Hello @Patrick-J,
as I answered the Resellers question in this case I may also share this with the community.
As already explained the URL with the Username and Password embedded only works for FTP but not for HTTP via a browser aka as for example was changed in Chrome:
The same is applicable for other browsers like IE or Edge.
Using FTP with a username / password combination can be seen in a wireshark trace like this:
220-Steffen Baier
220-EMEA T3 Senior Product Support Specialist Team Leader Voice, EMEA Escalatio
220-FileZilla Server 0.9.59 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
USER 580d
331 Password required for 580d
PASS test
230 Logged on
Using HTTP instead:
GET /phoneservice/configfiles/0004f275d2a6.cfg HTTP/1.1
Host: 10.252.122.65
Accept: */*
User-Agent: FileTransport PolycomVVX-VVX_410-UA/5.8.0.12848 Type/Application
HTTP/1.1 401 Unauthorized
X-Powered-By: RealPresence Resource Platform
Cache-Control: no-store,max-age=0,must-revalidate
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains;
Content-Security-Policy: default-src 'self';
WWW-Authenticate: Basic
Transfer-Encoding: chunked
Date: Tue, 10 Jul 2018 09:45:31 GMT
Server: false
0
GET /phoneservice/configfiles/0004f275d2a6.cfg HTTP/1.1
Authorization: Basic UGxjbVNwSXA6UGxjbVNwSXA=
Host: 10.252.122.65
Accept: */*
User-Agent: FileTransport PolycomVVX-VVX_410-UA/5.8.0.12848 Type/Application
HTTP/1.1 200 OK
X-Powered-By: RealPresence Resource Platform
Cache-Control: no-store,max-age=0,must-revalidate
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains;
Content-Security-Policy: default-src 'self';
Content-Length: 1643
Date: Tue, 10 Jul 2018 09:45:31 GMT
Server: false
Once you look at the transaction at a byte level you can still see the username / password combination:
Hypertext Transfer Protocol
GET /phoneservice/configfiles/0004f275d2a6.cfg HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /phoneservice/configfiles/0004f275d2a6.cfg HTTP/1.1\r\n]
[GET /phoneservice/configfiles/0004f275d2a6.cfg HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /phoneservice/configfiles/0004f275d2a6.cfg
Request Version: HTTP/1.1
Authorization: Basic UGxjbVNwSXA6UGxjbVNwSXA=\r\n
Credentials: PlcmSpIp:PlcmSpIp
If you want a truly "secure" environment you would need to setup a secure staging LAN with only a limited DHCP scope and provision phones individually to provide them a new Username / Password. You could also add 802.1x on top for a fully secure environment.
Or you could use Polycom ZTP which has a fully secure HTTPS connectivity to the Polycom Cloud and make these changes to the Username / Password and them let the Phone connect to your Setup and the DHCP Server only provides the URL.
As the phone talks already HTTPS to the server this is the most secure way.
Best Regards
Steffen Baier
Polycom Global Services
----------------
If official support is required please check how to phone or open a case here
----------------
The title Poly Employee & Community Manager is a community setting and
does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.
----------------
Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
