Address and MAC Address (The physical machine address is also known as a Media Access Control). This makes it harder to spoof MAC Addresses as the IP Address and MAC address must be registered of situated on the LAN.

Normal Explanation: The 'new' way of obtaining the MAC address is where the PBX uses some useful information available to it via the network. The MAC address is obtained automatically.

You still have to declare a MAC address at extension level. This is carried out within the Registration tab of the extension.

Domain -> Extension -> Edit -> Registration Tab -> MAC Address Field

How can I provision a SNOM Phone from the Internet (WAN)?

Learn some PnP 'Know How'

When deploying SNOM Phones over the Internet the identity of the extension is carried out by using a User Name and Password.

The 'old' method in V3.2 and below would require the MAC address to be referred to in the provisioning URL. This method is no longer supported.

As the SNOM Phone is set to communicate with the pbxnsip using HTTP, the pbx will ask for authentication by way of Username and Password. The Snom phones are designed to hand over the predefined HTTP Client Username and Password.

The Snom phones firmware version must be at least 7.1.35 or 7.3.14.

Power up your Snom phone, obtain an IP Address (see SNOM guide), enter the IP Address in your web browser and open up the web pages of the Snom phone.

Click on the yellow left hand section called 'Advanced'. Now select the QOS/Security tab. Now scroll down to the bottom of the page until you find the HTTP Client Information.

Fill out the Username and Password details. (See Username and Password details below)

The Username is the extension number of your phone.

**** NOTE ****: In multi domain environments, the Username must contain the extension and domain. The domain does not have to be a fully qualified DNS domain, the PBX will first identify the domain and then look for the extension within the domain, if found it will request the HTTP Authentication details.

e.g. Multi domain environments = "extension@domain".

As the authentication type suggests (HTTP Authentication) you need to use the Web Password of the extension.

The old way in V3.2 or below was to use the SIP Password of the extension, but only once the phone was configured.



NOTE: To make things a little easier, you can now use either the extension level Web Password OR a set a new Domain level HTTP Password used only for Auto provisioning.

The Domain level setting 'Authentication Password' can be used to set 'ALL' password in 1 domain to be the same. This could make it easier to carry out domain level setting of phones. You would still be required to enter the extension@domain though!

You need to add the Setting URL in the Snom phone to be this...

http://my-domain.com:8081/provisioning/snom320.htm **
** where your domain 'my-domain.com' (or IP Address) has HTTP port set to port 8081 and the phone is a Snom 320. Depending on the phone type, you have to use the string "snom300.htm", "snom320.htm", "snom360.htm", "snom370.htm" or "snom820.htm".

How can I provision ALL SNOM Phones with a Username and Password?

Learn some PnP 'Know How'

When deploying SNOM Phones over the Internet the identity of the extension is carried out by using a User Name and Password. This means each phone is required to be set a User Name and Password.

The 'old' method in V3.2 and below would require the MAC address to be referred to in the provisioning URL. This method is no longer supported.



A special build of pbxnsip is available for the provisioning of phones from the files placed in the /provisioning directory, this should only be used to update phones with the Username and Password.

NOTE: This method does not allow for any authentication, therefore anyone accessing the provisioning URL with the correct file name and MAC address will be served the file.

You must create a file for each phone. The file name is important as this will identify the phone type and MAC Address.

The file name will be like so "snom320-000413123456.htm".

This file should set the Client HTTP User and Password field and also update the 'Update Settings URL' to point to the URL and naming convention.

Please contact pbxnsip Support or forum for more information.

Learn some PnP 'Know How'

The PBX needs to identify the extension used for Auto Provisioning. In the case where there are multiple domains on the system, the PBX must first decide which domain to check and use. This is why you need to assign the full Username as extension@domain

Yes, simply configure the phone in the same way as the WAN configuration and set the Settings URL in the phone as the HTTP URL of the PBX.

No, the PBX will use the MAC address found in some special data. This data is only available where the phone is communicating to the PBX from the same network. It will not work when the phone communicates from outside the local network e.g. over the Internet.

No, as from V3.3 you must use the Web Password of your extension OR the Domain level setting allowing for 1 password to be used for Plug and Play in each domain.

pbxnsip likes to keep the PBX up-to-date with security features. This new feature is a step in the right direction and wipes out the possibilities of a third party grabbing 'all' information on a phone and using it for free calls.

Please contact your account manager for this. There is a possibility to deploy a large scale update for Hosted servers.