Polycom 3725-76302-001O Certificate Procedures

System Security

Polycom, Inc. 46

See also:

Security Certificates Overview on page 39

Certificate Settings on page43

Certificate Procedures

Certificate procedures include the following:

●Install your chosen certificate authority’s public certificate, if necessary, so that the Polycom

RealPresence DMA system trusts that certificate authority.

●Create a certificate signing request to submit to the certificate authority.

●Install a public certificate signed by your certificate authority that identifies the Polycom RealPresence

DMA system.

●Remove a signed certificate or a certificate authority’s certificate.

Install a Certificate Authority’s Certificate

This procedure is not necessary if you obtain a certificate chain that includes a signed certificate for the

Polycom RealPresence DMA system, your certificate authority’s public certificate, and any intermediate

certificates.

Use this procedure to add a trusted certificate authority, either an in-house or commercial CA.

To install a certificate for a trusted root CA

1Go to Admin > Local Cluster > Certificates.

The installed certificates are listed. The Trusted Root CA entries, if any, represent the certificate

authorities whose public certificates are already installed on the RealPresence DMA system and are

thus trusted.

Note: Obtaining Certificates for Microsoft Environments

If you’re configuring the Polycom RealPresence DMA system to support Polycom’s solution for the

Microsoft OCS or Lync environment, you can use Microsoft’s Certificate Wizard to request and obtain

a PFX file (a password-protected PKCS12 file containing a private key and public key for the system,

and the CA’s certificate).

Once you have the PFX file, you’re ready to install it.

See Polycom’s solution deployment guide for information about using the Certificate Wizard and other

steps needed to implement the solution.

Caution: Installing or Removing Certificates Requires a Restart

Installing or removing certificates requires a system restart and terminates all active conferences.

When you install or remove a certificate, the change is made to the certificate store immediately, but

the system can’t implement the change until it restarts and reads the changed certificate store.

For your convenience, you’re not required to restart and apply a change immediately. This permits you

to perform multiple installs or removals before restarting and applying the changes. But when you’re

finished making changes, you must select Restart to Apply Saved Changes to restart the system

and finish your update. Before you begin, make sure there are no active conferences and you’re

prepared to restart the system when you’re finished.

