Polycom RealPresence Clariti Advanced

Transcription

1 SOLUTION GUIDE February A Polycom RealPresence Clariti Advanced

2 Copyright 2018, Polycom, Inc. All rights reserved. No part of this document may be reproduced, translated into another language or format, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc America Center Drive San Jose, CA USA Trademarks Polycom, the Polycom logo and the names and marks associated with Polycom products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom. Disclaimer While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document. Limitation of Liability Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages. End User License Agreement BY USING THIS PRODUCT, YOU ARE AGREEING TO THE TERMS OF THE END USER LICENSE AGREEMENT (EULA). IF YOU DO NOT AGREE TO THE TERMS OF THE EULA, DO NOT USE THE PRODUCT, AND YOU MAY RETURN IT IN THE ORIGINAL PACKAGING TO THE SELLER FROM WHOM YOU PURCHASED THE PRODUCT. Patent Information The accompanying product may be protected by one or more U.S. and foreign patents and/or pending patent applications held by Polycom, Inc. Open Source Software Used in this Product This product may contain open source software. You may receive the open source software from Polycom up to three (3) years after the distribution date of the applicable product or software at a charge not greater than the cost to Polycom of shipping or distributing the software to you. To receive software information, as well as the open source software code used in this product, contact Polycom by at OpenSourceVideo@polycom.com (for video products) or OpenSourceVoice@polycom.com (for voice products). Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback. your opinions and comments to DocumentationFeedback@polycom.com. Polycom Support Visit the Polycom Support Center for End User License Agreements, software downloads, product documents, product licenses, troubleshooting tips, service requests, and more.

3 Contents Polycom RealPresence Clariti Solution Overview... 5 Planning the RealPresence Clariti Solution...6 RealPresence Clariti Solution Architecture... 6 RealPresence Clariti Solution Use Case...7 Company Network Introduction... 7 Scheduling a Meeting...7 Connecting to Meetings...7 RealPresence Clariti Solution Components Preparing for System Installation RealPresence Clariti Solution Software Installation and Network Configuration...16 Configuring RealPresence Resource Manager Configuring Certificates...17 Create a Certificate Signing Request Request a Certificate...20 Install the Certificate...22 Integrating with an Enterprise Directory Prestage Machine Account for RealPresence Resource Manager Integrate with the Enterprise Directory Server Integrate with RealPresence DMA Configure the Mail Server Site Topology Setup...29 Add a Site...30 Add a Site Link Add a Network Cloud Add a Territory...39 Working with Provisioning Profiles Configure Network Provisioning Profile...41 Configure Admin Config Provisioning Profile Add a Provisioning Rule...46 Auto-Generate SIP URI...48 Configure E.164 Numbering...50 Add a User Polycom, Inc. 1

4 Contents Provision Endpoint Configuration for RealPresence Access Director Integration...54 Add RealPresence Access Director to the RealPresence Resource Manager Network Device List...54 Define a New Site in the RealPresence Resource Manager...56 Create RealPresence Access Director Provisioning Profiles Create Network Provisioning Profile for Endpoints That Connect to RealPresence Access Director...60 Create Provisioning Rule...65 Configure Site Links to Connect RealPresence Access Director Site with Existing Topology...67 Configuring RealPresence DMA Configuring Certificate...69 Create a Certificate Signing Request Request a Certificate...70 Install the Certificate...72 Integrate with the Microsoft Active Directory...72 Integrate with MCU Add an MCU Pool Add an MCU Pool Order Configure Conference Template with 2048 kbps Line Rate...79 Configure Conference Settings Add Conference Rooms...89 Edit Personal VMR...92 Create Virtual Entry Queue Enable WebRTC Signaling Configure the RealPresence DMA Gatekeeper Call Mode Configuring RealPresence Collaboration Server Configure Gatekeeper and SIP Server Configure Soft MCU for WebRTC Configuring Certificates on the RealPresence Collaboration Server Generate a Certificate Request Request a Certificate Install Certificates Configure System Flag Define Recording Links from RealPresence Collaboration Server Configuring RealPresence Access Director RealPresence Access Director Considerations Polycom, Inc. 2

5 Contents RealPresence Access Director Installation and Network Configuration Install the RealPresence Access Director System Software Using Your Virtual Environment Tools Assign a Static IP Address License Your System with RealPresence Resource Manager Virtual Edition Initial Configuration Configure Time Settings Configuring Certificates Create a Certificate Signing Request Request a Certificate Install the Certificate Required Ports Management Access SIP Signaling H.323 Signaling Access Proxy Media TURN Server RealPresence Access Director and RealPresence Resource Manager Integration Configuring Access Proxy Settings Provision the RealPresence Access Director System RealPresence Access Director and RealPresence DMA Integration Configure SIP and H.323 Settings Configure the Classless Inter-Domain Routing RealPresence Access Director and RealPresence Web Suite Integration Add the Next Hop Based on the Host Header Filter Configure HTTP Tunnel Settings Configure TURN Settings for WebRTC Configure Endpoints Configuring RealPresence Media Suite Configuring Certificates Create a Certificate Signing Request Request a Certificate Install the Certificate Configure Media Storage Set up the Gatekeeper Validate the Recording Configuring RealPresence Web Suite Configuring Certificates for RealPresence Web Suite Polycom, Inc. 3

6 Contents Generate a Certificate Signing Request Copy a Certificate Signing Request Request a Certificate Download the CA Root Certificate Upload a Certificate to the RealPresence Web Suite Services Portal Upload a Certificate to the RealPresence Web Suite Experience Portal Set the RealPresence Web Suite Date and Time RealPresence Web Suite Services Portal Server Settings Configure the RealPresence Web Suite Services Portal Using LDAP Enable Notifications for Users Set Web Addresses for the Portals Add a RealPresence DMA System Add Access Points Configure the MCU Pool Order and Conference Template RealPresence Web Suite Experience Portal Conference Settings Configure Conference General Settings Configure the Portal Authentication Agent Configure the Conference Agent Enable Enhanced Content Sharing Configure WebRTC Products Tested with this Release Known Issues Polycom, Inc. 4

7 Polycom RealPresence Clariti Solution Overview Polycom RealPresence Clariti is a complete infrastructure solution that you can install, license, and deploy with ease. From standard video conferencing and collaboration components to add-ons like advanced analytics and video content management, the RealPresence Clariti solution provides you the flexibility to select implementation options based on your needs. RealPresence Clariti includes: Desktop and mobile clients and soft endpoint management Content sharing and real-time collaboration accessible through a web browser Video, audio, and content bridging for H.323, SIP, and WebRTC calls up to 1080p An H.323/SIP video call control engine for simplified dial plans, automated VMR creation, bridge visualization, and UC integrations A video firewall edge application providing H.323/SIP dialing and registration for remote workers and business to business (B2B), and business to customer (B2C) user scenarios Automated scheduling, provisioning, and monitoring of software, and hardware-based video conferencing and Polycom voice solutions Video recording and streaming with a free trial of Polycom RealPresence Media Suite, which transforms any workspace into a media studio Powerful analytics that monitor performance, capacity, and utilization to improve user experiences, drive higher adoption, and empower decision making A standards-based solution with a rich set of SDKs, developer s forum, and that Polycom Sandbox for custom integrations Polycom, Inc. 5

8 Planning the RealPresence Clariti Solution Topics: RealPresence Clariti Solution Architecture RealPresence Clariti Solution Use Case RealPresence Clariti Solution Components Preparing for System Installation Before installing and configuring the RealPresence Clariti solution, you must plan your RealPresence Clariti solution according to the meeting requirements and company network. RealPresence Clariti Solution Architecture The RealPresence Clariti solution incorporates a full suite of endpoints, infrastructure components, and centralized management tools. The following figures show the RealPresence Clariti solution reference architecture. RealPresence Clariti Advanced Architecture Polycom, Inc. 6

9 Planning the RealPresence Clariti Solution RealPresence Clariti Solution Use Case This section introduces a typical RealPresence Clariti Solution use case which includes company network design and RealPresence Clariti Solution workflow in the company environment. Company Network Introduction Company A is a global firm and has deployed the entire RealPresence Clariti solution in the headquarters data center. Polycom provides flexible modes for company network design. RealPresence Clariti Advanced Network Scheduling a Meeting The organizer decides to contact others and plan a time, location, and media resources for an upcoming video call. The call can be either informal or ad-hoc model, or follows a more formal scheduling process such as from company exchange server. Connecting to Meetings Depending on the deployed workflow model and the device from which a user is connecting, users can connect to meetings by dialing a VMR from a remote control or Polycom Touch Control, clicking on a SIP URI from a desktop client, or walking into a room to join a conference that was scheduled in advance. To better explain the options available to you when configuring how users connect to meetings, this topic provides a sample company and a list of workflows they use. Polycom, Inc. 7

10 Planning the RealPresence Clariti Solution Example Company A Company A is configured with the following conditions and network configurations. Employee meeting rooms are high-definition meeting rooms limited to 2 Mbps. Company A supports video conferencing participation from both internal and external users using RealPresence Web Suite, which enables users to schedule meetings using the RealPresence Web Suite Services Portal and enables anyone to join meetings over a web browser. On average, Company A sees approximately 70 % utilization of the core infrastructure. Most meetings include 5 10 participants along with a mixture of different endpoint types and locations. Some meetings are highly collaborative where many users share content while discussing the material; others consist of a group meeting or staff meeting lead primarily by one speaker or location at a time. For the most part, the company has adopted a meet on the bridge strategy, but some users still call point-to-point. The help desk handles company-wide meetings or specific vendor events where they want the events scheduled and dialed out. These are typically high-definition conferences that utilize a mixture of devices and connection methods, including dial-in audio and RealPresence Web Suite connections. These calls typically have a high level of attendance from all locations and can span more than one RealPresence Collaboration Server. Company A settles on three distinct workflows to enable all employees to collaborate simply and easily without much user training or help desk support. Dialing in by Personal VMR In Company A s dial-in model, users are assigned a persistent personal VMR through Active Directory integration, which enables users to dial into their own VMR whenever they wish. No operator or Video Network Operations Center (VNOC) is required to monitor or schedule conferences. The advantages of this model are as follows: Self-service conferencing Low conference admin overhead Users connect to meetings from multiple types of devices, including room systems, desktop clients, and mobile devices From an IT perspective, video conferencing usage in Company A is about 90 % self-service once each employee receives a personal VMR. Polycom, Inc. 8

11 Planning the RealPresence Clariti Solution Personal VMR Workflow The users are in the Headquarter and home office of the Company A or will connect to the VMR from the Internet. All endpoints and clients are directly registered to the RealPresence DMA or RealPresence Access Director of Company A. All users establish an audio or video call to the VMR using the Remote Control, Touch Control, RealPresence Touch, Web UI, and Keypad. The VMR can be called by dialing the E.164 number, SIP/TEL URI or IP address + Dial String (## using manual dial, speed dial button and directory entry. All IVR services are available. During the call, content can be sent from each user using VGA, HDMI, USB, UI, Web UI, People&Content IP, Pano, and RealPresence Desktop. Content is received from all other users as dual stream (H.239/BFCP/HTML5) in the highest available resolution and frame rate. Automatic recording or manual recording is available. Transcoding of audio, video, and content algorithm and speed is available. The highest available bandwidth for each call is based on the VMR profile setting. Operator-Assisted Conferencing (Dial-Out) In Company A s dial-out model, users do not start or stop their own conferences. Instead, they use a centralized reservation service that is managed either by an internal service desk or by an external VNOC. This method of connecting to meetings is very popular with certain workgroups that schedule meetings that take place in conference rooms. The video conference starts automatically according to the schedule without any user interaction. Polycom, Inc. 9

12 Planning the RealPresence Clariti Solution Multipoint meetings at Company A are usually scheduled in advance and initiated using operator assisted services. The operator sets up the conference by dialing out to all participants so the user does not need to launch the call locally. Speed-Dial to Virtual Entry Queue Users within the Company A video environment can also connect using the Speed-Dial to Virtual Entry Queue (VEQ) workflow model. This method enables video attendees and voice callers to easily dial into a VMR by using DTMF codes to enter the conference ID, where all participants can join the conference bridge. In this case, audio users dial the Company A headquarters using the toll free number and enter a VEQ where the IVR service asks for the conference ID. Internally, all video users can dial to call into the VEQ. This solution is adapted to help people who feel that using multiple button functions on the remote control to connect to a conference causes confusion and frustration. This dialing method reduces the functions of the remote control to just one entering the conference ID (VMR number) whenever a user clicks any button on the remote control. Polycom, Inc. 10

13 Planning the RealPresence Clariti Solution Speed-Dial to Virtual Entry Queue Workflow The users are in the Headquarters and home office of the Company A or will connect to the VEQ through the Internet. All endpoints and clients are directly registered to the RealPresence DMA or RealPresence Access Director of Company A. All users establish an audio or video call to the VEQ using the Remote Control, Touch Control, RealPresence Touch, Web UI and Keypad. The VEQ can be called by dialing the E.164 number, SIP/TEL URI or IP address + Dial String (## using manual dial, speed dial button and directory entry. All IVR services are available. During the call, content can be sent from each user using VGA, HDMI, USB, UI, Web UI, People&Content IP, Pano, and RealPresence Desktop. Content is received from all other users as dual stream (H.239/BFCP/HTML5) in the highest available resolution and frame rate. Automatic recording or manual recording is available. The highest available bandwidth for each call is based on the VMR profile setting. RealPresence Clariti Solution Components This section describes the system components that are used in the RealPresence Clariti solution. Polycom RealPresence DMA The Polycom RealPresence DMA system is a network-based application that manages and distributes multipoint video calls within an organization and intelligently distributes multipoint calls across networked Polycom, Inc. 11

14 Planning the RealPresence Clariti Solution conference platforms. The RealPresence DMA system provides call control for SIP and H.323 devices and serves as an H.323 Gatekeeper/SIP Registrar for up to 75,000 devices and 64 bridges based on your license. The RealPresence DMA system provides endpoint registration, call processing, and call admission control. Call control design considerations include the dial plan, endpoint addressing, call admission control, external connectivity, and general trunking requirements. Polycom RealPresence Collaboration Server The Polycom RealPresence Collaboration Server solution delivers a multiprotocol hardware- or software-based MCU that runs on an industry-standard (x86-type) server. The RealPresence Collaboration Server solution provides the following features: Universal bridging capabilities for seamless connectivity regardless of bandwidth, device, or protocol Call at any data rate or bandwidth with support for resolutions up to 1080p 60, fully transcoded Support for the latest technologies, including H.264 High Profile for optimal resource utilization Support for point-to-point calls with integrated dial-through gateway capabilities (ISDN, SIP, and H. 323) Polycom RealPresence Resource Manager The Polycom RealPresence Resource Manager system is an integrated scheduling and management platform for endpoints and video conferencing infrastructure management. In particular, it functions as the management and licensing platform for Polycom RealPresence Clariti. It also includes a rich suite of APIs for customized integration into the video network. With a Linux operating system, multitenant partitioning, and the ability to scale to 50,000 managed mobile, desktop, and Polycom RealPresence Group Series video devices, you can confidently deploy and manage your video network with RealPresence Resource Manager applications. The RealPresence Resource Manager system provides the following features: Ability to scale to 50,000 devices to manage H.323 and SIP supported endpoints, bridges, and recording servers Easy administration through comprehensive device monitoring, provisioning, management, and software revision control Directories and presence engines that provide simplified dialing An API suite for direct integrations into your key applications and systems Multitenant support for cloud-based hosting Scheduling options through the browser-based user interface or APIs for a application Polycom RealPresence Access Director The Polycom RealPresence Access Director system provides secure video collaboration from anywhere, supporting SIP and H.323 devices. Users can connect their devices and mobile clients simply and easily, reducing the cost to support the growing number of video-enabled workers in your organization without compromising network security. The RealPresence Access Director system provides the following features: An application that combines remote and B2B calling scenarios with SIP, H.323, and HTTP tunneling capabilities, enabling a seamless video collaboration experience within and beyond the firewall Collaboration over video while on the go, in the office, or from home Polycom, Inc. 12

15 Planning the RealPresence Clariti Solution Support for up to 1000 simultaneous video calls securely without requiring additional client hardware or software Leverage of existing investments in UC products and IT infrastructure, which enable you to build towards a SIP-based future Easy, secure, and reliable extension of video collaboration to your mobile workforce Polycom RealPresence Web Suite Polycom RealPresence Web Suite leverages core capabilities of the enterprise-grade video infrastructure provided by RealPresence Clariti, enabling universal access to enterprise-grade video collaboration to any business (B2B) or consumer (B2C) at the highest quality, interoperability, reliability, and security. Through the RealPresence Web Suite Services Portal, users create and participate in online video conference meetings. Users create meetings by logging in to the RealPresence Web Suite Services Portal, selecting the type of meeting they want to create, setting the meeting parameters, and entering a list of participants to invite. In RealPresence Web Suite Services Portal, administrators can create and manage users and configure the components for online video conference meetings. Polycom RealPresence Media Suite Polycom RealPresence Media Suite is a video content management solution that integrates with standards-based and telepresence video conferencing systems. As a native part of the Polycom RealPresence Clariti solution, the RealPresence Media Suite product can record or live stream meetings, manage archives, and play back recordings on a variety of client devices including tablets, smartphones, desktop and laptop computers, and standards-based video endpoints. The RealPresence Media Suite solution can be used as a standalone solution to provide video content management functions with built-in tools or integrate with third-party systems to support recording, streaming, and various content editing and management functions. The RealPresence Media Suite solution also introduces an easy-to-use User Portal where customers can easily start recording, create live events, and share media files. By leveraging RealPresence Media Suite solution with existing telepresence systems, video conferencing endpoints and video infrastructure, or familiar unified communications (UC) tools, your organization can easily convert real-time conferences and events into reusable multimedia assets. Polycom Video and Telepresence Endpoints Polycom video endpoints provide IP video telephony features and functions similar to IP voice telephony, enabling users to make point-to-point and multipoint video calls. Polycom video endpoints are classified into families based on the features they support, hardware screen size, and environment where the endpoint is deployed. Room system: Polycom RealPresence Group Series, and Polycom RealPresence Debut endpoints are an ideal fit for any type of collaborative environment, from huddle rooms to large classrooms, and open workspaces. Components of Polycom Video Architecture The RealPresence Clariti solution includes the following components: Polycom, Inc. 13

16 Planning the RealPresence Clariti Solution The RealPresence Clariti Solution Components Module Component Description Call Control RealPresence DMA Provides endpoint registration, call processing, and media resource management Conferencing RealPresence Collaboration Server Provides audio and video conferencing resources Management Applications RealPresence Resource Manager Manages client and server application Recording RealPresence Media Suite Provides Recording, Playback, and Streaming capabilities Collaboration Edge Endpoints RealPresence Access Director RealPresence Web Suite RealPresence Group Series, and Polycom RealPresence Debut Enables firewall traversal Enables B2B/B2C collaboration via browser or standard-based endpoints Room endpoints Preparing for System Installation Complete the following tasks to ensure a smooth installation. Assign IP Addresses Allocate static IP addresses at the data center for different servers. IP and Hostname for Each Component in DNS The following is an example of the network plan for the RealPresence Clariti Solution: Product FQDN Internal IP Address RealPresence Resource Manager rprm.mycompany.com RealPresence DMA dma.mycompany.com RealPresence Collaboration Server rpcs.mycompany.com RealPresence Access Director rpad.mycompany.com External IP: Public IP: RealPresence Media Suite (VMware only) rpms.mycompany.com Polycom, Inc. 14

17 Planning the RealPresence Clariti Solution Product FQDN Internal IP Address RealPresence Web Suite Experience Portal RealPresence Web Suite Services Portal rpwsep.mycompany.com rpwssp.mycompany.com RealPresence Group Series gs01.mycompany.com DNS dns.mycompany.com Gateway NFS NTP time.google.com - Hyper-V Host Mail server mail.mycompany.com - Active Directory dc.mycompany.com RealPresence Collaboration Server (management) (signalling and media) Split-horizon DNS By using split-horizon DNS, you can resolve the same FQDN differently for clients inside and outside the organization. Polycom recommends configuring the following FQDNs as split-horizon DNS records on internal and public DNS server. FQDN Resolve From Internal Network Resolve From Public Network Description rprm.mycompany.com For internal and external endpoint provisioning dma.mycompany.com For internal and external web client joining the conference rpad.mycompany.com For internal and external WebRTC client joining the conference Polycom, Inc. 15

