Adding DHCP Option 43 for IP Phones in Switch(es)

%3CLINGO-SUB%20id%3D%22lingo-sub-109337%22%20slang%3D%22en-US%22%3EAdding%20DHCP%20Option%2043%20for%20IP%20Phones%20in%20Switch(es)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-109337%22%20slang%3D%22en-US%22%3E%3CP%3ERecently%20I%20had%20a%20situation%20where%20there%20is%20no%20OS-based%20(Windows%2FLinux)%20DHCP%20server%2C%20however%20DHCP%20service%20is%20running%20only%20in%20Switch(es).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIP%20Phones%20require%20DHCP%20Option%2043%20in%20order%20for%20them%20to%20be%20able%20to%20locate%20Lync%2FSFB%20server's%20Certificate%20Provisioning%20Service%2C%20download%20and%20install%20the%20Root%20CA's%20certificate%20automatically.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20had%20to%20provide%20DHCP%20Option%2043%20Hex%20value%20to%20network%20engineers%20so%20that%20they%20can%20configure%20it%20in%20Switch(es).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20easiest%20way%20to%20retrieve%20it%20is%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EGo%20to%20the%20folder%20path%20where%20DHCPUtil.exe%20is%20and%20run%20the%20following%20command%3B%3C%2FLI%3E%3C%2FOL%3E%3CP%3EPS%20C%3A%5CProgram%20Files%5CCommon%20Files%5CMicrosoft%20Lync%20Server%202013%26gt%3B%20%3CSTRONG%3E.%5CDHCPUtil.exe%20-sipserver%20lyncserver.thetnaing.com%3C%2FSTRONG%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CU%3E%3CSTRONG%3EOutput%3C%2FSTRONG%3E%3C%2FU%3E%3C%2FP%3E%3CP%3ESIP%20Server%20FQDN%20%3A%20lyncserver.thetnaing.com%3CBR%20%2F%3ECertificate%20Provisioning%20Service%20URL%20%3A%20%3CA%20href%3D%22https%3A%2F%2Flyncserver.thetnaing.com%3A443%2FCertProv%2FCertProvisioningService.svc%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flyncserver.thetnaing.com%3A443%2FCertProv%2FCertProvisioningService.svc%3C%2FA%3E%3C%2FP%3E%3CP%3EOption%20120%3A%3CBR%20%2F%3E00096570736C796E63303109657073696C6F6E6871056C6F63616C00%3C%2FP%3E%3CP%3EVendor%20Class%20Identifier%3A%20MS-UC-Client%3CBR%20%2F%3EOption%2043%20(for%20vendor%3DMS-UC-Client)%3A%3CBR%20%2F%3EFull%20Option%2043%20value%20(Length%3A%20184)%20%3A%20%3CSTRONG%3E010C4D532D55432D436C69656E740205687474707303196570736C796E6330312E657073696%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EC6F6E68712E6C6F63616C040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663%3C%2FSTRONG%3E%3CBR%20%2F%3Esub-option%201%20%3CUC%20identifier%3D%22%22%3E%3A%204D532D55432D436C69656E74%3CBR%20%2F%3Esub-option%202%20%3CURL%20scheme%3D%22%22%3E%3A%206874747073%3CBR%20%2F%3Esub-option%203%20%3CWEB%20server%3D%22%22%20fqdn%3D%22%22%3E%3A%206570736C796E6330312E657073696C6F6E68712E6C6F63616C%3CBR%20%2F%3Esub-option%204%20%3CPORT%3E%3A%20343433%3CBR%20%2F%3Esub-option%205%20%3CRELATIVE%20path%3D%22%22%20for%3D%22%22%20cert%3D%22%22%20prov%3D%22%22%3E%3A%202F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E%3CBR%20%2F%3E737663%3C%2FRELATIVE%3E%3C%2FPORT%3E%3C%2FWEB%3E%3C%2FURL%3E%3C%2FUC%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%202.%20Provide%20your%26nbsp%3B%3CSPAN%3EDHCP%20Option%2043%20Hex%20value%20you%20got%20it%20from%20output%20above%20to%20network%20engineers.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3CSTRONG%3E010C4D532D55432D436C69656E740205687474707303196570736C796E6330312E657073696%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EC6F6E68712E6C6F63616C040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ENow%20the%20IP%20Phones%20are%20able%20to%20locate%2C%20download%20and%20install%20the%20root%20certificate%20automatically%20and%20successfully.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20634px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F20623i034F9AB7C3A29687%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%221.jpg%22%20title%3D%221.jpg%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIt's%20worth%20to%26nbsp%3Btake%20note%20that%20%22PIN%20Authentication%22%20menu%20appears%20only%20after%20you%20configured%20DHCP%20Option%2043.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-109337%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDeployment%20%26amp%3B%20Operations%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDesktop%20Client%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDevices%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESign-in%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1024781%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20DHCP%20Option%2043%20for%20IP%20Phones%20in%20Switch(es)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1024781%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F4698%22%20target%3D%22_blank%22%3E%40thet%20naing%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHello%20and%20thanks%20for%20your%20guidance.%20Actually%20I%20have%20done%20the%20same%20and%20given%20the%20comand%20lines%20to%20the%20%22Network%20engineers%22%20who%20manage%20our%20Cisco%20routers%20(DHCP%20server%20for%20the%20subnetwork)%20and%20it%20seems%20that%20the%20config%20command%20line%20with%20the%20full%20sub-options%20is%20too%20long%20because%2C%20our%20IP%20Phones%20are%20getting%20a%20truncated%20value%20of%20the%20CertProvisioning%20URL%20string%2C%20therefore%20never%20get%20the%20to%20find%20the%20service.%20The%20engineer%20argues%20that%20in%20principle%20the%20whole%20line%20has%20been%20accepted%20by%20the%20Cisco%20config%20but%20the%20reality%20shows%20that%20the%20parameter%20is%20incomplete.%20Is%20there%20a%20limiting%20parameter%20for%20the%20cisco%20config%20line%20number%20of%20characters%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20any%20idea%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlfredo%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Recently I had a situation where there is no OS-based (Windows/Linux) DHCP server, however DHCP service is running only in Switch(es).

