Avaya

Modular Messaging Help


Access mechanisms

Avaya Modular Messaging supports several access mechanisms through which subscribers can do the following:

  • Access mailboxes and messages.

  • Change greetings.

  • Configure features such as Call Me and Find Me.

Modular Messaging provides added functionality, including remote administration and desktop client access to mailboxes. To access mailboxes, Modular Messaging uses Microsoft Outlook or a Web browser that connects to the customer local area network (LAN). The system can support standard and Secure Sockets Layer (SSL) versions of IMAP4, POP3, and SMTP client access. You can network Modular Messaging with additional Modular Messaging and voice mail systems by using Avaya Message Networking with the Avaya Message Server over the LAN. For more information on Modular Messaging networking for systems with the Avaya Messaging Application Server (MAS) and the Avaya Modular Messaging Server (MSS), see Networking.

If customers want to have remote LAN administration without desktop GUI access, the system administrator can configure the system in the following ways:

  • Disable client IMAP4, POP3, and LDAP access.

  • Administer an external firewall.

From a security viewpoint, this can lock down the system at the expense of functionality and productivity benefits. The system administrator can configure the firewall to allow traffic only from a specific IP address.

Customers must be aware that messages in user mailboxes, as in their voice mail systems, are neither stored nor backed up in encrypted form. Avaya recommends that customers take precautions to limit physical access to Modular Messaging and its backups.

Topics in this section include:

Telephone user interface access

Subscribers can use the telephone user interface (TUI) to access their mailboxes. For TUI access, Modular Messaging uses an IMAP4 log-in sequence with the MAS, using the mailbox ID and password that the caller provides. Callers must specify the correct mailbox ID and, depending on the configuration, a password; the password verifies that the caller is entitled to use that mailbox ID.

To increase security, administrators can use the following methods:

  • Set the minimum password length (6 to 15 alphanumeric characters).

  • Ensure that initial passwords do not use easily determined patterns based on mailbox number.

  • Use password aging.

  • Force password change the first time a user logs in.

  • Ensure that checks for trivial passwords are always enabled. For example, users can never set the password to be the same as the mailbox ID.

Note: If administrators set a nonconforming password, for example a password that is shorter than the minimum password length, the TUI forces the subscriber to change the password when the subscriber logs in to the mailbox for the first time. The new password must conform to the password setting rules.
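The following Python script is an added illustration of these rules and is not part of Modular Messaging or Avaya code. It models the recommended checks as a password policy: a minimum length in the 6-to-15 range, rejection of passwords equal to or derived from the mailbox number, a forced change on the first log-in, and password aging. The 90-day aging interval, the `Mailbox` record, and the pattern checks beyond "same as mailbox ID" (substrings or reversals of the mailbox number, repeated or sequential digits) are assumptions made for the example and go beyond the specific case in the text.

```python
"""Mailbox password-policy checks modelled on the TUI recommendations above.

Added illustration, not Avaya code. The 90-day aging interval, the Mailbox
record and the pattern checks beyond "same as mailbox ID" are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hmac


@dataclass
class PasswordPolicy:
    min_length: int = 6                      # configurable from 6 to 15 characters
    max_age_days: int = 90                   # assumed password-aging interval
    force_change_on_first_login: bool = True

    def __post_init__(self) -> None:
        if not 6 <= self.min_length <= 15:
            raise ValueError("minimum password length must be between 6 and 15")


def check_password(password: str, mailbox_id: str, policy: PasswordPolicy) -> list:
    """Return the rules the candidate password violates (empty list = conforming)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than minimum length")
    if not password.isalnum():
        problems.append("not alphanumeric")
    # Trivial-password checks. The page's own example is password == mailbox ID;
    # the substring/reversal test is an assumed extension for passwords derived
    # from the mailbox number.
    if password == mailbox_id:
        problems.append("same as mailbox ID")
    elif len(password) >= 3 and (password in mailbox_id or mailbox_id in password
                                 or password == mailbox_id[::-1]):
        problems.append("derived from mailbox ID")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    if password.isdigit() and len(password) >= 3:
        steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
        if steps in ({1}, {-1}):
            problems.append("sequential digits")
    return problems


@dataclass
class Mailbox:
    mailbox_id: str
    password: str
    password_set_on: date
    admin_assigned: bool = True   # initial password was set by the administrator


def tui_login(mailbox: Mailbox, entered: str, policy: PasswordPolicy, today: date) -> str:
    """Simulate the TUI log-in decision: 'denied', 'change-required' or 'ok'."""
    if not hmac.compare_digest(entered.encode(), mailbox.password.encode()):
        return "denied"
    # First log-in with the administrator-assigned password forces a change,
    # as does a stored password that does not conform to the rules.
    if policy.force_change_on_first_login and mailbox.admin_assigned:
        return "change-required"
    if check_password(mailbox.password, mailbox.mailbox_id, policy):
        return "change-required"
    if today - mailbox.password_set_on > timedelta(days=policy.max_age_days):
        return "change-required"          # password aging
    return "ok"


def change_password(mailbox: Mailbox, new_password: str, policy: PasswordPolicy, today: date) -> list:
    """Apply the policy to a subscriber-chosen password; returns problems, or [] if accepted."""
    problems = check_password(new_password, mailbox.mailbox_id, policy)
    if not problems:
        mailbox.password = new_password
        mailbox.password_set_on = today
        mailbox.admin_assigned = False
    return problems


def demo() -> list:
    """Walk a constructed mailbox through first log-in, a rejected change, an accepted change and aging."""
    policy = PasswordPolicy()
    box = Mailbox("5551234", "5551234", date(2024, 1, 1))   # constructed sample mailbox
    return [
        tui_login(box, "0000", policy, date(2024, 1, 15)),       # wrong password
        tui_login(box, "5551234", policy, date(2024, 1, 15)),    # admin-assigned: must change
        change_password(box, "1234", policy, date(2024, 1, 15)), # short, derived, sequential
        change_password(box, "72a9q1", policy, date(2024, 1, 15)),
        tui_login(box, "72a9q1", policy, date(2024, 2, 1)),      # within the aging window
        tui_login(box, "72a9q1", policy, date(2024, 6, 1)),      # older than 90 days
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The log-in path compares the entered password with `hmac.compare_digest` rather than `==` so that the comparison time does not depend on where the first mismatching character sits; for a numeric TUI password that small detail matters more than it would for a long random secret.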

Client LAN access

The following clients can access the LAN:

E-mail clients

Depending on the system configuration, users can access their mailboxes with mail clients that use the standard POP3 and IMAP4 protocols, such as Microsoft Outlook and Outlook Express. Microsoft Outlook, Outlook Express, and the Client Add-in for Microsoft Outlook access the Modular Messaging MSS over the LAN through the second Ethernet port. These clients also use authenticated SMTP for sending messages and anonymous LDAP for directory access.

Depending on the system configuration, Modular Messaging can transport passwords in encrypted or nonencrypted form. If the channel uses SSL or Simple Authentication and Security Layer (SASL), Modular Messaging transports passwords in encrypted form. If the channel does not use SSL or SASL, Modular Messaging transports passwords as plain text.

Modular Messaging also supports SSL versions of the POP3, IMAP4, and SMTP protocols. Users can also enable SSL encryption while setting up their Modular Messaging account in Outlook with the Avaya Plug-in and in Outlook Express. In these configurations, the entire POP3, IMAP4, or SMTP conversation is encrypted. Independently of SSL, the Challenge-Response Authentication Mechanism-Message Digest 5 (CRAM-MD5) authentication mechanism does not expose the user password. If Modular Messaging does not use SSL, Outlook with the Avaya Plug-in and Outlook Express transmit passwords as plain text across the corporate LAN when connecting to the MSS with POP3, IMAP4, or SMTP.

For clients connected to Modular Messaging with the Avaya Message Storage Server, the MSS requires SMTP user authentication. The user authentication verifies that the sender of a message is in the domain. This feature ensures that spammers cannot send messages from the system.

Anyone who can observe plain-text password packets in transit can access subscriber accounts and steal messages, or potentially commit toll fraud. For maximum password protection, follow the recommendations about using SSL encryption, or use only clients that support CRAM-MD5 authentication, for example Outlook with the Avaya plug-ins. Customers who want to keep message content private can use only SSL-capable clients.

Modular Messaging also supports the SSL protocol for IMAP4, POP3, and SMTP. The SSL protocol provides communications privacy over the Internet and allows applications to communicate in a way that prevents eavesdropping, tampering, and message forgery. Administrators can enable IMAP4 access on the message server. Subscribers can also configure their e-mail clients to use Transport Layer Security (TLS), which provides SSL-equivalent protection over the standard IMAP4 port. The same applies to SMTP and POP3.
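To make the difference between plain-text and CRAM-MD5 authentication concrete, the following Python script is an added illustration; it is not Avaya code and does not reproduce the behavior of any particular client. It runs both sides of a CRAM-MD5 exchange as defined in RFC 2195, the mechanism named above, and places a plain-text IMAP4 LOGIN command beside it. The hostname `mss.example.invalid` and the `tim`/`tanstaaftanstaaf` credentials are constructed sample values.

```python
"""CRAM-MD5 challenge/response (RFC 2195) as used by the IMAP4, POP3 and SMTP
clients described above, with a plain-text LOGIN for contrast.

Added illustration, not Avaya code. The hostname and the sample credentials
are constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
import time


def new_challenge(hostname: str = "mss.example.invalid") -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 '<random.time@host>' form."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()


def encode_challenge(challenge: bytes) -> bytes:
    """Server side: the continuation line that carries the base64 challenge to the client."""
    return b"+ " + base64.b64encode(challenge) + b"\r\n"


def client_response(username: str, password: str, challenge_line: bytes) -> bytes:
    """Client side: reply with 'user HMAC-MD5(password, challenge)'; the password itself never leaves the client."""
    challenge = base64.b64decode(challenge_line[2:].strip())
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()) + b"\r\n"


def server_verify(response_line: bytes, challenge: bytes, password_for_user) -> bool:
    """Server side: recompute the digest from the stored secret and compare in constant time."""
    try:
        username, _, digest = base64.b64decode(response_line.strip()).decode().partition(" ")
        secret = password_for_user(username)          # KeyError for an unknown user
        expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)
    except (ValueError, KeyError, TypeError):        # malformed base64/UTF-8, unknown user, odd digest
        return False


def cram_md5_exchange(username: str, password: str, password_for_user, challenge=None):
    """Run both sides of the exchange; returns (authenticated, bytes that an observer would see)."""
    challenge = challenge or new_challenge()
    line1 = encode_challenge(challenge)                       # server -> client
    line2 = client_response(username, password, line1)       # client -> server
    return server_verify(line2, challenge, password_for_user), line1 + line2


def plain_login_line(username: str, password: str) -> bytes:
    """What a non-SSL client without CRAM-MD5 sends instead: the password in the clear."""
    return f'a001 LOGIN "{username}" "{password}"\r\n'.encode()


if __name__ == "__main__":
    directory = {"tim": "tanstaaftanstaaf"}   # constructed mailbox/password pair
    ok, wire = cram_md5_exchange("tim", "tanstaaftanstaaf", directory.__getitem__)
    print("authenticated:", ok)
    print("password visible on the wire:", b"tanstaaftanstaaf" in wire)
    print("plain LOGIN exposes it:", b"tanstaaftanstaaf" in plain_login_line("tim", "tanstaaftanstaaf"))
```

The digest is an HMAC-MD5 of the server's one-time challenge keyed with the password, so an observer of the exchange sees the challenge and the digest but never the password, and cannot replay the response against a fresh challenge. Two caveats follow from the mechanism: the server must hold the password (or equivalent HMAC-MD5 state) in recoverable form to compute the digest, and CRAM-MD5 protects only the log-in, so the message bodies that follow remain readable to the same observer unless the session runs over SSL, which is why the section recommends SSL-capable clients for message privacy.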

Modular Messaging Web Client

The Avaya Modular Messaging Web Client provides a Web-based visual client interface to the messages stored on the MSS. Subscribers can use a Web browser to access and manage their messages just as they do from standard e-mail applications. The Web server providing the Web Client interface uses IMAP4, SMTP, and LDAP protocols to access the MSS.

System administrators can configure Microsoft Internet Information Services (IIS) on this Web server to support SSL. When IIS requires client SSL connections, all communication between the client and the Web server is secured. When SSL is optional or not in use, only the password exchange is secured, not the data: the Web server protects passwords through the CRAM-MD5 authentication mechanism and sends data as plain text.

Web Subscriber Options

Modular Messaging Web Subscriber Options is a Web-based visual interface that subscribers can use to change default mailbox settings. Web Subscriber Options provides the same functionality as Subscriber Options does. The application can reside on the MAS or on another server. Subscribers access Web Subscriber Options through a Web browser. Using Web Subscriber Options, a subscriber can set up the subscriber mailboxes and the mailbox interaction with Modular Messaging to do the following:

  • Screen incoming calls
  • Receive notification when a new voice message, text message, or fax arrives
  • Redirect unanswered calls to a different location, and vary that location according to the time of day
  • Play different greetings if the subscriber telephone is busy or unanswered
  • Manage Personal Distribution Lists
  • Sort messages by the TUIs used
  • Set the time zone
  • Enable multilingual call answering for the subscriber mailbox

Web Subscriber Options encrypts passwords but sends its responses to the client unencrypted. Administrators can configure Web Subscriber Options and the Web Service to require SSL, which encrypts all communication between the client browser and the Web Subscriber Options server and so gives Web Subscriber Options a secure channel.

Modular Messaging can support Web Subscriber Options on a separate server or on the MAS. In both configurations, the client browser talks to the Web server through port 80 for unencrypted configurations and through port 443 for configurations encrypted with SSL. When Web Subscriber Options is installed on a separate server, the server talks to the MAS through port 82 on the MAS for the Web service that implements the functionality.

For more information about Web Subscriber Options, see the Help for Web Subscriber Options.

Subscriber Options

Avaya also provides the Subscriber Options desktop utility, in which client users can change their passwords and general mailbox options over the LAN. A new password set in Subscriber Options is transmitted to the MAS in encrypted form. The MAS decrypts the password and re-encrypts it with the Triple Data Encryption Standard (3DES) before sending it to the MSS. The MSS decrypts the password and re-encrypts it with 3DES under a different key before storing it.

Lightweight Directory Access Protocol access

Modular Messaging MSS provides encrypted Lightweight Directory Access Protocol (LDAP) interfaces that can access directory data. There is no need to use LDAP with SSL or SASL when the subscriber uses anonymous access to acquire a subscriber directory. The system provides full channel encryption through SSL and login and password access through SASL. For more information, see Trusted server administration.

Dial-up modem access

Modular Messaging servers provide dial-up modem access. Avaya Services personnel use the dial-up modem access for troubleshooting and maintenance. The MAS provides a modem for Remote Access Server (RAS) connectivity. Only Avaya Services personnel can use the remote access services. Avaya regulates the access restrictions. Users can use RAS to perform administrative tasks over Windows Terminal Services, also known as Remote Desktop Connection. The MSS supports Secure Shell (SSH) for remote login access and SFTP file transfer over a LAN. All transmissions through this channel are encrypted using SSH.

The MSS also includes an onboard Remote Maintenance Board (RMB) that provides dial-up modem access to the Avaya Services personnel. Access Security Gateway (ASG) controls use of this modem. The gateway employs a challenge-and-response mechanism for authentication. Remote services technicians establish an IP connection over the modem. The technicians can then use the following on that IP connection:

  • SSH to gain shell access with certain credentials

  • HTTPS to run Web forms

  • SFTP to transfer log files

Each of these protocols is encrypted, which secures the modem connection. The Access Security Gateway (ASG) reduces the possibility of unauthorized remote access to the MSS. For more information about ASG, see Adjuncts.

Avaya recommends that customers invest in security adjuncts that usually use one-time passcode algorithms. These security adjuncts discourage hackers. To reduce system vulnerability to toll fraud, outward restrict the port that connects to the Remote Maintenance Board (RMB). For more information about RMB, see Remote Maintenance Board (RMB) CYN23AP and CYN24AP PCI Version Release 1.0 Reference (585-310-263, pdf). This document is available to certified personnel through the Avaya Web site.

You can also set up a Point-to-Point Protocol (PPP) server for remote access to the MSS. You can configure the PPP service to enable remote access for local and networked machines. Administrators must administer the PPP protocol login (sappp). The PPP logins are used mainly for maintenance. For more information about how to administer PPP logins, see the Installation and Upgrades guide (pdf).

Maintenance ports are a prime target for fraud. Hackers use various devices to dial into the port numbers, crack passwords to gain control over the administrative commands, and then manipulate system settings to commit fraud or cause other damage to the system. Many security risks arise when incoming callers use the system. Other endpoints in your system can be dialed as internal calls and can be used from voice mail, the automated attendant, or remote access. Usually, toll hackers target the administration port to gain control over the maintenance and administration capabilities of the system. To enhance the security of your system, you must monitor calls entering and leaving the system, and monitor system administration. For more information about how to connect the MSS Remote Maintenance Board (RMB), see the Installation and Upgrades guide (pdf).

Message Networking access

This topic discusses Message Networking (MN) for Modular Messaging systems with Avaya MSS.

The Avaya Message Networking system is a network integrator. Message Networking allows the Avaya Modular Messaging system to communicate with other messaging servers that use supported industry-standard and Avaya proprietary protocols. Remote systems can send messages from subscribers on their systems to the Modular Messaging system using plain-text, nonauthenticated SMTP. Messages transmitted in this manner are subject to "eavesdropping" through LAN sniffing. The message content can contain .wav audio files.

Secure the LAN segments between networked systems so unprivileged users cannot intercept packets during transit. The remote nodes can send directory updates through LDAP. This LDAP connection can be administered to require the use of SSL.

For more information on MN system features and functionality, see the Message Networking documentation CD-ROM or contact your sales representative.
