Sep 22 2017 08:35 AM - edited Sep 23 2017 06:05 AM
Recently I had a situation where there was no OS-based (Windows/Linux) DHCP server; the DHCP service was running only on the switch(es).
IP Phones require DHCP Option 43 in order for them to be able to locate Lync/SFB server's Certificate Provisioning Service, download and install the Root CA's certificate automatically.
I had to provide the DHCP Option 43 hex value to the network engineers so that they could configure it on the switch(es).
1. The easiest way to retrieve it is:
PS C:\Program Files\Common Files\Microsoft Lync Server 2013> .\DHCPUtil.exe -sipserver lyncserver.thetnaing.com
Output
SIP Server FQDN : lyncserver.thetnaing.com
Certificate Provisioning Service URL : https://lyncserver.thetnaing.com:443/CertProv/CertProvisioningService.svc
Option 120:
00096570736C796E63303109657073696C6F6E6871056C6F63616C00
Vendor Class Identifier: MS-UC-Client
Option 43 (for vendor=MS-UC-Client):
Full Option 43 value (Length: 184) : 010C4D532D55432D436C69656E740205687474707303196570736C796E6330312E657073696
C6F6E68712E6C6F63616C040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663
sub-option 1 <UC Identifier>: 4D532D55432D436C69656E74
sub-option 2 <URL Scheme>: 6874747073
sub-option 3 <Web Server FQDN>: 6570736C796E6330312E657073696C6F6E68712E6C6F63616C
sub-option 4 <Port>: 343433
sub-option 5 <Relative Path for Cert Prov>: 2F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E
737663
2. Provide the DHCP Option 43 hex value you got from the output above to the network engineers.
010C4D532D55432D436C69656E740205687474707303196570736C796E6330312E657073696
C6F6E68712E6C6F63616C040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663
Now the IP Phones are able to locate, download and install the root certificate automatically and successfully.
It's worth noting that the "PIN Authentication" menu appears only after you have configured DHCP Option 43.
Nov 21 2019 11:16 AM
Hello and thanks for your guidance. Actually I have done the same and given the command lines to the "Network engineers" who manage our Cisco routers (DHCP server for the subnetwork), and it seems that the config command line with the full sub-options is too long, because our IP Phones are getting a truncated value of the CertProvisioning URL string and therefore never get to find the service. The engineer argues that in principle the whole line has been accepted by the Cisco config, but the reality shows that the parameter is incomplete. Is there a limiting parameter for the number of characters in a Cisco config line?
Thanks for any idea
Alfredo
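Added example, not part of the original thread and not DHCPUtil's own code: a Python decoder that splits an Option 43 value into its sub-options (one code byte, one length byte, then the value) and reports where a value has been cut short, so the string a phone actually receives can be compared with the DHCPUtil output. The function names `parse_option43` and `cert_prov_url` are chosen here, and the truncated input is constructed from the value in the first post.

```python
# Added example: decode DHCP Option 43 sub-options (code, length, value)
# and report truncation. Sub-option names are those printed by DHCPUtil.exe.
SUBOPTIONS = {1: "UC Identifier", 2: "URL Scheme", 3: "Web Server FQDN",
              4: "Port", 5: "Relative Path for Cert Prov"}

# Full Option 43 value from the DHCPUtil output in the post (184 hex chars).
PAGE_OPTION_43 = (
    "010C4D532D55432D436C69656E740205687474707303196570736C796E6330312E657073696"
    "C6F6E68712E6C6F63616C040334343305252F4365727450726F762F4365727450726F76"
    "6973696F6E696E67536572766963652E737663"
)


def parse_option43(hex_value):
    """Return ({code: text}, [problems]) for an Option 43 hex string."""
    hex_value = "".join(hex_value.split())      # tolerate wrapped/spaced input
    problems = []
    if len(hex_value) % 2:
        problems.append("odd number of hex digits: value cut mid-byte")
        hex_value = hex_value[:-1]
    data = bytes.fromhex(hex_value)
    fields, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            problems.append(f"offset {pos}: sub-option code without a length byte")
            break
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) < length:                 # declared length overruns the data
            problems.append(
                f"sub-option {code}: declares {length} bytes, {len(value)} present")
        fields[code] = value.decode("ascii", errors="replace")
        pos += 2 + length
    for code, name in SUBOPTIONS.items():
        if code not in fields:
            problems.append(f"sub-option {code} <{name}> missing")
    return fields, problems


def cert_prov_url(fields):
    """Rebuild the Certificate Provisioning Service URL from sub-options 2-5."""
    return f"{fields[2]}://{fields[3]}:{fields[4]}{fields[5]}"


if __name__ == "__main__":
    for label, value in (("as generated", PAGE_OPTION_43),
                         ("constructed truncation", PAGE_OPTION_43[:120])):
        fields, problems = parse_option43(value)
        print(label, "->", cert_prov_url(fields) if len(fields) == 5 else fields)
        for problem in problems:
            print("  PROBLEM:", problem)
```

Feeding it the hex taken from a captured DHCP offer, or from the switch configuration as stored, shows which sub-option is incomplete rather than only that the phone failed to reach the service.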