 

IP Phones require DHCP Option 43 in order for them to be able to locate Lync/SFB server's Certificate Provisioning Service, download and install the Root CA's certificate automatically. 

 

I have had to provide DHCP Option 43 Hex value to network engineers so that they can configure it in Switch(es). 

 

The easiest way to retrieve it is:

 

  1. Go to the folder path where DHCPUtil.exe is and run the following command;

PS C:\Program Files\Common Files\Microsoft Lync Server 2013> .\DHCPUtil.exe -sipserver lyncserver.thetnaing.com

 

Output

SIP Server FQDN : lyncserver.thetnaing.com
Certificate Provisioning Service URL : https://lyncserver.thetnaing.com:443/CertProv/CertProvisioningService.svc

Option 120:
00096570736C796E63303109657073696C6F6E6871056C6F63616C00

Vendor Class Identifier: MS-UC-Client
Option 43 (for vendor=MS-UC-Client):
Full Option 43 value (Length: 184) : 010C4D532D55432D436C69656E740205687474707303196570736C796E6330312E657073696
C6F6E68712E6C6F63616C040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663
sub-option 1 <UC Identifier>: 4D532D55432D436C69656E74
sub-option 2 <URL Scheme>: 6874747073
sub-option 3 <Web Server FQDN>: 6570736C796E6330312E657073696C6F6E68712E6C6F63616C
sub-option 4 <Port>: 343433
sub-option 5 <Relative Path for Cert Prov>: 2F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E
737663

 

          2. Provide your DHCP Option 43 Hex value you got it from output above to network engineers.

 010C4D532D55432D436C69656E740205687474707303196570736C796E6330312E657073696
C6F6E68712E6C6F63616C040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

 

Now the IP Phones are able to locate, download and install the root certificate automatically and successfully. 

1.jpg

It's worth to take note that "PIN Authentication" menu appears only after you configured DHCP Option 43. 

1 Reply

@thet naing 

 

Hello and thanks for your guidance. Actually I have done the same and given the comand lines to the "Network engineers" who manage our Cisco routers (DHCP server for the subnetwork) and it seems that the config command line with the full sub-options is too long because, our IP Phones are getting a truncated value of the CertProvisioning URL string, therefore never get the to find the service. The engineer argues that in principle the whole line has been accepted by the Cisco config but the reality shows that the parameter is incomplete. Is there a limiting parameter for the cisco config line number of characters?

 

Thanks for any idea

 

Alfredo