Polycom 4000, (RMX) 1500, 1800, 2000 Mixing Encrypted and Non-encrypted Endpoints in one Conference

RealPresence Collaboration Server (RMX) 1500/1800/2000/4000 Administrator’s Guide

Polycom®, Inc. 178

The SEND_SRTP_MKI System Flag enables or disables the inclusion of the MKI field in SRTP

packets sent by the Collaboration Server. The default value of the flag is YES.

Add the flag to system.cfg and set its value set to NO to disable the inclusion of the MKI field in SRTP

packets sent by the Collaboration Server when using endpoints that cannot decrypt SRTP-based

audio and video streams if the MKI (Master Key Identifier) field is included in SRTP packets sent by

the Collaboration Server. When all conferences on the RMX will not have MS-Lync clients

participating and will have 3rd party endpoints participating. This setting is recommended for

Maximum Security Environments.

Add the flag to system.cfg and set its value set to YES when Microsoft Office Communicator and

Lync Clients. When any conferences on the RMX will have both MS-Lync clients and Polycom

endpoints participating. Some 3rd party endpoints may be unsuccessful in participating in

conferences with this setting.

Polycom endpoints function normally regardless of the setting of this flag.

For more information, see Modifying System Flags.

●In compliance with UC_APL_SEC_0013, the Collaboration Server 1500/2000/4000 supports an

additional Privacy Protocol AES_CM_128_HMAC_SHA1_32, in addition to

AES_CM_128_HMAC_SHA1_80. For more information see Media Encryption and Authentication.

Mixing Encrypted and Non-encrypted Endpoints in one Conference

Mixing encrypted and non-encrypted endpoints in one conference is possible, based on the Encryption

option Encrypt When Possible in the Conference Profile - Advance dialog box. The behavior is different

for H.323/SIP and ISDN participants (Collaboration Server 1500/2000/4000).

In Collaboration Server 1500/2000/4000 with versions prior to version 7.6.1, this behavior is based on the

setting of the system flag ALLOW_NON_ENCRYPT_PARTY_IN_ENCRYPT_CONF.

The option Encrypt When Possible enables the negotiation between the MCU and the endpoints and let

the MCU connect the participants according to their capabilities, where encryption is the preferred setting.

Defined participants that cannot connect encrypted are connected non-encrypted, with the exception of

dial-out SIP participants.

The same system behavior can be applied to undefined participants, depending on the setting of the System

Flag FORCE_ENCRYPTION_FOR_UNDEFINED_PARTICIPANT_IN_WHEN_AVAILABLE_MODE:

●When set to NO and the conference encryption in the Profile is set to Encrypt when possible, both

Encrypted and Non-encrypted undefined participants can connect to the same conferences, where

encryption is the preferred setting.

●When set to YES (default), Undefined participants must connect encrypted, otherwise they are

disconnected.

•When the conference encryption is set to Encrypt when possible, SIP dial out participants

whose encryption is set to AUTO can only connect with encryption, otherwise they are

disconnected from the conference.

•In CISCO TIP environments, dial in endpoints that are registered to CUCM can only connect as

non-encrypted when the conference encryption is set to Encrypt when possible as the CUCM

server sends the Invite command without SDP.