FortiVoice Phone System Administration Guide

Working with system configurations

The System > Configuration submenu lets you configure the system time, system options, SNMP, email setting, GUI appearance, call data storage, single sign on, and Fortinet security fabric.

Configuring the time and date

The System > Configuration > Time tab lets you configure the system time and date of the FortiVoice system.

You can either manually set the FortiVoice system time or configure the FortiVoice system to automatically keep its system time correct by synchronizing with Network Time Protocol (NTP) servers.

Note

For many features to work, including scheduling, logging, and certificate-dependent features, the FortiVoice system time must be accurate.
FortiVoice systems support daylight savings time (DST), including recent changes in the USA, Canada and Western Australia.

To configure the system time

  1. Go to System > Configuration > Time.
  2. Configure the following:

    GUI field

    Description

    System time

    Displays the date and time according to the FortiVoice system’s clock at the time that this tab was loaded, or when you last selected the Refresh button.

    Time zone

    Select the time zone in which the FortiVoice system is located.

    • Automatically adjust clock for daylight saving time changes: Enable to adjust the FortiVoice system clock automatically when your time zone changes to daylight savings time (DST) and back to standard time.

    Set date

    Select this option to manually set the date and time of the FortiVoice system’s clock, then select the Year, Month, Day, Hour, Minute, and Second fields before you click Apply.

    Alternatively, configure Synchronize with NTP server.

    Synchronize with NTP Server

    Select to use a network time protocol (NTP) server to automatically set the system date and time, then configure Server.

    • Server: Enter the IP address or domain name of an NTP server.

      You can add a maximum of 10 NTP servers. The FortiVoice system uses the first NTP server based on the selection mechanism of the NTP protocol.

      Click the + sign to add more servers.

      Click the - sign to remove servers. Note that you cannot remove the last server.

      To find the NTP servers that you can use, see http://www.ntp.org.

    Depending on your network traffic, it may take some time for the FortiVoice system to synchronize its time with the NTP server.

  3. Click Apply.

Configuring system options

The System > Configuration > Option tab lets you set the following global settings:

  • system idle timeout
  • originating host name or IP address used for email notifications
  • administration ports on the interfaces

To view and configure the system options

  1. Go to System > Configuration > Option.
  2. Configure the following:

    GUI field

    Description

    Idle timeout

    Enter the amount of time that an administrator may be inactive before the FortiVoice system automatically logs out the administrator.

    For better security, use a low idle timeout value, for example, 5 minutes.

    Web action host/IP

    Enter the host name or IP address from which an email notification is sent to you when a voicemail or fax is delivered to your extension. This IP address is included in the email notification. You can open the link to view or manage the voicemail or fax. If you leave this field empty, the port1 IP is used instead.
    The value entered here replaces the default Url host variable for customizing messages. See Customizing call report and notification email templates.

    Administration Ports

    Specify the TCP ports for administrative access on all interfaces.

    Default port numbers:

    HTTP port number: 80

    HTTPS port number: 443

    SSH port number: 22

    TELNET port number: 23

  3. Click Apply.

Configuring SNMP queries and traps

Go to System > Configuration > SNMP to configure SNMP to monitor FortiVoice system events and thresholds, or a high availability (HA) configuration for failover messages.

To monitor FortiVoice system information and receive FortiVoice traps, you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see FortiVoice MIBs.

The FortiVoice SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiVoice system information and can receive FortiVoice traps.

The FortiVoice SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Before you can use its SNMP queries, you must enable SNMP access on the network interfaces that SNMP managers will use to access the FortiVoice system. For more information, see Editing network interfaces.

Configuring an SNMP threshold

Configure under what circumstances an event is triggered.

To set SNMP thresholds

  1. Go to System > Configuration > SNMP.
  2. Configure the following:

    GUI field

    Description

    SNMP agent enabled

    Enable to activate the FortiVoice SNMP agent. This must be enabled to accept queries from SNMP managers or send traps from the FortiVoice system.

    Description

    Enter a descriptive name for the FortiVoice system.

    Location

    Enter the location of the FortiVoice system.

    Contact

    Enter administrator contact information.

    SNMP Threshold

    To change a value in the four editable columns, select the value in any row. It becomes editable. Change the value and click outside of the field. A red triangle appears in the field’s corner and remains until you click Apply.

    Trap Type

    Displays the type of trap, such as CPU Usage.

    Trigger

    You can enter either the percent of the resource in use or the number of times the trigger level must be reached before it is triggered.

    For example, using the default value, if the mailbox disk is 90% or more full, it will trigger.

    Threshold

    Sets the number of triggers that will result in an SNMP trap.

    For example, if the CPU level exceeds the set trigger percentage once before returning to a lower level, and the threshold is set to more than one, an SNMP trap will not be generated until that minimum number of triggers occurs during the sample period.

    Sample Period(s)

    Sets the time period in seconds during which the FortiVoice SNMP agent counts the number of triggers that occurred.

    This value should not be less than the Sample Freq(s) value.

    Sample Freq(s)

    Sets the interval in seconds between measurements of the trap condition. You will not receive traps faster than this rate, depending on the selected sample period.

    This value should be less than the Sample Period(s) value.

    Community

    Displays the list of SNMP communities (for SNMP v1 and v2c) added to the FortiVoice configuration. For information about configuring a community, see either Configuring email setting or Configuring an SNMP v3 user.

    Enabled

    Displays the status of the SNMP community and allows you to change it.

    Name

    Displays the name of the SNMP community. The SNMP Manager must be configured with this name.

    Queries

    A green check mark icon indicates that queries are enabled.

    Traps

    A green check mark icon indicates that traps are enabled.

    User

    Displays the list of SNMP v3 users added to the FortiVoice configuration. For information about configuring a v3 user, see Configuring an SNMP v3 user.

    Enabled

    Displays the status of the SNMP v3 user and allows you to change it.

    Name

    Displays the name of the SNMP v3 user. The SNMP Manager must be configured with this name.

    Queries

    A green check mark icon indicates that queries are enabled.

    Traps

    A green check mark icon indicates that traps are enabled.

    Security Level

    Displays the security level.

  3. Click Apply.
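
The interaction between Trigger, Threshold, Sample Period(s) and Sample Freq(s) is easier to check with numbers. The following is an added example, not Fortinet code: it assumes triggers are counted in a sliding window of Sample Period(s) seconds and that the count resets after a trap, which this guide does not specify. The function names and the readings are constructed for illustration.

```python
from collections import deque


def max_triggers_per_window(sample_period, sample_freq):
    """Most measurements that can fall inside one Sample Period(s) window.

    A Threshold above this number can never be reached, so the trap
    would never be sent (under the sliding-window assumption).
    """
    if sample_freq <= 0 or sample_period < sample_freq:
        raise ValueError("Sample Period(s) should not be less than Sample Freq(s)")
    return -(-sample_period // sample_freq)  # ceiling division


def simulate_traps(samples, trigger, threshold, sample_period, sample_freq):
    """Return the times (in seconds) at which a trap would be sent.

    samples       -- readings in percent, one every sample_freq seconds from t=0
    trigger       -- Trigger column: reading at or above this counts as a trigger
    threshold     -- Threshold column: triggers needed inside the window
    sample_period -- Sample Period(s): window length in seconds
    sample_freq   -- Sample Freq(s): seconds between measurements
    """
    max_triggers_per_window(sample_period, sample_freq)  # validates the pair
    recent = deque()  # timestamps of triggers still inside the window
    traps = []
    for i, value in enumerate(samples):
        now = i * sample_freq
        if value >= trigger:
            recent.append(now)
        # Forget triggers that have aged out of the sample period.
        while recent and now - recent[0] >= sample_period:
            recent.popleft()
        if len(recent) >= threshold:
            traps.append(now)
            recent.clear()  # assumption: counting restarts after a trap
    return traps


if __name__ == "__main__":
    # Constructed CPU readings, one every 30 seconds.
    one_spike = [50, 95, 50, 50, 50]
    sustained = [50, 85, 90, 95, 60]
    print(simulate_traps(one_spike, 80, 3, 600, 30))  # single spike: no trap
    print(simulate_traps(sustained, 80, 3, 600, 30))  # third trigger sends a trap
    # A threshold of 5 with a 60 s period and 30 s frequency is unreachable:
    print(max_triggers_per_window(60, 30))
```

If the Threshold you enter is larger than the value returned by `max_triggers_per_window`, monitoring for that trap type is effectively disabled under these assumptions.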

Configuring an SNMP v1 and v2c community

An SNMP community is a grouping of equipment for SNMP-based network administration purposes. You can add up to three SNMP communities so that SNMP managers can connect to the FortiVoice system to view system information and receive SNMP traps. You can configure each community differently for SNMP traps and to monitor different events. You can add the IP addresses of up to eight SNMP managers to each community.

To configure an SNMP community

  1. Go to System > Configuration > SNMP.
  2. Under Community, click New to add a community or select a community and click Edit.

    The SNMP Community page appears.

  3. Configure the following:

    GUI field

    Description

    Enabled

    Enable to send traps to and allow queries from the community’s SNMP managers.

    Name

    Enter a name to identify the SNMP community. If you are editing an existing community, you cannot change the name.

    You can add up to 16 communities.

    Community Hosts

    Lists SNMP managers that can use the settings in this SNMP community to monitor the FortiVoice system. Click Create to create a new entry.

    You can add up to 16 hosts.

    IP Address

    Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP community.

    Create

    (button)

    Click to add a new default entry to the Hosts list that you can edit as needed.

    Delete

    (button)

    Click to remove this SNMP manager.

    Queries

    Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiVoice system. Mark the Enable check box to activate queries for each SNMP version.

    Traps

    Enter the Local Port and Remote Port numbers (162 local, 162 remote by default) that the FortiVoice system uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Enable traps for each SNMP version that the SNMP managers use.

    Enable each SNMP event for which the FortiVoice system should send traps to the SNMP managers in this community.

    Note

    Not all events will trigger traps because FortiVoice checks its status in a scheduled interval. For example, FortiVoice checks its hardware status every 60 seconds. This means that if the power is off for a few seconds but is back on before the next status check, no system event trap will be sent.

  4. Click Create.

Configuring an SNMP v3 user

SNMP v3 adds more security by using authentication and privacy encryption. You can specify an SNMP v3 user on FortiVoice so that SNMP managers can connect to the FortiVoice system to view system information and receive SNMP traps.

To configure an SNMP v3 user

  1. Go to System > Configuration > SNMP.
  2. Under User, click New to add a user or select a user and click Edit.

    The SNMPv3 User page appears.

    You can add up to 16 users.

  3. Configure the following:

    GUI field

    Description

    Enabled

    Enable to send traps to and allow queries from the user’s SNMP managers.

    User name

    Enter a name to identify the SNMP user. If you are editing an existing user, you cannot change the name.

    Security level

    Choose one of the three security levels:

    • No authentication, no privacy: This option is similar to SNMP v1 and v2.
    • Authentication, no privacy: This option enables authentication only. The SNMP manager needs to supply a password that matches the password you specify on FortiVoice. You must also specify the authentication protocol (either SHA1 or MD5).
    • Authentication, privacy: This option enables both authentication and encryption. You must specify the protocols and passwords. Both the protocols and passwords on the SNMP manager and FortiVoice must match.

    Authentication Protocol

    For Security level, if you select either Authentication option, you must specify the authentication protocol and password. Both the authentication protocol and password on the SNMP manager and FortiVoice must match.

    Privacy protocol

    For Security level, if you select Privacy, you must specify the encryption protocol and password. Both the encryption protocol and password on the SNMP manager and FortiVoice must match.

    Notification Hosts

    Lists the SNMP managers that FortiVoice will send traps to. Click Create to create a new entry. You can add up to 16 hosts.

    IP Address

    (button)

    Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP user.

    Create

    (button)

    Click to add a new default entry to the Hosts list that you can edit as needed.

    Delete

    (button)

    Click to remove this SNMP manager.

    Queries

    Double click the default port number (161) to enter the Port number that the SNMP managers use for SNMP v3 queries to receive configuration information from the FortiVoice system. Select the Enable check box to activate queries.

    Traps

    Double click the default local port (162) and remote port number (162) to enter the Local Port and Remote Port numbers that the FortiVoice system uses to send SNMP v3 traps to the SNMP managers. Select the Enable check box to activate traps.

    Enable each SNMP event for which the FortiVoice system should send traps to the SNMP managers.

    Note

    Not all events trigger traps because the FortiVoice system checks its status at a scheduled interval. For example, FortiVoice checks its hardware status every 60 seconds. This means that if the power is off for a few seconds but is back on before the next status check, no system event trap will be sent.

  4. Click Create.

FortiVoice MIBs

The FortiVoice SNMP agent supports Fortinet proprietary Management Information Base (MIB) as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiVoice system configuration.

The FortiVoice MIBs are listed in FortiVoice MIBs. You can obtain these MIB files from Fortinet technical support. To communicate with the SNMP agent, you must compile these MIBs into your SNMP manager.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.

FortiVoice MIBs

FortiVoice traps

The FortiVoice system’s SNMP agent can send traps to SNMP managers that you have added to SNMP communities. To receive traps, you must load and compile the FortiVoice trap MIB into the SNMP manager.

All traps sent include the trap message as well as the FortiVoice system serial number and host name.

MIB fields

Trap / Description

  • fvTrapStorageDiskHighThreshold: Trap sent if log disk usage and mailbox disk usage become too high.
  • fvTrapSystemEvent: Trap sent when the system performs actions such as shutting down, rebooting, and upgrading.
  • fmlTrapHAEvent: Trap sent when an HA event occurs.

The Fortinet MIB contains fields reporting current FortiVoice system status information. The tables below list the names of the MIB fields and describe the status information available for each. You can view more details about the information available from all Fortinet MIB fields by compiling the MIB file into your SNMP manager and browsing the MIB fields.

System session MIB fields

MIB field / Description

  • fvSysModel: FortiVoice model number, such as 400 for the FortiVoice-400.
  • fvSysSerial: FortiVoice serial number.
  • fvSysVersion: The firmware version currently running on the FortiVoice system.
  • fvSysCpuUsage: The current CPU usage (%).
  • fvSysMemUsage: The current memory utilization (%).
  • fvSysLogDiskUsage: The log disk usage (%).
  • fvSysStorageDiskUsage: The storage disk usage (%).
  • fvSysEventCode: System component events.
  • fvSysload: Current system load.
  • fvSysHA:
    • fvHAMode: Configured HA operating mode.
    • fvHAEffectiveMoce: Effective HA operating mode.
  • fmlHAEventId: HA event type ID.
  • fmlHAUnitIp: Unit IP address where the event occurs.
  • fmlHAEventReason: The reason for the HA event.

Configuring email setting

You can configure the FortiVoice system to send email notifications to phone users when they miss a phone call or receive a voicemail or fax.

Note

For phone users to receive the notifications, you need to add their email addresses when configuring the extensions. See Configuring extensions.

To configure email setting

  1. Go to System > Configuration > Mail Setting.
  2. Configure the following:

    GUI field

    Description

    Local Host

    Host name

    Enter the host name of the FortiVoice system, such as fortivoice-500F.

    Local domain name

    Enter the local domain name of the FortiVoice system, such as example.com.

    Mail Queue

    Maximum time for email in queue (1-240 hours)

    Enter the maximum number of hours that deferred email messages can remain in the deferred email queue, during which the FortiVoice system periodically retries to send the message. After it reaches the maximum time, the FortiVoice system sends a final delivery status notification (DSN) email message to notify the sender that the email message was undeliverable.

    Time interval for retry (10-120 minutes)

    Enter the number of minutes between delivery retries for email messages in the deferred mail queues.

    Relay Server

    Configure an SMTP relay, if needed, to which the FortiVoice system will relay outgoing email. This is typically provided by your Internet service provider (ISP), but could be a mail relay on your internal network.

    Relay server name

    Enter the domain name of an SMTP relay.

    Relay server port

    Enter the TCP port number on which the SMTP relay listens. This is typically provided by your Internet service provider (ISP).

    Use SMTPs

    Enable to initiate SSL- and TLS-secured connections to the SMTP relay if it supports SSL/TLS. When disabled, SMTP connections from the FortiVoice built-in MTA or proxy to the relay will occur as clear text, unencrypted.

    This option must be enabled to initiate SMTPS connections.

    Authentication Required

    Select the checkbox and click the arrow to expand the section and configure:

    • User name: Enter the name of the FortiVoice system account on the SMTP relay.
    • Password: Enter the password for the FortiVoice system user name.
    • Authentication type: Available SMTP authentication types include:
      • AUTO (automatically detect and use the most secure SMTP authentication type supported by the relay server)
      • PLAIN (provides an unencrypted, scrambled password)
      • LOGIN (provides an unencrypted, scrambled password)
      • DIGEST-MD5 (provides an encrypted hash of the password)
      • CRAM-MD5 (provides an encrypted hash of the password, with hash replay prevention, combined with a challenge and response mechanism)

    Test

    (button)

    After you have entered the relay server information, you can click the Test button to test if the relay server is accessible.

    To further test mail delivery, click Advanced Group, and enter the sender (MAIL FROM) and recipient (RCPT TO) email addresses. EHLO (Extended HELO) information is filled in by default.

    Click Test to display the test results.

    Customize Email Template

    View and reword the default email history report and notification email templates. For more information, see Customizing call report and notification email templates.

  3. Click Apply.
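
The difference between the authentication types matters most when Use SMTPs is disabled. The following is an added example, not Fortinet code: it builds the standard SMTP AUTH PLAIN, LOGIN and CRAM-MD5 client responses for a constructed account (`user` / `pass`) and shows that the first two are only base64-encoded, while CRAM-MD5 sends a keyed hash of the server's challenge. The function names are illustrative, and treating AUTO as potentially falling back to PLAIN or LOGIN is an assumption.

```python
import base64
import hashlib
import hmac


def auth_plain_response(user, password):
    """AUTH PLAIN: base64 of NUL + user + NUL + password."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def auth_login_responses(user, password):
    """AUTH LOGIN: user name and password, each base64-encoded on its own line."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def decode_auth_plain(token):
    """Reverse an AUTH PLAIN token: base64 is an encoding, not encryption."""
    _authzid, user, password = base64.b64decode(token).split(b"\0")
    return user.decode(), password.decode()


def cram_md5_response(user, password, challenge_b64):
    """AUTH CRAM-MD5: user name plus HMAC-MD5(password, server challenge)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def sends_reversible_password(auth_type, use_smtps):
    """True if the relay login would cross the network in recoverable form.

    Assumption: AUTO may negotiate PLAIN or LOGIN when the relay offers
    nothing else, so without SMTPS it is treated like those two.
    """
    if use_smtps:
        return False  # the whole SMTP session is inside SSL/TLS
    return auth_type.upper() in {"AUTO", "PLAIN", "LOGIN"}


if __name__ == "__main__":
    token = auth_plain_response("user", "pass")  # constructed credentials
    print("PLAIN   :", token, "->", decode_auth_plain(token))
    print("LOGIN   :", auth_login_responses("user", "pass"))
    # Constructed challenge; a real relay sends a fresh one per session.
    challenge = base64.b64encode(b"<1234.5678@relay.example.com>").decode()
    print("CRAM-MD5:", base64.b64decode(cram_md5_response("user", "pass", challenge)))
    for auth_type in ("PLAIN", "LOGIN", "CRAM-MD5", "AUTO"):
        print(auth_type, "without SMTPS exposes password:",
              sends_reversible_password(auth_type, use_smtps=False))
```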

Customizing the GUI appearance

The System > Configuration > Appearance tab lets you customize the default appearance of the GUI and voicemail interface with your own product name, product logo, corporate logo, and language.

To customize the GUI appearance

  1. Go to System > Configuration > Appearance.
  2. Click the arrow to expand Administration Interface and User Portal Interface.
  3. Configure the following:

    GUI field

    Description

    Administration Interface

    Product name

    Enter the name of the product. This name will precede Administrator Login in the title on the login page of the GUI.

    Product icon

    Click Change to browse for the product icon. The icon must use the .ico format and size (width x height) 16 x 16 pixels.

    Top logo

    Click Change to upload a graphic that will appear at the top of all pages in the GUI. The image size (width x height) must be 460 x 36 pixels.

    For best results, use an image with a transparent background. Non-transparent backgrounds will not blend with the underlying theme graphic, resulting in a visible rectangle around your logo graphic.

    Note

    Uploading a graphic overwrites the current graphic. The FortiVoice system does not retain previous graphics. If you want to revert to the current graphic, use your web browser to save a backup copy of the image to your management computer, enabling you to upload it again at a later time.

    Click Reset to return to the default setting.

    Default UI language

    Select the default language for the display of the GUI.

    You can configure a separate language preference for each administrator account. For details, see Configuring administrator accounts.

    Default theme

    Select the default theme for the GUI.

    User Portal Interface

    User Portal login

    Enter a word or phrase that will appear on top of the user portal login page, such as User Portal Login.

    Login user name hint

    Enter a hint for the user name, such as Your Email Address. This hint will appear as a mouse-over display on the login name field.

    User Portal theme

    Select a theme for the user portal GUI.

    Default UI language

    Select the language in which user portal pages will be displayed. By default, the FortiVoice system will use the same language as the GUI.

    User Portal top logo

    Click Change to upload a graphic that will appear at the top of all user portal pages. The image size (width x height) must be 460 x 36 pixels.

    For best results, use an image with a transparent background. Non-transparent backgrounds will not blend with the underlying theme graphic, resulting in a visible rectangle around your logo graphic.

    Note

    Uploading a graphic overwrites the current graphic. The FortiVoice system does not retain previous or default graphics. If you want to revert to the current graphic, use your web browser to save a backup copy of the image to your management computer, enabling you to upload it again at a later time.

    Click Reset to return to the default setting.

  4. Click Apply to save the changes or Reset to return to the default setting.

Selecting the call data storage location

The System > Configuration > Storage tab lets you configure local or remote storage of call data such as the recorded calls, faxes, and voicemails.

FortiVoice systems can store call data either locally or remotely. FortiVoice systems support remote storage by a network attached storage (NAS) server using the network file system (NFS) protocol.

NAS has the benefits of remote storage which include ease of backing up the call data and more flexible storage limits. Additionally, you can still access the call data on the NAS server if your FortiVoice system loses connectivity.

Note

If the FortiVoice system is a member of an active-passive HA group, and the HA group stores call data on a remote NAS server, disable call data synchronization to prevent duplicate call data traffic. For details, see Configuring the HA mode and group.

Note

If you store the call data on a remote NAS device, you cannot back up the data. You can only back up the call data stored locally on the FortiVoice hard disk. For information about backing up call data, see Backing up the configuration.

Tested and supported NFS servers

  • Linux NAS (NFS v3/v4)
    • Red Hat 5.5
    • Fedora 16/17/18/19
    • Ubuntu 11/12/13
    • OpenSUSE 13.1
  • FreeNAS
  • Openfiler
  • EMC VNXe3150 (version 2.4.2.21519 (MR4 SP2))
  • EMC Isilon S200 (OneFS 7.1.0.3)

Untested NFS servers

  • Buffalo TeraStation
  • Cisco Linksys NAS server

Unsupported NFS Servers

  • Windows 2003 R2 /Windows 2008 Service for NFS

To configure call data storage

  1. Go to System > Configuration > Storage.
  2. Configure the following:

    GUI field

    Description

    Local

    Select to store call data on the FortiVoice system's local disk or RAID.

    NAS

    Select to store call data on a remote network attached storage (NAS) server.

    Storage type

    Select a type of NAS server:

    • NFS: To configure a network file system (NFS) server. For this option, enter the following information:
      • Hostname/IP address: The IP address or fully qualified domain name (FQDN) of the NFS server.
      • Port: The TCP port number on which the NFS server listens for connections. The range is from 0 to 65535.
      • Directory: The directory path of the NFS export on the NAS server where the FortiVoice system will store call data.
    • iSCSI Server: To configure an Internet Small Computer Systems Interface (iSCSI) server. For this option, enter the following information:
      • Initiator name as username: Select to use the iSCSI initiator node name as the user name of the FortiVoice system account on the iSCSI server.
      • Username: The user name of the FortiVoice system account on the iSCSI server.
      • Password: The password of the FortiVoice system account on the iSCSI server.
      • Hostname/IP address: The IP address or fully qualified domain name (FQDN) of the iSCSI server.
      • Port: The TCP port number on which the iSCSI server listens for connections. The range is from 0 to 65535.
      • Encryption key: The key that will be used to encrypt data stored on the iSCSI server. Valid key lengths are between 6 and 64 single-byte characters.
      • iSCSI ID: The iSCSI identifier in the format expected by the iSCSI server, such as an iSCSI Qualified Name (IQN), Extended Unique Identifier (EUI), or T11 Network Address Authority (NAA).

    Status: When available, it indicates if the iSCSI share was successfully mounted on the FortiVoice file system. This field appears only after you configure the iSCSI share and click Apply. Status may take some time to appear if the iSCSI server is slow to respond.

    If Not mounted appears, the iSCSI share was not successfully mounted. Verify that the iSCSI server is responding and the FortiVoice system has both read and write permissions on the iSCSI server.

    Test

    (button)

    Click to verify that the NAS server settings are correct and that the FortiVoice system can access that location. The test action tries to discover, log in to, mount, and unmount the remote device.

    This button is available only when NAS server is selected.

    Click here to format this device

    Click here to check file system on this device

    Note

    If the iSCSI disk has never been formatted, the FortiVoice system needs to format it before it can be used. If the disk has been formatted before, you do not need to format it again, unless you want to wipe out the data on it.

    These two links appear when you configure an iSCSI server and click Apply.

    Click a link to initiate the described action (that is, format the device or check its file system). A message appears saying the action is being executed. Click OK to close the message and click Refresh to see a Status update.

Configuring single sign on

    Fortinet Single Sign-On (FSSO) is the authentication protocol by which users can transparently authenticate to Fortinet devices. The authentication system (FortiAuthenticator, ADFS, or Centrify) identifies and authenticates users based on their authentication from a different system.

    The FortiVoice SSO configuration involves the participation of a network authentication system, such as FortiAuthenticator. The network authentication system can be integrated with the FortiVoice system to poll administrator logon information and send it to the FortiVoice system.

    FortiAuthenticator is used as the example authentication system here. For more information, see FortiAuthenticator Administration Guide.

    For other systems, refer to their user manuals for configuration information.

    You need to have both systems open and switch between the two to exchange authentication information.

    After you complete the FortiVoice SSO configuration and log into the FortiVoice system, the Single Sign On button will appear on the login page. You can click it and enter the login credential of the FortiAuthenticator user account created for the FortiVoice administrator with single sign on authentication type.

    Note that after SSO is enabled:

    • All administrator login authentication is controlled by the FortiAuthenticator system. Disabled administrator accounts should not be authenticated by FortiAuthenticator.
    • The FortiVoice administrator portal must be accessed using HTTPS (such as https://fortivoice_ip_or_hostname).
    • Logging out of FortiVoice administrator portal will also log out of the FortiAuthenticator system.

    To configure FortiVoice SSO

    1. On the FortiAuthenticator system:
      1. Go to Authentication > SAML IdP > General and enable SAML IDP (Identity Provider).
      2. Go to Authentication > SAML IdP > Service Providers.
      3. Click Create New to add a SAML service provider and click the Copy idp_entity_id icon.
    2. On the FortiVoice system:
      1. Go to System > Configuration > Single Sign On.
      2. Select Enabled.
      3. Click Retrieve from URL and paste the IDP entity ID you copied.
      4. Click OK to get the IDP metadata from the FortiAuthenticator.
      5. Refresh your browser. The FortiVoice service provider metadata is generated.
      6. Click Download to save the FortiVoice service provider metadata.
      7. Click Apply.
      8. Go to System > Administrator to create an administrator account with single sign on as the authentication type. For more information, see Configuring administrator accounts.
    3. On the FortiAuthenticator system:
      1. Go to the SAML service provider you have created.
      2. Click Import SP metadata and browse for the FortiVoice service provider metadata you saved and click OK.
      3. Enable SAML request must be signed by SP.
      4. Click OK to save the service provider configuration.
      5. Open the SAML service provider you have created.
      6. Click Create New under SAML Attribute.
      7. In SAML attribute, enter "urn:oid:0.9.2342.19200300.100.1.3".
      8. In User attribute, select an option and click OK, then OK.
      9. Go to User Management > Local Users and create a user account for the FortiVoice administrator with single sign on authentication type and use the FortiVoice administrator name as the account user name.
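
Before importing the downloaded service provider metadata into FortiAuthenticator, it is worth confirming that it matches what the procedure above relies on: signed SAML requests, a signing certificate, and an HTTPS endpoint. The following is an added example, not Fortinet code: it checks standard SAML 2.0 metadata fields, and the two metadata documents, host name and URL paths in it are constructed samples, not FortiVoice output.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def check_sp_metadata(xml_text):
    """Return a list of findings for one SP metadata document (empty = OK).

    Intended for a file you downloaded from your own device.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: this is not service provider metadata"]

    findings = []
    # "SAML request must be signed by SP" only works if the SP signs requests.
    if sp.get("AuthnRequestsSigned", "false").lower() not in ("true", "1"):
        findings.append("AuthnRequestsSigned is not true")

    # A KeyDescriptor without a use attribute serves both signing and encryption.
    signing_keys = [
        kd for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        and kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
    ]
    if not signing_keys:
        findings.append("no signing certificate in KeyDescriptor")

    # The administrator portal must be reached over HTTPS once SSO is enabled.
    endpoints = sp.findall("md:AssertionConsumerService", NS)
    if not endpoints:
        findings.append("no AssertionConsumerService endpoint")
    for ep in endpoints:
        location = ep.get("Location", "")
        if urlsplit(location).scheme != "https":
            findings.append("AssertionConsumerService is not HTTPS: " + location)
    return findings


# Constructed sample metadata (certificate body is a placeholder).
GOOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://fortivoice.example.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fortivoice.example.com/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed counter-example: unsigned requests, no key, clear-text endpoint.
WEAK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://fortivoice.example.com/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://fortivoice.example.com/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_sp_metadata(doc) or "no findings")
```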

Configuring FortiVoice to join the Security Fabric

The FortiVoice system can connect to an upstream FortiGate device and become an integrated cluster member of the Security Fabric. This integration allows you to access FortiFone phone details from two FortiGate GUI menus.

Prerequisites

  • Verify that the account that you are using to log in to the FortiVoice GUI has the REST API access mode enabled in System > Administrator > Administrator.

  • Verify that the FortiGate device is using version 7.2.2 or later.

  • Verify that the FortiGate device is operating in NAT mode.

To configure FortiVoice to join the Security Fabric
  1. In the GUI of the FortiVoice phone system, go to System > Configuration > Security Fabric.
  2. Select Enabled to allow the FortiVoice system to become a Security Fabric member.
  3. For Upstream IP Address, enter the IP address and port number of the root FortiGate device.
  4. For Management IP/FQDN, enter the IP address and port number of the FortiVoice system.
  5. Click Apply.
  6. If the connection is successful, the Authorization status shows This device has been authorized by upstream. The Security Fabric FortiGate establishes a connection with the FortiVoice system using the IP address and port number specified.

  7. The FortiGate admin GUI needs to authorize the FortiVoice system to join the Security Fabric. See details in the FortiVoice section of the FortiOS Administration Guide.
  8. After configuring and authorizing the FortiVoice system, FortiVoice sends all information about provisioned FortiFone phones to the FortiGate device.
  9. To log in to the FortiGate device, click the Click here to log into upstream device link.

  10. You can access FortiFone phone details from the following FortiGate GUI menus. For more details, see the FortiOS Administration Guide.
    • Security Fabric > Asset Identity Center

    • Policy & Objects > Addresses

Related Videos

sidebar video

Configuring FortiVoice NFS Storage

  • 346 views
  • 2 years ago
sidebar video

Configuring FortiVoice iSCSI Storage

  • 637 views
  • 2 years ago

Working with system configurations

Working with system configurations

The System > Configuration submenu lets you configure the system time, system options, SNMP, email setting, GUI appearance, call data storage, single sign on, and Fortinet security fabric.

This topic includes:

Configuring the time and date

The System > Configuration > Time tab lets you configure the system time and date of the FortiVoice system.

You can either manually set the FortiVoice system time or configure the FortiVoice system to automatically keep its system time correct by synchronizing with Network Time Protocol (NTP) servers.

Note

For many features to work, including scheduling, logging, and certificate-dependent features, the FortiVoice system time must be accurate.
FortiVoice systems support daylight savings time (DST), including recent changes in the USA, Canada and Western Australia.

To configure the system time

  1. Go to System > Configuration > Time.
  2. Configure the following:

    GUI field

    Description

    System time

    Displays the date and time according to the FortiVoice system’s clock at the time that this tab was loaded, or when you last selected the Refresh button.

    Time zone

    Select the time zone in which the FortiVoice system is located.

    • Automatically adjust clock for daylight saving time changes: Enable to adjust the FortiVoice system clock automatically when your time zone changes to daylight savings time (DST) and back to standard time.

    Set date

    Select this option to manually set the date and time of the FortiVoice system’s clock, then select the Year, Month, Day, Hour, Minute, and Second fields before you click Apply.

    Alternatively, configure Synchronize with NTP server.

    Synchronize with NTP Server

    Select to use a network time protocol (NTP) server to automatically set the system date and time, then configure Server.

    • Server: Enter the IP address or domain name of an NTP server.

      You can add a maximum of 10 NTP servers. The FortiVoice system uses the first NTP server based on the selection mechanism of the NTP protocol.

      Click the + sign to add more servers.

      Click the - sign to remove servers. Note that you cannot remove the last server.

      To find the NTP servers that you can use, see http://www.ntp.org.

    Depending on your network traffic, it may take some time for the FortiVoice system to synchronize its time with the NTP server.

  3. Click Apply.

Configuring system options

The System > Configuration > Option tab lets you set the following global settings:

  • system idle timeout
  • originating host name or IP address used for email notifications
  • administration ports on the interfaces

To view and configure the system options

  1. Go to System > Configuration > Option.
  2. Configure the following:

    GUI field

    Description

    Idle timeout

    Enter the amount of time that an administrator may be inactive before the FortiVoice system automatically logs out the administrator.

    For better security, use a low idle timeout value, for example, 5 minutes.

    Web action host/IP

    Enter the host name or IP address from where a email notification is sent to you when a voicemail or fax is delivered to your extension. This IP address is included in the email notification. You can open the link to view or manage the voicemail or fax. If you leave this field empty, port1 IP will be used instead.
    The value entered here replaces the default Url host variable for customizing messages. See Customizing call report and notification email templates.

    Administration Ports

    Specify the TCP ports for administrative access on all interfaces.

    Default port numbers:

    HTTP port number: 80

    HTTPS port number: 443

    SSH port number: 22

    TELNET port number: 23

  3. Click Apply.

Configuring SNMP queries and traps

Go to System > Configuration > SNMP to configure SNMP to monitor FortiVoice system events and thresholds, or a high availability (HA) configuration for failover messages.

To monitor FortiVoice system information and receive FortiVoice traps, you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see FortiVoice MIBs.

The FortiVoice SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiVoice system information and can receive FortiVoice traps.

The FortiVoice SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Before you can use its SNMP queries, you must enable SNMP access on the network interfaces that SNMP managers will use to access the FortiVoice system. For more information, see Editing network interfaces.

This topic includes:

Configuring an SNMP threshold

Configure under what circumstances an event is triggered.

To set SNMP thresholds

  1. Go to System > Configuration > SNMP.
  2. Configure the following:

    GUI field

    Description

    SNMP agent enabled

    Enable to activate the FortiVoice SNMP agent. This must be enabled to accept queries from SNMP managers or send traps from the FortiVoice system.

    Description

    Enter a descriptive name for the FortiVoice system.

    Location

    Enter the location of the FortiVoice system.

    Contact

    Enter administrator contact information.

    SNMP Threshold

    To change a value in the four editable columns, select the value in any row. It becomes editable. Change the value and click outside of the field. A red triangle appears in the field’s corner and remains until you click Apply.

    Trap Type

    Displays the type of trap, such as CPU Usage.

    Trigger

    You can enter either the percent of the resource in use or the number of times the trigger level must be reached before it is triggered.

    For example, using the default value, if the mailbox disk is 90% or more full, it will trigger.

    Threshold

    Sets the number of triggers that will result in an SNMP trap.

    For example, if the CPU level exceeds the set trigger percentage once before returning to a lower level, and the threshold is set to more than one, an SNMP trap will not be generated until that minimum number of triggers occurs during the sample period.

    Sample Period(s)

    Sets the time period in seconds during which the FortiVoice SNMP agent counts the number of triggers that occurred.

    This value should not be less than the Sample Freq(s) value.

    Sample Freq(s)

    Sets the interval in seconds between measurements of the trap condition. You will not receive traps faster than this rate, depending on the selected sample period.

    This value should be less than the Sample Period(s) value.

    Community

    Displays the list of SNMP communities (for SNMP v1 and v2c) added to the FortiVoice configuration. For information about configuring a community, see either Configuring email setting or Configuring an SNMP v3 user.

    Enabled

    Displays the status of the SNMP community and allows you to change it.

    Name

    Displays the name of the SNMP community. The SNMP Manager must be configured with this name.

    Queries

    A green check mark icon indicates that queries are enabled.

    Traps

    A green check mark icon indicates that traps are enabled.

    User

    Displays the list of SNMP v3 users added to the FortiVoice configuration. For information about configuring a v3 user, see Configuring an SNMP v3 user.

    Enabled

    Displays the status of the SNMP v3 user and allows you to change it.

    Name

    Displays the name of the SNMP v3 user. The SNMP Manager must be configured with this name.

    Queries

    A green check mark icon indicates that queries are enabled.

    Traps

    A green check mark icon indicates that traps are enabled.

    Security Level

    Displays the security level.

  3. Click Apply.

Configuring an SNMP v1 and v2c community

An SNMP community is a grouping of equipment for SNMP-based network administration purposes. You can add up to three SNMP communities so that SNMP managers can connect to the FortiVoice system to view system information and receive SNMP traps. You can configure each community differently for SNMP traps and to monitor different events. You can add the IP addresses of up to eight SNMP managers to each community.

To configure an SNMP community

  1. Go to System > Configuration > SNMP.
  2. Under Community, click New to add a community or select a community and click Edit.

    The SNMP Community page appears.

  3. Configure the following:

    GUI field

    Description

    Enabled

    Enable to send traps to and allow queries from the community’s SNMP managers.

    Name

    Enter a name to identify the SNMP community. If you are editing an existing community, you cannot change the name.

    You can add up to 16 communities.

    Community Hosts

    Lists SNMP managers that can use the Setting in this SNMP community to monitor the FortiVoice system. Click Create to create a new entry.

    You can add up to 16 hosts.

    IP Address

    Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP community.

    Create

    (button)

    Click to add a new default entry to the Hosts list that you can edit as needed.

    Delete

    (button)

    Click to remove this SNMP manager.

    Queries

    Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiVoice system. Mark the Enable check box to activate queries for each SNMP version.

    Traps

    Enter the Local Port and Remote Port numbers (162 local, 162 remote by default) that the FortiVoice system uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Enable traps for each SNMP version that the SNMP managers use.

    Enable each SNMP event for which the FortiVoice system should send traps to the SNMP managers in this community.

    Note

    Not all events will trigger traps because FortiVoice checks its status in a scheduled interval. For example, FortiVoice checks its hardware status every 60 seconds. This means that if the power is off for a few seconds but is back on before the next status check, no system event trap will be sent.

  4. Click Create.

Configuring an SNMP v3 user

SNMP v3 adds more security by using authentication and privacy encryption. You can specify an SNMP v3 user on FortiVoice so that SNMP managers can connect to the FortiVoice system to view system information and receive SNMP traps.

To configure an SNMP v3 user

  1. Go to System > Configuration > SNMP.
  2. Under User, click New to add a user or select a user and click Edit.

    The SNMPv3 User page appears.

    You can add up to 16 users.

  3. Configure the following:

    GUI field

    Description

    Enabled

    Enable to send traps to and allow queries from the user’s SNMP managers.

    User name

    Enter a name to identify the SNMP user. If you are editing an existing user, you cannot change the name.

    Security level

    Choose one of the three security levels:

    • No authentication, no privacy: This option is similar to SNMP v1 and v2.
    • Authentication, no privacy: This option enables authentication only. The SNMP manager needs to supply a password that matches the password you specify on FortiVoice. You must also specify the authentication protocol (either SHA1 or MD5).
    • Authentication, privacy: This option enables both authentication and encryption. You must specify the protocols and passwords. Both the protocols and passwords on the SNMP manager and FortiVoice must match.

    Authentication Protocol

    For Security level, if you select either Authentication option, you must specify the authentication protocol and password. Both the authentication protocol and password on the SNMP manager and FortiVoice must match.

    Privacy protocol

    For Security level, if you select Privacy, you must specify the encryption protocol and password. Both the encryption protocol and password on the SNMP manager and FortiVoice must match.

    Notification Hosts

    Lists the SNMP managers that FortiVoice will send traps to. Click Create to create a new entry. You can add up to 16 host.

    IP Address

    (button)

    Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0, so that any SNMP manager can use this SNMP user.

    Create

    (button)

    Click to add a new default entry to the Hosts list that you can edit as needed.

    Delete

    (button)

    Click to remove this SNMP manager.

    Queries

    Double click the default port number (161) to enter the Port number that the SNMP managers use for SNMP v3 queries to receive configuration information from the FortiVoice system. Select the Enable check box to activate queries.

    Traps

    Double click the default local port (162) and remote port number (162) to enter the Local Port and Remote Port numbers that the FortiVoice system uses to send SNMP v3 traps to the SNMP managers. Select the Enable check box to activate traps.

    Enable each SNMP event for which the FortiVoice system should send traps to the SNMP managers.

    Note

    Not all events trigger traps because the FortiVoice system checks its status at a scheduled interval. For example, FortiVoice checks its hardware status every 60 seconds. This means that if the power is off for a few seconds but is back on before the next status check, no system event trap will be sent.

  4. Click Create.

FortiVoice MIBs

The FortiVoice SNMP agent supports Fortinet proprietary Management Information Base (MIB) as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiVoice system configuration.

The FortiVoice MIBs are listed in FortiVoice MIBs. You can obtain these MIB files from Fortinet technical support. To communicate with the SNMP agent, you must compile these MIBs into your SNMP manager.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.

FortiVoice MIBs

FortiVoice traps

The FortiVoice system’s SNMP agent can send traps to SNMP managers that you have added to SNMP communities. To receive traps, you must load and compile the FortiVoice trap MIB into the SNMP manager.

All traps sent include the trap message as well as the FortiVoice system serial number and host name.

MIB fields

Trap

Description

fvTrapStorageDiskHighThreshold

Trap sent if log disk usage and mailbox disk usage become too high.

fvTrapSystemEvent

Trap sent when the system performs actions such as shutting down, rebooting, and upgrading.

fmlTrapHAEvent

Trap sent when an HA event occurs.

The Fortinet MIB contains fields reporting current FortiVoice system status information. The tables below list the names of the MIB fields and describe the status information available for each. You can view more details about the information available from all Fortinet MIB fields by compiling the MIB file into your SNMP manager and browsing the MIB fields.

System session MIB fields

MIB field

Description

fvSysModel

FortiVoice model number, such as 400 for the FortiVoice-400.

fvSysSerial

FortiVoice serial number.

fvSysVersion

The firmware version currently running on the FortiVoice system.

fvSysCpuUsage

The current CPU usage (%).

fvSysMemUsage

The current memory utilization (%).

fvSysLogDiskUsage

The log disk usage (%).

fvSysStorageDiskUsage

The storage disk usage (%).

fvSysEventCode

System component events.

fvSysload

Current system load.

fvSysHA

  • fvHAMode: Configured HA operating mode.
  • fvHAEffectiveMoce: Effective HA operating mode.

fmlHAEventId

HA event type ID.

fmlHAUnitIp

Unit IP address where the event occurs.

fmlHAEventReason

The reason for the HA event.

Configuring email setting

You can configure the FortiVoice system to send email notifications to phone users when they miss a phone call or receive a voicemail or fax.

Note

For phone users to receive the notifications, you need to add their email addresses when configuring the extensions. See Configuring extensions.

To configure email setting

  1. Go to System > Configuration > Mail Setting.
  2. Configure the following:

    GUI field

    Description

    Local Host

    Host name

    Enter the host name of the FortiVoice system, such as fortivoice-500F.

    Local domain name

    Enter the local domain name of the FortiVoice system, such as example.com.

    Mail Queue

    Maximum time for email in queue (1-240 hours)

    Enter the maximum number of hours that deferred email messages can remain in the deferred email queue, during which the FortiVoice system periodically retries to send the message. After it reaches the maximum time, the FortiVoice system sends a final delivery status notification (DSN) email message to notify the sender that the email message was undeliverable.

    Time interval for retry (10-120 minutes)

    Enter the number of minutes between delivery retries for email messages in the deferred mail queues.

    Relay Server

    Configure an SMTP relay, if needed, to which the FortiVoice system will relay outgoing email. This is typically provided by your Internet service provider (ISP), but could be a mail relay on your internal network.

    Relay server name

    Enter the domain name of an SMTP relay.

    Relay server port

    Enter the TCP port number on which the SMTP relay listens. This is typically provided by your Internet service provider (ISP).

    Use SMTPs

    Enable to initiate SSL- and TLS-secured connections to the SMTP relay if it supports SSL/TLS. When disabled, SMTP connections from the FortiVoice built-in MTA or proxy to the relay will occur as clear text, unencrypted.

    This option must be enabled to initiate SMTPS connections.

    Authentication Required

    Select the checkbox and click the arrow to expand the section and configure:

    • User name: Enter the name of the FortiVoice system account on the SMTP relay.
    • Password: Enter the password for the FortiVoice system user name.
    • Authentication type: Available SMTP authentication types include:
      • AUTO (automatically detect and use the most secure SMTP authentication type supported by the relay server)
      • PLAIN (provides an unencrypted, scrambled password)
      • LOGIN (provides an unencrypted, scrambled password)
      • DIGEST-MD5 (provides an encrypted hash of the password)
      • CRAM-MD5 (provides an encrypted hash of the password, with hash replay prevention, combined with a challenge and response mechanism)

    Test

    (button)

    After you have entered the relay server information, you can click the Test button to test if the relay server is accessible.

    To further test mail delivery, click Advanced Group, and enter the sender (MAIL FROM) and recipient (RCPT TO) email addresses. EHLO (Extended HELO) information is filled in by default.

    Click Test to display the test results.

    Customize Email Template

    View and reword the default email history report and notification email templates. For more information, see Customizing call report and notification email templates.

  3. Click Apply.

Customizing the GUI appearance

The System > Configuration > Appearance tab lets you customize the default appearance of the GUI and voicemail interface with your own product name, product logo, corporate logo, and language.

To customize the GUI appearance

  1. Go to System > Configuration > Appearance.
  2. Click the arrow to expand Administration Interface and User Portal Interface.
  3. Configure the following:

    GUI field

    Description

    Administration Interface

    Product name

    Enter the name of the product. This name will precede Administrator Login in the title on the login page of the GUI.

    Product icon

    Click Change to browse for the product icon. The icon must use the .ico format and size (width x height) 16 x 16 pixels.

    Top logo

    Click Change to upload a graphic that will appear at the top of all pages in the GUI. The image size (width x height) must be 460 x 36 pixels.

    For best results, use an image with a transparent background. Non-transparent backgrounds will not blend with the underlying theme graphic, resulting in a visible rectangle around your logo graphic.

    Note

    Uploading a graphic overwrites the current graphic. The FortiVoice system does not retain previous graphics. If you want to revert to the current graphic, use your web browser to save a backup copy of the image to your management computer, enabling you to upload it again at a later time.

    Click Reset to return to the default setting.

    Default UI language

    Select the default language for the display of the GUI.

    You can configure a separate language preference for each administrator account. For details, see Configuring administrator accounts.

    Default theme

    Select the default theme for the GUI.

    User Portal Interface

    User Portal login

    Enter a word or phrase that will appear on top of the user portal login page, such as User Portal Login.

    Login user name hint

    Enter a hint for the user name, such as Your Email Address. This hint will appear as a mouse-over display on the login name field.

    User Portal theme

    Select a theme for the user portal GUI.

    Default UI language

    Select the language in which user portal pages will be displayed. By default, the FortiVoice system will use the same language as the GUI.

    User Portal top logo

    Click Change to upload a graphic that will appear at the top of all user portal pages. The image size (width x height) must be 460 x 36 pixels.

    For best results, use an image with a transparent background. Non-transparent backgrounds will not blend with the underlying theme graphic, resulting in a visible rectangle around your logo graphic.

    Note

    Uploading a graphic overwrites the current graphic. The FortiVoice system does not retain previous or default graphics. If you want to revert to the current graphic, use your web browser to save a backup copy of the image to your management computer, enabling you to upload it again at a later time.

    Click Reset to return to the default setting.

  4. Click Apply to save the changes or Reset to return to the default setting.

Selecting the call data storage location

The System > Configuration > Storage tab lets you configure local or remote storage of call data such as the recorded calls, faxes, and voicemails.

FortiVoice systems can store call data either locally or remotely. FortiVoice systems support remote storage by a network attached storage (NAS) server using the network file system (NFS) protocol.

NAS has the benefits of remote storage which include ease of backing up the call data and more flexible storage limits. Additionally, you can still access the call data on the NAS server if your FortiVoice system loses connectivity.

Note

If the FortiVoice system is a member of an active-passive HA group, and the HA group stores call data on a remote NAS server, disable call data synchronization to prevent duplicate call data traffic. For details, see Configuring the HA mode and group.

Note

If you store the call data on a remote NAS device, you cannot back up the data. You can only back up the call data stored locally on the FortiVoice hard disk. For information about backing up call data, see Backing up the configuration.

Tested and supported NFS servers

  • Linux NAS (NFS v3/v4)
    • Red Hat 5.5
    • Fedora 16/17/18/19
    • Ubuntu 11/12/13
    • OpenSUSE 13.1
  • FreeNAS
  • Openfiler
  • EMC VNXe3150 (version 2.4.2.21519 (MR4 SP2))
  • EMC Isilon S200 (OneFS 7.1.0.3)

Untested NFS servers

  • Buffalo TeraStation
  • Cisco Linksys NAS server

Unsupported NFS Servers

  • Windows 2003 R2 /Windows 2008 Service for NFS

To configure call data storage

  1. Go to System > Configuration > Storage.
  2. Configure the following:

    GUI field

    Description

    Local

    Select to store call data on the FortiVoice system's local disk or RAID.

    NAS

    Select to store call data on a remote network attached storage (NAS) server.

    Storage type

    Select a type of NAS server:

    • NFS: To configure a network file system (NFS) server. For this option, enter the following information:
      • Hostname/IP address: The IP address or fully qualified domain name (FQDN) of the NFS server.
      • Port: The TCP port number on which the NFS server listens for connections. The range is from 0 to 65535.
      • Directory: The directory path of the NFS export on the NAS server where the FortiVoice system will store call data.
    • iSCSI Server: To configure an Internet Small Computer Systems Interface (iSCSI) server. For this option, enter the following information:
      • Initiator name as username: Select to use the iSCSI initiator node name as the user name of the FortiVoice system account on the iSCSI server.
      • Username: The user name of the FortiVoice system account on the iSCSI server.
      • Password: The password of the FortiVoice system account on the iSCSI server.
      • Hostname/IP address: The IP address or fully qualified domain name (FQDN) of the iSCSI server.
      • Port: The TCP port number on which the iSCSI server listens for connections. The range is from 0 to 65535.
      • Encryption key: The key that will be used to encrypt data stored on the iSCSI server. Valid key lengths are between 6 and 64 single-byte characters.
      • iSCSI ID: The iSCSI identifier in the format expected by the iSCSI server, such as an iSCSI Qualified Name (IQN), Extended Unique Identifier (EUI), or T11 Network Address Authority (NAA).

    Status: When available, it indicates if the iSCSI share was successfully mounted on the FortiVoice file system. This field appears only after you configure the iSCSI share and click Apply. Status may take some time to appear if the iSCSI server is slow to respond.

    If Not mounted appears, the iSCSI share was not successfully mounted. Verify that the iSCSI server is responding and the FortiVoice system has both read and write permissions on the iSCSI server.

    Test

    (button)

    Click to verify the NAS server Setting are correct and that the FortiVoice system can access that location. The test action basically tries to discover, login, mount, and unmount the remote device.

    This button is available only when NAS server is selected.

    Click here to format this device

    Click here to check file system on this device

    Note

    If the iSCSI disk has never been formatted, the FortiVoice system needs to format it before it can be used. If the disk has been formatted before, you do not need to format it again, unless you want to wipe out the data on it.

    These two links appear when you configure an iSCSI server and click Apply.

    Click a link to initiate the described action (that is, format the device or check its file system). A message appears saying the action is being executed. Click OK to close the message and click Refresh to see a Status update.

    Configuring single sign on

    Fortinet Single Sign-On (FSSO) is the authentication protocol by which users can transparently authenticate to Fortinet devices. The authentication system (FortiAuthenticator, ADFS, or Centrify) identifies and authenticates users based on their authentication from a different system.

    The FortiVoice SSO configuration involves the participation of a network authentication system, such as FortiAuthenticator. The network authentication system can be integrated with the FortiVoice system to poll administrator logon information and send it to the FortiVoice system.

    FortiAuthenticator is used as the example authentication system here. For more information, see FortiAuthenticator Administration Guide.

    For other systems, refer to their user manuals for configuration information.

    You need to have both systems open and switch between the two to exchange authentication information.

    After you complete the FortiVoice SSO configuration and log into the FortiVoice system, the Single Sign On button will appear on the login page. You can click it and enter the login credential of the FortiAuthenticator user account created for the FortiVoice administrator with single sign on authentication type.

    Note that after SSO is enabled:

    • All administrator login authentication is controlled by the FortiAuthenticator system. Disabled administrator accounts should not be authenticated by FortiAuthenticator.
    • The FortiVoice administrator portal must be accessed using HTTPS (such as https://fortivoice_ip_or_hostname).
    • Logging out of FortiVoice administrator portal will also log out of the FortiAuthenticator system.

    To configure FortiVoice SSO

    1. On the FortiAuthenticator system:
      1. Go to Authentication > SAML IdP > General and enable SAML IDP (Identity Provider).
      2. Go to Authentication > SAML IdP > Service Providers.
      3. Click Create New to add a SAML service provider and click the Copy idp_entity_id icon.
    2. On the FortiVoice system:
      1. Go to System > Configuration > Single Sign On.
      2. Select Enabled.
      3. Click Retrieve from URL and paste the IDP entity ID you copied.
      4. Click OK to get the IDP metadata from the FortiAuthenticator.
      5. Refresh your browser. The FortiVoice service provider metadata is generated.
      6. Click Download to save the FortiVoice service provider metadata.
      7. Click Apply.
      8. Go to System > Administrator to create an administrator account with single sign on as the authentication type. For more information, see Configuring administrator accounts.
    3. On the FortiAuthenticator system:
      1. Go to the SAML service provider you have created.
      2. Click Import SP metadata and browse for the FortiVoice service provider metadata you saved and click OK.
      3. Enable SAML request must be signed by SP.
      4. Click OK to save the service provider configuration.
      5. Open the SAML service provider you have created.
      6. Click Create New under SAML Attribute.
      7. In SAML attribute, enter "urn:oid:0.9.2342.19200300.100.1.3".
      8. In User attribute, select an option and click OK, then OK.
      9. Go to User Management > Local Users and create a user account for the FortiVoice administrator with single sign on authentication type and use the FortiVoice administrator name as the account user name.

Configuring FortiVoice to join the Security Fabric

The FortiVoice system can connect to an upstream FortiGate device and become an integrated cluster member of the Security Fabric. This integration allows you to access FortiFone phone details from two FortiGate GUI menus.

Prerequisites

  • Verify that the account that you are using to log in to the FortiVoice GUI has the REST API access mode enabled in System > Administrator > Administrator.

  • Verify that the FortiGate device is using version 7.2.2 or later.

  • Verify that the FortiGate device is operating in NAT mode.

To configure FortiVoice to join the Security Fabric
  1. In the GUI of the FortiVoice phone system, go to System > Configuration > Security Fabric.
  2. Select Enabled to allow the FortiVoice system to become a Security Fabric member.
  3. For Upstream IP Address, enter the IP address and port number of the root FortiGate device.
  4. For Management IP/FQDN, enter the IP address and port number of the FortiVoice system.
  5. Click Apply.
  6. If the connection is successful, the Authorization status shows This device has been authorized by upstream. The Security Fabric FortiGate establishes a connection with the FortiVoice system using the IP address and port number specified.

  7. In the FortiGate admin GUI, authorize the FortiVoice system to join the Security Fabric. See details in the FortiVoice section of the FortiOS Administration Guide.
  8. After configuring and authorizing the FortiVoice system, FortiVoice sends all information about provisioned FortiFone phones to the FortiGate device.
  9. To log in to the FortiGate device, click the Click here to log into upstream device link.

  10. You can access FortiFone phone details from the following FortiGate GUI menus. For more details, see the FortiOS Administration Guide.
    • Security Fabric > Asset Identity Center

    • Policy & Objects > Addresses