Provisioning Polycom, Yealink, and Grandstream phones from FreePBX
Hand-configuring a SIP phone through its web UI is fine for one phone. For five, ten, or fifty — you want auto-provisioning: the phone boots, fetches its config from your PBX, registers, and just works. This article covers the auto-provisioning workflow for the three vendors most LYLIX customers use: Polycom, Yealink, and Grandstream.
What auto-provisioning does
The phone boots. It looks up a configuration server URL (either from DHCP option 66, from a built-in default, or from a manually entered URL during initial setup). It downloads its config file from that URL — typically named by the phone's MAC address (e.g. 0004f2123456.cfg). It applies the config and reboots into the configured state.
FreePBX®'s Endpoint Manager module is the canonical tool. It maintains per-MAC config files for all your provisioned phones, serves them over HTTP/HTTPS/FTP/TFTP, and templates the configs from your extensions.
Install Endpoint Manager
Endpoint Manager is a commercial FreePBX module — you'll need to buy a license from Sangoma. Once licensed:
- Admin → Module Admin
- Check Online for the Endpoint Manager module
- Install and Apply Config
- Activate the license under Admin → System Admin → License
Open the module: Settings → Endpoint Manager → Global Settings.
Open-source alternative: OSS Endpoint Manager
The community maintains an open-source fork (OSS-EndPoint) covering the most common phones. Less polished but free; available via the module admin's third-party repos.
Global Settings — set these once
- External IP / FQDN: your PBX's public hostname or IP. This is what the phones will use as the SIP server.
- Internal IP / FQDN: typically the same as external for a single-network deployment.
- Provisioning Protocol: HTTPS recommended. Phones need to trust the cert; use a real Let's Encrypt cert (see the Let's Encrypt article), or distribute your CA root to the phones.
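- Provisioning Username / Password: HTTP Basic auth for the provisioning URL. Phones include these in the request, so a client without the credentials cannot pull configs. Basic auth is only base64-encoded, not encrypted, so it protects the configs in transit only when the provisioning protocol is HTTPS.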
- Timezone: matches your PBX timezone.
- Time Server: pool.ntp.org works; phones use it for clock sync.
Save.
Create a "template" per phone model
Each phone model has slightly different config syntax (Polycom uses XML; Yealink and Grandstream use key=value text). Endpoint Manager has built-in templates for major models.
- Brands tab — pick the vendor (Polycom, Yealink, Grandstream, etc.).
- Find your specific model in the list.
- Click to load the template; tweak it if needed (timeout values, codec preferences, ringtones). Defaults are usually fine.
- Save.
Map extensions to phones
- Extensions Mapping tab.
- Find the extension you created earlier (1001, 1002, etc.).
- Pick the phone's brand, model, and template you saved.
- Enter the phone's MAC address (printed on the back of the phone — 12 hex digits, often shown as 00:04:f2:12:34:56 or 0004f2123456).
- Save.
Endpoint Manager generates a per-MAC config file at the provisioning URL.
Point the phone at the provisioning server
Polycom
- From the phone's menu: Settings → Advanced → Admin Settings → Network Configuration → Provisioning Server (Admin password default is 456 on most models; change it).
- Set:
  - Server Type: HTTPS (or HTTP, TFTP, FTP — match what you configured in EPM)
  - Server Address: provisioning.yourpbx.com (the URL EPM shows; usually https://provisioning.yourpbx.com/pbxprov/)
  - Server User / Password: from Global Settings
- Save. Phone reboots, fetches config, registers.
Yealink
- Web UI: open http://<phone-IP>/. Default admin/admin (change it immediately).
- Settings → Auto Provision.
- Set the Server URL to the EPM URL (HTTPS recommended).
- Enter the provisioning username/password.
- Click Auto-provision Now. Phone fetches config, reboots.
Grandstream
- Web UI: open http://<phone-IP>/. Default admin/admin (change it).
- Maintenance → Upgrade and Provisioning.
- Set Config Upgrade Via to HTTPS (or HTTP).
- Config Server Path: provisioning.yourpbx.com/pbxprov/
- HTTP/HTTPS Username and Password: from EPM Global Settings.
- Save and Apply, then Reboot.
DHCP option 66 — provisioning without touching each phone
If you control the DHCP server at the site, set DHCP option 66 (also called "TFTP server name" or "Boot file server") to your provisioning URL. Phones plugged into that network will discover the URL automatically and provision on first boot — zero-touch deployment.
Example for ISC dhcpd:
option tftp-server-name "https://provisioning.yourpbx.com/pbxprov/";
For pfSense / OPNsense, the DHCP options UI exposes this directly.
Common gotchas
- HTTPS cert mismatch: phones validate the TLS cert. If you used self-signed, phones reject it. Use Let's Encrypt or distribute your CA root to each phone manually.
- NAT / firewall: phone is behind NAT, RTP doesn't traverse correctly. See SIP behind NAT.
- MAC address typo: phone fetches the wrong config or no config. Triple-check; some phones display the MAC on the boot screen briefly.
- Wrong template: phone provisions but registers with default codecs or wrong features. Check the EPM template settings; some models have model-revision-specific quirks.
- Phone caches old config: after a config change in EPM, force a re-provision either by rebooting the phone or sending a "check config" SIP NOTIFY from the EPM UI.
Hardening — once it works, lock it down
- Change the phone's web UI password on every phone. Don't ship with admin/admin or 456.
- Disable phone web UI after provisioning if you don't need ongoing access. EPM template can do this.
- Restrict provisioning URL access by source IP if you can — only phones at known locations need access to the provisioning server.
- Rotate provisioning credentials annually and re-provision all phones.
- SIP over TLS rather than UDP if any phones are at sites outside your trusted network. EPM template can enable TLS per-extension.
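One way to verify the source-IP restriction and catch MAC typos is to audit the provisioning server's access log. This is an added example, not part of Endpoint Manager or the original article; it assumes a combined-format web server log that records client IPs and the /pbxprov/<mac>.cfg layout from the examples above, and the networks, MAC map and log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed values for this example: site networks and the EPM MAC-to-extension map.
SITE_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.16/28")]
PROVISIONED = {"0004f2123456": "1001", "0004f2abcdef": "1002"}

# Combined log format with client IPs (no hostname lookups); the
# /pbxprov/<mac>.cfg layout is assumed from the article's examples.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /pbxprov/(?P<name>[^" ?]+)[^"]*" (?P<status>\d{3}) '
)

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[:.\-]", "", text.lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def audit(lines):
    """Group suspicious provisioning requests as {finding: [(ip, mac, status)]}."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a provisioning request
        ip = ipaddress.ip_address(m["ip"])
        mac = normalize_mac(m["name"].rsplit(".", 1)[0])
        status = int(m["status"])
        event = (str(ip), mac, status)
        if status == 401:  # missing or wrong Basic auth credentials
            findings["auth_failure"].append(event)
        if mac is not None and mac not in PROVISIONED:  # typo or guessing
            findings["unknown_mac"].append(event)
        if not any(ip in net for net in SITE_NETWORKS):
            # A 200 here means a config file was served outside the known sites.
            findings["offsite_served" if status == 200 else "offsite_request"].append(event)
    return dict(findings)

SAMPLE_LOG = [  # constructed log lines
    '203.0.113.20 - phones [12/May/2025:08:01:10 +0000] "GET /pbxprov/0004f2123456.cfg HTTP/1.1" 200 4312 "-" "-"',
    '203.0.113.21 - phones [12/May/2025:08:02:44 +0000] "GET /pbxprov/0004f2abcdee.cfg HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.77 - - [12/May/2025:09:15:02 +0000] "GET /pbxprov/0004f2123456.cfg HTTP/1.1" 401 381 "-" "-"',
    '192.0.2.77 - phones [12/May/2025:09:15:09 +0000] "GET /pbxprov/0004f2123456.cfg HTTP/1.1" 200 4312 "-" "-"',
]

if __name__ == "__main__":
    for finding, events in audit(SAMPLE_LOG).items():
        print(finding, events)
```

Any entry under offsite_served is a reason to rotate the provisioning credentials and re-provision, since a config file reached an address outside your sites.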
Multi-site deployments
If you're rolling out 20+ phones across multiple sites:
- Pre-configure DHCP option 66 at each site to point at the PBX.
- Add all phones to EPM Extensions Mapping in advance with their MACs.
- Phones ship to sites, plug in, provision themselves on first boot, hit the SIP server.
- Local IT confirms each one registers; nothing else for them to do.
That's the zero-touch dream. Getting there takes one careful setup; once it works for one phone, it works for all of them.
FreePBX® and Asterisk® are registered trademarks of Sangoma Technologies Corporation. Polycom, Yealink, and Grandstream are trademarks of their respective owners.