18 RealPresence Clariti Solution Software Installation and Network Configuration Before configuring the RealPresence Clariti solution, make sure that you complete the software installation, license allocation, and network configuration for all RealPresence Clariti components. This document assumes that administrators have knowledge of the following systems, that these systems are already deployed: Microsoft Active Directory Domain name servers Components of the Polycom RealPresence Clariti solution. You can access Polycom product documentation and software at Polycom Support. Polycom, Inc. 16

19 Configuring RealPresence Resource Manager Topics: Configuring Certificates Integrating with an Enterprise Directory Integrate with RealPresence DMA Configure the Mail Server Site Topology Setup Working with Provisioning Profiles Add a Provisioning Rule Auto-Generate SIP URI Configure E.164 Numbering Add a User Provision Endpoint Configuration for RealPresence Access Director Integration The RealPresence Resource Manager is a key component of the RealPresence Clariti solution. It monitors, manages, and provisions thousands of video endpoints and provides directory, scheduling, and reporting services. It also manages the bandwidth controls and allows administrators to monitor and manage the entire video collaboration network. In particular, it functions as the management and licensing platform for Polycom RealPresence Clariti. Configuring Certificates You must install a security certificate on the RealPresence Resource Manager. Create a Certificate Signing Request The RealPresence Resource Manager needs a CA signed certificate from the Microsoft Certificate Services. Procedure 1. Go to Admin > Management and Security > Certificate Management. Polycom, Inc. 17

20 Configuring RealPresence Resource Manager 2. Click Create Certificate Signing Request. 3. In the Certificate Request Data dialog, enter the following information for your RealPresence Resource Manager system. Field Signature Algorithm Country Name Description SHA256 Two-letter (ASCII only) ISO 3166 country code in which the server is located. Polycom, Inc. 18

21 Configuring RealPresence Resource Manager Field State and Province Name Locality Name Organization Name Organizational Unit Name Common Name Description Full state or province name (ASCII only) in which the server is located. City name (ASCII only) in which the server is located. Enterprise name (ASCII only) at which the server is located. Optional: Subdivision (ASCII only) of the enterprise at which the server is located. Multiple values are permitted, one per line. The FQDN (fully qualified domain name) of the system (read-only), as defined in the network settings. Polycom, Inc. 19

22 Configuring RealPresence Resource Manager 4. Click OK. 5. In the Create Certificate Signing Request dialog, click OK. 6. In the Save As dialog, enter a unique name for the file, browse to the location to which to save the file, and click Save. 7. Open the CSR file using Notepad and copy the content. Request a Certificate You can request a certificate from a third-party Certificate Authority. Procedure 1. Navigate to the Certificate Authority and click Request a Certificate. Polycom, Inc. 20

23 Configuring RealPresence Resource Manager 2. Click the advanced certificate request. 3. Paste the CSR into the saved request field. 4. Under Certificate Template, choose Web Server with client EKU. 5. Click the Submit button. Polycom, Inc. 21

24 Configuring RealPresence Resource Manager 6. Choose Base 64 encoded, and click Download certificate. Install the Certificate Before installing a certificate or certificate chain provided by the certificate authority, be sure that you received the certificate or certificate chain in one of the following forms: A PFX, P7B, or single certificate file that you ve saved on your computer. PEM-format encoded text that you received in an or on a secure web page. Polycom, Inc. 22

25 Configuring RealPresence Resource Manager Installing or removing certificates requires a system restart. When you install a certificate, the change is made to the certificate store immediately, but the system will not recognize or use the new certificate until it restarts and reads the changed certificate store. The RealPresence Resource Manager system must be running on an Internet Explorer browser in order to upload a file. Procedure 1. Go to Admin > Management and Security > Certificate Management. 2. Click Install Certificates. 3. Click Upload Certificate, and browse to the file or enter the path and file name. 4. Click OK. Polycom, Inc. 23

26 Configuring RealPresence Resource Manager Integrating with an Enterprise Directory In a large organization, integrating your RealPresence Resource Manager system with Microsoft Active Directory greatly simplifies the task of managing conference system security. Prestage Machine Account for RealPresence Resource Manager To enable the single sign-on option, an Active Directory administrator must first prestage an Active Directory machine account for RealPresence Resource Manager. The single sign-on allows endpoint users who are included in the Active Directory to securely log in to their dynamically managed endpoint without typing in credentials. Procedure 1. On the Active Directory server, go to Start > Programs > Administrative Tools > Active Directory Users and Computers to open Active Directory Users and Computers window. 2. Select the node for your domain. 3. Right-click the Organizational Unit (OU) folder in which to add the computer account, and select New > Computer. 4. Enter the Computer name, and click OK. Polycom, Inc. 24

27 Configuring RealPresence Resource Manager 5. Open PowerShell/Command Prompt window, enter the following command to create password for your computer. net user <machine name>$ <password> /domain machine name: the computer name you just configured before. password: the desired temporary password to be used during integration. The RealPresence Resource Manager will change the password immediately upon successful integration. You have configured a machine account that you can use for RealPresence Resource Manager single sign-on. Integrate with the Enterprise Directory Server Enabling the Integrate with Enterprise Directory Server option enables RealPresence Resource Manager system users who are included in the Active Directory to log in to the RealPresence Resource Manager system interface using their network credentials. Procedure 1. Go to Admin > Directories > Enterprise Directory. Polycom, Inc. 25

28 Configuring RealPresence Resource Manager 2. On the Enterprise Directory page, select Integrate with Enterprise Directory Server. 3. Enter the DNS Name for the enterprise directory server. 4. Enter Domain\Enterprise Directory User ID and Enterprise Directory User Password. Other fields can be left as default or configure if you needed. 5. Select Allow delegated authentication to enterprise directory server. 6. Enter the Fully Qualified Host Name of the domain controller. 7. Enter the Username (Domain\<Computer Name>) and Password and click Update. Polycom, Inc. 26

29 Configuring RealPresence Resource Manager Integrate with RealPresence DMA You can integrate your RealPresence Resource Manager system with a single RealPresence DMA system to take advantage of the RealPresence DMA system s two main functions: the Conference Manager function and the call server (gatekeeper and SIP proxy/registrar) function. Procedure 1. Go to Network Device > Instances. 2. On the Instances page, select the RealPresence DMA that you want to integrate with the RealPresence Resource Manager, click the button. 3. Select Service Integration tab. 4. Select Integrate the RealPresence DMA system s conference manager and call server services with RealPresence Resource Manager system s conferencing and endpoint services, Conference Manager(MCU Pool Orders), and Call server. 5. Click OK. 6. In the Instances page, check that the is added for RealPresence DMA status. Polycom, Inc. 27

30 Configuring RealPresence Resource Manager Configure the Mail Server You can set up the account from which the RealPresence Resource Manager system will send conference notification s and system alerts. Procedure 1. Go to Admin > Server Settings > Select Allow confirmation s for scheduled conferences. 3. In the From Address text box, enter the account (ASCII only) from which the RealPresence Resource Manager system will send conference notification s and system alerts. 4. In the SMTP Server text box, specify the IP address of the SMTP server from which the RealPresence Resource Manager system will send conference notification s and system alerts. Polycom, Inc. 28

31 Configuring RealPresence Resource Manager 5. Click Update. Site Topology Setup The Site Topology feature of RealPresence Resource Manager provides a global view of the video conferencing network, showing how it is organized within groupings called Territories and direct Site Links indicating cumulative bandwidth capacity and utilization for all subnets within a Site. Site topology information describes your network and its interfaces to other networks, including the following elements: Site: A local area network (LAN) that generally corresponds with a geographic location such as an office or plant. A site contains one or more network subnets, so a device s IP address identifies the site to which it belongs. Network clouds: A Multiprotocol Label Switching (MPLS) network cloud defined in the site topology. An MPLS network is a private network that links multiple locations and uses label switching to tag packets with origin, destination, and Quality of Service (QoS) information. Note: MPLS clouds are not associated with an IP address range, so they can be used to group multiple subnets. They could also represent a service provider. While links to MPLS clouds have bandwidth and bit rate limitations, the cloud is infinite. In this way, clouds reflect the way in which businesses control bandwidth and bit rate. Internet/VPN: An entity that represents your network s connection to the public Internet. Site link: A network connection between two sites or between a site and an MPLS network cloud. Site-to-site exclusion: A site-to-site connection that the site topology doesn t permit an audio or video call to use. Territory: A grouping of one or more sites for which a RealPresence Resource Manager system is responsible. Polycom, Inc. 29

32 Configuring RealPresence Resource Manager The site topology you create within the RealPresence Resource Manager system should reflect your network design. Consider the following information and best practices when creating your site topology: If possible, connect all sites to an MPLS cloud. MPLS clouds are like corporate networks, used to connect multiple subnets in multiple sites, but all servicing a company. Avoid cross loops or multiple paths to a site; otherwise a call may have different paths to a single destination. The more cross, circular, and multi paths you have, the higher the number of calculations for a conference. Link sites that aren t connected to an MPLS cloud directly to another site that is connected to an MPLS cloud. Do not create orphan sites. Calls are routed through a bridge, so bandwidth and bit rate limits for the site and subnet apply to all calls made using that bridge. Reserve the Internet/VPN site for IP addresses that fall outside your private or corporate network (for example remote workers), because all calls routed to the Internet/VPN site will be routed through the site on your private or corporate network that has Internet access. Add a Site RealPresence Resource Manager has default site Internet/VPN, and associates with registered endpoint by default. Polycom recommends adding new site based on the needs of your network topology. You can define a new site in the system s site topology and specify which subnets are associated with it. You can define overlapping subnets within a site or between sites. Larger subnets can contain smaller ones. When the system determines which subnets a given IP address belongs to, it chooses the subnet with the longest IP match. For example: Subnet1 = /8 Subnet2 = /24 The IP address belongs to subnet2, while the IP address belongs to subnet1. Procedure 1. Go to Network Topology > Sites or Network Topology > Site Topology. To add a site in the Sites page, click. To add a site in the Site Topology page, go to Site Actions > Add. 2. Complete the General Info. The minimum information required is Site Name, Description, and Location. General Info Field Site Name Description Territory Location Description A meaningful name for the site, this name can be 64 characters (ASCII only) long. A brief description (ASCII only) of the site. Assigns the site to a territory, and thus to a RealPresence Resource Manager system. Specify the geographic location of the site either by longitude + latitude or country + city. Polycom, Inc. 30

33 Configuring RealPresence Resource Manager 3. Complete the H.323 Routing dialog. H.323 Routing Field Description Allowed via H.323 aware firewall Enables call routing through the Internet, using an H.323-aware firewall. For an outbound call to the Internet, you must enter the firewall gateway service (e.g. a Polycom RealPresence Access Director appliance) code before the IP address in the dial string. If you select Allowed via H.323 aware firewall, you must create a site link between this site and the Internet/VPN site. 4. Complete the SIP Routing dialog. Polycom, Inc. 31

34 Configuring RealPresence Resource Manager SIP Routing Field Description SIP Routing Allowed via SIP aware firewall Enables call routing through the Internet, using an SIP-aware firewall. Note: For an outbound call to the Internet, you must enter the firewall gateway service (e.g. a Polycom RealPresence Access Director appliance) code before the IP address in the dial string. If you select Allowed via SIP aware firewall, you must create a site link between this site and the Internet/VPN site. 5. Go to Subnets and click to add a new subnet. 6. Complete the Subnet dialog. Subnet Field Subnet IP Address/Mask Description Specifies the subnets within the site. For each subnet, include: IP Address range Mask Length Polycom, Inc. 32

35 Configuring RealPresence Resource Manager 7. Click OK. 8. Check the new subnet information and click OK. Add a Site Link When you add a site link, you enter the starting and ending sites of the link and the maximum bandwidth and bit rates available for calls (audio and video) that use the link. Links are bidirectional. After you have Polycom, Inc. 33

36 Configuring RealPresence Resource Manager created a link from Site A to Site B, you automatically have a bidirectional link from Site B to Site A, although the link appears as unidirectional. A link can connect two sites, or it can connect a site to an MPLS network cloud. Before you can create a site link, you must add two or more sites to the system. Procedure 1. Go to Network Topology > Site-Links. 2. In the Site-Links page, click. 3. In the Add Site-Link dialog, enter a Name and Description for the link and select the starting (From Site) and ending (To Site) sites. 4. Enter the Bandwidth and Max Bit Rate and click Save. You can define any bandwidth limitations between the two sites. The new link appears on the Site Links page. Add a Network Cloud To simplify the network topology, define network clouds to represents a hub with many sites connected to each other such as a private network or VPN. Polycom, Inc. 34

37 Configuring RealPresence Resource Manager The Network Clouds page contains a list of the MPLS (Multiprotocol Label Switching) network clouds defined in the site topology. Note: MPLS clouds are not associated with an IP address range, so they can be used to group multiple subnets and could also represent a connection to a service provider. Procedure 1. Go to Network Topology > Network Clouds. 2. In the Network Clouds page, click Add. 3. In the Cloud Info section of the Add Network Cloud dialog, enter a unique and meaningful Cloud Name and Description for the cloud. 4. Click Linked Sites to create a link between sites and the network cloud. 5. In the Search Sites field, enter all or part of the site name or location and click Search. The list of sites containing the search phrase appear in the Search Results column. 6. Select one site to link with the network cloud and then click the down arrow to move it to the Selected Sites column. Field Description Linked Sites Search Sites Search Result Enter search string or leave blank to find all sites. Lists sites show the territory, if any, to which each belongs. Select a site and click the right arrow to open the Add Site Link dialog. Polycom, Inc. 35

38 Configuring RealPresence Resource Manager Field Add Site Link Description Lists sites linked to the cloud and shows the territory, if any, to which each belongs. 7. The Add Site Link dialog appears to let you change the bandwidth limitation between this site and the MPLS cloud. Change the bandwidth limitation between each site and the MPLS cloud. You can define any bandwidth limitations between each Site and the MPLS Cloud. The following images show the bandwidth values for each site link. Polycom, Inc. 36

39 Configuring RealPresence Resource Manager Polycom, Inc. 37

40 Configuring RealPresence Resource Manager 8. Click OK. 9. Repeat the step 5 on page 35 to step 8 on page 38 to add all sites to the network cloud. Polycom, Inc. 38

41 Configuring RealPresence Resource Manager 10. Click OK. Add a Territory The Territories page contains a list of the territories defined in the site topology. Territory is a set of one or more sites for which a RealPresence DMA system is responsible. After RealPresence Resource Manager integrates with RealPresence DMA, by default, there are two territories, one is named Default RealPresence Resource Manager Territory and the other is named Default DMA Territory (DMA host name), and the RealPresence DMA instance is the primary node of the two territories. By default, the Default DMA Territory is used for communication. Polycom recommends adding new territory based on the needs of your network topology, especially in DMA supercluster environment. Procedure 1. Go to Network Topology > Territories. 2. In the Territories page, click Add. Polycom, Inc. 39

42 Configuring RealPresence Resource Manager 3. Complete the Territory Info sections of the Add Territories dialog. Field Description Territory Info Territory Name A meaningful name for the territory (up to 128 characters). Description A brief description of the territory (up to 200 characters). Primary Cluster Backup Cluster Host Conference Rooms In This Territory Enter dma.mycompany.com When integrating with a RealPresence DMA system, enter the management FQDN or IP address of the primary cluster that will manage this territory. Do this step AFTER you integrate with a RealPresence DMA system. The second node, if any, of the RealPresence Resource Manager system responsible for this territory. Enables this territory to be used for hosting conference rooms (VMRs, or virtual meeting rooms). The territory s primary and backup clusters must both be enabled for conference room hosting. No more than three territories may have this capability enabled. 4. Click OK. Working with Provisioning Profiles The Polycom RealPresence Resource Manager system enables you to use provisioning profiles and provisioning rules as a way to dynamically manage endpoint settings. Polycom, Inc. 40

43 Configuring RealPresence Resource Manager When you dynamically manage endpoints (have the endpoint use the RealPresence Resource Manager as its provisioning server), you can automatically configure them by using provisioning profiles. Configure Network Provisioning Profile Provisioning profiles contain configuration information that administrators use to remotely manage endpoints with network settings such as security, Quality of Service, gatekeeper address, SIP server address, and so on. For example, as soon as an endpoint is configured to use the RealPresence Resource Manager system for its provisioning server, it starts polling for provisioning profile updates. With network provisioning profiles, you can ensure that all dynamically managed endpoints have the optimal and correct settings respective to their network location. The RealPresence Resource Manager system comes with a default network provisioning profile Default Network Provisioning Profile that can be edited to include information specific to your environment. By default, endpoint uses this default provisioning profile for provisioning. You can edit the Default Network Provisioning Profile or add new provisioning profile and new rule using for specified site. Both of them will use the same settings introduced in this section. Polycom recommends adding new provisioning profile based on the needs of your network topology. Procedure 1. Go to Endpoint > Dynamic Management > Provisioning Profiles. 2. In the Provisioning Profiles page, click. Polycom, Inc. 41

44 Configuring RealPresence Resource Manager If you want to edit the default profile, select Default Network Provisioning Profile, and click. 3. In the General Info page, set the Profile Name and select Network Provisioning Profile for Provisioning Profile Type. 4. Select Date and Time Settings, set Country, Date Format, Time Format, andtime Server Timezone for the endpoints, which will use the profile for provisioning. 5. Select H.323 Settings, and edit the following fields: Check the Enable IP H.323 check box. Enter the RealPresence DMA IP address in the Gatekeeper Address. Select Dynamic in the User Gatekeeper for Multipoint Calls. Polycom, Inc. 42

45 Configuring RealPresence Resource Manager 6. Select SIP Settings, and edit the following fields: Check the Enable SIP check box. Enter the DMA IP address in the Proxy Server. Enter the DMA IP address in the Registrar Server. Select Auto in the Transport Protocol. Select Standard in the Server Type. 7. Select Security Settings, and edit the following fields: Check the Enable Dynamic Provisioning for IDs check box. Select When Available in the AES Encryption. Check the Enable HTTPS Only check box. Enter 443 in the Web Access Port. Polycom, Inc. 43

46 Configuring RealPresence Resource Manager 8. Click OK to save the Default Network Provisioning Profile. Configure Admin Config Provisioning Profile Admin Config provisioning profiles, allow you to create provisioning profiles that include maximum and preferred call speeds, calendaring settings, and so on. As soon as an endpoint is configured to use the RealPresence Resource Manager for its provisioning server, it starts polling for provisioning profile updates. To ensure out-of-box usability, the RealPresence Resource Manager system comes with a default Admin Config provisioning Profile. This default profile cannot be customized with any rule. You need to create new Admin Config provisioning profiles to customize endpoint configuration settings in your video environment. Procedure 1. Go to Endpoint > Dynamic Management > Provisioning Profiles. Polycom, Inc. 44

47 Configuring RealPresence Resource Manager 2. In the Provisioning Profiles page, click. If you want to edit the default profile, select Default Admin Config Provisioning Profile, and click. 3. In the Edit Profile dialog, select Call Settings. 4. Set 1920 to Maximum Speed for Receiving Calls(Kbps) and Preferred Speed for Placing Calls(Kbps). 5. Click OK. Polycom, Inc. 45

48 Configuring RealPresence Resource Manager Add a Provisioning Rule By default, endpoint will be associated with default site Internet/VPN and using Default Network Provisioning Profile and Default Admin Configure Provisioning for provisioning. No rule needs to be configured. If you have added new site and new provisioning profile, you need to add rule for the provisioning. Procedure 1. Go to Endpoint > Dynamic Management > Provisioning Rules. 2. Click. 3. In the General Info page, enter a name for the new rule and check the Active check box. 4. Click to add new condition. 5. In the Add New Condition dialog, select the following: Polycom, Inc. 46

