Deploying Deskphones for Lync? You Want This Switch!

Test-CsPhoneBootstrap said that we were doing the right thing. Jeff Schertz’s guide to configuring Lync for Lync Phone Edition devices said that we were doing the right thing. Elan Shudnow’s post about Cisco switches and PIN authentication said we were doing the right thing.

But our Lync Phone Edition devices just were NOT authenticating.

One of my network guys mirrored one of the wall ports for me, and I alternated between the happily-authenticating AudioCodes 420HD and the stubborn Polycom CX3000, capturing Wireshark traces I could barely read (I’ve since gotten to know the handshake process those LPE devices need way better than I ever wanted to). But what a pain.

msxfaq.de, long-time Exchange and now Lync MVP Frank Carius’ mostly-German variety shop of Lync and Exchange experience to the rescue – most specifically, his page on port mirroring. He recommends the NetGear ProSafe Plus series, the least expensive of which is the 5-port, non-PoE (Power over Ethernet) version, the GS105E. If you can read German, he explains several other options, along with exploring how you might connect to it without using Adobe AIR (and Windows) and some possible security implications of it having a default, hardcoded password to a web interface (theoretically, someone could break in and set up mirroring). If you can’t read German, it’s still good for screenshots of how to set up the port mirroring on the ProSafe Plus switches.

I, on the other hand, found the GS108PE, with 4 PoE ports and 4 regular ones to be the right balance between cost and convenience. This means up to four phones plugged in at once, and without power adapters. The non-PoE (and less expensive) versions will require you to use the phones’ power adapters. Later, if you want VLANs, VLANs you can have.

Screenshot: Port Mirroring made easy – too bad about the Adobe AIR interface…

As for the secret web interface that is a vulnerability on the GS105E, it does not appear to be present on the GS108PEv2 I have. Also, the management software does not spot the switch when I search from a computer on another subnet. I repeated Frank Carius’ experiment with the firmware for the GS108PEv2, version 1.00.12, downloaded from NetGear support, and did not turn up any hard-coded credentials. Out of curiosity, I did a quick skim of the GS105PE’s latest firmware (1.3.0.1, dated June 2014), and did not spot any obvious hard-coded credentials, but did see a lot of HTML and JavaScript, hinting at a web interface…

Because of this possible security issue with the hard-coded usernames and passwords, I recommend the GS108PE or GS105PE instead of the GS105E.
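One way to do the kind of firmware skim described above, as an added example (the post does not show the method actually used, so this is not the author's or Frank Carius' procedure). The keyword lists, function name and sample images are assumptions constructed for illustration.

```python
import re
import sys

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # runs of >= 6 printable ASCII bytes
# Assumed keyword lists; tune them for the device under review.
CRED_KEYS = re.compile(rb"(?i)(passw(or)?d|pwd|login|admin|user)")
WEB_HINTS = re.compile(rb"(?i)(<html|<script|<form|function\s*\(|\.cgi|\.htm)")
KEY_VALUE = re.compile(rb"\s*([\w.\-]+)\s*[=:]\s*(\S+)")

def skim_firmware(blob: bytes) -> dict:
    """Scan a firmware image you downloaded for review.

    Returns strings that look like 'credential_key=value' assignments
    (with their byte offsets) and a count of strings that hint at an
    embedded web interface.
    """
    cred_candidates, web_markers = [], 0
    for m in PRINTABLE.finditer(blob):
        text = m.group()
        if WEB_HINTS.search(text):
            web_markers += 1
        kv = KEY_VALUE.match(text)
        # Only flag assignments whose key name looks credential-related.
        if kv and CRED_KEYS.search(kv.group(1)):
            cred_candidates.append((m.start(), text.decode("ascii")))
    return {"cred_candidates": cred_candidates, "web_markers": web_markers}

# Constructed sample images (not real NetGear firmware).
SAMPLE_WITH_CRED = (b"\x00\x01\xff" * 8 + b"default_password=EXAMPLE-ONLY\x00"
                    + b"\x7f\x80" * 4 + b"<html><script>function(){}</script>\x00")
SAMPLE_CLEAN = b"\x00\xfe" * 16 + b"<html><form action=login.cgi>\x00" + b"\x90" * 8

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            images = {sys.argv[1]: fh.read()}
    else:
        images = {"with_cred": SAMPLE_WITH_CRED, "clean": SAMPLE_CLEAN}
    for name, data in images.items():
        report = skim_firmware(data)
        print(name, "web markers:", report["web_markers"])
        for offset, text in report["cred_candidates"]:
            print(f"  0x{offset:06x}  {text}")
```

A clean result only covers the uncompressed, unencrypted parts of an image; sections that are packed need to be unpacked before a string scan says anything about them.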

Make sure that you don’t get one of the non-“Plus” versions – they’re somewhat less expensive, but don’t have the mirroring available. I made this mistake, initially getting the GS108P.

So, if the model number ends in P, it does not have the smarts required to configure mirroring; if it ends in just E, it doesn’t have PoE (and might contain some risky firmware), and if it ends in PE, it does it all and will make your phone evaluation and troubleshooting easier.

As for Wireshark, DHCP, certificates, certificate chains, comparing multiple phones at once and how we finally got Lync Phone Edition to work right with our ancient Cisco ACE load balancers, that’s another post. Or three.


5 thoughts on “Deploying Deskphones for Lync? You Want This Switch!”

  1. Thanks for the update and the PM about the new firmware for my GS105E. It looks like the 1.3.0.1 no longer uses “plain text” passwords in the firmware. Hopefully they are now better encrypted. Thanks for setting a link to my msxfaq. BTW about 10% of my readers are using Google/Bing translation to read that stuff.


  2. Pingback: Lync Phone Edition PIN Authentication and Cisco ACE Load Balancer – It’s About the Certificate Chain Group | Mandie's Memos
  3. Any Cisco 2940 (the super-tiny 4-port FE + 1x FE optics port) or a cheap used 2950 Catalyst can be bought on eBay for some euros, and those are (I think) still light-years more professional (with an upgrade to the last supported IOS version, downloadable from Cisco.com for Layer 2 switches for free after a free registration) than any of today's brand-new no-name SOHO junk.


    • Oh, I agree that those Cisco switches certainly are more professional (as in, you have to know something about Cisco) and more suitable for long-term continuous use, but they are not terribly convenient, which is what I and probably most Lync admins are looking for in a little device to help us do phone testing and troubleshooting – configuring port mirroring is not trivial like it is on the NetGear ProSafe Pluses, and neither the 2940 nor the 2950 appear to have PoE, which I think is essential for a cheap little switch to troubleshoot Lync phones.

      Took a quick look at eBay – those old 2950s ARE really cheap! If you’ve got a nice mirroring configuration worked out for the 2940 or 2950 that anyone who reads IOS and thinks “but what does an expensive smartphone have to do with port mirroring?” could just copy and paste, post it somewhere and please link here!


      • Yes, agree that these cheap C2940 / 2950s have no PoE. In that case a used (and also sort of cheap) C3550 may be used. Yes, the PoE version of the 3550 supports a Cisco-proprietary pre-standard PoE, but it has a workaround that can be easily found via Google, and after it is applied it works. I tested it with a Polycom CX500.

        I think any IT person (who will ever touch switches or routers during their career) should know some (very) basic Cisco IOS, as managed network equipment has become very widespread in the last 5 years (not as exotic as it initially was 10 years ago).

        Regarding the config, that's all you need:
        http://goo.gl/tnVeFZ