Contents

Main End User License Agreement Patent Information Open Source Software Used in this Product Disclaimer Limitation of Liability Contents Polycom RealPresence DMA7000 System Overview . . . . . . . . . . . . . . . . . . . 15 Polycom RealPresence DMA System Initial Configuration Summary . . . . . . 29 Page Page Page Page Page Page Page Page Page Polycom RealPresence DMA System SNMP Support . . . . . . . . . . . . . . . . . . . . 419 Page Polycom RealPresence DMA7000 System Overview Introduction to the Polycom RealPresence DMA System The Polycom RealPresence DMA Systems Primary Functions Conference Manager Call Server RealPresence Platform API SVC Conferencing Support The Polycom RealPresence DMA Systems Three Configurations Two-server Cluster Configuration Single-server Configuration Superclustering System Capabilities and Constraints System Port Usage Page Polycom Solution Support Working in the Polycom RealPresence DMA System Accessing the Polycom RealPresence DMA System Field Input Requirements Settings Dialog Box Polycom RealPresence DMA System User Roles and Their Access Privileges Page Page Page Open Source Software License Information Modifying Open Source Code To replace an LGPL library with your modified version Polycom RealPresence DMA System Initial Configuration Summary System configuration Confirming configuration Add Required DNS Records for the Polycom RealPresence DMA System Additional DNS Records for SIP Proxy Additional DNS Records for the H.323 Gatekeeper Additional DNS Records for the Optional Embedded DNS Feature Verify That DNS Is Working for All Addresses License the Polycom RealPresence DMA System License the RealPresence DMA System, Appliance Edition License the RealPresence DMA System, Virtual Edition Set Up Signaling Configure the Call Server and Optionally Create a Supercluster Set Up Security Set Up MCUs Connect to Microsoft Active Directory Set Up Conference Templates Test the System System Security Security Certificates Overview How Certificates Work Forms of Certificates Accepted by the Polycom RealPresence DMA System How Certificates Are Used by the Polycom RealPresence DMA System Page Frequently Asked Questions Certificate Settings The following table describes the fields on the Certificate Settings page. Certificate Information Dialog Box Certificate Signing Request Dialog Box Add Certificates Dialog Box Certificate Details Dialog Box Certificate Procedures Install a Certificate Authoritys Certificate To install a certificate for a trusted root CA Create a Certificate Signing Request in the RealPresence DMA System To create a certificate signing request Install a Certificate in the RealPresence DMA System To install a signed certificate that identifies the Polycom RealPresence DMA system Remove a Certificate from the RealPresence DMA System To remove a Trusted Root CAs certificate To remove a signed certificate and revert to the default self-signed certificate Security Settings The following table describes the options in the Security Settings page. Page Page To change the security settings 5Click OK. The Consequences of Enabling Maximum Security Mode Page Enabling File Uploads in Maximum Security with Mozilla Firefox Login Policy Settings Local Password Session Local User Account Banner Access Policy Settings Reset System Passwords To reset system passwords Page Local Cluster Configuration Network Settings Page Page Page Page Routing Configuration Dialog Box Time Settings Licenses Licenses for the Appliance Edition Licenses for the Virtual Edition Signaling Settings H.323 and SIP Signaling H.323 Device Authentication SIP Device Authentication Untrusted SIP Call Handling Configuration Signaling Settings Fields Page Add Guest Port Dialog Box See also: Signaling Settings on page72 Local Cluster Configuration Procedures on page 81 Edit Guest Port Dialog Box Add Guest Prefix Dialog Box See also: Signaling Settings on page72 Local Cluster Configuration Procedures on page 81 Edit Guest Prefix Dialog Box See also: Signaling Settings on page72 Local Cluster Configuration Procedures on page 81 Logging Settings Licenses for the Appliance Edition on page70 The following table describes the fields on the Logging Settings page. Alerting Settings Local Cluster Configuration Procedures Add Licenses To request a software activation key code for each server To enter license activation key codes Configure Signaling To configure signaling Page Configure Logging To configure logging Automatically Send Usage Data Enable or Disable Automatic Data Collection See the Collected Data To see the collected data Device Management Active Calls Call Details Dialog Box Page Page Endpoints Page The Actions list associated with the Endpoints list contains the items in the following table. Names/Aliases in a Mixed H.323 and SIP Environment Naming ITP Systems Properly for Recognition by the Polycom RealPresence DMA System Add Endpoint Dialog Box Edit Device Dialog Box See also: Endpoints on page91 Add Alias Dialog Box on page 99 Edit Alias Dialog Box on page 99 Edit Devices Dialog Box Add Alias Dialog Box Edit Alias Dialog Box Associate User Dialog Box Site Statistics Site Link Statistics External Gatekeeper See also: Device Management on page 87 Edit External Gatekeeper Dialog Box on page 103 The following table describes the fields in the Add External Gatekeeper dialog box. Add External Gatekeeper Dialog Box The following table describes the fields in the Edit External Gatekeeper