49 Configuring RealPresence Resource Manager Type: Site Attribute: Site Operator: = Value: the site you want to use this rule for endpoint provisioning 6. Click OK. 7. Check the Condition just has been added. 8. Select Endpoint Provisioning Profile page. 9. Click the network profile you just created from Available list and move it to Selected profile list using the arrow button. Polycom, Inc. 47

50 Configuring RealPresence Resource Manager 10. Click OK. 11. Check the rule result. Auto-Generate SIP URI You can automatically generate a SIP URI for each dynamically managed endpoint according to a naming scheme you define. When you define a custom SIP URI from Active Directory fields, you can choose one of the default fields or a different Active Directory attribute. Procedure 1. Go to Endpoint > Dynamic Management > SIP URI. Polycom, Inc. 48

51 Configuring RealPresence Resource Manager 2. Check the Auto-generate SIP URIs for all users and Use the user's address as their SIP URI check boxes. The setting automatically populates the SIP URI field of each user and thus allow other endpoints to dial someone by address. Polycom, Inc. 49

52 Configuring RealPresence Resource Manager 3. Click Update. Configure E.164 Numbering You can define an E.164 address scheme that will be used when provisioning E.164 addresses to all dynamically managed endpoints. Procedure 1. Optional: Define an E.164 Address Scheme. You can keep the default setting, or configure according to your environment. a. Select Use Phone Number for the Base Field, and choose the Maximum number of digits to use. b. Click Update. Polycom, Inc. 50

53 Configuring RealPresence Resource Manager Add a User Add a local user for endpoint provision. Procedure 1. Go to User > Users and click. 2. Configure the general information of the user in the Add New User dialog. Field First Name Last Name User ID Password Address Description The user s first name The user s last name The user s unique login name. This user ID must be unique across all rooms and users and across all domains. The user s assigned password. This password must be a minimum of eight characters in length. The user s address. (The address is an ASCII-only field.) 3. Click OK. Polycom, Inc. 51

54 Configuring RealPresence Resource Manager Provision Endpoint Enable the provisioning from endpoint (take RealPresence Group Series as an example), and you can manage the RealPresence Group Series from RealPresence Resource Manager. Procedure 1. Connect the RealPresence Group Series Web UI. 2. Go to Admin Settings > Servers > Provisioning Service. 3. Check the Enable Provisioning and enter the information of the user who you create for provisioning. You also can enter the enterprise user for provisioning. 4. Click Save. The Registration Status changes to Registered after the RealPresence Group Series is provisioned successfully. 5. Go to Diagnostics > System > System Status, and check the status of Provisioning Service, Gatekeeper, SIP Registrar Server, LDAP Server, and Presence Service. Polycom, Inc. 52

55 Configuring RealPresence Resource Manager 6. Log in the RealPresence Resource Manager Web UI. 7. Go to Endpoint > Monitor View. 8. Check the Status (in green status), and click View Details for more information. 9. Check the Device Status on the right panel. 10. Check other fields for the RealPresence Group Series. 11. You can click other action to manager the RealPresence Group Series from the RealPresence Resource Manager. Polycom, Inc. 53

56 Configuring RealPresence Resource Manager Configuration for RealPresence Access Director Integration If you deploy your RealPresence Access Director system with a RealPresence Resource Manager system, the RealPresence Resource Manager system can provision some RealPresence Access Director system settings and dynamically manage (provision, upgrade, and manage) select remote endpoints. Add RealPresence Access Director to the RealPresence Resource Manager Network Device List For RealPresence Resource Manager identifies the endpoints coming through a RealPresence Access Director system by IP address, you must add the RealPresence Access Director system into RealPresence Resource Manager network device list with the internal signaling and access proxy IP address of RealPresence Access Director. Procedure 1. From the RealPresence Resource Manager user interface, go to Network Device > Instances. 2. Click to add a new RealPresence Access Director. 3. Configure the Device Type values. Field Device Type Add By Device Name Description RealPresence Access Director IP or FQDN Address A unique name for the RealPresence Access Director system. Polycom, Inc. 54

57 Configuring RealPresence Resource Manager Field Version Description The version of the RealPresence Access Director system. Management Address Admin User and Admin Password Use a RealPresence Access Director user that is reserved only for integration with the RealPresence Resource Manager system. The user must have the Administrator role. 4. Select the Service Integration tab, and enter RealPresence Access Director internal signaling and access proxy IP address in Provider-side Proxy IP Address. Depends on your RealPresence Access Director network settings, the RealPresence Access Director management address, and the internal signaling and access proxy address may be different. Polycom, Inc. 55

58 Configuring RealPresence Resource Manager 5. Click OK. Define a New Site in the RealPresence Resource Manager The RealPresence Access Director system can be configured using the RealPresence Resource Manager system s provisioning service by extending the Site Topology to include the RealPresence Access Director system. In this section, you can create a new site and specify a network segment or subnet that is enabled for the RealPresence Access Director system. Procedure 1. From the RealPresence Resource Manager user interface, go to Network Topology > Sites. 2. Click Add. 3. Complete the General Info and Subnet. Leave the default settings for H.323 Routing and SIP Routing. The IP address of Subnet must be the internal signaling address of RealPresence Access Director. Field Description General Info Site Name Description Country Code Area Code A meaningful name for the site, this name can be 64 characters (ASCII only) long. A brief description (ASCII only) of the site. The country code for the country in which the site is located. The city or area code for the site. Do not include a leading zero. For example, the city code for Paris is 01. Enter 1 in this field. Polycom, Inc. 56

59 Configuring RealPresence Resource Manager Field Territory Location Total Bandwidth (Mbps) Call Max Bit Rate (kbps) Description Choose the territory to which the site belongs. Click Specify Location and fill in the country and city and the RealPresence Resource Manager shows the location field. The total bandwidth of the pipe at the site. The maximum bandwidth that can be used for each intrasite call at the site. The default and maximum value is (2 GB). Subnets Subnet IP Address/Mask Specifies the subnets within the site. For each subnet, include: IP Address range Mask Length Total Bandwidth If this site is used for a site that includes a RealPresence Access Director system, be sure to include the subnet where the RealPresence Access Director system resides. Polycom, Inc. 57

60 Configuring RealPresence Resource Manager 4. Click OK. Create RealPresence Access Director Provisioning Profiles The RealPresence Resource Manager system provisions the configuration settings for the RealPresence Access Director system through a custom RealPresence Access Director Server Provisioning Profile. In this section, you can create the RealPresence Access Director Server Provisioning Profile that contains the IP Address information for the RealPresence DMA and RealPresence Resource Manager system. Procedure 1. From the RealPresence Resource Manager user interface, go to Endpoint > Dynamic Management > RPAD Server Provisioning Profiles. 2. Click Add. 3. In the General Info, enter a name for the new provisioning profile. 4. Select Server Provisioning Profile from Provisioning Profile Type drop-down list. Polycom, Inc. 58

61 Configuring RealPresence Resource Manager 5. Click RPAD Settings 2 tab, and configure the following server provisioning details. Field Enable IP H.323 Gatekeeper Address Enable SIP Proxy Server Registrar Server Transport Protocol Use Default Directory Server Use Default Presence Directory Server For the RealPresence Access Director system being provisioned... Check box to enable H.323 calls. Enter the IP Address or FQDN of RealPresence DMA system. Check box to enable SIP calls Enter the IP Address or FQDN of RealPresence DMA system. Enter the IP Address or FQDN of RealPresence DMA system. Select TLS or Auto. Check box to use default directory server. Check box to use default presence directory server. Polycom, Inc. 59

62 Configuring RealPresence Resource Manager 6. Configure the RPAD Settings values. 7. Click OK. Create Network Provisioning Profile for Endpoints That Connect to RealPresence Access Director You can define the connection information for the endpoints that connect to the RealPresence Access Director system. Polycom, Inc. 60

63 Configuring RealPresence Resource Manager Procedure 1. From the RealPresence Resource Manager user interface, go to Endpoint > Dynamic Management > Provisioning Profiles. 2. Click Add. 3. Add a Profile Name, and set Provisioning Profile Type to Network Provisioning Profile. 4. Click the Firewall Settings tab. Check the Enable H.460 Firewall Traversal and Enable SIP Keep Alives to provision external endpoints. Polycom, Inc. 61

64 Configuring RealPresence Resource Manager 5. Click the H.323 Settings tab. Check the Enable IP H.323 check box. Enter the external Natted IP address in the Gatekeeper Address. The managed endpoints that connect to the RealPresence Access Director system must be provisioned with the RealPresence Access Director system external natted IP address for all network settings. Enter the external natted IP address of the RealPresence Access Director system for the gatekeeper and SIP Server settings. Select Dynamic for Use Gatekeeper for Multipoint Calls. Polycom, Inc. 62

65 Configuring RealPresence Resource Manager 6. Click the SIP Settings tab. Check the Enable SIP check box. Enter the external Natted IP address in the Proxy Server and Registrar Server. 7. Select Security Settings, and edit the following fields: Check the Enable Dynamic Provisioning for IDs check box. Select When Available in the AES Encryption. Check the Enable HTTPS Only check box. Enter 443 in the Web Access Port. 8. Select Directory Settings, and edit the following fields: Polycom, Inc. 63

66 Configuring RealPresence Resource Manager Disable the Use Default Directory Server. Configure the Directory Server to the external natted address of RealPresence Access Director. 9. Select Presence Settings, and edit the following fields: Disable the Use Default Presence Server. Configure the Presence Server to the external natted address of RealPresence Access Director. 10. Click OK. Related Links Polycom, Inc. 64

67 Configuring RealPresence Resource Manager Configure Endpoints on page 173 Create Provisioning Rule So far we added RealPresence Access Director into RealPresence Resource Manager network device list, a new Site for the RealPresence Access Director system, a new RealPresence Access Director Server Provisioning Profile defining the RealPresence Access Director system connection information to the RealPresence DMA system and a Network Provisioning Profile for endpoints connecting to the RealPresence Access Director system. However, the new Site for the RealPresence Access Director hasn t been linked to the endpoint Provisioning Profile. In the section, you can create a new Provision Rule that will link the RealPresence Access Director site to the endpoint Provisioning Profile. Procedure 1. From the RealPresence Resource Manager user interface, go to Endpoint > Dynamic Management > Provisioning Rules. 2. Click Add. 3. In the General Info area, enter a name for the new rule. 4. Check the Active check box. 5. Click Add on the upper right corner. 6. Add new conditions. Type: Site Attribute: Site Operator: = Value: RealPresence Access Director site name Polycom, Inc. 65

68 Configuring RealPresence Resource Manager 7. Click OK. 8. Click Endpoint Provisioning Profile from the left panel. 9. Move the RealPresence Access Director endpoint profile to Selected Profile using the arrow and click OK. 10. Click Server Provisioning Profile from the left panel. 11. Move the RealPresence Access Director profile to Selected Profile using the arrow and click OK. Polycom, Inc. 66

69 Configuring RealPresence Resource Manager Configure Site Links to Connect RealPresence Access Director Site with Existing Topology You must create a site link that allows connections between the internal Sites and the RealPresence Access Director Site. Procedure 1. From the RealPresence Resource Manager user interface, go to Network Topology > Site- Links. 2. In the Site-Links page, click Add. 3. Add a site link to connect the RealPresence Access Director system with the internet/vpn. Polycom, Inc. 67

70 Configuring RealPresence Resource Manager 4. Click OK. 5. Follow the same steps to link RealPresence Access Director system to other Sites. Note: If other sites already have a site link with the Internet/VPN site, do not add site links between the RealPresence Access Director site and other sites. Because if the sites have a site link to the same site, the sites link to each other automatically. Polycom, Inc. 68

71 Configuring RealPresence DMA Topics: Configuring Certificate Integrate with the Microsoft Active Directory Integrate with MCU Add an MCU Pool Add an MCU Pool Order Configure Conference Template with 2048 kbps Line Rate Configure Conference Settings Add Conference Rooms Edit Personal VMR Create Virtual Entry Queue Enable WebRTC Signaling Configure the RealPresence DMA Gatekeeper Call Mode The RealPresence DMA provides redundancy, reliability, and efficiency of video services by distributing multipoint video calls across conference platforms. Configuring Certificate You must install security certificate on the RealPresence DMA. Create a Certificate Signing Request When you create a certificate signing request (CSR) from the Admin > Server > Certificates page, the system populates the CSR with the data that you enter in the Certificate Information dialog, including Subject Alternative Name (SAN) extensions. The default system-generated SAN extensions, which may vary depending on your configuration, are shown in the Value list. You can change these values or add more extensions if needed. Polycom strongly recommends that you not delete the default SAN extensions; this may cause the resulting certificate to not work with your configuration. Procedure 1. Go to Admin > Server > Certificates. 2. In the Actions list, select Create Certificate Signing Request. 3. Enter the identifying information for your Polycom RealPresence DMA system as described in the following table. Polycom, Inc. 69

72 Configuring RealPresence DMA 4. Click OK to generate the CSR. The Certificate Signing Request dialog displays the encoded request. 5. Copy the entire contents of the Encoded Request box (including the text -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) and submit it to your certificate authority. Depending on the certificate authority, your CSR may be submitted via or by pasting into a web page. 6. Click OK. Request a Certificate You can request a certificate from a third-party Certificate Authority. Procedure 1. Navigate to the Certificate Authority and click Request a Certificate. Polycom, Inc. 70

73 Configuring RealPresence DMA 2. Click the advanced certificate request. 3. Paste the CSR into the saved request field. 4. Under Certificate Template, choose Web Server with client EKU. 5. Click the Submit button. 6. Choose Base 64 encoded, and click Download certificate. Polycom, Inc. 71

74 Configuring RealPresence DMA Install the Certificate The following procedure installs the certificate or certificate chain provided by the certificate authority. It assumes that you ve received the certificate or certificate chain. Procedure 1. When you receive your certificates, return to Admin > Server > Certificates. 2. In the Actions list, select Add Certificates. 3. In the Add Certificates dialog, do one of the following: 4. Click OK. If you have a PFX, P7B, or single certificate file, click Upload certificate, enter the password (if any) for the file, and browse to the file or enter the path and file name. If you have PEM-format text, copy the certificate text, click Paste certificate, and paste it into the text box below. You can paste multiple PEM certificates one after the other. 5. Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK. Integrate with the Microsoft Active Directory You can enable integration with Active Directory. Procedure 1. In Windows Server, add the service account (read-only user account) that the RealPresence DMA system will use to read the Active Directory. Configure this account as follows: User can t change password. Password never expires. User can only access services on the domain controllers and cannot log in anywhere. 2. Log in to the RealPresence DMA system. 3. Go to Integrations > Microsoft Active Directory. 4. Check Integrate with Enterprise Directory Server. Polycom, Inc. 72

75 Configuring RealPresence DMA 5. Complete the information in the General Integration Settings section. For IP Address or FQDN, enter the IP or FQDN of domain controller. For Domain\Enterprise directory user ID, enter the domain and user ID of the account you created in 1 on page 72. For Enterprise directory user password, enter the password of the account you created in 1 on page To generate conference room IDs for the enterprise users, complete the Enterprise Conference Room ID Generation section. a. For Directory attribute, the default value is telephonenumber. You can keep the value or update it if you have other attribute for your Active Directory users. If the value is telephonenumber, make sure the Telephone number field is populated in Active Directory for the user. Polycom, Inc. 73

76 Configuring RealPresence DMA b. If necessary, edit the contents of the Characters to remove field. c. Specify the number of characters to use. After the system strips out characters to remove, it removes characters in excess of this number from the beginning of the string. Polycom, Inc. 74

77 Configuring RealPresence DMA Integrate with MCU You can add an MCU, gateway, or combination of the two to the pool of devices available to the Polycom RealPresence DMA system. Procedure 1. Go to Integrations > MCU. 2. In the Actions list, click Add. 3. In the Add MCU dialog, complete the editable fields, described in the following table. Field Name Type Integrate with conference manager Management IP address Admin user ID Description Name for the MCU (up to 32 characters; must not include any of the following:, " ;? : = *). Polycom MCU Enabled Host name or IP address for logging in to the MCU Administrative user ID with which the Polycom RealPresence DMA system can log in to the MCU. Polycom, Inc. 75

78 Configuring RealPresence DMA Field Password Description Password for the administrative user ID. Add an MCU Pool You can create more MCU pool if you have planed more VMRs for conference. Every conference room (VMR) is associated with an MCU pool order (either by direct assignment, via the user s enterprise group membership, or from the system default). The pool to which an MCU belongs, and the pool order to which a pool belongs, are used to determine which MCU is used to host a conference. Procedure 1. Go to Service Config > Conference Manager Settings > MCU Pools. 2. In the Actions list, click Add. 3. In the Add MCU Pool dialog, enter the following required information. Field Name Description Description Name of the MCU pool. Description of the pool. This should be something meaningful, such as the geographic location of the MCUs that the pool contains. Polycom, Inc. 76

79 Configuring RealPresence DMA Field Available MCUs Selected MCUs Description Lists the MCUs available to the Polycom RealPresence DMA system. Lists the MCUs included in the pool. The arrow buttons move MCUs from one list to the other. 4. Click OK. The new MCU pool appears in the MCU Pools list. The MCUs included in the pool is displayed. Add an MCU Pool Order A pool order contains one or more MCU pools and specifies the order of preference in which the pools are used. Procedure 1. Go to Service Config > Conference Manager Settings > MCU Pool Orders. 2. In the Actions list, click Add. 3. In the Add MCU Pool dialog, complete the following fields. All are mandatory. Polycom, Inc. 77

80 Configuring RealPresence DMA Field Name Description Available MCU pools Selected MCU pools Fall back to any available MCU Description Name of the MCU pool order. Brief description of the pool order. Lists the MCU pools available to the system. Lists the pools included in the pool order in their priority order. The left/right arrow buttons move pools in and out of the list. The up/down arrow buttons change the priority rankings of the pools. Indicates whether this pool order is set to fall back to any available MCU if there are no available MCUs in its pools. 4. Click OK. The new MCU pool order appears in the MCU Pool Orders list. The MCU pools included in the pool order is displayed. Polycom, Inc. 78

81 Configuring RealPresence DMA Configure Conference Template with 2048 kbps Line Rate You can add a standalone conference template and specify conference properties directly in the template. The Common Settings section applies to all MCUs. The Cisco Codian settings apply only if a Codian MCU is selected for a conference. The other sections apply only if a Polycom MCU is selected for a conference. When the RealPresence DMA system uses a standalone template for a conference, the system sends the specific properties to the MCU instead of pointing to one of the MCU s conference profiles. Procedure 1. Go to Service Config > Conference Manager Settings > Conference Templates. 2. In the Actions list, click Add. 3. Specify the Common Settings based on the field descriptions in the following table: Common Settings Field Name Description WebRTC Description Clariti-AVC-2048-HD A brief description of the conference template (up to 50 characters). WebRTC with MCUs only Conferences using this template accept WebRTC, SIP, and H.323 participants, and the system promotes these conferences to a WebRTC-capable MCU as soon as the first participant connects. 4. Specify the Polycom MCU General Settings based on the field descriptions in the following table: Polycom, Inc. 79

82 Configuring RealPresence DMA Polycom MCU General Settings Field Conference mode Cascade for size Line rate Description AVC only Standard video conferencing mode supporting the H.264 Advanced Video Coding (AVC) compression standard. In an AVC conference, the MCU transcodes the video stream to each device in the conference to provide an optimal experience, based on its capabilities. Enables conferences using this template to span Polycom MCUs to achieve conference sizes larger than a single MCU can accommodate kbps Advanced Settings Encryption Packet loss compensation (LPR and DBA) Enable FECC FW NAT keep alive Encrypt when possible Endpoints supporting encryption join encrypted; others join unencrypted. Enabled. Enabled Enabled Interval (seconds) 30 TIP compatibility Enable MS panoramic layout Font for text over video (MPMx or newer) None Disabled Allows you to specify the font type for text displayed to participants in a conference. If using Default the system will display Heiti if a Chinese language is configured. Note: This property only applies when the MCU is configured for multilingual operation with Chinese (Simplified or Traditional) selected. Polycom, Inc. 80

83 Configuring RealPresence DMA 5. Specify the Polycom MCU Video Quality based on the field descriptions in the following table: Polycom MCU Video Quality Field Video quality Max resolution Description Sharpness higher resolution Auto (the default) imposes no limit. Content Video Definition Content settings High-resolution graphics higher bit rate for better graphics resolution Polycom, Inc. 81

