Polycom 3725-76302-001O User Manual

Operations Guide
6.1 | June 2014 | 3725-76302-001O
Polycom® RealPresence® DMA® 7000 System
Copyright© 2014, Polycom, Inc. All rights reserved. No part of this document may be reproduced, translated into another language or format, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc.
6001 America Center Drive San Jose, CA 95002 USA
Polycom®, the Polycom logo and the names and marks associated with Polycom products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom.
Java is a registered trademark of Oracle America, Inc., and/or its affiliates.
End User License Agreement: By installing, copying, or otherwise using this product, you acknowledge that you have read, understand and agree to be bound by the terms and conditions of the End User License Agreement for this product. The EULA for this product is available on the Polycom Support page for the product.
Patent Information: The accompanying product may be protected by one or more U.S. and foreign patents and/or pending patent applications held by Polycom, Inc.
Open Source Software Used in this Product: This product may contain open source software. You may receive the open source software from Polycom up to three (3) years after the distribution date of the applicable product or software at a charge not greater than the cost to Polycom of shipping or distributing the software to you.
Disclaimer: While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document.
Limitation of Liability: Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages.
Customer Feedback: We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to DocumentationFeedback@polycom.com.
Polycom Support: Visit the Polycom Support Center for End User License Agreements, software downloads, product documents, product licenses, troubleshooting tips, service requests, and more.
Contents
Polycom® RealPresence DMA® 7000 System Overview
Introduction to the Polycom RealPresence DMA System
The Polycom RealPresence DMA System’s Primary Functions
The Polycom RealPresence DMA System’s Three Configurations
System Capabilities and Constraints
System Port Usage
Polycom Solution Support
Working in the Polycom RealPresence DMA System
Accessing the Polycom RealPresence DMA System
Field Input Requirements
Settings Dialog Box
Polycom RealPresence DMA System User Roles and Their Access Privileges
Open Source Software
License Information
Polycom® RealPresence DMA® System Initial Configuration Summary
Add Required DNS Records for the Polycom RealPresence DMA System
Additional DNS Records for SIP Proxy
Additional DNS Records for the H.323 Gatekeeper
Additional DNS Records for the Optional Embedded DNS Feature
Verify That DNS Is Working for All Addresses
License the Polycom RealPresence DMA System
License the RealPresence DMA System, Appliance Edition
License the RealPresence DMA System, Virtual Edition
Set Up Signaling
Configure the Call Server and Optionally Create a Supercluster
Set Up Security
Set Up MCUs
Connect to Microsoft Active Directory®
Set Up Conference Templates
Test the System
System Security
Security Certificates Overview
How Certificates Work
Forms of Certificates Accepted by the Polycom RealPresence DMA System
How Certificates Are Used by the Polycom RealPresence DMA System
Frequently Asked Questions
Certificate Settings
Certificate Information Dialog Box
Certificate Signing Request Dialog Box
Add Certificates Dialog Box
Certificate Details Dialog Box
Certificate Procedures
Install a Certificate Authority’s Certificate
Create a Certificate Signing Request in the RealPresence DMA System
Install a Certificate in the RealPresence DMA System
Remove a Certificate from the RealPresence DMA System
Security Settings
The Consequences of Enabling Maximum Security Mode
Enabling File Uploads in Maximum Security with Mozilla Firefox
Login Policy Settings
Local Password
Session
Local User Account
Banner
Access Policy Settings
Reset System Passwords
Local Cluster Configuration
Network Settings
Routing Configuration Dialog Box
Time Settings
Licenses
Licenses for the Appliance Edition
Licenses for the Virtual Edition
Signaling Settings
H.323 and SIP Signaling
Add Guest Port Dialog Box
Edit Guest Port Dialog Box
Add Guest Prefix Dialog Box
Edit Guest Prefix Dialog Box
Logging Settings
Alerting Settings
Local Cluster Configuration Procedures
Add Licenses
Configure Signaling
Configure Logging
Automatically Send Usage Data
Enable or Disable Automatic Data Collection
See the Collected Data
Device Management
Active Calls
Call Details Dialog Box
Endpoints
Names/Aliases in a Mixed H.323 and SIP Environment
Naming ITP Systems Properly for Recognition by the Polycom RealPresence DMA System
Add Endpoint Dialog Box
Edit Device Dialog Box
Edit Devices Dialog Box
Add Alias Dialog Box
Edit Alias Dialog Box
Associate User Dialog Box
Site Statistics
Site Link Statistics
External Gatekeeper
Add External Gatekeeper Dialog Box
Edit External Gatekeeper Dialog Box
External SIP Peer
Add External SIP Peer Dialog Box
Edit External SIP Peer Dialog Box
SIP Peer Postliminary Output Format Options
Add Authentication Dialog Box
Edit Authentication Dialog Box
Add Outbound Registration Dialog Box
Edit Outbound Registration Dialog Box
External H.323 SBC
Add External H.323 SBC Dialog Box
Edit External H.323 SBC Dialog Box
MCU Management
MCUs
Considerations when using MCUs with the RealPresence DMA system
Add MCU Dialog Box
Edit MCU Dialog Box
Add Session Profile Dialog Box
Edit Session Profile Dialog Box
ISDN Gateway Selection Process
MCU Procedures
MCU Pools
Add MCU Pool Dialog Box
Edit MCU Pool Dialog Box
MCU Pool Procedures
MCU Pool Orders
Add MCU Pool Order Dialog Box
Edit MCU Pool Order Dialog Box
MCU Selection Process
MCU Availability and Reliability Tracking
MCU Pool Order Procedures
Integrations with Other Systems
Microsoft Active Directory® Integration
Microsoft Active Directory Page
Active Directory Integration Procedure
Understanding Base DN
Adding Passcodes for Enterprise Users
About the System’s Directory Queries
Microsoft Lync 2013 Integration
Lync 2010 vs. Lync 2013 Integration
Scheduled Conferences
Automatic Contact Creation and Configuration
Lync and non-Lync Endpoint Collaboration
Considerations and Requirements for Lync 2013 Integration
Lync 2010 and 2013 Client / Server Feature Support
Integrate RealPresence DMA and Lync 2013
Diagnose Presence Problems
Microsoft Exchange Server Integration
Microsoft Exchange Server Page
Exchange Server Integration Procedure
Resource Management System Integration
Resource Management System Page
Join Resource Management System Dialog Box
Resource Management System Integration Procedures
Juniper Networks SRC Integration
Juniper Networks SRC Page
Juniper Networks SRC Integration Procedure
Conference Manager Configuration
Conference Settings
Default Polycom conference contacts presence settings
Remove Contacts from Active Directory Dialog Box
Conference Templates
Two Types of Templates
Template Priority
About Conference IVR Services
About Cascading
Conference Templates List
Add Conference Template Dialog Box
Edit Conference Template Dialog Box
Select Layout Dialog Box
Conference Templates Procedures
IVR Prompt Sets
Shared Number Dialing
Add Virtual Entry Queue Dialog Box
Add Direct Dial Virtual Entry Queue Dialog Box
Edit Virtual Entry Queue Dialog Box
Edit Direct Dial Virtual Entry Queue Dialog Box
Superclustering
About Superclustering
RealPresence DMAs
Join Supercluster Dialog Box
Supercluster Procedures
Call Server Configuration
About the Call Server Capabilities
Call Server Settings
Domains
Dial Rules
Test Dial Rules Dialog Box
The Default Dial Plan and Suggestions for Modifications
Add Dial Rule Dialog Box
Edit Dial Rule Dialog Box
Preliminary/Postliminary Scripting
Script Debugging Dialog Box for Preliminaries/Postliminaries
Sample Preliminary and Postliminary Scripts
Hunt Groups
Add Hunt Group Dialog Box
Edit Hunt Group Dialog Box
Add Alias Dialog Box
Edit Alias Dialog Box
Device Authentication
Add Device Authentication Dialog Box
Edit Device Authentication Dialog Box
Registration Policy
Registration Policy Scripting
Script Debugging Dialog Box for Registration Policy Scripts
Sample Registration Policy Scripts
Prefix Service
Add Simplified ISDN Gateway Dialing Prefix Dialog Box
Edit Simplified ISDN Gateway Dialing Prefix Dialog Box
Edit Vertical Service Code Dialog Box
Embedded DNS
History Retention Settings
Site Topology
About Site Topology
Sites
Site Information Dialog Box
Add Site Dialog Box
Edit Site Dialog Box
Add Subnet Dialog Box
Edit Subnet Dialog Box
Site Links
Add Site Link Dialog Box
Edit Site Link Dialog Box
Site-to-Site Exclusions
Add Site-to-Site Exclusion Wizard
Territories
Add Territory Dialog Box
Edit Territory Dialog Box
Network Clouds
Add Network Cloud Dialog Box
Edit Network Cloud Dialog Box
Site Topology Configuration Procedures
Users and Groups
User Roles Overview
Adding Users Overview
Users
Add User Dialog Box
Edit User Dialog Box
Authentication Required Dialog Box
Select Associated Endpoints Dialog Box
Conference Rooms Dialog Box
Add Conference Room Dialog Box
Edit Conference Room Dialog Box
Add Dial-out Participant Dialog Box
Edit Dial-out Participant Dialog Box
Users Procedures
Conference Rooms Procedures
Groups
Import Enterprise Groups Dialog Box
Edit Group Dialog Box
Enterprise Groups Procedures
Login Sessions
Change Password Dialog Box
System Management and Maintenance
Management and Maintenance Overview
Administrator Responsibilities
Administrative Best Practices
Auditor Responsibilities
Auditor Best Practices
Provisioner Responsibilities
Recommended Regular Maintenance
Regular archive of backups
General system health and capacity checks
Microsoft Active Directory health
Security configuration
Certificates
Network usage data export
CDR export
Dashboard
Active Directory Integration Pane
Call Server Active Calls Pane
Call Server Registrations Pane
Cluster Info Pane
Conference History – Max Participants Pane
Conference Manager MCUs Pane
Conference Manager Usage Pane
Exchange Server Integration Pane
License Status Pane
Resource Management System Integration Pane
Signaling Settings Pane
Supercluster Status Pane
Territory Status Pane
User Login History Pane
Alerts
Alert 1001
Alert 1002
Alert 1003
Alert 1004
Alert 1103
Alert 1105
Alert 1106
Alert 1107
Alert 1108
Alert 2001
Alert 2002
Alert 2004
Alert 2101
Alert 2102
Alert 2104
Alert 2105
Alert 2106
Alert 2107
Alert 2201
Alert 2202
Alert 2203
Alert 2401
Alert 2402
Alert 2601
Alert 2602
Alert 2603
Alert 2604
Alert 2605
Alert 3001
Alert 3101
Alert 3102
Alert 3103
Alert 3104
Alert 3105
Alert 3201
Alert 3202
Alert 3203
Alert 3204
Alert 3205
Alert 3206
Alert 3301
Alert 3302
Alert 3303
Alert 3304
Alert 3305
Alert 3306
Alert 3309
Alert 3310
Alert 3401
Alert 3403
Alert 3404
Alert 3405
Alert 3406
Alert 3601
Alert 3602
Alert 3603
Alert 3604
Alert 3605
Alert 3606
Alert 3801
Alert 3802
Alert 3803
Alert 4001
Alert 4002
Alert 4003
Alert 4004
Alert 4005
Alert 4009
Alert 4010
Alert 4011
Alert 4012
Alert 4013
Alert 4014
Alert 4015
Alert 5001
Alert 5002
Alert 5003
Alert 6001
Alert 6002
Alert 6101
Alert 6102
Alert 6103
Alert 6104
Alert 6201
Alert 6202
Alert 6203
Alert 7001
Alert 7005
Alert 7101
System Log Files
System Logs Procedures
Troubleshooting Utilities
Ping
Traceroute
Top
I/O Stats
SAR
NTP Status
Diagnostics for your Dell Server
Backing Up and Restoring
Confirm Restore Dialog Box
Backup and Restore Procedures
Upgrading the Software
Basic Upgrade Procedures
Incompatible Software Version Supercluster Upgrades
Factors to Consider for an Incremental Supercluster Upgrade
Simplified Supercluster Upgrade (Complete Service Outage)
Complex Supercluster Upgrade (Some Service Maintained)
Adding a Second Server
Expanding an Unpatched System
Expanding a Patched System
Replacing a Failed Server
Shutting Down and Restarting
System Reports
Alert History
Call History
Export History
Conference History
Export History
Associated Calls
Conference Events
Property Changes
Call Detail Records (CDRs)
Exporting CDR Data
Call Record Layouts
Conference Record Layouts
Registration History Report
Registration History Procedures
Active Directory Integration Report
Orphaned Groups and Users Report
Orphaned Groups and Users Procedures
Conference Room Errors Report
Exporting Conference Room Errors Data
Enterprise Passcode Errors Report
Exporting Enterprise Passcode Errors Data
Network Usage Report
Exporting Network Usage Data
Polycom RealPresence DMA System SNMP Support
SNMP Overview
SNMP Framework
SNMP Notifications
SNMP Versions
Configure SNMP
Enable the SNMP Agent
Add an SNMP Notification User
Edit Notification User Dialog Box
Add an SNMP Notification Agent
Edit Notification Agent Dialog Box
Download MIBs
Available SNMP MIBs

Polycom® RealPresence DMA® 7000 System Overview

This chapter provides an overview of the Polycom® Distributed Media Application™ (RealPresence DMA®) 7000 system. It includes these topics:
Introduction to the Polycom RealPresence DMA System
Polycom Solution Support
Working in the Polycom RealPresence DMA System
Open Source Software

Introduction to the Polycom RealPresence DMA System

The Polycom RealPresence DMA system is a highly reliable and scalable video collaboration infrastructure solution based on the Polycom® Proxias™ application server. The following topics introduce you to the system:
The Polycom RealPresence DMA System’s Primary Functions
The Polycom RealPresence DMA System’s Three Configurations
System Capabilities and Constraints
System Port Usage

The Polycom RealPresence DMA System’s Primary Functions

The primary functions of the Polycom RealPresence DMA system are described briefly below.
Conference Manager
The Polycom RealPresence DMA system’s Conference Manager facilitates multipoint video conferencing. A multipoint video conference is one in which multiple endpoints are connected, with all participants able to see and hear each other. The endpoints connect to a media server (Multipoint Control Unit, or MCU), which processes the audio and video from each and sends the conference audio and video streams back to them.
Traditionally, such multipoint conferences had to be scheduled in advance, reserving ports on a specific MCU, in order to ensure the availability of resources. Conference Manager makes this unnecessary.
Conference Manager uses advanced routing policies to distribute voice and video calls among multiple MCUs, creating a single virtual resource pool. This greatly simplifies multipoint video conferencing resource management and uses MCU resources more efficiently.
The Polycom RealPresence DMA system integrates with your Microsoft® Active Directory®, automating the task of provisioning users with virtual meeting rooms (VMRs), which are available for use at any time for multipoint video conferencing. Combined with its advanced resource management, this makes reservationless (ad hoc) video conferencing on a large scale feasible and efficient, reducing or eliminating the need for conference scheduling.
The Polycom RealPresence DMA system’s ability to handle multiple MCUs as a single resource pool makes multipoint conferencing services highly scalable. You can add MCUs on the fly without impacting end users and without requiring re-provisioning. The RealPresence DMA system can span a conference across two or more MCUs (called cascading), enabling the conference to contain more participants than any single MCU can accommodate.
The Conference Manager continually monitors the resources used and available on each MCU and intelligently distributes conferences among them. If an MCU fails, loses its connection to the system, or is taken out of service, the Polycom RealPresence DMA system distributes new conferences to the remaining MCUs. Every conference on the failed MCU is restarted on another MCU (provided there is space available). The consequences for existing calls in those conferences depend on whether they’re H.323 or SIP:
H.323 participants are not automatically reconnected to the conference. In order to rejoin the conference, dial-in participants simply need to redial the same number they used for their initial dial-in. Dial-out participants will need to be dialed out to again; the RealPresence DMA system doesn’t automatically redial out to them.
SIP participants are automatically reconnected to the conference on the new MCU. This includes both dial-in and dial-out SIP participants. No new dial-out is needed because the RealPresence DMA system maintains the SIP call leg to the participant and only has to re-establish the SIP call leg from the RealPresence DMA system to the MCU.
Call Server
The Polycom RealPresence DMA system’s Call Server provides the following functionality:
H.323 gatekeeper
SIP registrar and proxy server
H.323 <—> SIP transition gateway
Dial plan and prefix services
Device authentication
Bandwidth management
The Call Server can also be integrated with a Juniper Networks Service Resource Controller (SRC) to provide bandwidth and QoS assurance services.
RealPresence® Platform API
The Polycom RealPresence DMA system optionally allows an API client application, developed by you or a third party, to access the Polycom RealPresence® Platform Application Programming Interface (API). This API access is licensed separately. It provides programmatic access to the Polycom RealPresence DMA system for the following:
Provisioning
Conference control and monitoring
Call control and dial-out
Billing and usage data retrieval
Resource availability queries
The API uses XML encoding over HTTPS transport and adheres to a Representational State Transfer (REST) architecture.
To browse the RealPresence Platform API reference documentation, in your web browser’s address field, type in the following URL (replacing <dma_hostname> with the hostname or IP address of your RealPresence DMA system):
http://<dma_hostname>/api/rest/documentation
Note: Asynchronous API communication
The API communicates asynchronously. Clients subscribing to event notifications via the API must be prepared to receive notifications out of order.
A Polycom RealPresence Resource Manager system can integrate with the RealPresence DMA system via the API. No separate license is needed in order for the RealPresence Resource Manager system to use the API. It provides the full programmatic access to the RealPresence DMA system described above and enables users of the RealPresence Resource Manager scheduling interface to:
Schedule conferences using the RealPresence DMA system’s MCU resources.
Set up Anytime conferences. Anytime conferences are referred to as preset dial-out conferences in the RealPresence DMA system (see Edit Conference Room Dialog Box on page 317).
Note: Integration with a Resource Management System
Integrating the Polycom RealPresence Resource Manager system with the RealPresence DMA system via the API is separate and distinct from integrating the RealPresence DMA system with a Polycom CMA or RealPresence Resource Manager system.
The former enables RealPresence Resource Manager users to obtain information from and use functionality of the RealPresence DMA system that would otherwise be accessible only in the RealPresence DMA system’s management interface.
The latter enables the RealPresence DMA system to retrieve site topology and user-to-device associations from the CMA or RealPresence Resource Manager system.
For convenience, however, when you integrate your RealPresence Resource Manager system to the RealPresence DMA system, the RealPresence DMA system automatically integrates itself back to the RealPresence Resource Manager system so that the RealPresence DMA system will have the site topology and user-to-device information that the RealPresence Resource Manager system expects it to have.
SVC Conferencing Support
This version of the Polycom RealPresence DMA system supports the Annex G extension of the H.264 standard, known as H.264 Scalable Video Coding (SVC), for both point-to-point and multipoint (VMR) calls.
SVC is sometimes referred to as layered media because the video streams consist of a base layer that encodes the lowest available quality representation plus one or more enhancement layers that each provide an additional quality improvement. SVC supports three dimensions of scalability: temporal (frames per second), spatial (resolution and aspect ratio), and quality (signal-to-noise ratio).
The video stream to a device can be tailored to fit the bandwidth available and device capabilities by adjusting the number of enhancement layers sent to the device.
For multipoint conferencing, the MCU doesn't have to do processing-intensive mixing and transcoding to optimize the experience for each device. Instead, it simply passes the video stream from each device to each device, including the enhancement layers that provide the best quality the device can support.
Polycom’s SVC solution focuses on the temporal and spatial dimensions. It offers a number of advantages over standard AVC conferencing, including:
Improved video quality at lower bandwidths
Improved audio and video error resiliency (good audio quality with more than 50% packet loss, good video quality with more than 25% packet loss)
Lower end-to-end latency (typically less than half that of AVC)
More efficient use of bandwidth
Lower infrastructure cost and operational expenses
Easier to provision, control, and monitor
Better security (end-to-end encryption)
Polycom’s SVC solution is supported by the Polycom RealPresence Platform and Environments, including the latest generation of Polycom MCUs and RealPresence room, personal, desktop, and mobile endpoints. Existing RMX MCUs with MPMx cards can be made SVC-capable with a software upgrade, and doing so triples their HD multipoint conferencing capacity.
RealPresence Collaboration Server 800s MCUs support mixed-mode (SVC+AVC) conferences. Both SVC and AVC endpoints can join the conference, and each gets the appropriate experience: SVC endpoints get SVC mode and get a video stream for each AVC participant; AVC endpoints get a single Continuous Presence (CP) video stream of the participants (both AVC and SVC) supplied by the MCU.
When the Polycom RealPresence DMA system selects an MCU that doesn’t support SVC for a conference configured for mixed mode, it starts the conference as an AVC-only conference (all SVC-capable endpoints also support AVC). But if the MCU supports SVC but not mixed mode (RMX 7.8), the conference fails to start.
Refer to your RealPresence Collaboration Server or RMX documentation for important information about the MCU’s implementation of SVC conferencing and its configuration, limitations, and constraints.
See also:
Introduction to the Polycom RealPresence DMA System on page 15

The Polycom RealPresence DMA System’s Three Configurations

Depending on your organization’s needs, you can deploy the Polycom RealPresence DMA system in one of the following three configurations.
Two-server Cluster Configuration
The Polycom RealPresence DMA system is designed to be deployed as a pair of co-located redundant servers that share the same virtual IP address(es). The two-server cluster configuration of the Polycom RealPresence DMA system has no single point of failure within the system that could cause the service to become unavailable.
The two servers communicate over the private network connecting them. To determine which one should host the public virtual IP address, each server uses three criteria:
Ability to ping its own public physical address
Ability to ping the other server’s public physical address
Ability to ping the default gateway
In the event of a tie, the server already hosting the public virtual address wins.
Failover to the backup server takes about five seconds in the event of a graceful shutdown and about twenty seconds in the event of a power loss or other failure. In the event of a single server failure, two things happen:
All calls that are being routed through the failed server are terminated (including SIP calls, VMR calls, and routed mode H.323 calls). These users simply need to redial the same number, and they’re placed back into conference or reconnected to the point-to-point call they were in. The standby server takes over the virtual signaling address, so existing registrations and new calls are unaffected.
Direct mode H.323 point-to-point calls are not dropped, but the bandwidth management system loses track of them. This could result in overuse of the available network bandwidth.
If the failed server is the active web host for the system management interface, the active user interface sessions end, the web host address automatically migrates to the remaining server, and it becomes the active web host. Administrative users can then log back into the system at the same URL. The system can always be administered via the same address, regardless of which server is the web host.
The internal databases within each Polycom RealPresence DMA system server are fully replicated to the other server in the cluster. If a catastrophic failure of one of the database engines occurs, the system automatically switches itself over to use the database on the other server.
Single-server Configuration
The Polycom RealPresence DMA system is also available in a single-server configuration. This configuration offers all the advantages of the Polycom RealPresence DMA system, except redundancy and fault tolerance, at a lower price. It can be upgraded to a two-server cluster at any time.
This manual generally assumes a redundant two-server cluster. Where there are significant differences between the two configurations, those are spelled out.
Superclustering
To provide geographic redundancy and better network traffic management, up to five geographically distributed Polycom RealPresence DMA system clusters (two-server or single-server) can be integrated into a supercluster. All five clusters can be Call Servers (function as gatekeeper, SIP proxy, SIP registrar, and gateway). Up to three can be designated as Conference Managers (manage an MCU resource pool to host conference rooms).
The superclustered Polycom RealPresence DMA systems can be centrally administered and share a common data store. Each cluster maintains a local copy of the data store, and changes are replicated to all the clusters. Most system configuration is supercluster-wide. The exceptions are cluster-specific or server-specific items like network settings and time settings.
Note: Clusters vs. Superclusters
Technically, a standalone Polycom RealPresence DMA system (two-server or single-server) is a supercluster that contains one cluster. All the system configuration and other data that’s shared across a supercluster is kept in the same data store. At any time, another Polycom RealPresence DMA system can be integrated with it to create a two-cluster supercluster that shares its data store.
It’s important to understand the difference between two co-located servers forming a single RealPresence DMA system (cluster) and two geographically distributed RealPresence DMA clusters (single-server or two-server) joined into a supercluster.
A single two-server RealPresence DMA system (cluster) has the following characteristics:
A single shared virtual IP address and FQDN, which switches from one server to the other when necessary to provide local redundancy and fault tolerance.
A single management interface and set of local settings.
Ability to manage a single territory, with no territory management backup.
A single set of Call Server and Conference Manager responsibilities.
A supercluster consisting of two RealPresence DMA clusters (single-server or two-server) has the following characteristics:
Separate IP addresses and FQDNs for each cluster.
Separate management interfaces and sets of local settings for each cluster.
Ability for each cluster to manage its own territory, with another cluster able to serve as backup for that territory.
Different Call Server and Conference Manager responsibilities for each territory and thus each cluster.

System Capabilities and Constraints

The following capabilities and constraints apply to the entire supercluster:
Number of sites: 500
Number of subnets: 5000
Number of clusters in a supercluster: 5 (not counting an integrated Polycom RealPresence Resource Manager or CMA system)
Number of MCUs enabled for conference rooms: 64
Number of territories enabled for conference rooms (Conference Manager enabled): 3
Number of concurrent VMR calls: 1200 per cluster (Conference Manager), up to 3600 total
Number of concurrent SIP<->H.323 gateway calls: 500
Size of Active Directory supported: 1,000,000 users and 1,000,000 groups (up to 10,000 groups may be imported)
The following capabilities and constraints apply to each cluster in the supercluster:
Number of registrations: 15000
Number of contacts registered to a Microsoft Lync 2013 server: 25,000
Number of concurrent H.323 calls: 5000
Number of concurrent SIP calls: 5000
Total number of concurrent calls: 5000
Number of network usage data points retained: 8,000,000
Number of IRQ messages sent per second: 100
Number of history records retained per cluster:
500,000 registration history
2,000,000 registration signaling history
500,000 call history
12,500,000 call signaling history
200,000 conference history
10,000 CDR export history

System Port Usage

The table below lists the inbound ports that may be open on the Polycom RealPresence DMA system, depending on signaling and security settings, integrations, and system configuration.
Port Protocol Description
22 TCP SSH. Only available if Linux console access is enabled (see Security Settings on page 50).
53 TCP/UDP DNS. Only available if the embedded DNS server is enabled (see Embedded DNS on page 274).
80 TCP HTTP. Redirects to 443 (HTTP access is not allowed). Disabled in maximum security mode.
123 UDP NTP. Only available if an NTP server is specified (see Time Settings on page 69).
161 UDP SNMP. Default port; can be changed or disabled (see Configure SNMP on page 420).
443 TCP HTTPS. Redirects to 8443.
1718 UDP H.323 RAS. Default port; can be changed (see Signaling Settings on page 72).
1719 UDP H.323 RAS. Default port; can be changed (see Signaling Settings on page 72).
1720 TCP H.323 H.225 signaling. Default port; can be changed (see Signaling Settings on page 72).
4449 TCP LDAP. OpenDJ replication (superclustering).
5060 TCP/UDP Unencrypted SIP. Default port; can be changed or disabled (see Signaling Settings on page 72).
5061 TCP SIP TLS. Default port; can be changed (see Signaling Settings on page 72).
8080 TCP HTTP. Redirects to 443 (HTTP access is not allowed). Disabled in maximum security mode.
8443 TCP HTTPS. Management interface access.
8444 TCP HTTPS. Supercluster communication.
8989 TCP LDAP. OpenDJ replication (superclustering).
9090 TCP HTTPS. Upgrade status monitoring (only while upgrade process is running).
36000-61000 TCP Ephemeral port range.
The table below lists the remote ports to which the Polycom RealPresence DMA system may connect, depending on signaling and security settings, integrations, and system configuration.
Port Protocol Description
80 TCP HTTP. MCUs, Exchange Web Services (calendaring). Only used if unencrypted connections are enabled (see Security Settings on page 50).
162 TCP/UDP SNMP notifications (Traps or Informs). Only used if SNMP is enabled and configured to send notifications (see Configure SNMP on page 420).
389 TCP LDAP. Active Directory integration.
443 TCP HTTPS. MCUs, Exchange Web Services (calendaring).
1718 UDP H.323 RAS. Default port; can be changed (see Signaling Settings on page 72).
1719 UDP H.323 RAS. Default port; can be changed (see Signaling Settings on page 72).
1720 TCP H.323 H.225 signaling. Default port; can be changed (see Signaling Settings on page 72).
3268 TCP Global Catalog. Active Directory integration.
3269 TCP Secure Global Catalog. Active Directory integration.
4449 TCP OpenDJ replication (superclustering).
5060 TCP/UDP Unencrypted SIP. Default port; can be changed or disabled (see Signaling Settings on page 72).
5061 TCP SIP TLS. Default port; can be changed (see Signaling Settings on page 72).
8443 TCP HTTPS. Management interface access.
8443 TCP HTTPS. Hourly transmission of system usage data to the address customerusagedatacollection.polycom.com. This data is only sent if the Automatically Send Usage Data feature is enabled (see Automatically Send Usage Data on page 85).
8444 TCP Supercluster communication.
8989 TCP OpenDJ replication (superclustering).
36000-61000 TCP Ephemeral port range.
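The inbound-port table earlier in this section can be used as an exposure baseline: a listener that the table ties to a feature should not be reachable when that feature is believed to be off. The following is an added example, not Polycom code; the setting names (linux_console_access, max_security_mode, and so on) and the listener list are constructed for illustration, and the ports are the documented defaults, several of which can be changed.

```python
# Added example, not Polycom code. Port data is transcribed from the inbound
# table in this section; setting names and the scan lines are constructed.

EPHEMERAL_TCP = range(36000, 61001)  # "36000-61000 TCP Ephemeral port range"

# (port, proto) -> (description, condition). A condition is (setting, value):
# the table says the port is open only when that setting has that value.
INBOUND = {
    (22, "tcp"): ("SSH", ("linux_console_access", True)),
    (53, "tcp"): ("DNS", ("embedded_dns", True)),
    (53, "udp"): ("DNS", ("embedded_dns", True)),
    (80, "tcp"): ("HTTP redirect to 443", ("max_security_mode", False)),
    (123, "udp"): ("NTP", ("ntp_server_specified", True)),
    (161, "udp"): ("SNMP", ("snmp_enabled", True)),
    (443, "tcp"): ("HTTPS redirect to 8443", None),
    (1718, "udp"): ("H.323 RAS", None),
    (1719, "udp"): ("H.323 RAS", None),
    (1720, "tcp"): ("H.323 H.225 signaling", None),
    (4449, "tcp"): ("LDAP, OpenDJ replication", None),
    (5060, "tcp"): ("Unencrypted SIP", ("unencrypted_sip", True)),
    (5060, "udp"): ("Unencrypted SIP", ("unencrypted_sip", True)),
    (5061, "tcp"): ("SIP TLS", None),
    (8080, "tcp"): ("HTTP redirect to 443", ("max_security_mode", False)),
    (8443, "tcp"): ("HTTPS management interface", None),
    (8444, "tcp"): ("HTTPS supercluster communication", None),
    (8989, "tcp"): ("LDAP, OpenDJ replication", None),
    (9090, "tcp"): ("HTTPS upgrade status", ("upgrade_running", True)),
}

# Constructed listener list, one "port/proto" per line (not real scan output).
SAMPLE_SCAN = """
22/tcp
443/tcp
2049/tcp     # not in the table
5060/udp
5061/tcp
8080/tcp
8443/tcp
40112/tcp    # inside the ephemeral range
"""

# Constructed record of how the administrator believes the system is configured.
SETTINGS = {
    "linux_console_access": False,
    "embedded_dns": False,
    "max_security_mode": True,
    "ntp_server_specified": True,
    "snmp_enabled": True,
    "unencrypted_sip": False,
    "upgrade_running": False,
}


def parse_listeners(text):
    """Return {(port, proto)} from 'port/proto' lines; '#' starts a comment."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            port, proto = line.split("/")
            found.add((int(port), proto.lower()))
    return found


def audit(listeners, settings):
    """Return (port, proto, kind, detail) for every listener worth a look."""
    findings = []
    for port, proto in sorted(listeners):
        entry = INBOUND.get((port, proto))
        if entry is None:
            # The ephemeral range is documented for TCP only.
            if proto == "tcp" and port in EPHEMERAL_TCP:
                continue
            findings.append((port, proto, "undocumented",
                             "not in the inbound port table"))
            continue
        description, condition = entry
        if condition is None:
            continue
        setting, required = condition
        if settings[setting] != required:
            findings.append((port, proto, "contradicts-settings",
                             f"{description} is listening, but {setting}="
                             f"{settings[setting]!r}; documented as open only "
                             f"when {setting}={required!r}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SCAN), SETTINGS):
        print(*finding)
```

If signaling or SNMP ports have been moved from their defaults, edit the corresponding keys in INBOUND before comparing.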

Polycom Solution Support

Polycom Implementation and Maintenance services provide support for Polycom solution components only. Additional services for supported third-party Unified Communications (UC) environments integrated with Polycom solutions are available from Polycom Global Services and its certified Partners. These additional services will help customers successfully design, deploy, optimize, and manage Polycom visual communications within their UC environments.
Professional Services for Microsoft Integration is mandatory for Polycom Conferencing for Microsoft Outlook and Microsoft Office Communications Server or Lync Server 2010 integrations. For more information, please visit www.polycom.com/services/professional_services/ or contact your local Polycom representative.

Working in the Polycom RealPresence DMA System

This section includes some general information you should know when working in the Polycom RealPresence DMA system.

Accessing the Polycom RealPresence DMA System

The Polycom RealPresence DMA system’s management interface is accessed by pointing a compatible browser equipped with Adobe® Flash® Player to the system’s host name or IP address (a two-server cluster or an IPv6-only single-server cluster has a virtual host name and IP address, and we strongly recommend always using the virtual address). Minimum requirements:
Microsoft Internet Explorer® 7 or newer, or Mozilla Firefox® 3 or newer, or Google Chrome 11 or newer
Adobe Flash Player 9.0.124 or newer
1280x1024 minimum display resolution (1680x1050 or greater recommended)
Note: Adobe Flash Player considerations
The Polycom RealPresence DMA system’s Flex-based management interface requires Adobe Flash Player. For stability and security reasons, we recommend always using the latest version of Flash Player.
Even so, be aware that your browser’s Flash plugin may hang or crash from time to time. Your browser should alert you when this happens and enable you to reload the plugin. In some cases, you may need to close and restart your browser.
In the Google Chrome browser, use the Adobe Flash plugin, not the built-in Flash support.

Field Input Requirements

While every effort was made to internationalize the Polycom RealPresence DMA system, not all system fields accept Unicode entries. If you work in a language other than English, be aware that some fields accept only ASCII characters.

Settings Dialog Box

The Settings dialog box opens when you click the button to the right of the menus. It displays your user name and the address of the RealPresence DMA server you’re logged into.
The Settings dialog box lets you change:
The maximum number of columns in the Dashboard. Note that this is a maximum, not a fixed value. The panes have a minimum width, and they arrange themselves to best fit your browser window. Depending on the size of your browser window, there may be fewer columns than the maximum you select. For instance, at the minimum supported display resolution of 1280x1024, only two columns can be displayed.
The text size used in the system interface. Note that larger text sizes will affect how much you can see in a given window or screen size and may require frequent scrolling.

Polycom RealPresence DMA System User Roles and Their Access Privileges

The Polycom RealPresence DMA system has three system user roles (see User Roles Overview on page 301) that provide access to the management and operations interface and, if available, the separately licensed RealPresence Platform Application Programming Interface (API). The functions you can perform and parts of the interface you can access depend on your user role or roles, as shown in the following table.
For information on access privileges to API resources, see the RealPresence DMA system API reference documentation included with your system at the following URL:
https://<IP_address_or_hostname_of_system>:8443/api/rest/documentation
Menu/Icon Admin Provisioner Auditor
Home. Returns to the Dashboard. •
Network >
Active Calls
Endpoints •
RealPresence DMAs
1
• •
MCU > MCUs1
MCU > MCU Pools
1
MCU > MCU Pool Orders
Site Statistics
Site Link Statistics
Site Topology > Sites
1
1
1
Site Topology > Site Links
Site Topology > Site-to-Site Exclusions
Site Topology > Network Clouds
Site Topology > Territories
1
External Gatekeeper
External SIP Peer
External H.323 SBC
1
1
User >
Users 2
• •
• •
1
• •
• •
• •
• •
1
1
1
1
• •
• •
• •
• •
• •
• •
• •
• •
Groups •
Login Sessions1
• •
Change Password
Reports >
Alert History
Call History
Conference History
Registration History
Network Usage
Microsoft Active Directory Integration
3
Enterprise Passcode Errors
3
Orphaned Groups and Users
Conference Room Errors
3
Maintenance
System Log Files
4
Troubleshooting Utilities > Ping, Traceroute, Top, I/O
• •
Stats, SAR, NTP Status
Shutdown and Restart
Software Upgrade
Backup and Restore
Admin > Conference Manager >
Conference Settings
Conference Templates
IVR Prompt Sets
Shared Number Dialing
Admin > Call Server >
Call Server Settings
Domains •
Dial Rules
Hunt Groups
Registration Policy
Device Authentication
Prefix Service
1
• •
Embedded DNS
History Retention Settings
Admin > Integrations >
Microsoft Active Directory
Microsoft Exchange Server
Resource Management System
Juniper Networks SRC
Admin > Login Policy Settings >
Local Password
Session •
Local User Account
Banner •
Access Policy Settings
Admin > Local Cluster >
Network Settings
Signaling Settings
Time Settings
Licenses •
Logging Settings
SNMP Settings
Security Settings
Certificates •
Help >
About RealPresence DMA 7000
Help Contents
Settings. Displays Settings dialog box.
Log Out. Logs you out of the Polycom RealPresence DMA system.
Help. Opens the online help topic for the page you’re viewing.
• •
• •
1. Provisioners have view-only access.
2. Must be an enterprise user to see enterprise users. Provisioners can’t add or remove roles or endpoints, and can’t edit user accounts with explicitly assigned roles (Administrator, Provisioner, or Auditor), but can manage their conference rooms.
3. Must be an enterprise user to view this report.
4. Administrators can’t delete log archives.

Open Source Software

License Information

Refer to the Polycom RealPresence DMA 7000 System Offer of Open Source Software for a list of the open source software packages used in the Polycom RealPresence DMA system, the applicable license for each, and the internet address where you can find it. To obtain the source code for any of these packages, email your request to Open.Source@Polycom.com.
Modifying Open Source Code
The Polycom RealPresence DMA system software is not combined with or otherwise linked to any open source libraries, but the CentOS software is. The LGPL v2.1 license allows you to modify the LGPL code included with CentOS, recompile the modified code, and re-link it with the CentOS code. Note that although you’re free to modify the included LGPL modules in any way you wish, we cannot be responsible if the changes you make impair the system.
To replace an LGPL library with your modified version
1 Obtain the source code for the module you want to modify.
2 Modify the source code and compile it.
3 Go to Admin > Local Cluster > Security Settings, select Allow Linux console access, and click Update.
4 Contact Polycom Global Services for the root password for the Polycom RealPresence DMA server.
5 Use ssh to log into the server as root.
6 Upload the modified software via wget or scp.
7 Find the module you’re replacing and install the new version to that location.
8 Reboot the system.

Polycom® RealPresence DMA® System Initial Configuration Summary

This chapter describes the configuration tasks required to complete your implementation of a new Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system once installation and initial network configuration are complete.
This chapter assumes you’ve completed the server configuration procedure in the Getting Started Guide (available at support.polycom.com), logged into the Polycom RealPresence DMA system’s management interface, and verified that the Supercluster Status pane of the Dashboard shows (for a two-server configuration) two servers in the cluster, with healthy enterprise and private network status for both.
Initial configuration includes the following topics:
System configuration
Add Required DNS Records for the Polycom RealPresence DMA System
License the Polycom RealPresence DMA System
Set Up Signaling
Configure the Call Server and Optionally Create a Supercluster
Set Up Security
Set Up MCUs
Connect to Microsoft Active Directory
Set Up Conference Templates
Confirming configuration
Test the System
Each topic describes the task, provides background and overview information for it, and where appropriate, links to specific step-by-step procedures to follow in order to complete the task.
Note: Optional Configuration Tasks
These topics outline the configuration tasks that are generally required. You may wish to complete other optional configuration tasks, including:
Enable cascading of conferences (see About Cascading on page 193).
Configure calendaring service (see Microsoft Exchange Server Integration on page 175).
Integrate with a Juniper Networks SRC Series Session and Resource Control module to provide bandwidth assurance services (see Juniper Networks SRC Integration on page 183).

Add Required DNS Records for the Polycom RealPresence DMA System

Note: Consult an Expert
If you’re not familiar with DNS administration, the creation of various kinds of DNS resource records (A/AAAA, NAPTR, NS, and SRV), your enterprise’s DNS implementation, and tuning for load balancing (if needed), please consult with someone who is.
Your Polycom RealPresence DMA system must be accessible by its host name(s), not just its IP address(es), so you (or your DNS administrator) must create A (address) resource records (RRs) for IPv4 and/or AAAA records for IPv6 on your DNS server(s).
A/AAAA records that map each physical host name to the corresponding physical IP address and each virtual host name to the corresponding virtual IP address are mandatory.
Note: Fully Qualified Domain Names
Depending on local DNS configuration, a host name could be the Polycom RealPresence DMA system’s fully qualified domain name (FQDN) or a shorter name that DNS can resolve.
For some features, such as Microsoft Exchange Server integration, it’s imperative that the FQDN can be resolved in DNS, especially by the Exchange server.
The DNS server(s) should also have entries for your Microsoft® Active Directory® server (if different from the DNS server) and any external gatekeepers or SIP peers.
You may need to create additional DNS records as described below.

Additional DNS Records for SIP Proxy

To support the use of your Polycom RealPresence DMA system as a SIP proxy server and ease future network administrative burdens, create the following DNS records (for each cluster in a supercluster, if applicable):
Optionally, NAPTR records that describe the transport protocols supported by the SIP proxies at a domain and identify the preferred protocol. Configure these statically to match the system’s SIP transport protocol configuration.
SRV records for each transport protocol that identify the host names of the SIP proxies that service a particular domain. Configure these statically to point to the host names of the Call Servers in the domain. Here are example records for two clusters:
_sips._tcp.example.com. 86400 IN SRV 10 1001 5061 dma-asia.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 1002 5061 dma-europe.example.com.
_sip._tcp.example.com. 86400 IN SRV 20 1001 5060 dma-asia.example.com.
_sip._tcp.example.com. 86400 IN SRV 20 1002 5060 dma-europe.example.com.
_sip._udp.example.com. 86400 IN SRV 30 1001 5060 dma-asia.example.com.
_sip._udp.example.com. 86400 IN SRV 30 1002 5060 dma-europe.example.com.
To enable access from the public internet, create corresponding SRV records, visible from outside the firewall, for the public address of each SIP session border controller (SBC).
For more information about the use of DNS in SIP, refer to RFCs 3263 and 2782.

Additional DNS Records for the H.323 Gatekeeper

To support the use of your Polycom RealPresence DMA system as an H.323 gatekeeper and ease future network administrative burdens, create SRV records that identify the host names of the gatekeepers that service a particular domain. These records are necessary in order to enable the optional inbound URL dialing feature. Configure them statically to point to the host names of the Call Servers in the domain. Here are example records for two clusters:
_h323ls._udp.example.com. 86400 IN SRV 0 1 1719 dma-asia.example.com.
_h323ls._udp.example.com. 86400 IN SRV 0 1 1719 dma-europe.example.com.
_h323cs._tcp.example.com. 86400 IN SRV 0 1 1720 dma-asia.example.com.
_h323cs._tcp.example.com. 86400 IN SRV 0 1 1720 dma-europe.example.com.
To enable access from the public internet, create corresponding SRV records, visible from outside the firewall, for the public address of each H.323 session border controller (SBC).
For more information about the use of DNS in H.323, refer to the H.323 specification, Annex O, and the H.225.0 specification, Appendix IV.

Additional DNS Records for the Optional Embedded DNS Feature

To support DNS publishing by your Polycom RealPresence DMA system’s embedded DNS servers (see Embedded DNS on page 274), a DNS NS record is needed for the physical host name of each server in each cluster in the supercluster. These records identify the Polycom RealPresence DMA system’s embedded DNS servers as authoritative for the specified logical host name. The logical host name you specify is the one in the Call server sub-domain controlled by RealPresence DMA field on the Embedded DNS page. Here are example records for two two-server clusters:
callservers.example.com. 86400 IN NS dma-asia-server1.example.com.
callservers.example.com. 86400 IN NS dma-asia-server2.example.com.
callservers.example.com. 86400 IN NS dma-europe-server1.example.com.
callservers.example.com. 86400 IN NS dma-europe-server2.example.com.
Note: Virtual Host Names Cannot Have NS Records
NS records for the virtual host names must not exist.
Your enterprise DNS must also have the zone callservers.example.com defined and be configured to forward requests for names in that zone to any of the clusters in the supercluster. The way you do this depends on the DNS server software being used.
Queries to the enterprise DNS for callservers.example.com are referred to the specified RealPresence DMA clusters. Their embedded DNS servers create and manage A records for each site in the site topology. When responsibility for a site moves from one cluster to another, the A records are updated so that the site’s domain name is mapped to the new cluster.

Verify That DNS Is Working for All Addresses

To confirm that DNS can resolve all the host names and/or FQDNs, ping each of them, either from a command prompt on the PC you’re using to access the system or from one of the clusters you’re setting up (go to Troubleshooting Utilities > Ping).
If you have access to a Linux PC and are familiar with the dig command, you can use it to query the enterprise DNS server to verify that all the records (A/AAAA, NS, and SRV) are present and look correct.
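The checks one would make by eye on dig output can also be run offline over a zone snippet. This is an added example, not Polycom code: the A records, the 192.0.2.x addresses, the three deliberately wrong records, and the set of virtual host names are constructed, and the expected ports are the defaults used in the example records above.

```python
# Added example, not Polycom code. Lints SRV and NS records of the kind shown
# in the DNS sections above. Zone content below is constructed for the demo.

# Default ports from the manual's example records; adjust if signaling ports
# were changed on the system.
EXPECTED_PORT = {
    "_sips._tcp": 5061,
    "_sip._tcp": 5060,
    "_sip._udp": 5060,
    "_h323ls._udp": 1719,
    "_h323cs._tcp": 1720,
}

# Constructed zone snippet: host names follow the manual's examples, addresses
# are documentation-range placeholders, and three records are wrong on purpose.
SAMPLE_ZONE = """
dma-asia.example.com.          86400 IN A   192.0.2.10
dma-europe.example.com.        86400 IN A   192.0.2.20
dma-asia-server1.example.com.  86400 IN A   192.0.2.11
dma-asia-server2.example.com.  86400 IN A   192.0.2.12
_sips._tcp.example.com.   86400 IN SRV 10 1001 5061 dma-asia.example.com.
_sips._tcp.example.com.   86400 IN SRV 10 1002 5061 dma-europe.example.com.
_sip._tcp.example.com.    86400 IN SRV 20 1001 5061 dma-asia.example.com.  ; wrong port
_h323ls._udp.example.com. 86400 IN SRV 0 1 1719 dma-africa.example.com.   ; no A record
callservers.example.com.  86400 IN NS dma-asia-server1.example.com.
callservers.example.com.  86400 IN NS dma-europe.example.com.             ; virtual name
"""

# Assumed for this demo: these two names are the clusters' virtual host names.
VIRTUAL_HOSTS = {"dma-asia.example.com", "dma-europe.example.com"}


def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Return [(owner, type, rdata_fields)] for 'owner ttl IN type rdata' lines."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((_norm(fields[0]), fields[3].upper(), fields[4:]))
    return records


def lint(records, virtual_hosts):
    """Return [(owner, code)] where code is srv-port, no-address or ns-virtual."""
    has_address = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "SRV":
            # RFC 2782 field order: priority weight port target
            _priority, _weight, port, target = rdata
            service = ".".join(owner.split(".")[:2])
            expected = EXPECTED_PORT.get(service)
            if expected is not None and int(port) != expected:
                problems.append((owner, "srv-port"))
            if _norm(target) not in has_address:
                problems.append((owner, "no-address"))
        elif rtype == "NS":
            target = _norm(rdata[0])
            # The manual's note: NS records for virtual host names must not exist.
            if target in virtual_hosts:
                problems.append((owner, "ns-virtual"))
            if target not in has_address:
                problems.append((owner, "no-address"))
    return problems


if __name__ == "__main__":
    for owner, code in lint(parse_zone(SAMPLE_ZONE), VIRTUAL_HOSTS):
        print(f"{code:12} {owner}")
```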

License the Polycom RealPresence DMA System

A Polycom RealPresence DMA system is licensed at the cluster level (single-server or two-server). A cluster’s license specifies:
The maximum number of concurrent calls that can touch the cluster. In a supercluster configuration, note that:
A single call may touch more than one cluster. It consumes a license on each cluster it touches.
Each cluster may be licensed for a different number of calls.
If your superclustering strategy (see About Superclustering on page 226) calls for a cluster to be primary for one territory and backup for another, it must be licensed for the call volume expected when it has to take over the territory for which it’s the backup.
Whether access to the RealPresence® Platform Application Programming Interface (API) is enabled.
The API provides an API client application with programmatic access to the Polycom RealPresence DMA system (see RealPresence® Platform API on page 16). In a supercluster, all clusters must have the same API licensing status.
Note: API Licenses
An API license isn’t required in order for a Polycom RealPresence Resource Manager system to access the API. It’s only needed for a client application that you or a third party develop.

License the RealPresence DMA System, Appliance Edition

You should have received either one or two license numbers for each cluster, depending on whether you ordered a single-server or two-server cluster. You must obtain an activation key code for each server from the Polycom Resource Center (PRC):
1 Enter the server’s serial number and the license number that you were given for that server.
The PRC generates an activation key for that server.
2 For a two-server cluster, repeat the process using the other server’s serial number and its license number.
3 On the Licenses page of the RealPresence DMA system, install the activation keys to activate the licenses for your system (see Licenses on page 70).
Caution: Do Not Generate Both Activation Keys from the Same Physical Server
An activation key is linked to a specific server’s serial number. For a two-server cluster, you must generate the activation key for each server using that server’s serial number. Licensing will fail if you generate both activation keys from the same server serial number.

License the RealPresence DMA System, Virtual Edition

The RealPresence DMA Virtual Edition is deployed and licensed through Polycom RealPresence Platform Director. You can view the licensing information for your system from the RealPresence DMA system user interface on the Admin > Local Cluster > Licenses page.
See the RealPresence Platform Director System Administrator’s Guide for more information.
Note: Local Cluster Not Supported with Virtual Edition
The RealPresence DMA Virtual Edition does not support a two-server local cluster configuration. However, superclustering of individual RealPresence DMA Virtual Edition instances is fully supported in a virtual environment.

Set Up Signaling

Signaling setup includes configuring the following options:
• Enable H.323 signaling so that the Polycom RealPresence DMA system’s Call Server operates as a gatekeeper, which may include:
   • Enable gatekeeper discovery via H.323 multicast.
   • Enable and configure H.235 device authentication.
• Enable SIP signaling so that the Polycom RealPresence DMA system’s Call Server operates as a SIP registrar and proxy server, which may include:
   • Configure whether to support unencrypted SIP and whether to require certificate validation for TLS.
   • Enable pass-through of ANAT signaling (RFC 4091 and RFC 4092).
   • Enable and configure SIP digest authentication.
   • Enable and configure special handling for untrusted (“unauthorized” or “guest”) calls from SIP session border controllers (SBCs).
To set up signaling, follow the procedure in Configure Signaling on page 83.

Configure the Call Server and Optionally Create a Supercluster

Configuring the Polycom RealPresence DMA system’s Call Server function consists of the following high-level tasks:
1 Integrate with a Polycom RealPresence Resource Manager or CMA system (see Resource
Management System Integration on page 178) or enter site topology information (see Site Topology
on page 278).
2 If deploying a supercluster of multiple geographically distributed Polycom RealPresence DMA
clusters:
a Set the Security Configuration page security options before superclustering (see Security
Settings on page 50). But wait until after superclustering to do the rest of the security setup tasks.
b Depending on security settings, you may need to install certificates before superclustering (see
Certificate Procedures on page 46).
c Create a supercluster (see About Superclustering on page 226) and configure supercluster
options.
3 Create territories and assign sites to them (if you integrated with a Polycom RealPresence
Resource Manager or CMA system, this must be done on that system). Assign the primary and backup cluster responsible for each territory, and designate which territories can host conference rooms (see Territories on page 294).
4 Add any external devices, such as a neighbor gatekeeper or SIP peer (see Call Server
Configuration on page 233).
5 Configure the dial plan (see Dial Rules on page 239).

Set Up Security

The first step in securing your Polycom RealPresence DMA system is to locate it in a secure data center with controlled access, but that topic is beyond the scope of this document.
Secure setup of the Polycom RealPresence DMA system consists of the following high-level tasks (some of which assume you’re integrating with Active Directory and some of which overlap with other initial setup topics):
1 As the default local administrative user (admin), create a local user account for yourself with the
Administrator role, log in using that account, and delete the admin user account. See Adding Users
Overview on page 302 and Users Procedures on page 321.
2 Create the Active Directory service account (read-only user account) that the Polycom
RealPresence DMA system will use to read and integrate with Active Directory. See Active Directory
Integration Procedure on page 157.
3 Assign the Administrator role to your named enterprise account, and remove the Polycom RealPresence DMA system’s user roles (see User Roles Overview on page 301) from the service account used to integrate with Active Directory. See Connect to Microsoft Active Directory® on page 36 and Microsoft Active Directory® Integration on page 152.
4 Log out and log back in using your enterprise user ID and password.
5 Verify that the expected enterprise users are available in the Polycom RealPresence DMA system and that conference room IDs were successfully created for them. If necessary, adjust integration settings and correct errors. See Microsoft Active Directory® Integration on page 152, Users Procedures on page 321, and Conference Room Errors Report on page 412.
6 Obtain and install a security certificate from a trusted certificate authority. See Security Certificates
Overview on page 39 and Certificate Procedures on page 46.
7 Configure as needed various login policy settings (see Login Policy Settings on page 57) and
optionally, a management access whitelist (see Access Policy Settings on page 60).
8 Document your current configuration for comparison in the future. We recommend saving screen
captures of all the configuration pages.
9 Manually create a backup, download it, and store it in a safe place. See Backing Up and Restoring
on page 374.

Set Up MCUs

Note: MCUs and RealPresence DMA System Interaction
The Polycom RealPresence DMA system can interact with MCUs, or media servers, in either or both of the following two ways:
• MCUs may be made available to the system’s Conference Manager to manage for multi-point conferencing (hosting virtual meeting rooms, or VMRs).
• MCUs may be registered with the system’s Call Server as standalone MCUs and/or gateways.
This configuration summary assumes you want to do both.
Make sure your MCUs are configured to accept encrypted (HTTPS) management connections (required for maximum or high security mode).
Make sure that each MCU is in a site belonging to a territory for which the Polycom RealPresence DMA system is responsible. If you’re deploying a supercluster (see Configure the Call Server and Optionally
Create a Supercluster on page 34 and About Superclustering on page 226), make sure that each territory
has a primary and backup cluster assigned to it. If the primary cluster becomes unavailable, the MCUs registered to it can re-register to the backup.
If you’re deploying a supercluster, verify that you’ve enabled the hosting of conference rooms in the right territories and assigned clusters to those territories. See Configure the Call Server and Optionally Create a
Supercluster on page 34.
Standalone MCUs can register themselves to the Polycom RealPresence DMA system’s Call Server. To make an MCU available as a conferencing resource, either add it to the appropriate Polycom RealPresence DMA cluster’s Conference Manager manually or, if it’s already registered with the Call Server, edit its entry to enable it for conference rooms and provide the additional configuration information required. See MCU
Management on page 124.
You must organize MCUs configured as conferencing resources into one or more MCU pools (logical groupings of media servers). Then, you can define one or more MCU pool orders that specify the order of preference in which MCU pools are used.
Note: Resource Management and MCU Pools
If you have a Polycom RealPresence Resource Manager system that’s going to use the RealPresence DMA system API to schedule conferences on the RealPresence DMA system’s conferencing resources (MCU pools), you must create MCU pools and pool orders specifically for the use of the RealPresence Resource Manager system. The pool orders should be named in such a way that:
• They appear at the top of the pool order list presented in the RealPresence Resource Manager system.
• Users of that system will understand that they should choose one of those pool orders.
If the RealPresence Resource Manager system is also going to be used to directly schedule conferences on MCUs, those MCUs should not be part of the conferencing resources (MCU pools) available to the RealPresence DMA system.
Every conference room (VMR) is associated with an MCU pool order. The pool(s) to which an MCU belongs, and the pool order(s) to which a pool belongs, are used to determine which MCU is used to host a conference. See MCU Pools on page 142 and MCU Pool Orders on page 145 for information about how to use pools and pool orders, as well as the rules that the system uses to choose an MCU for a user.
The Polycom RealPresence DMA system uses conference templates to define the conferencing experience associated with a conference room or enterprise group. You can create standalone templates (recommended), setting the conferencing parameters directly in the Polycom RealPresence DMA system, or link templates to RealPresence® Collaboration Server or RMX conference profiles (see Conference Templates on page 190).
Both methods allow you to specify most conference parameters:
• General information such as line rate, encryption, auto termination, and H.239 settings
• Video settings such as mode (presentation or lecture) and layout
• IVR settings
• Conference recording settings
If you want to create RealPresence DMA system templates linked to conference profiles on the RealPresence Collaboration Server or RMX MCUs, make sure the profiles used by the Polycom RealPresence DMA system exist on all the MCUs and are defined the same on all of them.

Connect to Microsoft Active Directory®

Connecting to Microsoft® Active Directory® simplifies the task of deploying conferencing to a large organization. All Polycom RealPresence DMA system access to the Active Directory server is read-only and minimally impacts the directory performance. See Microsoft Active Directory® Integration on page 152.
Note: Consult an Expert
If you’re not knowledgeable about enterprise directories in general and your specific implementation in particular, please consult with someone who is. Active Directory integration is a non-trivial matter.
Before integrating with Active Directory, be sure that one or more DNS servers are specified (this should have been done during installation and initial setup). See Network Settings on page 63.
If you’re deploying a supercluster of multiple geographically distributed Polycom RealPresence DMA clusters, verify that you’ve assigned clusters to the territories in your site topology (see Configure the Call
Server and Optionally Create a Supercluster on page 34) and decide which cluster is to be responsible for
Active Directory integration.
Active Directory integration automatically makes the enterprise users (directory members) into Conferencing Users in the Polycom RealPresence DMA system, and can assign each of them a conference room (virtual meeting room, or VMR). The conference room IDs are typically generated from the enterprise users’ phone numbers.
Note: Manually Add Conference Rooms
Creating conference rooms for enterprise users is optional. If you want to integrate with Active Directory to load user and group information into the Polycom RealPresence DMA system, but don’t want to give all users the ability to host conferences, you can do so. You can manually add conference rooms for selected users at any time. See Conference Rooms Procedures on page 323.
Once the Polycom RealPresence DMA system is integrated with Active Directory, it reads the directory information nightly, so that user and group information is updated automatically as people join and leave the organization. The system caches certain data from Active Directory. In a superclustered system, one cluster is responsible for updating the cache, which is shared with all the clusters.
Between updates, clusters access the directory only to authenticate passwords (for instance, for management interface login); all other user information (such as user search results) comes from the cache. You can manually update the cache at any time.
Enterprise groups can have their own conference templates that provide a custom conferencing experience (see Conference Templates on page 190). They can also have their own MCU pool order, which preferentially routes conferences to certain MCUs (see MCU Pool Orders on page 145).
You can assign Polycom RealPresence DMA system roles to an enterprise group, applying the roles to all members of the group and enabling them to log into the Polycom RealPresence DMA system’s management interface with their standard network user names and passwords.
See User Roles Overview on page 301, Groups on page 325, and Enterprise Groups Procedures on page 329.
There are security concerns that need to be addressed regarding user accounts, whether local or enterprise. See the high-level process described in Set Up Security on page 34.

Set Up Conference Templates

The Polycom RealPresence DMA system uses conference templates and global conference settings to manage system and conference behavior, and it has a default conference template and default global conference settings.
After you’ve added MCUs to the system, you may want to change the global conference settings or create additional templates that specify different conference properties.
If you integrate with Active Directory, you can use templates to provide customized conferencing experiences for various enterprise groups.
When you add a custom conference room to a user (either local or enterprise), you can choose which template that conference room uses.
To add conference templates, see Conference Templates Procedures on page 216. To change conference settings, see Conference Settings on page 185. To customize the conferencing experience for an enterprise group, see Enterprise Groups Procedures on page 329.

Test the System

On the Signaling Settings page (see Signaling Settings on page 72), verify that:
• If you enabled H.323, the H.323 Signaling Status section indicates that the signaling status is Active and the port assignments are correct.
• If you enabled SIP, the SIP Signaling Status section shows that the correct protocols and listening ports are enabled.
Have some endpoints register with the Polycom RealPresence DMA Call Server and make point-to-point calls to each other.
On the Dashboard (see Dashboard on page 336), verify that:
• The information in the Cluster Info pane looks correct, including the time, network settings, and system resource information.
• The Supercluster Status pane shows the correct number of servers and clusters, and the network interfaces that should be working (depending on your IP type and split network settings) are up (green up arrow) and in full duplex mode, with the speed correct for your enterprise network.
• The Call Server Registrations pane shows that the endpoints that attempted to register did so successfully.
• The Call Server Active Calls pane shows that the endpoints that made calls did so successfully, and the call limits per cluster and total are correct for your licenses.
• The Conference Manager MCUs pane shows that the MCUs you added are connected and in service.
• The information on the Active Directory Integration pane looks correct, including the status, cache refresh data, and enterprise conference room count.
Set up some multipoint conferences by having endpoints dial into enterprise users’ conference rooms (preferably including a custom conference room). Verify that conferencing works satisfactorily, that the system status is good, and that the Conference Manager Usage pane accurately presents the status.
When you’re satisfied that the Polycom RealPresence DMA system is configured and working properly, manually create a backup, download it, and store it in a safe place. See Backing Up and Restoring on page 374.

System Security

This chapter describes the following Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system security topics:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Security Settings
The Consequences of Enabling Maximum Security Mode
Login Policy Settings
Reset System Passwords

Security Certificates Overview

How Certificates Work

X.509 certificates are a security technology that assists networked computers in determining whether to trust each other.
A single, centralized certificate authority (CA) is established. Typically, this is either an enterprise’s IT department or a commercial certificate authority.
Each computer on the network is configured to trust the central certificate authority.
Each server on the network has a public certificate that identifies it.
The certificate authority signs the public certificates of those servers that clients should trust.
When a client connects to a server, the server shows its signed public certificate to the client. Trust
is established because the certificate has been signed by the certificate authority, and the client has been configured to trust the certificate authority.

Forms of Certificates Accepted by the Polycom RealPresence DMA System

X.509 certificates come in several forms (encoding and protocol). The following table shows the forms that can be installed in the Polycom RealPresence DMA system.
| Encoding | Protocol / File Type | Description and Installation Method |
|---|---|---|
| PEM (Base64-encoded ASCII text) | PKCS #7 protocol P7B file | Certificate chain containing: a signed certificate for the system, authenticating its public key; the CA’s public certificate; sometimes intermediate certificates. Upload file or paste into text box. |
| PEM (Base64-encoded ASCII text) | CER (single certificate) file | Signed certificate for the system, authenticating its public key. Upload file or paste into text box. |
| PEM (Base64-encoded ASCII text) | Certificate text | Encoded certificate text copied from CA’s email or secure web page. Paste into text box. |
| DER (binary format using ASN.1 Distinguished Encoding Rules) | PKCS #12 protocol PFX file | Certificate chain containing: a signed certificate for the system, authenticating its public key; a private key for the system; the CA’s public certificate. Upload file. |
| DER (binary format using ASN.1 Distinguished Encoding Rules) | PKCS #7 protocol P7B file | Certificate chain containing: a signed certificate for the system, authenticating its public key; the CA’s public certificate; sometimes intermediate certificates. Upload file. |
| DER (binary format using ASN.1 Distinguished Encoding Rules) | CER (single certificate) file | Signed certificate for the system, authenticating its public key. Upload file. |

How Certificates Are Used by the Polycom RealPresence DMA System

The Polycom RealPresence DMA system uses X.509 certificates in the following ways:
1 When a user logs into the Polycom RealPresence DMA system’s browser-based management
interface, the Polycom RealPresence DMA system (server) offers an X.509 certificate to identify itself to the browser (client).
The Polycom RealPresence DMA system’s certificate must have been signed by a certificate authority (see Certificate Procedures on page 46).
The browser must be configured to trust that certificate authority (beyond the scope of this documentation).
If trust can’t be established, most browsers allow connection anyway, but display a ‘nag’ dialog to the user, requesting permission.
2 When the Polycom RealPresence DMA system connects to a Microsoft Active Directory server, it
may present a certificate to the server to identify itself.
If Active Directory is configured to require a client certificate (this is not the default), the Polycom RealPresence DMA system offers the same SSL server certificate that it offers to browsers connecting to the system management interface. Active Directory must be configured to trust the certificate authority, or it rejects the certificate and the connection fails.
3 When the Polycom RealPresence DMA system connects to a Microsoft Exchange server (if the calendaring service is enabled; see Microsoft Exchange Server Integration on page 175), it may present a certificate to the server to identify itself.
Unless the Allow unencrypted calendar notifications from Exchange server security option is enabled (see Security Settings on page 50), the Polycom RealPresence DMA system offers the same SSL server certificate that it offers to browsers connecting to the system management interface. The Microsoft Exchange server must be configured to trust the certificate authority. Otherwise, the Microsoft Exchange Server integration status (see Dashboard on page 336) remains Subscription pending indefinitely, the Polycom RealPresence DMA system does not receive calendar notifications, and incoming meeting request messages are only processed approximately every 4 minutes.
4 When the Polycom RealPresence DMA system connects to a RealPresence Collaboration Server or
RMX MCU configured for secure communications (this is not the default), a certificate may be used to identify the MCU (server) to the Polycom RealPresence DMA system (client).
5 When performing call signaling requiring TLS, the Polycom RealPresence DMA system presents its
certificate to the connecting client (one-way TLS). Unless the Skip certificate validation for encrypted signaling security option is enabled (see Security Settings on page 50), the system uses the installed CA certificates to authenticate the connecting client’s certificate as well (mTLS or two-way TLS).

Frequently Asked Questions

Q. Is it secure to send my certificate request through email?
A. Yes. The certificate request, signed certificate, intermediate certificates, and authority certificates
that are sent through email don’t contain any secret information. There is no security risk in letting untrusted third parties see their contents.
As a precaution, you can verify the certificate fingerprints (which can be found in the Certificate Details popup) with the certificate authority via telephone. This ensures that a malicious third party didn’t substitute a fake email message with fake certificates.
Q. Why doesn’t the information on the Certificate Details popup match the information that I filled out in the signing request form?
A. Commercial certificate authorities routinely replace the organizational information in the certificate with their own slightly different description of your organization.
Q. I re-installed the Polycom RealPresence DMA system software. Why can’t I re-install my signed public certificate?
A. X.509 certificates use public/private key pair technology. The public key is contained in your public certificate and is provided to any web browser that asks for it. The private key never leaves the Polycom RealPresence DMA system.
As part of software installation, the Polycom RealPresence DMA system generates a new public/private key pair. The public key from your old key pair can’t be used with the new private key.
To re-use your signed public certificate, try restoring from backup. Both the public and private keys are saved as part of a backup file. Alternatively, if the certificate you want to reinstall is a PKCS#12 certificate, it contains a private key and will replace both the public key and the private key generated at installation time.
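The fingerprint precaution from the first answer above, as an added example (not Polycom code): it accepts a certificate as PEM text or DER bytes, computes the SHA1 and MD5 fingerprints that the Certificate Details popup lists, and compares one against a value read back by the CA. The function names, the colon-separated hex display format, and the sample data are assumptions; PKCS #7 and PKCS #12 containers are not handled.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def load_certificates(blob):
    """Return a list with the DER bytes of every certificate in `blob`.

    PEM text is recognised by its BEGIN CERTIFICATE marker and may hold a
    chain; anything else is accepted only as a single DER object, which must
    start with the ASN.1 SEQUENCE tag 0x30.
    """
    if b"-----BEGIN CERTIFICATE-----" in blob:
        text = blob.decode("ascii")
        ders = [
            base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(text)
        ]
        if not ders:
            raise ValueError("BEGIN CERTIFICATE marker without a complete block")
        return ders
    if blob[:1] == b"\x30":
        return [blob]
    raise ValueError("input is neither PEM certificate text nor DER data")


def fingerprint(der, algorithm="sha1"):
    """Hash the DER encoding and format it as AA:BB:... (assumed display form)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(value):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).lower()


def fingerprint_matches(der, expected, algorithm="sha1"):
    """True only if the computed fingerprint equals the one read back by the CA."""
    actual = normalise(fingerprint(der, algorithm))
    return hmac.compare_digest(actual, normalise(expected))


def describe(blob):
    """Fingerprints for every certificate in the input, in chain order."""
    return [
        {"sha1": fingerprint(der, "sha1"), "md5": fingerprint(der, "md5")}
        for der in load_certificates(blob)
    ]


# Constructed stand-in, NOT a real certificate: a DER SEQUENCE header
# (0x30, long-form length 0x010A = 266) followed by 266 filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + bytes(10)
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # A two-certificate PEM chain (the same constructed sample twice).
    for number, entry in enumerate(describe(SAMPLE_PEM + SAMPLE_PEM), 1):
        print(number, "SHA1", entry["sha1"])
        print(number, "MD5 ", entry["md5"])
    # The value as someone might read it back over the phone.
    spoken = describe(SAMPLE_DER)[0]["sha1"].replace(":", " ").lower()
    print("match:", fingerprint_matches(SAMPLE_DER, spoken))
```

The fingerprint is taken over the DER bytes, so the PEM and DER forms of the same certificate give the same value, and a substituted certificate gives a different one.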
See also:
System Security on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Certificate Settings

The following table describes the fields on the Certificate Settings page.
| Column | Description |
|---|---|
| Enable OCSP | Enables the use of Online Certificate Status Protocol as a means of obtaining the revocation status of a certificate presented to the system. If OCSP responder URL is not specified, the system checks the certificate’s AuthorityInfoAccess (AIA) extension fields for the location of an OCSP responder: if there is none, the certificate fails validation; otherwise, the system sends the OCSP request to the responder identified in the certificate. If OCSP responder URL is specified, the system sends the OCSP request to that responder. The responder returns a message indicating whether the certificate is good, revoked, or unknown. If OCSP certificate is specified, the response message must be signed by the specified certificate’s private key. |
| OCSP responder URL | Identifies the responder to be used for all OCSP requests, overriding the AIA field values. If OCSP certificate is specified, the response message must be signed by the specified certificate’s private key. |
| OCSP certificate | Select a certificate to require OCSP response messages to be signed by the specified certificate’s private key. |
| Store OCSP Configuration | Saves the OCSP configuration. |
| Identifier | Common name of the certificate. |
| Purpose | Kind of certificate: Server SSL is the RealPresence DMA system’s public certificate, which it presents to identify itself. By default, this is a self-signed certificate, not trusted by other devices. Trusted Root CA is the root certificate of a certificate authority that the RealPresence DMA system trusts. Intermediate CA is a CA certificate that trusted root CAs issue themselves to sign certificate signing requests (reducing the likelihood of their root certificate being compromised). If the RealPresence DMA system trusts the root CA, then the chain consisting of it, its intermediate CA certificates, and the server certificate will all be trusted. |
| Expiration | Expiration date of certificate. |
See also:
Security Certificates Overview on page 39
Certificate Signing Request Dialog Box on page 44
Add Certificates Dialog Box on page 45
Certificate Details Dialog Box on page 45
Certificate Procedures on page 46

Certificate Information Dialog Box

The Certificate Information dialog box appears when you click Create Certificate Signing Request in the Actions list (if a signing request has already been issued, you’re first asked whether to use the existing one
or create a new one). The following table describes the fields in the dialog box.
| Field | Description |
|---|---|
| Common name (CN) | Defaults to the FQDN of the system’s management interface, as defined by the virtual host name and domain specified on the Network page. Editable. |
| Signature algorithm | The cryptographic hash algorithm used to sign the CSR. Use SHA256 for maximum security. Use SHA1 when necessary for interoperability. |
| Organizational unit (OU) | Subdivision of organization. Specify up to three OUs. Optional. |
| Organization (O) | Optional. |
| City or locality (L) | Optional. |
| State (ST) | Optional. |
| Country (C) | Two-character country code. |
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Certificate Signing Request Dialog Box

The Certificate Signing Request dialog box appears when you create a request in the Certificate Information dialog box.
The Summary section at the top displays the information from the Certificate Information dialog box.
The Encoded Request box below displays the encoded certificate request text, which you can select and copy.
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Add Certificates Dialog Box

The Add Certificates dialog box appears when you click Add Certificates in the Actions list. It lets you install signed certificates or certificate chains. You can do so in two ways:
Upload a PFX, PEM, or P7B certificate file.
Paste PEM-format certificate text into the dialog box.
The following table describes the fields in the dialog box.
| Field | Description |
|---|---|
| Upload certificate | If checked, the Password field and Upload file button enable you to upload a PFX, PEM, or P7B certificate file. |
| Password | Enter the password, if any, assigned to the certificate file when it was created. |
| Upload file | Click the button to browse to the file you want to upload. |
| Paste certificate | If checked, the text field below enables you to paste in the text of PEM certificate files. |
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Certificate Details Dialog Box

The Certificate Details dialog box appears when you click Display Details in the Actions list. It displays information about the certificate selected in the list, as outlined in the following table.
| Section | Description |
|---|---|
| Certificate Info | Purpose and alias of the certificate. |
| Issued To | Information about the entity to which the certificate was issued and the certificate serial number. |
| Issued By | Information about the issuer. |
| Validity | Issue and expiration dates. |
| Fingerprints | SHA1 and MD5 fingerprints (checksums) for confirming certificate. |
| Subject Alternative Names | Additional identities bound to the subject of the certificate. For the Polycom RealPresence DMA system, this should include the virtual and physical FQDNs, short host names, and IP addresses of the system. |
| Extended Key Usage | Indicates the purposes for which the certificate can be used. The Polycom RealPresence DMA system’s certificate is used for both server and client connections, so this should always contain at least serverAuth and clientAuth. |
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43

Certificate Procedures

Certificate procedures include the following:
Install your chosen certificate authority’s public certificate, if necessary, so that the Polycom
RealPresence DMA system trusts that certificate authority.
Create a certificate signing request to submit to the certificate authority.
Install a public certificate signed by your certificate authority that identifies the Polycom RealPresence
DMA system.
Remove a signed certificate or a certificate authority’s certificate.
Note: Obtaining Certificates for Microsoft Environments
If you’re configuring the Polycom RealPresence DMA system to support Polycom’s solution for the Microsoft OCS or Lync environment, you can use Microsoft’s Certificate Wizard to request and obtain a PFX file (a password-protected PKCS12 file containing a private key and public key for the system, and the CA’s certificate).
Once you have the PFX file, you’re ready to install it. See Polycom’s solution deployment guide for information about using the Certificate Wizard and other
steps needed to implement the solution.

Install a Certificate Authority’s Certificate

This procedure is not necessary if you obtain a certificate chain that includes a signed certificate for the Polycom RealPresence DMA system, your certificate authority’s public certificate, and any intermediate certificates.
Use this procedure to add a trusted certificate authority, either an in-house or commercial CA.
Caution: Installing or Removing Certificates Requires a Restart
Installing or removing certificates requires a system restart and terminates all active conferences.
When you install or remove a certificate, the change is made to the certificate store immediately, but the system can’t implement the change until it restarts and reads the changed certificate store.
For your convenience, you’re not required to restart and apply a change immediately. This permits you to perform multiple installs or removals before restarting and applying the changes. But when you’re finished making changes, you must select Restart to Apply Saved Changes to restart the system and finish your update.
Before you begin, make sure there are no active conferences and you’re prepared to restart the system when you’re finished.
To install a certificate for a trusted root CA
1 Go to Admin > Local Cluster > Certificates.
The installed certificates are listed. The Trusted Root CA entries, if any, represent the certificate authorities whose public certificates are already installed on the RealPresence DMA system and are thus trusted.
2 If you’re using a certificate authority that isn’t listed, obtain a copy of your certificate authority’s public certificate.
The certificate must be either a single X.509 certificate or a PKCS#7 certificate chain. If it’s ASCII text, it’s in PEM format, and starts with the text -----BEGIN CERTIFICATE-----. If it’s a file, it can be either PEM or DER encoded.
3 In the Actions list, select Add Certificates.
4 In the Add Certificates dialog box, do one of the following:
If you have a file, click Upload certificate, enter the password (if any) for the file, and browse to the file or enter the path and file name.
If you have PEM-format text, copy the certificate text, click Paste certificate, and paste it into the text box below.
5 Click OK.
6 Verify that the certificate appears in the list as a Trusted Root CA.
7 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Create a Certificate Signing Request in the RealPresence DMA System

The procedure below creates a certificate signing request (CSR) that you can submit to your chosen certificate authority. This method uses the private key generated at software installation time.
To create a certificate signing request
1 Go to Admin > Local Cluster > Certificates.
By default, the system is configured to use a self-signed certificate.
2 To see details of the public certificate currently being used to identify the system to other computers:
a In the list, select the Server SSL certificate.
b In the Actions list, select Display Details.
The Certificate Details dialog box appears. If this is the default self-signed certificate, Organizational Unit is Self Signed Certificate.
c To close the dialog box, click OK.
3 In the Actions list, select Create Certificate Signing Request.
If you’ve created a signing request before, you’re asked if you want to use your existing certificate request or generate a new one. Elect to generate a new one.
4 In the Certificate Information dialog box, enter the identifying information for your Polycom RealPresence DMA system (see Certificate Information Dialog Box on page 44) and click OK.
The Certificate Signing Request dialog box displays the encoded request (see Certificate Signing Request Dialog Box on page 44).
5 Copy the entire contents of the Encoded Request box (including the text -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) and submit it to your certificate authority.
Depending on the certificate authority, your CSR may be submitted via email or by pasting into a web page.
6 Click OK to close the dialog box.
When your certificate authority has processed your request, it sends you a signed public certificate for your Polycom RealPresence DMA system. Some certificate authorities also send intermediate certificates and/or root certificates. Depending on the certificate authority, these certificates may arrive as email text, email attachments, or be available on a secure web page.
The Polycom RealPresence DMA system accepts PKCS#7 or PKCS#12 certificate chains or single certificates.
Caution: Some CSR Fields Should Not Be Modified
When you submit the CSR to your CA, make sure that the CA doesn’t modify any of the predefined SAN fields or the X.509v3 Key Usage or Extended Key Usage fields. Changes to these fields may make your system unusable. Contact Polycom technical support if you have any questions about this.
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Install a Certificate in the RealPresence DMA System

The procedure below installs the certificate or certificate chain provided by the certificate authority. It assumes that you’ve received the certificate or certificate chain in one of the following forms:
A PFX, P7B, or single certificate file that you’ve saved on your computer.
PEM-format encoded text that you received in an email or on a secure web page.
Caution: Installing or Removing Certificates Requires a Restart
Installing or removing certificates requires a system restart and terminates all active conferences. When you install or remove a certificate, the change is made to the certificate store immediately, but the system can’t implement the change until it restarts and reads the changed certificate store. For your convenience, you’re not required to restart and apply a change immediately. This permits you to perform multiple installs or removals before restarting and applying the changes. But when you’re finished making changes, you must select Restart to Apply Saved Changes to restart the system and finish your update. Before you begin, make sure there are no active conferences and you’re prepared to restart the system when you’re finished.
To install a signed certificate that identifies the Polycom RealPresence DMA system
1 When you receive your certificate(s), return to Admin > Local Cluster > Certificates.
2 In the Actions list, select Add Certificates.
3 In the Add Certificates dialog box, do one of the following:
If you have a PFX, P7B, or single certificate file, click Upload certificate, enter the password (if any) for the file, and browse to the file or enter the path and file name.
If you have PEM-format text, copy the certificate text, click Paste certificate, and paste it into the text box below. You can paste multiple PEM certificates one after the other.
4 Click OK.
5 To verify that the new signed certificate has replaced the default self-signed certificate:
a In the list of certificates, once again select the Server SSL certificate.
b In the Actions list, select Display Details.
The Certificate Details dialog box appears.
c Confirm from the information under Issued To and Issued By that the self-signed default certificate has been replaced by your signed public certificate from the certificate authority.
d Click OK to close the dialog box.
6 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Remove a Certificate from the RealPresence DMA System

There are two kinds of certificate removal:
Removing the certificate of a Trusted Root CA so that the system no longer trusts certificates signed by that certificate authority.
Removing the signed certificate currently in use as the Server SSL certificate so that the system reverts to using the default self-signed Server SSL certificate.
Removing a signed certificate also removes the certificate of the Trusted Root CA that signed it, along with any intermediate certificates provided by that certificate authority.
Both procedures are described below.
Caution: Installing or Removing Certificates Requires a Restart
Installing or removing certificates requires a system restart and terminates all active conferences. When you install or remove a certificate, the change is made to the certificate store immediately, but the system can’t implement the change until it restarts and reads the changed certificate store. For your convenience, you’re not required to restart and apply a change immediately. This permits you to perform multiple installs or removals before restarting and applying the changes. But when you’re finished making changes, you must select Restart to Apply Saved Changes to restart the system and finish your update. Before you begin, make sure there are no active conferences and you’re prepared to restart the system when you’re finished.
To remove a Trusted Root CA’s certificate
1 Go to Admin > Local Cluster > Certificates.
2 In the certificates list, select the certificate you want to delete.
3 In the Actions list, select Display Details and confirm that you’ve selected the correct certificate. Then click OK.
4 In the Actions list, select Delete Certificate.
5 When asked to confirm, click Yes.
A dialog box informs you that the certificate has been deleted.
6 Click OK.
7 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
To remove a signed certificate and revert to the default self-signed certificate
1 Go to Certificates.
2 In the Actions list, select Revert to Default Certificate.
3 When asked to confirm, click Yes.
A dialog box informs you that the system has reverted to a self-signed certificate.
4 Click OK.
5 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
6 After the system restarts, log back in, return to Admin > Local Cluster > Certificates, and verify that the system has reverted to the default self-signed certificate:
a In the list of certificates, select the Server SSL certificate.
b In the Actions list, select Display Details.
The Certificate Details dialog box appears.
c Confirm from the information under Issued To and Issued By that the default self-signed certificate has replaced the CA-signed certificate.
d Click OK to close the dialog box.
See also:
Security Certificates Overview on page 39
Certificate Settings on page 43
Certificate Procedures on page 46

Security Settings

The Security Settings page lets you switch between high security mode and a custom security mode in which one or more insecure capabilities are allowed. It also lets you switch to, but not from, a maximum security mode.
Caution: High Security Setting Recommended
We recommend always using the High security setting unless you have a specific and compelling need to allow one of the insecure capabilities.
We recommend the Maximum security setting only for those environments where the most stringent security protocols must be adhered to.
Enabling Maximum security is irreversible and has significant consequences (see The Consequences of Enabling Maximum Security Mode on page 55). Don’t choose this setting unless you know what you’re doing and are prepared for the consequences. Refer to the Polycom RealPresence DMA 7000 System Deployment Guide for Maximum Security Environments for additional important information about enabling this setting.
Note: Security Settings Must Match Across Superclusters
All clusters in a supercluster must have the same security settings. Before attempting to join a supercluster, make sure the cluster’s security settings match those of the other members of the supercluster. You can’t change a cluster’s security settings while it’s part of a supercluster.
Note: Maximum Security Mode Unsupported in Virtual Edition
The RealPresence DMA system, Virtual Edition, does not support Maximum Security Mode.
The following table describes the options in the Security Settings page.
Field Description
Maximum security: An extremely high security mode suitable for use where very strict security requirements apply. Once this mode is enabled, it’s no longer possible to reduce the security level. See caution above.
High security: Recommended setting for normal operation.
Custom security: Lets you enable one or more of the unsecured methods of network access listed below it.
Allow Linux console access: Enables the Linux user root to log into the system using SSH. This direct Linux access isn’t needed for normal operation, routine maintenance, or even troubleshooting, all of which can be done through the administrative GUI.
In extreme circumstances, this option might enable expert Polycom Global Services personnel to more fully understand the state of a troubled system or correct problems. Enable this option only when asked to do so by Polycom Global Services.
Allow unencrypted connections to the Active Directory: Normally, the Polycom RealPresence DMA system connects to Active Directory using SSL or TLS encryption. But if the Active Directory server or servers (including domain controllers if you import global groups) aren’t configured to support encryption, the Polycom RealPresence DMA system can only connect using an unencrypted protocol. This option allows such connections if an encrypted connection can’t be established.
This configuration causes an extreme security flaw: the unencrypted passwords of enterprise users are transmitted over the network, where they can easily be intercepted.
Use this option only for diagnostic purposes. By toggling it, you can determine whether encryption is the cause of a failure to connect to Active Directory or to load group data. If so, the solution is to correctly configure the relevant servers, not to allow ongoing use of unencrypted connections.
Allow unencrypted connections to MCUs: Normally, the Polycom RealPresence DMA system uses only HTTPS for the conference control connection to RealPresence Collaboration Server or RMX MCUs, and therefore can’t control an MCU that accepts only HTTP (the default). This option enables the system to fall back to HTTP for MCUs not configured for HTTPS.
We recommend configuring your MCUs to accept encrypted connections rather than enabling this option. When unencrypted connections are used, the RealPresence Collaboration Server or RMX login name and password are sent unencrypted over the network.
Allow unencrypted calendar notifications from Exchange server: Normally, if calendaring is enabled, the Polycom RealPresence DMA system gives the Microsoft Exchange server an HTTPS URL to which the Exchange server can deliver calendar notifications. In that case, the Polycom RealPresence DMA system must have a certificate that the Exchange server accepts in order for the HTTPS connection to work.
If this option is selected, the Polycom RealPresence DMA system does not require HTTPS for calendar notifications.
We recommend installing a certificate trusted by the Exchange server and using an HTTPS URL for notifications rather than enabling this option.
Allow basic authentication to Exchange server: Normally, if calendaring is enabled, the Polycom RealPresence DMA system authenticates itself with the Exchange server using NTLM authentication.
If this option is selected, the Polycom RealPresence DMA system still attempts to use NTLM first. But if that fails or isn’t enabled on the Exchange server, then the RealPresence DMA system falls back to HTTP Basic authentication (user name and password).
We recommend using NTLM authentication rather than enabling this option. In order for either NTLM or HTTP Basic authentication to work, they must be enabled on the Exchange server.
Skip certificate validation for server connecting: Normally, when the Polycom RealPresence DMA system connects to a server, it validates that server’s certificate.
This option configures the system to accept any certificate presented to it without validating it.
We recommend using valid certificates for all servers that the system may need to contact rather than enabling this option. Depending on system configuration, this may include:
MCUs
Active Directory
Exchange
RealPresence Resource Manager or CMA system
Other RealPresence DMA systems
Endpoints
Note: Either the Common Name (CN) or Subject Alternate Name (SAN) field of the server’s certificate must contain the address or host name specified for the server in the Polycom RealPresence DMA system.
Polycom MCUs don't include their management IP address in the SAN field of the CSR (Certificate Signing Request), so their certificates identify them only by the CN. Therefore, in the Polycom RealPresence DMA system, a Polycom MCU's management interface must be identified by the name specified in the CN field (usually the FQDN), not by IP address.
Similarly, an Active Directory server certificate often specifies only the FQDN. So in the Polycom RealPresence DMA system, identify the enterprise directory by FQDN, not by IP address.
Allow certificate validation skipping for encrypted signaling: Normally, during encrypted call signaling (SIP over TLS), the Polycom RealPresence DMA system requires the remote party (endpoint or MCU) to present a valid certificate. This is known as mTLS or two-way TLS.
This option configures the system to accept any certificate (or none).
We recommend installing valid certificates on your endpoints and MCUs rather than enabling this option.
Allow non conference participants to receive conference events: The SIP SUBSCRIBE/NOTIFY conference notification service (as described in RFCs 3265 and 4575) allows SIP devices to subscribe to a conference and receive conference rosters and notifications of conference events. Normally, the subscribing endpoints are conference participants.
This option configures the system to let devices subscribe to a conference without being participants in the conference.
Note: A subscription to a conference by a non-participant consumes a call license. Call history doesn’t include data for non-participant subscriptions.
The following settings may be configured in any security mode.
Skip certificate validation for user login sessions: This option may be configured in any security mode.
If this option is turned off, you can only connect to the Polycom RealPresence DMA system if your browser presents a client certificate issued by a CA that the system trusts (this is known as mTLS for administrative connections).
Turn this option off only if:
You’ve implemented a complete public key infrastructure (PKI) system, including a CA server, client software (and optionally hardware, tokens, or smartcards), and the appropriate operational procedures.
The CA’s public certificate is installed in the Polycom RealPresence DMA system so that it trusts the CA.
All authorized users, including yourself, have a client certificate signed by the CA that authenticates them to the Polycom RealPresence DMA system.
Allow forwarding of IPv6 ICMP destination unreachable messages: This option may be configured in any security mode.
If this option is off, the Polycom RealPresence DMA system has an internal firewall rule that blocks outbound destination unreachable messages. If this option is on, that firewall rule is disabled.
Note: The Polycom RealPresence DMA system currently doesn’t send such messages, regardless of this setting.
Allow IPv6 ICMP echo reply messages to multicast addresses: This option may be configured in any security mode.
If this option is off, the Polycom RealPresence DMA system doesn't reply to echo request messages sent to multicast addresses (multicast pings). If this option is on, the system responds to multicast pings.
To change the security settings
1 Go to Admin > Local Cluster > Security Settings.
2 To switch from a custom setting back to the recommended security mode, click High security.
3 To switch from the recommended security mode to a custom setting:
a Click Custom security.
b Check the unsecured network access method(s) that you want to enable.
4 Click Update.
A dialog box informs you that the configuration has been updated.
Note: Skip Certificate Validation for User Login Sessions is Automatically Re-Enabled
If you turn off Skip certificate validation for user login sessions, the system notifies you that if you don’t log back in within 5 minutes, the setting will be automatically turned back on. This is a safety precaution to ensure that at least one user is still able to access the system.
5 Click OK.
See also:
System Security on page 39
Certificate Settings on page 43
Login Policy Settings on page 57
Reset System Passwords on page 61

The Consequences of Enabling Maximum Security Mode

Enabling the Maximum security setting is irreversible and has the following significant consequences:
All unencrypted protocols and unsecured access methods are disabled, and the enhanced support feature is disabled.
The boot order is changed so that the server(s) can’t be booted from the optical drive or a USB device.
A BIOS password is set.
The port 443 redirect is removed, and the system can only be accessed by the full URL (https://<IP>:8443/dma7000, where <IP> is one of the system's management IP addresses or a host name that resolves to one of those IP addresses).
For all server-to-server connections, the system requires the remote party to present a valid X.509 certificate. Either the Common Name (CN) or Subject Alternate Name (SAN) field of that certificate must contain the address or host name specified for the server in the Polycom RealPresence DMA system.
Polycom RMX MCUs don’t include their management IP address in the SAN field of the CSR (Certificate Signing Request), so their certificates identify them only by the CN. Therefore, in the Polycom RealPresence DMA system, an RMX MCU's management interface must be identified by the host name or FQDN specified in the CN field, not by IP address.
Similarly, an Active Directory server certificate often specifies only the FQDN. Therefore, in the Polycom RealPresence DMA system, the Active Directory must be identified by FQDN, not by IP address.
Superclustering is not supported.
The Polycom RealPresence DMA system can’t be integrated with Microsoft Exchange Server and doesn’t support virtual meeting rooms (VMRs) created by the Polycom Conferencing Add-in for Microsoft Outlook.
Integration with a Polycom RealPresence Resource Manager or CMA system is not supported.
On the Banner page, Enable login banner is selected and can’t be disabled.
On the Login Sessions page, the Terminate Session action is not available.
On the Troubleshooting Utilities menu, Top is removed.
In the Add User and Edit User dialog boxes, conference and chairperson passcodes are obscured.
After Maximum security is enabled, management interface users must change their passwords.
If the system is not integrated with Active Directory, each local user can have only one assigned role (Administrator, Provisioner, or Auditor).
If some local users have multiple roles when you enable Maximum security, they retain only the highest-ranking role (Administrator > Auditor > Provisioner).
If the system is integrated with Microsoft Active Directory, only one local user can have the Administrator role, and no local users can have the Provisioner or Auditor role.
If there are multiple local administrators when you enable Maximum security, the system prompts you to choose one local user to retain the Administrator role. All other local users, if any, become conferencing users only and can’t log into the management interface.
Each enterprise user can have only one assigned role (Administrator, Provisioner, or Auditor). If some enterprise users have multiple roles (or inherit multiple roles from their group memberships), they retain only the lowest-ranking role (Administrator > Auditor > Provisioner).
Local user passwords have stricter limits and constraints (each is set to the noted default if below that level when you enable Maximum security):
Minimum length is 15-30 characters (default is 15).
Must contain 1 or 2 (default is 2) of each character type: uppercase alpha, lowercase alpha, numeric, and non-alphanumeric (special).
Maximum number of consecutive repeated characters is 1-4 (default is 2).
Number of previous passwords that a user may not re-use is 8-16 (default is 10).
Minimum number of characters that must be changed from the previous password is 1-4 (default is 4).
Password may not contain the user name or its reverse.
Maximum password age is 30-180 days (default is 60).
Minimum password age is 1-30 days (default is 1).
Other configuration settings have stricter limits and constraints (each is set to the noted default if below that level when you enable Maximum security):
Session configuration limits:
Sessions per system is 4-80 (default is 40).
Sessions per user is 1-10 (default is 5).
Session timeout is 5-60 minutes (default is 10).
Local account configuration limits:
Local user account is locked after 2-10 failed logins (default is 3) due to invalid password within 1-24 hours (default is 1).
Locked account remains locked either until unlocked by an administrator (the default) or for a duration of 1-480 minutes.
Non-conference participants can’t be permitted to register for conference events.
Software build information is not displayed anywhere in the interface.
You can’t restore a backup made before Maximum security was enabled.
The RealPresence DMA system, Virtual Edition, does not support Maximum Security Mode.
If you’re using the Mozilla Firefox browser, you need to configure it to support TLS version 1.1 so that it can function correctly with a RealPresence DMA system configured for Maximum Security Mode.
File uploads may fail when using the Mozilla Firefox browser unless the proper steps have been taken. See below.
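The CN/SAN rule stated in the note under Skip certificate validation and repeated in the list above can be checked before a server address is entered into the system. The following Python sketch is an added example, not Polycom code: it takes certificates in the dict form returned by Python's ssl.SSLSocket.getpeercert() and reports every configured address that appears in neither the CN nor the SAN. The sample certificates, host names and addresses are constructed, and exact case-insensitive name matching is an assumption about how names are compared.

```python
import ipaddress

# Constructed getpeercert()-style dicts; names and addresses are examples only.
MCU_CERT = {  # MCU-style certificate: identified by CN only, no SAN
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "rmx1.example.com"),)),
}
AD_CERT = {  # directory server certificate that lists only its FQDN
    "subject": ((("commonName", "dc1.example.com"),),),
    "subjectAltName": (("DNS", "dc1.example.com"),),
}
PEER_DMA_CERT = {  # certificate that also carries an IP address SAN
    "subject": ((("commonName", "dma2.example.com"),),),
    "subjectAltName": (("DNS", "dma2.example.com"),
                       ("IP Address", "192.0.2.20")),
}


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def certificate_names(cert):
    """Return (common_names, dns_sans, ip_sans) from a getpeercert() dict."""
    common_names = [value
                    for rdn in cert.get("subject", ())
                    for key, value in rdn
                    if key == "commonName"]
    dns_sans, ip_sans = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_sans.append(value)
        elif kind == "IP Address":
            ip_sans.append(value)
    return common_names, dns_sans, ip_sans


def configured_address_matches(configured, cert):
    """Return (ok, reason) for the address or host name entered for a server."""
    common_names, dns_sans, ip_sans = certificate_names(cert)
    wanted = configured.strip().rstrip(".")
    if is_ip(wanted):
        target = ipaddress.ip_address(wanted)
        listed = [v for v in ip_sans + common_names if is_ip(v)]
        if any(ipaddress.ip_address(v) == target for v in listed):
            return True, "IP address is listed in the certificate"
        names = ", ".join(dns_sans + common_names) or "(none)"
        return False, ("certificate does not list this IP address; "
                       "identify the server by one of: " + names)
    # Assumption: exact, case-insensitive comparison (no wildcard handling).
    for name in dns_sans + common_names:
        if name.rstrip(".").lower() == wanted.lower():
            return True, "host name is listed in the certificate"
    return False, "host name is in neither the CN nor the SAN"


def audit(configured_servers):
    """Return {label: reason} for every entry that would fail validation.

    configured_servers is an iterable of (label, address, cert) tuples.
    """
    problems = {}
    for label, address, cert in configured_servers:
        ok, reason = configured_address_matches(address, cert)
        if not ok:
            problems[label] = reason
    return problems


# Constructed configuration: the MCU is entered by IP address although its
# certificate carries only a CN, which is the failure case described above.
SAMPLE_CONFIG = [
    ("MCU", "192.0.2.10", MCU_CERT),
    ("Active Directory", "DC1.Example.com", AD_CERT),
    ("Peer DMA", "192.0.2.20", PEER_DMA_CERT),
]

if __name__ == "__main__":
    for label, reason in audit(SAMPLE_CONFIG).items():
        print(f"{label}: {reason}")
```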

Enabling File Uploads in Maximum Security with Mozilla Firefox

The Mozilla Firefox browser uses its own certificate database instead of the certificate database of the OS. If you use only that browser to access the Polycom RealPresence DMA system, the certificate(s) needed to securely connect to the system may be only in the Firefox certificate database and not in the Windows certificate store. This causes a problem for file uploads.
File upload via the Polycom RealPresence DMA system’s Flash-based interface bypasses the browser and creates the TLS/SSL connection itself. Because of that, it uses the Windows certificate store, not the Firefox certificate database. If the certificate(s) establishing trust aren’t there, the file upload silently fails.
To avoid this problem, you must import the needed certificates into Internet Explorer (and thus into the Windows certificate store). And, when accessing the system with Firefox, you must use its fully qualified host name.
First, start Internet Explorer and point it to the Polycom RealPresence DMA system. If you don’t receive a security warning, the needed certificates are already in the Windows certificate store.
If you receive a warning, import the needed certificates. The details for doing so depend on the version of Internet Explorer and on your enterprise’s implementation of certificates. In Internet Explorer 7, elect to continue to the site. Then click Certificate Error to the right of the address bar and click View Certificates to open the Certificate dialog box. From there, you can access the Certificate Import Wizard.
The entire trust chain must be imported (the system’s signed certificate, intermediate certificates, if any, and the root CA’s certificate). When importing a certificate, let Internet Explorer automatically select a certificate store.
See also:
System Security on page 39
Security Certificates Overview on page 39
Certificate Settings on page 43
Security Settings on page 50
Reset System Passwords on page 61

Login Policy Settings

The following pages, under Admin > Login Policy Settings, let you configure various aspects of user access to the system:
Local Password
Session
Local User Account
Banner
Access Policy Settings
See also:
System Security on page 39
Certificate Settings on page 43
Security Settings on page 50
Reset System Passwords on page 61

Local Password

The Local Password page lets you increase system security by specifying age, length, and complexity requirements for the passwords of local administrator, auditor, and provisioner users. These rules don’t apply to conferencing users’ conference and chairperson passcodes, or to Active Directory users.
The following table describes the fields on the Local Password page.
Field Description
Password Management
Maximum password age (days): Specify at what age a password expires (30-180 days).
Minimum password age (days): Specify how frequently a password can be changed (1-30 days).
Minimum length: Specify the number of characters a password must contain (8-30).
Minimum changed characters: Specify the number of characters that must be different from the previous password (1-4).
Reject previous passwords: Specify how many of the user’s previous passwords the system remembers and won’t permit to be reused (8-30).
Password Complexity
Allow user name or its reverse form: Turns off the protection against a password containing the user’s login name or its reverse.
Lowercase letters: Specify the number of lowercase letters (a-z) that a password must contain.
Uppercase letters: Specify the number of uppercase letters (A-Z) that a password must contain.
Numbers: Specify the number of digit characters (0-9) that a password must contain.
Special characters: Specify the number of non-alphanumeric keyboard characters that a password must contain.
Maximum consecutive repeated characters: Specify how many sequential characters may be the same.
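To pre-check candidate passwords against these rules, for example before a switch to Maximum security forces local users to change theirs, the stateless rules can be evaluated offline. The following Python sketch is an added example, not Polycom code: it uses the Maximum security defaults and ranges listed earlier (length, characters per type, repeated characters, user name or its reverse) and leaves out the rules that need stored state (password age, history, changed characters). Treating "special" as ASCII punctuation and comparing the user name case-insensitively are assumptions.

```python
import string
from dataclasses import dataclass
from itertools import groupby

# Character types named in the policy. Assumption: "special" means ASCII
# punctuation; the manual only says non-alphanumeric keyboard characters.
CHAR_CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numeric": string.digits,
    "special": string.punctuation,
}


@dataclass(frozen=True)
class PasswordPolicy:
    """Stateless local password rules; defaults are the Maximum security defaults."""
    min_length: int = 15          # allowed range 15-30
    min_per_class: int = 2        # 1 or 2 of each character type
    max_repeat_run: int = 2       # 1-4 consecutive repeated characters
    allow_username: bool = False  # "Allow user name or its reverse form"

    def __post_init__(self):
        # Reject values outside the ranges given for Maximum security mode.
        if not 15 <= self.min_length <= 30:
            raise ValueError("min_length must be 15-30")
        if self.min_per_class not in (1, 2):
            raise ValueError("min_per_class must be 1 or 2")
        if not 1 <= self.max_repeat_run <= 4:
            raise ValueError("max_repeat_run must be 1-4")


def check_password(username, password, policy=PasswordPolicy()):
    """Return {rule: explanation} for every rule the password violates."""
    problems = {}
    if len(password) < policy.min_length:
        problems["length"] = f"shorter than {policy.min_length} characters"
    for name, alphabet in CHAR_CLASSES.items():
        count = sum(ch in alphabet for ch in password)
        if count < policy.min_per_class:
            problems[name] = (f"{count} {name} character(s), "
                              f"need {policy.min_per_class}")
    # Longest run of one identical character, e.g. "sss" has length 3.
    longest = max((len(list(run)) for _, run in groupby(password)), default=0)
    if longest > policy.max_repeat_run:
        problems["repeat"] = (f"run of {longest} identical characters, "
                              f"limit is {policy.max_repeat_run}")
    if not policy.allow_username and username:
        # Assumption: the comparison ignores case.
        folded, name = password.casefold(), username.casefold()
        if name in folded or name[::-1] in folded:
            problems["username"] = "contains the user name or its reverse"
    return problems


# Constructed candidates for a hypothetical local user "jsmith".
SAMPLE_CANDIDATES = [
    "Tr!ckY-Horse#42xQ",   # satisfies every rule
    "Htimsj!!2024abcDEF",  # contains the reversed user name
    "GoodPasss#12!XYab",   # three identical characters in a row
    "Aaa1!",               # too short and too few of most character types
]

if __name__ == "__main__":
    for candidate in SAMPLE_CANDIDATES:
        print(candidate, "->", check_password("jsmith", candidate) or "ok")
```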
See also:
System Security on page 39
Login Policy Settings on page 57

Session

The Session page lets you increase system security by limiting the number and length of login sessions.
You can see the current login sessions and terminate sessions by going to User > Login Sessions. See Login Sessions on page 330.
The following table describes the fields on the Session page.
Field Description
Active system sessions: Specify the number of simultaneous login sessions by all users or select Unlimited.
Note: If this limit is reached, but none of the logged-in users is an Administrator, the first Administrator user to arrive is granted access, and the system terminates the non-Administrator session that’s been idle the longest.
Active sessions per user: Specify the number of simultaneous login sessions per user ID or select Unlimited.
Session timeout (minutes): Specify the length of time after which the system terminates a session for inactivity or select Unlimited.
See also:
System Security on page 39
Login Policy Settings on page 57

Local User Account

The Local User Account page lets you increase system security by:
Locking out users who have exceeded the specified number and frequency of login failures. The system locks the account either indefinitely or for the length of time you specify.
Disabling accounts that have been inactive a specified number of days.
The following table describes the fields on the Local User Account page.
Field Description
Account Lockout
Enable account lockout: Turns on lockout feature and enables lockout configuration fields below.
Failed login threshold: Specify how many consecutive login failures cause the system to lock an account.
Failed login window (hours): Specify the time span within which the consecutive failures must occur in order to lock the account.
Customize user account lockout duration (minutes): If selected, specify how long the user’s account remains locked. If not selected, the lockout is indefinite, and a user with a locked account must contact an Administrator to unlock it.
Account Inactivity
Customize account inactivity threshold (days): Turns on disabling of inactive accounts and lets you specify the inactivity threshold that triggers disabling.
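When reviewing authentication logs, it helps to replay them against the configured lockout values to see which accounts the policy would have locked and which accumulated failures without reaching the threshold. The following Python sketch is an added example, not Polycom code: the defaults are the Maximum security defaults given earlier (3 failures within 1 hour, indefinite lock), the event list is constructed, and the handling of details the manual does not spell out (a successful login resets the count; attempts against a locked account are not counted) is an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 3                      # Failed login threshold
    window: timedelta = timedelta(hours=1)  # Failed login window
    duration: Optional[timedelta] = None    # None: until an Administrator unlocks


def replay(events, policy=LockoutPolicy()):
    """Replay (timestamp, user, outcome) events; outcome is "ok" or "fail".

    Returns (locks, failures). locks is a list of (user, locked_at, unlock_at),
    with unlock_at None for an indefinite lock. failures counts the failed
    logins per user that were evaluated while the account was not locked.
    """
    recent = defaultdict(deque)  # user -> times of the current consecutive failures
    locked_until = {}            # user -> datetime, or None for indefinite
    locks, failures = [], defaultdict(int)
    for when, user, outcome in sorted(events):
        if user in locked_until:
            until = locked_until[user]
            if until is None or when < until:
                continue            # assumption: rejected and not counted
            del locked_until[user]  # timed lock has expired
        if outcome == "ok":
            recent[user].clear()    # assumption: success ends the consecutive run
            continue
        failures[user] += 1
        run = recent[user]
        run.append(when)
        while when - run[0] > policy.window:
            run.popleft()           # failure is older than the window
        if len(run) >= policy.threshold:
            until = None if policy.duration is None else when + policy.duration
            locked_until[user] = until
            locks.append((user, when, until))
            run.clear()
    return locks, dict(failures)


def never_locked_but_failing(events, policy, min_failures):
    """Users with at least min_failures failed logins that never tripped a lock."""
    locks, failures = replay(events, policy)
    locked_users = {user for user, _, _ in locks}
    return sorted(user for user, count in failures.items()
                  if count >= min_failures and user not in locked_users)


def ts(hhmm):
    """Build a timestamp on an arbitrary constructed date from "HH:MM"."""
    return datetime(2014, 6, 2, int(hhmm[:2]), int(hhmm[3:]))


# Constructed events for three hypothetical local users.
SAMPLE_EVENTS = [
    (ts("09:00"), "alice", "fail"), (ts("09:10"), "alice", "fail"),
    (ts("09:15"), "alice", "ok"),
    (ts("09:20"), "alice", "fail"), (ts("09:25"), "alice", "fail"),
    (ts("09:00"), "bob", "fail"), (ts("09:30"), "bob", "fail"),
    (ts("10:15"), "bob", "fail"), (ts("10:20"), "bob", "fail"),
    (ts("11:00"), "carol", "fail"), (ts("11:01"), "carol", "fail"),
    (ts("11:02"), "carol", "fail"),
    (ts("11:10"), "carol", "ok"), (ts("11:40"), "carol", "ok"),
]

# Same threshold and window, but with a 30-minute customized lockout duration.
TIMED_POLICY = LockoutPolicy(duration=timedelta(minutes=30))

if __name__ == "__main__":
    for user, locked_at, unlock_at in replay(SAMPLE_EVENTS)[0]:
        print(user, "locked at", locked_at, "until", unlock_at or "admin unlock")
    print("review:", never_locked_but_failing(SAMPLE_EVENTS, LockoutPolicy(), 4))
```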
See also:
System Security on page 39
Login Policy Settings on page 57

Banner

A login banner is a message that appears when users attempt to access the system. They must acknowledge the message before they can log in.
The Banner page lets you enable the banner and select or create the message it displays. The message may contain up to 1500 characters. If the system is in Maximum Security mode, the login banner is enabled and can’t be disabled.
The following table describes the fields on the Banner page.
Field Description
Enable login banner Enables the display of a login banner.
If this box is unchecked, the Message field is disabled. The existing contents, if any, remain unchanged, but aren’t displayed to users.
Message Select one of the messages from the list, or select Custom and type or paste your own message into the field below.
If you select one of the built-in samples, it’s copied into the Message field, and you can then edit the copy. When you do so, the system resets the list to Custom.
Your edits don’t affect the stored sample. You can revert to the original version of the sample by re-selecting it from the list.
See also:
System Security on page 39
Login Policy Settings on page 57

Access Policy Settings

The Access Policy Settings page lets you increase system security by restricting access to the management and operations interface and APIs (port 8443) and to SNMP (by default, port 161) to a whitelist of authorized IP addresses or address ranges.
If enabled, the whitelist restrictions take effect as soon as the update operation is completed. If you enable the whitelist and click Update while logged in from an IP address that’s not included in the whitelist, the system warns you that you won’t be able to access the system and asks you to confirm the update.
The whitelist settings apply to all clusters in a supercluster. When you join a cluster to a supercluster, the cluster’s settings are replaced by those from the supercluster.
The following table describes the fields on the Access Policy Settings page.
Field Description
Accept management connections from these IP addresses and address ranges on ports 8443 (GUI/API) and 161 (SNMP) Enables the input field below and restricts management access to the IP addresses or address ranges added to the list.
If this box is unchecked, the list and input field are disabled. The existing contents of the list, if any, remain unchanged so that it can be re-enabled at any time without having to re-enter the addresses.
Note: The label changes to reflect the currently configured SNMP port (see Configure SNMP on page 420). Port 161 is the default.
(list) Lists the IP addresses and address ranges authorized for management access. Select an entry and click Delete to remove it from the list.
(input field) Enter an IP address or address range and click Add. Enter a range as valid starting and ending IP addresses separated by a dash. For example:
(IPv4) 10.33.33.0 - 10.33.34.255
(IPv6) ::1:fffe - ::2:1
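Because the whitelist takes effect as soon as the update completes, it is worth checking a planned list offline first. The following added example (not Polycom code) parses entries in the dash-separated range format shown above, reports which management stations would be locked out, and converts a range to CIDR blocks for comparison with firewall rules; the function names and the sample addresses other than the two documented ranges are constructed.

```python
import ipaddress

# Constructed sample whitelist: the two range examples from the field
# description plus one single address from a documentation range.
SAMPLE_WHITELIST = [
    "10.33.33.0 - 10.33.34.255",
    "::1:fffe - ::2:1",
    "192.0.2.44",
]


def parse_entry(entry):
    """Parse 'addr' or 'start - end' into (first, last) address objects."""
    text = entry.strip()
    # Neither IPv4 nor IPv6 literals contain '-', so a dash can only be
    # the range separator.
    if "-" in text:
        start_text, end_text = (part.strip() for part in text.split("-", 1))
    else:
        start_text = end_text = text
    first = ipaddress.ip_address(start_text)   # ValueError if malformed
    last = ipaddress.ip_address(end_text)
    if first.version != last.version:
        raise ValueError(f"mixed IPv4/IPv6 range: {entry!r}")
    if first > last:
        raise ValueError(f"range start is above range end: {entry!r}")
    return first, last


def is_allowed(source_ip, whitelist):
    """True if source_ip falls inside any whitelist entry."""
    addr = ipaddress.ip_address(source_ip)
    for entry in whitelist:
        first, last = parse_entry(entry)
        if addr.version == first.version and first <= addr <= last:
            return True
    return False


def locked_out(whitelist, management_ips):
    """Management station addresses the whitelist would NOT admit."""
    return [ip for ip in management_ips if not is_allowed(ip, whitelist)]


def as_cidrs(entry):
    """Express one entry as the minimal list of CIDR blocks."""
    first, last = parse_entry(entry)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


if __name__ == "__main__":
    # Constructed list of stations that must keep access (admin PC, SNMP poller).
    stations = ["10.33.34.17", "::1:ffff", "192.0.2.10"]
    print("would lose access:", locked_out(SAMPLE_WHITELIST, stations))
    for entry in SAMPLE_WHITELIST:
        print(entry, "->", as_cidrs(entry))
```

Run it with the addresses of every administrator workstation and SNMP manager before enabling the whitelist; an empty "would lose access" list means the update will not cut off any of them.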
See also:
System Security on page 39
Security Settings on page 50
The Consequences of Enabling Maximum Security Mode on page 55
Login Policy Settings on page 57
Reset System Passwords on page 61

Reset System Passwords

In an extremely high-security environment, security compliance policies may require that all passwords be changed at certain intervals, including operating system passwords.
The Reset System Passwords page is available only if the system is in maximum security mode. It lets you change these operating system passwords (such as the password for grub) to new, randomly-generated values. These are passwords for logins that aren’t possible on a secure system. Resetting these operating system passwords has no effect on authorized users of the management interface (Administrators, Auditors, and Provisioners) or conferencing users.
To reset system passwords
1 Make sure there are no calls or conferences on the system.
2 Go to Admin > Local Cluster > Reset System Passwords.
3 Click Reset Passwords.
The system warns you that active calls and conferences will be terminated and the system will restart, and asks you to confirm.
4 Click Yes.
The system informs you that the passwords have been reset and that you’re being logged out. Then it restarts. This takes several minutes.
5 Wait a few minutes to log back in.
See also:
System Security on page 39
Security Settings on page 50
The Consequences of Enabling Maximum Security Mode on page 55
Login Policy Settings on page 57
Access Policy Settings on page 60

Local Cluster Configuration

This chapter describes the following Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system configuration topics:
Network Settings
Time Settings
Licenses
Signaling Settings
Alerting Settings
Logging Settings
Local Cluster Configuration Procedures
Automatically Send Usage Data
These are cluster-specific settings that are not part of the data store shared across superclustered systems. See Introduction to the Polycom RealPresence DMA System on page 15.
If you’re performing the initial configuration of your Polycom RealPresence DMA system, study Polycom RealPresence DMA System Initial Configuration Summary on page 29 before you continue.

Network Settings

The following table describes the fields on the Network Settings page. In the Appliance Edition, most of these values are normally set in the USB Configuration Utility during system installation and rarely need to be changed. In the Virtual Edition, some of these settings are provisioned automatically when the system is deployed with RealPresence Platform Director. See the Getting Started Guide and the Getting Started Guide for a Virtual Environment.
Caution: Network Settings Changes Require a Restart
Changing some network settings (host names, IP addresses, or domains) requires a system restart and terminates all active conferences.
If the system is using a CA-provided identity certificate, changing some network settings (host names or IP addresses) also requires you to update the certificate. (If the system is using a self-signed certificate, an updated one is automatically created.)
You can’t change these network settings while the system is part of a supercluster or integrated with a Polycom RealPresence Resource Manager or CMA system. You must first leave the supercluster or terminate the integration. If the cluster is responsible for any territories (as primary or backup), reassign those territories. After the change, rejoin the supercluster or Polycom RealPresence Resource Manager or CMA system. See Superclustering on page 226 or Resource Management System Integration on page 178.
Incorrect network information may make the system unusable and the management interface unreachable.
Caution: Configuring the RealPresence DMA System in a Secure Environment
The 802.1x LAN security settings can’t be configured in the USB Configuration Utility. In a highly secure network that requires 802.1x authentication, the Polycom RealPresence DMA system won’t be accessible until those settings are properly configured. To do so, follow the procedure for configuring the network settings using a laptop, as described in the Deployment Guide for Maximum Security Environments.
Note: Virtual Host Name Not Needed for Single-Server Systems
This version of the Polycom RealPresence DMA system eliminates the need for virtual host name(s) and IP addresses in a single-server system or cluster. When a version 5.0 or earlier single-server RealPresence DMA system is upgraded to version 5.1 or later, the previous version's virtual host name(s) and IP addresses become the upgraded version's physical host name(s) and IP addresses, so accessing the system doesn't change.
(Exception: If only IPv6 is enabled, the system must have two addresses, so a single-server system must still have a virtual host name and IP address.)
Field Description
System IP type IP addressing supported (IPv4, IPv6, or both).
System server configuration Number of servers (1 or 2) in this cluster.
Caution: Once this is set to 2 server configuration, it can’t be changed back to 1 server configuration. To reconfigure a two-server system as two separate single-server systems, you must use the USB Configuration Utility. See the Polycom RealPresence DMA 7000 System Getting Started Guide.
System split network setting Specifies whether to combine or split the system’s management and signaling interfaces. If the same network will be used for both management (administrative access) and signaling, the signaling IP addresses and Shared Signaling Network Settings section below are not used.
Caution: Choose split networking only if you need to restrict access to the management interface and SNMP to users on an isolated “non-public” network separate from the enterprise network. Typically, this is the case only in high-security environments.
In most network environments, users accessing the management interface are on the same network as endpoints and other devices communicating with the RealPresence DMA system, and they use the same physical and virtual IP addresses and the same network interface.
To split the network configuration, you must use different gateways and subnets for management and signaling, and separate physical connections for the management and signaling networks (eth0 for management, eth2 for signaling). In a split network configuration, routing rules are necessary for proper routing of network traffic. See Routing Configuration Dialog Box on page 68.
If management and signaling traffic are combined on the same network (subnet), both use the same physical and virtual IP addresses and the same network interface.
If you aren’t sure whether split networking is appropriate, possible, or necessary for this installation, consult the appropriate IT staff or network administrator for your organization.
In a split network configuration, routing rules are necessary for proper routing of network traffic.
Server 1 Status, host name, and IP address(es) of the primary server. The IP type and network setting determine which of the IP fields in this section are enabled.
The management IP address is disabled if IPv4 boot protocol is set to DHCP.
Host names may contain only letters, numbers, and internal dashes (hyphens), and may not include a domain. The reserved values appserv* and dmamgk-* may not be used for host names.
The host name is combined with the domain name specified under General System Network Settings to form the fully qualified domain name (FQDN).
Server 2 Status, host name and IP address(es) of the secondary server. The fields in this section duplicate those in the Server 1 section and are enabled only in two-server configuration.
The management IP address is disabled if IPv4 boot protocol is set to DHCP.
Shared Management Network Settings
The settings in this section apply to the entire system (both servers in two-server configuration), whether management and signaling are combined or separate.
Virtual host name / IPv4 / IPv6 Virtual host name and IP address(es) for the system’s management (or combined) network interface.
For a one-server configuration, these fields are disabled. (Exception: If only IPv6 is enabled, the system must have two addresses, so a single-server system must still have a virtual host name and IP address.)
Host names may contain only letters, numbers, and internal dashes (hyphens), and may not include a domain. The reserved values appserv* and dmamgk-* may not be used for host names.
The host name is combined with the domain name specified under General System Network Settings to form the fully qualified domain name (FQDN).
Note: Specify all IPv4 addresses in dotted-decimal form and all IPv6 addresses in colon-hex form.
Subnet mask IPv4 network mask that defines the subnetwork of the system’s management or combined interface.
IPv6 prefix length IPv6 CIDR (Classless Inter-Domain Routing) prefix size value (the number of leading 1 bits in the routing prefix mask) that defines the subnetwork of the system’s management or combined interface.
IPv4 gateway IP address of the gateway server used to route network traffic outside the subnet.
Management Link
Name / Enable The name of the management network interface (eth0) is not editable, and it can’t be disabled. The eth0 interface corresponds with the GB1 jack on the server.
Auto-negotiation / Speed / Duplex Turn on Auto-negotiation or set Speed and Duplex manually.
Note: Auto-negotiation is required if your network is 1000Base-T. Don’t select 10000 unless you’re certain your hardware platform supports it.
Show Link Details Click to see details about link settings and information. This information may be useful to Polycom Global Services when troubleshooting a network issue.
LAN Security Settings Caution: In a network that requires 802.1x authentication for servers (this is rarely the case), incorrect settings in this section and, if applicable, lack of the proper certificate(s) can make the system unreachable. Recovering from this situation requires connecting a laptop to the system using a crossover cable in order to access it.
Enable 802.1x Enables the system to authenticate this network interface to the LAN.
Depending on the authentication method, the access credentials required may be either a user name and password (specified below) or a security certificate.
User name The user name with which the system may authenticate this interface.
Password / Confirm password The password for the user name entered above.
EAP Method The Extensible Authentication Protocol method used to establish trust with the authentication server (this is also known as the outer authentication protocol).
Protocol When a TLS tunnel is established with the authentication server, the protocol used within the tunnel (this is also known as the inner authentication protocol).
Shared Signaling Network Settings
The settings in this section are enabled only if management and signaling traffic are on separate networks. If so, they apply to the entire system (both servers in two-server configuration).
For a one-server configuration, the virtual host name and IP fields are disabled. (Exception: If only IPv6 is enabled, the system must have two addresses, so a single-server system must still have a virtual host name and IP address.)
The settings are the same as those in Shared Management Network Settings, except that under Signaling Link, the signaling network interface (eth2) can be disabled. This capability exists for debugging purposes.
The eth2 interface corresponds with the GB3 jack on the server. (The eth1 interface, which corresponds with the GB2 jack, is reserved for the private network connection between the two servers in a two-server cluster.)
General System Network Settings
The settings in this section apply to the entire system and aren’t specific to management or signaling.
DNS search domains One or more fully qualified domain names, separated by commas or spaces.
The system domain you enter below is added automatically, so you need not enter it.
DNS 1 / DNS 2 / DNS 3 IP addresses of up to three domain name servers. At least one DNS server is required.
Your Polycom RealPresence DMA system must be accessible by its host name(s), not just its IP address(es), so you (or your DNS administrator) must create A (address) resource records (RRs) for IPv4 and/or AAAA records for IPv6 on your DNS server(s). A/AAAA records that map each physical host name to the corresponding physical IP address and each virtual host name to the corresponding virtual IP address are mandatory.
Domain The domain for the system. This is combined with the host name to form the fully qualified domain name (FQDN). For instance:
Host name: dma1
Domain: callservers.example.com
FQDN: dma1.callservers.example.com
Signaling DSCP The Differentiated Services Code Point value (0 - 63) to put in the DS field of IP packet headers on outbound packets associated with signaling traffic.
The DSCP value is used to classify packets for quality of service (QoS) purposes. If you’re not sure what value to use, leave the default of 0.
Management DSCP The Differentiated Services Code Point value (0 - 63) to put in the DS field of IP packet headers on outbound packets associated with management traffic (including communications to other clusters).
The DSCP value is used to classify packets for quality of service (QoS) purposes. If you’re not sure what value to use, leave the default of 0.
Default IPv6 gateway The IPv6 gateway’s address and the interface used to access it, generally eth0, specified as: <IPv6_address>%eth0
Default IPv4 gateway If management and signaling traffic are on separate networks, select which of the two networks’ gateway servers is the default.
Your choice depends on your network configuration and routing. Typically, unless all the endpoints, MCUs, and other devices that communicate with the system are on the same subnet, you’d select the signaling network.
See also:
Local Cluster Configuration on page 63
Local Cluster Configuration Procedures on page 81

Routing Configuration Dialog Box

In the Network page’s action list, the Routing Configuration command opens the Routing Configuration dialog box, where you can add or delete network routing rules (IPv4, IPv6, or both, depending on the System IP type setting on the Network page). The Show raw routing configuration button lets you view the operating system’s underlying routing configuration.
In a split network configuration, routing rules are necessary for proper routing of network traffic. In a combined network configuration, the operating system’s underlying routing configuration is likely sufficient unless you need a special rule or rules for your particular network. If you aren’t sure, consult the appropriate IT staff or network administrator for your organization.
Note: Route Configuration Applies to Current Network Settings
You can only configure route settings that are valid for the currently applied settings in Admin > Local Cluster > Network Settings. If you need to change the network settings and routing configuration, make and apply the network settings changes first. Keep this in mind if you receive an error when attempting to change the routing configuration.
The following table describes the fields in the Routing Configuration dialog box. If System IP type is set to IPv4 + IPv6, the dialog box contains two essentially identical sections, one for each IP type. Each section contains the input fields listed below, a table showing the defined routing rules, and buttons for adding and deleting routes.
Field Description
Host/Network The IP address of the destination network host or segment.
Prefix length The CIDR (Classless Inter-Domain Routing) prefix size value (the number of leading 1 bits in the routing prefix mask). This value, together with the Host/Network address, defines the subnet for this route.
For IPv4, a prefix length of 24 is equivalent to specifying a dotted-quad subnet mask of 255.255.255.0. A prefix length of 16 is equivalent to specifying a subnet mask of 255.255.0.0.
Interface In split network configuration, select the interface for this route.
Via IP address of router for this route. Optional, and only needed for non-default routers.
When you add a routing rule, it appears in the table below the input fields. Select a rule and click Delete selected route to delete it. Click Show raw routing configuration to display the operating system’s underlying routing configuration.
See also:
Network Settings on page 63

Time Settings

The following table describes the fields on the Time Settings page. These values are normally set in the USB Configuration Utility during system installation and rarely need to be changed. See the Getting Started Guide.
Caution: A Restart is Needed After Time Settings Change
Changing time settings requires a system restart and terminates all active conferences.
You can’t change the system’s time settings while it’s integrated with a Polycom RealPresence Resource Manager or CMA system or part of a supercluster. The integration must first be terminated or the cluster removed from the supercluster. See Resource Management System Integration on page 178 or Superclustering on page 226.
We strongly recommend specifying NTP servers.
Field Description
System time zone Time zone in which the system is located. We strongly recommend selecting the time zone of a specific geographic location (such as America/Denver), not one of the generic GMT offsets (such as GMT+07 POSIX).
If you really want to use a generic GMT offset (for instance, to prevent automatic daylight saving time adjustments), note that they use the Linux/Posix convention of specifying how many hours ahead of or behind local time GMT is. Thus, the generic equivalent of America/Denver (UTC-07:00) is GMT+07, not GMT-07.
Manually set system time We don’t recommend setting time and date manually.
NTP Servers Specify up to three time servers for maintaining system time (we recommend three). Enter IP addresses or fully qualified domain names.
See also:
Local Cluster Configuration on page 63
Local Cluster Configuration Procedures on page 81

Licenses

The Polycom RealPresence DMA system is licensed for the number of concurrent calls it can handle and optionally for API access. See License the Polycom RealPresence DMA System on page 32 for more information about licensing.

Licenses for the Appliance Edition

The following table describes the fields on the Licenses page when using the Appliance Edition of the RealPresence DMA system.
Field Description
Active License
Licensed calls The maximum number of concurrent calls that the license enables.
Licensed capabilities Currently, the only separately licensed capability is access to the RealPresence Platform API.
Note: An API license isn't required in order for a Polycom RealPresence Resource Manager system to access the API. It's only needed for a client application you or a third party develop.
Licensed capabilities The special features of the Polycom RealPresence DMA system that the license enables.
Activation Keys
A two-server cluster has two sets of the fields below, one for each server in the cluster.
System serial number The serial number of the specified server.
Activation key The activation key you received from Polycom for this server. The key for each server must be the correct one for that server’s serial number.
End User License Agreement
Status The state of acceptance of the EULA; if not accepted, this system is unable to make calls.
User The user who accepted the EULA.
Date accepted The GMT date and time of EULA acceptance.
Automatically send usage data Select to help improve this product by sending anonymous usage data to Polycom. See Automatically Send Usage Data on page 85 for more information.

Licenses for the Virtual Edition

The following table describes the fields on the Licenses page when using the Virtual Edition of the RealPresence DMA system.
Field Description
Active License
Licensed calls The maximum number of concurrent calls that the license enables.
Licensed capabilities Currently, the only separately licensed capability is access to the RealPresence Platform API.
Note: An API license isn't required in order for a Polycom RealPresence Resource Manager system to access the API. It's only needed for a client application you or a third party develop.
DMA Host
Host name The host name of this VM instance, configurable on the Admin > Local Cluster > Network Settings page.
Host ID The VMware UUID of this VM instance.
License version The version of the installed license.
Licensing Server
License server address The read-only address of the primary licensing server.
Note: This field is automatically provisioned by RealPresence Platform Director.
Backup server address The read-only IP address or domain name of the secondary license server.
Note: This information is automatically provisioned by RealPresence Platform Director.
Port The port used for communication with the licensing server(s). The default port is 3333.
Last successful connection The licensing server that the system last communicated with, followed by the time of the last communication.
End User License Agreement
Status The state of acceptance of the EULA; if not accepted, this system is unable to make calls.
User The user who accepted the EULA.
Date accepted The GMT date and time of EULA acceptance.
Automatically send usage data Select to help improve this product by sending anonymous usage data to Polycom. See Automatically Send Usage Data on page 85 for more information.
See also:
Local Cluster Configuration on page 63
Local Cluster Configuration Procedures on page 81

Signaling Settings

On the Signaling Settings page, you can configure H.323 and SIP signaling.
Note: Supercluster-wide Signaling Settings
Although these are cluster-specific settings that are not part of the data store shared across superclustered systems, we strongly recommend that all signaling settings be the same across all clusters in a supercluster.
The settings for untrusted SIP call handling (“unauthorized” or “guest” calls) must be the same across all clusters in a supercluster.

H.323 and SIP Signaling

If H.323 signaling is enabled, the Polycom RealPresence DMA system’s Call Server operates as a gatekeeper, receiving registration requests and calls from H.323 devices. If SIP signaling is enabled, Call Server operates as a SIP registrar and proxy server, receiving registration requests and calls from SIP devices. If both are enabled, the system automatically serves as a SIP <–> H.323 gateway.
As a best practice, we recommend configuring your videoconferencing network in such a way as to avoid using the RealPresence DMA system as a SIP <--> H.323 gateway.
Either H.323, SIP, or both must be enabled in order for the RealPresence DMA system’s Conference Manager to receive calls for multipoint conferences (virtual meeting rooms, or VMRs) and distribute them among its pool of MCUs.
On this page, you can also:
Turn on H.235 authentication for H.323 devices.
Turn on SIP digest authentication for SIP devices.
Click a Device authentication settings link to go to the Device Authentication page, where you can configure SIP device authentication and maintain the inbound device authentication list for both H.323 and SIP devices (see Device Authentication on page 261).
Note: Authentication for Specific Devices
You can turn authentication off and on for specific devices (assuming that it’s turned on here for that device type). See Edit Device Dialog Box on page 97.
Configure specific ports or prefixes for untrusted (“unauthorized” or “guest”) SIP calls that can only access specific resources (VMRs, VEQs, or a SIP peer).
H.323 Device Authentication
In an environment where H.235 authentication is used, H.323 devices include their credentials (name and password) in registration and signaling (RAS) requests. The Polycom RealPresence DMA system authenticates requests as follows:
If it’s a signaling request (ARQ, BRQ, DRQ) from an unregistered endpoint, the Call Server doesn’t authenticate the credentials.
Otherwise, if the request is from an endpoint and the Polycom RealPresence DMA system is integrated with a Polycom CMA system, the Call Server attempts to authenticate the endpoint’s credentials with the CMA system.
If it can’t authenticate with the CMA system, or if the request is from an MCU or neighbor gatekeeper, the Call Server attempts to authenticate using its device authentication list.
If it’s a signaling request from a registered endpoint, or if the request is from an MCU or neighbor gatekeeper, the Call Server attempts to authenticate using its device authentication list (see Device Authentication on page 261).
If the credentials can’t be authenticated, the Call Server rejects the registration or signaling request. For call signaling requests, it also rejects the request if the credentials differ from those with which the device registered.
SIP Device Authentication
The SIP digest authentication mechanism is described in RFC 3261, starting in section 22, and in RFC 2617, section 3. When a SIP endpoint registers with or calls the Polycom RealPresence DMA system, if the request includes authentication information, that information is checked against the Call Server’s local device authentication list (see Device Authentication on page 261).
SIP authentication can be enabled at the port/transport level or (for “unauthorized” access prefixes) the prefix level.
If SIP authentication is enabled and an endpoint’s request doesn’t include authentication information, the Call Server responds with an authentication challenge containing the required fields (see the RFCs). If the endpoint responds with valid authentication information, the system accepts the registration or call.
Note: SIP Device Authentication
If inbound SIP authentication is turned on for a port or prefix, the Polycom RealPresence DMA system challenges any SIP message coming to the system via that port or with that prefix. Any SIP peer and other device that interacts with the system by those means must be configured to authenticate itself, or you must turn off Device authentication for that specific device. See Edit Device Dialog Box on page 97.
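The following added example (not Polycom code) walks through the RFC 2617 digest exchange described above: the challenge, the endpoint's answer, and the check against a device authentication list. The Registrar class, realm, device name and password are constructed for illustration, and the sketch treats each nonce as single-use, which is a simplification.

```python
import hashlib
import hmac
import re
import secrets


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Request-digest per RFC 2617 section 3.2.2 (MD5 algorithm)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")      # form used when qop is absent


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header_value):
    """Split 'Digest k="v", k2=v2' into a dict of parameters."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}


class Registrar:
    """Hypothetical server side: realm, device list, and 401-or-407 choice."""

    def __init__(self, realm, device_list, use_407=False):
        self.realm = realm
        self.device_list = device_list           # device name -> password
        self.use_407 = use_407
        self.nonces = set()                      # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        status = 407 if self.use_407 else 401
        header = "Proxy-Authenticate" if self.use_407 else "WWW-Authenticate"
        value = f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5, qop="auth"'
        return status, header, value

    def verify(self, method, authorization_value):
        p = parse_digest(authorization_value)
        password = self.device_list.get(p.get("username"))
        if password is None or p.get("realm") != self.realm:
            return False
        if p.get("nonce") not in self.nonces:    # unknown or already-used nonce
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p.get("uri", ""), p["nonce"],
                                   p.get("qop"), p.get("nc"), p.get("cnonce"))
        ok = hmac.compare_digest(expected.encode(), p.get("response", "").encode())
        if ok:
            self.nonces.discard(p["nonce"])      # single-use in this sketch
        return ok


def answer_challenge(challenge_value, username, password, method, uri):
    """Endpoint side: build the Authorization / Proxy-Authorization value."""
    c = parse_digest(challenge_value)
    nc, cnonce = "00000001", secrets.token_hex(8)
    response = digest_response(username, c["realm"], password, method, uri,
                               c["nonce"], "auth", nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{response}", '
            f'algorithm=MD5, qop=auth, nc={nc}, cnonce="{cnonce}"')


if __name__ == "__main__":
    reg = Registrar("dma.example.com", {"endpoint-1001": "constructed-secret"})
    status, header, value = reg.challenge()
    print(status, header + ":", value)
    auth = answer_challenge(value, "endpoint-1001", "constructed-secret",
                            "REGISTER", "sip:dma.example.com")
    print("Authorization:", auth)
    print("accepted:", reg.verify("REGISTER", auth))
```

The password never crosses the wire; only the hash does, which is why a device whose stored credentials differ from the device authentication list fails the comparison rather than producing a readable error.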
Untrusted SIP Call Handling Configuration
You can configure special handling for SIP calls from devices outside the corporate firewall that aren’t registered with the Polycom RealPresence DMA system and aren’t from a federated division or enterprise. These calls come to the RealPresence DMA system via SIP session border controllers (SBCs) such as a Polycom RealPresence Access Director or Acme Packet Session Border Controller device (which are configured as SIP peers in the RealPresence DMA system; see External SIP Peer on page 105).
You can route such untrusted (“unauthorized” or “guest”) calls by creating a separate set of “guest” dial rules used only for these untrusted calls. See Dial Rules on page 239.
Depending on the SIP SBC and how it’s configured, such calls can be distinguished in one of two ways:
By port: The SBC routes untrusted calls to a specific port.
By prefix: The SBC adds a specific prefix in the Request-URI of the first INVITE message for the call.
The RealPresence Access Director SBC supports only the prefix method. The Acme Packet Session Border Controller SBC can be configured for either.
In the SIP Settings section of the page, you can add one or more ports, prefixes, or both for untrusted calls. For each entry, you can specify whether authentication is required. Calls to an untrusted call prefix follow the authentication setting for that prefix, not for the port on which they’re received. For port entries, you can also specify the transport, and if TLS, whether certificate validation is required (mTLS).
Note: Require Certificate Validations for TLS
If Allow certificate validation skipping for encrypted signaling is turned off on the Security Settings page, then Require certificate validation for TLS is turned on for both authorized and unauthorized ports, and it can’t be turned off. See Security Settings on page 50.
Signaling Settings Fields
The following table describes the fields on the Signaling Settings page.
Field Description
H.323 Settings
Enable H.323 signaling Enables the system to receive H.323 calls.
Caution: Disabling H.323 terminates any existing H.323 calls. When you click Update, the system prompts you to confirm.
Status Indicates whether the system’s H.323 gatekeeper functions are active.
H.225 port Specifies the port number the system’s gatekeeper uses for call signaling.
We recommend using the default port number (1720), but you can use the same value as the RAS port or any other value from 1024 to 65535 that’s not already in use.
RAS port Specifies the port number the system’s gatekeeper uses for RAS (Registration, Admission and Status).
We recommend using the default port number (1719), but you can use the same value as the H.225 port or any other value from 1024 to 65535 that’s not already in use.
H.245 open firewall ports Shows the port range used for H.245 so you can configure your firewall accordingly. This is display only.
H.323 multicast Enables the system to support gatekeeper discovery (GRQ messages from endpoints) as described in the H.323 and H.225.0 specifications.
Enable H.323 device authentication Check the box to turn on H.323 device authentication.
Click Device authentication settings to go to the Device Authentication page and add authentication credentials (see Device Authentication on page 261).
SIP Settings
Enable SIP signaling Enables the system to receive Session Initiation Protocol (SIP) calls.
Caution: Disabling SIP terminates any existing SIP calls. When you click Update, the system prompts you to confirm.
Enable ANAT support Configures the system to pass through Alternative Network Address Types (ANAT) signaling (RFC 4091 and RFC 4092) in the Session Description Protocol (SDP) for the purpose of negotiating IP version in a dual-stack (IPv4 + IPv6) environment.
Authorized ports
Unencrypted SIP port To permit unencrypted SIP connections, select either TCP or UDP/TCP from the list. Select None to disallow unencrypted SIP connections.
We recommend using the default port number (5060), but you can use any value from 1024 to 65535 that’s not already in use and is different from the TLS port and from any “unauthorized” or “guest” ports that your SBC(s) may be configured to use for calls to the system.
Enable authentication Check the box to turn on SIP device authentication for unencrypted SIP.
Click the Device authentication settings link to go to the Device Authentication page to configure SIP device authentication and add device authentication credentials (see Device Authentication on page 261). The settings on that page determine:
The realm used for authentication.
Whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
TLS port Specifies the port number the system uses for TLS.
We recommend using the default port number (5061), but you can use any value from 1024 to 65535 that’s not already in use and is different from the UDP/TCP port and from any “unauthorized” or “guest” ports that your SBC(s) may be configured to use for calls to the system.
If SIP signaling is enabled, TLS is automatically supported. Unless unencrypted SIP connections are specifically permitted, TLS must be used.
Enable authentication Check the box to turn on SIP device authentication for encrypted SIP.
Click the Device authentication settings link to go to the Device Authentication page to configure SIP device authentication and add device authentication credentials (see Device Authentication on page 261). The settings on that page determine:
The realm used for authentication.
Whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
Require certificate validation for TLS Check the box to enable mutual TLS (mTLS), requiring each caller to present a valid certificate.
Unauthorized ports Lists the ports used by your SBC(s) for untrusted calls, showing the transport type for each and, for TLS, whether a certificate is required. The Authentication column indicates whether calls to that port are passed without challenge, challenged for authentication credentials, or blocked.
Click Add to add a port to the list (see Add Guest Port Dialog Box on page 76). Click Edit to edit the selected entry (see Edit Guest Port Dialog Box on page 77) or Delete to delete it.
Unauthorized prefixes Lists the prefixes used by your SBC(s) for untrusted calls. The Strip Prefix column indicates whether the RealPresence DMA system should immediately strip the prefix. The Authentication column indicates whether calls to that port are passed without challenge, challenged for authentication credentials, or blocked.
Click Add to add a prefix to the list (see Add Guest Prefix Dialog Box on page 78). Click Edit to edit the selected entry (see Edit Guest Prefix Dialog Box on page 79) or Delete to delete it.
See also:
Local Cluster Configuration on page 63
Local Cluster Configuration Procedures on page 81

Add Guest Port Dialog Box

The Add Guest Port dialog box appears when you click the Add button next to the Unauthorized ports list in the SIP Settings section of the Signaling Settings page. It lets you add a port to the list of ports used for “unauthorized” or “guest” calls.
The following table describes the fields in the Add Guest Port dialog box.
Field Description
Port The SIP signaling port number for this entry.
This is the port number that an SBC is configured to use for untrusted calls to the RealPresence DMA system via the transport specified below.
Transport To use this guest port for unencrypted SIP connections, select either TCP or UDP/TCP from the list. To use this port for encrypted SIP connections, select TLS.
Require certificate validation for TLS For TLS transport, check this box to enable mutual TLS (mTLS), requiring callers to present a valid certificate.
Note: If Skip certificate validation for encrypted signaling is turned off on the Security Settings page, then Require certificate validation for TLS is turned on for both authorized and unauthorized ports, and it can’t be turned off. See Security Settings on page 50.
Authentication Select one of the following:
• None — The system doesn’t issue authentication challenges or check authentication credentials for calls to this port.
• Authenticate — The system issues authentication challenges and checks authentication credentials for calls to this port.
The settings on the Device Authentication page (see Device Authentication on page 261) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block — The system blocks calls to this port.
See also:
Signaling Settings on page 72
Local Cluster Configuration Procedures on page 81

Edit Guest Port Dialog Box

The Edit Guest Port dialog box lets you edit an Unauthorized ports list entry in the SIP Settings section of the Signaling Settings page.
The following table describes the fields in the Edit Guest Port dialog box.
Field Description
Port The SIP signaling port number for this entry.
This is the port number that an SBC is configured to use for untrusted calls to the RealPresence DMA system via the transport specified below.
Transport To use this guest port for unencrypted SIP connections, select either TCP or UDP/TCP from the list. To use this port for encrypted SIP connections, select TLS.
Require certificate validation for TLS For TLS transport, check this box to enable mutual TLS (mTLS), requiring callers to present a valid certificate.
Note: If Skip certificate validation for encrypted signaling is turned off on the Security Settings page, then Require certificate validation for TLS is turned on for both authorized and unauthorized ports, and it can’t be turned off. See Security Settings on page 50.
Authentication Select one of the following:
• None — The system doesn’t issue authentication challenges or check authentication credentials for calls to this port.
• Authenticate — The system issues authentication challenges and checks authentication credentials for calls to this port.
The settings on the Device Authentication page (see Device Authentication on page 261) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block — The system blocks calls to this port.
See also:
Signaling Settings on page 72
Local Cluster Configuration Procedures on page 81

Add Guest Prefix Dialog Box

The Add Guest Prefix dialog box appears when you click the Add button next to the Unauthorized prefixes list in the SIP Settings section of the Signaling Settings page. It lets you add a prefix to the list of prefixes used for “unauthorized” or “guest” calls.
The following table describes the fields in the Add Guest Prefix dialog box.
Field Description
Prefix The prefix number for this entry.
This is the number that an SBC is configured to add to the Request-URI of the first INVITE message for untrusted calls to the RealPresence DMA system.
Strip prefix Check this box to have the system immediately strip this prefix from the INVITE message.
Authentication Select one of the following:
• None — The system doesn’t issue authentication challenges or check authentication credentials for calls with this prefix.
• Authenticate — The system issues authentication challenges and checks authentication credentials for calls with this prefix.
The settings on the Device Authentication page (see Device Authentication on page 261) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block — The system blocks calls with this prefix.
See also:
Signaling Settings on page 72
Local Cluster Configuration Procedures on page 81

Edit Guest Prefix Dialog Box

The Edit Guest Prefix dialog box lets you edit an Unauthorized prefixes list entry in the SIP Settings section of the Signaling Settings page.
The following table describes the fields in the Edit Guest Prefix dialog box.
Field Description
Prefix The prefix number for this entry.
This is the number that an SBC is configured to add to the Request-URI of the first INVITE message for untrusted calls to the RealPresence DMA system.
Strip prefix Check this box to have the system immediately strip this prefix from the INVITE message.
Authentication Select one of the following:
• None — The system doesn’t issue authentication challenges or check authentication credentials for calls with this prefix.
• Authenticate — The system issues authentication challenges and checks authentication credentials for calls with this prefix.
The settings on the Device Authentication page (see Device Authentication on page 261) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block — The system blocks calls with this prefix.
See also:
Signaling Settings on page 72
Local Cluster Configuration Procedures on page 81

Logging Settings

The following table describes the fields on the Logging Settings page.
Field Description
Logging level Leave the default, Debug, unless advised to change it by Polycom support.
Production reduces system overhead and log file sizes, but omits information that’s useful for troubleshooting. Verbose debug is not recommended for production systems.
Rolling frequency If rolling the logs daily (the default) produces logs that are too large, shorten the interval.
Retention period (days) The number of days to keep log archives. For most systems, we recommend setting this to 7.
Local log forwarding Enables you to forward selected log entries to a central log management server (such as Graylog2). Specify:
The address of the destination server. It must be running some version of syslog.
The socket type (transport) for which the destination server’s version of syslog is configured. Most versions of syslog support only UDP, the default, but syslog-ng also supports TCP.
The facility value. Default is Local0.
The log or logs to forward.
Note: The RealPresence DMA system’s server.log entries are mapped to syslog-compliant severities (a “warn” message from server.log arrives at the destination server with the syslog-compliant “warn” level). All other logs being forwarded are assigned the syslog-compliant “notice” severity.
Each log message is forwarded with its server-side timestamp intact. The receiving syslog adds its own timestamp, but preserving the RealPresence DMA-applied timestamp makes it easier to accurately troubleshoot time-sensitive events.
See also:
Licenses for the Appliance Edition on page 70

Alerting Settings

The Alerting Settings page allows you to configure thresholds for system alerts. Here, you can enable or disable certain alerts, and control when they will be triggered.
Note: SNMP and System Alerts Configuration
Since the triggering of SNMP alerts coincides with system alerts, configuration on this page applies to both system alerts and SNMP alerts.
The Threshold Value column on the right of the page lists the configurable value for each alert’s threshold. Use the arrows next to each field or enter a new number to change the default value. Click the Update button to save your changes, or the Select Defaults button to revert them (Select Defaults returns the values in all fields on this page to their factory defaults).
See the table below for descriptions of each alert’s condition.
Alert ID Threshold Condition Description
3103 Days until server certificate expires is less than Alert when there are only this many days until the system’s security certificate expires.
3105 Days until CA certificate expires is less than Alert when there are only this many days until the server’s CA-signed security certificate expires.
3401 Percentage available disk space is less than Alert when the percentage of free disk space available on the DMA system falls below this value.
3404 Percentage log file usage is greater than Alert when the percentage of the log file storage area used by log data is above this value.
3405 Percentage CPU utilization is greater than Alert when system CPU utilization is between this lower limit, and...
And percentage CPU utilization is less than or equal to ...this upper limit.
3406 Percentage CPU utilization is greater than Alert when system CPU utilization is above this value.
5002 Number of hyperactive, blacklisted endpoints is greater than Alert when the number of registered endpoints that are blacklisted for sending too much H.323 traffic is above this value.

Local Cluster Configuration Procedures

This section describes the following Polycom RealPresence DMA 7000 system configuration procedures:
Add Licenses
Configure Signaling
Configure Logging
If you’re performing the initial configuration of your Polycom RealPresence DMA system, study Polycom RealPresence DMA® System Initial Configuration Summary on page 29 before you continue. Other tasks are required that are described elsewhere.

Add Licenses

Adding licenses to your Polycom RealPresence DMA system is a two-step process:
Request a software activation key code for each server.
Enter the activation key codes into the system.
The procedures below describe the process.
To request a software activation key code for each server
1 Log into the Polycom RealPresence DMA system as an administrator and go to Admin > Local Cluster > Licenses.
2 Record the serial number for each Polycom RealPresence DMA server:
Server A: ____________________________
Server B: ____________________________ (none for single-server system)
3 Go to http://www.polycom.com/activation.
4 If you don’t already have one, register for an account. Then log in.
5 Select Product Activation.
6 In the License Number field, enter the software license number listed on the first (or only) server’s License Certificate (shipped with the product).
7 In the Serial Number field, enter the first (or only) server’s serial number (which you recorded in step 2).
8 Click Generate.
9 When the activation key for the first (or only) server appears, record it:
Server A: __________-__________-_________-___________
10 If you have a single-server Polycom RealPresence DMA system, you’re finished with this procedure. Continue to the next procedure.
11 If you have a two-server cluster, repeat steps 6-8, this time entering the second license number you received and the second server’s serial number (also recorded in step 2).
Caution: Activation Keys Linked to the Server Serial Number
An activation key is linked to a specific server’s serial number. For a two-server cluster, you must generate the activation key for each server using that server’s serial number. Licensing will fail if you generate both activation keys from the same server serial number.
12 When the activation key for the second server appears, record it:
Server B: __________-__________-_________-___________
To enter license activation key codes
1 Go to Admin > Local Cluster > Licenses.
2 In the Activation key field for the first (or only) server, enter the activation key code that was generated for that server’s serial number.
Caution: Activation Keys Linked to the Server Serial Number
An activation key is linked to a specific server’s serial number. Each Activation Key field is labeled with a serial number. For a two-server cluster, make sure that the activation key code you enter for each server is the correct one for that server’s serial number.
3 If you have a two-server cluster, in the Activation key field for the second server, enter the activation key code that was generated for that server’s serial number.
4 Click Update.
A dialog box informs you that the licenses have been updated.
5 Click OK.
See also:
Licenses on page 70

Configure Signaling

To configure signaling
1 Go to Admin > Local Cluster > Signaling Settings.
2 To make the system accessible via H.323 calls:
a Select Enable H.323 signaling.
b Leave the default port numbers (1720 for H.225, 1719 for RAS) unless you have a good reason for changing them.
c Select H.323 multicast to support gatekeeper discovery messages from endpoints.
d To turn on H.235 authentication, select Enable H.323 device authentication.
Device authentication credentials must be added on the Inbound Authentication tab of the Device Authentication page. Click the Device authentication settings link to go directly there.
3 To make the system accessible via SIP calls:
a Select Enable SIP signaling.
b To enable pass-through of ANAT signaling (RFC 4091 and RFC 4092) in the Session Description Protocol (SDP) for the purpose of negotiating IP version in a dual-stack (IPv4 + IPv6) environment, select Enable ANAT support.
c If the system’s security settings permit unencrypted SIP connections, optionally set Unencrypted SIP port to TCP or UDP/TCP.
You must have the Administrator role to change security settings. See Security Settings on page 50.
Note: Understanding SIP Communications
The system only answers UDP calls if that transport is enabled. But for communications back to the endpoint, it uses the transport protocol that the endpoint requested (provided that the transport is enabled, and for TCP, that unencrypted connections are permitted).
For more information about this and other aspects of SIP, see RFC 3261.
d Leave the default port numbers (5060 for TCP/UDP, 5061 for TLS) unless you have a good reason for changing them.
e To turn on SIP digest authentication for either the unencrypted or TLS port, select the corresponding Enable authentication check box.
Device authentication credentials must be added on the Inbound Authentication tab of the Device Authentication page. Click the Device authentication settings link to go directly there.
f To enable mutual TLS (mTLS), select Require certificate validation for TLS.
4 To enable the system to receive untrusted calls (see Untrusted SIP Call Handling Configuration on page 73) from SIP session border controllers (SBCs) configured to route such calls to special ports, do the following:
a Under Unauthorized ports, click Add.
The Add Guest Port dialog box opens.
b Specify the port number, the transport, whether authentication is required, and for TLS, whether certificate validation is required (mTLS). Click OK.
The new entry is added to the Unauthorized ports list.
c Repeat for each additional port on which to receive “unauthorized” or “guest” calls.
5 To enable the system to receive untrusted calls (see Untrusted SIP Call Handling Configuration on page 73) from SIP session border controllers (SBCs) configured to add a specific prefix in the Request-URI of the INVITE message for such calls, do the following:
a Under Unauthorized prefixes, click Add.
The Add Guest Prefix dialog box opens.
b Specify the prefix number, whether it should be stripped, and whether authentication is required. Click OK.
The new entry is added to the Unauthorized prefixes list.
c Repeat for each additional prefix used for “unauthorized” or “guest” calls.
6 Click Update.
A dialog box informs you that the configuration has been updated.
7 Click OK.
The system processes the configuration. The Status field shows the current H.323 signaling state.
8 If you enabled the system to receive “unauthorized” or “guest” calls, do the following:
a Go to Admin > Call Server > Dial Rules and click in the Dial rules for unauthorized calls list to give it focus.
b Add one or more dial rules to be used for routing “unauthorized” or “guest” calls. See Dial Rules on page 239.
An unauthorized call rule can route calls to a conference room ID (virtual meeting room, or VMR), a virtual entry queue (VEQ), or a SIP peer.
Note: SIP URL Dialing Format
From SIP endpoints, users generally must dial (if a prefix is being used):
<prefix><VMR number>@<RealPresence DMA virtual host name or IP>
Depending on local DNS configuration, the host name could be the RealPresence DMA system’s FQDN or a shorter name that DNS can resolve.
For example, if the RealPresence DMA system’s virtual host name is dma-virt, the E.164 dial string prefix is 77, and the virtual meeting room number of the conference is 1001, SIP endpoint users dial:
771001@dma-virt
Depending on the network infrastructure and proxy server(s), it may be possible to use dial rules to enable numeric-only dialing (for instance, 771001) from SIP endpoints. Doing so is beyond the scope of this topic.
See also:
Signaling Settings on page 72

Configure Logging

To configure logging
1 Go to Admin > Local Cluster > Logging Settings.
2 Change Rolling frequency and Retention period as desired.
3 If requested to do so by Polycom support, change Logging level.
4 Click Update.
A dialog box informs you that the configuration has been updated.
5 Click OK.
See also:
Logging Settings on page 80

Automatically Send Usage Data

To continually improve the product, it is important to gain understanding of how the RealPresence DMA 7000 system is used by customers. By collecting this data, Polycom can identify both the system level utilization and the combination and usage of RealPresence DMA features. This usage data will inform Polycom which features are important and are actually used on your system. Polycom will use this information to help guide future development and testing to concentrate on the areas of RealPresence DMA that are most heavily used. If you choose not to send this information, Polycom is less aware of which features are important to you and that are used by you, which may influence future development to go in directions that are less beneficial to you.
Your decision to enable or not enable the sending of this data does not affect the availability of any documented system feature in any way. Enabling this feature does not affect the capacity or responsiveness of the RealPresence DMA system to process calls, conferences, GUI or API interactions.
The system sends the data once per hour over a secured (TLS) connection to a Polycom collection point (customerusagedatacollection.polycom.com). There is no access by any customer or others to view the data received at the collection point. The raw data will be viewable only by Polycom. To avoid any impact to starting and ending calls and conferences, data is never sent between 5 minutes before the hour and 5 minutes after the hour.
The following types of data are reported:
License information
Hardware configuration
System resource usage: CPU, RAM, disk, database
System configuration: number of servers, clusters
Feature configuration: Enterprise Directory Integration, Lync, Dial Rules, Shared Number Dialing, Hunt Groups, Registration Policy, Device Authentication
Number of users, endpoints, sites, MCUs, external gatekeepers, SIP peers, SBCs
Registrations, call and conference statistics (see Network Usage Report on page 415)
Security settings
When this information is reported, a customer’s user and environment identifying information (e.g., internal IP addresses and FQDNs, names of users, devices, external systems, etc.) are anonymized before being sent from the system. System serial numbers and license information are sent without anonymization and may be used to help improve customer experiences. In total, less than 100KB of data per hour is collected and sent.
Polycom’s collection and use of this data complies with Polycom’s Privacy Policy.

Enable or Disable Automatic Data Collection

Initially, you can decide to allow or disallow the automatic sending of usage data when the system’s End User License Agreement is presented.
You can view and change the current status of usage data sending and collection on the Admin > Local Cluster > Licenses page. Usage data is being sent only if the Automatically send usage data field is checked. By changing the value of this field, you can enable or disable this feature at any time.

See the Collected Data

The system records data that has been sent and collected in the system logs.
To see the collected data
1 Log in to the RealPresence DMA system as an Administrator.
2 Download the system logs. See System Logs Procedures on page 371.
3 On the PC where the logs have been downloaded, use an archiving or zipping tool to extract the file analytics.json.
Analytics.json is a text file containing the hourly data reported most recently before the time when the system logs were created.
4 View the analytics.json file with Notepad or another common text editing tool.

Device Management

This chapter describes the following Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system’s network device management pages:
Active Calls
Endpoints
Site Statistics
Site Link Statistics
External Gatekeeper
External SIP Peer
External H.323 SBC
Other Network menu topics are addressed in the following chapters:
Superclustering on page 226 (RealPresence DMAs)
MCU Management on page 124
Site Topology on page 278

Active Calls

The Active Calls page lets you monitor the calls in progress (managed by the Call Server) and disconnect an active call.
The search pane above the two lists lets you find calls matching the criteria you specify. Click the down arrow to expand the search pane. You can search for an originator or destination device by its name, alias, or IP address. You can limit your search by specifying one or more of the following:
Cluster, territory, or site.
Signaling type (H.323 or SIP) or registration status of the call originator.
Class of service or bit rate range.
The system matches any string you enter against the beginning of the values for which you entered it. If you enter “10.33.17” in the Originator field, it displays calls from devices whose IP addresses are in that subnet. To search for a string not at the beginning of the field, you can use an asterisk (*) as a wildcard.
Leave a field empty (or select the blank entry from a list) to match all values.
Note: Use Specific Filter Strings
Specifying a filter that includes too many active calls can be a drain on system resources.
The calls that match your search criteria (up to 500) appear in the lower list. You can pin a call that you want to study. This moves it to the upper list, and it remains there, even after the call ends, until you unpin it.
Details about the selected call are available in the Call Info, Originator, Destination, and Bandwidth tabs of the pane on the right. This information (and more) is also available in the Call Details dialog box, which appears when you click Show Call Details (in the Actions list). See Call Details Dialog Box on page 88 for descriptions of the data.
Note: Cluster vs. Supercluster Call Statistics
If a call traverses multiple clusters in a supercluster, it’s counted as a single call, but it appears in the results of each cluster it touches when you search by cluster. Therefore, the sum of the number of calls for each cluster may be greater than the total number of calls for the entire supercluster.
The following table describes the parts of the Active Calls list.
Column Description
(Pin State) Click to pin a call, moving it to the top list and keeping its information available even if the call ends. Click again to unpin it.
Start Time Time the call began (first signaling event).
Originator Source of the call (the device’s display name, if available; otherwise, its name, alias, or IP address, in that order of preference). If the originator is an MCU, the MCU name.
Dial String Dial string sent by originator, when available.
Destination Destination of the call (the device’s display name, if available; otherwise, its name, alias, or IP address, in that order of preference). If the destination is an MCU, the MCU name.
Bit Rate Bit rate (kbps) of the call. A down arrow indicates that the call was downspeeded. Hover over it to see details.
Class of Service Class of service (Gold, Silver, or Bronze) of the call.
See also:
Device Management on page 87
Call Details Dialog Box on page 88
Endpoints on page 91

Call Details Dialog Box

The Call Details dialog box appears when you click Show Call Details on the Active Calls page or Call History page. It provides detailed information about the selected call.
The following table describes the fields in the dialog box.
Tab/Field/Column Description
Call Info
Call Info Displays the call’s:
Status (active/ended and pinned/unpinned)
Start time and end time
Duration
Signaling protocol(s)
Polycom RealPresence DMA server(s) involved
Unique call ID
Dial string, if available
Final dial string (after processing by dial rules)
Originator Displays the source device’s:
Name and authentication name
Authentication status
Model and version
Aliases
IP address or host name
Registration status
Site and territory
If this is a registered endpoint or a registered/configured MCU, a link takes you to the corresponding page with that endpoint or MCU selected.
Destination Displays the destination device’s:
Name and authentication name
Authentication status
Model and version
Aliases
IP address or host name
Registration status
Site and territory
If this is a registered endpoint or a registered/configured MCU, a link takes you to the corresponding page with that endpoint or MCU selected.
Bandwidth Available only after the call has ended. The table at the top lists each throttle point that the call traverses and shows its:
Bit rate limit per call (kbps)
Total capacity (kbps)
Used bit rate (kbps) in each class of service
Weight (%)
Territory
If the throttle point is a subnet, site, or site link, a link takes you to the corresponding site topology page with the throttle point entity selected.
Below the table, the data used in bandwidth processing is displayed (all bit rates are kbps):
Formal maximum bit rate limit — the maximum allowed bit rate considering the per call bit rates of each throttle point, but not considering total capacity or current usage
Available bit rate capacity in each class of service and for the call’s class
Class of service for the call
Minimum downspeed bit rate
Available bit rate limit (%) — the maximum percentage of remaining bandwidth at a throttle point that will be given to any one call (configurable on the Call Server Settings page)
Requested bit rate
Final bit rate
Call Events Lists each call event in the call and its attributes.
When the system is operating as a SIP proxy server, the list includes all SIP signaling messages except 100 TRYING.
Hover over an attribute label to see a description. Click Show Message to see the signaling message. Click Show QoS Data to see detailed quality of service statistics.
Subscription Events For conference (VMR) calls, lists SUBSCRIBE/NOTIFY events, if any, associated with this call.
The SIP SUBSCRIBE/NOTIFY conference notification service (as described in RFCs 3265 and 4575) allows SIP devices (generally, conference participants) to subscribe to a conference and receive conference rosters and notifications of conference events. The rosters identify the participants, their endpoints, and their video streams.
Hover over an attribute label to see a description. Click Show Message to see the signaling message.
Note: If the system is configured to let devices subscribe to a conference without being participants in the conference (see Security Settings on page 50), the call history doesn’t include data for such non-participant subscriptions. But be aware that a subscription to a conference by a non-participant consumes a call license.
Property Changes Lists each property change in the call, showing the value, time, and sequence
number of the associated event.
QoS Quality of service data is only available if one of the endpoints is a registered
H.323 endpoint that supports IRQs. This tab displays a graph showing how QoS varied during the call. The horizontal scale and frequency of data points (dots on the lines of the graph) vary based on the length of the call.
Hover over a data point to see the value at that point.
See also:
Active Calls on page 87

Endpoints

The Endpoints page provides access to information about the devices known to the Polycom RealPresence DMA system. From it, you can:
View details about a device.
View the call history or registration history of a device.
Add aliases for a device, edit or delete added aliases (but not aliases with which the device registered), and configure the class of service settings.
Block a device, which prevents it from registering.
Unblock a blocked device, allowing it to register.
Quarantine a device, which allows it to register (or remain registered), but not to make or receive calls.
Remove a quarantined device from quarantine, allowing it to make and receive calls.
Delete an inactive device or devices. An inactive device is one whose registration has expired.
Depending on your Registration Policy settings (see Registration Policy on page 264), inactive devices may be automatically deleted after a specified number of days.
Select multiple devices to block/unblock, quarantine/unquarantine, delete, or change specific settings of (device authentication, permanent registration, and class of service).
Manually add a device. The registration status of the device depends on the system’s registration policy (see Add Endpoint Dialog Box on page 96).
Associate a user with a device.
Note: Resource Management Integration and User-to-Device Association
If the Polycom RealPresence DMA system is integrated with a Polycom RealPresence Resource Manager or CMA system, it receives user-to-device association information from that system, and you can only associate users with devices on the Polycom RealPresence Resource Manager or CMA system.
The search pane above the list lets you find devices matching the criteria you specify. The default search finds all endpoints with active registrations. Click the down arrow to expand the search pane.
The system matches any string you enter against the beginning of the values for which you entered it. If you enter “10.33.17” in the IP address field, it displays devices whose IP addresses are in that subnet. To search for a string not at the beginning of the field, you can use an asterisk (*) as a wildcard.
Leave a field empty (or select the blank entry from a list) to match all values.
Check Exceptions to find devices for which the registration policy script returned an exception. Leave the field to the right empty to match all exception values, or enter a search string to find only exceptions matching that string.
Check Exceptions and enter an exclamation point (!) in the field to the right to find only devices with no exceptions.
The devices that match your search criteria (up to 500) are listed below.
The following table describes the parts of the Endpoints list.
Column Description
Name The name of the device.
Model The model designation of the device.
IP Address The IP address of the device.
Alias The aliases, if any, assigned to the device.
Site The site to which the device belongs.
Owner Domain The domain to which the device’s owner, if any, belongs.
Owner The user who owns the device.
Class of Service The class of service assigned to the device:
Gold
Silver
Bronze
Inherit from associated user (if none, default to Bronze)
Note: When a device calls a conference room (VMR), the class of service of the conference room applies to the call, not the class of service of the device.
Admission Policy Indicates the admission policy applied to the device:
Allow
Block
Quarantine
Reject
Compliance Level Indicates whether the device is compliant or noncompliant with the applicable
registration policy script (see Registration Policy on page 264).
Registration Status The registration status of the device:
Active — The device is registered and can make and receive calls.
Inactive — The device’s registration has expired. Whether it can make and
receive calls depends on the system’s rogue call policy (see Call Server
Settings on page 234) and. It can register again.
Quarantined — The device is registered, but it can’t make or receive calls.
It remains in Quarantined or Quarantined (Inactive) status until you remove it from quarantine.
Quarantined (Inactive) — The device was quarantined, and its registration
has expired. It can register again, returning to Quarantined status.
Blocked — The device is not permitted to register. It remains blocked from
registering until you unblock it.
If the device is in a site managed by the system, its ability to make and receive calls depends on the system's rogue call policy (see Call Server Settings on page 234).
If the device is not in a site managed by the system, it can’t make or receive calls.
A device’s status can be determined by:
An action by the device.
An action applied to it manually on this page.
The expiration of a timer.
The application of a registration policy and admission policy (see
Registration Policy on page 264).
Exceptions Shows any exceptions with which the device was flagged as a result of
applying a registration policy.
Active Calls Indicates if the device is in a call.
Device Authentication Indicates whether the endpoint must authenticate itself.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication on page 261), or the setting for the device has no effect.
The Actions list associated with the Endpoints list contains the items in the following table.
Command Description
View Details Opens the Device Details dialog box for the selected endpoint.
Add Opens the Add Endpoint dialog box, where you can manually add a device to the
system.
Edit Opens the Edit Endpoint dialog box for the selected endpoint, where you can change its information and settings. If multiple endpoints are selected, opens the Edit Endpoint dialog box, where you can change the device authentication, permanent registration, and class of service settings.
Delete Removes the registration of the selected endpoint(s) with the Call Server and
deletes the endpoint(s) from the Polycom RealPresence DMA system. A dialog box asks you to confirm.
Unregistered endpoints are treated like rogue endpoints (see Call Server Settings on page 234). The device can register again.
Associate User Opens the Associate User dialog box for the selected endpoint, where you can associate this device with a user.
Not available if the Polycom RealPresence DMA system is integrated with a Polycom RealPresence Resource Manager or CMA system. In that case, it receives user-to-device association information from that system.
Block Registrations Prevents the endpoint(s) from registering with the Call Server. A dialog box asks you
to confirm. When blocked endpoints are selected, this becomes Unblock Registrations.
If a blocked device is in a site managed by the system, its ability to make and receive calls depends on the system's rogue call policy (see Call Server Settings on page 234). If the device is not in a site managed by the system, it can’t make or receive calls.
Quarantine Prevents the endpoint(s) from making or receiving calls. A dialog box asks you to confirm. When quarantined endpoints are selected, this becomes Unquarantine.
Unlike a blocked endpoint, a quarantined endpoint is registered (or can register) with the Call Server.
View Call History Takes you to Reports > Call History and displays the call history for the selected
endpoint.
View Registration History Takes you to Reports > Registration History and displays the registration history
for the selected endpoint.

Names/Aliases in a Mixed H.323 and SIP Environment

An endpoint that supports both H.323 and SIP can register with the Polycom RealPresence DMA system’s gatekeeper and SIP registrar using the same name/alias. When the RealPresence DMA system receives a call for that endpoint, it uses the protocol of the calling endpoint. This is logical and convenient, but it can lead to failed calls under the following circumstances:
The system is configured to allow calls to/from rogue (not actively registered) endpoints (see Call Server Settings on page 234).
An endpoint that was registered with both protocols (using the same name/alias) later has one of the protocols disabled, and that registration expires (or otherwise becomes inactive).
The Polycom RealPresence DMA system doesn’t know if the endpoint no longer supports that protocol. When another endpoint tries to call using the called endpoint’s disabled protocol, the system still tries to reach it using that protocol, and the call fails.
To avoid this problem, you can do one of the following:
Ensure that endpoints supporting both protocols use different names/aliases for each protocol.
Don’t allow calls to/from rogue endpoints.
If you know an endpoint has stopped supporting a protocol, manually delete its inactive registration for that protocol.
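The failure condition described above can be checked against an endpoint inventory. The following is an added example, not part of the Polycom guide: it flags aliases that are registered under both H.323 and SIP, and the record fields and sample devices are constructed for illustration rather than taken from a RealPresence DMA export.

```python
from collections import defaultdict

PROTOCOLS = {"H.323", "SIP"}

# Constructed inventory: one record per registration. The field names are
# assumptions for this example, not a RealPresence DMA export format.
SAMPLE_REGISTRATIONS = [
    {"name": "hdx-boardroom", "protocol": "H.323", "status": "Active",
     "aliases": ["boardroom"]},
    {"name": "hdx-boardroom", "protocol": "SIP", "status": "Inactive",
     "aliases": ["boardroom"]},
    {"name": "hdx-lab", "protocol": "H.323", "status": "Active",
     "aliases": ["lab"]},
    {"name": "hdx-lab", "protocol": "SIP", "status": "Active",
     "aliases": ["lab"]},
    {"name": "hdx-lobby", "protocol": "H.323", "status": "Active",
     "aliases": ["lobby-h323"]},
    {"name": "hdx-lobby", "protocol": "SIP", "status": "Inactive",
     "aliases": ["lobby-sip"]},
]


def audit_shared_aliases(registrations, rogue_calls_allowed):
    """Classify aliases that are registered under both H.323 and SIP.

    Returns {alias: finding}, where finding is one of:
      "stale:<protocol>"  one registration is Active, the <protocol> one is
                          Inactive, and rogue calls are allowed, so calls
                          arriving over <protocol> are still attempted and fail
      "shared"            both registrations are Active under one alias; the
                          alias turns stale if either protocol is disabled
    Aliases are compared as exact strings (assumed already normalized).
    """
    by_alias = defaultdict(lambda: defaultdict(set))  # alias -> protocol -> statuses
    for reg in registrations:
        if reg["protocol"] not in PROTOCOLS:
            continue
        for alias in reg["aliases"]:
            by_alias[alias][reg["protocol"]].add(reg["status"])

    findings = {}
    for alias, per_protocol in by_alias.items():
        if set(per_protocol) != PROTOCOLS:
            continue  # alias is used by one protocol only: nothing to confuse
        active = sorted(p for p, s in per_protocol.items() if "Active" in s)
        inactive = sorted(p for p, s in per_protocol.items()
                          if "Inactive" in s and "Active" not in s)
        if len(active) == 2:
            findings[alias] = "shared"
        elif len(active) == 1 and len(inactive) == 1 and rogue_calls_allowed:
            findings[alias] = "stale:" + inactive[0]
    return findings


if __name__ == "__main__":
    for alias, finding in audit_shared_aliases(SAMPLE_REGISTRATIONS, True).items():
        print(alias, finding)
```

A "stale" finding maps to the third remedy (delete the inactive registration once you know the protocol was disabled); a "shared" finding maps to the first (use a different name/alias per protocol).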

Naming ITP Systems Properly for Recognition by the Polycom RealPresence DMA System

A Polycom Immersive Telepresence (ITP) room system contains multiple displays and codecs (endpoints). If the ITP system is using SIP or H.323 signaling (not Cisco TIP signaling), then in order for the Polycom RealPresence DMA system to recognize these devices as part of an ITP system, they must have names that properly identify them. The names must take the form systemName_M_N, where M is the total number of displays in the ITP system (2, 3, or 4) and N is the sequence number of each display. The “primary” codec must be assigned sequence number 1.
For example, the three HDX devices in a Polycom OTX 300 ITP system named Bainbridge might be named as follows:
Bainbridge ITP_3_1
Bainbridge ITP_3_2
Bainbridge ITP_3_3
When these three devices register (H.323 or SIP) with the Polycom RealPresence DMA system’s Call Server, the RealPresence DMA system recognizes them as constituting a single ITP system and assigns them a Gold class of service (you can change this if you wish). The RealPresence DMA system also manages the device authentication settings as applying to a single system.
You can only edit the device authentication and class of service settings for the primary codec (the device with sequence number 1); the RealPresence DMA system automatically propagates any changes to the other devices in the ITP system.
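Because a codec whose name does not follow systemName_M_N is not recognized as part of its ITP system, it is worth checking names before the devices register. The following is an added example, not part of the Polycom guide: it groups device names by system and reports naming problems, using the Bainbridge names from above plus constructed names for the failure cases.

```python
import re
from collections import defaultdict

# systemName_M_N: M = total displays (2, 3 or 4), N = this display's sequence number.
ITP_NAME = re.compile(r"^(?P<system>.+)_(?P<total>\d+)_(?P<seq>\d+)$")
VALID_TOTALS = {2, 3, 4}

SAMPLE_NAMES = [
    "Bainbridge ITP_3_1", "Bainbridge ITP_3_2", "Bainbridge ITP_3_3",  # from the guide
    "Winslow ITP_3_2", "Winslow ITP_3_3",        # constructed: primary codec missing
    "Poulsbo ITP_4_1", "Poulsbo ITP_4_2",        # constructed: duplicate, out of
    "Poulsbo ITP_4_2", "Poulsbo ITP_4_5",        #   range and missing sequence numbers
    "Kingston ITP_5_1",                          # constructed: M is not 2, 3 or 4
    "Lobby HDX",                                 # constructed: not an ITP-style name
]


def parse_itp_name(name):
    """Return (system, total, seq) for a name shaped like systemName_M_N, else None."""
    match = ITP_NAME.match(name.strip())
    if not match:
        return None
    return match.group("system"), int(match.group("total")), int(match.group("seq"))


def audit_itp_names(device_names):
    """Group names into ITP systems and return {system: [problem, ...]}.

    An empty list means every codec of that system is named consistently.
    Names that do not look like systemName_M_N are ignored.
    """
    systems = defaultdict(list)
    for name in device_names:
        parsed = parse_itp_name(name)
        if parsed:
            system, total, seq = parsed
            systems[system].append((total, seq))

    report = {}
    for system, members in sorted(systems.items()):
        problems = []
        totals = sorted({total for total, _ in members})
        bad = [t for t in totals if t not in VALID_TOTALS]
        if bad:
            problems.append(f"display count M must be 2, 3 or 4, found {bad}")
        if len(totals) > 1:
            problems.append(f"codecs disagree on display count M: {totals}")
        if not problems:
            total = totals[0]
            seqs = [seq for _, seq in members]
            for seq in sorted(set(seqs)):
                if seqs.count(seq) > 1:
                    problems.append(f"sequence number {seq} used more than once")
                if not 1 <= seq <= total:
                    problems.append(f"sequence number {seq} outside 1..{total}")
            missing = sorted(set(range(1, total + 1)) - set(seqs))
            if 1 in missing:
                problems.append("no primary codec (sequence number 1)")
            others = [seq for seq in missing if seq != 1]
            if others:
                problems.append(f"missing sequence numbers: {others}")
        report[system] = problems
    return report


if __name__ == "__main__":
    for system, problems in audit_itp_names(SAMPLE_NAMES).items():
        print(system, "OK" if not problems else problems)
```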
Note: ITP Systems and Bit Rates
The RealPresence DMA system’s ability to recognize ITP calls and treat them as one assures the same class of service and device authentication settings for all the endpoints in the ITP system, but not other registration settings. It’s up to you to ensure that the maximum and minimum bit rates and other registration settings are consistent.
Note: ITP Systems and CDRs
For ITP systems using SIP or TIP signaling (but not H.323), the RealPresence DMA system also creates a single CDR for calls from the ITP system rather than separate CDRs for each of the three devices. See Call Record Layouts on page 400.
Follow this naming convention for both the HDX system name and the name for each HDX endpoint in the ITP system. For more information, see the following documents:
Administrator’s Guide for Polycom HDX Systems
Polycom Immersive Telepresence (ITP) Deployment Guide
Polycom Multipoint Layout Application (MLA) User’s Guide for Use with Polycom Telepresence Solutions
See also:
Device Management on page 87
Add Endpoint Dialog Box on page 96
Edit Device Dialog Box on page 97
Associate User Dialog Box on page 99
Active Calls on page 87

Add Endpoint Dialog Box

The Add Endpoint dialog box lets you manually add a device to the system.
When you add an endpoint manually, the system applies its registration policy script (see Registration Policy on page 264) to determine the device’s compliance level (compliant or noncompliant with the policy), and then applies the admission policy associated with that result to determine the registration status of the device.
The following table describes the parts of the dialog box.
Field Description
Device type The device’s signaling protocol (H.323 or SIP).
Signaling address For an H.323 device, the H.225 call signaling address and port of the device. Either
this or the RAS address is required.
RAS address For an H.323 device, the RAS (Registration, Admission and Status) channel address
and port of the device.
Aliases For an H.323 device, lists the device’s aliases. When you’re adding a device, this list
is empty. The Add button lets you add an alias.
Address of record For a SIP device, the AOR with which the device registers (see registration rules in
RFC 3261), such as:
sip:1000@westminster.polycom.com
Device authentication Indicates whether the endpoint must authenticate itself.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication on page 261), or the setting for the device has no effect.
Class of service Select to specify the class of service and the bit rate limits for calls to and from this device. A call between two devices receives the higher class of service of the two.
Note: When a device calls a conference room (VMR), the class of service of the conference room applies to the call, not the class of service of the device.
Maximum bit rate (kbps) The maximum bit rate for calls to and from this device.
Minimum downspeed bit rate (kbps) The minimum bit rate to which calls from this device can be downspeeded to manage bandwidth. If this minimum isn’t available, the call is dropped.
Model Optional model number/name for the device.
Version Optional version information for the device.
See also:
Endpoints on page 91
Add Alias Dialog Box on page 99
Edit Alias Dialog Box on page 99

Edit Device Dialog Box

The Edit Device dialog box lets you change a device’s class of service settings, add aliases, and edit or delete added aliases. You can’t edit or delete aliases with which the device registered.
The following table describes the parts of the dialog box.
Field Description
Device type The device’s signaling protocol (H.323 or SIP).
Signaling address For an H.323 device, the H.225 call signaling address and port of the device. Either
this or the RAS address is required.
RAS address For an H.323 device, the RAS (Registration, Admission and Status) channel address
and port of the device.
Aliases For an H.323 device, lists the device’s aliases. When you’re adding a device, this list
is empty. The Add button lets you add an alias.
Site The site to which the device belongs. Display only.
Owner domain The domain to which the device’s owner belongs, if provided by the device. Display
only.
Owner The user who owns the device, if provided by the device. Display only.
Registration status The registration status of the device. Display only.
Permanent Prevents the registration from ever expiring.
Device authentication Indicates whether the endpoint must authenticate itself.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication on page 261), or the setting for the device has no effect.
Class of service Select to modify the class of service and the bit rate limits for calls to and from this device. A call between two devices receives the higher class of service of the two.
Note: When a device calls a conference room (VMR), the class of service of the conference room applies to the call, not the class of service of the device.
Maximum bit rate (kbps) The maximum bit rate for calls to and from this device.
Minimum downspeed bit rate (kbps) The minimum bit rate to which calls from this device can be downspeeded to manage bandwidth. If this minimum isn’t available, the call is dropped.
Forward if no answer If the device doesn’t answer, forward calls to the specified alias.
Registered endpoints can activate this feature by dialing the vertical service code (VSC) for it (default is *73) followed by the alias. They can deactivate it by dialing the VSC alone.
Forward if busy If the device is busy, forward calls to the specified alias.
Registered endpoints can activate this feature by dialing the VSC for it (default is *74) followed by the alias. They can deactivate it by dialing the VSC alone.
Forward unconditionally Forward all calls to the specified alias.
Registered endpoints can activate this feature by dialing the VSC for it (default is *75) followed by the alias. They can deactivate it by dialing the VSC alone.
Alert when endpoint unregisters If the device unregisters from the Call Server or its registration expires, an informational alert is triggered (see Alert 5003 on page 365).
See also:
Endpoints on page 91
Add Alias Dialog Box on page 99
Edit Alias Dialog Box on page 99

Edit Devices Dialog Box

The Edit Devices dialog box appears when you select multiple devices on the Endpoints page and click Edit Devices. It lets you change certain settings for multiple devices at a time.
The following table describes the parts of the dialog box.
Field Description
Device authentication Indicates whether the selected devices must authenticate themselves.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication on page 261), or the setting for these devices has no effect.
Permanent Prevents the registration of the selected devices from ever expiring.
Class of service Select to modify the class of service and the bit rate limits for calls to and from the selected devices. A call between two devices receives the higher class of service of the two.
Note: When a device calls a conference room (VMR), the class of service of the conference room applies to the call, not the class of service of the device.
Maximum bit rate (kbps) The maximum bit rate for calls to and from the selected devices.
Minimum downspeed bit rate (kbps) The minimum bit rate to which calls from the selected devices can be downspeeded to manage bandwidth. If this minimum isn’t available, the call is dropped.
Alert when endpoint unregisters If one of the selected devices unregisters from the Call Server or its registration expires, an informational alert is triggered (see Alert 5003 on page 365).
See also:
Endpoints on page 91
Edit Device Dialog Box on page 97

Add Alias Dialog Box

The Add Alias dialog box lets you specify an alias for the H.323 device you’re adding or editing. Enter the alias in the Value box and click OK.
See also:
Endpoints on page 91
Add Endpoint Dialog Box on page 96
Edit Device Dialog Box on page 97

Edit Alias Dialog Box

The Edit Alias dialog box lets you change the selected alias for the H.323 device you’re editing. You can’t edit aliases with which the device registered, only those that have been added. Edit the alias in the Value box and click OK.
See also:
Endpoints on page 91
Edit Device Dialog Box on page 97

Associate User Dialog Box

Note: Resource Management Integration and User-to-Device Association
If the Polycom RealPresence DMA system is integrated with a Polycom RealPresence Resource Manager or CMA system, it receives user-to-device association information from that system, and you can only associate users with devices on the Polycom RealPresence Resource Manager or CMA system.
The Associate User dialog box lets you associate the selected device with a user. Use the search fields at the top to find the user you want to associate with this device.
You can search by user ID, first name, or last name. The Search users field searches all three for matches. The system matches the string you enter against the beginning of the field you’re searching. For instance, if you enter “sa” in the Last name field, it displays users whose last names begin with “sa.” To search for a string not at the beginning of the field, you can use an asterisk (*) as a wildcard.
When you find the right user, select that row and click OK. A prompt asks you to confirm associating the endpoint with this user.
See also:
Endpoints on page 91

Site Statistics

The Site Statistics page lists the sites defined in the Polycom RealPresence DMA system’s site topology and, for those controlled by the system, traffic and QoS statistics. Network clouds and the default internet site aren’t included.
The following table describes the fields in the list.
Column Description
Site Name Name of the site.
Number of Calls Number of active calls.
Bandwidth Used % Percentage of available bandwidth in use.
Bandwidth (Mbps) Total available bandwidth.
Avg Bit Rate (kbps) Average bit rate of the active calls.
Note: Bit rate is not the same as bandwidth. Since the bit rate applies in both directions and there is overhead, the actual bandwidth consumed is about 2.5 times the bit rate.
Packet Loss % Average packet loss percentage of the active calls.
Avg Jitter (msec) Average jitter rate of the active calls.
Avg Delay (msec) Average delay rate of the active calls.
Territory Territory to which the site belongs.
Cluster Cluster responsible for the territory to which the site belongs.
See also:
Device Management on page 87
Sites on page 279

Site Link Statistics

The Site Link Statistics page lists the site links defined in the Polycom RealPresence DMA system’s site topology and, for those controlled by the system, traffic and QoS statistics.
The following table describes the fields in the list.
Column Description
Site Link Name Name of the site link.
Number of Calls Number of active calls.
Bandwidth Used % Percentage of available bandwidth in use.
Bandwidth (Mbps) Total available bandwidth.