dialog box. Edit External Gatekeeper Dialog Box Page External SIP Peer Add External SIP Peer Dialog Box Page Page Page Page Edit External SIP Peer Dialog Box Page Page Page SIP Peer Postliminary Output Format Options To Header Format Options Request-URI Header Format Options Free Form Template Variables To Header and Request-URI Header Examples Add Authentication Dialog Box Edit Authentication Dialog Box Add Outbound Registration Dialog Box Edit Outbound Registration Dialog Box External H.323 SBC Page Add External H.323 SBC Dialog Box The following table describes the fields in the Add External H.323 SBC dialog box. Edit External H.323 SBC Dialog Box The following table describes the fields in the Edit External H.323 SBC dialog box. MCU Management MCUs Page Considerations when using MCUs with the RealPresence DMA system Page The Actions list associated with the MCU list contains the items in the following table. Add MCU Dialog Box Page Page Page Edit MCU Dialog Box Page Page Page Page Add Session Profile Dialog Box Edit Session Profile Dialog Box ISDN Gateway Selection Process MCU Procedures To view information about an MCU To add an MCU To edit an MCU To delete an MCU To immediately stop using one or more MCUs for conferencing and simplified ISDN dialing To stop using one or more MCUs, but allow existing calls and conferences to continue To start using one or more MCUs for conferencing and simplified ISDN dialing again MCU Pools Add MCU Pool Dialog Box Edit MCU Pool Dialog Box MCU Pool Procedures To add an MCU Pool To edit an MCU Pool To delete an MCU Pool MCU Pool Orders Add MCU Pool Order Dialog Box Edit MCU Pool Order Dialog Box MCU Selection Process MCU Availability and Reliability Tracking Page MCU Pool Order Procedures To view the MCU Pool Orders list To add an MCU Pool Order To edit an MCU Pool Order To delete an MCU Pool Order Integrations with Other Systems Microsoft Active Directory Integration Microsoft Active Directory Page Page Page ()&%#@|"':;, Active Directory Integration Procedure To integrate with Active Directory Page Page Understanding Base DN Page Adding Passcodes for Enterprise Users To generate chairperson and conference passcodes for enterprise users About the Systems Directory Queries User Search Group Search Global Group Membership Search Attribute Replication Search Configurable Attribute Domain Search Domain Search Service Account Search Microsoft Lync 2013 Integration Lync 2010 vs. Lync 2013 Integration Scheduled Conferences Automatic Contact Creation and Configuration Lync and non-Lync Endpoint Collaboration Considerations and Requirements for Lync 2013 Integration Lync 2010 and 2013 Client / Server Feature Support Integrate RealPresence DMA and Lync 2013 Required Information Synchronize Lync Server and RealPresence DMA System Time Enable Windows Remote Shell Install Certificates for the Lync Server Add the Lync Pool as an External SIP Peer To add the Lync pool as an external SIP peer Enable the Dial by Lync Conference ID Dial Rule To enable the Dial by Lync conference ID dial rule Configure System-wide Presence and Contact Creation Settings To enable presence publishing for Polycom conference contacts Add the RealPresence DMA System to the Lync Topology (Optional) Edit Presence settings for Groups or Specific VMRs Diagnose Presence Problems Microsoft Exchange Server Integration Microsoft Exchange Server Page Exchange Server Integration Procedure To integrate the Polycom RealPresence DMA system with your Exchange server Resource Management System Integration Page Resource Management System Page Join Resource Management System Dialog Box Resource Management System Integration Procedures To integrate with a resource management system To terminate the integration with a resource management system Juniper Networks SRC Integration Juniper Networks SRC Page Juniper Networks SRC Integration Procedure To configure SRC integration Conference Manager Configuration Conference Settings Page Page Default Polycom conference contacts presence settings 1Go to Admin > Conference Manager > Conference Settings. To specify conference settings Remove Contacts from Active Directory Dialog Box To manually recreate Lync 2013 contact resources associated with other superclusters Conference Templates Two Ty pes o f Tem plat es Standalone Templates Templates Linked to RealPresence Collaboration Server or RMX Profiles Template Priority About Conference IVR Services About Cascading Cascading for Bandwidth Cascading for Size Conference Templates List Add Conference Template Dialog Box Page Page Page Page Page Page Page Page Page Edit Conference Template Dialog Box Page Page Page Page Page Page Page Page Page Select Layout Dialog Box To select a video frames layout Conference Templates Procedures To view the Conference Templates list To add a conference template linked to a RealPresence Collaboration Server or RMX profile To edit a conference template To change a conference templates priority To delete a conference template IVR Prompt Sets Page Shared Number Dialing Page Page Add Virtual Entry Queue Dialog Box Add Direct Dial Virtual Entry Queue Dialog Box Edit Virtual Entry Queue Dialog Box See also: Shared Number Dialing on page 220 Edit Direct Dial Virtual Entry Queue Dialog Box See also: Shared Number Dialing on page 220 Superclustering About Superclustering RealPresence DMAs Page Page Join Supercluster Dialog Box Supercluster Procedures To create or join a supercluster Page To