84 Configuring RealPresence DMA Polycom MCU Video Quality Field Content protocol Description Use H.264 cascade and SVC optimized. Multiple content resolution Enable with transcode to H.264 and H.264 cascade. Transcode to Enable with transcode to H.264 and H.264 cascade H.264 high profile Enables the H.264 High Profile set of capabilities for the content channel, which enables additional compression efficiency and allows for higher resolutions to use the same bandwidth. Send content to legacy endpoints (MPM+ or newer) Enables endpoints that don t support H.239 to receive the Content channel over the video (People) channel. 6. Specify the Polycom MCU Video Settings based on the field descriptions in the following table: Polycom MCU Video Settings Field Auto layout Description Lets the system select the video layout based on the number of participants in conference. Polycom, Inc. 82

85 Configuring RealPresence DMA 7. Specify the Polycom MCU Audio Settings based on the field descriptions in the following table: Polycom MCU Audio Settings Field Echo suppression Audio clarity NoiseBlock (MPMx or newer) Speaker change threshold Description Enables the MCU to detect and suppress echo. Available only on MCUs with MPM+ or MPMx cards. Improves the voice quality in conference of a PSTN endpoint. Available only on version 7 and newer Polycom MCUs. Enables the MCU to automatically detect and mute endpoints that have a noisy audio channel. Not available on MCUs with an MPM+ card. Select Auto. The default Auto setting is 3 seconds. Polycom, Inc. 83

86 Configuring RealPresence DMA 8. Specify the Polycom MCU Skins based on the field descriptions in the following table: Polycom MCU Skins Field Polycom MCU Skins Description Lets you choose the display appearance (skin) for conferences using this template. Not available if Telepresence mode is Yes or Video switching is enabled. 9. Specify the Polycom MCU Site Names based on the field descriptions in the following table. Polycom, Inc. 84

87 Configuring RealPresence DMA Polycom MCU Site Names Field Display mode Description On Always display site names. Font size 12 Color Text Color Display position White font on red background White font Top left Horizontal position 0 Vertical position 0 Background transparency Optional: Specify the Polycom MCU Recording based on the field descriptions in the following table. You can skip the step if no RealPresence Media Suite in your environment. Polycom MCU Recording Field Record conference Dial out recording link Indication of recording Description Upon Request Recording can be initiated manually by the chairperson or an operator. Select the recording link which is created by RealPresence Collaboration Server. Enable to displays a red dot recording indicator in the upper left corner of the video layout. Polycom, Inc. 85

88 Configuring RealPresence DMA Polycom MCU Recording Field Play recording message (V8.4 or newer) Description Enable for available with version 8.4 or newer RealPresence Collaboration Server MCUs. 11. Specify the Polycom MCU Indications based on the field descriptions in the following table: Polycom MCU Indications Field Position Recordings Description Use the drop-down menu to set the display position of the indication icons group. Enables the Recording icon, which is displayed if a recording is in progress. Polycom, Inc. 86

89 Configuring RealPresence DMA 12. Click OK. After you configure a conference template, the template is added to the conference templates list. Related Links Define Recording Links from RealPresence Collaboration Server on page 111 Configure Conference Settings Conference settings define the default conference properties for the RealPresence DMA system. You can update as your requirement or just leave it as default settings. Procedure 1. Go to Service Config > Conference Manager Settings > Conference Settings. Polycom, Inc. 87

90 Configuring RealPresence DMA 2. Complete the fields described in the following table as needed. Field Description Dialing Prefix Set to 25. Default conference template Default class of service Default maximum bit rate (kbps) Select the template that is used most frequently for VMR. Bronze Set to UNLIMITED. Default minimum downspeed bit rate (kbps) Set to 384. Default conference room territory Default MCU pool order Default conference duration Select the territory, which is used most frequently for VMR. Default MCU pool order used by the system. Set to unlimited. Polycom, Inc. 88

91 Configuring RealPresence DMA 3. Click Update to save the settings. Related Links Add Conference Rooms on page 89 Add Conference Rooms You can create custom conference rooms (for a local or enterprise user) in order to offer the user a different conferencing experience (template) or just an alternate (perhaps simpler) room ID and dial-in number. Procedure 1. Navigate to User > Users. 2. Select a user from the list. 3. In the Actions list, click Manage Conference Rooms. Polycom, Inc. 89

92 Configuring RealPresence DMA 4. In the Conference Rooms dialog, click Add. 5. In the Add Conference Room dialog, edit the General Settings fields in the following table as required. You can update the other fields or keep them in default. General Settings Field Room ID Conference template Territory MCU pool order Description The unique ID of the conference room. Click Generate to let the system pick a random available ID. If using alphanumeric conference room IDs, don t include multiple consecutive spaces or the following characters: ()&%#@ "':;, If the ID includes any other punctuation characters, it must start with an alphanumeric character and end with an alphanumeric character. Use the setting configured in Conference Settings. You can check the item for update. Use the setting configured in Conference Settings. You can check the item for update. Use the setting configured in Conference Settings. You can check the item for update. Polycom, Inc. 90

93 Configuring RealPresence DMA 6. Optional: In the Add Conference Room dialog, edit the Passcodes and Aliases fields in the following table as required. Passcodes and Aliases Field Chairperson passcode Conference passcode Description The numeric passcode that identifies chairperson in this room s conferences. If none, the room s conferences don t include the chairperson feature. The numeric passcode that participants must enter to join this room s conferences. If none, the room s conferences don t require a passcode. Polycom, Inc. 91

94 Configuring RealPresence DMA 7. Click OK. You can check the new VMR from the room list. Related Links Configure Conference Settings on page 87 Edit Personal VMR You cannot delete the conference room, but can edit the enterprise conference room. Procedure 1. Go to Integrations > Microsoft Active Directory for checking or updating the settings. The default value for Directory attribute is telephonenumber, you can keep the value or update it if you have other attribute for your Active Directory users. Polycom, Inc. 92

95 Configuring RealPresence DMA 2. Login RealPresence DMA using an enterprise user who has the Administrator role. After RealPresence DMA integrated with Active Directory server, the user used for the integration has administrator role. 3. Go to User > Users. 4. Click, and select one domain and click Search. If the enterprise user has Telephone Numbers configured on Active Directory server, an enterprise conference room number is listed in the Conference Rooms. 5. Select the enterprise user and click Manage Conference Rooms. 6. Select the enterprise room and click Edit. The indicates that it is an enterprise conference room. Polycom, Inc. 93

96 Configuring RealPresence DMA 7. Update the conference room settings or keep the settings in default. Create Virtual Entry Queue You can create a Virtual Entry Queue (VEQ) for RealPresence DMA. Procedure 1. Defining a New Entry Queue on RealPresence Collaboration Server. a. In the RMX Management pane, in the Rarely Used menu, click Entry Queues. Polycom, Inc. 94

97 Configuring RealPresence DMA b. In the Entry Queues list pane, click. c. Define the parameters for new entry queue. Fields Display Name Profile ID Entry Queue Mode Description The Display Name is the conferencing entity name in native language character sets to be displayed in the Collaboration Server Web Client. Select the Profile to be used by the Entry Queue. Enter a unique number identifying this conferencing entity for dial-in. Default string length is 4 digits. Select IVR only Service Provider. Polycom, Inc. 95

98 Configuring RealPresence DMA 2. Log in to the RealPresence DMA system. 3. Go to Service Config > > Conference Manager Setting > Shared Number Dialing. 4. Click + Add Virtual Entry Queue. 5. Define the parameters for VEQ. Fields Virtual entry queue number Polycom MCU entry queue Description Should be the same as Entry Queue ID that is configured by RealPresence Collaboration Server. Select the Entry Queue that is just created by RealPresence Collaboration Server. Polycom, Inc. 96

99 Configuring RealPresence DMA Enable WebRTC Signaling You can enable WebRTC signaling if you have WebRTC clients on your network. Procedure 1. Go to Admin > Server > Signaling Settings. 2. Select Enable WebRTC signaling. 3. Click Update. Configure the RealPresence DMA Gatekeeper Call Mode If RealPresence Access Director is integrated with RealPresence DMA, Polycom recommends configuring the gatekeeper call mode with Route call mode. Procedure 1. From the RealPresence DMA user interface, go to Service Config > Call Server Settings. 2. Go to H.323 Settings. 3. Set Routed call mode to Gatekeeper call mode. Polycom, Inc. 97

100 Configuring RealPresence DMA 4. Click Update. Related Links Configure SIP and H.323 Settings on page 164 Configure the Classless Inter-Domain Routing on page 165 Polycom, Inc. 98

101 Configuring RealPresence Collaboration Server Topics: Configure Gatekeeper and SIP Server Configure Soft MCU for WebRTC Configuring Certificates on the RealPresence Collaboration Server Configure System Flag Define Recording Links from RealPresence Collaboration Server Collaboration Servers are high performance, scalable MCUs that provide feature-rich, easy-to-use, multipoint, voice and video conferencing. Collaboration Servers can be used as a standalone devices to run voice and video conferences or used as part of a RealPresence Clariti solution provided by Polycom. Configure Gatekeeper and SIP Server For the best practice, Polycom recommends configuring gatekeeper and SIP server. Procedure 1. Connect to RealPresence Collaboration Server through RMX Web Client/RMX Manager application. 2. Go to RMX Management > Rarely Used > IP Network Services. 3. Double click the Default IP Service from the IP Network Services page. Polycom, Inc. 99

102 Configuring RealPresence Collaboration Server 4. Go to Gatekeeper and complete the fields. Gatekeeper Field Gatekeeper Primary Gatekeeper IP Address or Name Alternate Gatekeeper IP Address or Name Description Select Specify to enable configuration of the gatekeeper IP address. When Off is selected, all gatekeeper options are disabled. Enter either the gatekeeper s host name as registered in the DNS or IP address. Enter the DNS host name or IP address of the gatekeeper used as a fallback gatekeeper used when the primary gatekeeper is not functioning properly. Note: When in IPv4&IPv6 or in IPv6 mode, it is easier to use Names instead of IP Addresses. Alternate Gatekeeper IP Address or Name Enter the DNS host name or IP address of the gatekeeper used as a fallback gatekeeper used when the primary gatekeeper is not functioning properly. Note: When in IPv4&IPv6 or in IPv6 mode, it is easier to use Names instead of IP Addresses. MCU Prefix in Gatekeeper Enter the number with which this Network Service registers in the gatekeeper. This number is used by H.323 endpoints as the first part of their dial-in string when dialing the MCU. When another gatekeeper is used, this prefix must also be defined in the gatekeeper. Polycom, Inc. 100

103 Configuring RealPresence Collaboration Server Gatekeeper Field Register as Gateway Description Select this check box if the RealPresence Collaboration Server is to be seen as a gateway, for example, when using a Cisco gatekeeper. Note: Do not select this check box when using Polycom ReadiManager or a Radvision gatekeeper. Refresh Registration every seconds The frequency with which the system informs the gatekeeper that it is active by re-sending the IP address and aliases of the IP cards to the gatekeeper. If the IP card does not register within the defined time interval, the gatekeeper will not refer calls to this IP card until it re-registers. If set to 0, re-registration is disabled. Note: It is recommended to use default settings. This is a re-registration and not a keep alive operation an alternate gatekeeper address may be returned. Aliases Alias The alias that identifies the Collaboration Server s Signaling Host within the network. Up to five aliases can be defined for each Collaboration Server. Note: When a gatekeeper is specified, at least one alias must be entered in the table. Additional aliases or prefixes may also be entered. Type The type defines the format in which the card s alias is sent to the gatekeeper. Each alias can be of a different type: H.323 ID (alphanumeric ID) E.164 (digits 0-9) ID ( address format, e.g. abc@example.com) Participant Number (digits 0-9, * and #) Note: Although all types are supported, the type of alias to be used depends on the gatekeeper s capabilities. Polycom, Inc. 101

104 Configuring RealPresence Collaboration Server 5. Click OK. Configure Soft MCU for WebRTC The RealPresence Collaboration Server, Virtual Edition, supports configuring up to two IP Network services: First mandatory IP Network service is used for either a generic or a Microsoft service. Second optional IP Network service is used for the WebRTC service. The WebRTC service is configured through RealPresence Collaboration Server, Virtual Edition, but all WebRTC functions are processed on a modular MCU. Polycom, Inc. 102

105 Configuring RealPresence Collaboration Server Procedure 1. In the RealPresence Collaboration Server (RMX) web browser, in the RealPresence Collaboration Server Management pane, expand the Rarely Used list and click IP Network Services. 2. In the IP Network Services pane, click New IP Service. 3. Set the IP configuration for WebRTC in IP tab. Select SIP for WebRTC network service. 4. Select the Ports tab to configure the port information. 5. Select the SIP Servers tab. Configure the following parameters: SIP Server: Specify SIP Server Type: WebRTC Polycom, Inc. 103

106 Configuring RealPresence Collaboration Server 6. Select the SIP Advanced tab. Configure the following STUN and TURN server settings: The STUN and TURN IPs are RealPresence Access Director external address. The TURN Server User Name and TURN Server Password must be the same as the configuration in RealPresence Access Director. Polycom, Inc. 104

107 Configuring RealPresence Collaboration Server Related Links Configure TURN Settings for WebRTC on page 170 Configuring Certificates on the RealPresence Collaboration Server You must install a security certificate on the RealPresence Collaboration Server solution. Generate a Certificate Request Create a management and signaling certificates. Procedure 1. In the RMX web client, go to Setup > RMX Secured Communication > Certification Repository > Personal Certificates. 2. Select IP Network Service. 3. Click Add. Polycom, Inc. 105

108 Configuring RealPresence Collaboration Server 4. Select IP Network Service for Network Service Name and CSR for Certificate Method. 5. Click Create Certificate Request. 6. Enter the CSR value, and click Copy Request. Polycom, Inc. 106

109 Configuring RealPresence Collaboration Server Request a Certificate You can request a certificate from a third-party Certificate Authority. Procedure 1. Navigate to the Certificate Authority and click Request a Certificate. 2. Click the advanced certificate request. Polycom, Inc. 107

110 Configuring RealPresence Collaboration Server 3. Paste the CSR into the saved request field. 4. Under Certificate Template, choose Web Server with client EKU. 5. Click the Submit button. 6. Choose Base 64 encoded, and click Download certificate. Polycom, Inc. 108

111 Configuring RealPresence Collaboration Server Install Certificates This section shows you how to install the chain certificates. Procedure 1. Open the certificate file and copy the certificate content. 2. In the RMX web client, go to Setup > RMX Secured Communication > Certification Repository > Personal Certificates. 3. Click Paste Certificate. 4. Click Send Certificate. Polycom, Inc. 109

112 Configuring RealPresence Collaboration Server Configure System Flag In cascading conference, Polycom recommends setting the system flag for enabling the content snatch among endpoints which are in different MCUs. Procedure 1. Go to Setup > System Configuration > System Configuration. The System Flags dialog opens. 2. In MCMS_PARAMETERS_USER page, click New Flag. 3. Set the value of the ENABLE_CONTENT_SNATCH_OVER_CASCADE system flag to YES. Polycom, Inc. 110

113 Configuring RealPresence Collaboration Server 4. Click OK. 5. Set the value of NUM_OF_INITIATE_HELLO_MESSAGE_IN_CALL_ESTABLISHMENT system flag to 3 for NAT Firewall deployment. Check the new flag has been added to the system. Define Recording Links from RealPresence Collaboration Server RealPresence Collaboration Server can dial out to the RealPresence Media Suite for a conference recording. Recording conferences is enabled through a dial-out Recording Link, which is a dial-out connection from the conference to the RealPresence Media Suite. Procedure 1. In the RealPresence Collaboration Server Management pane, click Recording Links ( ). 2. In the Recording Links list, click New Recording Link ( ). The New Recording Link dialog is displayed. 3. Define the New Recording Link parameters. Polycom, Inc. 111

114 Configuring RealPresence Collaboration Server Parameter Name Type Description Displays the default name that is assigned to the Recording Link. If multiple Recording Links are defined, it is recommended to use a descriptive name to be indicated the VRR to which to associate it Default: Recording Link Select the network environment: H.323 SIP Polycom recommends selecting H.323. IP Address If no gatekeeper is configured, enter the IP Address of the RealPresence Media Suite. If a gatekeeper is configured, you can either enter the IP address or an alias (see the alias description). If SIP server is configured, enter the IP address of the SIP server instead of the IP address of RealPresence Media Suite. Polycom, Inc. 112

115 Configuring RealPresence Collaboration Server Parameter Alias Name Description If using the endpoint s alias instead of IP address, first select the alias type and then enter the endpoint s alias. If you are associating this recording link to a VRR on the RealPresence Media Suite, define the alias as follows: If you are using the RealPresence Media Suite IP address, enter the VRR number in the Alias field. For example, if the VRR number is 5555, enter If the Alias Type is set to H.323 ID, enter the RealPresence Media Suite IP address and the VRR number in the format: <Media Suite IP Address>##<VRR number> For example: If the RealPresence Media Suite IP is and the VRR number is 5555, enter ##5555 If the Alias Type is set to E.164, enter the RealPresence Media Suite E.164 followed by VRR number: <Media Suite E.164><VRR number> For example: If the RealPresence Media Suite E.164 is and the VRR number is 5555, enter The name should be the same as RealPresence Media Suite registration information. Alias Type Depending on the format used to enter the information in the IP address and Alias fields, select H.323 ID or E.164 (for multiple Recording links). ID and Participant Number are also available. The type should be the same as RealPresence Media Suite registration information. If the recording link does not define the VRR, enter the RealPresence Media Suite E.164 that registers to RealPresence DMA in the Alias Name. The default VRR is used for recording. Polycom, Inc. 113

116 Configuring RealPresence Collaboration Server If the recording link defines the VRR, enter the RealPresence Media Suite E.164 +VRR in the Alias Name. Polycom, Inc. 114

117 Configuring RealPresence Collaboration Server 4. Click OK. Related Links Configure Conference Template with 2048 kbps Line Rate on page 79 Set up the Gatekeeper on page 191 Polycom, Inc. 115

118 Configuring RealPresence Access Director Topics: RealPresence Access Director Considerations RealPresence Access Director Installation and Network Configuration Configuring Certificates Required Ports RealPresence Access Director and RealPresence Resource Manager Integration RealPresence Access Director and RealPresence DMA Integration RealPresence Access Director and RealPresence Web Suite Integration Configure Endpoints The RealPresence Access Director system enables users within and beyond your firewall to securely access voice, video, and multimedia sessions across IP network borders. The system securely routes communication, management, and content traffic through firewalls without requiring special dialing methods or additional client hardware or software. Specifically, the RealPresence Access Director system supports SIP and H.323 video calls (including H.460 firewall/nat traversal) from registered users, guests, and federated enterprises or divisions. RealPresence Access Director Considerations TheRealPresence Access Director system is Polycom s firewall traversal solution for both SIP and H.323 environments. It has the following specific requirements: Network Location. It must be connected to the DMZ. Network Interface Card. TheRealPresence Access Director system must have four network interface cards (NICs) defined on the virtual machine. Even if the RealPresence Access Director system s network interfaces are configured so that some NICs remain unused, the NICS should NOT be removed. RealPresence Access Director Installation and Network Configuration The Polycom video infrastructure integrates with the RealPresence Access Director system to provide video conferencing management for remote, guest, federated, and unfederated users with secure firewall traversal for all of the required connections. Polycom, Inc. 116

