Local Cluster Configuration

Configure specific ports or prefixes for untrusted (“unauthorized” or “guest”) SIP calls that can only access specific resources (VMRs, VEQs, or a SIP peer).

H.323 Device Authentication

In an environment where H.235 authentication is used, H.323 devices include their credentials (name and password) in registration and signaling (RAS) requests. The Polycom RealPresence DMA system authenticates requests as follows:

If it’s a signaling request (ARQ, BRQ, DRQ) from an unregistered endpoint, the Call Server doesn’t authenticate the credentials.

Otherwise, if the request is from an endpoint and the Polycom RealPresence DMA system is integrated with a Polycom RealPresence Resource Manager system, the Call Server attempts to authenticate the endpoint’s credentials with the RealPresence Resource Manager system.

If it can’t authenticate with the RealPresence Resource Manager system, or if the request is from an MCU or neighbor gatekeeper, the Call Server attempts to authenticate using its device authentication list.

If it’s a signaling request from a registered endpoint, or if the request is from an MCU or neighbor gatekeeper, the Call Server attempts to authenticate using its device authentication list (see Device Authentication).

If the credentials can’t be authenticated, the Call Server rejects the registration or signaling request. For call signaling requests, it also rejects the request if the credentials differ from those with which the device registered.

SIP Device Authentication

The SIP digest authentication mechanism is described in RFC 3261, starting in section 22, and in

RFC 2617, section 3. When a SIP endpoint registers with or calls the Polycom RealPresence DMA system, if the request includes authentication information, that information is checked against the Call Server’s local device authentication list (see Device Authentication).

SIP authentication can be enabled at the port/transport level or (for “unauthorized” access prefixes) the prefix level.

If SIP authentication is enabled and an endpoint’s request doesn’t include authentication information, the Call Server responds with an authentication challenge containing the required fields (see the RFCs). If the endpoint responds with valid authentication information, the system accepts the registration or call.

Note: SIP device authentication

If inbound SIP authentication is turned on for a port or prefix, the Polycom RealPresence DMA system challenges any SIP message coming to the system via that port or with that prefix. Any SIP peer and other device that interacts with the system by those means must be configured to authenticate itself, or you must turn off Device authentication for that specific device. See Edit Device Dialog.

Untrusted SIP Call Handling Configuration

You can configure special handling for SIP calls from devices outside the corporate firewall that aren’t registered with the Polycom RealPresence DMA system and aren’t from a federated division or enterprise. These calls come to the RealPresence DMA system via SIP session border controllers (SBCs) such as a Polycom RealPresence Access Director or Acme Packet Session Border Controller device (which are configured as SIP peers in the RealPresence DMA system; see External SIP Peer).

Polycom, Inc.

71

Page 71
Image 71
Polycom 7000 manual SIP Device Authentication, Untrusted SIP Call Handling Configuration