Editing ShoreTel System Prompts or WTF is a PHR file?

“Welcome to the ShoreTel Conferencing” sounds like a commercial announcement and many system owners want it changed! After all they just paid a big whack of money to own a brand new brilliantly simple phone system! Now when they have a client conference, they sound like they transferred the call to an outside third party service!  Though it is a smart move for ShoreTel marketing efforts, it is hardly the image a system owner wants to convey to their clients!  For this reason, we are often asked to change the prompt to something that sounds more like “Welcome to mycompany conferencing”. This seems like a reasonable enough request and something that should be easy to implement, right? Yet ShoreTel professional services gets about $600-$1000 for a custom prompt!  Is there a way around this?

The fact is that it is not very easy to modify these prompts at all! Most ShoreTel vendors can’t even find the application to play the file, let alone edit it, as it is not a normal wav file! The file is actually a “phrase” file and is usually found with a .phr file extension. On the ShoreTel SA-100, for example, you will find this in the ftproot directory of the HQ server in the path \Inetpub\ftproot\tsu\phr\UCB. The UCB folder contains all the .phr files for all the languages supported by the system. When the conference appliance boots up, these files are loaded onto the server. (For you Unix heads, the appliance is a Linux platform, and you can find the files in the ShoreTel/Lib folder by changing to that directory and entering ls -lt *.phr.) Remember, if you edit the prompts, you will have to recreate this change every time you upgrade the phone system and on all servers that use the conference appliance!

In the United States the correct file is the “en-us.phr” file. If you play this file, you will understand very quickly that this is not going to be easy! The file is actually a “library” that contains all the “phrases” used by the system to prompt callers with audio help. The application software has to be able to set pointers to the correct location in the .PHR phrase file. This is similar to a format used by Dialogic back in the 80s that set the standard for “indexed play mode” for all telephone applications. This means that a phrase file must contain a unique id for each phrase in the library, so the .PHR file is more than an audio file! Here is a list of the phrases in the .PHR file:

thank you for calling ShoreTel conferencing goodbye
a duplicate conference has been detected you will now be transferred
a duplicate conference has been detected please try again later or contact the conference host.
you will now be disconnected
sorry the key sequence entered is invalid
The conference has ended goodbye.
sorry all resources are busy please try again later or contact the conference administrator
ringsound welcome to ShoreTel conferencing, please enter an access code then press pound.
sorry that access code is invalid please try again
the conference is currently locked, please try again later or contact the conference host
you are the only person on this conference please stay on the line
the conference host has not joined the conference please stay on the line
to turn off the music please press one
please wait while your call is connected
sorry that access code is invalid good bye
at the tone please say your name and then press pound
please wait while your call is placed into the conference
has joined the conference
has left the conference
ringsound please enter the conference hosts voice mail password then press pound
if you are the conference host then you may enter the host access code followed by pound at any time
invalid password please try again or press star to join as a participant
this scheduled conference can not be started at this time as it is to early. please start it at its scheduled start time.
this scheduled conference can not be started as it is past the scheduled start time.
to start or stop recording
press pound for
this call is being recorded
the recording has been stopped
the recording can not be stopped because desktop sharing has been enabled
the recording can not start because of insufficient disk space
the recording can not start at this time
to unmute your line press pound one
to mute or unmute all lines press pound two
your line has been muted
your line has been unmuted
all lines have been muted
all lines have been unmuted
the conference has been locked
the conference has been unlocked
to lock or unlock the conference press pound five
to raise or lower your hand press pound six
your hand has been raised
your hand has been lowered
the participant names are not available
to list the participant press pound three
to return to the conference please press star
to join the conference as a participant please press star
you have been requested to join a conference please press one to be placed into the conference
to end the conference press pound 99
this scheduled conference will end in the next five minutes
this scheduled conference is starting
the conference has not yet started
please wait

It is possible to play the file using an editor like Audacity, which will NOT recognize the file format if you double click it. To overcome this you must import the file as “raw data” by setting the file attributes on the import menu. Set the encoding to u-law and the sample rate to 8000 Hz. This will enable you to play the file. That is the simple part; the trick is to edit the audio prompts without destroying the index, which the application software uses to pull the correct prompt from the phr file! That is why professional services gets big bucks to change the prompt and why your average ShoreTel partner will not be able to help you! Remember, ShoreTel will also make sure the voice artist is the same one used for the rest of the ShoreTel prompts (though some of the files in the existing en_us.phr file are clearly male voices left over from the development team). All in all, this is a lot of work for somebody and worth every penny you pay for it!
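To show why a plain waveform editor breaks the prompt library, here is an added Python example (not ShoreTel’s code, and not the real .phr layout, which is not documented here): it uses a hypothetical indexed phrase library with an offset/length table in front of the u-law audio, contrasts a naive byte splice with an index-aware replacement, and decodes u-law to linear PCM the way the “raw data, u-law, 8000 Hz” import does. All sample audio is constructed.

```python
import struct
# Hypothetical indexed phrase library used for illustration only; the real
# ShoreTel .phr layout is not documented here and may differ entirely.
#   header : "<I" phrase count
#   index  : count x "<II" (byte offset, byte length), one entry per phrase
#   body   : the phrases' 8 kHz G.711 mu-law samples, back to back

def pack_library(phrases):
    """Build a library blob from a list of raw mu-law byte strings."""
    offset = 4 + 8 * len(phrases)             # body starts after the index
    index = []
    for audio in phrases:
        index.append(struct.pack("<II", offset, len(audio)))
        offset += len(audio)
    return struct.pack("<I", len(phrases)) + b"".join(index) + b"".join(phrases)

def unpack_library(blob):
    """Follow the index table to recover every phrase."""
    (count,) = struct.unpack_from("<I", blob, 0)
    phrases = []
    for i in range(count):
        offset, length = struct.unpack_from("<II", blob, 4 + 8 * i)
        phrases.append(blob[offset:offset + length])
    return phrases

def replace_phrase(blob, idx, new_audio):
    """Index-aware edit: swap one phrase and rebuild the table so the
    application's pointers to every later phrase remain valid."""
    phrases = unpack_library(blob)
    phrases[idx] = new_audio
    return pack_library(phrases)

def naive_overwrite(blob, idx, new_audio):
    """What a plain waveform editor does: splice the bytes and leave the
    index untouched, shifting every later phrase away from its pointer."""
    offset, length = struct.unpack_from("<II", blob, 4 + 8 * idx)
    return blob[:offset] + new_audio + blob[offset + length:]

def ulaw_to_pcm16(byte):
    """Decode one G.711 mu-law byte to a signed 16-bit linear sample, which
    is what 'import raw data, u-law, 8000 Hz' does in an audio editor."""
    u = ~byte & 0xFF
    magnitude = (((u & 0x0F) << 3) + 0x84) << ((u >> 4) & 0x07)
    magnitude -= 0x84
    return -magnitude if u & 0x80 else magnitude

def decode_phrase(blob, idx):
    """Linear PCM samples for one phrase, ready to write to an 8 kHz WAV."""
    return [ulaw_to_pcm16(b) for b in unpack_library(blob)[idx]]
```

Replacing a phrase with a clip of a different length through `naive_overwrite` leaves the table pointing into the wrong bytes for every phrase that follows, which is exactly the corruption a careless edit produces.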


ShoreTel VPN or MPLS? What works and saves money?

An IPsec Virtual Private Network, or VPN, is sometimes used as a backup route for a Wide Area Network failure. VPNs are typically deployed as a “tunnel” through the Internet and as such are “point to point” solutions by definition. Unfortunately that will not get the job done for a VoIP deployment! If you have ever deployed ShoreTel over a VPN in a multi site network that has more than two sites, you will note that it has problems. The first problem you will note is that the Switch Connectivity display within the ShoreTel ShorewareDirector management portal looks like a Christmas tree. Normally, in a finely tuned network, you should see all green in the connectivity display. In an IPsec VPN network using a “hub and spoke” implementation or “point to point” links, you will see lots of red and yellow boxes and switch connectivity will be inconclusive at best.

Next, you will undoubtedly experience instances of “one way audio”. Again, this is because an IPsec VPN is a “point to point” solution, when you really require a fully meshed solution that can handle more than unicast packet transfers. Additionally, IPsec applies encryption based on a “shared key”, so the two end points must both possess the key! IPsec does not support Multicast or Broadcast, and this makes it less than desirable for a VoIP deployment. Unicast is when you address the source and destination IP address to a specific target device. Broadcast is used when you must send to all network devices because you do not know the destination address. Multicast is used when you send to a group of devices that monitor a target IP address for network management and service subscriptions. Using an IPsec point to point VPN might get your phones to register and enable you to make phone calls, but you will be plagued by network connectivity issues that will make your VoIP deployment problematic. Your technical support center or help desk phones will be constantly ringing with unhappy users and incomplete phone calls.

You don’t have to be a Network guru to understand a “hub and spoke” topology. All communications between devices at different sites (i.e. spoke end points) must traverse the hub site if they are to communicate with each other. This might work for unicast communication, but it is inefficient and invites disaster. For two sites (i.e. spokes) to communicate, they have to go through the hub, unpacking and repacking, encrypting and decrypting, and sharing keys before resending packets to the ultimate destination. Assuming you are using this configuration only as a backup during a real WAN disaster, this might be acceptable temporarily. An IPsec VPN “hub and spoke” topology is not very useful in a ShoreTel VoIP deployment. We have two issues: first, IPsec does not support anything other than Unicast communication; and secondly, “hub and spoke” is unworkable because “spoke to spoke” communication is required.

How do we solve this? Fortunately there are two strategies that fit the bill perfectly. First, GRE or “generic routing encapsulation” should be used to support broadcast and multicast communications, a core component of any network deployment, especially those of a VoIP variety. Secondly, DMVPN or “dynamic multipoint virtual private network” technology should be implemented to assure “spoke to spoke” communications. DMVPN, which employs mGRE (multi-point GRE) and Dynamic Next Hop Router Resolution protocol (DNHRP) technologies, makes it possible to deploy a ShoreTel VoIP solution over the public internet and achieve MPLS like connectivity at a fraction of the cost. Given sufficient bandwidth, this should be more than adequate.
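To make the GRE point concrete, here is an added Python example (not from this page, ShoreTel or Cisco): it wraps a multicast IPv4 packet in a GRE header (RFC 2784/2890, with the 32-bit key that a tunnel key setting populates) addressed to a unicast tunnel endpoint, which is how broadcast and multicast traffic rides a tunnel between two public addresses, and unwraps it on the far side. The IPsec profile that would protect the GRE frame is out of scope; all addresses and the key are constructed.

```python
import socket
import struct

IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an encapsulated IPv4 packet
GRE_FLAG_KEY = 0x2000     # K bit: a 32-bit key follows the base header

def checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner, tunnel_src, tunnel_dst, key=None):
    """Wrap any IPv4 packet (unicast, multicast or broadcast) in GRE and
    address the outer header to the unicast tunnel endpoint."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)           # the tunnel's shared key value
    payload = gre + inner
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(payload)) + payload

def gre_decapsulate(frame):
    """Return (outer_dst, key, inner_packet); only the K option is handled."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto = struct.unpack_from("!HH", frame, ihl)
    if proto != GRE_PROTO_IPV4 or flags & ~GRE_FLAG_KEY:
        raise ValueError("unsupported GRE header")
    off, key = ihl + 4, None
    if flags & GRE_FLAG_KEY:
        (key,) = struct.unpack_from("!I", frame, off)
        off += 4
    return socket.inet_ntoa(frame[16:20]), key, frame[off:]

def ip_dst(packet):
    """Destination address of a plain IPv4 packet."""
    return socket.inet_ntoa(packet[16:20])
```

The inner destination stays 224.0.0.x while the outer destination is the spoke or hub's unicast address, so the routers in between only ever see ordinary unicast GRE traffic.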

What about encryption, you might ask? ShoreTel, CISCO and most VoIP solutions provide encryption at the network and transport level anyway, so this component may not be needed. If you are also moving data over this mesh, then you can use DMVPN in conjunction with IPsec to assure confidentiality, integrity and authentication (i.e. CIA). The bottom line is that a fully meshed communications network is absolutely obtainable with VPN technology, but you have to implement the correct protocol to achieve the desired results!

WAN configuration is an exact science, as is ShoreTel and CISCO VoIP technology. If you are fortunate enough to have that level of expertise in one individual or one vendor, then you are moving in the right direction with your VoIP deployment. If you need help in the WAN aspect of VoIP, then you need to call on DrVoIP. We can make the network.

Is there a RAT Virus in your phone system?

If you have a device on your network that you do not have root privileges for, then your entire enterprise is at risk for cybercrime! Do you want to know what a Trojan horse might look like? It might very well look like a Linux appliance provided by an outside manufacturer, delivered and installed on your network. This might be a network camera, firewall, phone system or monitoring device. As network security professionals we would never allow any device to be connected to our network on which we did not have root administrative authority. IT Directors who budget for network security, intrusion prevention and detection, and apply best practice to the care and feeding of their enterprise networks seem to overlook this very large potential security vulnerability. Every day, new networking equipment, appliances and hosts are connected to your network, and nobody ever questions the fact that you do not have root authority.

Most of the younger folks carrying an Android device have “rooted” their phone, and why? Yet you will allow your company to install equipment for which you do not have root authority? Makes no sense to us. The fact is that most modern VoIP phone systems like those from ShoreTel and CISCO are delivered with key components built on Linux like platforms. These devices are placed on the network inside the firewall and perimeter security devices, yet the root privilege is not available to the system owner. A very curious practice, would you not agree? Even if you have no clue about network security and hacking, would you allow someone to come into your place of business and install a “box” to which you have no access rights?

Anyone with root access could easily put programs on that appliance that could act unnoticed by network security devices. No virus protection would take note, and the device would have complete access to the entire network. A common and popular hack is the RAT, a Trojan horse that can easily be placed on an unsuspecting user’s phone, computer, or other network device. These RATs or “remote access terminals” can be remotely controlled to turn on your microphone and camera, and would have full access to all files and network resources. They become remotely controlled “bots” or computer zombies. The good news is that most modern virus protection will find these RATs if they are installed on a host computer. What about that appliance you just added to your network, the one for which you do not have root access privileges? You would never even know the RAT was there, and you do not even have access permission to check!

Business owners, regardless of their personal level of technical savvy, need to question every device installed on their enterprise network. Who owns the box and who administers the box? Do you have root administrative authority on every device in your network? If not, why not?