119 Configuring RealPresence Access Director Install the RealPresence Access Director System Software Using Your Virtual Environment Tools If you install the RealPresence Access Director, Virtual Edition, using your virtual environment tools, you will still need to use the RealPresence Resource Manager system to manage licensing of your Polycom software. Note: If installing a Hyper-V version, you must use the Copy option. Procedure 1. Refer to the documentation for your virtual environment tools for instructions on installing a virtual instance. 2. Install an instance of the RealPresence Access Director, Virtual Edition system. 3. Assign a static IP address to the instance using the console if your VM environment does not use DHCP. 4. Add the instance to the RealPresence Platform Director system. Assign a Static IP Address The RealPresence Access Director system requires a static IP address for your system s instance. If your VM environment is not using DHCP, you must assign a static IP with the console before continuing to configure your system. If your VM environment has a DHCP server, it will assign an IP address to the instance. You can then assign a static IP using the console or assign the static IP from the RealPresence Access Director system s web interface during initial configuration. Note: During installation and initial network configuration, you need to assign one static IP address to the management interface (eth0). After installation is complete, you can configure additional IP addresses for the other network interfaces from the RealPresence Access Director web user interface. Procedure 1. Power on the newly-installed VM. 2. Access the console. 3. Click in the console window and press Enter if necessary to see the login prompt. A shell interface appears that enables you to configure the network. 4. Log in with user ID polycom and password polycom. Polycom, Inc. 117

120 Configuring RealPresence Access Director 5. Choose option 3 and follow the prompts to configure the following initial network settings: IP address Subnet Mask Default Gateway IP The system reboots. Polycom, Inc. 118

121 Configuring RealPresence Access Director 6. Press CTRL + ALT to release the cursor from the console, then close the console window. License Your System with RealPresence Resource Manager The RealPresence Resource Manager system must be able to communicate with your RealPresence Access Director system so it can be licensed and monitored. After you install your RealPresence Access Director system instance, you need to add the instance to the RealPresence Resource Manager system to establish communication. For instructions on how to add a system instance in the RealPresence Resource Manager system, see the RealPresence Resource Manager System Operations Guide. Virtual Edition Initial Configuration When you install an instance of the RealPresence Access Director, Virtual Edition system, you need to provide the following network settings during the installation process: IPv4 Address: the static or DHCP-assigned IP address of the virtual instance of the RealPresence Access Director system. If you use a DHCP-assigned IP address, you must assign a static IP address when you access the RealPresence Access Director web user interface for the first time. After you assign a static IP address, the DHCP IP address cannot be used. IPv4 Subnet Mask: the subnet mask for the RealPresence Access Director system's static IP address. IPv4 Default Gateway: the IP address of the gateway used to route network traffic outside the subnet. Polycom, Inc. 119

122 Configuring RealPresence Access Director Procedure 1. In the RealPresence Access Director user interface, go to Admin > Network Settings. 2. Click Configure Network Settings, then complete the following fields: Hostname: Enter the hostname of the RealPresence Access Director system. Primary DNS: Enter the IP address of the DNS server. 3. Click Next. 4. In the Step 2 of 3: Advanced Network Settings window, do one of the following: If you assigned a static IP address when you installed your system, confirm the IPv4 Address is correct. If you used a DHCP-assigned IP address, enter a static IPv4 Address. Polycom, Inc. 120

123 Configuring RealPresence Access Director 5. Confirm the following system values are correct: IPv4 Subnet Mask IPv4 Default Gateway 6. Confirm the eth1 values. Polycom, Inc. 121

124 Configuring RealPresence Access Director 7. Click Next. 8. In the Step 3 of 3: Service Network Settings window, select the static IP address of the eth0 interface for each type of traffic, as shown in the following table: Settings Field SIP/H.323 Settings External signaling IP Internal signaling IP Media Relay External relay IP Internal relay IP Management IP Settings Management IP Access Proxy Settings External Access Proxy IP If the eth0 IP address is not already listed, select it from the Available IP address list and click the right arrow to move the IP address to the External Access Proxy IP list. Internal Access Proxy IP Polycom, Inc. 122

125 Configuring RealPresence Access Director 9. Click Done, then click Commit and Reboot Now. The system reboots and applies your network settings. Polycom, Inc. 123

126 Configuring RealPresence Access Director Configure Time Settings The RealPresence Access Director system displays two different time settings: Client date and time: In the upper right corner of the Time Settings window, next to your user name, the system displays the date and time of your local machine. These values change only if you revise the date and time on your local machine. Server time: Server Time (Refresh every 10 seconds) indicates the server time. If you change the System time zone or Manually set the system time (not recommended), the Server Time (Refresh every 10 seconds) field displays the correct server time. Procedure 1. Go to Admin > Time Settings. 2. Complete the following fields as needed: Field System time zone Description The time zone in which your RealPresence Access Director system is located. Note: After initial installation of the RealPresence Access Director system, the default time zone is GMT (UTC). You must select the time zone of your geographic location immediately after installing the system. Auto adjust for Daylight Saving Time Automatically determined in accordance with the system time zone. If the system time zone you select observes Daylight Saving Time, this setting is enabled. Note: The administrator cannot change this setting. Manually set system time Polycom strongly recommends that you do not set the time and date manually. Manually setting system time removes Network Time Protocol (NTP) server information and sets the manually entered time for the selected time zone instead of for the current system UTC offset. Polycom, Inc. 124

127 Configuring RealPresence Access Director Field NTP servers Description The IP addresses or FQDNs of the NTP servers. For Appliance Editions, the NTP server IP addresses may be provisioned by the RealPresence Resource Manager system or you can enter them manually. For Virtual Editions, you can configure up to three NTP servers when you create an instance of the RealPresence Access Director system from the RealPresence Resource Manager system. You can later edit these server addresses as needed. Note: Polycom recommends that you specify at least two NTP servers for synchronizing system time. 3. Click Update. Configuring Certificates The RealPresence Access Director system uses X.509 certificates in different ways. When you log into the RealPresence Access Director system's user interface from your browser, the RealPresence Access Director system offers an X.509 certificate to identify itself to your browser client. When a client sets up an HTTPS, LDAP, or XMPP connection with access proxy, the RealPresence Access Director system offers an X.509 certificate to identify itself. When a client sends SIP messages with TLS transport, the RealPresence Access Director system offers an X.509 certificate to identify itself. When the RealPresence Access Director system connects to a RealPresence Resource Manager system, the RealPresence Access Director system may present a certificate to the RealPresence Resource Manager system to identify itself. Polycom, Inc. 125

128 Configuring RealPresence Access Director When the RealPresence Access Director system connects to another RealPresence Access Director system or other session border controller (SBC) for a SIP enterprise-to-enterprise call, the RealPresence Access Director system presents its certificate to the other system to identify itself. Create a Certificate Signing Request After initial installation, the RealPresence Access Director system is configured to use a self-signed certificate with a key length of 2048 bits. You can create a certificate signing request (CSR) to apply for a signed certificate from a certificate authority to replace the self-signed certificate. The signed certificate identifies the RealPresence Access Director system as a trusted entity. Procedure 1. Go to Admin > Certificates. 2. Click Create Certificate Signing Request. Polycom, Inc. 126

129 Configuring RealPresence Access Director 3. Enter the certificate information and click OK. Polycom, Inc. 127

130 Configuring RealPresence Access Director 4. Copy the CSR text content, and click OK. Polycom, Inc. 128

131 Configuring RealPresence Access Director Request a Certificate You can request a certificate from a third-party Certificate Authority. Procedure 1. Navigate to the Certificate Authority and click Request a Certificate. Polycom, Inc. 129

132 Configuring RealPresence Access Director 2. Click the advanced certificate request. 3. Paste the CSR into the saved request field. 4. Under Certificate Template, choose Web Server with client EKU. 5. Click the Submit button. 6. Choose Base 64 encoded, and click Download certificate. Polycom, Inc. 130

133 Configuring RealPresence Access Director Install the Certificate Use this procedure to add a trusted certificate authority, either an in-house or commercial CA. Procedure 1. Go to Admin > Certificates > Add Certificates. 2. Click Upload certificate and browse to the file. Polycom, Inc. 131

134 Configuring RealPresence Access Director 3. Click OK. Required Ports This section describes the specific ports or dynamic port ranges to configure on your RealPresence Access Director system and correspondingly on your firewall. The port information is organized based on the different functions, or services, that the RealPresence Access Director system supports. The dynamic source and destination port ranges listed here specify the allowable port ranges for communication between the RealPresence Access Director system and other systems and devices inside or outside of your enterprise network. The actual port ranges for your system depend on the number of calls on your license. A port range for a specific function (for example, LAN-side SIP signaling) indicates the number of ports for that function that must be available to accommodate the number of calls on your system license. You can change the beginning port ranges (within certain parameters) if necessary. If you do so, the RealPresence Access Director system automatically calculates the end ranges based on the number of calls on your license. Polycom, Inc. 132

135 Configuring RealPresence Access Director Caution: The specific ports and port ranges configured in the RealPresence Access Director system must match the ports configured on your firewall. If you change any port settings within the system, you must also change them on your firewall. Management Access The RealPresence Access Director system provides a web-based user interface to access, configure, and manage the system. Polycom suggests that you enable one interface as the management interface, segregated from WAN-accessible traffic. For greater security, Polycom recommends that you enable SSH and web access to the RealPresence Access Director system management interface only from authorized network segments. We also recommend that you disable SSH and web access from the WAN by creating explicit deny rules for these traffic types. To support certain functions in the RealPresence Access Director system, connectivity is required between the management interface and the following external systems (servers): Network Time Protocol (NTP) Syslog DNS Microsoft Active Directory SNMP Online Certificate Status Protocol (OCSP) The following table lists the required ports and transport protocols to access the system s web-based user interface and to establish connections between the RealPresence Access Director system and external services. The table also lists access information to manage the RealPresence Access Director system from the WAN, if desired. Management Access Ports SRC IP SRC Port Protocol DST IP DST Port Description RealPresenc e Access Director system managemen t IP address RealPresenc e Resource Manager system IP address TCP IP address of the RealPrese nce Resource Manager system >1023 TCP RealPrese nce Access Director system managem ent IP address 3333 and 9333 Connection from the RealPresence Access Director system to the RealPresence Resource Manager system for RealPresence Access Director system license communication 8443 Connection from the Polycom RealPresence Resource Manager system to the RealPresence Access Director system for Polycom API communication Polycom, Inc. 133

136 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description RealPresenc e Resource Manager system IP address - Ping service (ICMP type: 8,code:0) RealPrese nce Access Director system managem ent IP address - Connection from the Polycom RealPresence Resource Manager system to the RealPresence Access Director system instance status monitoring. RealPresenc e Access Director system managemen t IP address UDP or TCP IP address of SNMP server 162 Connection from the RealPresence Access Director system to the SNMP server (for sending Trap messages) Note: The SNMP protocol and DST port depend on the SNMP settings you configure in the RealPresence Access Director system user interface. IP address of the host sending an SNMP request to the RealPresenc e Access Director system >1023 UDP or TCP RealPrese nce Access Director system managem ent IP address 161 Connection from the LAN SNMP server to the RealPresence Access Director system (for monitoring) Note: The SNMP protocol and DST port depend on the SNMP settings you configure in the RealPresence Access Director system user interface. RealPresenc e Access Director system managemen t IP address 123 UDP IP address of external NTP server, if in use 123 Connection from the RealPresence Access Director system to the public NTP server Polycom, Inc. 134

137 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description RealPresenc e Access Director system managemen t IP address RealPresenc e Access Director system managemen t IP address RealPresenc e Access Director system managemen t IP address RealPresenc e Access Director system managemen t IP address RealPresenc e Access Director system managemen t IP address TCP IP address of the OCSP responder, if in use UDP IP address of the DNS server TCP IP address of the LANbased Microsoft Active Directory server, if in use TLS IP address of the LANbased Microsoft Active Directory server, if in use UDP or TCP IP address of the syslog server, if in use 8080, 80 Connection from the RealPresence Access Director system to the public OCSP responder 53 Connection from the RealPresence Access Director system to the DNS server 389 StartTLS encrypted or unencrypted (TCP) connection from the RealPresence Access Director system to the LAN-based Microsoft Active Directory server This connection is optional. 636 Encrypted connection from the RealPresence Access Director system to the LAN-based Microsoft Active Directory server This connection is optional. 514, Connection from the RealPresence Access Director system to the syslog server This connection is optional. Polycom, Inc. 135

138 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description IP address of the WANbased PC using a browser to access the RealPresenc e Access Director system web (manageme nt) user interface IP address of the host managing the RealPresenc e Access Director system using SSH Any TCP RealPrese nce Access Director system public managem ent IP address Any TCP RealPrese nce Access Director system public managem ent IP address 8443 HTTPS connection from a WAN-based PC to the RealPresence Access Director system s web user interface used to manage the system This connection is optional. 22 Access to the command line interface (CLI) of the RealPresence Access Director system using SSH This connection is optional. SIP Signaling The RealPresence Access Director system serves as a SIP back-to-back user agent (B2BUA) and operates between endpoints that use the SIP protocol. When a SIP video call takes place, the RealPresence Access Director system divides the communication channel into two call legs and mediates all SIP signaling between the endpoints, from call establishment to termination. SIP signaling can be used for remote, guest, B2B, and open-sip calls. Caution: If your firewall has a SIP function that enables it to intercept and alter SIP messaging (for example, SIP ALG), you must disable the service. If not disabled, the service may cause call failures due to rewriting of port or IP address information. SIP WAN Ports The following table lists the required ports and protocols for bidirectional SIP signaling between the WAN and the RealPresence Access Director system. Polycom, Inc. 136

139 Configuring RealPresence Access Director SIP Signaling Ports for the WAN and RealPresence Access Director System SRC IP SRC Port Protocol DST IP DST Port Description IP address of external SIP client IP address of external SIP client IP address of external SIP client RPAD external signaling IP address RPAD external signaling IP address >1023 TCP RealPresence Access Director system public signaling IP address >1023 UDP RealPresence Access Director system public signaling IP address >1023 TCP RealPresence Access Director system public signaling IP address TCP Public signaling IP address of the other SIP system 5060 UDP IP address of remote user SIP client 5060 SIP (TCP 5060) connection from the WAN to the RPAD system 5060 SIP connection from the WAN to the RPAD system 5061 SIP TLS (TCP 5061) connection from the WAN to the RPAD system >1023 Outbound SIP call from the RPAD system to another system >1023 Outbound SIP call from the RPAD system to the remote user s SIP client SIP LAN Ports The following table lists the required ports and protocols for bidirectional SIP signaling between the LAN and the RealPresence Access Director system. SIP Signaling Ports for the LAN and RealPresence Access Director System SRC IP SRC Port Protocol DST IP DST Port Description RPAD internal signaling IP address 5070 UDP IP address of the LAN-based SIP registrar (DMA system) 5060 Connection from the RPAD system to the LAN-based SIP registrar (DMA system) Polycom, Inc. 137

140 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description RPAD internal signaling IP address IP address of the LAN-based SIP registrar (DMA system) IP address of the LAN-based SIP registrar (DMA system) TCP IP address of the LAN-based SIP registrar (DMA system) 5060 UDP RPAD system internal signaling IP address TCP RPAD system internal signaling IP address SIP (TCP 5060) and SIP TLS (TCP 5061) connection from the RPAD system to the LAN-based SIP registrar (DMA system) 5070 Connection from the LANbased SIP registrar (DMA system) to the RPAD system SIP (TCP 5070) and SIP TLS (TCP 5071) connection from the LAN-based SIP registrar (DMA system) to the RPAD system H.323 Signaling H.323 signaling enables registration, calling, and neighboring functions for endpoints that use the H.323 protocol. H.323 signaling can be used for remote, guest, and federated or neighbored B2B calls. Caution: If your firewall has an H.323 function that enables it to intercept and alter H.323 messaging, for example, H.323 ALG, you must disable the service. If not disabled, the service may cause call failures due to rewriting of port or IP address information. H.323 WAN Ports The following table lists the required ports and protocols for H.323 signaling between the WAN and the RealPresence Access Director system. Polycom, Inc. 138

141 Configuring RealPresence Access Director H.323 Signaling Ports for the WAN and RealPresence Access Director System SRC IP SRC Port Protocol DST IP DST Port Description IP address of external H.323 device Public signaling IP address of the other enterprise system IP address of external H.323 device IP address of external H.323 device RealPresence Access Director external signaling IP address RealPresence Access Director external signaling IP address >1023 UDP RealPresence Access Director system public signaling IP address >1023 UDP RealPresence Access Director system public signaling IP address >1023 TCP RealPresence Access Director system public signaling IP address >1023 TCP RealPresence Access Director system public signaling IP address TCP IP address of external H.323 device TCP IP address of external H.323 device 1719 H.225 registration request from a remote endpoint to the RealPresence Access Director system 1719 Inbound H.225 Location ReQuest (LRQ) to the RealPresence Access Director system (suggested) 1720 H.225 connection from the WAN to the RealPresence Access Director system H.245 connection from the WAN to the RealPresence Access Director system 1720 H.225 connection from the RealPresence Access Director system to the WAN >1023 H.245 connection from the RealPresence Access Director system to the WAN Polycom, Inc. 139

142 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description RealPresence Access Director external signaling IP address 1719 UDP Public signaling IP address of the other enterprise system 1719 H.225 gatekeeper neighboring connection from the RealPresence Access Director system to the other enterprise system, if needed H.323 LAN Ports The following table lists the required ports and protocols for H.323 signaling between the LAN and the RealPresence Access Director system. H.323 Signaling Ports for the LAN and RealPresence Access Director System SRC IP SRC Port Protocol DST IP DST Port Description RealPresence Access Director internal signaling IP address RealPresence Access Director internal signaling IP address 1719 UDP IP address of LAN-based H. 323 gatekeeper (RealPresence DMA system) 1719 UDP IP address of LAN-based H. 323 gatekeeper (RealPresence DMA system) 1719 H.225 RAS connection for H.323 remote user registrations from the RealPresence Access Director system to the LAN-based H. 323 gatekeeper (RealPresence DMA system) 1719 H.225 gatekeeper neighboring connection from the RealPresence Access Director system to the LAN-based H. 323 gatekeeper (RealPresence DMA system), if needed Polycom, Inc. 140

143 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description RealPresence Access Director internal signaling IP address RealPresence Access Director internal signaling IP address RealPresence Access Director internal signaling IP address RealPresence Access Director internal signaling IP address TCP IP address of LAN-based H. 323 gatekeeper (RealPresence DMA system) TCP IP address of LAN-based H. 323 device TCP IP address of LAN-based H. 323 gatekeeper (RealPresence DMA system) TCP IP address of LAN-based H. 323 device 1720 H.225 connection from the RealPresence Access Director system to the LAN-based H. 323 gatekeeper (RealPresence DMA system) 1720 H.225 connection from the RealPresence Access Director system to the LAN-based H. 323 device (with the RealPresence DMA system in Direct mode, no need for the Routed mode.) H.245 connection from the RealPresence Access Director system to the LAN-based H. 323 gatekeeper (RealPresence DMA system) >1023 H.245 connection from the RealPresence Access Director system to a LAN-based H. 323 device (with the RealPresence DMA system in Direct mode, no need for the Routed mode) Polycom, Inc. 141

144 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description IP address of the LAN-based H.323 gatekeeper (RealPresence DMA system) IP address of the LAN-based H.323 device IP address of the LAN-based H.323 device IP address of the LAN-based H.323 gatekeeper (RealPresence DMA system) 1719 UDP RealPresence Access Director system internal signaling IP address >1023 TCP RealPresence Access Director system internal signaling IP address >1023 TCP RealPresence Access Director system internal signaling IP address TCP RealPresence Access Director system internal signaling IP address 1719 H.225 RAS connection from the LAN-based H.323 gatekeeper (RealPresence DMA system) to the RealPresence Access Director system 1720 H.225 connection from the LAN-based H.323 device to the RealPresence Access Director system (with the RealPresence DMA system in Direct mode, no need for the Routed mode) H.245 connection from the LAN-based H.323 device (with the RealPresence DMA system in Direct mode, no need for the Routed mode) to the RealPresence Access Director system 1720 H.225 connection from the LAN-based H.323 gatekeeper (RealPresence DMA system in Routed mode) to the RealPresence Access Director system Polycom, Inc. 142

