Pexip Infinity Secure Mode Deployment Guide

2017 Pexip AS. Version 17.a, December 2017.

Introduction

This guide contains instructions for deploying and using Pexip Infinity in a secure mode of operation. For further information about the deployment instructions and configuration settings described in this guide, please see the Pexip Infinity technical documentation website.

Securing the host environment

The VMware host environment must be hardened before deploying Pexip Infinity. It is expected that the host server contains at least two physical network interfaces, that management access to the ESXi host is restricted to a specific physical network, and that virtual machines (VMs) are connected to a separate physical network. Instructions for performing VMware-specific hardening are described in the VMware ESXi Server 5.0 Security Technical Implementation Guide, which can be found at http://iase.disa.mil/stigs/documents/u_esxi5_server_v1r5_stig.zip. Management of the ESXi host can then run out-of-band from the video conferencing network.

Reserving virtual machine resources

The resources allocated to each virtual machine must be reserved after it has been deployed. This ensures that each VM has guaranteed access to the resources that it expects and is thus isolated from any other VMs on the host: a noisy or compromised neighbour cannot starve it of CPU, memory or disk. To do this, find the VM in the vSphere client and edit its settings. There are separate settings for CPU, Memory, and Disk hardware.

CPU resource limits

There are three CPU resource settings: Reservation, Limit, and Shares. These specify the guaranteed CPU resource for the VM, the maximum CPU resource for the VM, and the weighting applied to the VM when sharing resources with its siblings.

These should be configured as follows:

    Reservation    Select the menu entry labeled Maximum. (The value associated with Maximum then appears in the Reservation field.)
    Limit          Select the menu entry labeled Minimum.
    Shares         Select Normal.

These settings ensure that the VM is guaranteed access to all of its allocated CPU resource, with no ability to burst above this allocation. Note that the MHz/GHz values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Memory resource limits

There are three memory resource settings: Reservation, Limit, and Shares. These specify the guaranteed memory resource for the VM, the maximum memory resource for the VM, and the weighting applied to the VM when sharing resources with its siblings. These should be configured as follows:

    Reservation    Select the Reserve all guest memory (All locked) check box.
    Limit          Select the menu entry labeled Minimum.
    Shares         Select Normal.

These settings ensure that the VM is guaranteed access to all of its allocated memory resource, with no ability to burst above this allocation. Note that the MB values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Disk resource limits

There are two disk resource settings: Shares, and Limit - IOPs. These specify the weighting applied to the VM when sharing resources with other VMs on the host, and the maximum number of IOPs the VM is permitted to consume. These should be configured as follows:

    Shares         Select Normal.
    Limit - IOPs   Enter the appropriate number of IOPs for the virtual machine. The sum of all IOP limits for all VMs on the same host must not exceed the capacity of the datastore.

These settings ensure that the VM is limited to its fair share of IOPs. As the sum of all IOP limits on the same host does not exceed the host capabilities, sharing is not necessary, so a setting of Normal is appropriate.

BIOS configuration

The BIOS of each virtual machine must be configured and secured after deployment. This ensures that the system boots from the correct device and that this configuration cannot be modified by unauthorized personnel. To do this:

1. Use the vSphere client to edit the configuration of the VM to force it to boot into the BIOS as soon as it is powered on. This is usually found under VM Options > Boot Options as a configuration item named Force BIOS setup. This option should be selected to force entry to the BIOS on the next boot.
2. Power on the virtual machine and open its console, which should show the BIOS setup utility.
3. Configure the boot order:
   a. Go to the Boot configuration page, and ensure that Hard Drive is the first entry.
   b. Expand the Hard Drive device tree and ensure that VMware Virtual SCSI Hard Drive (0:0) is the first entry.
4. Configure the BIOS security:
   a. Go to the Security configuration page.
   b. Configure a Supervisor password to prevent unauthorized modification of the BIOS configuration.
5. Save and exit:
   a. Go to the Exit configuration page.
   b. Select the Exit Saving Changes option.

Pexip Infinity Management Node deployment and bootstrap configuration

This section describes the steps needed to deploy the Pexip Infinity Management Node into the secure environment described above.

1. Use the vSphere client to deploy the Management Node OVA onto the selected ESXi host system. See Installing the Management Node for full instructions on how to do this. The VLAN ID used for the Management Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging), as the system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide.
2. Log in to the Management Node console as the admin user. A password for this user must be set.
3. Enter the admin user password to permit the installation wizard to start.
4. Complete the installation wizard, ensuring that:
   - Enable incident reporting is set to no.
   - Send deployment and usage statistics to Pexip is set to no.
   On completion, the installation wizard will reboot the system.
5. Use a web browser to connect to the Pexip Infinity Administrator interface and ensure that you can log in using the credentials configured in the installation wizard.
6. Log in to the Management Node console as the admin user and issue the following command:

   $ securitywizard

7. Enter the admin user password to permit the security wizard to start.
8. Complete the security wizard, providing answers as described below:

    Setting                                                               Value to enter
    Enable FIPS 140-2 compliance mode (default = NO)                      YES
    Disable system administrator account (NO)
      (this applies to SSH and console access)                            YES
    Accept ICMPv6 redirects (NO)                                          NO
    Drop incoming packets to closed ports rather than reject (YES)        YES
    Accept multicast ICMPv6 echo requests (YES)                           NO
    Enable IPv6 Duplicate Address Detection (YES)                         NO
    SIP UDP listen port (5060) *                                          5060
    SIP TCP listen port (5060) *                                          5060
    SIP TLS listen port (5061) *                                          5061
    Active management web sessions (0) *                                  100
    Active per-user management web sessions (0) *                         10
    Enable management web validation of host headers (NO)                 YES
    Enable TLS 1.0 (YES)                                                  NO
    Enable Anonymous DH for outbound SIP/TLS (YES)                        NO

    * The SIP listen ports and web session limits may be customized for the target environment, as appropriate.

On completion, the security wizard will reboot the system. After the system has rebooted, no OS-level user access will be available on the system and it cannot be re-enabled. For this reason, do not start the security wizard until the Administrator interface login in step 5 has been confirmed to work: once the system administrator account is disabled, the web interface is the only way to administer the node.

Pexip Infinity Conferencing Node deployment

When deploying Conferencing Nodes, note that:

- Before deploying any Conferencing Nodes, you must complete the Management Node deployment and bootstrap configuration.
- As the host system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide:
  - All Conferencing Nodes should be deployed manually (see Manually deploying a Conferencing Node on an ESXi host).
  - The VLAN ID used for the Conferencing Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging).

Pexip Infinity application configuration

This section describes the application-specific configuration required for Pexip Infinity to operate in a secure environment. This configuration is performed using a web browser to access the Pexip Infinity Administrator interface. Log in to the Administrator interface using the credentials configured earlier in the installation wizard. More information about all of these settings can be found on the Pexip Infinity technical documentation website.

TLS certificates

This section describes the process for bootstrapping the PKI environment.

Management Node and Conferencing Node server certificates

The Pexip Infinity platform ships with default self-signed server certificates for the Management Node and each Conferencing Node. Because these certificates are self-signed, they will not be trusted by clients. Therefore you must replace these certificates with your own certificates that have been signed by a trusted certificate authority. You should also configure a SIP TLS FQDN on each Conferencing Node that matches one of the entries in the TLS certificate.

Creating a certificate signing request (CSR)

You can use Pexip Infinity's inbuilt Certificate Signing Request (CSR) generator to assist in acquiring a server certificate from a Certificate Authority. The resulting CSR file contents should be submitted to the CA for signing. After the CA has signed the CSR, the certificate will be ready for uploading.

In deployments that do not use DNS resolution, the Common Name should contain the IP address of the Conferencing Node instead of an FQDN; to achieve this you need to use third-party tools such as the OpenSSL toolkit (http://www.openssl.org), available for Windows, Mac and Linux. Note that current TLS clients match the peer name against the subjectAltName extension rather than the Common Name, so the address should also be present in the CSR as an IP Address SAN entry.

Uploading a certificate to a Pexip node

To upload a new TLS server certificate for the Management Node or a Conferencing Node:

1. From the Pexip Infinity Administrator interface, go to Platform Configuration > TLS Certificates.
2. Select Add TLS certificate.
3. Complete the following fields:

   TLS certificate: Paste the PEM-formatted certificate into the text area or alternatively select the file containing the new TLS certificate. You must upload the certificate file that you have obtained from the Certificate Authority (typically with a .crt or .pem extension). Do not upload your certificate signing request (.CSR file). The certificate must be valid for the hostname or FQDN of the Management Node or Conferencing Node to which it will be assigned. You can paste multiple certificates into the text area, but one of those certificates must pair with the associated private key.

   Private key: Paste the PEM-formatted private key into the text area or alternatively select the file containing the private key that is associated with the new TLS certificate. Private key files typically have a .key or .pem extension. Pexip Infinity supports RSA and ECDSA keys.

   Private key passphrase: If the private key is encrypted, you must also supply the associated passphrase.

   TLS parameters: Optionally, paste any additional PEM-formatted parameters into the text area or alternatively select the file containing the parameters that are to be associated with the new TLS certificate. Custom DH parameters and an EC curve name for ephemeral keys can be added. Such parameters can be generated through the OpenSSL toolkit using the commands openssl dhparam and openssl ecparam. For example, the command openssl dhparam -2 -outform PEM 2048 generates 2048-bit DH parameters. Note that these parameters can alternatively be added 'as is' to the end of the TLS certificate.

   Nodes: Select one or more nodes to which the new TLS certificate is to be applied. If required, you can upload a certificate and then apply it to a node later.

4. Select Save.

Trusted CA certificates

You must also upload the trusted Certificate Authority (CA) certificates for the secure environment. This must include any required chain of intermediate certificates for the CA that signed the server certificates. Note that the default set of trusted CA certificates that ship with Pexip Infinity is not used when FIPS 140-2 compliance mode is enabled, so every CA whose certificates the deployment must trust has to be uploaded explicitly here.

To manage the set of custom trusted CA certificates, go to Platform Configuration > Trusted CA Certificates. This shows a list and the current status of all the trusted CA certificates that have been uploaded. From here you can:

- Upload a file of trusted CA certificates: select Import files, select Choose Files to pick one or more PEM files that you want to import, and then select Import. This adds the certificates in the selected files to the existing list of trusted CA certificates (or to the list of TLS certificates, depending on the certificate types contained in the file). If a certificate with the same subject name already exists (e.g. when replacing an expired certificate), the new certificate is uploaded alongside the original certificate (unless the issuer and serial number details are identical, in which case the existing certificate is updated with the new contents from the file).
- View or modify an existing certificate: select the Subject name of the certificate you want to view. The decoded certificate data is shown. If required, you can modify the PEM-formatted certificate data and select Save.
- Download all certificates: select Export. A ca-certificates.pem file containing all of the custom-added certificates in PEM format is created and automatically saved to your local file system.
- Delete one or more certificates: select the boxes next to the certificates to be deleted, and from the Action drop-down menu select Delete selected Trusted CA certificates and select Go.

IPv6 (optional)

If required, configure the IPv6 address and IPv6 gateway addresses of the Management Node and each Conferencing Node. To configure these addresses:

- Go to Platform Configuration > Management Node and click on the name of the Management Node.
- Go to Platform Configuration > Conferencing Nodes and click on the name of the Conferencing Node.
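The inbuilt CSR generator covers the FQDN case and, as noted above, defers to OpenSSL when the Common Name must hold an IP address; the Add TLS certificate form in turn only accepts a certificate that pairs with the supplied private key. The shell script below is an added example and is not part of the Pexip guide or product. It produces a CSR with OpenSSL that carries the node address in the Common Name and in a subjectAltName, then checks that a returned certificate pairs with the key and carries the expected names before anything is pasted into the form. The node name conf1.example.internal, the address 10.0.0.5 and the working directory are assumptions made for the example, and the self-signed certificate stands in for the one your CA would return.

```shell
#!/bin/sh
# Added example, not from the Pexip guide. Requires the openssl CLI (1.1.1 or later).
# Names and addresses (conf1.example.internal, 10.0.0.5) are made up for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a request config: the node name (or its IP address, for deployments without
# DNS) goes in the CN and, because clients match names on SANs, in subjectAltName too.
write_req_config() {
    cn="$1"; san="$2"; out="$3"
    cat > "$out" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no

[ dn ]
CN = $cn
O = Example Org
C = GB

[ ext ]
subjectAltName = $san
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Generate an ECDSA P-256 key (Pexip accepts RSA and ECDSA) plus a CSR, and verify
# the CSR's self-signature so a corrupt request is caught before it goes to the CA.
make_csr() {
    cn="$1"; san="$2"; base="$3"
    write_req_config "$cn" "$san" "$base.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$base.key"
    openssl req -new -key "$base.key" -config "$base.cnf" -out "$base.csr"
    openssl req -in "$base.csr" -noout -verify >/dev/null 2>&1
}

# Hash the public key derived from the private key and the one embedded in the
# certificate; a certificate that does not pair with its key cannot be uploaded.
key_matches() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Check that a name such as "IP Address:10.0.0.5" or "DNS:conf1.example.internal"
# is present in the certificate's subjectAltName.
cert_has_san() {
    cert="$1"; name="$2"
    openssl x509 -in "$cert" -noout -text | grep -q "$name"
}

# Stand-in for the CA: self-sign the CSR, copying the requested extensions so the
# certificate carries the SANs. The certificate your CA returns replaces this step.
self_sign() {
    base="$1"
    openssl x509 -req -in "$base.csr" -signkey "$base.key" -days 30 \
        -extfile "$base.cnf" -extensions ext -out "$base.crt" 2>/dev/null
}

run_demo() {
    # No-DNS case: the IP address is the Common Name and also an IP SAN.
    make_csr "10.0.0.5" "DNS:conf1.example.internal,IP:10.0.0.5" "$WORK/conf1"
    self_sign "$WORK/conf1"
    # A second key that does not belong to the certificate, to show the failing check.
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"
    if key_matches "$WORK/conf1.key" "$WORK/conf1.crt"; then
        echo "conf1.crt pairs with conf1.key"
    fi
    if ! key_matches "$WORK/other.key" "$WORK/conf1.crt"; then
        echo "conf1.crt does not pair with other.key"
    fi
}

run_demo
```

The file to submit to the CA is conf1.csr in the working directory; the key never leaves it. The same key_matches and cert_has_san checks are worth running on the certificate the CA actually returns, since a certificate that does not pair with the key, or that lacks the node's name, will not serve the node it is assigned to.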
Global settings

Go to Platform Configuration > Global Settings and review and modify where required the following settings:

Enable SIP, Enable H.323, Enable WebRTC, Enable RTMP
    Review the call protocols (SIP, H.323, WebRTC and RTMP) and disable those protocols you do not need to support.
Enable chat
    Disable this option.
Enable outbound calls
    Disable this option.
Enable support for Pexip Infinity Connect and Mobile App
    Disable support for these applications.
DSCP value for management traffic
    Set a DSCP value for management traffic sent from the Management Node and Conferencing Nodes. We recommend a value of 16.
Enable SSH
    Disable this option.
Signaling port range start and end
    Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for signaling.
Media port range start and end
    Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for media.
OCSP state and OCSP responder URL
    Set this to Override and specify the OCSP responder URL to which OCSP requests will be sent.

SIP TLS certificate verification mode
    Set this to On.
Enable HTTP access for external systems
    Ensure that this option is disabled.
Login banner text
    Configure this field with some appropriate text for your deployment.
Management web interface session timeout
    Set this to 10 minutes, or another timeout value suitable for your deployment.

Configure administrator accounts and authentication settings

You must configure the Pexip Infinity platform to authenticate and authorize login accounts via a centrally managed LDAP-accessible server.

Administrator roles

1. Go to Users > Administrator Roles.
2. Select the existing Read-only role and remove the following permissions:
   - May view logs
   - May generate system snapshot
3. Select the existing Read-write role and remove the following permissions:
   - May view logs
   - May generate system snapshot
4. Create an Auditor role:
   a. Select Add role.
   b. Specify a Name of "Auditor".
   c. Assign the following permissions to the role:
      - Is an administrator
      - May use web interface
      - May use API
      - May view logs
      - May generate system snapshot
   d. Save the role.

This separates log access and snapshot generation from the roles that make configuration changes, so that only accounts mapped to the Auditor role can read logs or export a snapshot.

LDAP server connection details

You must configure the details of the LDAP-accessible server and, initially, set the system to authenticate both locally and against the LDAP database:

1. Go to Users > Administrator Authentication.
2. Set the Authentication source to LDAP database and local database.
3. In the LDAP Configuration section, specify the connection details for the LDAP-accessible server.
4. Save the settings.

LDAP group to role mapping

LDAP role mappings are used to map the LDAP groups associated with LDAP user records to the Pexip Infinity administrator roles. You must configure a separate LDAP role mapping for each LDAP group for which you want to map one or more Pexip Infinity administrator roles.

1. Go to Users > LDAP Role Mappings.
2. Select Add LDAP role mapping.
3. Configure the role mapping:

   Name: Enter a descriptive name for the role mapping.

   LDAP group DN: Select the LDAP group against which you want to map one or more administrator roles. The list of LDAP groups is only populated when there is an active connection to an LDAP server (Users > Administrator Authentication).

   Roles: Select from the list of Available roles the administrator roles to associate with the LDAP group and then use the right arrow to move the selected roles into the Chosen Roles list.

4. Save the role mapping.
5. Configure as many LDAP role mappings as required, ensuring that every administrator role is mapped to at least one LDAP group.

Enable certificate-based authentication

This configuration requires administrators to log in to the Pexip Infinity Administrator interface by presenting (via their browser) a client certificate containing their user identification details.

1. Install suitable client certificates into the certificate stores of the browsers to be used by the Pexip Infinity administrators. The identities contained in the certificates must exist in the LDAP database, and the CA that issued the certificates must be present under Platform Configuration > Trusted CA Certificates (the default CA set is not used in FIPS 140-2 compliance mode).
2. Go to Users > Administrator Authentication.
3. Set Require client certificate to one of the Required options as appropriate for your installation:
   - Required (user identity in subject CN): administrators identify themselves via the identity contained in the subject CN (common name) of the client certificate presented by their browser.
   - Required (user identity in subjectAltName userPrincipalName): administrators identify themselves via the identity contained in the subjectAltName userPrincipalName attribute of the client certificate presented by their browser.
4. Save the settings.

Keep the session in which you made this change open and confirm from a second browser that a certificate-based login succeeds before continuing: OS-level access was removed by the security wizard, so a misconfigured certificate requirement cannot be undone from the console.

When a client certificate is required, the standard login page is no longer presented.
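Step 1 above depends on the client certificates carrying the identity where the chosen Required option looks for it: the subject CN, or the userPrincipalName otherName in subjectAltName. The shell script below is an added example and is not part of the Pexip guide or product. It issues a test client certificate from a throwaway CA with the identity in both places, verifies it against that CA, and reads the identity back from each location, which is the check to make before the login page is replaced by the certificate requirement. The CA name, the user jane.admin, the UPN jane.admin@example.internal and the working directory are assumptions made for the example; in a real deployment the enterprise CA issues the certificate and its CA certificate is what you upload under Trusted CA Certificates.

```shell
#!/bin/sh
# Added example, not from the Pexip guide. Requires the openssl CLI (1.1.1 or later).
# The CA, user name and domain are made up for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
UPN_OID="1.3.6.1.4.1.311.20.2.3"   # Microsoft userPrincipalName otherName type

# A throwaway CA standing in for the enterprise CA that issues administrator certificates.
make_test_ca() {
    base="$1"
    cat > "$base.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no

[ dn ]
CN = Example Admin CA
O = Example Org

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$base.key"
    openssl req -x509 -new -key "$base.key" -config "$base.cnf" -days 30 -out "$base.crt"
}

# Client-certificate extensions: clientAuth only, and the UPN as an otherName SAN.
write_client_ext() {
    upn="$1"; out="$2"
    cat > "$out" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:$UPN_OID;UTF8:$upn
EOF
}

# Issue a certificate whose subject CN and UPN SAN both hold the identity that must
# exist in the LDAP database.
issue_client_cert() {
    ca="$1"; cn="$2"; upn="$3"; base="$4"
    write_client_ext "$upn" "$base.ext"
    openssl ecparam -name prime256v1 -genkey -noout -out "$base.key"
    openssl req -new -key "$base.key" -subj "/CN=$cn/O=Example Org" -out "$base.csr"
    openssl x509 -req -in "$base.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
        -days 30 -extfile "$base.ext" -out "$base.crt" 2>/dev/null
}

# Identity as read for "Required (user identity in subject CN)".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Identity as read for "Required (user identity in subjectAltName userPrincipalName)".
# OpenSSL 1.1.1 prints the otherName as <unsupported> in -text output, so the SAN
# extension is located and decoded with asn1parse instead.
cert_upn() {
    der="$WORK/upn-$$.der"
    openssl x509 -in "$1" -outform DER -out "$der"
    off=$(openssl asn1parse -inform DER -in "$der" |
        awk '/X509v3 Subject Alternative Name/ {f=1; next}
             f && /OCTET STRING/ {sub(/:.*/, ""); gsub(/ /, ""); print; exit}')
    openssl asn1parse -inform DER -in "$der" -strparse "$off" | sed -n 's/.*UTF8STRING *://p'
}

# Chain and purpose check: the certificate must chain to a trusted CA and be valid
# for client authentication before any identity in it means anything.
verify_client_cert() {
    openssl verify -CAfile "$1.crt" -purpose sslclient "$2" >/dev/null 2>&1
}

run_demo() {
    make_test_ca "$WORK/ca"
    issue_client_cert "$WORK/ca" "jane.admin" "jane.admin@example.internal" "$WORK/jane"
    verify_client_cert "$WORK/ca" "$WORK/jane.crt" && echo "jane.crt chains to Example Admin CA"
    echo "CN identity:  $(cert_cn "$WORK/jane.crt")"
    echo "UPN identity: $(cert_upn "$WORK/jane.crt")"
}

run_demo
```

Whatever cert_cn or cert_upn returns is the exact string that must exist as an identity in the LDAP database for the corresponding Required option to admit the user; if the two differ (for example a short name in the CN and a full UPN in the SAN), the option you select decides which one is looked up.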
Administrators will not be able to access the Pexip Infinity Administrator interface or the management API if their browser does not present a valid certificate that contains a user identity which exists in the selected Authentication source.

Disable local authentication

Complete the authentication configuration by disabling the local authentication source:

1. Log in to the Pexip Infinity Administrator interface (via certificate-based authentication).
2. Go to Users > Administrator Authentication.
3. Set the Authentication source to LDAP database.
4. Save the settings.

All authentication is now performed against the LDAP server and no local account information is used. Note that the "SSH password" is never used, as SSH access is disabled.

Securing network services

DNS servers

Configure at least two DNS servers (System Configuration > DNS Servers).

NTP servers

Configure at least two NTP servers (System Configuration > NTP Servers). The configuration for each NTP server must include key authentication credentials, so that the nodes only accept time from servers that prove possession of the shared key; certificate validity checks and log timestamps depend on that time being trustworthy.

Remote syslog servers

Configure at least one remote syslog server (System Configuration > Syslog Servers).

SNMP

Configure the Management Node and each Conferencing Node to use secure SNMPv3:

1. Go to Platform Configuration > Management Node and click on the name of the Management Node.
2. Set SNMP mode to SNMPv3 read-only.
3. Configure the SNMPv3 credentials (SNMPv3 username, privacy password and authentication password) for this SNMP agent to match those used in requests from the SNMP management station.
4. Change the SNMP community to something other than "public".
5. Save the SNMP settings for the Management Node.
6. Apply the same configuration settings to each Conferencing Node (go to Platform Configuration > Conferencing Nodes and click on the name of each Conferencing Node in turn).

Secure SNMPv3 read-only mode uses SHA-1 authentication and AES 128-bit encryption.

Location DSCP tags and MTU

Configure DSCP tags for signaling and media, and set the MTU size for each location:

1. Go to Platform Configuration > Locations.
2. Select the first location.
3. Configure the DSCP tags. We recommend:
   - DSCP value for media is set to 51.
   - DSCP value for signaling is set to 40.
4. Configure the MTU. We recommend a value of 1400 bytes to account for the overhead associated with the encryption headers.
5. Save the settings.
6. Repeat for every other location.

Contingency deployment

We recommend that you maintain a secondary deployment that you can switch to in the event that your primary deployment fails or is compromised. This fallback system should mimic the primary installation with the following exceptions:

- In addition to supporting authentication and authorization via LDAP, in case connectivity to the LDAP server is down it should also maintain the local admin account and should not use certificate-based authentication:
  a. Go to Users > Administrator Authentication.
  b. Set Authentication source to LDAP database and local database.
  c. Set Require client certificate to Not required.
  d. Save the settings.
- It should be deployed without licensing.

After the fallback system has been configured, all VMs should be completely powered off and remain off until required. If the primary deployment is compromised and must be torn down, you should contact your Pexip authorized support representative to return the original license key and then re-activate the same license on the fallback system after it has been brought up.

Certificate signing requests (CSRs)

To acquire a server certificate from a Certificate Authority (CA), a certificate signing request (CSR) has to be created and submitted to the CA. You can generate a CSR from within Pexip Infinity, and then upload the returned certificate associated with that request.

You can create a new CSR for any given subject name / node, or if you have an existing certificate already installed on a Pexip Infinity node that you need to replace (for example if it is due to expire) you can create a CSR based on the existing certificate data. CSRs generated via Pexip Infinity always request client certificate and server certificate capabilities.

This topic covers:
- Requesting a certificate signing request (CSR) for an existing certificate / subject name
- Creating a new certificate signing request
- Uploading the signed certificate associated with a certificate signing request
- Troubleshooting
- Modifying a CSR

Requesting a certificate signing request (CSR) for an existing certificate / subject name

You can generate a certificate signing request (CSR) for an existing certificate / subject name, for example if your current certificate is soon due to expire and you want to replace it. Before generating the CSR you can change the certificate data to be included in the new request, such as adding extra subject alternative names (SANs) to those already present in the existing certificate.

To generate a CSR for an existing certificate / subject name:

1. Go to Platform Configuration > TLS Certificates.
2. Select the subject name of the certificate for which you want to generate a CSR. The certificate data is shown.
3. Go to the bottom of the page and select Create certificate signing request. You are taken to the Add Certificate signing request page, and the CSR data is defaulted to the contents of the certificate you selected.
4. If required you can change the certificate data, such as the subject alternative names (SANs) and subject fields. Note that you cannot change the private key: the CSR uses the same private key as the original certificate. If you are replacing the certificate because its private key may have been exposed, do not use this path; create a new CSR instead (see Creating a new certificate signing request) so that a fresh key is generated.
5. Select Save. The CSR is generated and you are taken to the Change Certificate signing request page.
6. Select Download. This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr. Note that the private key is not downloaded, or included within the CSR.
7. You can now submit this CSR file to your chosen CA for signing. The CA will then send you a signed certificate which you can upload into Pexip Infinity (see Uploading the signed certificate associated with a certificate signing request).

Note that you cannot generate a CSR for an existing temporary / self-signed certificate.

If the CSR generation fails with an "It was not possible to automatically create a certificate signing request from this certificate" message, then there was a problem with validating the original certificate data, most likely an invalid subject name or an invalid country code. In this case you will have to create the CSR manually.

Creating a new certificate signing request

To generate a CSR within Pexip Infinity:

1. Go to Utilities > Certificate Signing Requests.
2. Select Add Certificate signing request.
3. Complete the following fields:

   TLS Certificate: Create non-renewal CSR is selected by default. This lets you create a new CSR. To create a renewal CSR based on an existing certificate, choose a different subject name / issuer from the list (in which case the subject name and private key fields below are not displayed).

   Subject name: Select the name to be specified as the Common Name field of the requested certificate's subject. This is typically set to the FQDN of the node on which the certificate is to be installed. The available options are prepopulated with the FQDNs (hostname plus domain) of the Management Node and each currently deployed Conferencing Node. The list also includes any SIP TLS FQDN names of your Conferencing Nodes, if such names have been configured and are different from the node's FQDN. If you want to specify a custom Common Name instead, select User-provided custom Common Name.

   Custom subject name: Enter the name that you want to use as the Common Name field of the requested certificate's subject, if you have selected User-provided custom Common Name above.

Certificate signing requests (CSRs) Private key type Private key Private key passphrase Subject alternative names Additinal subject alternative names Select the type f private key t generate, r select Uplad user-prvided private key if yu want t prvide yur wn private key. Default: RSA (2048bit) Only applies if yu have selected Uplad user-prvided private key abve. Enter the PEM frmatted RSA r ECC private key t use when generating yur CSR. Yu can either paste the key int the input field r uplad the private key file frm yur lcal file system. Only applies if yu have selected Uplad user-prvided private key abve. If the private key is encrypted, yu must als supply the assciated passphrase. Select the subject alternative names (SANs) t be included in the CSR. This allws the certificate t be used t secure a server with multiple names (such as a different DNS name), r t secure multiple servers using the same certificate. Yu can chse frm the same list f names presented in the Subject name field. Nte that the name yu chse as the Cmmn Name is autmatically included in the generated CSR's list f SANs (even if yu remve it frm the Subject alternative names list shwn here). In sme deplyments it may be mre practical t generate single CSR in which all f yur Cnferencing Nde FQDNs are included in the list f SANs. This means that the same single server certificate returned by the CA can then be assigned t every Cnferencing Nde. When integrating with Micrsft Skype fr Business / Lync, SAN entries must be included fr every individual Cnferencing Nde in the public DMZ (public DMZ deplyments) r in the trusted applicatin pl (n-prem deplyments). Optinally, enter a cmma-separated list f additinal subject alternative names t include in the CSR. Fr example, when integrating with n-prem Skype fr Business / Lync deplyments yu wuld typically need t add the trusted applicatin pl FQDN. 
   Additional subject fields (if required you can enter the following additional CSR attributes; these are all blank by default):

   Organization name: The name of your organization.

   Department: The department within your organization.

   City: The city where your organization is located.

   State or Province: The state or province where your organization is located.

   Country: The 2 letter code of the country where your organization is located.

   Advanced (in most scenarios you should leave the advanced options at their default settings):

   Include Microsoft certificate template extension: Select this option to specify a (Microsoft-specific) certificate template in the CSR. This is needed when using the Certification Authority MMC snap-in to request a certificate from an enterprise CA. Selecting this option causes the 'WebServer' certificate template to be specified. Default: disabled.

   Include Common Name in Subject Alternative Names: Specifies whether to include the requested subject Common Name in the Subject Alternative Name field of the CSR. Default: enabled.

4. Select Save. You are taken to the Change Certificate signing request page.
5. Select Download. This downloads the CSR to your local file system, with a filename in the format <subject-name>.csr. Note that the private key is not downloaded, nor included within the CSR.

6. You can now submit this CSR file to your chosen CA for signing. The CA will then send you a signed certificate which you can upload into Pexip Infinity (see below).

Uploading the signed certificate associated with a certificate signing request

When the Certificate Authority sends you a signed certificate in response to your CSR, you can upload that certificate into Pexip Infinity and assign it to one or more of your nodes. Make sure that you upload it via the Certificate Signing Requests page as this ensures that it is linked with the private key associated with your original CSR.

To upload the signed certificate:

1. Go to Utilities > Certificate Signing Requests.
2. Select the original CSR that is associated with the signed certificate. You are taken to the Change Certificate signing request page.
3. In the Certificate field either paste the PEM-formatted certificate into the input field or upload the certificate file from your local file system. The certificate file that you have obtained from the Certificate Authority typically has a .crt or .pem extension. Do not upload your certificate signing request (.CSR file).
4. Select Complete. Provided it is a valid certificate and is based on the original CSR:
   - the certificate is uploaded and automatically linked with the private key associated with your original CSR.
   - if you are uploading a replacement certificate (same subject name and private key) it will replace the existing certificate and maintain any existing node assignments.
   - the original CSR is deleted.
   - you are taken to the Change TLS Certificate page.
5. You can now assign that certificate to the Management Node or one or more Conferencing Nodes as required:
   a. From within the Change TLS Certificate page go to the Nodes field and, from the Available Nodes list, select the nodes to which you want to assign the certificate and move them into the Chosen Nodes list.
   b. Go to the bottom of the page and select Save.

Troubleshooting

This section describes some of the error messages you may see when attempting to upload a signed certificate.
Error message: Certificate and private key do not appear to be part of the same key pair
Possible cause: This most likely means that you have tried to upload the certificate against the wrong CSR.
Resolution: Select the correct CSR and try again.

Modifying a CSR

After a CSR has been created it cannot be modified; the only available actions are to download it (for sending to a CA), or to apply the returned, signed certificate that is associated with that request. If you need to change the content of a CSR, you should delete the original CSR and create a new CSR with the correct content. Note that a CSR is automatically deleted when the resulting signed certificate is uploaded.
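The following is an added example and not Pexip's own code or API. It covers two points from this section with the openssl command line: building a CSR manually with the same fields the form asks for (Common Name, SANs with the CN always included, organization attributes, a 2048-bit RSA key), which is the fallback when the automatic CSR generation fails, and checking a returned certificate against the private key before uploading it, which is the condition behind the "Certificate and private key do not appear to be part of the same key pair" error. Every hostname, organization value and the throwaway "Test CA" that stands in for your real CA is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not Pexip's own code or API: reproduce the CSR form's fields
# with the openssl CLI and check a CA's reply against the private key before
# uploading it. Hostnames, organisation values and the throwaway "Test CA"
# (which stands in for your real CA) are all constructed placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# write_req_cnf FILE CN SAN_LIST: openssl request config with the same subject
# fields as the form (CN, Organization, Department, City, State, Country).
write_req_cnf() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $2
O = Example Org
OU = Video Team
L = Oslo
ST = Oslo
C = NO
[ext]
subjectAltName = $3
EOF
}

# make_csr NAME CN SANS: 2048-bit RSA key (the form's default key type) plus a
# CSR whose SAN list always starts with the CN, mirroring the default
# "Include Common Name in Subject Alternative Names" setting. SANS is the
# comma-separated list of node FQDNs to cover with this one certificate.
make_csr() {
    name=$1 cn=$2 sans=$3
    san_list="DNS:$cn"
    old_ifs=$IFS; IFS=,
    for s in $sans; do
        [ "$s" = "$cn" ] || san_list="$san_list,DNS:$s"
    done
    IFS=$old_ifs
    write_req_cnf "$WORKDIR/$name.cnf" "$cn" "$san_list"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$name.key" 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -config "$WORKDIR/$name.cnf" \
        -out "$WORKDIR/$name.csr"
}

# csr_sans NAME: the SAN entries recorded in the CSR, e.g. "DNS:a,DNS:b".
csr_sans() {
    openssl req -in "$WORKDIR/$1.csr" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# sign_with_test_ca NAME: stand-in for the real CA. A throwaway CA key signs
# the CSR so the returned certificate has a different issuer, as a real reply would.
sign_with_test_ca() {
    if [ ! -f "$WORKDIR/ca.key" ]; then
        write_req_cnf "$WORKDIR/ca.cnf" "Test CA" "DNS:ca.example.invalid"
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORKDIR/ca.key" 2>/dev/null
        openssl req -x509 -new -key "$WORKDIR/ca.key" -config "$WORKDIR/ca.cnf" \
            -days 1 -out "$WORKDIR/ca.crt"
    fi
    openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 1 \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

# key_matches_cert KEYNAME CERTNAME: succeeds only if the certificate carries
# the public key derived from KEYNAME.key. Comparing public keys (not RSA
# moduli) works for both RSA and ECC keys. A mismatch is the condition behind
# "Certificate and private key do not appear to be part of the same key pair".
key_matches_cert() {
    key_pub=$(openssl pkey -in "$WORKDIR/$1.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$WORKDIR/$2.crt" -noout -pubkey | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Walk-through: node1's CSR lists both node FQDNs as SANs (one certificate for
# every node); node2 has its own CSR. Checking node1's certificate against
# node2's key reproduces the "wrong CSR" mistake from the troubleshooting table.
make_csr node1 conf1.example.com conf1.example.com,conf2.example.com
make_csr node2 conf2.example.com conf2.example.com
echo "node1 CSR SANs: $(csr_sans node1)"
sign_with_test_ca node1
key_matches_cert node1 node1 && echo "node1.crt vs node1.key: same key pair"
key_matches_cert node2 node1 || echo "node1.crt vs node2.key: NOT the same key pair (wrong CSR)"
```

Keep the generated .key file safe: the Pexip form retains the private key internally and excludes it from the downloaded CSR, whereas a manually generated CSR leaves you responsible for the key that must accompany the returned certificate. Running key_matches_cert on the CA's reply before uploading it tells you in advance whether you have picked the right CSR.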