IAUG and PasswordPro Reflections

by David Lover | Arrow Systems Integration

As many of you know, last week was one of our biggest events of the year. Our participation at IAUG (International Avaya User Group) is always a big deal and our presence there is definitely noticed. We always have a large number of breakout sessions. Out of the 15 time slots available, I presented during 9 of them. I know Andrew Prokop had almost as many (emphasis on the word almost J), and Dave Franz, John Waber, Mark Wechsler, and others had sessions as well.

We had an awesome booth setup this year. This year, we managed to get the Arrow SAM Car to be right in the booth. It was a definite draw. Even if people didn’t know who we were, they all stopped by to see why this amazing Corvette would be sitting in the exhibitor booth of an Avaya partner. It was all about showing how to take commodity, off the shelf components, combined in a creative, innovative way, to change people’s business. In this case, it was about changing people’s lives. It was impressive, and the team did a great job of connecting the dots to why it is so important for them to work with a partner who thinks further ahead than other partners. If you haven’t the full story of the SAM Project, please take a few minutes to check this out.

Along the theme of Systems Integration, one of the products that we were showing was PasswordPro. You guys all know it as the portal that helps us comply with our company’s security policy in a way that doesn’t add a crazy number of headcount in the helpdesk. PasswordPro enforces administrator defined password complexity and aging policies. It’s what doesn’t let you choose horrible passwords on your Avaya Aura SIP phone and associated adjuncts. It lets you reset forgotten Aura passwords without having to call the helpdesk, all in a VERY timely fashion. It lets us age and expire old passwords so that a hacker doesn’t get an unlimited amount of time to break into your account. And trust me they do. From the minute we put our Session Border Controller on the network, we are vulnerable to getting hacked by several different IP addresses throughout the world. Fortunately, strong rate limiting, SIP packet inspecting, and protocol scrubbing firewalls built into our Avaya SBC, coupled with strong user passwords, reduce them to just an annoying list of mitigated attacks in our system logs.

This week, our appdev team rolled out a significant new feature. It’s actually our most requested add-on feature, beyond the capabilities that we already have. PasswordPro now has the ability to manage voicemail passwords. In this first release, we can support Modular Messaging 5.2 and any version of Avaya Aura Messaging. For those of you that have a SIP phone, you can now reset a forgotten voicemail password directly from PasswordPro. No need to open a ticket with the help desk. The magic of this is that any Avaya Aura user, managed by System Manager, can be externally managed through a set of developer API’s (Application Programmer Interfaces). PasswordPro uses those secure Web Services to access the assigned user profiles and manipulate specific data about that user (in our case, the user passwords).

You may be asking yourself, why doesn’t the manufacturer do this advanced password management themselves? Great question. But instead of just sitting there, stuck, complaining that the manufacturer hasn’t added a specific feature you want, Avaya lets you extend and expand the capabilities of their platform through these exposed API’s. This actually is what lets Systems Integrators like Arrow SI, do something unique. It separates us from most of our competition AND it lets you set yourself apart from YOUR competition.

Are there caveats to this? Of course. First, it’s important to know that Avaya does NOT expose access to the Modular Messaging or Aura Messaging directly. Other vendors that offer voicemail password support, need to request special permission and NDA to be allowed to “Hack” the platforms. These vendors access the system directly with the appropriate security encryption keys and get into the database directly. I personally find this to be VERY dangerous and WILDLY unsecure. As of Avaya System Manager 6.3.0, Avaya now lets developers access the user data through the User Manage Web Services API. There’s no need to hack the system. No worries about a developer accidentally corrupting the database. It’s all documented and supported. The downside to this approach is that the user must be managed as an actual System Manager User. This is a no brainer for SIP users, but not a lot of customers have begun managing their non-SIP users (ie H.323, Digital, analog, etc) through System Manager. They will all have to do this way eventually, but it’s still a bleeding-edge concept for many of them.

If you’re curious about what PasswordPro is all about, we actually have a free trial available. This was a hit at IAUG, where we had a ton of interest, and we want to extend it to all of our customers who are interested in seeing it in their own environment. We’ve seen a lot of people wanting to try it within IT or a small department of 20-30 people, but there are no trial user limits. Let us know if you’re interested in the trial or go here and we’ll take it from there.

Share this article

The thoughts and opinions in these blogs belong to the individual blogger and do not necessarily represent the views or opinions of Arrow Systems Integration.