145 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description IP address of the LAN-based H.323 gatekeeper (RealPresence DMA system) TCP RealPresence Access Director system internal signaling IP address H.245 connection from the LAN-based H.323 gatekeeper (RealPresence DMA system in Routed mode) to the RealPresence Access Director system Access Proxy The RealPresence Access Director system access proxy feature provides reverse proxy services for external users. Based on your system configuration, when access proxy receives a request from an external user, it accepts the request and sends a new request on behalf of the user to the appropriate application server. Access proxy routes communication requests based on the type of target application server: HTTPS_proxy: HTTPS servers that provide management services, such as provisioning for the RealPresence Access Director system and endpoints (Polycom RealPresence Resource Manager system), and web-based video conferencing services (RealPresence Web Suite). LDAP_proxy: LDAP servers that provide directory services for remote (authorized) users. XMPP_proxy: XMPP servers that provide message, presence, or other XMPP services for remote (authorized) users. HTTP tunnel proxy: An HTTP tunnel proxy enables RealPresence Web Suite SIP guest users to attend video conferences in an enterprise s Web Suite Experience Portal. Due to restrictive firewall rules, if a Web Suite client cannot establish a native SIP/RTP connection to a video conference, the RealPresence Access Director system can act as a web proxy to tunnel the SIP guest call on port 443. Once the SIP guest is connected to a meeting, the RealPresence Access Director system continues to tunnel TCP traffic, including SIP signaling, media, and Binary Floor Control Protocol (BFCP) content. Access Proxy WAN Ports The following table lists the ports and protocols for access proxy traffic between the WAN and the RealPresence Access Director system. Polycom, Inc. 143

146 Configuring RealPresence Access Director Access Proxy Ports for the WAN and the RealPresence Access Director System SRC IP SRC Port Protocol DST IP DST Port Description IP address of external client IP address of external client IP address of external client IP address of external RealPresence Web Suite browser client that signs into the Web Suite Experience Portal and/or the Services Portal >1023 TCP Public IP address of the RealPresence Access Director system s external access proxy IP address >1023 TCP Public IP address of the RealPresence Access Director system s external access proxy IP address >1023 TCP Public IP address of the RealPresence Access Director system s external access proxy IP address >1023 TCP Public IP address of the RealPresence Access Director system s external access proxy IP address 443 HTTPS connection from the WAN to the RealPresence Access Director system to sign in for provisioning 389 TLS-encrypted or unencrypted encrypted (TCP) LDAP connection from the WAN to the RealPresence Access Director system 5222 XMPP connection from the WAN to the RealPresence Access Director system 443 HTTPS web connection from the WAN to the RealPresence Access Director system. The RealPresence Access Director system can proxy to both the RealPresence Web Suite Experience Portal and Services Portal Polycom, Inc. 144

147 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description IP address of RealPresence Web Suite client using an HTTP tunnel proxy. IP address of RealPresence Mobile client using an HTTP tunnel proxy >1023 TCP Public IP address of the RealPresence Access Director system s external access proxy IP address >1023 TCP Public IP address of the RealPresence Access Director system s external access proxy IP address 443 HTTP tunnel proxy connection from the WAN to the RealPresence Access Director system. The RealPresence Access Director system terminates the tunnel and proxies the traffic to the internal systems. 443 HTTPS tunnel proxy connection from the WAN to the RealPresence Access Director system. The RealPresence Access Director system terminates the tunnel and proxies the traffic to the internal systems. Access Proxy LAN Ports The following table lists the ports and protocols for bidirectional access proxy traffic between the RealPresence Access Director system and the LAN. Polycom, Inc. 145

148 Configuring RealPresence Access Director Access Proxy Ports for the LAN and the RealPresence Access Director System SRC IP SRC IP Protocol DST IP DST Port Description RealPresence Access Director internal access proxy IP address RealPresence Access Director internal access proxy IP address RealPresence Access Director internal access proxy IP address RealPresence Access Director internal access proxy IP address TCP IP address of the LAN-based provisioning server that provisions the RealPresence Access Director system TCP IP address of the LAN-based management server that provisions the endpoints TCP IP address of the LAN-based LDAP server TCP IP address of the LAN-based XMPP server 443 HTTPS connection from the RealPresence Access Director system to the LAN-based provisioning server that provisions the RealPresence Access Director system This connection is optional. 443 HTTPS connection from the RealPresence Access Director system to the LAN-based provisioning server that provisions the endpoints 389 LDAP connection from the RealPresence Access Director system to the LAN-based LDAP server 5222 XMPP connection from the RealPresence Access Director system to the LAN-based XMPP server Polycom, Inc. 146

149 Configuring RealPresence Access Director SRC IP SRC IP Protocol DST IP DST Port Description RealPresence Access Director internal access proxy IP address TCP IP address of the RealPresence Web Suite Services Portal and/or Experience Portal 443 HTTPS connection from the RealPresence Access Director system to the RealPresence Web Suite Experience Portal and/or Services Portal Media The RealPresence Access Director system enables media traffic (audio, video, and content) to traverse the firewall during video conferencing calls. Media WAN Ports The following table lists the ports and protocols for bidirectional media relay between the WAN and the RealPresence Access Director system. Media Ports for the WAN and the RealPresence Access Director System SRC IP SRC Port Protocol DST IP DST Port Description IP address of external device RealPresence Access Director system public media IP address >1023 UDP RealPresence Access Director system public media IP address UDP IP address of external device Inbound media (RTP) traffic from the WAN to the RealPresence Access Director system >1023 Outbound media traffic from the RealPresence Access Director system to the WAN Media LAN Ports The following table lists the ports and protocols for bidirectional media traffic between the LAN and the RealPresence Access Director system. Polycom, Inc. 147

150 Configuring RealPresence Access Director Media Ports for the LAN and the RealPresence Access Director System SRC IP SRC Port Protocol DST IP DST Port Description RealPresence Access Director internal media IP address IP address of the LAN-based video conferencing device RealPresence Access Director internal media IP address IP address of LAN-based RealPresence Collaboration Server (RMX) UDP Any LAN-based video conferencing device >1023 UDP RealPresence Access Director system internal media IP address TCP IP address of LAN-based RealPresence Collaboration Server (RMX) >1023 TCP RealPresence Access Director internal media IP address >1023 Inbound media traffic from the RealPresence Access Director system to the LAN-based video device Outbound media traffic from the LANbased video conferencing device to the RealPresence Access Director system >1023 Inbound BFCP content from the RealPresence Access Director system to the LAN-based RealPresence Collaboration Server (RMX) Outbound BFCP content from the LANbased RealPresence Collaboration Server (RMX) to the RealPresence Access Director system TURN Server The RealPresence Access Director system can act as a TURN server to enable firewall and NAT traversal of UDP media traffic between WebRTC-enabled clients. TURN Relay Ports The following table lists the ports and protocols for bidirectional media relay between WAN and LAN WebRTC-enabled clients and the RealPresence Access Director system TURN server. Polycom, Inc. 148

151 Configuring RealPresence Access Director TURN Ports for WAN and LAN-based WebRTC Endpoints and the TURN Server SRC IP SRC Port Protocol DST IP DST Port Description IP address of external WebRTC client >1023 UDP RealPresence Access Director system public signaling IP address Default: 3478 TURN allocation requests from an external WebRTC client to the TURN server. The port is used only to establish a TURN session. Note: The RealPresence Access Director system public signaling IP address refers to the public IP address for signaling mapped on the firewall between the WAN and the RealPresence Access Director system. IP address of internal WebRTC client >1023 UDP RealPresence Access Director system external signaling IP address Default: 3478 TURN allocation requests from an internal WebRTC client to the TURN server. The port is used only to establish a TURN session. RealPresence Access Director system public signaling IP address Default: 3478 UDP IP address of external WebRTC client >1023 Allocation response from the TURN server to an external WebRTC client. The response establishes the TURN session. Polycom, Inc. 149

152 Configuring RealPresence Access Director SRC IP SRC Port Protocol DST IP DST Port Description RealPresence Access Director system external signaling IP address Default: 3478 UDP IP address of internal WebRTC client >1023 Allocation response from the TURN server to an internal WebRTC client. The response establishes the TURN session. IP address of external WebRTC client >1023 UDP RealPresence Access Director system public signaling IP address (Default range: ) Inbound media traffic from an external WebRTC client to the TURN server. IP address of internal WebRTC client >1023 UDP RealPresence Access Director system external signaling IP address (Default range: ) Inbound media traffic from an internal WebRTC client to the TURN server. RealPresence Access Director system public signaling IP address (Default range: ) UDP IP address of external WebRTC client >1023 Outbound media traffic relay from the TURN server to an external WebRTC client RealPresence Access Director system external signaling IP address (Default range: ) UDP IP address of internal WebRTC client >1023 Outbound media traffic relay from the TURN server to an internal WebRTC client RealPresence Access Director and RealPresence Resource Manager Integration If you deploy your RealPresence Access Director system with a RealPresence Resource Manager system, the RealPresence Resource Manager system can provision some RealPresence Access Director system settings and dynamically manage (provision, upgrade, and manage) select remote endpoints. Provisioning of the RealPresence Access Director system is optional. If not provisioned, you must manually configure all system settings. Polycom, Inc. 150

153 Configuring RealPresence Access Director Configuring Access Proxy Settings The access proxy feature in the RealPresence Access Director system provides reverse proxy services for external devices. You can configure access proxy settings to enable firewall/nat traversal for login, registration, and call requests. When the RealPresence Access Director system receives a request from a remote user, the system accepts or denies the request, based on your basic Access Control List (ACL) settings. If the request is accepted, the RealPresence Access Director system sends a new request on behalf of the remote user to the appropriate application server. The RealPresence Access Director system is configured with three default reverse proxies that route communication requests based on the type of target application server: HTTPS_proxy HTTPS servers that provide management services (RealPresence Resource Manager system), and web-based video conferencing services (RealPresence Web Suite) LDAP_proxy LDAP servers that provide directory services XMPP_proxy XMPP servers that provide message, presence, or other XMPP services In addition to the default proxies, the RealPresence Access Director system supports the following proxy configurations: PassThrough_proxy A passthrough reverse proxy configuration provides transparent relay of communication requests through the RealPresence Access Director system to internal application servers. PassThrough_proxy is used primarily for backward compatibility with the TCP reverse proxy feature. Note that if you upgrade your system to a new version, PassThrough_proxy will not display on the main Access Proxy Settings page if you did not configure a TCP reverse proxy in a previous version of the RealPresence Access Director system. HTTP tunnel proxy An HTTP tunnel proxy enables SIP guest users to attend web-based video conferences hosted by an enterprise s RealPresence Web Suite. Due to restrictive firewall rules, if a SIP guest client cannot establish a native SIP/RTP connection to a Web Suite video conference, the RealPresence Access Director system can act as a web proxy to tunnel the SIP call on port 443. Once the SIP guest client is connected to a meeting, the RealPresence Access Director system continues to tunnel TCP traffic, including SIP signaling, media, and Binary Floor Control Protocol (BFCP) content. The default proxies may be edited or you can add new proxies for various internal application servers. When you configure the proxies, you must specify an external IP address and an external listening port for access proxy. Based on the network settings you configured, you may have external access proxy services assigned to more than one network interface. You can reuse an external IP address but the port, in most cases, must be unique for each proxy configuration that uses the same external IP address. For example, if you create two proxy configurations for LDAP directory services, the combined external IP address for access proxy and the external listening port cannot be the same for both LDAP proxy configurations. If you create an HTTP tunnel proxy, both the HTTP tunnel proxy and the default HTTPS_proxy can use port 443 on the same external access proxy IP address. The following examples show some possible external IP address and port combinations. Example 1 Name of Proxy External IP Address for Access Proxy External Listening Port LDAP_proxy_ LDAP_proxy_ Polycom, Inc. 151

154 Configuring RealPresence Access Director Name of Proxy External IP Address for Access Proxy External Listening Port HTTPS_proxy HTTP tunnel proxy Example 2 Name of Proxy External IP Address for Access Proxy External Listening Port LDAP_proxy_ LDAP_proxy_ If a RealPresence Resource Manager system and RealPresence Web Suite integrate with the RealPresence Access Director, the HTTPS proxy must be configured for the RealPresence Resource Manager system and RealPresence Web Suite. LDAP proxy and XMPP proxy must be configured for the RealPresence Resource Manager system. Add a New Proxy Configuration Adding a new proxy configuration consists of selecting the protocol for the proxy and configuring the detailed settings. Procedure 1. Go to Configuration > Access Proxy Settings. 2. Under Actions, click Add. 3. In the Step 1 of 2: Protocol Selection window, select the Protocol for the new proxy and click Next. Polycom, Inc. 152

155 Configuring RealPresence Access Director 4. In the Step 2 of 2: Detailed Settings window, configure the settings for the specific protocol of the proxy, as described in the following sections: Configure HTTPS Proxy on page 154 Configure LDAP Proxy Settings on page 158 Polycom, Inc. 153

156 Configuring RealPresence Access Director Configure XMPP Proxy Settings on page 161 Configure HTTP Tunnel Settings on page 168 Configure HTTPS Proxy The access proxy feature enables external users to access different internal HTTPS servers. The RealPresence Access Director system accepts a request from a remote user, then sends a new request on behalf of the user to the correct application server based on the HTTPS reverse proxy settings you configure. When the RealPresence Access Director system is integrated with a RealPresence Resource Manager system, access proxy enables remote endpoints to be provisioned and managed by the RealPresence Resource Manager system. When the RealPresence Access Director system receives a login and provisioning request from an external endpoint, it sends the request to the HTTPS provisioning server configured within the RealPresence Resource Manager system. When you configure the HTTPS Proxy settings, you can add multiple HTTPS next hops. For each next hop, you must apply a filter that s based on the HTTPS request message header received from the endpoint. The RealPresence Access Director system uses the filter and other settings to send the connection request to the correct internal HTTPS application server. Two filters are available: Request-URI The next hop is based on the Request-URI in the message header received from the endpoint. Use the Request-URI filter only when adding a next hop to a RealPresence Resource Manager system. Host header The next hop filter is based on the host information in the message header received from the endpoint. Use a host header filter when creating the next hop for various HTTPS application servers, including the RealPresence Web Suite Services Portal and Experience Portal. Procedure 1. Go to Configuration > Access Proxy Settings. 2. Under Actions, click Add. 3. In the Step 1 of 2: Protocol Selection window, select HTTPS from the Protocol list and click Next. Polycom, Inc. 154

157 Configuring RealPresence Access Director 4. In the Step 2 of 2: Detailed Settings window, complete the fields according to the following table: Setting Name External IP address Description The unique name of this HTTPS proxy configuration The external IP address of the RealPresence Access Director system network interface that receives access proxy traffic. Polycom, Inc. 155

158 Configuring RealPresence Access Director Setting External listening port Description The external port at which the RealPresence Access Director system listens for HTTPS proxy traffic. Default port: 443 Port range: Note: The RealPresence Access Director system automatically redirects inbound access proxy traffic on ports 443 and 389 to the internal ports reserved on the system's loopback interface private IP address. The CentOS operating system does not allow processes without root ownership to listen on ports <1024. Redirecting access proxy traffic on ports <1024 to the internal ports enables the access proxy process to function correctly. Internal IP address Require client certificate from the remote endpoint Verify certificate from internal server The internal access proxy IP address of the RealPresence Access Director system (specified when you configure network settings). The system forwards HTTPS requests from this IP address to the requested application server. When selected, access proxy requests and verifies the client certificate from the remote endpoint. When selected, access proxy verifies the certificate from the internal HTTPS server (the RealPresence Resource Manager system, or RealPresence Web Suite). 5. Under Next hops, click Add. Polycom, Inc. 156

159 Configuring RealPresence Access Director 6. Configure the settings as described in the following table: Setting Type Name System Description Request-URI The unique name of this next hop Polycom Management System Note: Add a separate Request-URI next hop if you need to configure HTTPS settings for both systems. Address Port The internal IP address of the target HTTPS server. After accepting the HTTPS request from the external endpoint, the RealPresence Access Director system sends a new HTTPS request to this IP address. The listening port of the internal HTTPS server. Polycom, Inc. 157

160 Configuring RealPresence Access Director 7. Click OK to save the configuration. Related Links Add the Next Hop Based on the Host Header Filter on page 166 Configure LDAP Proxy Settings LDAP reverse proxy configurations can be added to access different LDAP directory servers, such as the RealPresence Resource Manager system LDAP server or an Active Directory server. If you configure a new LDAP proxy with the same external IP address as the system s default LDAP_proxy, you must assign a port other than 389 to one of the proxies. The following instructions list the alternate port range. Procedure 1. Go to Configuration > Access Proxy Settings. 2. Under Actions, click Add. 3. In the Step 1 of 2: Protocol Selection window, select LDAP from the Protocol list and click Next. Polycom, Inc. 158

161 Configuring RealPresence Access Director 4. In the Step 2 of 2: Detailed Settings window, complete the fields according to the following table: Setting Name External IP address Description The unique name of this LDAP proxy configuration The external IP address of the RealPresence Access Director system network interface that receives access proxy traffic. Polycom, Inc. 159

162 Configuring RealPresence Access Director Setting External listening port Description The external port at which the RealPresence Access Director system listens for LDAP traffic. Default port: 389 Port range: Note: The RealPresence Access Director system automatically redirects inbound access proxy traffic on ports 443 and 389 to the internal ports reserved on the system's loopback interface private IP address. The CentOS operating system does not allow processes without root ownership to listen on ports <1024. Redirecting access proxy traffic on ports <1024 to the internal ports enables the access proxy process to function correctly. Internal IP address Next hop address Next hop port Verify certificate from internal server The internal access proxy IP address of the RealPresence Access Director system (specified when you configure network settings). The system forwards LDAP requests from this IP address to the requested application server. The internal IP address of the target LDAP server. The RealPresence Access Director system sends a new request to the next hop IP address on behalf of the external user. The port at which the internal LDAP application server listens. Default LDAP port: 389 When selected, access proxy verifies the certificate from the internal LDAP server. Polycom, Inc. 160

163 Configuring RealPresence Access Director 5. Click Done, and then click OK to confirm the configuration settings and restart the access proxy. Configure XMPP Proxy Settings XMPP reverse proxy configurations can be added to access different XMPP servers, such as the XMPP server configured in the RealPresence Resource Manager system or a different network server that provides message, presence or other XMPP services. Procedure 1. Go to Configuration > Access Proxy Settings. 2. Under Actions, click Add. 3. In the Step 1 of 2: Protocol Selection window, select XMPP from the Protocol list and click Next. Polycom, Inc. 161

164 Configuring RealPresence Access Director 4. In the Step 2 of 2: Detailed Settings window, complete the fields according to the following table: Setting Name External IP address External listening port Internal IP address Next hop address Description The unique name of this XMPP proxy configuration The external IP address of the RealPresence Access Director system network interface that receives access proxy traffic. The external port at which the RealPresence Access Director system listens for XMPP traffic. Default port: 5222 Port range: The internal access proxy IP address of the RealPresence Access Director system (specified when you configure network settings). The system forwards XMPP requests from this IP address to the requested application server. The internal IP address of the target XMPP server. The RealPresence Access Director system sends a new request to the next hop IP address on behalf of the external user. Polycom, Inc. 162

165 Configuring RealPresence Access Director Setting Next hop port Description The port at which the internal XMPP application server listens. Default XMPP port: Click Done, and then click OK to confirm the configuration settings and restart the access proxy. Provision the RealPresence Access Director System Configuring your RealPresence Access Director system to be provisioned by a RealPresence Resource Manager system is optional. If you choose to have your system provisioned, you must connect to the RealPresence Resource Manager system from the RealPresence Access Director user interface. Once connected, your system will be automatically provisioned with the information you configured in the RealPresence Resource Manager system. Note: After you connect to a Polycom RealPresence Resource Manager system for provisioning, you cannot update the provisioned information manually in the RealPresence Access Director system until you disconnect. Procedure 1. From the RealPresence Access Director user interface, go to Admin > Polycom Management System. Polycom, Inc. 163

