Pexip Infinity Secure Mode Deployment Guide


Introduction

This guide contains instructions for deploying and using Pexip Infinity in a secure mode of operation. For further information about the deployment instructions and configuration settings described in this guide, please see the Pexip Infinity technical documentation website.

Securing the host environment

The VMware host environment must be hardened before deploying Pexip Infinity. It is expected that the host server contains at least two physical network interfaces, that management access to the ESXi host is restricted to a specific physical network, and that virtual machines (VMs) are connected to a separate physical network. Instructions for performing VMware-specific hardening are described in the VMware vSphere ESXi 6.0 Security Technical Implementation Guide, which can be found at http://iasecontent.disa.mil/stigs/zip/u_vmware_vsphere_6-0_esxi_v1r4_STIG.zip. Management of the ESXi host can run out-of-band of the video conferencing network.

Reserving virtual machine resources

The resources allocated to each virtual machine must be reserved after it has been deployed. This ensures that each VM has guaranteed access to the resources that it expects and is thus isolated from any other VMs on the host. To do this, find the VM in the vSphere client and edit its settings. There are separate settings for CPU, Memory, and Disk hardware.

CPU resource limits

There are three CPU resource settings: Reservation, Limit, and Shares. These specify the guaranteed CPU resource for the VM, the maximum CPU resource for the VM, and the weighting applied to the VM when sharing resources with its siblings.

2018 Pexip AS, Version 18.a, May 2018, Page 1 of 14

These should be configured as follows:

   Reservation: Select the menu entry labeled Maximum. (The value associated with Maximum will then appear in the Reservation field.)
   Limit: Select the menu entry labeled Minimum.
   Shares: Select Normal.

These settings ensure that the VM is guaranteed access to all of its allocated CPU resource, with no ability to burst above this resource allocation. Note that the MHz/GHz values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Memory resource limits

There are three memory resource settings: Reservation, Limit, and Shares. These specify the guaranteed memory resource for the VM, the maximum memory resource for the VM, and the weighting applied to the VM when sharing resources with its siblings. These should be configured as follows:

   Reservation: Select the Reserve all guest memory (All locked) check box.
   Limit: Select the menu entry labeled Minimum.
   Shares: Select Normal.

These settings ensure that the VM is guaranteed access to all its allocated memory resource, with no ability to burst above this resource allocation. Note that the MB values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Disk resource limits

There are two disk resource settings: Shares, and Limit - IOPs. These specify the weighting applied to the VM when sharing resources with other VMs on the host, and the maximum number of IOPs the VM is permitted to consume. These should be configured as follows:

   Shares: Select Normal.
   Limit - IOPs: Enter the appropriate number of IOPs for the Virtual Machine. The sum of all IOP limits for all VMs on the same host must not exceed the capacity of the datastore.

These settings ensure that the VM is limited to its fair share of IOPs. As the sum of all IOP limits on the same host does not exceed the host capabilities, sharing is not necessary, so a setting of Normal is appropriate.

BIOS configuration

The BIOS of each Virtual Machine must be configured and secured after deployment. This ensures that the system boots from the correct devices and that this configuration cannot be modified by unauthorized personnel. To do this:

1. Use the vSphere client to edit the configuration of the VM to force it to boot into the BIOS as soon as it is powered on. This is usually found under VM Options > Boot Options as a configuration item named Force BIOS setup. This option should be selected to force entry to the BIOS on the next boot.
2. Power on the Virtual Machine and open its console, which should contain the BIOS setup utility.
3. Configure the boot order:
   a. Go to the Boot configuration page, and ensure that Hard Drive is the first entry.
   b. Expand the Hard Drive device tree and ensure that VMware Virtual SCSI Hard Drive (0:0) is the first entry.
4. Configure the BIOS security:
   a. Go to the Security configuration page.
   b. Configure a Supervisor password to prevent unauthorized modification of the BIOS configuration.
5. Save and exit.
   a. Go to the Exit configuration page.
   b. Select the Exit Saving Changes option.

Pexip Infinity Management Node deployment and bootstrap configuration

This section describes the steps needed to deploy the Pexip Infinity Management Node into the secure environment described above.

1. Use the vSphere client to deploy the Management Node OVA onto the selected ESXi host system. See Installing the Management Node for full instructions on how to do this. The VLAN ID used for the Management Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging), as the system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide.
2. Log in to the Management Node console as the admin user. A password for this user must be set.
3. Enter the admin user password to permit the installation wizard to start.
4. Complete the installation wizard, ensuring that:
   - Enable incident reporting is set to no.
   - Send deployment and usage statistics to Pexip is set to no.
   On completion, the installation wizard will reboot the system.
5. Use a web browser to connect to the Pexip Infinity Administrator interface and ensure that you can log in using the credentials configured in the installation wizard.
6. Log in to the Management Node console as the admin user. Issue the following command:

      $ securitywizard

7. Enter the admin user password to permit the security wizard to start.
8. Complete the security wizard, providing answers as described below:

   Setting (default shown in brackets)                                     Value to enter
   Enable FIPS 140-2 compliance mode (NO)                                  YES
   Disable system administrator account (NO)
     (this applies to SSH and console access)                              YES
   Accept ICMPv6 redirects (NO)                                            NO
   Drop incoming packets to closed ports rather than reject (YES)          YES
   Accept multicast ICMPv6 echo requests (YES)                             NO
   Enable IPv6 Duplicate Address Detection (YES)                           NO
   SIP UDP listen port (5060) *                                            5060
   SIP TCP listen port (5060) *                                            5060
   SIP TLS listen port (5061) *                                            5061
   Active management web sessions (0) *                                    100
   Active per-user management web sessions (0) *                           10
   Enable management web validation of host headers (NO)                   YES
   Enable TLS 1.0 (YES)                                                    NO
   Enable Anonymous DH for outbound SIP/TLS (YES)                          NO
   Permit TLS <1.2 for inbound HTTPS (NO)                                  NO
   Enable HTTP Content-Security-Policy for Conferencing Nodes (NO)         YES

   * The SIP listen ports and web session limits may be customized for the target environment, as appropriate.

On completion, the security wizard will reboot the system. After the system has rebooted, no OS-level user access will be available on the system and it cannot be re-enabled. Note that only the Management Node is rebooted automatically. If the security wizard is run after any Conferencing Nodes have been deployed, those Conferencing Nodes must be manually rebooted.

Pexip Infinity Conferencing Node deployment

When deploying Conferencing Nodes, note that:
- Before deploying any Conferencing Nodes, you must complete the Management Node deployment and bootstrap configuration.
- As the host system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide:
  - All Conferencing Nodes should be deployed manually (see Manually deploying a Conferencing Node on an ESXi host).
  - The VLAN ID used for the Conferencing Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging).

Pexip Infinity application configuration

This section describes the application-specific configuration required for Pexip Infinity to operate in a secure environment. This configuration is performed using a web browser to access the Pexip Infinity Administrator interface. Log in to the Administrator interface using the credentials configured earlier in the installation wizard. More information about all of these settings can be found on the Pexip Infinity technical documentation website.

TLS certificates

This section describes the process for bootstrapping the PKI environment.

Management Node and Conferencing Node server certificates

The Pexip Infinity platform ships with default self-signed server certificates for the Management Node and each Conferencing Node. Because these certificates are self-signed, they will not be trusted by clients. Therefore you must replace these certificates with your own certificates that have been signed by a trusted certificate authority. You should also configure a SIP TLS FQDN on each Conferencing Node that matches one of the entries in the TLS certificate.

Creating a certificate signing request (CSR)

You can use Pexip Infinity's inbuilt Certificate Signing Request (CSR) generator to assist in acquiring a server certificate from a Certificate Authority. The resulting CSR file contents should be submitted to the CA for signing. After the CA has signed the CSR, the certificate will be ready for uploading. In deployments that do not use DNS resolution, the Common Name should contain the IP address of the Conferencing Node instead of an FQDN; to achieve this you need to use third-party tools such as the OpenSSL toolkit (http://www.openssl.org), available for Windows, Mac and Linux.

Uploading a certificate to a Pexip node

To upload a new TLS server certificate for the Management Node or a Conferencing Node:

1. From the Pexip Infinity Administrator interface, go to Platform Configuration > TLS Certificates.
2. Select Add TLS certificate.
3. Complete the following fields:

   TLS certificate: Paste the PEM-formatted certificate into the text area or alternatively select the file containing the new TLS certificate. You must upload the certificate file that you have obtained from the Certificate Authority (typically with a .crt or .pem extension). Do not upload your certificate signing request (.CSR file). The certificate must be valid for the hostname or FQDN of the Management Node or Conferencing Node to which it will be assigned. You can paste multiple certificates into the text area, but one of those certificates must pair with the associated private key.

   Private key: Paste the PEM-formatted private key into the text area or alternatively select the file containing the private key that is associated with the new TLS certificate. Private key files typically have a .key or .pem extension. Pexip Infinity supports RSA and ECDSA keys.

   Private key passphrase: If the private key is encrypted, you must also supply the associated passphrase.

   TLS parameters: Optionally, paste any additional PEM-formatted parameters into the text area or alternatively select the file containing the parameters that are to be associated with the new TLS certificate. Custom DH parameters and an EC curve name for ephemeral keys can be added. Such parameters can be generated through the OpenSSL toolkit using the commands openssl dhparam and openssl ecparam. For example, the command openssl dhparam -2 -outform PEM 2048 generates 2048 bit DH parameters. Note that these parameters can alternatively be added 'as is' to the end of the TLS certificate.

   Nodes: Select one or more nodes to which the new TLS certificate is to be applied. If required, you can upload a certificate and then apply it to a node later.

4. Select Save.

Trusted CA certificates

You must also upload the trusted Certificate Authority (CA) certificates for the secure environment. This must include any required chain of intermediate certificates for the CA that signed the server certificates. Note that the default set of trusted CA certificates that ship with Pexip Infinity are not used when FIPS 140-2 compliance mode is enabled.

To manage the set of custom trusted CA certificates, go to Platform Configuration > Trusted CA Certificates. This shows a list and the current status of all the trusted CA certificates that have been uploaded. From here you can:

- Upload a file of Trusted CA certificates: select Import files, select Choose Files to pick one or more PEM files that you want to import, and then select Import. This adds the certificates in the selected files to the existing list of trusted CA certificates (or to the list of TLS certificates, depending on the certificate types contained in the file). If a certificate with the same subject name already exists (e.g. when replacing an expired certificate), the new certificate is uploaded alongside the original certificate (unless the issuer and serial number details are identical, in which case the existing certificate is updated with the new contents from the file).
- View or modify an existing certificate: select the Subject name of the certificate you want to view. The decoded certificate data is shown. If required, you can modify the PEM-formatted certificate data and select Save.
- Download all certificates: select Export. A ca-certificates.pem file containing all of the custom-added certificates in PEM format is created and automatically saved to your local file system.
- Delete one or more certificates: select the boxes next to the certificates to be deleted, and from the Action drop-down menu select Delete selected Trusted CA certificates and select Go.

IPv6 (optional)

If required, configure the IPv6 address and IPv6 gateway addresses of the Management Node and each Conferencing Node. To configure these addresses:
- Go to Platform Configuration > Management Node and click on the name of the Management Node.
- Go to Platform Configuration > Conferencing Nodes and click on the name of the Conferencing Node.

Global settings

Go to Platform Configuration > Global Settings and review and modify where required the following settings:

   Enable SIP / Enable H.323 / Enable WebRTC / Enable RTMP: Review the call protocols (SIP, H.323, WebRTC and RTMP) and disable those protocols you do not need to support.
   Enable chat: Disable this option.
   Enable outbound calls: Disable this option.
   Enable support for Pexip Infinity Connect and Mobile App: Disable support for these applications.
   DSCP value for management traffic: Set a DSCP value for management traffic sent from the Management Node and Conferencing Nodes. We recommend a value of 16.
   Enable SSH: Disable this option.
   Signaling port range start and end: Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for signaling.
   Media port range start and end: Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for media.
   OCSP state and OCSP responder URL: Set this to Override and specify the OCSP responder URL to which OCSP requests will be sent.

Global settings (continued):

   SIP TLS certificate verification mode: Set this to On.
   Enable HTTP access for external systems: Ensure that this option is disabled.
   Login banner text: Configure this field with some appropriate text for your deployment.
   Management web interface session timeout: Set this to 10 minutes or other timeout value suitable for your deployment.

Configure administrator accounts and authentication settings

You must configure the Pexip Infinity platform to authenticate and authorize login accounts via a centrally-managed LDAP-accessible server.

Administrator roles

1. Go to Users > Administrator Roles.
2. Select the existing Read-only role and remove the following permissions:
   - May view logs
   - May generate system snapshot
3. Select the existing Read-write role and remove the following permissions:
   - May view logs
   - May generate system snapshot
4. Create an Auditor role:
   a. Select Add role.
   b. Specify a Name of "Auditor".
   c. Assign the following permissions to the role:
      - Is an administrator
      - May use web interface
      - May use API
      - May view logs
      - May generate system snapshot
   d. Save the role.

LDAP server connection details

You must configure the details of the LDAP-accessible server and set the system to authenticate against the LDAP database and locally (for "last resort" contingency access):

1. Go to Users > Administrator Authentication.
2. Set the Authentication source to LDAP database and local database.
3. In the LDAP Configuration section, specify the connection details for the LDAP-accessible server.
4. Save the settings.

LDAP group to role mapping

LDAP role mappings are used to map the LDAP groups associated with LDAP user records to the Pexip Infinity administrator roles. You must configure a separate LDAP role mapping for each LDAP group for which you want to map one or more Pexip Infinity administrator roles.

1. Go to Users > LDAP Role Mappings.
2. Select Add LDAP role mapping.
3. Configure the role mapping:
   Name: Enter a descriptive name for the role mapping.
   LDAP group DN: Select the LDAP group against which you want to map one or more administrator roles. The list of LDAP groups is only populated when there is an active connection to an LDAP server (Users > Administrator Authentication).
   Roles: Select from the list of Available roles the administrator roles to associate with the LDAP group and then use the right arrow to move the selected roles into the Chosen Roles list.
4. Save the role.
5. Configure as many LDAP role mappings as required, ensuring that every administrator role is mapped to at least one LDAP group.

Enable certificate-based authentication

This configuration requires administrators to log in to the Pexip Infinity Administrator interface by presenting (via their browser) a client certificate containing their user identification details.

1. Install suitable client certificates into the certificate stores of the browsers to be used by the Pexip Infinity administrators. The identities contained in the certificates must exist in the LDAP database.
2. Go to Users > Administrator Authentication.
3. Set Require client certificate to one of the Required options as appropriate for your installation:
   - Required (user identity in subject CN): administrators identify themselves via the identity contained in the subject CN (common name) of the client certificate presented by their browser.
   - Required (user identity in subjectAltName userPrincipalName): administrators identify themselves via the identity contained in the subjectAltName userPrincipalName attribute of the client certificate presented by their browser.
4. Save the settings.

When a client certificate is required, the standard login page is no longer presented. Administrators will not be able to access the Pexip Infinity Administrator interface or the management API if their browser does not present a valid certificate that contains a user identity which exists in the selected Authentication source.

Configure "last resort" contingency local account access

In case of prolonged lack of access to the LDAP-accessible server, a method of "last resort" access is required. This allows administrative access to the local Pexip Infinity administrator account via a securely-held certificate. To set this up:

1. Create a self-signed certificate for the local administrator account:
   a. Create a certificate generator script (the backslash-escaped dollar signs keep the variables unexpanded until the generated script runs):

      cat >mkcert <<ENDSCRIPT
      #!/usr/bin/env bash
      set -e
      # Generate user certificate
      USER=\$1
      cat >cba.cnf <<EOF
      [ usr_cert ]
      basicConstraints=CA:TRUE
      keyUsage=digitalSignature,keyEncipherment,keyCertSign
      subjectKeyIdentifier=hash
      authorityKeyIdentifier=keyid,issuer
      subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:\${USER}
      EOF
      openssl genrsa -out \${USER}.key 4096
      openssl req -new -key \${USER}.key -subj "/O=Users/CN=\${USER}" -days 3650 -out \${USER}.csr
      openssl x509 -req -days 3650 -in \${USER}.csr -signkey \${USER}.key -extfile cba.cnf -extensions usr_cert -set_serial 01 -out \${USER}.pem
      # Convert user certificate to PKCS12 format for import into browser
      openssl pkcs12 -export -out \${USER}.p12 -inkey \${USER}.key -in \${USER}.pem
      rm cba.cnf
      rm \${USER}.csr
      rm \${USER}.key
      ENDSCRIPT

   b. Set its permissions: chmod 755 mkcert
   c. Invoke it: ./mkcert <username>
      Where <username> is the Web administration username that you set up in the Pexip Infinity installation wizard. A pair of Export Password prompts will appear; blank entries are permitted (if no export password is desired). Site-specific policy should be followed, however. The result will be two files in the current directory:
      - <username>.pem: the user's public certificate.
      - <username>.p12: the PKCS#12 bundle containing the user's certificate and private key.
      The script generated above will issue a certificate valid for 10 years. It is a site-specific responsibility to ensure the continued validity of <username>.p12 and to rerun this process before it expires.
2. It is a site-specific responsibility to ensure that <username>.p12 (and any associated Export Password) is secured in a safe.
3. Configure Pexip Infinity to trust this certificate:
   a. Go to Platform Configuration > Trusted CA Certificates.
   b. Select Import and choose <username>.pem in the file browser.
   c. Select Import to upload the certificate.

Using the "last resort" local account access

If needed, due to prolonged lack of access to the LDAP-accessible server, you can access the Administrator interface via the local administrator account:

1. Remove <username>.p12 from the safe, and add it to the appropriate browser's certificate store. For example:
   a. In Firefox, browse to about:preferences#advanced, select View Certificates, select Import, and choose <username>.p12.
   b. In Chrome, browse to chrome://settings/certificates, select Import, and choose <username>.p12.
   (Note that these browser-usage guidelines are subject to change, and depend on the current browser software version.)
2. You can now log in to the Administrator interface via the local administrator account. Note that the "SSH password" is never used, as SSH access is disabled.
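The pairing rule from the TLS certificate upload steps (one uploaded certificate must match the private key, the file must be valid for the node's name, and the .csr must not be uploaded by mistake) and the site's responsibility to renew <username>.pem before it expires can all be checked from a workstation first. The script below is an added example, not part of the Pexip guide; it assumes only the OpenSSL command-line toolkit and takes file paths as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the Pexip guide): checks to run before pasting a
# certificate and key into Platform Configuration > TLS Certificates, an
# expiry check for the "last resort" <username>.pem, and generation of the
# optional EC curve parameters for the TLS parameters field.
# Assumes only the OpenSSL toolkit; all file names are arguments.

# cert_matches_key CERT_PEM KEY_PEM
# 0 if the certificate carries the public key derived from the private key,
# 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# is_csr FILE: 0 if FILE is a certificate signing request, which belongs with
# the CA, not in the TLS certificate field.
is_csr() {
  grep -q -- '-----BEGIN .*CERTIFICATE REQUEST-----' "$1"
}

# cert_names_cover CERT_PEM NAME
# 0 if NAME is the subject CN or a DNS/IP subjectAltName entry, i.e. the
# certificate is valid for the FQDN, SIP TLS FQDN or IP address it is assigned to.
cert_names_cover() {
  local text esc pat
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')      # literal dots in the regex
  pat="Subject:.*CN ?= ?${esc}"'(,|$)|DNS:'"${esc}"'(,|$)|IP Address:'"${esc}"'(,|$)'
  printf '%s\n' "$text" | grep -Eq "$pat"
}

# cert_expires_within CERT_PEM DAYS
# 0 if the certificate expires within DAYS days (time to rerun mkcert or
# request a new CSR), 1 if it stays valid beyond that horizon, 2 on parse error.
cert_expires_within() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
  # -checkend exits 0 only when the certificate will NOT expire in that window
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# make_ec_params OUT_PEM [CURVE]
# Writes the EC curve name parameters the guide mentions for ephemeral keys
# (openssl ecparam); the DH equivalent is "openssl dhparam -2 -outform PEM 2048".
make_ec_params() {
  openssl ecparam -name "${2:-prime256v1}" -outform PEM -out "$1" 2>/dev/null
}

# precheck_upload CERT_PEM KEY_PEM NODE_NAME [WARN_DAYS]
# Runs every check, prints one line per finding, returns 0 only if all pass.
precheck_upload() {
  local cert=$1 key=$2 name=$3 warn=${4:-30} rc=0
  if is_csr "$cert"; then
    echo "FAIL: $cert is a CSR; upload the CA-issued certificate instead"; rc=1
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "FAIL: $cert does not pair with private key $key"; rc=1
  fi
  if ! cert_names_cover "$cert" "$name"; then
    echo "FAIL: $cert is not valid for $name (check CN / subjectAltName)"; rc=1
  fi
  if cert_expires_within "$cert" "$warn"; then
    echo "WARN: $cert expires within $warn days"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cert / $key ready to upload for $name"
  return "$rc"
}

# Typical use: precheck_upload node1.crt node1.key node1.example.com 30
```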

Securing network services

DNS servers: Configure at least two DNS servers (System Configuration > DNS Servers).

NTP servers: Configure at least two NTP servers (System Configuration > NTP Servers). The configuration for each NTP server must include key authentication credentials.

Remote syslog servers: Configure at least one remote syslog server (System Configuration > Syslog Servers).

SNMP

Configure the Management Node and each Conferencing Node to use secure SNMPv3:

1. Go to Platform Configuration > Management Node and click on the name of the Management Node.
2. Set SNMP mode to SNMPv3 read-only.
3. Configure the SNMPv3 credentials (SNMPv3 username, privacy password and authentication password) for this SNMP agent to match those used in requests from the SNMP management station.
4. Change the SNMP community to something other than "public".
5. Save the SNMP settings for the Management Node.
6. Apply the same configuration settings to each Conferencing Node (go to Platform Configuration > Conferencing Nodes and click on the name of each Conferencing Node in turn).

Secure SNMPv3 read-only mode uses SHA1 authentication and AES 128-bit encryption.

Location DSCP tags and MTU

Configure DSCP tags for signaling and media, and set the MTU size for each location:

1. Go to Platform Configuration > Locations.
2. Select the first location.
3. Configure the DSCP tags. We recommend:
   - DSCP value for media is set to 51.
   - DSCP value for signaling is set to 40.
4. Configure the MTU. We recommend a value of 1400 bytes to account for the overhead associated with the encryption headers.
5. Save the settings.
6. Repeat for every other location.

Pexip Infinity Secure Mde Deplyment Guide Cntingency deplyment Cntingency deplyment We recmmend that yu maintain a secndary deplyment that yu can switch t in the event that yur primary deplyment fails r is cmprmised. This fallback system shuld mimic the primary installatin. It shuld be deplyed withut licensing. After the fallback system has been cnfigured, all VMs shuld be cmpletely pwered ff and remain ff until required. If the primary deplyment is cmprmised and must be trn dwn, yu shuld cntact yur Pexip authrized supprt representative t return the riginal license key and then re-activate the same license n the fallback system after it has been brught up. Backing up cnfiguratin We recmmend that yu take regular backups f yur Pexip Infinity cnfiguratin s that up-t-date cnfiguratin can be restred t yur cntingency deplyment r t a new deplyment if needed. There are tw ways t maintain cpies f yur Management Nde cnfiguratin data: Take a VMware snapsht f the Management Nde VM. Use the backup and restre mechanism built int the Pexip Infinity Administratr interface. In bth cases yu shuld fllw site-specific guidelines fr the backup plicy and strage f backup files. Certificate signing requests (CSRs) T acquire a server certificate frm a Certificate Authrity (CA), a certificate signing request (CSR) has t be created and submitted t the CA. Yu can generate a CSR frm within Pexip Infinity, and then uplad the returned certificate assciated with that request. Yu can create a new CSR fr any given subject name / nde, r if yu have an existing certificate already installed n a Pexip Infinity nde that yu need t replace (fr example if it is due t expire) yu can create a CSR based n the existing certificate data. CSRs generated via Pexip Infinity always request client certificate and server certificate capabilities. 
This tpic cvers: Requesting a certificate signing request (CSR) fr an existing certificate / subject name Creating a new certificate signing request Uplading the signed certificate assciated with a certificate signing request Trubleshting Mdifying a CSR Requesting a certificate signing request (CSR) fr an existing certificate / subject name Yu can generate a certificate signing request (CSR) fr an existing certificate / subject name, fr example if yur current certificate is sn due t expire and yu want t replace it. Befre generating the CSR yu can change the certificate data t be included in the new request, such as adding extra subject alternative names (SANs) t thse already present in the existing certificate. T generate a CSR fr an existing certificate / subject name: 1. G t Platfrm Cnfiguratin > TLS Certificates. 2. Select the subject name f the certificate fr which yu want t generate a CSR. The certificate data is shwn. 3. G t the bttm f the page and select Create certificate signing request. 2018 Pexip AS Versin 18.a May 2018 Page 11 f 14

   You are taken to the Add Certificate signing request page, and the CSR data is defaulted to the contents of the certificate you selected.
4. If required you can change the certificate data, such as the subject alternative names (SANs) and subject fields. Note that you cannot change the private key: the CSR uses the same private key as the original certificate. Because a renewal CSR reuses the existing key, if that key may have been exposed (for example on a node that was compromised) do not renew; create a new CSR with a new private key instead (see Creating a new certificate signing request).
5. Select Save. The CSR is generated and you are taken to the Change Certificate signing request page.
6. Select Download. This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr. Note that the private key is not downloaded, or included within the CSR.
7. You can now submit this CSR file to your chosen CA for signing. The CA will then send you a signed certificate which you can upload into Pexip Infinity (see Uploading the signed certificate associated with a certificate signing request).

Note that you cannot generate a CSR for an existing temporary / self-signed certificate.

If the CSR generation fails with an "It was not possible to automatically create a certificate signing request from this certificate" message, then there was a problem with validating the original certificate data, most likely an invalid subject name or an invalid country code. In this case you will have to create the CSR manually.

Creating a new certificate signing request

To generate a CSR within Pexip Infinity:

1. Go to Utilities > Certificate Signing Requests.
2. Select Add Certificate signing request.
3. Complete the following fields:

TLS Certificate: Create non-renewal CSR is selected by default. This lets you create a new CSR. To create a renewal CSR based on an existing certificate, choose a different subject name / issuer from the list (in which case the subject name and private key fields below are not displayed).
Subject name: Select the name to be specified as the Common Name field of the requested certificate's subject. This is typically set to the FQDN of the node on which the certificate is to be installed. The available options are prepopulated with the FQDNs (hostname plus domain) of the Management Node and each currently deployed Conferencing Node. The list also includes any SIP TLS FQDN names of your Conferencing Nodes, if such names have been configured and are different from the node's FQDN. If you want to specify a custom Common Name instead, select User-provided custom Common Name.

Custom subject name: Enter the name that you want to use as the Common Name field of the requested certificate's subject, if you have selected User-provided custom Common Name above.

Private key type: Select the type of private key to generate, or select Upload user-provided private key if you want to provide your own private key. Default: RSA (2048 bit).

Private key: Only applies if you have selected Upload user-provided private key above. Enter the PEM-formatted RSA or ECC private key to use when generating your CSR. You can either paste the key into the input field or upload the private key file from your local file system.

Private key passphrase: Only applies if you have selected Upload user-provided private key above. If the private key is encrypted, you must also supply the associated passphrase.

Subject alternative names: Select the subject alternative names (SANs) to be included in the CSR. This allows the certificate to be used to secure a server with multiple names (such as a different DNS name), or to secure multiple servers using the same certificate. You can choose from the same list of names presented in the Subject name field. Note that the name you chose as the Common Name is automatically included in the generated CSR's list of SANs (even if you remove it from the Subject alternative names list shown here) unless you disable Include Common Name in Subject Alternative Names under Advanced. In some deployments it may be more practical to generate a single CSR in which all of your Conferencing Node FQDNs are included in the list of SANs. This means that the same single server certificate returned by the CA can then be assigned to every Conferencing Node; bear in mind that every node then holds the same private key, so the compromise of any one node exposes the certificate used by all of them. When integrating with Microsoft Skype for Business / Lync, SAN entries must be included for every individual Conferencing Node in the public DMZ (public DMZ deployments) or in the trusted application pool (on-prem deployments).

Additional subject alternative names: Optionally, enter a comma-separated list of additional subject alternative names to include in the CSR. For example, when integrating with on-prem Skype for Business / Lync deployments you would typically need to add the trusted application pool FQDN.

Additional subject fields (if required you can enter the following additional CSR attributes; these are all blank by default):

Organization name: The name of your organization.
Department: The department within your organization.
City: The city where your organization is located.
State or Province: The state or province where your organization is located.
Country: The 2-letter (ISO 3166-1 alpha-2) code of the country where your organization is located. An invalid code here is one of the causes of the CSR generation failure described above.

Advanced (in most scenarios you should leave the advanced options at their default settings):

Include Microsoft certificate template extension: Select this option to specify a (Microsoft-specific) certificate template in the CSR. This is needed when using the Certification Authority MMC snap-in to request a certificate from an enterprise CA. Selecting this option causes the 'WebServer' certificate template to be specified. Default: disabled.

Include Common Name in Subject Alternative Names: Specifies whether to include the requested subject Common Name in the Subject Alternative Name field of the CSR. Default: enabled. Leave this enabled: modern TLS clients match the host name against the SANs only and ignore the Common Name, so a certificate whose node FQDN appears only in the Common Name will be rejected by them.

4. Select Save. You are taken to the Change Certificate signing request page.
5. Select Download. This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr. Note that the private key is not downloaded, or included within the CSR.
6. You can now submit this CSR file to your chosen CA for signing. The CA will then send you a signed certificate which you can upload into Pexip Infinity (see below).

Uploading the signed certificate associated with a certificate signing request

When the Certificate Authority sends you a signed certificate in response to your CSR, you can upload that certificate into Pexip Infinity and assign it to one or more of your nodes. Make sure that you upload it via the Certificate Signing Requests page as this ensures that it is linked with the private key associated with your original CSR.
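Before sending a downloaded <subject-name>.csr to the CA it is worth confirming, outside the web interface, that it carries what this guide says a Pexip-generated CSR carries: the Common Name repeated in the SANs, every node FQDN you meant to include, both serverAuth and clientAuth, and no private key. The script below is an added example and is not Pexip's code or tooling; it generates a CSR of the same shape with the openssl command-line tool under hypothetical node names (conf01..conf03.example.com, mgr.example.com) so that the checks can be run offline, and you would point the same functions at the file downloaded from Pexip Infinity instead.

```shell
#!/bin/sh
# Added example (not part of the Pexip guide or product): pre-submission
# checks on a CSR. Node names are hypothetical; a CSR of the same shape as a
# Pexip-generated one is built here so the checks run offline.
# Requires the openssl command-line tool.
set -u
WORK=$(mktemp -d)
CN="conf01.example.com"
SANS="DNS:conf01.example.com,DNS:conf02.example.com,DNS:conf03.example.com"
CSR="$WORK/$CN.csr"

# Build a CSR with the properties the guide describes: the CN is also a SAN,
# and both server and client certificate capabilities are requested.
cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CN
O = Example Org
C = GB
[ext]
subjectAltName = $SANS
extendedKeyUsage = serverAuth, clientAuth
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/$CN.key" -out "$CSR" 2>/dev/null

# Decoded, human-readable form of a CSR file.
csr_text() { openssl req -in "$1" -noout -text; }

# 0 if the CSR's self-signature verifies, i.e. it was signed by the key
# whose public half it contains (the CA checks this too).
csr_verifies() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# csr_has_san NAME CSR_FILE: 0 if NAME is present as a DNS SAN. The match is
# on the whole name, so conf01.example.com does not satisfy conf01.example.co.
csr_has_san() {
    csr_text "$2" | tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$1"
}

# Requested extended key usages as one comma-separated string, spaces removed.
csr_ekus() {
    csr_text "$1" | awk '/Extended Key Usage/ { getline; gsub(/ /, ""); print }'
}

# 0 if a private key ended up in the file that is about to leave the site.
csr_leaks_key() { grep -q 'PRIVATE KEY' "$1"; }

# Stand-alone run: report on each name the certificate is meant to cover.
# mgr.example.com is deliberately absent from the CSR, to show a miss.
csr_verifies "$CSR" && echo "signature: OK" || echo "signature: FAILED"
for name in conf01.example.com conf02.example.com conf03.example.com mgr.example.com; do
    if csr_has_san "$name" "$CSR"; then echo "SAN present: $name"; else echo "SAN MISSING: $name"; fi
done
echo "EKU: $(csr_ekus "$CSR")"
csr_leaks_key "$CSR" && echo "WARNING: private key inside CSR file" || echo "no private key in CSR file"
```

Run it against a real download as, for example, csr_has_san conf02.example.com conf01.example.com.csr for each node FQDN you intend to assign the certificate to; a name missing here will be missing from the CA's certificate too, and the only remedy after signing is a new CSR.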

To upload the signed certificate:

1. Go to Utilities > Certificate Signing Requests.
2. Select the original CSR that is associated with the signed certificate. You are taken to the Change Certificate signing request page.
3. In the Certificate field either paste the PEM-formatted certificate into the input field or upload the certificate file from your local file system. The certificate file that you have obtained from the Certificate Authority typically has a .crt or .pem extension. Do not upload your certificate signing request (.csr file).
4. Select Complete. Providing it is a valid certificate and is based on the original CSR:
   - the certificate is uploaded and automatically linked with the private key associated with your original CSR.
   - if you are uploading a replacement certificate (same subject name and private key) it will replace the existing certificate and maintain any existing node assignments.
   - the original CSR is deleted.
   - you are taken to the Change TLS Certificate page.
5. You can now assign that certificate to the Management Node or one or more Conferencing Nodes as required:
   a. From within the Change TLS Certificate page go to the Nodes field and, from the Available Nodes list, select the nodes to which you want to assign the certificate and move them into the Chosen Nodes list.
   b. Go to the bottom of the page and select Save.

Troubleshooting

This section describes some of the error messages you may see when attempting to upload a signed certificate.

Error message: Certificate and private key do not appear to be part of the same key pair
Possible cause: This most likely means that you have tried to upload the certificate against the wrong CSR, i.e. the public key in the certificate does not match the private key that Pexip Infinity kept for the CSR you selected.
Resolution: Select the correct CSR and try again.

Modifying a CSR

After a CSR has been created it cannot be modified: the only available actions are to download it (for sending to a CA), or to apply the returned, signed certificate that is associated with that request.
If you need to change the content of a CSR, you should delete the original CSR and create a new CSR with the correct content. Note that a CSR is automatically deleted when the resulting signed certificate is uploaded.
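The "Certificate and private key do not appear to be part of the same key pair" error in the Troubleshooting section above comes down to one comparison: the public key inside the uploaded certificate against the public key derived from the private key held for the selected CSR. The script below is an added example, not Pexip's code, that performs the same comparison offline with the openssl command-line tool so you can tell before uploading whether a CA response belongs to a given CSR, and also catches the step 3 mistake of uploading the .csr file instead of the certificate. Everything in it is generated locally and hypothetical: a node conf01.example.com, the key behind its CSR, a second unrelated key standing in for "the wrong CSR", and a self-signed certificate standing in for the CA's response.

```shell
#!/bin/sh
# Added example (not part of the Pexip guide or product): the key-pair check
# behind the upload error, reproduced with openssl. All files are generated
# here; the self-signed certificate stands in for one issued by your CA.
# Requires the openssl command-line tool.
set -u
WORK=$(mktemp -d)
NODE="conf01.example.com"
CSR="$WORK/$NODE.csr"
CERT="$WORK/$NODE.crt"
RIGHT_KEY="$WORK/right.key"   # the key kept when this CSR was generated
WRONG_KEY="$WORK/wrong.key"   # the key behind some other, unrelated CSR

openssl genrsa -out "$RIGHT_KEY" 2048 2>/dev/null
openssl genrsa -out "$WRONG_KEY" 2048 2>/dev/null
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$NODE" > "$WORK/req.cnf"
openssl req -new -key "$RIGHT_KEY" -config "$WORK/req.cnf" -out "$CSR" 2>/dev/null
# Stand-in CA: issue a certificate for the CSR (self-signed for this demo).
openssl x509 -req -in "$CSR" -signkey "$RIGHT_KEY" -days 30 -out "$CERT" 2>/dev/null

# 0 if FILE parses as an X.509 certificate. A .csr file does not, which is
# the "Do not upload your certificate signing request" mistake from step 3.
is_certificate() { openssl x509 -in "$1" -noout 2>/dev/null; }

# cert_matches_key CERT_FILE KEY_FILE: 0 if the public key embedded in the
# certificate equals the public key derived from the private key, i.e. the
# certificate really was issued for the CSR generated from that key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_upload CERT_FILE KEY_FILE: the combined pre-upload verdict.
check_upload() {
    if ! is_certificate "$1"; then
        echo "REJECT: $1 is not a certificate (was the .csr uploaded instead?)"
        return 1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "REJECT: Certificate and private key do not appear to be part of the same key pair"
        return 1
    fi
    echo "OK: certificate matches the private key of this CSR"
}

# Stand-alone run: the three situations an administrator can end up in.
check_upload "$CERT" "$RIGHT_KEY" || true   # correct CSR selected
check_upload "$CERT" "$WRONG_KEY" || true   # wrong CSR selected
check_upload "$CSR"  "$RIGHT_KEY" || true   # .csr uploaded instead of .crt
```

Against a real deployment you do not have the private key on your workstation (Pexip Infinity never includes it in the download), so the practical form of this check is to compare the CA's certificate against the CSR you sent: openssl req -in <subject-name>.csr -noout -pubkey and openssl x509 -in <file>.crt -noout -pubkey must print the same public key, otherwise you have the wrong certificate or the wrong CSR.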