
January 2013 | 3725-38201-001A1

Deploying Polycom® Unified Communications in an Acme Packet® Environment


© 2012-2013 Polycom, Inc. All rights reserved.

Polycom, Inc. 6001 America Center Drive San Jose CA 95002 USA

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc. Under the law, reproducing includes translating into another language or format.

As between the parties, Polycom, Inc., retains title to and ownership of all proprietary rights with respect to the software contained within its products. The software is protected by United States copyright laws and international treaty provision. Therefore, you must treat the software like any other copyrighted material (e.g., a book or sound recording).

Every effort has been made to ensure that the information in this manual is accurate. Polycom, Inc., is not responsible for printing or clerical errors. Information in this document is subject to change without notice.


Trademark Information

POLYCOM® and the names and marks associated with Polycom's products are trademarks and/or service marks of Polycom, Inc., and are registered and/or common law marks in the United States and various other countries.

All other trademarks are the property of their respective owners.

Patent Information

The accompanying product may be protected by one or more U.S. and foreign patents and/or pending patent applications held by Polycom, Inc.


About This Guide

This guide includes requirements for Polycom and Acme Packet® Net-Net Enterprise Session Director (ESD) interoperability. It describes how to enable Polycom products for firewall traversal when using the Acme Packet Net-Net ESD in a corporate SIP environment. It also describes how remote clients are provisioned and managed within the Acme Packet Net-Net ESD environment.

This guide describes deploying a full Polycom video conferencing solution with the DMA system as the video call control unit and an Acme Packet system as the session border controller (SBC). If you use Broadsoft Broadworks for call control together with the Acme Packet SBC, see the Polycom® Unified Communications Deployment Guide for BroadSoft® BroadWorks® Environments.

If you use another Polycom strategic partner's product for video call control, such as Avaya® Aura® or Siemens Enterprise Communications® OpenScape®, see the Polycom deployment guides for your specific environment.

Related Documentation

Please refer to the product documentation for the appropriate Polycom product for detailed documentation. You can find Polycom product documentation online at http://support.polycom.com.

For detailed information about Acme Packet Net-Net ESD, refer to Acme Packet documentation online at https://support.acmepacket.com/documentation.asp.

Required Skills

Integrating Polycom infrastructure and endpoint systems with the Acme Packet Net-Net ESD requires planning and elementary knowledge of Polycom video conferencing and video conferencing administration.


Polycom assumes the readers of this guide have a basic understanding of SIP, Acme Packet and Polycom device concepts. Users should also be comfortable with navigating and configuring Acme Packet Net-Net ESD.

Users should have knowledge of Microsoft® Windows Exchange Server 2010.

Polycom Solution and Support Services

Polycom Implementation and Maintenance services provide support for Polycom solution components only. For Acme Packet Net-Net ESD issues, contact your Acme Packet support representative.

Please see http://www.polycom.com/services/professional_services/index.html or contact your local Polycom representative for more information.

Contents

Related Documentation
Required Skills
Polycom Solution and Support Services

1 Getting Started with the Polycom—Acme Packet® Net-Net Enterprise Session Director Solution
  Overview of the Polycom — Acme Packet Solution
  Polycom — Acme Packet Solution Deployment Models
    Deploying the Acme Packet Net-Net ESD Parallel to the Firewall
    Deploying the Acme Packet Net-Net ESD in the DMZ
  Supported Use Cases
    Connecting Remote Users to the Enterprise
    Connecting Guest Users to the Enterprise
      Guest User Dial String Formats
    Connecting Trusted Divisions or Enterprises
  Considerations
    Products Used to Test This Solution

2 Deploying the Polycom—Acme Packet Solution to Support Remote and Guest Users
  Configure DNS Service (Optional)
  Configure Firewalls and Ports
    External Firewall Configuration
    Internal Firewall Configuration
  Install and Configure the Acme Packet Net-Net ESD
    Install the Acme Packet Net-Net ESD
    Configure the Acme Packet Net-Net ESD
  Configure the RealPresence Resource Manager System
    Configure Enterprise Directory Server Integration
    Add a Site to Provision the Acme Packet Net-Net ESD System
    Add the Acme Packet Net-Net ESD to the Network Device List
    Add a Provisioning User Account for Endpoints
  Configure Certificates
    Install a Root Certificate on the RealPresence Resource Manager system
    Install a Certificate for the FQDN on the RealPresence Resource Manager system
    Install a Root Certificate on the Polycom endpoint systems
  Configure the Polycom DMA System
    Enable SIP Signaling
    Add Ports, Prefixes, and Dial Rules for Guest Users
    Enable Device Authentication
    Integrate the DMA and RealPresence Resource Manager systems
  Configure Polycom Endpoint Systems
    Configure Polycom HDX Series Endpoints
    Configure Polycom RealPresence Mobile endpoints for certificate verification
    Professional Mode Sign-In
  Configure the Polycom RMX® System
    Configure RMX system for Content and FECC support
    Configure RMX system for RealPresence Mobile support
  Configure the Polycom RSS™ System

3 Federation in a SIP Environment
  Configure the Acme Packet Net-Net ESD for Federation

A Optional DNS Configuration
  Create a DNS A record on the external DNS server
  Create DNS SRV records on the external DNS server
  Set up a split DNS configuration
  Create DNS A records on the internal DNS server
  Create DNS SRV records on the internal DNS server
  Validate DNS settings on the external DNS server
  Validate DNS settings on the internal DNS server

1 Getting Started with the Polycom—Acme Packet® Net-Net Enterprise Session Director Solution

In this solution, Polycom’s integrated suite of video conferencing systems integrates with the Acme Packet® Net-Net Enterprise Session Director (ESD) which:

• Secures the borders to the enterprise IP network, the private VPN, and the Internet.

• Enables high-quality and secure unified communications between divisions or enterprises, remote users, and guest users.

The topics that follow describe the Polycom secure firewall solution that includes the Acme Packet Net-Net ESD as the session border controller (SBC) for the enterprise IP network.

Overview of the Polycom — Acme Packet Solution

The Polycom video infrastructure integrates with the Acme Packet Net-Net ESD to provide video conferencing management for remote, guest, and federated endpoint users with secure firewall traversal for all the required connections. The following table describes the network traversal feature services this solution secures.

Component | Description
HTTPS Access Proxy | Enables guest and remote users via designated video endpoints to make HTTPS connections to the Acme Packet Net-Net ESD system that are then proxied to the internal RealPresence Resource Manager system.
XMPP Access Proxy | Enables XMPP signaling from remote users via designated video endpoints to traverse the firewall to the internal XMPP server, as well as the sending of outgoing XMPP signaling to other remote endpoints.
LDAP Access Proxy | Enables guest and remote users via designated video endpoints to make LDAP connections to the Acme Packet Net-Net ESD system that are then proxied to the internal LDAP server.
SIP Signaling | Enables the following: SIP signaling from remote users via designated video endpoints to traverse the firewall to the internal SIP server; sending of outgoing SIP signaling to remote endpoints; modification of SIP signaling to direct media through the media relay when required.
Media Relay | Enables media from guest and remote users residing in external federated organizations to traverse the firewall. The media relay functions as an SBC-based relay.

Polycom — Acme Packet Solution Deployment Models

To implement this solution, the high-level video network must be set up as shown in the following deployment architecture.

Also, two enterprises that implement this deployment architecture can federate to each other with all of the functionality enabled by this solution as illustrated in the following diagram.

Note that there are two supported deployment models for the Acme Packet Net-Net ESD within this solution.

• “Deploying the Acme Packet Net-Net ESD Parallel to the Firewall” on page 4

• “Deploying the Acme Packet Net-Net ESD in the DMZ” on page 4

A discussion of these two models follows, but in general, Polycom recommends that the Acme Net-Net ESD system be deployed between an outside (also referred to as public or external) firewall and inside (also referred to as private or internal) firewall. In this implementation:

• The outside or public firewall, which resides between the WAN (Untrust) and the Acme Net-Net ESD system in the DMZ, must be in Destination NAT mode. In this mode:

— When inbound packets from the WAN pass through the firewall, it translates the destination IP address to that of the Acme Net-Net ESD system.

— When outbound packets from the enterprise network pass through the firewall, it translates the source IP address to the public IP address of the firewall system.

— A static and direct 1:1 NAT mapping is recommended for the outside firewall.

• The inside firewall, which resides between the Acme Packet Net-Net ESD system in the DMZ and the LAN (Trust), must be in Route mode. In this mode, the firewall does not change the destination or source IP address, so no translation is required or supported.


This approach takes advantage of the firewall’s security functionality. However, because all media and signaling traffic flows through the firewall, performance can be affected.

Deploying the Acme Packet Net-Net ESD Parallel to the Firewall

In this first—and recommended—deployment model, the Acme Packet Net-Net ESD is deployed parallel to the corporate firewall as shown in the following illustration.

The advantage of this deployment model: it avoids open port mismatches between the Acme Packet Net-Net ESD and the firewall.

Deploying the Acme Packet Net-Net ESD in the DMZ

In the second deployment model, the Acme Packet Net-Net ESD is deployed in the DMZ as shown in the following illustration.


When deploying the Acme Packet ESD in a DMZ, the Acme Packet system runs behind the firewall. The advantage of this approach: the security functionality in the corporate firewall can be used. The disadvantage of this approach: all traffic (media and signaling) flows through the corporate firewall, which can affect performance.

Supported Use Cases

This Polycom solution supports the following use cases when in an Acme Packet Net-Net ESD environment.

• “Connecting Remote Users to the Enterprise” on page 5

• “Connecting Guest Users to the Enterprise” on page 5

• “Connecting Trusted Divisions or Enterprises” on page 7

This Polycom solution does allow these use cases to occur within the same call.

Connecting Remote Users to the Enterprise

A remote user is an enterprise user with a managed SIP or H.323 endpoint that lies outside of the enterprise network. In this use case:

• Remote users can participate in video calls with other enterprise users as if they were inside the enterprise network.

• Remote users can also receive calls as if they were inside the network.

• Remote users can also receive management services including endpoint provisioning, user directory, and XMPP contact list and presence services, as well as SIP calling, calendaring, and scheduling services.

The standard solution deployment as described in “Deploying the Polycom—Acme Packet Solution to Support Remote and Guest Users” on page 9 supports this user scenario.

Connecting Guest Users to the Enterprise

A guest user is a non-enterprise user with a non-managed SIP or H.323 endpoint that lies outside of the enterprise network.

In this use case:

• Guest users can participate in video calls with enterprise users without being members of the enterprise. Users will have people video, content video, and audio capabilities.

• Enterprise users cannot place video calls out to guest users. This is because until guest users initiate the video call, calls cannot be routed to them by the gatekeeper (H.323 endpoints) or SIP Proxy (SIP endpoints).


• Guest users do not have access to any management services such as endpoint provisioning, user directory, XMPP contact list and presence services, or SIP calling, calendaring, and scheduling services.

In this user scenario, the enterprise must carefully manage dial plan routes (via the DMA system) to guard against toll fraud.

The standard solution deployment as described in “Deploying the Polycom—Acme Packet Solution to Support Remote and Guest Users” on page 9 supports this user scenario.

Guest User Dial String Formats

Guests must use specific dial string formats when placing calls to video meeting rooms and SIP endpoints inside the enterprise network.

• Guest users must use the following format to place a call to a Virtual Meeting Room (VMR) already configured within your enterprise DMA system:

<extension>@<domain>

<extension>@<ip address:port>

Where ip address is the IP Address of the Acme Packet Net-Net ESD, extension is the VMR number and domain is the FQDN or IP address of the external interface of the Acme Packet. If port is not specified, use 5060 or 5061, as appropriate.

• Guest users must use the following format to place a call to a SIP endpoint inside your enterprise:

<name>@<domain>

<name>@<ip address:port>

Where ip address is the IP Address of the Acme Packet Net-Net ESD, name is the SIP user name of the internal SIP endpoint and domain is your enterprise domain. No directory or XMPP services are available to guest users. If port is not specified, use 5060 or 5061 as appropriate.

Use port 5060 for SIP over unencrypted UDP/TCP. Use port 5061 for encrypted SIP over TLS.
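The dial string formats above can be checked mechanically before a guest call is handed to a dial rule, which is one way to support the toll-fraud guidance. The following Python code is an added example, not part of the Polycom guide or any Polycom or Acme Packet product: the host names and addresses, the VMR range 7000-7999, the allowed user-name characters, and the default of 5061 when no port is given are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Ports from the guide: 5060 = SIP over unencrypted UDP/TCP, 5061 = SIP over TLS.
SIP_PORTS = {5060: "UDP/TCP (unencrypted)", 5061: "TLS (encrypted)"}

# Assumptions for illustration (not from the guide):
VMR_PATTERN = re.compile(r"7[0-9]{3}")                      # VMR numbers 7000-7999
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,63}")  # SIP user names
NUMERIC = re.compile(r"\+?[0-9]+")                          # phone-number-like targets

# Constructed sample values: SBC external FQDN and IP, and the enterprise domain.
SBC_HOSTS = {"video.example.com", "example.com", "203.0.113.10"}


@dataclass(frozen=True)
class GuestDial:
    kind: str        # "vmr" or "endpoint"
    user: str
    host: str
    port: int
    transport: str


def parse_guest_dial(dial, sbc_hosts=SBC_HOSTS, default_port=5061):
    """Parse <user>@<domain> or <user>@<ip address:port>; raise ValueError if refused."""
    if dial.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    user, target = dial.split("@")
    host, sep, port_text = target.partition(":")
    if sep:
        if not re.fullmatch(r"[0-9]{1,5}", port_text):
            raise ValueError("port is not a number")
        port = int(port_text)
    else:
        port = default_port
    if port not in SIP_PORTS:
        raise ValueError("port %d is not a SIP port named in the guide" % port)
    host = host.lower()
    if host not in sbc_hosts:
        raise ValueError("host is not the SBC external interface or enterprise domain")
    if NUMERIC.fullmatch(user):
        # Numeric targets are only valid as VMR extensions; anything else
        # (for example a PSTN-style number) is refused rather than routed.
        if not VMR_PATTERN.fullmatch(user):
            raise ValueError("numeric target is not a configured VMR")
        kind = "vmr"
    elif NAME_PATTERN.fullmatch(user):
        kind = "endpoint"
    else:
        raise ValueError("user part has unexpected characters")
    return GuestDial(kind, user, host, port, SIP_PORTS[port])


def screen(dials):
    """Split a list of dial strings into accepted GuestDial objects and refusals."""
    accepted, rejected = [], []
    for dial in dials:
        try:
            accepted.append(parse_guest_dial(dial))
        except ValueError as exc:
            rejected.append((dial, str(exc)))
    return accepted, rejected


# Constructed sample dial strings.
SAMPLES = [
    "7001@video.example.com",          # VMR by FQDN, default port
    "7001@203.0.113.10:5060",          # VMR by SBC IP, unencrypted SIP
    "alice.smith@example.com:5061",    # internal SIP endpoint over TLS
    "0015551234567@203.0.113.10",      # numeric but not a VMR
    "7001@198.51.100.7",               # not an SBC address
    "7001@203.0.113.10:22",            # not a SIP port
]

if __name__ == "__main__":
    ok, bad = screen(SAMPLES)
    for item in ok:
        print("ACCEPT", item)
    for dial, reason in bad:
        print("REFUSE", dial, "-", reason)
```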

Connecting Trusted Divisions or Enterprises

Enterprise users from one division or enterprise can call enterprise users from another division or enterprise when:

• Both enterprise users have supported and managed SIP or H.323 endpoints.

• The divisions or enterprises are connected by a mutually trusted connection. For SIP systems, this trust relationship is a SIP trunk between their SBCs.

In this use case:

• Each user will have access to their enterprise's provisioning services, directory services, contact lists and presence services, and calling services.

• The divisions or enterprises can have an established dial plan with prefix and suffix dial string edits.

Considerations

When deploying these solutions, you must decide whether or not to enable encryption and whether or not to enable device authentication.

• Polycom recommends enabling encryption. If you enable encryption, additional setup is required. Both encryption options are documented in this guide.

• Enabling device authentication is optional. If you enable device authentication, guest user call flows are not supported. Guest users will be challenged for credentials they don't have, so their calls will fail.

Products Used to Test This Solution

The following products are supported in this RealPresence Access Director system solution.

Polycom Product | Version | Function in Solution
Acme Packet Net-Net ESD | 6.3 | Testing was carried out specifically with the Acme Packet Net-Net ESD-3820 platform running S-Cx6.3.0M2P4 software. Other Acme Packet E-SBCs such as Net-Net ESD-4500, Net-Net ESD-SE and Net-Net ESD-VME also run the same line of C-series software. These other products can also be used in this Polycom RealPresence solution.
Polycom Distributed Media Application™ (DMA™) 7000 | 5.1 | Provides SIP proxy/registrar, H.323 gatekeeper, SIP and H.323 gateway, and bridge virtualization services.
Polycom RealPresence Resource Manager | 7.1 | Provisions and manages remote endpoints, and enables directory and presence services.
Polycom RSS™ 4000 | 8.5 | Provides recording capabilities for video, audio, and content.
Polycom RealPresence Collaboration Server (RMX® 2000 or RMX® 4000) Conferencing Platform | 7.8 | Provides bridge capability for SIP and H.323 conferences, including support for content over video.
Polycom RealPresence Mobile | 2.0 | Serves as client application for supported Apple® devices.

2 Deploying the Polycom—Acme Packet Solution to Support Remote and Guest Users

The general configuration processes required for this Polycom-Acme Packet solution deployment to support remote or guest users are described in this chapter. The chapters that follow then describe additional configuration processes required for the specific deployment models.

Configure DNS Service (Optional)

If your network has a domain name system (DNS) implemented to resolve fully qualified domain names as well as IP addresses, see Appendix A for information about creating DNS records for the systems involved in this solution.

Configure Firewalls and Ports

Follow these guidelines for configuring your firewalls.

• If you’re not familiar with firewall concepts and administration and your enterprise’s firewall implementation, please consult with someone who is.

• For greater security, Polycom recommends that you disable SSH and Web access connectivity from the Internet, and enable SSH and Web access connectivity from the LAN.


Task 1 External Firewall Configuration

• Implement a WAN (untrusted) and LAN (trusted) configuration

• Configure 1:1 NAT

• Set interface mode to NAT

• Disable H.323 and SIP ALG

• Disable any H.323 helper services on the firewall (for example, Cisco® H323 Fixup).

Task 2 Internal Firewall Configuration

• Implement a WAN (untrusted) and LAN (trusted) configuration

• Disable H.323 and SIP ALG

• Set interface mode to Route

• Disable the port NAT.

• Disable any H.323 helper services on the firewall (for example, Cisco® H323 Fixup).

Install and Configure the Acme Packet Net-Net ESD

Task 1 Install the Acme Packet Net-Net ESD

Install the Acme Packet Net-Net ESD as the SBC parallel to or in the DMZ of the corporate firewall. See the product documentation at https://support.acmepacket.com/documentation.asp for installation instructions.

Task 2 Configure the Acme Packet Net-Net ESD

Configure the Acme Packet Net-Net ESD to conform with standard access, peering, and static-flow configurations as documented in the Acme Packet application note Polycom UC Wave 7 with Acme Packet Net-Net C series Session Director. Within that framework:

1 When configuring the outside SIP interfaces used for access

a Enable route-to-registrar.

b Set register-keep-alive to always.

A valid login username and password is required to access documentation on the Acme Packet support website.


2 Access the media-level configuration elements (ACME PACKET# > media-manager) and enable hnt-rtcp.

3 Configure the SBC signaling component to accept SIP sessions through UDP, TCP or TLS as required.

4 Configure a session-agent for the DMA system.

5 Configure the static flow to forward connections to the internal presence, directory and provisioning servers. Use the following port numbers:

6 When deploying the Acme Packet Net-Net ESD within the DMZ, set the 1:1 NAT mappings in your corporate firewall to map to the Acme Packet Net-Net ESD components.

7 When remote access of the management interface is required, configure host-routes on the Acme Packet Net-Net ESD.

8 Configure the firewalls adjacent to the Acme Packet Net-Net ESD signaling interface to allow the following:

TCP: 5060, 5061, 443, 389, 5222

UDP: 5060 and all ports configured in the Acme Packet “steering pool” element.
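One way to check an exported firewall rule set against the port list in step 8 and the earlier recommendation to keep SSH and Web access closed to the Internet. This Python code is an added example, not Polycom or Acme Packet code: the rule tuple format, the zone and destination labels, the steering pool range 20000-20099, and the management ports 22, 80 and 443 are assumptions made for illustration.

```python
# Ports the guide says to allow toward the SBC signaling interface (step 8).
REQUIRED_TCP = {5060, 5061, 443, 389, 5222}
REQUIRED_UDP = {5060}

# Assumptions (not from the guide): the UDP range configured in the
# "steering pool" element, and the ports used for SSH/Web management.
STEERING_POOL = range(20000, 20100)
MGMT_PORTS = {22, 80, 443}


def collapse(ports):
    """Turn a set of ports into sorted (first, last) ranges for reporting."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out


def audit(rules, steering_pool=STEERING_POOL):
    """Return findings for rules given as
    (src_zone, dst, proto, first_port, last_port, action) tuples.

    Findings, in order of discovery:
      ("not-in-guide", proto, ranges)  WAN ports open to signaling beyond step 8
      ("mgmt-exposed", "tcp", ranges)  SSH/Web management reachable from the WAN
      ("missing", proto, ranges)       step 8 ports that no rule allows
    """
    allowed = {
        "tcp": set(REQUIRED_TCP),
        "udp": set(REQUIRED_UDP) | set(steering_pool),
    }
    opened = {"tcp": set(), "udp": set()}
    findings = []
    for src, dst, proto, first, last, action in rules:
        if action != "allow" or src != "wan":
            continue  # only Internet-facing allow rules matter here
        ports = set(range(first, last + 1))
        if dst == "sbc-mgmt":
            hit = ports & MGMT_PORTS
            if proto == "tcp" and hit:
                findings.append(("mgmt-exposed", "tcp", collapse(hit)))
        elif dst == "sbc-signaling":
            opened[proto] |= ports
            extra = ports - allowed[proto]
            if extra:
                findings.append(("not-in-guide", proto, collapse(extra)))
    for proto in ("tcp", "udp"):
        missing = allowed[proto] - opened[proto]
        if missing:
            findings.append(("missing", proto, collapse(missing)))
    return findings


# Constructed sample rule set: LDAP (389) was forgotten, the UDP media range
# is twice as wide as the steering pool, and SSH is reachable from the WAN.
SAMPLE_RULES = [
    ("wan", "sbc-signaling", "tcp", 5060, 5061, "allow"),
    ("wan", "sbc-signaling", "tcp", 443, 443, "allow"),
    ("wan", "sbc-signaling", "tcp", 5222, 5222, "allow"),
    ("wan", "sbc-signaling", "udp", 5060, 5060, "allow"),
    ("wan", "sbc-signaling", "udp", 20000, 20199, "allow"),
    ("wan", "sbc-mgmt", "tcp", 22, 22, "allow"),
    ("lan", "sbc-mgmt", "tcp", 22, 22, "allow"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```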

Port numbers for the static flow configured in step 5:

Acme Packet Net-Net ESD Component | Port number
Presence Server (XMPP) | 5222
Directory Server (LDAP) | 389
Provisioning Server (HTTP) | 443

Configure the RealPresence Resource Manager System

The following tasks describe the configuration steps to perform on the RealPresence Resource Manager system to enable RealPresence Access Director system integration and provisioning. They include:

• Configure Enterprise Directory Server Integration

• Add a Site to Provision the Acme Packet Net-Net ESD System

• Add the Acme Packet Net-Net ESD to the Network Device List

• Add a Provisioning User Account for Endpoints

It is assumed here that the RealPresence Resource Manager system is already installed and configured in standard security mode.

Task 1 Configure Enterprise Directory Server Integration

To integrate the RealPresence Resource Manager system with an enterprise directory server:

>> See the Polycom RealPresence Resource Manager System Operations Guide for detailed information about AD integration. Then go to Admin > Directories > Enterprise Directory and perform the integration.

Task 2 Add a Site to Provision the Acme Packet Net-Net ESD System

The Acme Packet Net-Net ESD system secures a specific network segment or subnet. To accurately characterize and represent that network segment, you must create a site on the RealPresence Resource Manager system that is enabled for and can be provisioned to the Acme Packet Net-Net ESD system. Your remote users will be managed through this site.

To add a site to the RealPresence Resource Manager system

1 See the Polycom RealPresence Resource Manager System Operations Guide for detailed information about adding a site. Then go to Admin > Topology > Sites and add a site.

2 On the General Info tab of the Add Site dialog box, enter a Site Name and Description for the site. Complete the other fields of the tab as required.

3 Go to the Subnets tab and add a subnet and mask for the Acme Packet Net-Net ESD. Enter its internal signaling IP address in the IP address field along with its subnet Mask (255.255.255.255).

4 Complete the other tabs and fields of the Add Site dialog box as required and finish adding the site.

The site is added to the system, and the Add/Edit Site Provisioning Details dialog box appears.

5 On the Directory Setting tab of the Add/Edit Site Provisioning Details dialog box, enter the Acme Packet Net-Net ESD system’s public IP address as Directory Server. Complete the other fields of the tab as required.

6 On the Presence Settings tab, enter the Acme Packet Net-Net ESD system’s public IP address as Presence Server. Complete the other fields of the tab as required.

7 To enable SIP service on Acme Packet Net-Net ESD systems, on the SIP Settings tab:

a Select Enable SIP and in the Proxy Server and Registrar Server fields, enter the Acme Packet Net-Net ESD system’s public signaling IP address.


b Set the Transport Protocol to TLS (Port 5061) and the SIP Server Type to Polycom.

8 Complete the other fields of the dialog box as required.

Task 3 Add the Acme Packet Net-Net ESD to the Network Device List

To add an Acme Packet Net-Net ESD system:

1 See the Polycom RealPresence Resource Manager System Operations Guide for detailed information about adding an SBC. Then go to Network Device > SBC and click Add.

In the Add SBC dialog box, enter values for the following fields:

Setting | Description
Name | A unique name to identify the Acme Packet Net-Net ESD.
Provider-side IP | The private network IP address for the Acme Packet Net-Net ESD device.
Subscriber-side IP | The public network IP address for the Acme Packet Net-Net ESD device.

2 Click Add.

The Acme Packet Net-Net ESD system appears in the Network Device list.

Task 4 Add a Provisioning User Account for Endpoints

To provision endpoint systems through the firewall, the RealPresence Resource Manager system must have a user account dedicated for this purpose. This user account is the username and password that you must enter on the endpoint system to enable the integration and provisioning capability.

IMPORTANT

If you plan to enable Device Authentication on the DMA system as recommended, clear Use Endpoint Provisioning Credentials and enter the Common SIP User Name and Common SIP Password, which are in the authentication list configured on the DMA system. For more information, refer to “Enable Device Authentication” on page 16.

To add a user account to the RealPresence Resource Manager system for an endpoint

1 See the Polycom RealPresence Resource Manager System Operations Guide for detailed information about adding a user account. Then go to User > Users > Add.

2 On the General Info tab of the Add New User dialog box, enter the minimum required information, as indicated by an asterisk and then click OK.

3 On the Dial String Reservations tab, enter the SIP URI for the endpoint and then click OK.

Configure Certificates

To enable automatic provisioning, certificates must be properly configured.

All certificates described in this section must come from the same Certificate Authority (CA).

Task 1 Install a Root Certificate on the RealPresence Resource Manager system

Install a root certificate on the RealPresence Resource Manager system.

Task 2 Install a Certificate for the FQDN on the RealPresence Resource Manager system

Install a certificate assigned to the FQDN on the RealPresence Resource Manager system. The system must have a certificate installed that is assigned to its FQDN; for example, Access5.customerdomain.com.

Task 3 Install a Root Certificate on the Polycom endpoint systems

Install a root certificate on all the Polycom endpoints using provisioning.

If you’re not familiar with certificate administration and management and your enterprise’s specific certificate requirements, please consult with someone who is.

Configure the Polycom DMA System

Once the RealPresence Resource Manager system has been configured, configure the Polycom DMA system.

The following sections describe the tasks to be performed. They include:

• Enable SIP Signaling

• Add Ports, Prefixes, and Dial Rules for Guest Users

• Enable Device Authentication

• Integrate the DMA and RealPresence Resource Manager systems

See the Polycom DMA System Operations Guide for detailed information about each of these tasks. But also read the following sections for specific information as it relates to this solution.

Task 1 Enable SIP Signaling

To enable SIP signaling on the DMA system:

1 See the Polycom DMA System Operations Guide for detailed information about enabling SIP device authentication. Then go to Admin > Local Cluster > Signaling Settings and in the SIP Settings section, select Enable SIP signaling.

2 If the system’s security settings permit un-encrypted SIP connections, optionally set the Unencrypted SIP port to TCP or UDP/TCP.

You must have the administrator role to change security settings. Leave the default port numbers (5060 for TCP/UDP, 5061 for TLS) unless you have a good reason for changing them.

3 As needed, select Enable authentication. Then, to add the device’s authentication credentials to the list of device credential entries that the call server checks, go on to “Enable Device Authentication.”

Task 2 Add Ports, Prefixes, and Dial Rules for Guest Users

To support guest users:

1 See the Polycom DMA System Operations Guide for detailed information about enabling SIP device authentication. Then go to Admin > Local Cluster > Signaling Settings.

2 In the SIP Settings section, add an unauthorized port (Unauthorized ports > Add).

3 Add a guest dial rule prefix (Unauthorized prefixes > Add) and configure the required information.

4 Go to Admin > Call Server > Dial Rules and add three dial rules to handle the incoming unauthorized guest calls, one for each type of call resolution:

— Resolve to external SIP peer

— Resolve to conference room ID

— Resolve to virtual entry queue

5 Go to Admin > Call Server > Domains and add a domain to the domain list for the host specified for guest port configuration.

Task 3 Enable Device Authentication

Device authentication enhances security by requiring devices registering with or calling through the DMA system to provide credentials that the system can authenticate. In turn, the DMA system may need to authenticate itself to an external SIP peer or neighbored gatekeeper.

All authentication configurations are supercluster-wide, but note that the default realm for SIP device authentication is the cluster’s FQDN, enabling each cluster in a supercluster to have its own realm for challenges.

Enabling device authentication is optional. If you enable device authentication, guest user call flows are not supported.

To enable authentication for ALL internal and external endpoints:

1 See the Polycom DMA System Operations Guide for detailed information about enabling SIP device authentication. Then go to Admin > Call Server > Device Authentication and click Add.

2 Enter the user Name, Password, and Confirm Password credentials for the device and click OK.

IMPORTANT

If Device Authentication is enabled on the DMA system, make sure to clear Use Endpoint Provisioning Credentials on the RealPresence Resource Manager system (see step 7 on page 12).

• The name and password for a device are whatever values the user who configured the device specified. They don't uniquely identify a specific device; multiple devices can have the same name and password.

• For endpoints being dynamically provisioned, include the Common SIP Username and Common SIP Password.

3 Leave the other settings on the Inbound Authentication tab alone unless you need to configure the endpoints to use a specific realm (protection domain). To do this, complete the required fields on the Inbound Authentication tab.

4 If a SIP peer server is configured on the DMA system, edit its configuration (Network > External SIP Peer > Edit) and configure its Authentication settings.

5 If the external SIP peer, such as another DMA system, is configured to challenge for authentication credentials (inbound) and this DMA system is set to handle credential challenges instead of passing them to the endpoints, then configure the same Authentication and Shared Outbound Authentication settings on both systems.

This ensures that the authentication credentials for the Shared Outbound Authentication and the SIP peer match in this 2-tier SIP server environment with only one of them doing authentication.

To disable authentication for a specific endpoint:

1 Go to Network > Endpoints.

2 Select the endpoint for which you want to remove authentication.

3 Click Edit.

4 Clear Device Authentication.

Task 4 Integrate the DMA and RealPresence Resource Manager systems

1 See the Polycom DMA System Operations Guide for detailed information about integrating with a RealPresence Resource Manager system. Then go to Admin > Integrations > RealPresence Resource Manager System and select Join Resource Manager.

2 Enter the host name or IP address of the RealPresence Resource Manager system and the credentials with which to log into it.

The system connects to the RealPresence Resource Manager system, establishes the integration, and obtains site topology and user-to-device association data (this may take a few minutes). A dialog box informs you when the process is complete.

3 On the RealPresence Resource Manager System page, verify the RealPresence Resource Manager system integration information.

4 Go to Network > Site Topology > Sites, and from there to the other site topology pages, to see the site topology information obtained from the RealPresence Resource Manager system.

Configure Polycom Endpoint Systems

This solution supports the Polycom endpoint systems identified in “Products Used to Test This Solution” on page 7.

You must have configured provisioning of the Acme Packet ESD on the RealPresence Resource Manager system (as described above) before configuring Polycom endpoints.

Task 1 Configure Polycom HDX Series Endpoints

Polycom HDX series endpoints do not require any special setup for this solution. However, Polycom recommends that endpoint systems be configured for automatic provisioning because it enables easy setup and access to advanced features.

Polycom recommends dynamically provisioning endpoints using the RealPresence Resource Manager system. If you do not configure Polycom endpoints to be dynamically provisioned using the RealPresence Resource Manager system, only basic registration and calls will traverse the firewall when the correct SIP proxy and registrar settings are configured.

The following lists describe the functions that will not work on Polycom RealPresence Mobile and Polycom HDX systems if the endpoints are not configured for dynamic provisioning with the RealPresence Resource Manager system:

Polycom RealPresence Mobile systems

• Provisioning

• People + Content:
  -- Receiving Content (P+C) (BFCP)
  -- On iPad, sending PDF files as content (P+C) (BFCP)

• Encrypted media (SRTP)

• Local address book

• LDAP directory access

• TLS SIP

Polycom HDX systems

• Provisioning

• Automatic software updates

• LDAP directory access via the RealPresence Resource Manager system.

• Presence feature via the RealPresence Resource Manager system.

To configure HDX systems for automatic provisioning

1 See the Administrator’s Guide for Polycom HDX System available at support.polycom.com for more information about configuring the system for automatic provisioning. Then go to Admin Settings > Global Services > Provisioning Service.

2 Enter the Domain, User Name, and Password for the device provisioning user, and the Server Address of the RealPresence Resource Manager system.

Verify that the user name and password you configure here have been configured in the directory.

3 Enable SIP keep-alive messages. Go to Admin Settings > Network > IP Network and select Enable SIP Keep-Alive Messages.

Task 2 Configure Polycom RealPresence Mobile endpoints for certificate verification

RealPresence Mobile systems must support non-mutual and mutual certificate validation during TLS connection establishment. It is assumed here that you have already installed the software on your device.

For more detailed RealPresence Mobile product information, refer to the Help and the Release Notes for the software version you are using, available at support.polycom.com.

To configure certificate verification for RealPresence Mobile for Apple iOS:

1 Install the root certificate of the server. See http://www.apple.com/ipad/business/docs/iPad_Certificates.pdf for instructions.

2 Install the client certificate:

a Create two files.

» Name one file client.p12. This file is a binary format PKCS12 file that includes a self certificate and self private key.

» Name the other file client.pwd. This file contains the private key protection password, encoded in Base64. Base64 is an encoding, not encryption, so handle client.pwd as carefully as the password itself.

b Import the client.pwd and client.p12 files into the application document directory using iTunes.

You must configure provisioning on the RealPresence Resource Manager system before configuring Polycom endpoints. Refer to “Configure Provisioning Information for Acme Packet Net-Net ESD components in the RealPresence Resource Manager system” on page 21.

To configure certificate verification for RealPresence Mobile for Android:

1 Install the root certificate of the server.

a Copy the root certificate to the root directory of the SD card.

b From the RealPresence Mobile for Android application, go to Settings > Security and install the certificate.

2 Install the client certificate by copying the client.p12 and client.pwd files to the RealPresence Mobile for Android polycom/certificate folder.

Task 3 Professional Mode Sign-In

If DNS is configured to point to the Acme Packet Net-Net ESD external interface, the RealPresence Mobile client is automatically registered to the DMA system’s SIP server and can access the RealPresence Resource Manager system for automatic provisioning.

Users who choose to use their RealPresence Mobile or Desktop systems in Professional Mode will be automatically provisioned/configured by the RealPresence Resource Manager system. Polycom recommends automatic provisioning because it enables easy setup and access to advanced features.

The product Help describes how users configure their systems for Professional Mode. When setting up Professional Mode, the user must enter the user name and password configured in “Add a Provisioning User Account for Endpoints” on page 13.

Configure the Polycom RMX® System

Task 1 Configure RMX system for Content and FECC support

To ensure that Content and FECC are supported for a conference:

>> See the Polycom RMX 1500/2000/4000 Administrator’s Guide for information about the FW NAT Keep Alive Interval. Then go to New Profile > Advanced and enable FW NAT Keep Alive. The FW NAT Keep Alive Interval should be set to a lower value than the default 30 seconds.

Task 2 Configure RMX system for RealPresence Mobile support

To allow the RealPresence Mobile client to send content to a conference:

1 See the Polycom RMX 1500/2000/4000 Administrator’s Guide for information about adding system flags. Then go to Setup > System Configuration > System Flags and set the value of the NUM_OF_INITIATE_HELLO_MESSAGE_IN_CALL_ESTABLISHMENT system flag to at least 3.

2 Restart the RMX system.

Configure the Polycom RSS™ System

The Polycom RSS 4000 server can work in two modes: normal mode and maximum security mode.

To deploy the Polycom RSS 4000 server in an Acme Packet Net-Net ESD environment, the Polycom RSS 4000 server must be in normal mode.

See the Polycom RSS 4000 System User Guide for more information about Polycom RSS server working modes.

3 Federation in a SIP Environment

This chapter describes how to configure this solution to support calls between endpoint users in two separate but federated (trusted) divisions or enterprises.

In this deployment model, one of the federated sites has an Acme Packet® Net-Net Enterprise Session Director (ESD). The other site may have a different session border controller.

In this chapter, we assume you have already performed the standard deployment for the applicable systems as documented in Chapter 2, “Deploying the Basic RealPresence Access Director System Solution to Support Remote and Guest Users.”

Configure the Acme Packet Net-Net ESD for Federation

To configure the Acme Packet Net-Net ESD for federation

1 See the Acme Packet documentation at https://support.acmepacket.com/documentation.asp. Then add two realms (configure terminal; media-manager; realm-config). Configure the following mandatory parameters:

identifier = B2B-Access
description = For External Connection (Optional)
network-interfaces = s0p0:0

identifier = B2B-Core
description = For Internal Connection (Optional)
network-interfaces = 1p0:0

2 Add two SIP interfaces (configure terminal; session-router; sip-interface). Configure the following parameters:

state enabled
realm-id B2B-Access
sip-port
    address 192.168.203.2      (ACME Server External IP)
    port 5061                  (ACME External Listening Port)
    transport-protocol TLS     (ACME External Listening Transport)
    tls-profile TLS-profile
    allow-anonymous all

state enabled
realm-id B2B-Core
sip-port
    address 192.168.204.2      (ACME Server Internal IP)
    port 5060
    transport-protocol UDP
    tls-profile
    allow-anonymous all

3 Add two steering pools (configure terminal; media-manager; steering-pool). Configure the following parameters:

ip-address 192.168.203.2      (ACME Server External IP)
start-port 60000
end-port 61999
realm-id B2B-Access

ip-address 192.168.204.2      (ACME Server Internal IP)
start-port 62000
end-port 63999
realm-id B2B-Core

4 Add two local policies (configure terminal; session-router; local-policy). Configure the following parameters:

local-policy
    from-address *
    to-address *
    source-realm B2B-Access
    state enabled
    policy-attribute
        next-hop 192.168.12.4      (DMA IP)
        realm B2B-Core

local-policy
    from-address *
    to-address *
    source-realm B2B-Core
    state enabled
    policy-attribute
        next-hop 10.220.211.112    (Another Enterprise IP)
        realm B2B-Access

5 Save the configuration.

A Optional DNS Configuration

This section describes creating domain name system (DNS) service records to enable this solution.

Task 1 Create a DNS A record on the external DNS server

You must create a DNS A (address) record on the external DNS server to map the FQDN of the Acme Packet Net-Net ESD system to its public IP address. So if the Acme Packet Net-Net ESD system has the FQDN name acpkt.example.com, add an A record as follows.

acpkt.example.com IN A 192.168.11.175

Where:
FQDN = acpkt.example.com
Class = IN (Internet)
A = Record type
192.168.11.175 = Acme Packet Net-Net ESD system IP address

Task 2 Create DNS SRV records on the external DNS server

Create the required DNS SRV records on the external DNS server depending on your specific needs as identified below.

• Create a DNS SRV record for the provisioning and management system on the external DNS server to map the service to the FQDN of the Acme Packet Net-Net ESD system (access proxy configuration).

This SRV record is required for Polycom endpoints outside the enterprise to locate the RealPresence Resource Manager system using the Auto Find Provisioning Server feature of the RealPresence Mobile system.

If you’re not familiar with DNS administration, the creation of various kinds of DNS resource records, and your enterprise’s DNS implementation, please consult with someone who is.

So if the Acme Packet Net-Net ESD system has the FQDN name acpkt.example.com, add an SRV record as follows.

_cmaconfig._tcp.example.com. IN SRV 0 100 443 acpkt.example.com

Where:
Service = _cmaconfig
Protocol = _tcp
Priority = 0
Weight = 100
Port = 443
Host offering this service = acpkt.example.com

• Create a DNS SRV record for the SIP service on the external DNS server to map the service to the FQDN of the Acme Packet Net-Net ESD system (access proxy configuration). So if the Acme Packet Net-Net ESD system has the FQDN name acpkt.example.com, add an SRV record as follows.

_sip._tcp.customerdomain.com 86400 IN SRV 0 0 5061 acpkt.example.com

Where:
Service = _sip
Protocol = _tcp
Priority = 0
Weight = 100
Port = 5061
Host offering this service = acpkt.example.com

Task 3 Set up a split DNS configuration

Consider setting up a split DNS configuration for both the internal and external DNS servers. For example, the Host (A) record in the internal DNS server might look like this:

customerdomain.com Access5 192.168.11.175

Where 192.168.11.175 is the IP address of the public side of the Acme Packet Net-Net ESD.

Use port 5060 for SIP over unencrypted UDP/TCP. Use port 5061 for encrypted SIP over TLS.

Task 4 Create DNS A records on the internal DNS server

Create three DNS A records on the internal DNS server.

• Create a DNS A record for the RealPresence Resource Manager system in the internal network. So if the FQDN of the RealPresence Resource Manager system is rprm.example.com, and its IP address is 10.22.202.134, create an A record:

rprm.example.com IN A 10.22.202.134

• Create a DNS A record for the DMA system in the internal network. So if the FQDN of the DMA system is dma.example.com, and its IP address is 10.22.120.126, create an A record:

dma.example.com IN A 10.22.120.126

• Create a DNS A record for the Acme Packet Net-Net ESD system (Access Proxy configuration) as the provisioning service, SIP service, and/or gatekeeper service (SBC setting). So if the FQDN of the Acme Packet Net-Net ESD system is acpkt.example.com, and its IP address is 10.22.210.111, create an A record:

acpkt.example.com IN A 10.22.210.111

Task 4 Create DNS SRV records on the internal DNS server

Create the required DNS SRV records on the internal DNS server depending on your specific needs as identified below.

• Create a DNS SRV record for the RealPresence Resource Manager system. So if the FQDN of the RealPresence Resource Manager system is rprm.example.com, and its IP address is 10.22.202.134, create an SRV record:

_cmaconfig._tcp.example.com. IN SRV 0 100 443 rprm.example.com

• Create several DNS SRV records for the services (SIP/UDP, SIP/TCP, SIP/TLS, H323) provided by the DMA system. So if the FQDN of the DMA system is dma.example.com, and its IP address is 10.22.120.126, create SRV records:

_sip._tcp.example.com. IN SRV 0 100 5060 dma.example.com
_sip._udp.example.com. IN SRV 0 100 5060 dma.example.com
_sip._tls.example.com. IN SRV 0 100 5061 dma.example.com
_h323cs._tcp.example.com. IN SRV 0 100 1720 dma.example.com

Task 5 Validate DNS settings on the external DNS server

The following steps use the Windows nslookup commands as an example. The procedure is similar on Mac and Linux.

To validate the DNS settings on the external DNS server

1 From a Windows computer located on the Internet network, open a command line.

2 Type nslookup acpkt.example.com to check the A record of the Acme Packet Net-Net ESD system. The response should include the corresponding Acme Packet Net-Net ESD system's public IP address.

3 Type nslookup -type=srv _cmaconfig._tcp.example.com to check the SRV record. The response should include the FQDN of each Acme Packet Net-Net ESD system.

Task 6 Validate DNS settings on the internal DNS server

The following steps use the Windows nslookup commands as an example. The procedure is similar on Mac and Linux.

To validate the DNS settings on the internal DNS server

1 From a Windows computer located on the Internet network, open a command line.

2 Type nslookup rprm.example.com to check the A record of the RealPresence Resource Manager systems. The response should include the corresponding RealPresence Resource Manager system's IP address.

3 Type nslookup dma.example.com to check the A record of the DMA systems. The response should include the corresponding DMA system's IP address.

4 Type nslookup acpkt.example.com to check the A record of the Acme Packet Net-Net ESD system. The response should include the corresponding RealPresence Access Director system's internal IP address.

5 Type nslookup -type=srv _cmaconfig._tcp.example.com to check the SRV record. The response should include the FQDN of RealPresence Resource Manager system.

6 Type nslookup -type=srv _sip._tcp.example.com and nslookup -type=srv _h323cs._tcp.example.com to check the SRV record. The response should include the FQDN of DMA system.
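The checks in Tasks 5 and 6 can also be run offline against the zone data before it is published. The following is an added example, not Polycom or Acme Packet code: the zone snippets are constructed from this appendix's sample records, and the function names, finding labels, and the rule that an external SIP SRV record should not advertise port 5060 are assumptions of the example.

```python
import re

# Constructed sample zone data, modelled on this appendix's example records.
EXTERNAL_ZONE = """
acpkt.example.com.               IN A   192.168.11.175
_cmaconfig._tcp.example.com.     IN SRV 0 100 443 acpkt.example.com.
_sip._tcp.customerdomain.com. 86400 IN SRV 0 0 5061 acpkt.example.com.
"""
INTERNAL_ZONE = """
rprm.example.com.             IN A   10.22.202.134
dma.example.com.              IN A   10.22.120.126
acpkt.example.com.            IN A   10.22.210.111
_cmaconfig._tcp.example.com.  IN SRV 0 100 443  rprm.example.com.
_sip._tcp.example.com.        IN SRV 0 100 5060 dma.example.com.
"""
# Constructed faulty external view: one SRV points at an internal host,
# one advertises port 5060, and one has a mistyped protocol label.
BROKEN_EXTERNAL_ZONE = """
acpkt.example.com.            IN A   192.168.11.175
_cmaconfig._tcp.example.com.  IN SRV 0 100 443  rprm.example.com.
_sip._tcp.example.com.        IN SRV 0 100 5060 acpkt.example.com.
_sip._ucp.example.com.        IN SRV 0 100 5060 acpkt.example.com.
"""

RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|SRV)\s+(.+)$", re.I)
# Protocol labels accepted here (assumption): the ones this page uses.
SRV_OWNER = re.compile(r"^_[a-z0-9-]+\._(tcp|udp|tls)\.", re.I)


def fqdn(name):
    """Normalise a name: lower case, no trailing dot."""
    return name.rstrip(".").lower()


def parse_zone(text):
    """Return ({host: [addresses]}, [srv dicts]) from simple zone lines."""
    hosts, srvs = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            raise ValueError(f"unparsed record: {raw!r}")
        owner, rtype, rdata = m.groups()
        if rtype.upper() == "A":
            hosts.setdefault(fqdn(owner), []).append(rdata.strip())
        else:
            _prio, _weight, port, target = rdata.split()
            srvs.append({"owner": fqdn(owner), "port": int(port),
                         "target": fqdn(target)})
    return hosts, srvs


def check_view(zone_text, view, esd_fqdn):
    """Return (finding, owner) pairs for one DNS view ('external'/'internal')."""
    hosts, srvs = parse_zone(zone_text)
    findings = []
    for srv in srvs:
        owner = srv["owner"]
        if not SRV_OWNER.match(owner):
            findings.append(("BAD_SRV_NAME", owner))
        if srv["target"] not in hosts:
            # An nslookup of the SRV target would fail in this view.
            findings.append(("DANGLING_TARGET", owner))
        if view == "external":
            # External services are mapped to the ESD, never to RPRM or DMA.
            if srv["target"] != fqdn(esd_fqdn):
                findings.append(("TARGET_NOT_ESD", owner))
            # Assumption: the ESD's external SIP listener is TLS on 5061.
            if owner.startswith("_sip.") and srv["port"] == 5060:
                findings.append(("CLEARTEXT_SIP_PORT", owner))
    return findings


def split_horizon_names(external_text, internal_text):
    """Names answered in both views with different addresses."""
    ext, _ = parse_zone(external_text)
    inn, _ = parse_zone(internal_text)
    return sorted(n for n in ext.keys() & inn.keys()
                  if set(ext[n]) != set(inn[n]))


if __name__ == "__main__":
    for label, zone, view in (("external", EXTERNAL_ZONE, "external"),
                              ("internal", INTERNAL_ZONE, "internal"),
                              ("broken external", BROKEN_EXTERNAL_ZONE, "external")):
        print(label, check_view(zone, view, "acpkt.example.com"))
    print("split-horizon:", split_horizon_names(EXTERNAL_ZONE, INTERNAL_ZONE))
```

An empty list for a view means every SRV record in it is well formed and points at a host that the same view can resolve; the split-horizon list should contain only the ESD's FQDN.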