166 Configuring RealPresence Access Director 2. Enter the Login Name, Password, and RealPresence Resource Manager IP address for the RealPresence Access Director system user account for provisioning. Uncheck the Verify certificate from internal server, and click Connect. The login user is a local user that is created on RealPresence Resource Manager. Note: No certificates have been exchanged between the two servers so the verify certificate from internal server box must be unchecked unless the certificate exchange step has been completed in advance. Exchanging certificates provides enhanced security and can be configured at any time in the future. When connected, the RealPresence Resource Manager system automatically provisions the RealPresence Access Director system. RealPresence Access Director and RealPresence DMA Integration Specify the RealPresence Access Director configuration to integrate the RealPresence DMA system. Configure SIP and H.323 Settings Configure SIP and H.323 settings to integrate the RealPresence Access Director system with the RealPresence DMA system if RealPresence Access Director has not integrated with RealPresence Resource Manager. Procedure 1. From the RealPresence Access Director user interface, go to Configuration > SIP Settings. 2. Select Enable SIP signaling. 3. Enter the RealPresence DMA FQDN or IP address in the SIP registrar (Next hop) address. Polycom, Inc. 164

167 Configuring RealPresence Access Director 4. Go to Configuration > H.323 Settings. 5. Enter the RealPresence DMA FQDN or IP address in the Gatekeeper (Next hop) address. Related Links Configure the RealPresence DMA Gatekeeper Call Mode on page 97 Configure the Classless Inter-Domain Routing on page 165 Configure the Classless Inter-Domain Routing Make sure the Gatekeeper call mode is Routed call mode. The CIDR notations include the IP address and subnet of local network H.323 devices (for example, the RealPresence DMA system gatekeeper, endpoints, and bridges). Procedure 1. Go to Configuration > H.323 Settings. 2. Configure CIDR. If the Gatekeeper (Next hop) address is not specified by the RealPresence DMA Supercluster FQDN, leave the CIDR empty. If the Gatekeeper (Next hop) address is specified by the RealPresence DMA Supercluster FQDN, enter every IP address in the RealPresence DMA Supercluster in the CIDR. Note: The RealPresence DMA Gatekeeper call mode must be routed call mode. Polycom, Inc. 165

168 Configuring RealPresence Access Director Related Links Configure SIP and H.323 Settings on page 164 Configure the RealPresence DMA Gatekeeper Call Mode on page 97 RealPresence Access Director and RealPresence Web Suite Integration Specify the RealPresence Access Director configuration to integrate the RealPresence Web Suite system. Add the Next Hop Based on the Host Header Filter The HTTPS proxy is configured. Add two next hops for RealPresence Web Suite Services Portal and Experience Portal. Procedure 1. Go to Configuration > Access Proxy Settings. 2. Select HTTPS Proxy. 3. Under Actions, click Edit. 4. Under Next hops, click Add. 5. Configure the settings as described in the following table: Setting Type Description Host header Polycom, Inc. 166

169 Configuring RealPresence Access Director Setting Name Host value Address Port Description The unique name of this next hop The host name in the request message header The internal IP address of the target HTTPS server. After accepting the HTTPS request from the external endpoint, the RealPresence Access Director system sends a new HTTPS request to this IP address. The listening port of the internal HTTPS server. 6. Click OK to save the configuration. 7. Click Add to add a next hop for RealPresence Web Suite Experience Portal. 8. Click OK to save the configuration. Related Links Configure HTTPS Proxy on page 154 Polycom, Inc. 167

170 Configuring RealPresence Access Director Configure HTTP Tunnel Settings An HTTP tunnel enables SIP guest users to attend video conferences hosted by RealPresence Web Suite. Some restrictive networks block outgoing UDP-based traffic and can limit outgoing TCP traffic to ports 80 and 443. In these situations, if a SIP guest client cannot establish a native SIP/RTP connection to a RealPresence Web Suite video conference, the RealPresence Access Director system can act as a web proxy to tunnel the SIP guest call on port 443. Once the SIP client is connected to a meeting, the RealPresence Access Director system continues to tunnel TCP traffic, including SIP signaling, media, and BFCP content. The HTTP tunnel proxy uses auto-discovery to ensure that a RealPresence Web Suite SIP guest call is routed through the HTTP tunnel proxy when necessary. When a RealPresence Web Suite SIP guest user attempts to join a meeting, auto-discovery determines if standard SIP and media ports are available for the call. If not, the call is routed through the HTTP tunnel proxy. You can configure both the default HTTPS_proxy and an HTTP tunnel proxy to use the same external IP address and standard port 443. If you configure a port other than 443 as the external listening port for HTTP tunnel proxy calls, these calls may fail if the network from which the SIP guest client calls blocks outgoing traffic to other ports. The following conditions apply to the HTTP tunnel proxy: Only one HTTP tunnel proxy can be configured. The RealPresence Access Director system supports a maximum of 50 concurrent HTTP tunnel calls. After a call ends, the system recycles the port allocation. Use of an HTTP tunnel proxy is not supported with two RealPresence Access Director systems deployed in a tunnel configuration. Procedure 1. Go to Configuration > Access Proxy Settings. 2. Under Actions, click Add. 3. In the Step 1 of 2: Protocol Selection window, select HTTP Tunnel from the Protocol list and click Next. Polycom, Inc. 168

171 Configuring RealPresence Access Director 4. In the Step 2 of 2: Detailed Settings window, complete the fields according to the following table: Setting Name External IP address External listening port Description The name of the HTTP tunnel proxy configuration The external IP address of the RealPresence Access Director system network interface that receives access proxy traffic. The external port at which the RealPresence Access Director system listens for HTTP tunnel requests. Recommended HTTP tunnel port: 443 Range: 80, Polycom, Inc. 169

172 Configuring RealPresence Access Director 5. Click Done, and then click OK to confirm the configuration settings and restart the access proxy. Configure TURN Settings for WebRTC When you configure TURN settings, Polycom recommends that you assign TURN services to the network interface assigned to external signaling. The external IP address (private) of this interface must be mapped to the public IP address on your firewall. The number of dynamic ports you specify for TURN media relay doesn t necessarily map to the number of calls that can be supported. The number of ports required to support all WebRTC calls varies depending on whether the conference uses mesh mode or bridge mode. The allowable port range is designed to accommodate a large number of licensed calls. Polycom recommends that you use the default port range listed in the TURN Settings since the number of allocations can vary for calls, but you can choose any port range within the allowable range. The port range you configure must be configured on your firewall. Caution: When you enable the TURN server for the first time, you must add at least one TURN user in order for the TURN server to allow requests. If you disable the TURN server, all TURN users are saved and will be available if you later re-enable the TURN server. Procedure 1. Go to Configuration > TURN Settings. 2. Select Enable TURN server. The TURN server is disabled by default for new installations of the RealPresence Access Director system. Polycom, Inc. 170

173 Configuring RealPresence Access Director 3. Use the information in the following table to configure the settings for your system. An asterisk (*) indicates a required field. Settings Listening IPs Available IPs Listening IPs Selected IPs TURN port (UDP) Relay port range (UDP) Default authentication realm Field The list includes the IP addresses of all network interfaces configured on your system. The list displays the IP address of the network interface you assign to provide TURN services. You should select the network interface assigned to external signaling and map the externai IP address (private) to the public IP address on your firewall, specified in External IP Address of NAT. Select the IP address from the Available IPs list, then click the right arrow to move the IP address to the Selected IPs list. Assign TURN services to only one network interface. The listening port the RealPresence Access Director system uses to receive TURN allocation requests from internal or external clients. Default UDP port: 3478 Allowable port range: The port range used to relay media directly between WebRTC clients in a mesh call or between WebRTC clients and an MCU in a bridge call. Default port range: Allowable relay port range: Polycom recommends that you use the default port range, but you can choose any port range within the allowable range that is not already in use. Each allocation requires one port, so if your port range is small, only a small number of allocations can be supported at one time. The realm is typically a domain name and is part of the required authentication credentials for a TURN user. If a WebRTC client provides only a username and password when requesting TURN services, the TURN server automatically assigns the default authentication realm. Polycom, Inc. 171

174 Configuring RealPresence Access Director 4. Next to the list of TURN Users, click Add. Complete the following required fields: Settings Username Realm Password Field The username that a WebRTC client uses to authenticate requests to the TURN server. Maximum of 20 characters. The realm value is typically a domain name and is specific to the TURN server. When you configure one user for RealPresence Web Suite Pro WebRTC and MCU clients, the realm value should be the same as the Default Authentication Realm you configured in TURN Settings. The realm value uniquely identifies the username and password combination that a WebRTC client must use to authenticate its TURN requests. Maximum of 20 characters. The password that a WebRTC client uses in combination with the username to authenticate its TURN requests. Maximum of 20 characters. Verify Password Polycom, Inc. 172

175 Configuring RealPresence Access Director 5. Click OK to add the TURN user. 6. Click Update to save the TURN Settings. Related Links Configure Soft MCU for WebRTC on page 102 Configure WebRTC on page 219 Configure Endpoints You need to configure external endpoints with the following settings to receive SIP and H.323 calls if they are not provisioned by RealPresence Resource Manager. Procedure Enable H.460 traversal option for external endpoints receive H.323 call. For Non-provisioned hard endpoints RealPresence Group Series, check the Enable H.460 Firewall Traversal checkbox from endpoint configuration UI. Enable SIP keep-alive for external SIP endpoints. For Non-provisioned hard endpoints RealPresence Group Series, check the Enable SIP Keep- Alive Messages checkbox from the endpoint configuration UI. Polycom, Inc. 173

176 Configuring RealPresence Access Director Configuration for Non-provisioned RealPresence Group Series Related Links Create Network Provisioning Profile for Endpoints That Connect to RealPresence Access Director on page 60 Polycom, Inc. 174

177 Configuring RealPresence Media Suite Topics: Configuring Certificates Configure Media Storage Set up the Gatekeeper Validate the Recording The RealPresence Media Suite product is a video content management solution that integrates with standards-based and telepresence video conferencing systems. As a native part of the Polycom RealPresence Clariti solution, the RealPresence Media Suite product can record or live stream meetings, manage archives, and play back recordings on a variety of client devices including tablets, smartphones, desktop and laptop computers, and standards-based video endpoints. Configuring Certificates The RealPresence Media Suite system supports using X.509 certificates (version 3 or earlier) for authenticating the network connections. Create a Certificate Signing Request You can creates a Certificate Signing Request (CSR) to submit to your chosen certificate authority. Procedure 1. Log into RealPresence Media Suite Admin Portal. 2. Go to Configuration > Certificate Management. 3. Select Issue Signing Request. Polycom, Inc. 175

178 Configuring RealPresence Media Suite 4. Enter the certificate information and click OK. 5. Copy the entire contents of the Encoded Request box. Polycom, Inc. 176

179 Configuring RealPresence Media Suite 6. Click OK. Request a Certificate You can request a certificate from a third-party Certificate Authority. Procedure 1. Navigate to the Certificate Authority and click Request a Certificate. Polycom, Inc. 177

180 Configuring RealPresence Media Suite 2. Click the advanced certificate request. 3. Paste the CSR into the saved request field. 4. Under Certificate Template, choose Web Server with client EKU. 5. Click the Submit button. 6. Choose Base 64 encoded, and click Download certificate. Polycom, Inc. 178

181 Configuring RealPresence Media Suite Install the Certificate You must install a CA's certificate if you don't obtain a certificate chain that includes a signed certificate for the RealPresence Media Suite system, your CA's public certificate, and any intermediate certificates. Procedure 1. Go to Configuration > Certificate Management. 2. Select Install Certificates. 3. Click Upload Certificate and click Add to browse to the certificate. Upload the selected certificate, and enter your password if necessary. Polycom, Inc. 179

182 Configuring RealPresence Media Suite 4. Click OK. 5. Click Upload and OK to finish the certificate installation. Polycom, Inc. 180

183 Configuring RealPresence Media Suite Configure Media Storage Make sure the RealPresence Media Suite OVA file has been deployed successfully RealPresence Media Suite, Virtual Edition, supports local storage as its media storage. You can use local storage or NFS as media storage. Polycom recommends to use local storage for better disk I/O performance. You can according to the media storage capacity usage to plan your media storage. Polycom, Inc. 181

184 Configuring RealPresence Media Suite Media Storage Usage Solution Primary Rate Call Duration Storage Space (WMV) Storage Space (MP4) 1*1080p 1024 kbps (MP4) 1728 kbps (WMV) 60 minutes ~1.4 GB ~870 MB 1*1080p 4096 kbps 60 minutes ~3.2 GB ~3.5 GB 1*720p 4096 kbps 60 minutes ~3.2 GB ~3.5 GB 1*720p 1024 kbps 60 minutes ~862 MB ~860 MB 1*4CIF 512 kbps 60 minutes ~458 MB ~459 MB 1*CIF 128 kbps 60 minutes ~100 MB ~103 MB Each 60-minute 512k call to RealPresence Media Suite requires about 450M storage (the 512k call raw + the default mp4 VoD). For 1024k, the storage space is approximately double, which is 900M. You cannot calculate an accurate ratio because the size also depends on the video quality. Procedure 1. Add a hard disk in VMware vshpere. a. Right click the virtual machine which you want to add hard disk to, and select Edit Settings. b. Click Add to add a new hard disk. Polycom, Inc. 182

185 Configuring RealPresence Media Suite c. Select Hard Disk as the device type, and click Next. Polycom, Inc. 183

186 Configuring RealPresence Media Suite d. Select Create a new virtual disk to create a new disk, and click Next. Polycom, Inc. 184

187 Configuring RealPresence Media Suite e. Set the Disk Size. f. Set the Disk Provisioning, and Location for the new disk, and click Next. Polycom, Inc. 185

188 Configuring RealPresence Media Suite g. Configure Virtual Device Node. Polycom, Inc. 186

189 Configuring RealPresence Media Suite h. Check the hard disk options, and click Finish to add the hardware. Polycom, Inc. 187

190 Configuring RealPresence Media Suite i. Check the new hard disk from Virtual Machine settings. Polycom, Inc. 188

191 Configuring RealPresence Media Suite 2. Access the RealPresence Media Suite Admin Portal by its IP address or FQDN from a compatible browser. 3. Go to Device > Device Manager. 4. Select a specific device, then click Edit. 5. Select Media Storage tab. 6. Optional: If select the local disk as the media storage, specify the following fields: Media Storage Policy: Local Storage Only Local Disk: select one local disk as the media storage. Polycom, Inc. 189

192 Configuring RealPresence Media Suite 7. Optional: If select the network storage as the media storage, specify the following fields: Media Storage Policy: Network Storage Only NFS Server Address: enter an address of the NFS server. NFS Storage Folder: specify the folder path to the NFS storage. Polycom, Inc. 190

193 Configuring RealPresence Media Suite 8. Click Save. Set up the Gatekeeper For H.323, if a gatekeeper is configured on your network, you can register RealPresence Media Suite to the gatekeeper to simplify calling. A gatekeeper manages functions such as bandwidth control and admission control. A gatekeeper also handles address translation, which allows you to make calls using static aliases instead of IP addresses that may change each day. Procedure 1. In the Web browser, enter the system's IP address in this format: IP address>/admin or 2. Go to Configuration > Signaling Settings > H Select Register To Gatekeeper. 4. Configure the following settings. After you finish the configuration, click OK. Parameter Gatekeeper Type Primary Gatekeeper Description Choose between Polycom and Cisco VCS. Indicates if the system is registered to the primary gatekeeper. Polycom, Inc. 191

194 Configuring RealPresence Media Suite Parameter Gatekeeper Address Gatekeeper Port Register User Information for Gatekeeper Gatekeeper User Gatekeeper Password Alternate Gatekeeper Description The IP address for the gatekeeper. Note: Never enter the IP address of RealPresence Media Suite. The port number for the gatekeeper; the default value is Specifies whether to register the system to a Polycom Gatekeeper server for H authentication. When H authentication is enabled, the gatekeeper ensures that only trusted endpoints are allowed to access the gatekeeper. The user name for registration with the Polycom Gatekeeper server. The password for registration with the Polycom Gatekeeper server. Indicates if the system is registered to the alternate gatekeeper. Note: The alternate gatekeeper is used only when the primary gatekeeper is not available. System Prefix / E.164 System H.323 Alias Remote Display Name Specify the E.164 number for the system. Specify the H.323 alias for the system. Specify the name to be displayed to the far end. Note: If you set the remote display name with double-bytes characters like Chinese, you will not see the characters on the far end endpoints in a H.323 call between endpoints and the RealPresence Media Suite system. Note: Find information on RealPresence DMA If you need to configure both the H.323 Gatekeeper parameters and SIP parameters at the same time, click OK after you finish the configuration of both parameters. If the RealPresence Media Suite is registered to RealPresence DMA as the SIP server, you can find RealPresence Media Suite information on the RealPresence DMA portal under Network > Endpoints. Polycom, Inc. 192

195 Configuring RealPresence Media Suite Related Links Define Recording Links from RealPresence Collaboration Server on page 111 Validate the Recording Validate the recording function from the RealPresence Collaboration Server. Procedure 1. Call the VMR from the endpoint to start a conference. 2. Connect to RealPresence Collaboration Server through RMX Web Client/RMX Manager application. Polycom, Inc. 193

196 Configuring RealPresence Media Suite 3. In the Conferences pane, select the conference and click to start the recording. Note: You also can use DTMF code to start a recording from the endpoint. 4. Check the recording status. When recording has started, Recording shows as a conference participant. Polycom, Inc. 194

197 Configuring RealPresence Web Suite Topics: Configuring Certificates for RealPresence Web Suite Set the RealPresence Web Suite Date and Time RealPresence Web Suite Services Portal Server Settings RealPresence Web Suite Experience Portal Conference Settings Configure WebRTC RealPresence Web Suite is a collaboration solution that provides content sharing capabilities and enterprise-grade voice and video options. As a native part of the Polycom RealPresence Clariti solution, the RealPresence Web Suite product can schedule and join meetings, participate in web video conferencing meetings, and share content with meeting attendees. Depending on your organization policy, you can also invite social media contacts to join the meetings. When RealPresence Web Suite attendees join non-webrtc meetings in the RealPresence Web Suite Experience Portal, the system automatically downloads the Launcher.exe to attendees computers. RealPresence Web Suite attendees can do as follows: If attendees don t have the RealPresence Desktop software installed on their computers, the attendees can run the launcher. RealPresence Desktop software version installs and launches to connect the attendees to the meeting. If attendees have the RealPresence Desktop software version installed on the computer, the attendees can run the launcher. RealPresence Desktop software launches to connect the attendees to the meeting. If attendees have a previous version (3.8.x and below) of RealPresence Desktop software installed on their computers, the attendees must uninstall the previous version of RealPresence Desktop software, then join the meeting again from the web portal. After the meeting connects, attendees can control meetings in the RealPresence Desktop software as the RealPresence Web Suite soft client. Configuring Certificates for RealPresence Web Suite You must upload certificates to both the RealPresence Web Suite Services Portal and RealPresence Web Suite Experience Portal. To establish secure, encrypted communication with users and verify the identity of the portal, you must upload the following certificates: The signed public key certificate for the portal provided by the CA in response to the CSR. If the CSR was created using a third-party tool, you must first upload the associated private key. Any root and intermediate certificates provided by the CA to establish the chain of trust. For servers that require secure communication, such as the Enterprise Directory server, SMTP server, and the RealPresence DMA system, upload that server public key certificate as a trust certificate. Polycom, Inc. 195

198 Configuring RealPresence Web Suite Generate a Certificate Signing Request You must generate a self-signed certificate or CSR in each of the portals. Procedure 1. Log in to each portal with super admin credentials. 2. Navigate to Platform Settings > Certificate > Generate CSR/Certificate. 3. Enter the following information: Field Values for a CSR Field Operation Type Type Common Name (CN) Organization Organizational Unit Country State Location Sub Alternate Name Description In the RealPresence Web Suite Services Portal, select one of the following: CSR: Generates a CSR to send to a third-party CA in order to obtain a digitally signed public key certificate. Certificate: Generates a self-signed certificate (not applicable for the RealPresence Web Suite Experience Portal). This field is set to WebServer and cannot be modified. This field is the Subject CN field. It defaults to the FQDN of the portal. If this field is blank, the CSR or self-signed certificate will not include a CN. Note: The CN field has been deprecated by the CA/Browser Forum, but is still required by some products, notably Microsoft Server. If generating a CSR to send to a public CA, this field must not contain an internal server name or reserved (non-routable) IP address. Enter the legally-registered name of your organization. Enter the name of your organization unit or the DBA name of your organization. Enter the two-letter ISO code for the country where your organization is located. Enter the full name of the state, province, or other political subdivision where your organization is located. Enter the city or locality where your organization is located. This is the SAN field. For a CSR, enter a comma-separated list of names that the signed certificate must include. Because the CN field is deprecated, it is recommended to include the portal FQDN in the SAN field, even if the CN field contains the FQDN. 4. Click Generate. 5. Restart the portals. Polycom, Inc. 196

