6 Swyx Connectivity Setup Tool
SwyxWare is equipped with an automatically generated (SelfSigned) TLS certificate by default. The Swyx Connectivity Setup Tool (SCST) allows you to equip SwyxWare with an official trusted TLS certificate and optionally with a unique public server name (Fully Qualified Domain Name, FQDN).
The TLS server certificate allows SwyxWare services and clients to ensure that they are communicating with the correct server in encrypted form. Swyx Control Center and the SwyxConfigDataStore service also use this TLS certificate on the provisioning interface for certified SIP phones, SwyxDECT 800 and the REST interface for client connections.
Currently, SCST does not support SwyxWare services installed on a machine other than SwyxServer.
RemoteConnector
You can define the settings for the RemoteConnector for SwyxIt! in the SCST.
The RemoteConnector for SwyxIt! is a SwyxWare service that enables and manages the connection of SwyxWare clients to SwyxServer from the Internet, see 26.1 Internet connection via RemoteConnector.
* The settings of the RemoteConnector for SwyxIt! have no influence on the RemoteConnector for Yealink.

Connections to SwyxRemoteConnector are protected not only with a server certificate, but also with user-specific client certificates. This is why SwyxRemoteConnector uses its own X.509 root, server and client certificates. The RemoteConnector for SwyxIt! certificates are independent of the TLS server certificate of the other SwyxWare services.
* You can have RemoteConnector certificates (root and server certificate) generated and installed via SCST. You can generate client certificates manually for desired users or have them generated automatically for all users.

Split DNS in the internal network
The clients reaching SwyxServer on the internal network must also use the unique FQDN for which the TLS server certificate is issued.
It is not recommended that network traffic from clients on the internal network flow through their network's public IP and Internet router, rather than directly to SwyxWare. DNS queries for the IP address of the FQDN must be answered in your local network with the internal IP address of the SwyxServer.
| Client type | Target SwyxServer Address | DNS configuration |
| --- | --- | --- |
| External clients | FQDN | External IP address |
| Internal clients | FQDN | Internal IP address of the SwyxServer |
For this purpose, you need to set up a DNS service or server in your local network.
* Swyx Connectivity Setup Tool can only be started after the SwyxWare installation and its initial configuration in the SwyxWare configuration wizard has been done.
* On the SwyxDECT 800 base station (Ascom) you have to install the TLS root certificate yourself, see 6.5 Install TLS root certificate on DECT 800 base station.
* If you equip SwyxWare with a trusted TLS certificate, you must ensure that SwyxServer and all clients that connect to SwyxWare receive the correct date and time. See also service.swyx.net/hc/en/articles/360000014639-SwyxPhones-need-correct-time-for-connections-to-the-SwyxServer-
* If you are running a Windows domain on your internal network, the date and time on the Windows server and clients are already correctly synchronized.
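
A check to run from an internal client, covering the split-DNS table and the date/time note above. This is an added example, not Swyx code: the function names are hypothetical, and the IP addresses and certificate dates are constructed sample values.

```python
import ipaddress
import socket
import ssl
import time

def resolve(fqdn):
    """Addresses the local resolver returns for fqdn (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()

def split_dns_verdict(resolved, internal_ip, external_ip):
    """Classify the answer an internal client received for the server FQDN."""
    addrs = {ipaddress.ip_address(a) for a in resolved}
    if not addrs:
        return "unresolved"
    if addrs == {ipaddress.ip_address(internal_ip)}:
        return "ok"            # internal clients go directly to SwyxServer
    if ipaddress.ip_address(external_ip) in addrs:
        return "hairpin"       # traffic would leave via the public IP and router
    return "unexpected"

def clock_verdict(not_before, not_after, now=None):
    """Check the local clock against a certificate's validity window.
    Dates use the text form returned by ssl getpeercert(), for example
    'Jan  1 00:00:00 2024 GMT'."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(not_before):
        return "clock-before-notBefore"
    if now > ssl.cert_time_to_seconds(not_after):
        return "clock-after-notAfter"
    return "ok"

if __name__ == "__main__":
    # Constructed sample values; replace with your own addresses and dates.
    INTERNAL, EXTERNAL = "192.168.10.5", "203.0.113.10"
    print(split_dns_verdict({"203.0.113.10"}, INTERNAL, EXTERNAL))
    print(clock_verdict("Jan  1 00:00:00 2024 GMT",
                        "Mar 31 00:00:00 2024 GMT", now=1706000000))
```

On a live client, pass `resolve("<your FQDN>")` as the first argument of `split_dns_verdict`; a result of `hairpin` means the internal DNS is still answering with the external address.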
 
 
Application scenarios of SCST:
You can use SCST for the following purposes:
1) Obtain TLS certificate from Let's Encrypt (automatic certificate mode)
In this case SCST determines the currently used public IP address of SwyxServer and registers an FQDN within the SwyxON DNS service.
SCST requests a free TLS server certificate for this FQDN from the service provider Let's Encrypt (letsencrypt.org) and installs the certificate in SwyxWare, see 6.1 Use TLS certificate from Let's Encrypt.
* The prerequisite for this is that online licensing is used, see 2 Online Licensing.
* Certified SIP phones (Yealink) support the TLS certificate from Let's Encrypt and do not require additional TLS configuration.

2) Use your own TLS certificate (manual certificate mode)
If you prefer to use your own TLS certificate or one purchased from a commercial certificate authority (CA), SCST will help you to install it, see 6.2 Use own TLS certificate.
* When selecting this option, note that you must be in charge of your own DNS zone and the public IP address of your network must be resolved by a unique registered FQDN.
* Certified SIP phones (Yealink) support TLS certificates from recognized certificate authorities (CA): https://support.yealink.com/en/portal/docDetail?documentCode=90ef402d65392bc5
  If you use a certificate from one of the listed certificate authorities, no additional TLS configuration is required on Yealink devices.
* If your TLS certificate is not supported by Yealink, you need to install the corresponding root certificate on each SIP phone, see 6.6 Install TLS root certificate on Certified SIP phones.

3) Configure SwyxRemoteConnector only
If you want to continue using the SelfSigned certificate, or if you already have a TLS certificate installed, you can also use SCST to set only the RemoteConnector parameters.