remove a cluster from the supercluster Call Server Configuration About the Call Server Capabilities See also: Call Server Configuration on page 233 Call Server Settings on page 234 Call Server Settings Page Page See also: Call Server Configuration on page 233 About the Call Server Capabilities on page233 Domains The following table describes the fields on the page. Dial Rules Test Dial Rules Dialog Box The Default Dial Plan and Suggestions for Modifications Page Page Add Dial Rule Dialog Box Page Page Page Edit Dial Rule Dialog Box The following table describes the fields in the Edit Dial Rule dialog box. Page Page Preliminary/Postliminary Scripting Page Page Script Debugging Dialog Box for Preliminaries/Postliminaries Sample Preliminary and Postliminary Scripts Page Page Hunt Groups Add Hunt Group Dialog Box Edit Hunt Group Dialog Box Add Alias Dialog Box Edit Alias Dialog Box Device Authentication Inbound Authentication Shared Outbound Authentication The following table describes the fields on the Device Authentication page. Add Device Authentication Dialog Box Edit Device Authentication Dialog Box Registration Policy Registration Policy Scripting Page Page Script Debugging Dialog Box for Registration Policy Scripts Sample Registration Policy Scripts Page Page Prefix Service Add Simplified ISDN Gateway Dialing Prefix Dialog Box Edit Simplified ISDN Gateway Dialing Prefix Dialog Box Edit Vertical Service Code Dialog Box Embedded DNS To enable DNS publishing History Retention Settings To configure history record retention Page Site Topology About Site Topology Sites Page Site Information Dialog Box See also: About Site Topology on page278 Sites on page 279 Add Site Dialog Box Page Page Edit Site Dialog Box Page Page Page Lets you add subnets to the site youre adding or editing. Add Subnet Dialog Box Edit Subnet Dialog Box Site Links Add Site Link Dialog Box Edit Site Link Dialog Box Site-to-Site Exclusions Add Site-to-Site Exclusion Wizard To add a site-to-site exclusion Territories Add Territory Dialog Box Edit Territory Dialog Box Network Clouds Add Network Cloud Dialog Box Edit Network Cloud Dialog Box Site Topology Configuration Procedures To configure your site topology in the RealPresence DMA system Page Users and Groups User Roles Overview Adding Users Overview Users Page Add User Dialog Box Page Edit User Dialog Box Page Page Authentication Required Dialog Box Select Associated Endpoints Dialog Box Conference Rooms Dialog Box Page Add Conference Room Dialog Box Page Page Page Page Edit Conference Room Dialog Box Page Page Page Add Dial-out Participant Dialog Box Users Procedures Edit Dial-out Participant Dialog Box To find a user or users To add a local user To edit a user To delete a local user Conference Rooms Procedures To add a conference room to a user To edit one of a users conference rooms To delete one of a users custom conference rooms Groups The following table describes the fields in the Import Enterprise Groups dialog box. Import Enterprise Groups Dialog Box See also: Users on page 303 Groups on page325 Enterprise Groups Procedures on page329 Edit Group Dialog Box The following table describes the fields in the Edit Group dialog box. See also: Users on page 303 Groups on page325 Import Enterprise Groups Dialog Box on page 326 Enterprise Groups Procedures To set up an enterprise group for Polycom RealPresence DMA management and operations users To specify which MCUs a group uses by assigning an MCU pool order To set up a custom conferencing experience for an enterprise group Login Sessions To terminate a users login session Change Password Dialog Box System Management and Maintenance Management and Maintenance Overview Administrator Responsibilities Administrative Best Practices Auditor Responsibilities Auditor Best Practices Recommended Regular Maintenance Regular archive of backups General system health and capacity checks Microsoft Active Directory health Security configuration Certificates Network usage data export Dashboard Active Directory Integration Pane Call Server Active Calls Pane Call Server Registrations Pane Cluster Info Pane Conference History Max Participants Pane Conference Manager MCUs Pane Conference Manager Usage Pane Exchange Server Integration Pane License Status Pane Resource Management System Integration Pane Signaling Settings Pane Supercluster Status Pane Territory Status Pane User Login History Pane Alerts Alert 1001 Cluster <cluster> is busied out as of YYYY-MM-DD HH:MM GMT+/-H[:MM]. Alert 1002 Cluster <cluster> is out of service as of YYYY-MM-DD HH:MM GMT+/-H[:MM]. Alert 1003 Cluster <cluster> is orphaned. Alert 1004 No heartbeats from cluster <cluster>. Last heartbeat received YYYY-MM-DD HH:MM GMT+/-H[:MM]. Alert 1105 Alert 1106 Alert 1107 Alert 1108 <alerting-cluster>: Territory <territory> has failed over from <p-cluster> to <b-cluster>. Alert 2001 <formatted string from server> Alert 2002 Alert 2004 Alert 2101 Active Directory integration was not successful on cluster <cluster>. Alert 2102 Zero enterprise conference rooms exist on cluster <cluster>. Alert 2104 Alert 2105 Active Directory service is not available. Cluster <p-cluster> is not operational. Alert 2106 Alert 2107 Failed connection from <cluster> to Active Directory for caching at YYYY-MM-DD HH:MM GMT+/-H[:MM]. Alert 2201 Alert 2202 Alert 2203 Exchange server integration is not available. Cluster <p-cluster> is not operational. Alert 2401 Connection to the history/audit