199 Configuring RealPresence Web Suite Note: Restarting web services will log out all users. The system remains inaccessible until you restart the web services. Restart only during a maintenance window when there is no activity on the system. Copy a Certificate Signing Request After you generate a CSR in the RealPresence Web Suite Services Portal or RealPresence Web Suite Experience Portal, you must copy it and forward it to your preferred trusted certificate authority. Procedure 1. Log in to the RealPresence Web Suite Services Portal or the RealPresence Web Suite Experience Portal administration interface with super admin credentials. 2. Go to Platform Settings > Certificate > Certificate list. 3. Select webserver-csr and click View. 4. Copy the CSR starting from BEGIN CERTIFICATE REQUEST through END CERTIFICATE REQUEST (include the leading and trailing dashes). Polycom, Inc. 197

200 Configuring RealPresence Web Suite 5. Paste the text into a text editor. 6. Save the file with the.csr extension. Request a Certificate You can request a certificate from a third-party Certificate Authority. Procedure 1. Navigate to the Certificate Authority and click Request a Certificate. 2. Click the advanced certificate request. Polycom, Inc. 198

201 Configuring RealPresence Web Suite 3. Paste the CSR into the saved request field. 4. Under Certificate Template, choose Web Server with client EKU. 5. Click the Submit button. 6. Choose Base 64 encoded, and click Download certificate. Polycom, Inc. 199

202 Configuring RealPresence Web Suite Download the CA Root Certificate You can download CA root certificate for the RealPresence Web Suite Services Portal and RealPresence Web Suite Experience Portal. Procedure 1. Navigate to the Certificate Authority and click Download a CA certificate, certificate chain, or CRL. 2. Choose Base 64 encoded, and click Download CA certificate chain. Polycom, Inc. 200

203 Configuring RealPresence Web Suite Upload a Certificate to the RealPresence Web Suite Services Portal You can upload the certificate file to the RealPresence Web Suite Services Portal. Procedure 1. Log in to the RealPresence Web Suite Services Portal with super admin credentials. 2. Go to Platform Settings > Certificate > Upload Certificate. 3. From the Type list, select the WebServer Own. 4. Click Browse to select the certificate for the service portal. 5. Click Upload. Polycom, Inc. 201

204 Configuring RealPresence Web Suite 6. Select Upload Certificate. 7. From the Type list, select the WebServer Trust. 8. Click Browse to select the CA server's root certificate. 9. Click Upload. 10. Restart the rpp-tomcat and nginx services. 11. Go to Platform Settings > Certificate > Certificate list, and make sure the certificates appear. Upload a Certificate to the RealPresence Web Suite Experience Portal You can upload the certificate file to the RealPresence Web Suite Experience Portal. Procedure 1. Log in to the RealPresence Web Suite Experience Portal with super admin credentials. 2. Go to Platform Settings > Certificate > Upload Certificate. 3. From the Type list, select the server certificate. 4. Click Browse to select the certificate for experience portal. 5. Click Upload. Polycom, Inc. 202

205 Configuring RealPresence Web Suite 6. From the Type list, select the ca certificate. 7. Click Browse to select the CA root certificate. 8. Click Upload. 9. Restart the web services or reboot the server. 10. Go to Platform Settings > Certificate > Certificate list, and make sure the certificates appear. Polycom, Inc. 203

206 Configuring RealPresence Web Suite Set the RealPresence Web Suite Date and Time For meetings and recordings to work properly, the RealPresence Web Suite Services Portal and the RealPresence Web Suite Experience Portal must reference the same time zone and NTP servers. The portals retrieve the default time for the instances from the host server, so if the host server time is wrong, then the RealPresence Web Suite Services Portal scheduler can go out of sync. Procedure 1. Log in to the RealPresence Web Suite Services Portal and RealPresence Web Suite Experience Portal using super admin credentials. 2. Go to Platform Settings > Date Time. 3. In the Time Zone list, select the appropriate time zone for the system. 4. Click Update. 5. Restart the portals using your virtual environment tools. RealPresence Web Suite Services Portal Server Settings This section describes a number of required settings and optional customizations available in the RealPresence Web Suite Services Portal. Configure the RealPresence Web Suite Services Portal Using LDAP The RealPresence Web Suite Services Portal handles user authentication. Before you add an Enterprise Directory user, confirm that the proper LDAP server is configured with the correct values. Polycom, Inc. 204

207 Configuring RealPresence Web Suite With LDAP authentication enabled, all users in the Enterprise Directory are granted access to the RealPresence Web Suite Services Portal. Procedure 1. Log in to the RealPresence Web Suite Services Portal using super admin credentials. 2. Go to Settings > Core Settings > LDAP. 3. Enter the following configuration settings. Fields Forest Root Domain Port Username Password Use default domain for authentication Default Domain Description The forest root domain name for the enterprise. The port number through which LDAP communicates. Port 636 is a Secure Port and Port 389 is a Nonsecure Port. The user ID for the LDAP services account that has system access to the Enterprise Directory. The password for the LDAP services account user ID. Enabled The name of the default domain where users are authenticated when a user ID is provided without a domain name. 4. Click Update. Polycom, Inc. 205

208 Configuring RealPresence Web Suite Enable Notifications for Users Using your organizational Simple Mail Transport Protocol (SMTP) server, the RealPresence Web Suite Services Portal sends notifications to users in the following situations: Procedure When the accounts are created When the account details are updated When the participants are invited to a meeting When the users scheduled a meeting or have been invited to is updated or canceled 1. Log in to the RealPresence Web Suite Services Portal using super admin credentials. 2. Go to Settings > Core Settings > SMTP. 3. Enter the following configuration settings. Fields Server Login ID Password Sender Mail Id Description SMTP server FQDN or IP address. The service account user ID for the SMTP service. This ID is not required for an insecure connection. The password for the service account user ID. This password is not required for an insecure connection. The RealPresence Web Suite system address, which is included in the From header of all notifications other than meeting invitations and updates. This must be a no-reply address, such as NoReply@example.com. If the SMTP server requires authentication for sending s, this address must be whitelisted on the SMTP server. Polycom, Inc. 206

209 Configuring RealPresence Web Suite Set Web Addresses for the Portals Each server defines a specific purpose in the RealPresence Web Suite environment. Before configuring the portal settings, configure the web addresses of both portals using the RealPresence Web Suite Services Portal. Procedure 1. Log in to the RealPresence Web Suite Services Portal using super admin credentials. 2. Go to Settings > Core Settings > Server Settings. 3. Enter the FQDNs assigned to the IP address of the two portals. 4. Click Update. Polycom, Inc. 207

210 Configuring RealPresence Web Suite 5. Confirm that both portals are available and accessible by entering their FQDN into a web browser and logging in with super admin credentials. Add a RealPresence DMA System You can configure RealPresence Web Suite to use one or more RealPresence DMA systems, each configured with multiple access points, for its meetings. The system prioritizes access points in the order in which they were added. Procedure 1. Log in to the RealPresence Web Suite Services Portal using super admin credentials. 2. Go to Settings > DMA Config. 3. Click +Another DMA and configure the following DMA Configuration settings: Setting Name Host Port Virtual Meeting Room (VMR) Prefix Common SIP Username Common SIP Password Default Admin Admin Password Description A possible name for the RealPresence DMA system connection to identify it in the RealPresence Web Suite Services Portal configuration. The FQDN or IP address of the RealPresence DMA system. The TCP port number used to communicate with the RealPresence DMA system. Port 8443 is the standard port. The VMR prefix that corresponds to this RealPresence DMA system. The VMR prefix must match the prefix specified on the RealPresence DMA system. If SIP device authentication is enabled on the RealPresence DMA system (the recommended configuration), specify the SIP device authentication credentials. The RealPresence Web Suite Services Portal provides these details to devices that authenticate with it so that they can connect to the RealPresence DMA system as authorized. The password credentials must be in the RealPresence DMA system list of inbound device authentication entries. Callers are trusted by the RealPresence DMA system and processed by its regular dial plan. If Enhanced Content is enabled, these credentials are provided to the Standards Connector. The user ID of an admin user on the RealPresence DMA system. If the RealPresence DMA system is integrated with Enterprise Directory, this must be an Enterprise Directory user with access to all domains (not a local user defined on the RealPresence DMA system) to be able to search the VMRs of all users. The password for the RealPresence DMA admin user. Polycom, Inc. 208

211 Configuring RealPresence Web Suite Setting Description Owner Domain The domain of the user account assigned to create meetings in the RealPresence DMA system. For a local user (not in Enterprise Directory), enter LOCAL. Owner Username Generate VMR From Range The user ID of the user account assigned to create meetings in the RealPresence DMA system. Select the check box to enter the starting and ending numbers of the range to use for auto-generating random conference IDs (temporary RealPresence Web Suite VMRs). For better security, specify a wide range such as to Click Configure. 5. Restart RealPresence Web Suite to apply the configuration settings. Note: When you restart both the RealPresence Web Suite portals and/or the RealPresence DMA system, you must restart the RealPresence DMA system and the RealPresence Web Suite Services Portal before you restart the RealPresence Web Suite Experience Portal. Due to the way the RealPresence Web Suite Experience Portal obtains its licensing information, if you start the RealPresence Web Suite Experience Portal first, your RealPresence Web Suite system stops working correctly. Add Access Points An access point is a network location that is routed directly or indirectly to the RealPresence DMA system. Polycom, Inc. 209

212 Configuring RealPresence Web Suite Clients or endpoints connect to conferences through an access point. Add access points in the order that you want the RealPresence Web Suite Services Portal to use them. For example, enter internal access points first. Procedure 1. Log in to the RealPresence Web Suite Services Portal using super admin credentials. 2. Go to Settings > DMA Config. 3. Click +Add Access Point and configure the following settings: Setting Location Description A name for this access point that describes its location or other properties that distinguish it from other access points (such as transport and authentication). Transport The transport protocol associated with the access point (SIP, TUNNEL, H323, ISDN, or PSTN). Dial string Auth Mode The dial string that an endpoint uses to dial this access point. The string must be appropriate for the specified transport type. For instance, for a SIP access point for callers outside the network, enter the public FQDN used to access the system using the RealPresence Access Director system. Shared Access point is shared by all users. Use this option if SIP device authentication is not enabled on the RealPresence DMA system. 4. Click + Add Access Point to enter additional access points as needed. 5. When you have added all required and optional access points, click Configure. 6. Restart the RealPresence Web Suite Experience Portal to apply the changes. Polycom, Inc. 210

213 Configuring RealPresence Web Suite Configure the MCU Pool Order and Conference Template After you add a RealPresence DMA system and its access points, the RealPresence Web Suite Services Portal connects and retrieves the list of available MCU pool orders and conference templates. You can then configure these settings. Procedure 1. Log in to the RealPresence Web Suite Services Portal using super admin credentials. 2. Navigate to Settings > DMA Config. 3. Click Expand under the entry you want to use. 4. Select the MCU Pool Order you create from RealPresence DMA. You can specify an existing pool order from down drop list. 5. Select the Conference Template you want to use from the drop-down list. You can specify an existing template from down drop list. 6. Make any other changes to the connection settings and the required access points. 7. Click Configure. RealPresence Web Suite Experience Portal Conference Settings This section provides information on configuring certain general platform settings for the RealPresence Web Suite Experience Portal. Configure Conference General Settings You can enable or disable some general conference settings. Procedure 1. In the RealPresence Web Suite Experience Portal administration interface, go to Conference > General Settings. 2. Select RealPresence Web Suite Experience Portal enabled. 3. Select Enhanced Content enabled. 4. Select Select Group Chat enabled to enable the group chat only for attendees joining meetings using the web browser. 5. Select Mute on Entry enabled. When the administrator enables the Mute on Entry function, all attendees (except Chairperson) when joining meetings from RealPresence Desktop will be muted by default. 6. Set secure and non-secure web addresses for RealPresence Web Suite Experience Portal. Note that the terms external and internal for these settings do not see outside or inside the network. Polycom, Inc. 211

214 Configuring RealPresence Web Suite External addresses Enables human users to access the portal. Internal addresses Enables the RealPresence Web Suite Services Portal and RealPresence Web Suite Experience Portal to communicate with each other on the network. Configure the following Web Addresses settings: Fields Secure External Address External Address (non-secure) Secure Internal Address Internal Address (non-secure) Description The HTTPS address that the users use to connect to the RealPresence Web Suite Experience Portal. The HTTP address that the users use to connect to the RealPresence Web Suite Experience Portal. By default, it re-routes to the secure external address. The address used for inter-agent communication between the servers (not for users). This address includes the port number through which the portals connect to the Apache Tomcat server. By default, this is port The non-secure address used for the inter-agent communication between the servers (not for users). By default, it re-routes to the secure internal address. 7. Click APPLY to save the general settings. Polycom, Inc. 212

215 Configuring RealPresence Web Suite Configure the Portal Authentication Agent The authentication settings in the RealPresence Web Suite Experience Portal include the rules used to authenticate users and guests to enable them to host or attend meetings and the authentication agent configurations. Procedure 1. Set conference authentication rules. a. Log in to the RealPresence Web Suite Experience Portal administration interface using super admin credentials. b. Go to Conference > Authentication. c. Click and configure the following settings in the Match, Property, and Realm columns: Fields Match Property Description A regular expression that reflects the way you want the property to match for authentication. This value can reflect a host, domain host, or e- mail domain. For example, to authenticate only users with a polycom.com address, enter the following regular expression to match against the UserAddressDomain property: :+@(polycom.+)$ This is the data type to which you want to apply the Match regular expression. Based on the user information entered, at least one rule is required for each property: SSOSource Match the provided regular expression against the source of authentication for single sign-on users. SSOUsername Match the provided regular expression against the address of the RealPresence Web Suite Services Portal. UserAddressDomain Match the provided regular expression against the domain for users. Host Match the provided regular expression against the host URL to set the realm. Polycom, Inc. 213

216 Configuring RealPresence Web Suite Fields Realm Description The target authentication realm is the FQDN of the RealPresence Web Suite Services Portal server that you want to authenticate users against. UserAddressDomain and SSOSource can point to realms in the RealPresence Web Suite Services Portal authentication agent realm list using $#, with $1 referencing the first element in the list, and so on. 2. Configure the portal authentication agent. The RealPresence Web Suite Experience Portal queries the RealPresence Web Suite Services Portal to authenticate users logging in to it to join a conference. Configure the settings for the authentication agent in the RealPresence Web Suite Experience Portal to enable it to communicate with the RealPresence Web Suite Services Portal. a. Expand Agents > Service Portal Authentication and configure the following settings: Fields Target URL Username Description The FQDN of the RealPresence Web Suite Services Portal ( included). Read only. The name of the internal system user responsible for authentication, meaauth. Polycom, Inc. 214

217 Configuring RealPresence Web Suite Fields Password Realms Default Login Method (experimental) Description Click [!] to enter the password for the meaauth user. The default is meaauth, which must be changed for security reasons. Enter the RealPresence Web Suite Services Portal FQDN and the domains that the authentication rules can authenticate users against, separated by commas. Select Enterprise (the default). The RealPresence Web Suite Experience Portal login page requests user enterprise login credentials. b. Click Apply. Configure the Conference Agent You can configure both the scheduled and static conference agent settings and RealPresence DMA agent in the RealPresence Web Suite Experience Portal. Procedure 1. Log in to the RealPresence Web Suite Experience Portal administration interface using super admin credentials. 2. Go to Conference > Conference. 3. Expand Agents > RealPresence DMA and configure the following settings: Polycom, Inc. 215

218 Configuring RealPresence Web Suite Fields Target URL Username Password Routes Prefix Description The FQDN or IP address of the RealPresence DMA server, using this syntax: <IP address or FQDN of RealPresence DMA> :8443/api/rest The user ID of an admin user on the RealPresence DMA system. This must be the same as the admin user entered in the DMA Configuration section of the RealPresence Web Suite Services Portal. If the RealPresence DMA system is integrated with Enterprise Directory, this must be an Enterprise Directory user. The password for the RealPresence DMA admin user. This field includes the conference routes specified in the conference lobby rules, scheduled.cloudaxis.local and adhoc.cloudaxis.local. Do not make any changes. Enter the dialing prefix if any, for the RealPresence DMA system. 4. Configure the conference agent. a. Expand Agents > Conference Settings. b. Select Allow scheduled and static meetings for the Type. Polycom, Inc. 216

219 Configuring RealPresence Web Suite c. Expand Scheduled Conference Settings and configure the following settings: Fields Target URL Username Password Routes Description The complete URL of the RealPresence Web Suite Services Portal server (including Read only. The name of the internal system user responsible for conferences, meaconf. Click [!] to enter the password for the meaconf user. The default password is meaconf, which must be changed for security reasons. This field includes the conference routes specified in the conference lobby rules, scheduled.cloudaxis.local and adhoc.cloudaxis.local. Do not make any changes. d. Expand External Conference Template and specify the settings for each access point in the RealPresence Web Suite environment. These settings must match the settings for each access point set up in the RealPresence Web Suite Services Portal. Two sets of access point fields containing sample values are present by default. Edit those for the first two access points. Polycom, Inc. 217

220 Configuring RealPresence Web Suite Fields Dial String Location POP Address Transport Authentication Mode Description The dial string that an endpoint uses to dial this access point. The string must be appropriate for the specified access point transport type (for example, sip: for SIP). Do not remove or change the conference ID placeholder, {{ LobbyCode getvmr }}, but precede it with the appropriate dial prefix for this access point, if any. Specifies a name for this access point that describes its location or other properties that distinguish it from other access points (such as transport and authentication). Use the same name specified in the RealPresence Web Suite Services Portal for this access point. Enter the RealPresence Access Director FQDN. The transport protocol for this access point. Select SHARED. Access point is shared by all users. Use this if SIP device authentication is not enabled on the RealPresence DMA system. e. To add another access point, click Add below Authentication Mode and complete the new set of access point fields. Repeat the steps if necessary. Polycom, Inc. 218

221 Configuring RealPresence Web Suite 5. Click Apply. Enable Enhanced Content Sharing You can enable the Enhanced Content feature in the RealPresence Web Suite Experience Portal administration interface. To enable the sharing of content between HTML5 clients and standards-based clients, RealPresence Web Suite Pro uses the Standards Connector function. The Standards Connector provides a gateway function so that video-based content users can view enhanced content and vice-versa. Procedure 1. Log in to the RealPresence Web Suite Experience Portal administration interface using super admin credentials. 2. Go to Enhanced Content > Standards Connector. 3. Enter the correct password (the default password is ecsparticipant) for the ecsparticipant system user. Configure WebRTC Before enabling the RealPresence Web Suite Experience Portal for WebRTC support, ensure that you have completed the following: The RealPresence DMA system and the rest of your RealPresence Clariti solution have been provisioned appropriately to support WebRTC. Basic configuration of the RealPresence Web Suite portals is complete, including Enhanced Content. Procedure 1. Log in to the RealPresence Web Suite Experience Portal using super admin credentials. Polycom, Inc. 219

222 Configuring RealPresence Web Suite 2. Go to Conference > Conference. 3. Expand Agents > WebRTC > Settings and configure the following settings: Field Name Enabled Call Rate Settings STUN Settings TURN Settings Description Select to enable WebRTC support. Specify the maximum call rates used for WebRTC. Specify one or more STUN servers by IP address or FQDN. The default port number (3478) is used unless you specify a different one. The RealPresence Access Director TURN server provides both STUN and TURN services. Specify one or more TURN servers by IP address or FQDN. The default port number (3478) is used unless you specify a different one. Provide the TURN user credentials for each TURN server (the credentials you defined on your RealPresence Access Director). The RealPresence Web Suite Experience Portal Experience Portal provides these credentials to WebRTC clients so that they can connect to the TURN servers. Polycom, Inc. 220

223 Configuring RealPresence Web Suite Related Links Configure TURN Settings for WebRTC on page 170 Polycom, Inc. 221