database for cluster <cluster> has failed. Alert 2601 <cluster>: Cannot reach Lync server <lyncserver> for presence publishing. Alert 2602 <cluster>: Cannot authenticate with <lyncserver> for presence publishing. Alert 2605 <cluster>: Cannot authenticate with <lyncserver> to resolve conference IDs. Alert 3001 Alert 3101 Alert 3102 Cluster <cluster>: The server certificate will expire within 1 day. All system access may be lost. Alert 3103 Alert 3104 Cluster <cluster>: One or more CA certificates have expired. Alert 3105 Cluster <cluster>: One or more CA certificates will expire within 30 days. Alert 3201 Cluster <cluster> has no license key(s). System will allow up to 10 concurrent calls. Alert 3202 Alert 3203 The EULA for cluster <cluster> has not been accepted. All calls are blocked on this cluster. Alert 3204 Cannot connect to licensing server <lserver> for <cluster>. Alert 3205 Alert 3301 Cluster <cluster> is configured for 2 servers, but only a single server is detected. Alert 3302 Alert 3303 Cluster <cluster>: A private network error exists on <server>. Alert 3305 Cluster <cluster>: A public signaling network error exists on <server>. Alert 3306 Alert 3309 Alert 3310 Alert 3401 Cluster <cluster>: Available disk space is less than 15% on server <server>. Alert 3403 Alert 3404 Alert 3405 Server <server> CPU utilization >50% and <75%. Alert 3406 Server <server> CPU utilization > 75%. Alert 3602 Cluster <cluster>: Local time differs by more than ten seconds between servers. Alert 3603 Cluster <cluster>: Active Directory integration is not consistent between servers. Alert 3605 Cluster <cluster>: Custom conference rooms differ between servers. Alert 3606 Cluster <cluster>: Local users differ between servers. Alert 3801 Alert 3803 Alert 4001 MCU <MCUname> is currently busied out. Alert 4002 Alert 4004 MCU <MCUname> is configured with insufficient user connections. Alert 4005 MCU <MCUname> disconnected. Alert 4010 MCU <mcu> disconnect rate is > 4. Alert 4011 MCU <mcu> call failure rate is > 0.4 and < 0.8. Alert 4013 MCU <mcu> is connected with no port capacity. Alert 4014 MCU <mcu> video port capacity changed from <oldcapacity> to <newcapacity>. Alert 4015 Alert 5002 Alert 5003 Alert 6001 No territories configured to host conference rooms. Alert 6002 Alert 6101 Call failed: Preset dialout from conference VMR <VMR> to <destination> failed. Cause: <cause> Alert 6102 Conference <VMR> on MCU <MCU> failed to start: <reason>. Page Alert 6201 Alert 6202 Alert 6203 Alert 7001 Failed registration data incomplete: <cluster> history limited to <n.n> hours. Alert 7005 Site <sitename> has no available aliases for automatic ISDN assignment. System Log Files System Logs Procedures To download a log archive to your PC or workstation To manually roll the system logs To delete a system log archive Troubleshooting Utilities Ping To run ping on each server Traceroute To run traceroute on each server Diagnostics for your Dell Server Backing Up and Restoring Confirm Restore Dialog Box Backup and Restore Procedures To download a backup file To create a new backup file To upload a backup file To restore from a backup file on the cluster To restore from a backup file on the Polycom RealPresence DMA systems USB flash drive Upgrading the Software Page Basic Upgrade Procedures To install an upgrade Page To roll back an upgrade, restoring the previous version Page Incompatible Software Version Supercluster Upgrades Factors to Consider for an Incremental Supercluster Upgrade Simplified Supercluster Upgrade (Complete Service Outage) To upgrade a supercluster by taking all clusters out of service Page Complex Supercluster Upgrade (Some Service Maintained) Adding a Second Server Expanding an Unpatched System To expand an unpatched single-server system into a two-server cluster Expanding a Patched System To expand a patched single-server system into a two-server cluster Replacing a Failed Server To replace a failed server in a two-server cluster Shutting Down and Restarting To restart or shut down one or both servers in a cluster To start up a shut-down cluster System Reports Alert History Call History Page Export History Conference History Export History Associated Calls Conference Events Property Changes Call Detail Records (CDRs) Exporting CDR Data To download CDRs Call Record Layouts Page Page Page Page Conference Record Layouts Page Registration History Report Registration History Procedures To find a device or devices Active Directory Integration Report Page Orphaned Groups and Users Report Orphaned Groups and Users Procedures To remove orphaned group data from the system To remove orphaned user data from the system Conference Room Errors Report Exporting Conference Room Errors Data To download conference room errors data Enterprise Passcode Errors Report Exporting Enterprise Passcode Errors Data To download enterprise passcode errors data Network Usage Report Exporting Network Usage Data Page To download network usage data Polycom RealPresence DMA System SNMP Support SNMP Overview SNMP Framework SNMP Notifications Configure SNMP Enable the SNMP Agent To enable the SNMP agent Add an SNMP Notification User To add a notification user Edit Notification User Dialog Box Add an SNMP Notification Agent To add an SNMP notification agent to the system 3Click OK. The agent appears in the Notification Agents list. Edit Notification Agent Dialog Box Download MIBs To download the MIB package for a DMA system Available SNMP MIBs