Polycom RealPresence DMA 7000 System Operation Manual

Operations Guide
6.2 | December 2014 | 3725-76302-001P
Polycom® RealPresence® DMA® 7000 System
Copyright© 2014, Polycom, Inc. All rights reserved. No part of this document may be reproduced, translated into another language or format, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc.
6001 America Center Drive San Jose, CA 95002 USA
Polycom®, the Polycom logo and the names and marks associated with Polycom products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom.
Java is a registered trademark of Oracle America, Inc., and/or its affiliates.
End User License Agreement: By installing, copying, or otherwise using this product, you acknowledge that you have read, understand and agree to be bound by the terms and conditions of the End User License Agreement for this product. The EULA for this product is available on the Polycom Support page for the product.
Patent Information: The accompanying product may be protected by one or more U.S. and foreign patents and/or pending patent applications held by Polycom, Inc.
Open Source Software Used in this Product: This product may contain open source software. You may receive the open source software from Polycom up to three (3) years after the distribution date of the applicable product or software at a charge not greater than the cost to Polycom of shipping or distributing the software to you.
Disclaimer: While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document.
Limitation of Liability: Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages.
Customer Feedback: We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to DocumentationFeedback@polycom.com.
Polycom Support: Visit the Polycom Support Center for End User License Agreements, software downloads, product documents, product licenses, troubleshooting tips, service requests, and more.
Contents
Polycom® RealPresence DMA® 7000 System Overview . . . . . . . . . . . . . . . . . . . 13
Introduction to the Polycom RealPresence DMA System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
The Polycom RealPresence DMA System’s Primary Functions . . . . . . . . . . . . . . . . . . . . 13
The Polycom RealPresence DMA System’s Three Configurations . . . . . . . . . . . . . . . . . 16
System Capabilities and Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
System Port Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Polycom Solution Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Working in the Polycom RealPresence DMA System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Accessing the Polycom RealPresence DMA System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Field Input Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Settings Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Polycom RealPresence DMA System User Roles and Their Access Privileges . . . . . . . . 22
Open Source Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
License Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Polycom RealPresence DMA System Initial Configuration Summary . . . . . . . . 27
Add Required DNS Records for the Polycom RealPresence DMA System . . . . . . . . . . . . . . 28
Additional DNS Records for SIP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Additional DNS Records for the H.323 Gatekeeper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Additional DNS Records for the Optional Embedded DNS Feature . . . . . . . . . . . . . . . . . 29
Verify That DNS Is Working for All Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
License the Polycom RealPresence DMA System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
License the RealPresence DMA System, Appliance Edition . . . . . . . . . . . . . . . . . . . . . . 30
License the RealPresence DMA System, Virtual Edition . . . . . . . . . . . . . . . . . . . . . . . . . 31
Set Up Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configure the Call Server and Optionally Create a Supercluster . . . . . . . . . . . . . . . . . . . . . . 32
Set Up Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Set Up MCUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Connect to Microsoft Active Directory® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Set Up Conference Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Test the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Security Certificates Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
How Certificates Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Forms of Certificates Accepted by the Polycom RealPresence DMA System . . . . . . . . . 37
How Certificates Are Used by the Polycom RealPresence DMA System . . . . . . . . . . . . . 38
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Certificate Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Certificate Information Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Certificate Signing Request Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Add Certificates Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Certificate Details Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Certificate Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Install a Certificate Authority’s Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Create a Certificate Signing Request in the RealPresence DMA System . . . . . . . . . . . . 45
Install a Certificate in the RealPresence DMA System . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Remove a Certificate from the RealPresence DMA System . . . . . . . . . . . . . . . . . . . . . . 47
Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
The Consequences of Enabling Maximum Security Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Enabling File Uploads in Maximum Security with Mozilla Firefox . . . . . . . . . . . . . . . . . . . 55
Login Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Local Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Local User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Access Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Reset System Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Local Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Routing Configuration Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Licenses for the Appliance Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Licenses for the Virtual Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Signaling Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
H.323 and SIP Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Add Guest Port Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Edit Guest Port Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Add Guest Prefix Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Edit Guest Prefix Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Logging Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Alerting Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Local Cluster Configuration Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Add Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configure Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configure Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Automatically Send Usage Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Enable or Disable Automatic Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
See the Collected Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Active Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Call Details Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Names/Aliases in a Mixed H.323 and SIP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Naming ITP Systems Properly for Recognition by the Polycom RealPresence DMA System . . . . 93
Add Endpoint Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Edit Device Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Edit Devices Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Add Alias Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Edit Alias Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Associate User Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Site Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Site Link Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
External Gatekeeper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Add External Gatekeeper Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Edit External Gatekeeper Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
External SIP Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Multiple External SIP Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Add External SIP Peer Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Edit External SIP Peer Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
SIP Peer Postliminary Output Format Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Add Authentication Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Edit Authentication Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Add Outbound Registration Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Edit Outbound Registration Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
External H.323 SBC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Add External H.323 SBC Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Edit External H.323 SBC Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
MCU Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
MCUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Considerations when using MCUs with the RealPresence DMA system . . . . . . . . . . . . 127
Add MCU Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Edit MCU Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Add Session Profile Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Edit Session Profile Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
ISDN Gateway Selection Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
MCU Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
MCU Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Add MCU Pool Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Edit MCU Pool Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
MCU Pool Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
MCU Pool Orders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Add MCU Pool Order Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Edit MCU Pool Order Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
MCU Selection Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
MCU Availability and Reliability Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
MCU Pool Order Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Integrations with Other Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Microsoft Active Directory® Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Microsoft Active Directory Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Active Directory Integration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Understanding Base DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Adding Passcodes for Enterprise Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
About the System’s Directory Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Microsoft® Lync® 2013 Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Lync 2010 vs. Lync 2013 Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Scheduled Conferences with Polycom RealConnect™ . . . . . . . . . . . . . . . . . . . . . . . . . 168
Automatic Contact Creation and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Active Directory Service Account Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Lync and non-Lync Endpoint Collaboration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Considerations and Requirements for Lync 2013 Integration . . . . . . . . . . . . . . . . . . . . . 170
Lync 2010 and 2013 Client / Server Feature Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Integrate RealPresence DMA and Lync 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Diagnose Presence Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Microsoft Exchange Server Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Polycom Solution and Integration Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Differences between Calendaring and Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Microsoft Exchange Server Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Exchange Server Integration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
RealPresence Resource Manager Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
RealPresence Resource Manager Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Join RealPresence Resource Manager Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
RealPresence Resource Manager Integration Procedures . . . . . . . . . . . . . . . . . . . . . . . 179
Juniper Networks SRC Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Juniper Networks SRC Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Juniper Networks SRC Integration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Conference Manager Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Conference Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Default Polycom Conference Contacts Presence Settings . . . . . . . . . . . . . . . . . . . . . . . 186
Remove Contacts from Active Directory Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Conference Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Two Types of Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Template Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
About Conference IVR Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
About Cascading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Conference Templates List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Add Conference Template Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Edit Conference Template Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Select Layout Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Conference Templates Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
IVR Prompt Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Shared Number Dialing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Add Virtual Entry Queue Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Add Direct Dial Virtual Entry Queue Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Edit Virtual Entry Queue Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Edit Direct Dial Virtual Entry Queue Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Script Debugging Dialog for VEQ Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Sample Virtual Entry Queue Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Superclustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
About Superclustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
DMAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Join Supercluster Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Supercluster Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Call Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
About the Call Server Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Call Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Dial Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Test Dial Rules Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
The Default Dial Plan and Suggestions for Modifications . . . . . . . . . . . . . . . . . . . . . . . . 243
Add Dial Rule Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Edit Dial Rule Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Preliminary/Postliminary Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Predefined Preliminary/Postliminary Scripting Variables . . . . . . . . . . . . . . . . . . . . . . . . 254
Preliminary/Postliminary Scripting Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
How Dial Rule Actions Affect SIP Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Script Debugging Dialog for Preliminaries/Postliminaries . . . . . . . . . . . . . . . . . . . . . . . . 258
Sample Preliminary and Postliminary Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Hunt Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Add Hunt Group Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Edit Hunt Group Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Add Alias Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Edit Alias Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Device Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Add Device Authentication Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Edit Device Authentication Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Registration Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Registration Policy Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Script Debugging Dialog for Registration Policy Scripts . . . . . . . . . . . . . . . . . . . . . . . . . 272
Sample Registration Policy Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Prefix Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Add Simplified ISDN Gateway Dialing Prefix Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Edit Simplified ISDN Gateway Dialing Prefix Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Edit Vertical Service Code Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Embedded DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
History Retention Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Site Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
About Site Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Site Information Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Add Site Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Edit Site Dialog
Add Subnet Dialog
Edit Subnet Dialog
Site Links
Add Site Link Dialog
Edit Site Link Dialog
Site-to-Site Exclusions
Add Site-to-Site Exclusion Wizard
Territories
Add Territory Dialog
Edit Territory Dialog
Network Clouds
Add Network Cloud Dialog
Edit Network Cloud Dialog
Site Topology Configuration Procedures
Users and Groups
User Roles Overview
Adding Users Overview
Users
Add User Dialog
Edit User Dialog
Authentication Required Dialog
Select Associated Endpoints Dialog
Conference Rooms Dialog
Add Conference Room Dialog
Edit Conference Room Dialog
Add Dial-out Participant Dialog
Edit Dial-out Participant Dialog
Users Procedures
Conference Rooms Procedures
Groups
Import Enterprise Groups Dialog
Edit Group Dialog
Enterprise Groups Procedures
Login Sessions
Change Password Dialog
System Management and Maintenance
Management and Maintenance Overview
Administrator Responsibilities
Administrative Best Practices
Auditor Responsibilities
Auditor Best Practices
Provisioner Responsibilities
Recommended Regular Maintenance
Regular archive of backups
General system health and capacity checks
Microsoft Active Directory health
Security configuration
Certificates
Network usage data export
CDR export
Dashboard
Active Directory Integration Pane
Call Server Active Calls Pane
Call Server Registrations Pane
Cluster Info Pane
Conference History – Max Participants Pane
Conference Manager MCUs Pane
Conference Manager Usage Pane
Exchange Server Integration Pane
Juniper Networks SRC Integration Pane
License Status Pane
RealPresence Resource Manager Integration Pane
Signaling Settings Pane
Supercluster Status Pane
Territory Status Pane
User Login History Pane
Alerts
Supercluster Status
Territory Status
Asynchronous Operation
RealPresence Resource Manager System Integration
Active Directory Integration
Exchange Server Integration
Database Status
Lync Integration
Signaling
Certificate
Licenses
Networks
Server Resources
Data Synchronization
System Health and Availability
MCUs
Endpoints
Conference Manager
Conference Status
Lync Presence Publishing
Call Server
Call Bandwidth Management
System Log Files
System Logs Procedures
Troubleshooting Utilities
Ping
Traceroute
Top
I/O Stats
SAR
NTP Status
Check Configuration Synchronization
Diagnostics for your Polycom Server
Backing Up and Restoring
Confirm Restore Dialog
Backup and Restore Procedures
Upgrading the Software
Basic Upgrade Procedures
Incompatible Software Version Supercluster Upgrades
Factors to Consider for an Incremental Supercluster Upgrade
Simplified Supercluster Upgrade (Complete Service Outage)
Complex Supercluster Upgrade (Some Service Maintained)
RealPresence DMA System, Virtual Edition System Upgrade
Adding a Second Server
Expanding an Unpatched System
Expanding a Patched System
Replacing a Failed Server
Shutting Down and Restarting
System Reports
Alert History
Call History
Export History
Conference History
Export History
Associated Calls
Conference Events
Property Changes
Call Detail Records (CDRs)
Exporting CDR Data
Call Record Layouts
Conference Record Layouts
Registration History Report
Registration History Procedures
Active Directory Integration Report
Orphaned Groups and Users Report
Orphaned Groups and Users Procedures
Conference Room Errors Report
Exporting Conference Room Errors Data
Enterprise Passcode Errors Report
Exporting Enterprise Passcode Errors Data
Network Usage Report
Exporting Network Usage Data
Polycom RealPresence DMA System SNMP Support
SNMP Overview
SNMP Framework
SNMP Notifications
SNMP Versions
Configure SNMP
Enable the SNMP Agent
Add an SNMP Notification User
Edit Notification User Dialog
Add an SNMP Notification Agent
Edit Notification Agent Dialog
Download MIBs
Available SNMP MIBs
Polycom® RealPresence DMA® 7000 System Overview
This section provides an overview of the Polycom® Distributed Media Application™ (RealPresence DMA®) 7000 system. It includes these topics:
Introduction to the Polycom RealPresence DMA System
Polycom Solution Support
Working in the Polycom RealPresence DMA System
Open Source Software
Introduction to the Polycom RealPresence DMA System
The Polycom RealPresence DMA system is a highly reliable and scalable video collaboration infrastructure solution based on the Polycom® Proxias™ application server. The following topics introduce you to the system:
The Polycom RealPresence DMA System’s Primary Functions
The Polycom RealPresence DMA System’s Three Configurations
System Capabilities and Constraints
System Port Usage
The Polycom RealPresence DMA System’s Primary Functions
The primary functions of the Polycom RealPresence DMA system are described briefly below.
Conference Manager
The Polycom RealPresence DMA system’s Conference Manager facilitates multipoint video conferencing. A multipoint video conference is one in which multiple endpoints are connected, with all participants able to see and hear each other. The endpoints connect to a media server (Multipoint Control Unit, or MCU), which processes the audio and video from each and sends the conference audio and video streams back to them.
Traditionally, such multipoint conferences had to be scheduled in advance, reserving ports on a specific MCU, in order to ensure the availability of resources. Conference Manager makes this unnecessary.
Conference Manager uses advanced routing policies to distribute voice and video calls among multiple MCUs, creating a single virtual resource pool. This greatly simplifies multipoint video conferencing resource management and uses MCU resources more efficiently.
The Polycom RealPresence DMA system integrates with your Microsoft® Active Directory®, automating the task of provisioning users with virtual meeting rooms (VMRs), which are available for use at any time for multipoint video conferencing. Combined with its advanced resource management, this makes reservationless (ad hoc) video conferencing on a large scale feasible and efficient, reducing or eliminating the need for conference scheduling.
The Polycom RealPresence DMA system’s ability to handle multiple MCUs as a single resource pool makes multipoint conferencing services highly scalable. You can add MCUs on the fly without impacting end users and without requiring re-provisioning. The RealPresence DMA system can span a conference across two or more MCUs (called cascading), enabling the conference to contain more participants than any single MCU can accommodate.
The Conference Manager continually monitors the resources used and available on each MCU and intelligently distributes conferences among them. If an MCU fails, loses its connection to the system, or is taken out of service, the Polycom RealPresence DMA system distributes new conferences to the remaining MCUs. Every conference on the failed MCU is restarted on another MCU (provided there is space available). The consequences for existing calls in those conferences depend on whether they’re H.323 or SIP:
H.323 participants are not automatically reconnected to the conference. In order to rejoin the conference, dial-in participants simply need to redial the same number they used for their initial dial-in. Dial-out participants will need to be dialed out to again; the RealPresence DMA system doesn’t automatically redial out to them.
SIP participants are automatically reconnected to the conference on the new MCU. This includes both dial-in and dial-out SIP participants. No new dial-out is needed because the RealPresence DMA system maintains the SIP call leg to the participant and only has to re-establish the SIP call leg from the RealPresence DMA system to the MCU.
Call Server
The Polycom RealPresence DMA system’s Call Server provides the following functionality:
H.323 gatekeeper
SIP registrar and proxy server
H.323 <—> SIP transition gateway
Dial plan and prefix services
Device authentication
Bandwidth management
The Call Server can also be integrated with a Juniper Networks Service Resource Controller (SRC) to provide bandwidth and QoS assurance services.
RealPresence® Platform API
The Polycom RealPresence DMA system optionally allows an API client application, developed by you or a third party, to access the Polycom RealPresence® Platform Application Programming Interface (API). This API access is licensed separately. It provides programmatic access to the Polycom RealPresence DMA system for the following:
Provisioning
Conference control and monitoring
Call control and dial-out
Billing and usage data retrieval
Resource availability queries
The API uses XML encoding over HTTPS transport and adheres to a Representational State Transfer (REST) architecture.
To browse the RealPresence Platform API reference documentation, go to Help > RealPresence Platform API Documentation in the system’s web interface.
Note: Asynchronous API communication
The API communicates asynchronously. Clients subscribing to event notifications via the API must be prepared to receive notifications out of order.
A Polycom RealPresence Resource Manager system can integrate with the RealPresence DMA system via the API. No separate license is needed in order for the RealPresence Resource Manager system to use the API. It provides the full programmatic access to the RealPresence DMA system described above and enables users of the RealPresence Resource Manager scheduling interface to:
Schedule conferences using the RealPresence DMA system’s MCU resources.
Set up Anytime conferences. Anytime conferences are referred to as preset dial-out conferences in the RealPresence DMA system (see Edit Conference Room Dialog).
Note: Integration with a RealPresence Resource Manager system
Integrating the Polycom RealPresence Resource Manager system with the RealPresence DMA system via the API is separate and distinct from integrating the RealPresence DMA system with a RealPresence Resource Manager system.
The former enables RealPresence Resource Manager users to obtain information from and use functionality of the RealPresence DMA system that would otherwise be accessible only in the RealPresence DMA system’s management interface.
The latter enables the RealPresence DMA system to retrieve site topology and user-to-device associations from the RealPresence Resource Manager system.
For convenience, however, when you integrate your RealPresence Resource Manager system to the RealPresence DMA system, the RealPresence DMA system automatically integrates itself back to the RealPresence Resource Manager system so that the RealPresence DMA system will have the site topology and user-to-device information that the RealPresence Resource Manager system expects it to have.
SVC Conferencing Support
This version of the Polycom RealPresence DMA system supports the Annex G extension of the H.264 standard, known as H.264 Scalable Video Coding (SVC), for both point-to-point and multipoint (VMR) calls.
SVC is sometimes referred to as layered media because the video streams consist of a base layer that encodes the lowest available quality representation plus one or more enhancement layers that each provide an additional quality improvement. SVC supports three dimensions of scalability: temporal (frames per second), spatial (resolution and aspect ratio), and quality (signal-to-noise ratio).
The video stream to a device can be tailored to fit the bandwidth available and device capabilities by adjusting the number of enhancement layers sent to the device.
For multipoint conferencing, the MCU doesn't have to do processing-intensive mixing and transcoding to optimize the experience for each device. Instead, it simply passes the video stream from each device to each device, including the enhancement layers that provide the best quality the device can support.
Polycom’s SVC solution focuses on the temporal and spatial dimensions. It offers a number of advantages over standard AVC conferencing, including:
Improved video quality at lower bandwidths
Improved audio and video error resiliency (good audio quality with more than 50% packet loss, good video quality with more than 25% packet loss)
Lower end-to-end latency (typically less than half that of AVC)
More efficient use of bandwidth
Lower infrastructure cost and operational expenses
Easier to provision, control, and monitor
Better security (end-to-end encryption)
Polycom’s SVC solution is supported by the Polycom RealPresence Platform and Environments, including the latest generation of Polycom MCUs and RealPresence room, personal, desktop, and mobile endpoints. Existing RMX MCUs with MPMx cards can be made SVC-capable with a software upgrade, and doing so triples their HD multipoint conferencing capacity.
RealPresence Collaboration Server 800s MCUs support mixed-mode (SVC+AVC) conferences. Both SVC and AVC endpoints can join the conference, and each gets the appropriate experience: SVC endpoints get SVC mode and get a video stream for each AVC participant; AVC endpoints get a single Continuous Presence (CP) video stream of the participants (both AVC and SVC) supplied by the MCU.
When the Polycom RealPresence DMA system selects an MCU that doesn’t support SVC for a conference configured for mixed mode, it starts the conference as an AVC-only conference (all SVC-capable endpoints also support AVC). However, if the MCU supports SVC but not mixed mode (RMX 7.8), the conference fails to start.
Refer to your RealPresence Collaboration Server or RMX documentation for important information about the MCU’s implementation of SVC conferencing and its configuration, limitations, and constraints.
See also:
Introduction to the Polycom RealPresence DMA System
The Polycom RealPresence DMA System’s Three Configurations
Depending on your organization’s needs, you can deploy the Polycom RealPresence DMA system in one of the following three configurations.
Two-server Cluster Configuration
The Polycom RealPresence DMA system is designed to be deployed as a pair of co-located redundant servers that share the same virtual IP address(es). The two-server cluster configuration of the Polycom RealPresence DMA system has no single point of failure within the system that could cause the service to become unavailable.
The two servers communicate over the private network connecting them. To determine which one should host the public virtual IP address, each server uses three criteria:
Ability to ping its own public physical address
Ability to ping the other server’s public physical address
Ability to ping the default gateway
In the event of a tie, the server already hosting the public virtual address wins.
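The election rule above can be modelled as a short simulation. This is an added example, not Polycom code: it assumes each server is scored by how many of the three checks it passes and that the higher score hosts the virtual IP (the manual states only the criteria and the tie rule), and the server names "A"/"B" and the timeline are constructed.

```python
"""Model of the two-server public virtual-IP election (illustrative only)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Checks:
    """Results of the three ping checks one server runs."""
    own_public: bool   # can ping its own public physical address
    peer_public: bool  # can ping the other server's public physical address
    gateway: bool      # can ping the default gateway

    def score(self) -> int:
        # Assumption: one point per passed check; not stated in the manual.
        return int(self.own_public) + int(self.peer_public) + int(self.gateway)


HEALTHY = Checks(True, True, True)


def elect_vip_host(a: Checks, b: Checks, current_holder: str) -> str:
    """Return which server ("A" or "B") should host the public virtual IP."""
    if current_holder not in ("A", "B"):
        raise ValueError("current_holder must be 'A' or 'B'")
    if a.score() == b.score():
        # Tie rule from the manual: the server already hosting the VIP wins.
        return current_holder
    return "A" if a.score() > b.score() else "B"


def replay(timeline, initial_holder: str = "A"):
    """Apply the election to each step and record who holds the VIP."""
    holder = initial_holder
    history = []
    for label, a, b in timeline:
        holder = elect_vip_host(a, b, holder)
        history.append((label, holder))
    return history


# Constructed timeline of (event, checks seen by A, checks seen by B).
TIMELINE = [
    ("both healthy", HEALTHY, HEALTHY),
    ("A loses its route to the gateway", Checks(True, True, False), HEALTHY),
    ("A recovers", HEALTHY, HEALTHY),
    ("gateway down for both", Checks(True, True, False), Checks(True, True, False)),
    ("B public interface fails", Checks(True, False, True), Checks(False, False, False)),
]

if __name__ == "__main__":
    for label, holder in replay(TIMELINE):
        print(f"{label:35s} -> VIP on {holder}")
```

Under this model the tie rule means there is no automatic failback: after A recovers, B keeps the address until B itself scores lower, so a flapping link does not move the virtual IP back and forth.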
Failover to the backup server takes about five seconds in the event of a graceful shutdown and about 40 seconds in the event of a power loss or other failure. In the event of a single server failure, these things happen:
All calls that are being routed through the failed server are terminated (including SIP calls, VMR calls, and routed mode H.323 calls). These users simply need to redial the same number, and they’re placed back into conference or reconnected to the point-to-point call they were in. The standby server takes over the virtual signaling address, so existing registrations and new calls are unaffected.
Direct mode H.323 point-to-point calls are not dropped, but the bandwidth management system loses track of them. This could result in overuse of the available network bandwidth.
If the failed server is the active web host for the system management interface, the active user interface sessions end, the web host address automatically migrates to the remaining server, and it becomes the active web host. Administrative users can then log back into the system at the same URL. The system can always be administered via the same address, regardless of which server is the web host.
The internal databases within each Polycom RealPresence DMA system server are fully replicated to the other server in the cluster. If a catastrophic failure of one of the database engines occurs, the system automatically switches itself over to use the database on the other server.
Single-server Configuration
The Polycom RealPresence DMA system is also available in a single-server configuration. This configuration offers all the advantages of the Polycom RealPresence DMA system, except redundancy and fault tolerance, at a lower price. It can be upgraded to a two-server cluster at any time.
This manual generally assumes a redundant two-server cluster. Where there are significant differences between the two configurations, those are spelled out.
Superclustering
To provide geographic redundancy and better network traffic management, up to five geographically distributed Polycom RealPresence DMA system clusters (two-server or single-server) can be integrated into a supercluster. All five clusters can be Call Servers (function as gatekeeper, SIP proxy, SIP registrar, and gateway). Up to three can be designated as Conference Managers (manage an MCU resource pool to host conference rooms).
The superclustered Polycom RealPresence DMA systems can be centrally administered and share a common data store. Each cluster maintains a local copy of the data store, and changes are replicated to all the clusters. Most system configuration is supercluster-wide. The exceptions are cluster-specific or server-specific items like network settings and time settings.
Note: Clusters vs. superclusters
Technically, a standalone Polycom RealPresence DMA system (two-server or single-server) is a supercluster that contains one cluster. All the system configuration and other data that’s shared across a supercluster is kept in the same data store. At any time, another Polycom RealPresence DMA system can be integrated with it to create a two-cluster supercluster that shares its data store.
It’s important to understand the difference between two co-located servers forming a single RealPresence DMA system (cluster) and two geographically distributed RealPresence DMA clusters (single-server or two-server) joined into a supercluster.
A single two-server RealPresence DMA system (cluster) has the following characteristics:
A single shared virtual IP address and FQDN, which switches from one server to the other when necessary to provide local redundancy and fault tolerance.
A single management interface and set of local settings.
Ability to manage a single territory, with no territory management backup.
A single set of Call Server and Conference Manager responsibilities.
A supercluster consisting of two RealPresence DMA clusters (single-server or two-server) has the following characteristics:
Separate IP addresses and FQDNs for each cluster.
Separate management interfaces and sets of local settings for each cluster.
Ability for each cluster to manage its own territory, with another cluster able to serve as backup for that territory.
Different Call Server and Conference Manager responsibilities for each territory and thus each cluster.
System Capabilities and Constraints
The following capabilities and constraints apply to the entire supercluster:
Number of sites: 500
Number of subnets: 5000
Number of clusters in a supercluster: 5 (not counting an integrated Polycom RealPresence Resource Manager system)
Number of MCUs enabled for conference rooms: 64
Number of territories enabled for conference rooms (Conference Manager enabled): 3
Number of concurrent VMR calls: 1200 per cluster (Conference Manager), up to 3600 total
Number of concurrent SIP<->H.323 gateway calls: 500
Size of Active Directory supported: 1,000,000 users and 1,000,000 groups (up to 10,000 groups may be imported)
The following capabilities and constraints apply to each cluster in the supercluster:
Number of registrations: 15000
Number of contacts registered to a Microsoft Lync 2013 server: 25,000
Number of concurrent H.323 calls: 5000
Number of concurrent SIP calls: 5000
Total number of concurrent calls: 5000
Number of network usage data points retained: 8,000,000
Number of IRQ messages sent per second: 100
Number of history records retained per cluster:
500,000 registration history
2,000,000 registration signaling history
500,000 call history
12,500,000 call signaling history
200,000 conference history
10,000 CDR export history
System Port Usage
The following table lists the inbound ports that may be open on the Polycom RealPresence DMA system, depending on signaling and security settings, integrations, and system configuration.
Port         Protocol  Description
22           TCP       SSH. Only available if Linux console access is enabled (see Security Settings).
53           TCP/UDP   DNS. Only available if the embedded DNS server is enabled (see Embedded DNS).
80           TCP       HTTP. Redirects to 443 (HTTP access is not allowed). Disabled in maximum security mode.
123          UDP       NTP. Only available if an NTP server is specified (see Time Settings).
161          UDP       SNMP. Default port; can be changed or disabled (see Configure SNMP).
443          TCP       HTTPS. Redirects to 8443.
1718         UDP       H.323 RAS. Default port; can be changed (see Signaling Settings).
1719         UDP       H.323 RAS. Default port; can be changed (see Signaling Settings).
1720         TCP       H.323 H.225 signaling. Default port; can be changed (see Signaling Settings).
4449         TCP       LDAP. OpenDJ replication (superclustering).
5060         TCP/UDP   Unencrypted SIP. Default port; can be changed or disabled (see Signaling Settings).
5061         TCP       SIP TLS. Default port; can be changed (see Signaling Settings).
8080         TCP       HTTP. Redirects to 443 (HTTP access is not allowed). Disabled in maximum security mode.
8443         TCP       HTTPS. Management interface access.
8444         TCP       HTTPS. Supercluster communication.
8989         TCP       LDAP. OpenDJ replication (superclustering).
9090         TCP       HTTPS. Upgrade status monitoring (only while upgrade process is running).
36000-61000  TCP       Ephemeral port range.
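The inbound table above can be turned into an exposure check: given the settings in force, which listening ports are not accounted for, and which of the open ones carry cleartext traffic. The following is an added example, not Polycom code. The setting names, the "port/proto" input format and the sample listener list are constructed for illustration, and the signaling and SNMP ports are assumed to be left at the table's defaults.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DmaSettings:
    """Settings the inbound table conditions ports on (field names are this example's own)."""
    linux_console: bool = False      # "Allow Linux console access" in Security Settings
    embedded_dns: bool = False
    ntp_server_set: bool = True
    snmp_enabled: bool = True
    unencrypted_sip: bool = True
    max_security: bool = False
    upgrade_running: bool = False


def _always(_settings):
    return True


# One row per inbound table entry:
# (port, protocols, service, cleartext?, predicate: is the port expected open?)
INBOUND = [
    (22, ("tcp",), "SSH", False, lambda s: s.linux_console),
    (53, ("tcp", "udp"), "DNS", False, lambda s: s.embedded_dns),
    (80, ("tcp",), "HTTP redirect", True, lambda s: not s.max_security),
    (123, ("udp",), "NTP", False, lambda s: s.ntp_server_set),
    (161, ("udp",), "SNMP", False, lambda s: s.snmp_enabled),
    (443, ("tcp",), "HTTPS redirect", False, _always),
    (1718, ("udp",), "H.323 RAS", False, _always),
    (1719, ("udp",), "H.323 RAS", False, _always),
    (1720, ("tcp",), "H.225 signaling", False, _always),
    (4449, ("tcp",), "OpenDJ replication", False, _always),
    (5060, ("tcp", "udp"), "Unencrypted SIP", True, lambda s: s.unencrypted_sip),
    (5061, ("tcp",), "SIP TLS", False, _always),
    (8080, ("tcp",), "HTTP redirect", True, lambda s: not s.max_security),
    (8443, ("tcp",), "Management HTTPS", False, _always),
    (8444, ("tcp",), "Supercluster HTTPS", False, _always),
    (8989, ("tcp",), "OpenDJ replication", False, _always),
    (9090, ("tcp",), "Upgrade status", False, lambda s: s.upgrade_running),
]
EPHEMERAL_TCP = range(36000, 61001)  # 36000-61000 inclusive, TCP only


def parse_listeners(text):
    """Parse 'port/proto' lines (constructed format) into a set of (port, proto)."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            port, proto = line.split("/")
            found.add((int(port), proto.lower()))
    return found


def audit(observed, settings):
    """Return listeners the table does not explain and listeners that are cleartext."""
    expected, cleartext = set(), set()
    for port, protos, _service, is_clear, wanted in INBOUND:
        for proto in protos:
            if wanted(settings):
                expected.add((port, proto))
            if is_clear:
                cleartext.add((port, proto))
    unexpected = sorted(
        p for p in observed
        if p not in expected and not (p[1] == "tcp" and p[0] in EPHEMERAL_TCP)
    )
    return {"unexpected": unexpected, "cleartext": sorted(observed & cleartext)}


# Constructed sample: listeners seen on one server (not real scan output).
SAMPLE_LISTENERS = """
22/tcp
80/tcp
443/tcp
1719/udp
3306/tcp     # not in the manual's table at all
5060/udp
5061/tcp
8443/tcp
40000/tcp    # inside the ephemeral range
"""

if __name__ == "__main__":
    hardened = DmaSettings(unencrypted_sip=False, max_security=True)
    report = audit(parse_listeners(SAMPLE_LISTENERS), hardened)
    for kind, ports in report.items():
        print(kind, ports)
```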
The following table lists the remote ports to which the Polycom RealPresence DMA system may connect, depending on signaling and security settings, integrations, and system configuration.
Port         Protocol  Description
80           TCP       HTTP. MCUs, Exchange Web Services (calendaring). Only used if unencrypted connections are enabled (see Security Settings).
162          TCP/UDP   SNMP notifications (Traps or Informs). Used if SNMP is enabled and configured to send notifications (see Configure SNMP), or if system is monitored with RealPresence Platform Director.
389          TCP       LDAP. Active Directory integration. RealPresence Platform Director licensing and API communication.
443          TCP       HTTPS. MCUs, Exchange Web Services (calendaring), RealPresence Platform Director licensing and API communication.
1718         UDP       H.323 RAS. Default port; can be changed (see Signaling Settings).
1719         UDP       H.323 RAS. Default port; can be changed (see Signaling Settings).
1720         TCP       H.323 H.225 signaling. Default port; can be changed (see Signaling Settings).
3268         TCP       Global Catalog. Active Directory integration.
3269         TCP       Secure Global Catalog. Active Directory integration.
4449         TCP       OpenDJ replication (superclustering).
5060         TCP/UDP   Unencrypted SIP. Default port; can be changed or disabled (see Signaling Settings).
5061         TCP       SIP TLS. Default port; can be changed (see Signaling Settings).
8443         TCP       HTTPS. RealPresence Platform Director API communication.
8443         TCP       HTTPS. Hourly transmission of system usage data to the address customerusagedatacollection.polycom.com. This data is only sent if the Automatically Send Usage Data feature is enabled (see Automatically Send Usage Data).
8444         TCP       Supercluster communication.
8989         TCP       OpenDJ replication (superclustering).
36000-61000  TCP       Ephemeral port range.
Polycom Solution Support
Polycom Implementation and Maintenance services provide support for Polycom solution components only. Additional services for supported third-party Unified Communications (UC) environments integrated with Polycom solutions are available from Polycom Global Services and its certified Partners. These additional services will help customers successfully design, deploy, optimize, and manage Polycom visual communications within their UC environments.
Professional Services for Microsoft Integration is mandatory for Polycom Conferencing for Microsoft Outlook and Microsoft Office Communications Server or Lync Server 2010 integrations. For more information, please visit www.polycom.com/services/professional_services/ or contact your local Polycom representative.
Working in the Polycom RealPresence DMA System
This section includes some general information you should know when working in the Polycom RealPresence DMA system.
Accessing the Polycom RealPresence DMA System
The Polycom RealPresence DMA system’s management interface is accessed by pointing a compatible browser equipped with Adobe® Flash® Player to the system’s host name or IP address (a two-server cluster or an IPv6-only single-server cluster has a virtual host name and IP address, and we strongly recommend always using the virtual address). Minimum requirements:
Microsoft Internet Explorer® 7 or newer, or Mozilla Firefox® 3 or newer, or Google Chrome 11 or newer
Adobe Flash Player 9.0.124 or newer
1280x1024 minimum display resolution (1680x1050 or greater recommended)
Note: Adobe Flash Player considerations
The Polycom RealPresence DMA system’s Flex-based management interface requires Adobe Flash Player. For stability and security reasons, we recommend always using the latest version of Flash Player.
Even so, be aware that your browser’s Flash plugin may hang or crash from time to time. Your browser should alert you when this happens and enable you to reload the plugin. In some cases, you may need to close and restart your browser.
In the Google Chrome browser, use the Adobe Flash plugin, not the built-in Flash support.
Field Input Requirements
While every effort was made to internationalize the Polycom RealPresence DMA system, not all system fields accept Unicode entries. If you work in a language other than English, be aware that some fields accept only ASCII characters.
For input fields that accept a SIP URI, the supported characters for the “userinfo” portion of the URI include:
Alpha: a-z, A-Z
Numeric: 0-9
Escaped: %XX where X=0-9,A-F,a-f
Other: -_!~*'();:&=+$,
This character support adheres to the full SIP specification.
For input fields that accept an H.323 alias, the supported characters include:
All ASCII characters in the ranges %x21-24,%x26-3F,%x41-7f
% @ and values < %x21 can be escaped.
Escaped: %XX
This character support adheres to the full H.323 specification.
Settings Dialog
The Settings dialog opens when you click the button to the right of the menus. It displays your user name and the address of the RealPresence DMA server you’re logged in to.
The Settings dialog lets you change:
The maximum number of columns in the Dashboard. Note that this is a maximum, not a fixed value. The panes have a minimum width, and they arrange themselves to best fit your browser window. Depending on the size of your browser window, there may be fewer columns than the maximum you select. For instance, at the minimum supported display resolution of 1280x1024, only two columns can be displayed.
The text size used in the system interface. Note that larger text sizes will affect how much you can see in a given window or screen size and may require frequent scrolling.
Polycom RealPresence DMA System User Roles and Their Access Privileges
The Polycom RealPresence DMA system has three system user roles (see User Roles Overview) that provide access to the management and operations interface and, if available, the separately licensed RealPresence Platform Application Programming Interface (API). The functions you can perform and parts of the interface you can access depend on your user role or roles, as shown in the following table.
For information on access privileges to API resources, go to Help > RealPresence Platform API Documentation in the system’s web interface.
Menu/Icon Admin Provisioner Auditor
- Home. Returns to the Dashboard. •
Network >
Active Calls
Endpoints •
DMAs
1
• •
MCU > MCUs1
MCU > MCU Pools
1
MCU > MCU Pool Orders
Site Statistics
Site Link Statistics
Site Topology > Sites
1
1
1
Site Topology > Site Links
Site Topology > Site-to-Site Exclusions
Site Topology > Network Clouds
Site Topology > Territories
1
External Gatekeeper
External SIP Peer
External H.323 SBC
1
1
User >
Users 2
• •
• •
1
• •
• •
• •
• •
1
1
1
1
• •
• •
• •
• •
• •
• •
• •
• •
Groups •
Login Sessions1
• •
Change Password
Reports >
Alert History
Call History
Conference History
Registration History
Network Usage
Microsoft Active Directory Integration
3
Enterprise Passcode Errors
3
Orphaned Groups and Users
Conference Room Errors
3
Maintenance
System Log Files
4
Troubleshooting Utilities > Ping, Traceroute, Top, I/O
• •
• Stats, SAR, NTP Status, Check Configuration Synchronization
Shutdown and Restart
Software Upgrade
Backup and Restore
Admin > Conference Manager >
Conference Settings
Conference Templates
IVR Prompt Sets
Shared Number Dialing
Admin > Call Server >
Call Server Settings
Domains •
Dial Rules
Hunt Groups
Registration Policy
Device Authentication
Prefix Service
1
• •
Embedded DNS
History Retention Settings
Admin > Integrations >
Microsoft Active Directory
Microsoft Exchange Server
RealPresence Resource Manager
Juniper Networks SRC
Admin > Login Policy Settings >
Local Password
Session •
Local User Account
Banner •
Access Policy Settings
Admin > Local Cluster >
Network Settings
Signaling Settings
Time Settings
Licenses •
Logging Settings
SNMP Settings
Security Settings
Certificates •
Help >
About DMA 7000
Help Contents
- Settings. Displays Settings dialog.
- Log Out. Logs you out of the Polycom RealPresence DMA system.
- Help. Opens the online help topic for the page you’re viewing.
• •
• •
1. Provisioners have view-only access.
2. Must be an enterprise user to see enterprise users. Provisioners can’t add or remove roles or endpoints, and can’t edit user accounts with explicitly assigned roles (Administrator, Provisioner, or Auditor), but can manage their conference rooms.
3. Must be an enterprise user to view this report.
4. Administrators can’t delete log archives.
Open Source Software
License Information
Refer to the Polycom RealPresence DMA 7000 System Offer of Open Source Software for a list of the open source software packages used in the Polycom RealPresence DMA system, the applicable license for each, and the internet address where you can find it. To obtain the source code for any of these packages, e-mail your request to Open.Source@Polycom.com.
Modifying Open Source Code
The Polycom RealPresence DMA system software is not combined with or otherwise linked to any open source libraries, but the CentOS software is. The LGPL v2.1 license allows you to modify the LGPL code included with CentOS, recompile the modified code, and re-link it with the CentOS code. Note that although you’re free to modify the included LGPL modules in any way you wish, we cannot be responsible if the changes you make impair the system.
To replace an LGPL library with your modified version
1 Obtain the source code for the module you want to modify.
2 Modify the source code and compile it.
3 Go to Admin > Local Cluster > Security Settings, select Allow Linux console access, and click Update.
4 Contact Polycom Global Services for the root password for the Polycom RealPresence DMA server.
5 Use ssh to log into the server as root.
6 Upload the modified software via wget or scp.
7 Find the module you’re replacing and install the new version to that location.
8 Reboot the system.
Polycom RealPresence DMA System Initial Configuration Summary
This section describes the configuration tasks required to complete your implementation of a new Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system once installation and initial network configuration are complete.
This section assumes you’ve completed the server configuration procedure in the Getting Started Guide (available at support.polycom.com), logged in to the Polycom RealPresence DMA system’s management interface, and verified that the Supercluster Status pane of the Dashboard shows (for a two-server configuration) two servers in the cluster, with healthy enterprise and private network status for both.
Initial configuration includes the following topics:
System configuration
Add Required DNS Records for the Polycom RealPresence DMA System
License the Polycom RealPresence DMA System
Set Up Signaling
Configure the Call Server and Optionally Create a Supercluster
Set Up Security
Set Up MCUs
Connect to Microsoft Active Directory
Set Up Conference Templates
Confirming configuration
Test the System
Each topic describes the task, provides background and overview information for it, and where appropriate, links to specific step-by-step procedures to follow in order to complete the task.
Note: Optional configuration tasks
These topics outline the configuration tasks that are generally required. You may wish to complete other optional configuration tasks, including:
Enable cascading of conferences (see About Cascading).
Configure calendaring service (see Microsoft Exchange Server Integration).
Integrate with a Juniper Networks SRC Series Session and Resource Control module to provide bandwidth assurance services (see Juniper Networks SRC Integration).
Add Required DNS Records for the Polycom RealPresence DMA System
Note: Consult an expert
If you’re not familiar with DNS administration, the creation of various kinds of DNS resource records (A/AAAA, NAPTR, NS, and SRV), your enterprise’s DNS implementation, and tuning for load balancing (if needed), please consult with someone who is.
Your Polycom RealPresence DMA system must be accessible by its host name(s), not just its IP address(es), so you (or your DNS administrator) must create A and/or AAAA records for IPv4 and IPv6, respectively, as well as the corresponding PTR records, on your DNS server(s).
A/AAAA records and PTR records that map each physical host name to the corresponding physical IP address and each virtual host name to the corresponding virtual IP address are mandatory, as are the corresponding PTR records that allow reverse DNS resolution of the system’s physical or virtual host name(s).
Note: Fully qualified domain names
Depending on local DNS configuration, a host name could be the Polycom RealPresence DMA system’s fully qualified domain name (FQDN) or a shorter name that DNS can resolve.
For some features, such as Microsoft Exchange Server integration, it’s imperative that the FQDN can be resolved in DNS, especially by the Exchange server.
The DNS server(s) should also have entries for your Microsoft® Active Directory® server (if different from the DNS server) and any external gatekeepers or SIP peers.
You may need to create additional DNS records as described below.
Additional DNS Records for SIP Proxy
To support the use of your Polycom RealPresence DMA system as a SIP proxy server and ease future network administrative burdens, create the following DNS records (for each cluster in a supercluster, if applicable):
Optionally, NAPTR records that describe the transport protocols supported by the SIP proxies at a domain and identify the preferred protocol. Configure these statically to match the system’s SIP transport protocol configuration.
SRV records for each transport protocol that identify the host names of the SIP proxies that service a particular domain. Configure these statically to point to the host names of the Call Servers in the domain. Here are example records for two clusters:
_sips._tcp.example.com. 86400 IN SRV 10 1001 5061 dma-asia.example.com.
_sips._tcp.example.com. 86400 IN SRV 10 1002 5061 dma-europe.example.com.
_sip._tcp.example.com. 86400 IN SRV 20 1001 5060 dma-asia.example.com.
_sip._tcp.example.com. 86400 IN SRV 20 1002 5060 dma-europe.example.com.
_sip._udp.example.com. 86400 IN SRV 30 1001 5060 dma-asia.example.com.
_sip._udp.example.com. 86400 IN SRV 30 1002 5060 dma-europe.example.com.
To enable access from the public internet, create corresponding SRV records, visible from outside the firewall, for the public address of each SIP session border controller (SBC).
For more information about the use of DNS in SIP, refer to RFCs 3263 and 2782.
Additional DNS Records for the H.323 Gatekeeper
To support the use of your Polycom RealPresence DMA system as an H.323 gatekeeper and ease future network administrative burdens, create SRV records that identify the host names of the gatekeepers that service a particular domain. These records are necessary in order to enable the optional inbound URL dialing feature. Configure them statically to point to the host names of the Call Servers in the domain. Here are example records for two clusters:
_h323ls._udp.example.com. 86400 IN SRV 0 1 1719 dma-asia.example.com.
_h323ls._udp.example.com. 86400 IN SRV 0 1 1719 dma-europe.example.com.
_h323cs._tcp.example.com. 86400 IN SRV 0 1 1720 dma-asia.example.com.
_h323cs._tcp.example.com. 86400 IN SRV 0 1 1720 dma-europe.example.com.
To enable access from the public internet, create corresponding SRV records, visible from outside the firewall, for the public address of each H.323 session border controller (SBC).
For more information about the use of DNS in H.323, refer to the H.323 specification, Annex O, and the H.225.0 specification, Appendix IV.
Additional DNS Records for the Optional Embedded DNS Feature
To support DNS publishing by your Polycom RealPresence DMA system’s embedded DNS servers (see Embedded DNS), a DNS NS record is needed for the physical host name of each server in each cluster in the supercluster. These records identify the Polycom RealPresence DMA system’s embedded DNS servers as authoritative for the specified logical host name. The logical host name you specify is the one in the Call server sub-domain controlled by RealPresence DMA field on the Embedded DNS page. Here are example records for two dual-server clusters:
callservers.example.com. 86400 IN NS dma-asia-server1.example.com.
callservers.example.com. 86400 IN NS dma-asia-server2.example.com.
callservers.example.com. 86400 IN NS dma-europe-server1.example.com.
callservers.example.com. 86400 IN NS dma-europe-server2.example.com.
Note: Virtual host names cannot have NS records
NS records for the virtual host names must not exist.
Your enterprise DNS must also have the zone callservers.example.com defined and be configured to forward requests for names in that zone to any of the clusters in the supercluster. The way you do this depends on the DNS server software being used.
Queries to the enterprise DNS for callservers.example.com are referred to the specified RealPresence DMA clusters. Their embedded DNS servers create and manage A records for each site in the site topology. When responsibility for a site moves from one cluster to another, the A records are updated so that the site’s domain name is mapped to the new cluster.
Verify That DNS Is Working for All Addresses
To confirm that DNS can resolve all the host names and/or FQDNs, ping each of them, either from a command prompt on the PC you’re using to access the system or from one of the clusters you’re setting up (go to Troubleshooting Utilities > Ping).
If you have access to a Linux PC and are familiar with the dig command, you can use it to query the enterprise DNS server to verify that all the records (A/AAAA, NS, and SRV) are present and look correct.
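The record requirements from this section can also be checked offline against an export of the zone data before the system goes live. The following is an added example, not part of the Polycom documentation: it lints zone-file style records for the rules stated above (every host has a matching PTR, every SRV and NS target resolves, and no NS record names a virtual host name). The function names, the 192.0.2.x addresses and the deliberately faulty sample zone are constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def parse_zone(text):
    """Parse 'owner ttl IN type rdata...' lines into {type: [(owner, rdata_fields)]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records[rtype.upper()].append((owner.lower().rstrip("."), rdata))
    return records


def lint_zone(text, virtual_hosts=()):
    """Return a list of findings for the DNS rules in this section."""
    rec = parse_zone(text)
    findings = []

    # Forward records: host name -> set of addresses (A and AAAA alike).
    addrs = defaultdict(set)
    for owner, rdata in rec["A"] + rec["AAAA"]:
        addrs[owner].add(ipaddress.ip_address(rdata[0]))

    # Rule 1: each forward record needs a PTR that maps back to the same name.
    ptr = {owner: rdata[0].lower().rstrip(".") for owner, rdata in rec["PTR"]}
    for host in sorted(addrs):
        for ip in sorted(addrs[host], key=str):
            if ptr.get(ip.reverse_pointer) != host:
                findings.append(f"PTR missing or mismatched for {host} ({ip})")

    # Rule 2: SRV targets (SIP proxy, H.323 gatekeeper) must be resolvable hosts.
    for owner, rdata in rec["SRV"]:
        _priority, _weight, _port, target = rdata
        target = target.lower().rstrip(".")
        if target not in addrs:
            findings.append(f"SRV {owner} target {target} has no A/AAAA record")

    # Rule 3: embedded-DNS NS records name physical servers, never virtual hosts.
    virtual = {v.lower().rstrip(".") for v in virtual_hosts}
    for owner, rdata in rec["NS"]:
        target = rdata[0].lower().rstrip(".")
        if target in virtual:
            findings.append(f"NS {owner} points at virtual host name {target}")
        elif target not in addrs:
            findings.append(f"NS {owner} target {target} has no A/AAAA record")
    return findings


# Constructed sample with three deliberate faults (not a real zone).
SAMPLE_ZONE = """
dma-asia.example.com.          86400 IN A   192.0.2.10   ; virtual host name
dma-asia-server1.example.com.  86400 IN A   192.0.2.11
dma-europe.example.com.        86400 IN A   192.0.2.20   ; fault: no PTR
10.2.0.192.in-addr.arpa.       86400 IN PTR dma-asia.example.com.
11.2.0.192.in-addr.arpa.       86400 IN PTR dma-asia-server1.example.com.
_sips._tcp.example.com.        86400 IN SRV 10 1001 5061 dma-asia.example.com.
_sip._tcp.example.com.         86400 IN SRV 20 1002 5060 dma-europe.example.com.
_h323cs._tcp.example.com.      86400 IN SRV 0 1 1720 dma-africa.example.com. ; fault
callservers.example.com.       86400 IN NS  dma-asia-server1.example.com.
callservers.example.com.       86400 IN NS  dma-asia.example.com.            ; fault
"""

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE, virtual_hosts=["dma-asia.example.com"]):
        print(finding)
```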
License the Polycom RealPresence DMA System
A Polycom RealPresence DMA system is licensed at the cluster level (single-server or two-server). A cluster’s license specifies:
The maximum number of concurrent calls that can touch the cluster. In a supercluster configuration, note that:
A single call may touch more than one cluster. It consumes a license on each cluster it touches.
Each cluster may be licensed for a different number of calls.
If your superclustering strategy (see About Superclustering) calls for a cluster to be primary for one territory and backup for another, it must be licensed for the call volume expected when it has to take over the territory for which it’s the backup.
Whether access to the RealPresence® Platform Application Programming Interface (API) is enabled.
The API provides an API client application with programmatic access to the Polycom RealPresence DMA system (see RealPresence® Platform API). In a supercluster, all clusters must have the same API licensing status.
Note: API licenses
An API license isn’t required in order for a Polycom RealPresence Resource Manager system to access the API. It’s only needed for a client application that you or a third party develop.
License the RealPresence DMA System, Appliance Edition
You should have received either one or two license numbers for each cluster, depending on whether you ordered a single-server or two-server cluster. You must obtain an activation key code for each server from the Polycom Resource Center (PRC):
1 Enter the server’s serial number and the license number that you were given for that server.
The PRC generates an activation key for that server.
2 For a two-server cluster, repeat the process using the other server’s serial number and its license number.
3 On the Licenses page of the RealPresence DMA system, install the activation keys to activate the licenses for your system (see Licenses).
Caution: Do not generate both activation keys from the same physical server
An activation key is linked to a specific server’s serial number. For a two-server cluster, you must generate the activation key for each server using that server’s serial number. Licensing will fail if you generate both activation keys from the same server serial number.
License the RealPresence DMA System, Virtual Edition
The RealPresence DMA Virtual Edition is deployed and licensed through Polycom RealPresence Platform Director. You can view the licensing information for your system from the RealPresence DMA system user interface on the Admin > Local Cluster > Licenses page.
See the RealPresence Platform Director System Administrator’s Guide for more information.
Note: Local cluster not supported with virtual edition
The RealPresence DMA Virtual Edition does not support a two-server local cluster configuration. However, superclustering of individual RealPresence DMA Virtual Edition instances is fully supported in a virtual environment.
Set Up Signaling
Signaling setup includes configuring the following options:
Enable H.323 signaling so that the Polycom RealPresence DMA system’s Call Server operates as a gatekeeper, which may include:
Enable gatekeeper discovery via H.323 multicast.
Enable and configure H.235 device authentication.
Enable SIP signaling so that the Polycom RealPresence DMA system’s Call Server operates as a SIP registrar and proxy server, which may include:
Configure whether to support unencrypted SIP and whether to require mutual authentication (validation of client certificates).
Enable pass-through of ANAT signaling (RFC 4091 and RFC 4092).
Enable and configure SIP digest authentication.
Enable and configure special handling for untrusted (“unauthorized” or “guest”) calls from SIP session border controllers (SBCs).
To set up signaling, follow the procedure in Configure Signaling.
Configure the Call Server and Optionally Create a Supercluster
Configuring the Polycom RealPresence DMA system’s Call Server function consists of the following high-level tasks:
1 Integrate with a Polycom RealPresence Resource Manager or CMA system (see RealPresence Resource Manager Integration) or enter site topology information (see Site Topology).
2 If deploying a supercluster of multiple geographically distributed Polycom RealPresence DMA clusters:
a Set the Security Configuration page security options before superclustering (see Security Settings). But wait until after superclustering to do the rest of the security setup tasks.
b Depending on security settings, you may need to install certificates before superclustering (see Certificate Procedures).
c Create a supercluster (see About Superclustering) and configure supercluster options.
3 Create territories and assign sites to them (if you integrated with a Polycom RealPresence Resource Manager or CMA system, this must be done on that system). Assign the primary and backup cluster responsible for each territory, and designate which territories can host conference rooms (see Territories).
4 Add any external devices, such as a neighbor gatekeeper or SIP peer (see Call Server Configuration).
5 Configure the dial plan (see Dial Rules).
Set Up Security
The first step in securing your Polycom RealPresence DMA system is to locate it in a secure data center with controlled access, but that topic is beyond the scope of this document.
Secure setup of the Polycom RealPresence DMA system consists of the following high-level tasks (some of which assume you’re integrating with Active Directory and some of which overlap with other initial setup topics):
1 As the default local administrative user (admin), create a local user account for yourself with the Administrator role, log in using that account, and delete the admin user account. See Adding Users Overview and Users Procedures.
2 Create the Active Directory service account (read-only user account) that the Polycom RealPresence DMA system will use to read and integrate with Active Directory. See Active Directory Integration Procedure.
3 Assign the Administrator role to your named enterprise account, and remove the Polycom RealPresence DMA system’s user roles (see User Roles Overview) from the service account used to integrate with Active Directory. See Connect to Microsoft Active Directory® and Microsoft Active Directory® Integration.
4 Log out and log back in using your enterprise user ID and password.
5 Verify that the expected enterprise users are available in the Polycom RealPresence DMA system and that conference room IDs were successfully created for them. If necessary, adjust integration settings and correct errors. See Microsoft Active Directory® Integration, Users Procedures, and Conference Room Errors Report.
6 Obtain and install a security certificate from a trusted certificate authority. See Security Certificates Overview and Certificate Procedures.
7 Configure as needed various login policy settings (see Login Policy Settings) and optionally, a management access whitelist (see Access Policy Settings).
8 Document your current configuration for comparison in the future. We recommend saving screen captures of all the configuration pages.
9 Manually create a backup, download it, and store it in a safe place. See Backing Up and Restoring.
Set Up MCUs
Note: MCUs and RealPresence DMA system interaction
The Polycom RealPresence DMA system can interact with MCUs, or media servers, in either or both of the following two ways:
MCUs may be made available to the system’s Conference Manager to manage for multi-point conferencing (hosting virtual meeting rooms, or VMRs).
MCUs may be registered with the system’s Call Server as standalone MCUs and/or gateways.
This configuration summary assumes you want to do both.
Make sure your MCUs are configured to accept encrypted (HTTPS) management connections (required for maximum or high security mode).
Make sure that each MCU is in a site belonging to a territory for which the Polycom RealPresence DMA system is responsible. If you’re deploying a supercluster (see Configure the Call Server and Optionally Create a Supercluster and About Superclustering), make sure that each territory has a primary and backup cluster assigned to it. If the primary cluster becomes unavailable, the MCUs registered to it can re-register to the backup.
If you’re deploying a supercluster, verify that you’ve enabled the hosting of conference rooms in the right territories and assigned clusters to those territories. See Configure the Call Server and Optionally Create a Supercluster.
Standalone MCUs can register themselves to the Polycom RealPresence DMA system’s Call Server. To make an MCU available as a conferencing resource, either add it to the appropriate Polycom RealPresence DMA cluster’s Conference Manager manually or, if it’s already registered with the Call Server, edit its entry to enable it for conference rooms and provide the additional configuration information required. See MCU Management.
You must organize MCUs configured as conferencing resources into one or more MCU pools (logical groupings of media servers). Then, you can define one or more MCU pool orders that specify the order of preference in which MCU pools are used.
Note: Resource management and MCU pools
If you have a Polycom RealPresence Resource Manager system that’s going to use the RealPresence DMA system API to schedule conferences on the RealPresence DMA system’s conferencing resources (MCU pools), you must create MCU pools and pool orders specifically for the use of the RealPresence Resource Manager system. The pool orders should be named in such a way that:
They appear at the top of the pool order list presented in the RealPresence Resource Manager system.
Users of that system will understand that they should choose one of those pool orders.
If the RealPresence Resource Manager system is also going to be used to directly schedule conferences on MCUs, those MCUs should not be part of the conferencing resources (MCU pools) available to the RealPresence DMA system.
Every conference room (VMR) is associated with an MCU pool order. The pool(s) to which an MCU belongs, and the pool order(s) to which a pool belongs, are used to determine which MCU is used to host a conference. See MCU Pools and MCU Pool Orders for information about how to use pools and pool orders, as well as the rules that the system uses to choose an MCU for a user.
The Polycom RealPresence DMA system uses conference templates to define the conferencing experience associated with a conference room or enterprise group. You can create standalone templates (recommended), setting the conferencing parameters directly in the Polycom RealPresence DMA system, or link templates to RealPresence® Collaboration Server or RMX conference profiles (see Conference Templates).
Both methods allow you to specify most conference parameters:
General information such as line rate, encryption, auto termination, and H.239 settings
Video settings such as mode (presentation or lecture) and layout
IVR settings
Conference recording settings
If you want to create RealPresence DMA system templates linked to conference profiles on the RealPresence Collaboration Server or RMX MCUs, make sure the profiles used by the Polycom RealPresence DMA system exist on all the MCUs and are defined the same on all of them.
Connect to Microsoft Active Directory
Connecting to Microsoft® Active Directory® simplifies the task of deploying conferencing to a large organization. All Polycom RealPresence DMA system access to the Active Directory server is read-only and minimally impacts the directory performance. See Microsoft Active Directory Integration.
Note: Consult an expert
If you’re not knowledgeable about enterprise directories in general and your specific implementation in particular, please consult with someone who is. Active Directory integration is a non-trivial matter.
Before integrating with Active Directory, be sure that one or more DNS servers are specified (this should have been done during installation and initial setup). See Network Settings.
If you’re deploying a supercluster of multiple geographically distributed Polycom RealPresence DMA clusters, verify that you’ve assigned clusters to the territories in your site topology (see Configure the Call Server and Optionally Create a Supercluster) and decide which cluster is to be responsible for Active Directory integration.
Active Directory integration automatically makes the enterprise users (directory members) into Conferencing Users in the Polycom RealPresence DMA system, and can assign each of them a conference room (virtual meeting room, or VMR). The conference room IDs are typically generated from the enterprise users’ phone numbers.
Note: Manually add conference rooms
Creating conference rooms for enterprise users is optional. If you want to integrate with Active Directory to load user and group information into the Polycom RealPresence DMA system, but don’t want to give all users the ability to host conferences, you can do so. You can manually add conference rooms for selected users at any time. See Conference Rooms Procedures.
Once the Polycom RealPresence DMA system is integrated with Active Directory, it reads the directory information nightly, so that user and group information is updated automatically as people join and leave the organization. The system caches certain data from Active Directory. In a superclustered system, one cluster is responsible for updating the cache, which is shared with all the clusters.
Between updates, clusters access the directory only to authenticate passwords (for instance, for management interface login); all other user information (such as user search results) comes from the cache. You can manually update the cache at any time.
Enterprise groups can have their own conference templates that provide a custom conferencing experience (see Conference Templates). They can also have their own MCU pool order, which preferentially routes conferences to certain MCUs (see MCU Pool Orders).
You can assign Polycom RealPresence DMA system roles to an enterprise group, applying the roles to all members of the group and enabling them to log into the Polycom RealPresence DMA system’s management interface with their standard network user names and passwords.
See User Roles Overview, Groups, and Enterprise Groups Procedures.
There are security concerns that need to be addressed regarding user accounts, whether local or enterprise. See the high-level process described in Set Up Security.
Set Up Conference Templates
The Polycom RealPresence DMA system uses conference templates and global conference settings to manage system and conference behavior, and it has a default conference template and default global conference settings.
After you’ve added MCUs to the system, you may want to change the global conference settings or create additional templates that specify different conference properties.
If you integrate with Active Directory, you can use templates to provide customized conferencing experiences for various enterprise groups.
When you add a custom conference room to a user (either local or enterprise), you can choose which template that conference room uses.
To add conference templates, see Conference Templates Procedures. To change conference settings, see Conference Settings. To customize the conferencing experience for an enterprise group, see Enterprise Groups Procedures.
Test the System
On the Signaling Settings page (see Signaling Settings), verify that:
If you enabled H.323, the H.323 Signaling Status section indicates that the signaling status is Active and the port assignments are correct.
If you enabled SIP, the SIP Signaling Status section shows that the correct protocols and listening ports are enabled.
Have some endpoints register with the Polycom RealPresence DMA Call Server and make point-to-point calls to each other.
On the Dashboard (see Dashboard), verify that:
The information in the Cluster Info pane looks correct, including the time, network settings, and system resource information.
The Supercluster Status pane shows the correct number of servers and clusters, and the network interfaces that should be working (depending on your IP type and split network settings) are up (green up arrow) and in full duplex mode, with the speed correct for your enterprise network.
The Call Server Registrations pane shows that the endpoints that attempted to register did so successfully.
The Call Server Active Calls pane shows that the endpoints that made calls did so successfully, and the call limits per cluster and total are correct for your licenses.
The Conference Manager MCUs pane shows that the MCUs you added are connected and in service.
The information on the Active Directory Integration pane looks correct, including the status, cache refresh data, and enterprise conference room count.
Set up some multipoint conferences by having endpoints dial into enterprise users’ conference rooms (preferably including a custom conference room). Verify that conferencing works satisfactorily, that the system status is good, and that the Conference Manager Usage pane accurately presents the status.
When you’re satisfied that the Polycom RealPresence DMA system is configured and working properly, manually create a backup, download it, and store it in a safe place. See Backing Up and Restoring.
System Security
This section describes the following Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system security topics:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Security Settings
The Consequences of Enabling Maximum Security Mode
Login Policy Settings
Reset System Passwords
Security Certificates Overview
How Certificates Work
X.509 certificates are a security technology that assists networked computers in determining whether to trust each other.
A single, centralized certificate authority (CA) is established. Typically, this is either an enterprise’s IT department or a commercial certificate authority.
Each computer on the network is configured to trust the central certificate authority.
Each server on the network has a public certificate that identifies it.
The certificate authority signs the public certificates of those servers that clients should trust.
When a client connects to a server, the server shows its signed public certificate to the client. Trust is established because the certificate has been signed by the certificate authority, and the client has been configured to trust the certificate authority.
Forms of Certificates Accepted by the Polycom RealPresence DMA System
X.509 certificates come in several forms (encoding and protocol). The following table shows the forms that can be installed in the Polycom RealPresence DMA system.
Encoding, then Protocol / File Type: Description and Installation Method
PEM (Base64-encoded ASCII text)
    PKCS #7 protocol P7B file: Certificate chain containing a signed certificate for the system (authenticating its public key), the CA’s public certificate, and sometimes intermediate certificates. Upload file or paste into text box.
    CER (single certificate) file: Signed certificate for the system, authenticating its public key. Upload file or paste into text box.
    Certificate text: Encoded certificate text copied from CA’s email or secure web page. Paste into text box.
DER (binary format using ASN.1 Distinguished Encoding Rules)
    PKCS #12 protocol PFX file: Certificate chain containing a signed certificate for the system (authenticating its public key), a private key for the system, and the CA’s public certificate. Upload file.
    PKCS #7 protocol P7B file: Certificate chain containing a signed certificate for the system (authenticating its public key), the CA’s public certificate, and sometimes intermediate certificates. Upload file.
    CER (single certificate) file: Signed certificate for the system, authenticating its public key. Upload file.
How Certificates Are Used by the Polycom RealPresence DMA System
The Polycom RealPresence DMA system uses X.509 certificates in the following ways:
1 When a user logs into the Polycom RealPresence DMA system’s browser-based management interface, the Polycom RealPresence DMA system (server) offers an X.509 certificate to identify itself to the browser (client).
The Polycom RealPresence DMA system’s certificate must have been signed by a certificate authority (see Certificate Procedures).
The browser must be configured to trust that certificate authority (beyond the scope of this documentation).
If trust can’t be established, most browsers allow connection anyway, but display a dialog to the user, requesting permission.
2 When the Polycom RealPresence DMA system connects to a Microsoft Active Directory server, it may present a certificate to the server to identify itself.
If Active Directory is configured to require a client certificate (this is not the default), the Polycom RealPresence DMA system offers the same SSL server certificate that it offers to browsers connecting to the system management interface. Active Directory must be configured to trust the certificate authority, or it rejects the certificate and the connection fails.
3 When the Polycom RealPresence DMA system connects to a Microsoft Exchange server (if the calendaring service is enabled; see Microsoft Exchange Server Integration), it may present a certificate to the server to identify itself.
Unless the Allow unencrypted calendar notifications from Exchange server security option is enabled (see Security Settings), the Polycom RealPresence DMA system offers the same SSL server certificate that it offers to browsers connecting to the system management interface. The Microsoft Exchange server must be configured to trust the certificate authority. Otherwise, the Microsoft Exchange Server integration status (see Dashboard) remains Subscription pending indefinitely, the Polycom RealPresence DMA system does not receive calendar notifications, and incoming meeting request messages are only processed approximately every 4 minutes.
4 When the Polycom RealPresence DMA system connects to a RealPresence Collaboration Server or RMX MCU configured for secure communications (this is not the default), a certificate may be used to identify the MCU (server) to the Polycom RealPresence DMA system (client).
5 When performing call signaling requiring TLS, the Polycom RealPresence DMA system presents its certificate to the connecting client (one-way TLS). If the Require mutual authentication (validation of client certificates) SIP Settings option is enabled (see Signaling Settings), the system uses the installed CA certificates to authenticate the connecting client’s certificate as well (mutual TLS).
Frequently Asked Questions
Q. Is it secure to send my certificate request through email?
A. Yes. The certificate request, signed certificate, intermediate certificates, and authority certificates that are sent through email don’t contain any secret information. There is no security risk in letting untrusted third parties see their contents.
As a precaution, you can verify the certificate fingerprints (which can be found in the Certificate Details popup) with the certificate authority via telephone. This ensures that a malicious third party didn’t substitute a fake email message with fake certificates.
Q. Why doesn’t the information on the Certificate Details popup match the information that I filled out in the signing request form?
A. Commercial certificate authorities routinely replace the organizational information in the certificate with their own slightly different description of your organization.
Q. I re-installed the Polycom RealPresence DMA system software. Why can’t I re-install my signed public certificate?
A. X.509 certificates use public/private key pair technology. The public key is contained in your public certificate and is provided to any web browser that asks for it. The private key never leaves the Polycom RealPresence DMA system.
As part of software installation, the Polycom RealPresence DMA system generates a new public/private key pair. The public key from your old key pair can’t be used with the new private key.
To re-use your signed public certificate, try restoring from backup. Both the public and private keys are saved as part of a backup file. Alternatively, if the certificate you want to reinstall is a PKCS#12 certificate, it contains a private key and will replace both the public key and the private key generated at installation time.
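The fingerprint precaution from the first answer can be applied before anything is pasted into the system. The following is an added example, not part of the Polycom manual: it splits pasted PEM text into its blocks, tells PEM from DER input, and computes the SHA1 and MD5 fingerprints to read back to the certificate authority. The sample input is constructed (two tiny DER values, not real certificates), and the colon-separated display format is an assumption about how fingerprints are shown.

```python
from __future__ import annotations

import base64
import hashlib
import re

# One PEM block: BEGIN line, Base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Labels quoted in this manual plus the usual label for a P7B chain.
KINDS = {
    "CERTIFICATE": "certificate",
    "NEW CERTIFICATE REQUEST": "signing request",
    "CERTIFICATE REQUEST": "signing request",
    "PKCS7": "PKCS #7 chain",
}


def classify(data: bytes) -> str:
    """Return 'PEM' for ASCII-armoured input, 'DER' for binary ASN.1, else 'unknown'."""
    if b"-----BEGIN " in data:
        return "PEM"
    # DER certificates, PKCS #7 and PKCS #12 files all begin with a SEQUENCE tag (0x30).
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hash the DER bytes and format the digest as colon-separated upper-case hex."""
    digest = hashlib.new(algorithm, der, usedforsecurity=False).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_fingerprint(a: str, b: str) -> bool:
    """Compare two fingerprints while ignoring case, colons and spaces."""
    def strip(s: str) -> str:
        return re.sub(r"[^0-9a-fA-F]", "", s).lower()
    return strip(a) == strip(b)


def split_pem(text: str) -> list[dict]:
    """Decode every PEM block in pasted text; bad Base64 raises binascii.Error."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append({
            "label": label,
            "kind": KINDS.get(label, "unrecognised"),
            "der": der,
            "sha1": fingerprint(der, "sha1"),
            "md5": fingerprint(der, "md5"),
        })
    return blocks


# Constructed sample: SEQUENCE { INTEGER n } values standing in for certificates.
SAMPLE_DER = [bytes([0x30, 0x03, 0x02, 0x01, n]) for n in (1, 2)]
SAMPLE_PASTE = "".join(
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(der).decode()
    + "-----END CERTIFICATE-----\n"
    for der in SAMPLE_DER
)

if __name__ == "__main__":
    for block in split_pem(SAMPLE_PASTE):
        print(block["kind"], "SHA1", block["sha1"], "MD5", block["md5"])
```

A mismatch between a value computed here and the one the certificate authority reads out means the received text is not the certificate that was issued.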
See also:
System Security
Certificate Settings
Certificate Procedures
Certificate Settings
The following table describes the fields on the Certificate Settings page.
Column Description
Enable OCSP Enables the use of Online Certificate Status Protocol as a means of obtaining the revocation status of a certificate presented to the system.
    If OCSP responder URL is not specified, the system checks the certificate’s AuthorityInfoAccess (AIA) extension fields for the location of an OCSP responder:
        If there is none, the certificate fails validation.
        Otherwise, the system sends the OCSP request to the responder identified in the certificate.
    If OCSP responder URL is specified, the system sends the OCSP request to that responder.
    The responder returns a message indicating whether the certificate is good, revoked, or unknown.
    If OCSP certificate is specified, the response message must be signed by the specified certificate’s private key.
OCSP responder URL Identifies the responder to be used for all OCSP requests, overriding the AIA field values.
    If OCSP certificate is specified, the response message must be signed by the specified certificate’s private key.
OCSP certificate Select a certificate to require OCSP response messages to be signed by the specified certificate’s private key.
Store OCSP Configuration Saves the OCSP configuration.
Identifier Common name of the certificate.
Purpose Kind of certificate:
    Server SSL is the RealPresence DMA system’s public certificate, which it presents to identify itself. By default, this is a self-signed certificate, not trusted by other devices.
    Trusted Root CA is the root certificate of a certificate authority that the RealPresence DMA system trusts.
    Intermediate CA is a CA certificate that trusted root CAs issue themselves to sign certificate signing requests (reducing the likelihood of their root certificate being compromised). If the RealPresence DMA system trusts the root CA, then the chain consisting of it, its intermediate CA certificates, and the server certificate will all be trusted.
Expiration Expiration date of certificate.
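The OCSP rules in the table above can be modelled to see which certificates would fail once Enable OCSP is turned on. This is an added example, not Polycom's code. It assumes that only a "good" status passes, it stands in for signature verification by comparing a signer fingerprint, and the fetch callable, class names and sample bytes are hypothetical and constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Complete DER TLV for the id-ad-ocsp OID (1.3.6.1.5.5.7.48.1).
ID_AD_OCSP = bytes.fromhex("06082b06010505073001")


def aia_ocsp_urls(cert_der: bytes) -> list[str]:
    """Find OCSP responder URLs in a DER certificate's AIA extension.

    Byte scan rather than a full ASN.1 parser: each AccessDescription is the
    id-ad-ocsp OID followed by a URI GeneralName (tag 0x86, short-form length).
    """
    urls = []
    pos = cert_der.find(ID_AD_OCSP)
    while pos != -1:
        i = pos + len(ID_AD_OCSP)
        if cert_der[i:i + 1] == b"\x86" and i + 1 < len(cert_der):
            length = cert_der[i + 1]
            if length < 0x80:
                urls.append(cert_der[i + 2:i + 2 + length].decode("ascii", "replace"))
        pos = cert_der.find(ID_AD_OCSP, pos + 1)
    return urls


@dataclass
class OcspSettings:
    enabled: bool                         # "Enable OCSP"
    responder_url: Optional[str] = None   # "OCSP responder URL"
    signer_pin: Optional[str] = None      # stand-in for "OCSP certificate"


@dataclass
class OcspResponse:
    status: str   # "good", "revoked" or "unknown"
    signer: str   # fingerprint of the certificate whose key signed the response


def select_responder(settings: OcspSettings, cert_der: bytes) -> Optional[str]:
    """A configured URL overrides the AIA field; otherwise use the certificate's own."""
    if settings.responder_url:
        return settings.responder_url
    urls = aia_ocsp_urls(cert_der)
    return urls[0] if urls else None


def check_certificate(settings: OcspSettings, cert_der: bytes,
                      fetch: Callable[[str], OcspResponse]) -> tuple[bool, str]:
    """Return (accepted, reason) following the table's rules, failing closed."""
    if not settings.enabled:
        return True, "OCSP disabled"
    url = select_responder(settings, cert_der)
    if url is None:
        return False, "no responder configured and none in AIA"
    response = fetch(url)
    if settings.signer_pin and response.signer != settings.signer_pin:
        return False, "response not signed by the configured OCSP certificate"
    if response.status != "good":  # assumption: revoked and unknown both fail
        return False, "responder status: " + response.status
    return True, "good from " + url


def sample_aia_fragment(url: bytes) -> bytes:
    """Constructed sample: one AccessDescription SEQUENCE, not a full certificate."""
    access = ID_AD_OCSP + b"\x86" + bytes([len(url)]) + url
    return b"\x30" + bytes([len(access)]) + access


if __name__ == "__main__":
    def responder(url: str) -> OcspResponse:
        return OcspResponse("good", "AA:BB")
    with_aia = sample_aia_fragment(b"http://ocsp.example.test/")
    print(check_certificate(OcspSettings(True), with_aia, responder))
    print(check_certificate(OcspSettings(True), b"\x30\x00", responder))
```

The second call shows the case worth checking before enabling OCSP: a certificate without an AIA responder is rejected unless an OCSP responder URL is configured.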
See also:
Security Certificates Overview
Certificate Signing Request Dialog
Add Certificates Dialog
Certificate Details Dialog
Certificate Procedures
Certificate Information Dialog
The Certificate Information dialog appears when you click Create Certificate Signing Request in the Actions list (if a signing request has already been issued, you’re first asked whether to use the existing one or create a new one). The following table describes the fields in the dialog.
Field Description
Common name (CN) Defaults to the FQDN of the system’s management interface, as defined by the virtual host name and domain specified on the Network page. Editable.
Signature algorithm The cryptographic hash algorithm used to sign the CSR. Use SHA256 for maximum security. Use SHA1 when necessary for interoperability.
Organizational unit (OU) Subdivision of organization. Specify up to three OUs. Optional.
Organization (O) Optional.
City or locality (L) Optional.
State (ST) Optional.
Country (C) Two-character country code.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Certificate Signing Request Dialog
The Certificate Signing Request dialog appears when you create a request in the Certificate Information dialog.
The Summary section at the top displays the information from the Certificate Information dialog.
The Encoded Request box below displays the encoded certificate request text, which you can select and copy.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Add Certificates Dialog
The Add Certificates dialog appears when you click Add Certificates in the Actions list. It lets you install signed certificates or certificate chains. You can do so in two ways:
Upload a PFX, PEM, or P7B certificate file.
Paste PEM-format certificate text into the dialog.
The following table describes the fields in the dialog.
Field Description
Upload certificate If checked, the Password field and Upload file button enable you to upload a PFX, PEM, or P7B certificate file.
Password Enter the password, if any, assigned to the certificate file when it was created.
Upload file Click the button to browse to the file you want to upload.
Paste certificate If checked, the text field below enables you to paste in the text of PEM certificate files.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Certificate Details Dialog
The Certificate Details dialog appears when you click Display Details in the Actions list. It displays information about the certificate selected in the list, as outlined in the following table.
Section Description
Certificate Info Purpose and alias of the certificate.
Issued To Information about the entity to which the certificate was issued and the certificate serial number.
Issued By Information about the issuer.
Validity Issue and expiration dates.
Fingerprints SHA1 and MD5 fingerprints (checksums) for confirming certificate.
Subject Alternative Names Additional identities bound to the subject of the certificate. For the Polycom RealPresence DMA system, this should include the virtual and physical FQDNs, short host names, and IP addresses of the system.
Extended Key Usage Indicates the purposes for which the certificate can be used. The Polycom RealPresence DMA system’s certificate is used for both server and client connections, so this should always contain at least serverAuth and clientAuth.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Certificate procedures include the following:
Install your chosen certificate authority’s public certificate, if necessary, so that the Polycom RealPresence DMA system trusts that certificate authority.
Create a certificate signing request to submit to the certificate authority.
Install a public certificate signed by your certificate authority that identifies the Polycom RealPresence DMA system.
Remove a signed certificate or a certificate authority’s certificate.
Note: Obtaining certificates for Microsoft environments
If you’re configuring the Polycom RealPresence DMA system to support Polycom’s solution for the Microsoft OCS or Lync environment, you can use Microsoft’s Certificate Wizard to request and obtain a PFX file (a password-protected PKCS12 file containing a private key and public key for the system, and the CA’s certificate).
Once you have the PFX file, you’re ready to install it. See Polycom’s solution deployment guide for information about using the Certificate Wizard and other steps needed to implement the solution.
Install a Certificate Authority’s Certificate
This procedure is not necessary if you obtain a certificate chain that includes a signed certificate for the Polycom RealPresence DMA system, your certificate authority’s public certificate, and any intermediate certificates.
Use this procedure to add a trusted certificate authority, either an in-house or commercial CA.
Caution: Installing or removing certificates requires a restart
Installing or removing certificates requires a system restart and terminates all active conferences.
When you install or remove a certificate, the change is made to the certificate store immediately, but the system can’t implement the change until it restarts and reads the changed certificate store.
For your convenience, you’re not required to restart and apply a change immediately. This permits you to perform multiple installs or removals before restarting and applying the changes. But when you’re finished making changes, you must select Restart to Apply Saved Changes to restart the system and finish your update.
Before you begin, make sure there are no active conferences and you’re prepared to restart the system when you’re finished.
To install a certificate for a trusted root CA
1 Go to Admin > Local Cluster > Certificates.
The installed certificates are listed. The Trusted Root CA entries, if any, represent the certificate authorities whose public certificates are already installed on the RealPresence DMA system and are thus trusted.
2 If you’re using a certificate authority that isn’t listed, obtain a copy of your certificate authority’s public certificate.
The certificate must be either a single X.509 certificate or a PKCS#7 certificate chain. If it’s ASCII text, it’s in PEM format, and starts with the text -----BEGIN CERTIFICATE-----. If it’s a file, it can be either PEM or DER encoded.
3 In the Actions list, select Add Certificates.
4 In the Add Certificates dialog, do one of the following:
If you have a file, click Upload certificate, enter the password (if any) for the file, and browse to the file or enter the path and file name.
If you have PEM-format text, copy the certificate text, click Paste certificate, and paste it into the text box below.
5 Click OK.
6 Verify that the certificate appears in the list as a Trusted Root CA.
7 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Create a Certificate Signing Request in the RealPresence DMA System
The procedure below creates a certificate signing request (CSR) that you can submit to your chosen certificate authority. This method uses the private key generated at software installation time.
To create a certificate signing request
1 Go to Admin > Local Cluster > Certificates.
By default, the system is configured to use a self-signed certificate.
2 To see details of the public certificate currently being used to identify the system to other computers:
a In the list, select the Server SSL certificate.
b In the Actions list, select Display Details.
The Certificate Details dialog appears. If this is the default self-signed certificate, Organizational Unit is Self Signed Certificate.
c To close the dialog, click OK.
3 In the Actions list, select Create Certificate Signing Request.
If you’ve created a signing request before, you’re asked if you want to use your existing certificate request or generate a new one. Elect to generate a new one.
4 In the Certificate Information dialog, enter the identifying information for your Polycom RealPresence DMA system (see Certificate Information Dialog) and click OK.
The Certificate Signing Request dialog displays the encoded request (see Certificate Signing Request Dialog).
5 Copy the entire contents of the Encoded Request box (including the text -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) and submit it to your certificate authority.
Depending on the certificate authority, your CSR may be submitted via email or by pasting into a web page.
6 Click OK to close the dialog.
When your certificate authority has processed your request, it sends you a signed public certificate for your Polycom RealPresence DMA system. Some certificate authorities also send intermediate certificates and/or root certificates. Depending on the certificate authority, these certificates may arrive as e-mail text, e-mail attachments, or be available on a secure web page.
The Polycom RealPresence DMA system accepts PKCS#7 or PKCS#12 certificate chains or single certificates.
Caution: Some CSR fields should not be modified
When you submit the CSR to your CA, make sure that the CA doesn’t modify any of the predefined SAN fields or the X.509v3 Key Usage or Extended Key Usage fields. Changes to these fields may make your system unusable. Contact Polycom technical support if you have any questions about this.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Install a Certificate in the RealPresence DMA System
The procedure below installs the certificate or certificate chain provided by the certificate authority. It assumes that you’ve received the certificate or certificate chain in one of the following forms:
A PFX, P7B, or single certificate file that you’ve saved on your computer.
PEM-format encoded text that you received in an e-mail or on a secure web page.
Caution: Installing or removing certificates requires a restart
Installing or removing certificates requires a system restart and terminates all active conferences.
When you install or remove a certificate, the change is made to the certificate store immediately, but the system can’t implement the change until it restarts and reads the changed certificate store.
For your convenience, you’re not required to restart and apply a change immediately. This permits you to perform multiple installs or removals before restarting and applying the changes. But when you’re finished making changes, you must select Restart to Apply Saved Changes to restart the system and finish your update.
Before you begin, make sure there are no active conferences and you’re prepared to restart the system when you’re finished.
To install a signed certificate that identifies the Polycom RealPresence DMA system
1 When you receive your certificate(s), return to Admin > Local Cluster > Certificates.
2 In the Actions list, select Add Certificates.
3 In the Add Certificates dialog, do one of the following:
If you have a PFX, P7B, or single certificate file, click Upload certificate, enter the password (if any) for the file, and browse to the file or enter the path and file name.
If you have PEM-format text, copy the certificate text, click Paste certificate, and paste it into the text box below. You can paste multiple PEM certificates one after the other.
4 Click OK.
5 To verify that the new signed certificate has replaced the default self-signed certificate:
a In the list of certificates, once again select the Server SSL certificate.
b In the Actions list, select Display Details.
The Certificate Details dialog appears.
c Confirm from the information under Issued To and Issued By that the self-signed default certificate has been replaced by your signed public certificate from the certificate authority.
d Click OK to close the dialog.
6 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Remove a Certificate from the RealPresence DMA System
There are two kinds of certificate removal:
Removing the certificate of a Trusted Root CA so that the system no longer trusts certificates signed by that certificate authority.
Removing the signed certificate currently in use as the Server SSL certificate so that the system reverts to using the default self-signed Server SSL certificate.
Removing a signed certificate also removes the certificate of the Trusted Root CA that signed it, along with any intermediate certificates provided by that certificate authority.
Both procedures are described below.
Caution: Installing or removing certificates requires a restart
Installing or removing certificates requires a system restart and terminates all active conferences.
When you install or remove a certificate, the change is made to the certificate store immediately, but the system can’t implement the change until it restarts and reads the changed certificate store.
For your convenience, you’re not required to restart and apply a change immediately. This permits you to perform multiple installs or removals before restarting and applying the changes. But when you’re finished making changes, you must select Restart to Apply Saved Changes to restart the system and finish your update.
Before you begin, make sure there are no active conferences and you’re prepared to restart the system when you’re finished.
To remove a Trusted Root CA’s certificate
1 Go to Admin > Local Cluster > Certificates.
2 In the certificates list, select the certificate you want to delete.
3 In the Actions list, select Display Details and confirm that you’ve selected the correct certificate. Then click OK.
4 In the Actions list, select Delete Certificate.
5 When asked to confirm, click Yes.
A dialog informs you that the certificate has been deleted.
6 Click OK.
7 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
To remove a signed certificate and revert to the default self-signed certificate
1 Go to Certificates.
2 In the Actions list, select Revert to Default Certificate.
3 When asked to confirm, click Yes.
A dialog informs you that the system has reverted to a self-signed certificate.
4 Click OK.
5 Click Restart to Apply Saved Changes, and when asked to confirm that you want to restart the system so that certificate changes can take effect, click OK.
6 After the system restarts, log back in, return to Admin > Local Cluster > Certificates, and verify that the system has reverted to the default self-signed certificate:
a In the list of certificates, select the Server SSL certificate.
b In the Actions list, select Display Details.
The Certificate Details dialog appears.
c Confirm from the information under Issued To and Issued By that the default self-signed certificate has replaced the CA-signed certificate.
d Click OK to close the dialog.
See also:
Security Certificates Overview
Certificate Settings
Certificate Procedures
Security Settings
The Security Settings page lets you switch between high security mode and a custom security mode in which one or more insecure capabilities are allowed. It also lets you switch to, but not from, a maximum security mode.
Caution: High security setting recommended
We recommend always using the High security setting unless you have a specific and compelling need to allow one of the insecure capabilities.
We recommend the Maximum security setting only for those environments where the most stringent security protocols must be adhered to.
Enabling Maximum security is irreversible and has significant consequences (see The Consequences of Enabling Maximum Security Mode). Don’t choose this setting unless you know what you’re doing and are prepared for the consequences. Refer to the Polycom RealPresence DMA 7000 System Deployment Guide for Maximum Security Environments for additional important information about enabling this setting.
Note: Security settings must match across superclusters
All clusters in a supercluster must have the same security settings. Before attempting to join a supercluster, make sure the cluster’s security settings match those of the other members of the supercluster. You can’t change a cluster’s security settings while it’s part of a supercluster.
Note: Maximum security mode unsupported in virtual edition
The RealPresence DMA system, Virtual Edition, does not support Maximum Security Mode.
The following table describes the options in the Security Settings page.
Field Description
Maximum security An extremely high security mode suitable for use where very strict security requirements apply. Once this mode is enabled, it’s no longer possible to reduce the security level. See caution above.
High security Recommended setting for normal operation.
Custom security Lets you enable one or more of the unsecured methods of network access listed below it.
Allow Linux console access Enables the Linux user root to log into the system using SSH. This direct Linux access isn’t needed for normal operation, routine maintenance, or even troubleshooting, all of which can be done through the administrative GUI.
In extreme circumstances, this option might enable expert Polycom Global Services personnel to more fully understand the state of a troubled system or correct problems. Enable this option only when asked to do so by Polycom Global Services.
Allow unencrypted connections to the Active Directory
Normally, the Polycom RealPresence DMA system connects to Active Directory using SSL or TLS encryption. But if the Active Directory server or servers (including domain controllers if you import global groups) aren’t configured to support encryption, the Polycom RealPresence DMA system can only connect using an unencrypted protocol. This option allows such connections if an encrypted connection can’t be established.
This configuration causes an extreme security flaw: the unencrypted passwords of enterprise users are transmitted over the network, where they can easily be intercepted.
Use this option only for diagnostic purposes. By toggling it, you can determine whether encryption is the cause of a failure to connect to Active Directory or to load group data. If so, the solution is to correctly configure the relevant servers, not to allow ongoing use of unencrypted connections.
Allow unencrypted connections to MCUs
Normally, the Polycom RealPresence DMA system uses only HTTPS for the conference control connection to RealPresence Collaboration Server or RMX MCUs, and therefore can’t control an MCU that accepts only HTTP (the default). This option enables the system to fall back to HTTP for MCUs not configured for HTTPS.
We recommend configuring your MCUs to accept encrypted connections rather than enabling this option. When unencrypted connections are used, the RealPresence Collaboration Server or RMX login name and password are sent unencrypted over the network.
Allow unencrypted calendar notifications from Exchange server
Normally, if calendaring is enabled, the Polycom RealPresence DMA system gives the Microsoft Exchange server an HTTPS URL to which the Exchange server can deliver calendar notifications. In that case, the Polycom RealPresence DMA system must have a certificate that the Exchange server accepts in order for the HTTPS connection to work.
If this option is selected, the Polycom RealPresence DMA system does not require HTTPS for calendar notifications.
We recommend installing a certificate trusted by the Exchange server and using an HTTPS URL for notifications rather than enabling this option.
Allow basic authentication to Exchange server
Normally, if calendaring is enabled, the Polycom RealPresence DMA system authenticates itself with the Exchange server using NTLM authentication.
If this option is selected, the Polycom RealPresence DMA system still attempts to use NTLM first. But if that fails or isn’t enabled on the Exchange server, then the RealPresence DMA system falls back to HTTP Basic authentication (user name and password).
We recommend using NTLM authentication rather than enabling this option.
In order for either NTLM or HTTP Basic authentication to work, they must be enabled on the Exchange server.
Skip validation of certificates received while making outbound connections
Normally, when the Polycom RealPresence DMA system connects to a server, it validates that server’s certificate.
This option configures the system to accept any certificate presented to it without validating it.
We recommend using valid certificates for all servers that the system may need to contact rather than enabling this option. Depending on system configuration, this may include:
MCUs
Active Directory
Exchange
RealPresence Resource Manager system
Other RealPresence DMA systems
Endpoints
Note: Either the Common Name (CN) or Subject Alternate Name (SAN) field of the server’s certificate must contain the address or host name specified for the server in the Polycom RealPresence DMA system.
Polycom MCUs don't include their management IP address in the SAN field of the CSR (Certificate Signing Request), so their certificates identify them only by the CN. Therefore, in the Polycom RealPresence DMA system, a Polycom MCU's management interface must be identified by the name specified in the CN field (usually the FQDN), not by IP address.
Similarly, an Active Directory server certificate often specifies only the FQDN. So in the Polycom RealPresence DMA system, identify the enterprise directory by FQDN, not by IP address.
Unlock SIP Settings mutual authentication option on the Signaling Settings page
Normally, during encrypted call signaling (SIP over TLS), the Polycom RealPresence DMA system requires the remote party (endpoint or MCU) to present a valid certificate. This is known as mutual TLS.
When enabled, this check box unlocks the Require mutual authentication (validation of client certificates) option for SIP signaling on the Signaling Settings page, allowing you to disable the mutual TLS requirement for SIP signaling.
Polycom recommends installing valid certificates on your endpoints and MCUs rather than enabling this option.
Allow non-conference participants to receive conference events
The SIP SUBSCRIBE/NOTIFY conference notification service (as described in RFCs 3265 and 4575) allows SIP devices to subscribe to a conference and receive conference rosters and notifications of conference events. Normally, the subscribing endpoints are conference participants.
This option configures the system to let devices subscribe to a conference without being participants in the conference.
Note: A subscription to a conference by a non-participant consumes a call license. Call history doesn’t include data for non-participant subscriptions.
The following settings may be configured in any security mode.
Skip validation of certificates for inbound connections
This option may be configured in any security mode, and affects inbound connections from entities like web browsers and API clients.
If this option is turned off, you can only connect to the Polycom RealPresence DMA system if your browser presents a client certificate issued by a CA that the system trusts (this is known as mutual TLS for administrative connections).
Turn this option off only if:
You’ve implemented a complete public key infrastructure (PKI) system, including a CA server, client software (and optionally hardware, tokens, or smartcards), and the appropriate operational procedures.
The CA’s public certificate is installed in the Polycom RealPresence DMA system so that it trusts the CA.
All authorized users, including yourself, have a client certificate signed by the CA that authenticates them to the Polycom RealPresence DMA system.
Allow forwarding of IPv6 ICMP destination unreachable messages
This option may be configured in any security mode.
If this option is off, the Polycom RealPresence DMA system has an internal firewall rule that blocks outbound destination unreachable messages. If this option is on, that firewall rule is disabled.
Note: The Polycom RealPresence DMA system currently doesn’t send such messages, regardless of this setting.
Allow IPv6 ICMP echo reply messages to multicast addresses
This option may be configured in any security mode.
If this option is off, the Polycom RealPresence DMA system doesn't reply to echo request messages sent to multicast addresses (multicast pings). If this option is on, the system responds to multicast pings.
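The CN/SAN rule noted under Skip validation of certificates received while making outbound connections can be checked before you rely on certificate validation. The following is an added example, not part of the Polycom documentation or product: it takes certificates as dictionaries shaped like the output of Python's ssl.SSLSocket.getpeercert(), uses constructed sample certificates and host names, and assumes exact (non-wildcard) name matching.

```python
import ipaddress


def _ip(value):
    """Return an ipaddress object when value is an IP literal, otherwise None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _host(value):
    """Normalise a host name for comparison (case-insensitive, no trailing dot)."""
    return value.strip().lower().rstrip(".")


def cert_identities(cert):
    """Collect CN and SAN values from a dict shaped like ssl.SSLSocket.getpeercert()."""
    names, addrs = set(), set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key != "commonName":
                continue
            ip = _ip(value)
            if ip is not None:
                addrs.add(ip)
            else:
                names.add(_host(value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(_host(value))
        elif kind == "IP Address":
            ip = _ip(value)
            if ip is not None:
                addrs.add(ip)
    return names, addrs


def identifies(cert, configured):
    """True when the configured address or host name appears in the CN or SAN."""
    names, addrs = cert_identities(cert)
    ip = _ip(configured)
    if ip is not None:
        return ip in addrs
    return _host(configured) in names


def audit(servers):
    """Return (label, configured, usable identifiers) for each server that would fail."""
    findings = []
    for label, configured, cert in servers:
        if not identifies(cert, configured):
            names, addrs = cert_identities(cert)
            usable = sorted(names) + sorted(str(a) for a in addrs)
            findings.append((label, configured, usable))
    return findings


# Constructed sample certificates (not taken from any real system).
MCU_CERT = {"subject": ((("commonName", "mcu1.example.com"),),)}  # CN only, no SAN
AD_CERT = {
    "subject": ((("commonName", "dc1.example.com"),),),
    "subjectAltName": (("DNS", "dc1.example.com"),),
}
PEER_DMA_CERT = {
    "subject": ((("commonName", "dma2.example.com"),),),
    "subjectAltName": (("DNS", "dma2.example.com"), ("IP Address", "10.0.0.12")),
}

# (label, address as entered in the DMA configuration, certificate the server presents)
SERVERS = [
    ("MCU by IP", "10.0.0.5", MCU_CERT),
    ("MCU by FQDN", "MCU1.example.com", MCU_CERT),
    ("Active Directory by IP", "10.0.0.9", AD_CERT),
    ("Peer DMA by IP", "10.0.0.12", PEER_DMA_CERT),
]

if __name__ == "__main__":
    for label, configured, usable in audit(SERVERS):
        print(f"{label}: {configured!r} is not in the certificate; use one of {usable}")
```

Servers that the audit reports are the ones to re-enter by the listed name, or to re-issue certificates for, instead of enabling the skip-validation option.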
To change the security settings
1 Go to Admin > Local Cluster > Security Settings.
2 To switch from a custom setting back to the recommended security mode, click High security.
3 To switch from the recommended security mode to a custom setting:
a Click Custom security.
b Check the unsecured network access method(s) that you want to enable.
4 Click Update.
A dialog informs you that the configuration has been updated.
Note: Skip validation of certificates for inbound connections is automatically re-enabled
If you turn off Skip validation of certificates for inbound connections, the system notifies you that if you don’t log back in within 5 minutes, the setting will be automatically turned back on. This is a safety precaution to ensure that at least one user is still able to access the system.
5 Click OK.
See also:
System Security
Certificate Settings
Login Policy Settings
Reset System Passwords
The Consequences of Enabling Maximum Security Mode
Enabling the Maximum security setting is irreversible and has the following significant consequences:
All unencrypted protocols and unsecured access methods are disabled, and the enhanced support feature is disabled.
The boot order is changed so that the server(s) can’t be booted from the optical drive or a USB device.
A BIOS password is set.
The port 443 redirect is removed, and the system can only be accessed by the full URL (https://<IP>:8443/dma7000, where <IP> is one of the system's management IP addresses or a host name that resolves to one of those IP addresses).
For all server-to-server connections, the system requires the remote party to present a valid X.509 certificate. Either the Common Name (CN) or Subject Alternate Name (SAN) field of that certificate must contain the address or host name specified for the server in the Polycom RealPresence DMA system.
Polycom RMX MCUs don’t include their management IP address in the SAN field of the CSR (Certificate Signing Request), so their certificates identify them only by the CN. Therefore, in the Polycom RealPresence DMA system, an RMX MCU's management interface must be identified by the host name or FQDN specified in the CN field, not by IP address.
Similarly, an Active Directory server certificate often specifies only the FQDN. Therefore, in the Polycom RealPresence DMA system, the Active Directory must be identified by FQDN, not by IP address.
Superclustering is not supported.
The Polycom RealPresence DMA system can’t be integrated with Microsoft Exchange Server and doesn’t support virtual meeting rooms (VMRs) created by the Polycom Conferencing Add-in for Microsoft Outlook.
Integration with a Polycom RealPresence Resource Manager system is not supported.
On the Banner page, Enable login banner is selected and can’t be disabled.
On the Login Sessions page, the Terminate Session action is not available.
On the Troubleshooting Utilities menu, Top is removed.
In the Add User and Edit User dialogs, conference and chairperson passcodes are obscured.
After Maximum security is enabled, management interface users must change their passwords.
If the system is not integrated with Active Directory, each local user can have only one assigned role (Administrator, Provisioner, or Auditor).
If some local users have multiple roles when you enable Maximum security, they retain only the highest-ranking role (Administrator > Auditor > Provisioner).
If the system is integrated with Microsoft Active Directory, only one local user can have the Administrator role, and no local users can have the Provisioner or Auditor role.
If there are multiple local administrators when you enable Maximum security, the system prompts you to choose one local user to retain the Administrator role. All other local users, if any, become conferencing users only and can’t log into the management interface.
Each enterprise user can have only one assigned role (Administrator, Provisioner, or Auditor). If some enterprise users have multiple roles (or inherit multiple roles from their group memberships), they retain only the lowest-ranking role (Administrator > Auditor > Provisioner).
Local user passwords have stricter limits and constraints (each is set to the noted default if below that level when you enable Maximum security):
Minimum length is 15-30 characters (default is 15).
Must contain 1 or 2 (default is 2) of each character type: uppercase alpha, lowercase alpha, numeric, and non-alphanumeric (special).
Maximum number of consecutive repeated characters is 1-4 (default is 2).
Number of previous passwords that a user may not re-use is 8-16 (default is 10).
Minimum number of characters that must be changed from the previous password is 1-4 (default is 4).
Password may not contain the user name or its reverse.
Maximum password age is 30-180 days (default is 60).
Minimum password age is 1-30 days (default is 1).
Other configuration settings have stricter limits and constraints (each is set to the noted default if below that level when you enable Maximum security):
Session configuration limits:
Sessions per system is 4-80 (default is 40).
Sessions per user is 1-10 (default is 5).
Session timeout is 5-60 minutes (default is 10).
Local account configuration limits:
Local user account is locked after 2-10 failed logins (default is 3) due to invalid password within 1-24 hours (default is 1).
Locked account remains locked either until unlocked by an administrator (the default) or for a duration of 1-480 minutes.
Non-conference participants can’t be permitted to register for conference events.
Software build information is not displayed anywhere in the interface.
You can’t restore a backup made before Maximum security was enabled.
The RealPresence DMA system, Virtual Edition, does not support Maximum Security Mode.
If you’re using the Mozilla Firefox browser, you need to configure it to support TLS version 1.1 so that it can function correctly with a RealPresence DMA system configured for Maximum Security Mode.
File uploads may fail when using the Mozilla Firefox browser unless the proper steps have been taken. See below.
Enabling File Uploads in Maximum Security with Mozilla Firefox
The Mozilla Firefox browser uses its own certificate database instead of the certificate database of the OS. If you use only that browser to access the Polycom RealPresence DMA system, the certificate(s) needed to securely connect to the system may be only in the Firefox certificate database and not in the Windows certificate store. This causes a problem for file uploads.
File upload via the Polycom RealPresence DMA system’s Flash-based interface bypasses the browser and creates the TLS/SSL connection itself. Because of that, it uses the Windows certificate store, not the Firefox certificate database. If the certificate(s) establishing trust aren’t there, the file upload silently fails.
To avoid this problem, you must import the needed certificates into Internet Explorer (and thus into the Windows certificate store). And, when accessing the system with Firefox, you must use its fully qualified host name.
First, start Internet Explorer and point it to the Polycom RealPresence DMA system. If you don’t receive a security warning, the needed certificates are already in the Windows certificate store.
If you receive a warning, import the needed certificates. The details for doing so depend on the version of Internet Explorer and on your enterprise’s implementation of certificates. In Internet Explorer 7, elect to continue to the site. Then click Certificate Error to the right of the address bar and click View Certificates to open the Certificate dialog. From there, you can access the Certificate Import Wizard.
The entire trust chain must be imported (the system’s signed certificate, intermediate certificates, if any, and the root CA’s certificate). When importing a certificate, let Internet Explorer automatically select a certificate store.
See also:
System Security
Security Certificates Overview
Certificate Settings
Security Settings
Reset System Passwords
Login Policy Settings
The following pages, under Admin > Login Policy Settings, let you configure various aspects of user access to the system:
Local Password
Session
Local User Account
Banner
Access Policy Settings
See also:
System Security
Certificate Settings
Security Settings
Reset System Passwords
Local Password
The Local Password page lets you increase system security by specifying age, length, and complexity requirements for the passwords of local administrator, auditor, and provisioner users. These rules don’t apply to conferencing users’ conference and chairperson passcodes, or to Active Directory users.
The following table describes the fields on the Local Password page.
Field Description
Password Management
Maximum password age (days) Specify at what age a password expires (30-180 days).
Minimum password age (days) Specify how frequently a password can be changed (1-30 days).
Minimum length Specify the number of characters a password must contain (8-30).
Minimum changed characters Specify the number of characters that must be different from the previous password (1-4).
Reject previous passwords Specify how many of the user’s previous passwords the system remembers and won’t permit to be reused (8-30).
Password Complexity
Allow user name or its reverse form
Turns off the protection against a password containing the user’s login name or its reverse.
Lowercase letters Specify the number of lowercase letters (a-z) that a password must contain.
Uppercase letters Specify the number of uppercase letters (A-Z) that a password must contain.
Numbers Specify the number of digit characters (0-9) that a password must contain.
Special characters Specify the number of non-alphanumeric keyboard characters that a password must contain.
Maximum consecutive repeated characters
Specify how many sequential characters may be the same.
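To see how the Local Password fields interact, the following added example (not Polycom code, and not the system's actual algorithm) evaluates a candidate password against a policy whose defaults are the Maximum security defaults listed earlier. Its assumptions: "changed characters" is counted position by position, the user-name check ignores case, special characters are the ASCII punctuation set, and password history is kept as salted PBKDF2 digests.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class LocalPasswordPolicy:
    """Fields of the Local Password page; defaults are the Maximum security defaults."""
    min_length: int = 15
    min_lower: int = 2
    min_upper: int = 2
    min_digits: int = 2
    min_special: int = 2
    max_repeat: int = 2            # Maximum consecutive repeated characters
    min_changed: int = 4           # Minimum changed characters
    reject_previous: int = 10      # Reject previous passwords
    allow_username: bool = False   # Allow user name or its reverse form


def remember(password, salt=None):
    """Return a (salt, digest) history record so old passwords are never kept in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _changed(old, new):
    """Assumed metric: positions whose character differs, plus any difference in length."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def violations(policy, username, candidate, current=None, history=()):
    """Return the names of the rules that `candidate` breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("length")
    classes = [
        ("lowercase", string.ascii_lowercase, policy.min_lower),
        ("uppercase", string.ascii_uppercase, policy.min_upper),
        ("digits", string.digits, policy.min_digits),
        ("special", string.punctuation, policy.min_special),
    ]
    for name, alphabet, needed in classes:
        if sum(c in alphabet for c in candidate) < needed:
            problems.append(name)
    # Longest run of one repeated character, e.g. "ooo" is a run of 3.
    longest_run = max((len(list(group)) for _, group in groupby(candidate)), default=0)
    if longest_run > policy.max_repeat:
        problems.append("repeated")
    if not policy.allow_username and username:
        folded, user = candidate.lower(), username.lower()
        if user in folded or user[::-1] in folded:
            problems.append("username")
    # The old password is only available in clear at change time, when the user types it.
    if current is not None and _changed(current, candidate) < policy.min_changed:
        problems.append("changed")
    recent = list(history)[-policy.reject_previous:] if policy.reject_previous else []
    for salt, digest in recent:
        if hmac.compare_digest(remember(candidate, salt)[1], digest):
            problems.append("reused")
            break
    return problems


if __name__ == "__main__":
    policy = LocalPasswordPolicy()
    # Constructed sample values.
    for pw in ("short1!A", "Tr1cky#Hooorse9!mQ", "Tr1cky#Horse9!mQ"):
        print(pw, violations(policy, "jsmith", pw))
```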
See also:
System Security
Login Policy Settings
Session
The Session page lets you increase system security by limiting the number and length of login sessions.
You can see the current login sessions and terminate sessions by going to User > Login Sessions. See Login Sessions.
The following table describes the fields on the Session page.
Field Description
Active system sessions Specify the number of simultaneous login sessions by all users or select Unlimited.
Note: If this limit is reached, but none of the logged-in users is an Administrator, the first Administrator user to arrive is granted access, and the system terminates the non-Administrator session that’s been idle the longest.
Active sessions per user Specify the number of simultaneous login sessions per user ID or select Unlimited.
Session timeout (minutes) Specify the length of time after which the system terminates a session for inactivity or select Unlimited.
See also:
System Security
Login Policy Settings
Local User Account
The Local User Account page lets you increase system security by:
Locking out users who have exceeded the specified number and frequency of login failures. The system locks the account either indefinitely or for the length of time you specify.
Disabling accounts that have been inactive a specified number of days.
The following table describes the fields on the Local User Account page.
Field Description
Account Lockout
Enable account lockout Turns on lockout feature and enables lockout configuration fields below.
Failed login threshold Specify how many consecutive login failures cause the system to lock an account.
Failed login window (hours) Specify the time span within which the consecutive failures must occur in order to lock the account.
Customize user account lockout duration (minutes)
If selected, specify how long the user’s account remains locked. If not selected, the lockout is indefinite, and a user with a locked account must contact an Administrator to unlock it.
Account Inactivity
Customize account inactivity threshold (days)
Turns on disabling of inactive accounts and lets you specify the inactivity threshold that triggers disabling.
See also:
System Security
Login Policy Settings
Banner
A login banner is a message that appears when users attempt to access the system. They must acknowledge the message before they can log in.
The Banner page lets you enable the banner and select or create the message it displays. The message may contain up to 1500 characters. If the system is in Maximum Security mode, the login banner is enabled and can’t be disabled.
The following table describes the fields on the Banner page.
Field Description
Enable login banner Enables the display of a login banner.
If this box is unchecked, the Message field is disabled. The existing contents, if any, remain unchanged, but aren’t displayed to users.
Message Select one of the messages from the list, or select Custom and type or paste your own message into the field below.
If you select one of the built-in samples, it’s copied into the Message field, and you can then edit the copy. When you do so, the system resets the list to Custom.
Your edits don’t affect the stored sample. You can revert to the original version of the sample by re-selecting it from the list.
See also:
System Security
Login Policy Settings
Access Policy Settings
The Access Policy Settings page lets you increase system security by restricting access to the management and operations interface and APIs (port 8443) and to SNMP (by default, port 161) to a whitelist of authorized IP addresses or address ranges.
If enabled, the whitelist restrictions take effect as soon as the update operation is completed. If you enable the whitelist and click Update while logged in from an IP address that’s not included in the whitelist, the system warns you that you won’t be able to access the system and asks you to confirm the update.
The whitelist settings apply to all clusters in a supercluster. When you join a cluster to a supercluster, the cluster’s settings are replaced by those from the supercluster.
The following table describes the fields on the Access Policy Settings page.
Field Description
Accept management connections from these IP addresses and address ranges on ports 8443 (GUI/API) and 161 (SNMP)
Enables the input field below and restricts management access to the IP addresses or address ranges added to the list.
If this box is unchecked, the list and input field are disabled. The existing contents of the list, if any, remain unchanged so that it can be re-enabled at any time without having to re-enter the addresses.
Note: The label changes to reflect the currently configured SNMP port (see Configure SNMP). Port 161 is the default.
(list) Lists the IP addresses and address ranges authorized for management access. Select an entry and click Delete to remove it from the list.
(input field) Enter an IP address or address range and click Add. Enter a range as valid starting and ending IP addresses separated by a dash. For example:
(IPv4) 10.33.33.0 - 10.33.34.255
(IPv6) ::1:fffe - ::2:1
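Because the whitelist takes effect as soon as you click Update, it is worth checking a planned list against the addresses your administrators and SNMP managers connect from before enabling it. The following is an added example, not part of the Polycom documentation or product: it parses entries in the dash-separated format shown above and reports which addresses would be shut out. The single address and the administrator addresses are constructed samples.

```python
import ipaddress


def parse_entry(text):
    """Parse 'address' or 'start - end' into an inclusive (start, end) pair."""
    parts = [part.strip() for part in text.split("-")]
    if len(parts) not in (1, 2) or not all(parts):
        raise ValueError(f"not an address or range: {text!r}")
    start = ipaddress.ip_address(parts[0])   # raises ValueError on a malformed address
    end = ipaddress.ip_address(parts[-1])
    if start.version != end.version:
        raise ValueError(f"range mixes IPv4 and IPv6: {text!r}")
    if start > end:
        raise ValueError(f"range start is above its end: {text!r}")
    return start, end


def is_allowed(entries, client):
    """True when `client` falls inside at least one whitelist entry."""
    addr = ipaddress.ip_address(client)
    for start, end in map(parse_entry, entries):
        # Compare only within one address family; IPv4 and IPv6 objects don't order.
        if addr.version == start.version and start <= addr <= end:
            return True
    return False


def locked_out(entries, client_addresses):
    """Return the client addresses that the whitelist would not cover."""
    return [client for client in client_addresses if not is_allowed(entries, client)]


# The two ranges are the manual's examples; the single address is a constructed sample.
WHITELIST = [
    "10.33.33.0 - 10.33.34.255",
    "::1:fffe - ::2:1",
    "192.0.2.44",
]

# Constructed sample: addresses that administrators and SNMP managers connect from.
ADMIN_SOURCES = ["10.33.34.7", "192.0.2.44", "::2:0", "10.33.35.1", "::2:2"]

if __name__ == "__main__":
    for client in locked_out(WHITELIST, ADMIN_SOURCES):
        print(f"{client} would lose access to ports 8443 and 161")
```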
See also:
System Security
Security Settings
The Consequences of Enabling Maximum Security Mode
Login Policy Settings
Reset System Passwords
Reset System Passwords
In an extremely high-security environment, security compliance policies may require that all passwords be changed at certain intervals, including operating system passwords.
The Reset System Passwords page is available only if the system is in maximum security mode. It lets you change these operating system passwords (such as the password for grub) to new, randomly-generated values. These are passwords for logins that aren’t possible on a secure system. Resetting these operating system passwords has no effect on authorized users of the management interface (Administrators, Auditors, and Provisioners) or conferencing users.
To reset system passwords
1 Make sure there are no calls or conferences on the system.
2 Go to Admin > Local Cluster > Reset System Passwords.
3 Click Reset Passwords.
The system warns you that active calls and conferences will be terminated and the system will restart, and asks you to confirm.
4 Click Yes.
The system informs you that the passwords have been reset and that you’re being logged out. Then it restarts. This takes several minutes.
5 Wait a few minutes to log back in.
See also:
System Security
Security Settings
The Consequences of Enabling Maximum Security Mode
Login Policy Settings
Access Policy Settings
Local Cluster Configuration
This section describes the following Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system configuration topics:
Network Settings
Time Settings
Licenses
Signaling Settings
Alerting Settings
Logging Settings
Local Cluster Configuration Procedures
Automatically Send Usage Data
These are cluster-specific settings that are not part of the data store shared across superclustered systems. See Introduction to the Polycom RealPresence DMA System.
If you’re performing the initial configuration of your Polycom RealPresence DMA system, study Polycom RealPresence DMA System Initial Configuration Summary before you continue.
Network Settings
The following table describes the fields on the Network Settings page. In the Appliance Edition, most of these values are normally set in the USB Configuration Utility during system installation and rarely need to be changed. In the Virtual Edition, some of these settings are provisioned automatically when the system is deployed with RealPresence Platform Director. See the Getting Started Guide and the Getting Started Guide for a Virtual Environment.
Caution: Network settings changes require a restart
Changing some network settings (host names, IP addresses, or domains) requires a system restart and terminates all active conferences.
If the system is using a CA-provided identity certificate, changing some network settings (host names or IP addresses) also requires you to update the certificate. (If the system is using a self-signed certificate, an updated one is automatically created.)
You can’t change these network settings while the system is part of a supercluster or integrated with a Polycom RealPresence Resource Manager system. You must first leave the supercluster or terminate the integration. If the cluster is responsible for any territories (as primary or backup), reassign those territories. After the change, rejoin the supercluster or Polycom RealPresence Resource Manager system. See Superclustering or RealPresence Resource Manager Integration.
Incorrect network information may make the system unusable and the management interface unreachable.
Caution: Configuring the RealPresence DMA system in a secure environment
The 802.1x LAN security settings can’t be configured in the USB Configuration Utility. In a highly secure network that requires 802.1x authentication, the Polycom RealPresence DMA system won’t be accessible until those settings are properly configured. To do so, follow the procedure for configuring the network settings using a laptop, as described in the Deployment Guide for Maximum Security Environments.
Note: Virtual host name not needed for single-server systems
This version of the Polycom RealPresence DMA system eliminates the need for virtual host name(s) and IP addresses in a single-server system or cluster. When a version 5.0 or earlier single-server RealPresence DMA system is upgraded to version 5.1 or later, the previous version's virtual host name(s) and IP addresses become the upgraded version's physical host name(s) and IP addresses, so accessing the system doesn't change.
(Exception: If only IPv6 is enabled, the system must have two addresses, so a single-server system must still have a virtual host name and IP address.)
Field Description
System IP type IP addressing supported (IPv4, IPv6, or both).
System server configuration Number of servers (1 or 2) in this cluster.
Caution: Once this is set to 2 server configuration, it can’t be changed back to 1 server configuration. To reconfigure a two-server system as two separate single-server systems, you must use the USB Configuration Utility. See the Polycom RealPresence DMA 7000 System Getting Started Guide.
System split network setting Specifies whether to combine or split the system’s management and signaling interfaces. If the same network will be used for both management (administrative access) and signaling, the signaling IP addresses and Shared Signaling Network Settings section below are not used.
Caution: Choose split networking only if you need to restrict access to the management interface and SNMP to users on an isolated “non-public” network separate from the enterprise network. Typically, this is the case only in high-security environments.
In most network environments, users accessing the management interface are on the same network as endpoints and other devices communicating with the RealPresence DMA system, and they use the same physical and virtual IP addresses and the same network interface.
To split the network configuration, you must use different gateways and subnets for management and signaling, and separate physical connections for the management and signaling networks (eth0 for management, eth2 for signaling). In a split network configuration, routing rules are necessary for proper routing of network traffic. See Routing Configuration Dialog.
If management and signaling traffic are combined on the same network (subnet), both use the same physical and virtual IP addresses and the same network interface.
If you aren’t sure whether split networking is appropriate, possible, or necessary for this installation, consult the appropriate IT staff or network administrator for your organization.
Server 1 Status, host name, and IP address(es) of the primary server. The IP type and network setting determine which of the IP fields in this section are enabled.
The management IP address is disabled if IPv4 boot protocol is set to DHCP.
Host names may contain only letters, numbers, and internal dashes (hyphens), and may not include a domain. The reserved values appserv* and dmamgk-* may not be used for host names.
The host name is combined with the domain name specified under General System Network Settings to form the fully qualified domain name (FQDN).
Server 2 Status, host name and IP address(es) of the secondary server. The fields in this section duplicate those in the Server 1 section and are enabled only in two-server configuration.
The management IP address is disabled if IPv4 boot protocol is set to DHCP.
Shared Management Network Settings
The settings in this section apply to the entire system (both servers in two-server configuration), whether management and signaling are combined or separate.
Virtual host name / IPv4 / IPv6 Virtual host name and IP address(es) for the system’s management (or combined) network interface.
For a one-server configuration, these fields are disabled. (Exception: If only IPv6 is enabled, the system must have two addresses, so a single-server system must still have a virtual host name and IP address.)
Host names may contain only letters, numbers, and internal dashes (hyphens), and may not include a domain. The reserved values appserv* and dmamgk-* may not be used for host names.
The host name is combined with the domain name specified under General System Network Settings to form the fully qualified domain name (FQDN).
Note: Specify all IPv4 addresses in dotted-decimal form and all IPv6 addresses in colon-hex form.
Subnet mask IPv4 network mask that defines the subnetwork of the system’s management or combined interface.
IPv6 prefix length IPv6 CIDR (Classless Inter-Domain Routing) prefix size value (the number of leading 1 bits in the routing prefix mask) that defines the subnetwork of the system’s management or combined interface.
IPv4 gateway IP address of the gateway server used to route network traffic outside the subnet.
Management Link
Name / Enable The name of the management network interface (eth0) is not editable, and it can’t be disabled. The eth0 interface corresponds with the GB1 jack on the server.
Auto-negotiation / Speed / Duplex Turn on Auto-negotiation or set Speed and Duplex manually.
Note: Auto-negotiation is required if your network is 1000Base-T. Don’t select 10000 unless you’re certain your hardware platform supports it.
Show Link Details Click to see details about link settings and information. This information may be useful to Polycom Global Services when troubleshooting a network issue.
LAN Security Settings Caution: In a network that requires 802.1x authentication for servers (this is rarely the case), incorrect settings in this section and, if applicable, lack of the proper certificate(s) can make the system unreachable. Recovering from this situation requires connecting a laptop to the system using a crossover cable in order to access it.
Enable 802.1x Enables the system to authenticate this network interface to the LAN.
Depending on the authentication method, the access credentials required may be either a user name and password (specified below) or a security certificate.
User name The user name with which the system may authenticate this interface.
Password / Confirm password The password for the user name entered above.
EAP Method The Extensible Authentication Protocol method used to establish trust with the authentication server (this is also known as the outer authentication protocol).
Protocol When a TLS tunnel is established with the authentication server, the protocol used within the tunnel (this is also known as the inner authentication protocol).
Shared Signaling Network Settings
The settings in this section are enabled only if management and signaling traffic are on separate networks. If so, they apply to the entire system (both servers in two-server configuration).
For a one-server configuration, the virtual host name and IP fields are disabled. (Exception: If only IPv6 is enabled, the system must have two addresses, so a single-server system must still have a virtual host name and IP address.)
The settings are the same as those in Shared Management Network Settings, except that under Signaling Link, the signaling network interface (eth2) can be disabled. This capability exists for debugging purposes.
The eth2 interface corresponds with the GB3 jack on the server. (The eth1 interface, which corresponds with the GB2 jack, is reserved for the private network connection between the two servers in a two-server cluster.)
General System Network Settings
The settings in this section apply to the entire system and aren’t specific to management or signaling.
DNS search domains One or more fully qualified domain names, separated by commas or spaces. The system domain you enter below is added automatically, so you need not enter it.
DNS 1 / DNS 2 / DNS 3 IP addresses of up to three domain name servers. At least one DNS server is required.
Your Polycom RealPresence DMA system must be accessible by its host name(s), not just its IP address(es), so you (or your DNS administrator) must create A and/or AAAA records for IPv4 and IPv6, respectively, as well as the corresponding PTR records, on your DNS server(s). A/AAAA records and PTR records that map each physical host name to the corresponding physical IP address and each virtual host name to the corresponding virtual IP address are mandatory, as are the corresponding PTR records that allow reverse DNS resolution of the system’s physical or virtual host name(s).
Domain The domain for the system. This is combined with the host name to form the fully qualified domain name (FQDN). For instance:
Host name: dma1
Domain: callservers.example.com
FQDN: dma1.callservers.example.com
Signaling DSCP The Differentiated Services Code Point value (0 - 63) to put in the DS field of IP packet headers on outbound packets associated with signaling traffic.
The DSCP value is used to classify packets for quality of service (QoS) purposes. If you’re not sure what value to use, leave the default of 0.
Management DSCP The Differentiated Services Code Point value (0 - 63) to put in the DS field of IP packet headers on outbound packets associated with management traffic (including communications to other clusters).
The DSCP value is used to classify packets for quality of service (QoS) purposes. If you’re not sure what value to use, leave the default of 0.
Default IPv6 gateway The IPv6 gateway’s address and the interface used to access it, generally eth0, specified as: <IPv6_address>%eth0
Default IPv4 gateway If management and signaling traffic are on separate networks, select which of the two networks’ gateway servers is the default.
Your choice depends on your network configuration and routing. Typically, unless all the endpoints, MCUs, and other devices that communicate with the system are on the same subnet, you’d select the signaling network.
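The host name rules and the mandatory A/AAAA and PTR records described in this table can be checked before the settings are applied. The following Python sketch is an added example, not Polycom code; the host name dma-vip, the addresses and the sample records are constructed, and the case-insensitive match on the reserved values is an assumption.

```python
import ipaddress
import re
import socket

# One DNS label: letters, digits and internal hyphens only (no dot, so no domain).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Reserved host name values listed in the table above: appserv* and dmamgk-*.
_RESERVED = ("appserv", "dmamgk-")


def host_name_problems(name):
    """Return the host-name rules that `name` breaks (empty list if it is valid)."""
    problems = []
    if "." in name:
        problems.append("must not include a domain")
    elif not _LABEL.match(name):
        problems.append("only letters, numbers and internal hyphens are allowed")
    # Assumption: the reserved values are matched case-insensitively, as DNS names are.
    if name.lower().startswith(_RESERVED):
        problems.append("reserved value (appserv* or dmamgk-*)")
    return problems


def forward_lookup(fqdn):
    """A/AAAA lookup through the system resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()


def reverse_lookup(ip):
    """PTR lookup through the system resolver; returns the name, or None if absent."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _addr(text):
    # Drop any %interface scope suffix before parsing.
    return ipaddress.ip_address(text.split("%")[0])


def check_dns(host, domain, expected_ips, forward=forward_lookup, reverse=reverse_lookup):
    """List missing or mismatched A/AAAA and PTR records for host.domain."""
    findings = [f"host name {host!r}: {p}" for p in host_name_problems(host)]
    fqdn = f"{host}.{domain}".lower()
    resolved = {_addr(a) for a in forward(fqdn)}
    for ip in expected_ips:
        addr = _addr(ip)
        rtype = "AAAA" if addr.version == 6 else "A"
        if addr not in resolved:
            findings.append(f"missing {rtype} record {fqdn} -> {addr}")
        ptr = reverse(str(addr))
        if ptr is None:
            findings.append(f"missing PTR record for {addr}")
        elif ptr.rstrip(".").lower() != fqdn:
            findings.append(f"PTR for {addr} is {ptr}, expected {fqdn}")
    return findings


# Constructed sample records (documentation address ranges) standing in for a DNS zone.
SAMPLE_FORWARD = {
    "dma1.callservers.example.com": {"192.0.2.10", "2001:db8::10"},
    "dma-vip.callservers.example.com": {"192.0.2.12"},
}
SAMPLE_PTR = {
    "192.0.2.10": "dma1.callservers.example.com.",
    "192.0.2.12": "dma1.callservers.example.com.",  # PTR points at the wrong name
}


def sample_report():
    """Run the checks against the constructed records instead of live DNS."""
    fwd = lambda name: SAMPLE_FORWARD.get(name, set())
    rev = SAMPLE_PTR.get
    domain = "callservers.example.com"
    return {
        "dma1": check_dns("dma1", domain, ["192.0.2.10", "2001:db8::10"], fwd, rev),
        "dma-vip": check_dns("dma-vip", domain, ["192.0.2.12"], fwd, rev),
    }


if __name__ == "__main__":
    for host, findings in sample_report().items():
        print(host, findings or "OK")
```

Calling check_dns without the forward and reverse arguments queries the system resolver, so it can be run from a workstation on the management network against the real physical and virtual host names.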
See also:
Local Cluster Configuration
Local Cluster Configuration Procedures
Routing Configuration Dialog
In the Network page’s action list, the Routing Configuration command opens the Routing Configuration dialog, where you can add or delete network routing rules (IPv4, IPv6, or both, depending on the System IP type setting on the Network page). The Show raw routing configuration button lets you view the operating system’s underlying routing configuration.
In a split network configuration, routing rules are necessary for proper routing of network traffic. In a combined network configuration, the operating system’s underlying routing configuration is likely sufficient unless you need a special rule or rules for your particular network. If you aren’t sure, consult the appropriate IT staff or network administrator for your organization.
Note: Route configuration applies to current network settings
You can only configure route settings that are valid for the currently applied settings in Admin > Local Cluster > Network Settings. If you need to change the network settings and routing configuration, make and apply the network settings changes first. Keep this in mind if you receive an error when attempting to change the routing configuration.
The following table describes the fields in the Routing Configuration dialog. If System IP type is set to IPv4 + IPv6, the dialog contains two essentially identical sections, one for each IP type. Each section contains the input fields listed below, a table showing the defined routing rules, and buttons for adding and deleting routes.
Host/Network The IP address of the destination network host or segment.
Prefix length The CIDR (Classless Inter-Domain Routing) prefix size value (the number of leading 1 bits in the routing prefix mask). This value, together with the Host/Network address, defines the subnet for this route.
For IPv4, a prefix length of 24 is equivalent to specifying a dotted-quad subnet mask of 255.255.255.0. A prefix length of 16 is equivalent to specifying a subnet mask of 255.255.0.0.
Interface In split network configuration, select the interface for this route.
Via IP address of router for this route. Optional, and only needed for non-default routers.
When you add a routing rule, it appears in the table below the input fields. Select a rule and click Delete selected route to delete it. Click Show raw routing configuration to display the operating system’s underlying routing configuration.
See also:
Network Settings
Time Settings
The following table describes the fields on the Time Settings page. These values are normally set in the USB Configuration Utility during system installation and rarely need to be changed. See the Getting Started Guide.
Caution: Time settings changes require a restart
Changing time settings requires a system restart and terminates all active conferences.
You can’t change the system’s time settings while it’s integrated with a Polycom RealPresence Resource Manager system or part of a supercluster. The integration must first be terminated or the cluster removed from the supercluster. See RealPresence Resource Manager Integration or Superclustering.
We strongly recommend specifying NTP servers.
Field Description
System time zone Time zone in which the system is located. We strongly recommend selecting the time zone of a specific geographic location (such as America/Denver), not one of the generic GMT offsets (such as GMT+07 POSIX).
If you really want to use a generic GMT offset (for instance, to prevent automatic daylight saving time adjustments), note that they use the Linux/Posix convention of specifying how many hours ahead of or behind local time GMT is. Thus, the generic equivalent of America/Denver (UTC-07:00) is GMT+07, not GMT-07.
Manually set system time We don’t recommend setting time and date manually.
NTP Servers Specify up to three time servers for maintaining system time (we recommend three). Enter IP addresses or fully qualified domain names.
See also:
Local Cluster Configuration
Local Cluster Configuration Procedures
Licenses
The Polycom RealPresence DMA system is licensed for the number of concurrent calls it can handle and optionally for API access. See License the Polycom RealPresence DMA System for more information about licensing.
Licenses for the Appliance Edition
The following table describes the fields on the Licenses page when using the Appliance Edition of the RealPresence DMA system.
Field Description
Active License
Licensed calls The maximum number of concurrent calls that the license enables.
Licensed capabilities Currently, the only separately licensed capability is access to the RealPresence Platform API.
Note: An API license isn't required in order for a Polycom RealPresence Resource Manager system to access the API. It's only needed for a client application you or a third party develop.
Licensed capabilities The special features of the Polycom RealPresence DMA system that the license enables.
Activation Keys
A two-server cluster has two sets of the fields below, one for each server in the cluster.
System serial number The serial number of the specified server.
Activation key The activation key you received from Polycom for this server. The key for each server must be the correct one for that server’s serial number.
End User License Agreement
Status The state of acceptance of the EULA; if not accepted, this system is unable to make calls.
User The user who accepted the EULA.
Date accepted The GMT date and time of EULA acceptance.
Automatically send usage data Select to help improve this product by sending anonymous usage data to Polycom. See Automatically Send Usage Data for more information.
Licenses for the Virtual Edition
The following table describes the fields on the Licenses page when using the Virtual Edition of the RealPresence DMA system.
Field Description
Active License
Licensed calls The maximum number of concurrent calls that the license enables.
Licensed capabilities Currently, the only separately licensed capability is access to the RealPresence Platform API.
Note: An API license isn't required in order for a Polycom RealPresence Resource Manager system to access the API. It's only needed for a client application you or a third party develop.
DMA Host
Host name The host name of this VM instance, configurable on the Admin > Local Cluster > Network Settings page.
Host ID The VMware UUID of this VM instance.
License version The version of the installed license.
Licensing Server
License server address The read-only address of the primary licensing server.
Note: This field is automatically provisioned by RealPresence Platform Director.
Backup server address The read-only IP address or domain name of the secondary license server.
Note: This information is automatically provisioned by RealPresence Platform Director.
Port The port used for communication with the licensing server(s). The default port is 3333.
Last successful connection The licensing server that the system last communicated with, followed by the time of the last communication.
End User License Agreement
Status The state of acceptance of the EULA; if not accepted, this system is unable to make calls.
User The user who accepted the EULA.
Date accepted The GMT date and time of EULA acceptance.
Automatically send usage data Select to help improve this product by sending anonymous usage data to Polycom. See Automatically Send Usage Data for more information.
See also:
Local Cluster Configuration
Local Cluster Configuration Procedures
Signaling Settings
On the Signaling Settings page, you can configure H.323 and SIP signaling.
Note: Supercluster-wide signaling settings
Although these are cluster-specific settings that are not part of the data store shared across superclustered systems, we strongly recommend that all signaling settings be the same across all clusters in a supercluster.
The settings for untrusted SIP call handling (“unauthorized” or “guest” calls) must be the same across all clusters in a supercluster.
H.323 and SIP Signaling
If H.323 signaling is enabled, the Polycom RealPresence DMA system’s Call Server operates as a gatekeeper, receiving registration requests and calls from H.323 devices. If SIP signaling is enabled, Call Server operates as a SIP registrar and proxy server, receiving registration requests and calls from SIP devices. If both are enabled, the system automatically serves as a SIP <–> H.323 gateway.
As a best practice, we recommend configuring your video conferencing network in such a way as to avoid using the RealPresence DMA system as a SIP <--> H.323 gateway.
Either H.323, SIP, or both must be enabled in order for the RealPresence DMA system’s Conference Manager to receive calls for multipoint conferences (virtual meeting rooms, or VMRs) and distribute them among its pool of MCUs.
On this page, you can also:
• Turn on H.235 authentication for H.323 devices.
• Turn on SIP digest authentication for SIP devices.
• Click a Device authentication settings link to go to the Device Authentication page, where you can configure SIP device authentication and maintain the inbound device authentication list for both H.323 and SIP devices (see Device Authentication).
Note: Authentication for specific devices
You can turn authentication off and on for specific devices (assuming that it’s turned on here for that device type). See Edit Device Dialog.
• Configure specific ports or prefixes for untrusted (“unauthorized” or “guest”) SIP calls that can only access specific resources (VMRs, VEQs, or a SIP peer).
H.323 Device Authentication
In an environment where H.235 authentication is used, H.323 devices include their credentials (name and password) in registration and signaling (RAS) requests. The Polycom RealPresence DMA system authenticates requests as follows:
• If it’s a signaling request (ARQ, BRQ, DRQ) from an unregistered endpoint, the Call Server doesn’t authenticate the credentials.
• Otherwise, if the request is from an endpoint and the Polycom RealPresence DMA system is integrated with a Polycom RealPresence Resource Manager system, the Call Server attempts to authenticate the endpoint’s credentials with the RealPresence Resource Manager system.
• If it can’t authenticate with the RealPresence Resource Manager system, or if the request is from an MCU or neighbor gatekeeper, the Call Server attempts to authenticate using its device authentication list.
• If it’s a signaling request from a registered endpoint, or if the request is from an MCU or neighbor gatekeeper, the Call Server attempts to authenticate using its device authentication list (see Device Authentication).
If the credentials can’t be authenticated, the Call Server rejects the registration or signaling request. For call signaling requests, it also rejects the request if the credentials differ from those with which the device registered.
SIP Device Authentication
The SIP digest authentication mechanism is described in RFC 3261, starting in section 22, and in RFC 2617, section 3. When a SIP endpoint registers with or calls the Polycom RealPresence DMA system, if the request includes authentication information, that information is checked against the Call Server’s local device authentication list (see Device Authentication).
SIP authentication can be enabled at the port/transport level or (for “unauthorized” access prefixes) the prefix level.
If SIP authentication is enabled and an endpoint’s request doesn’t include authentication information, the Call Server responds with an authentication challenge containing the required fields (see the RFCs). If the endpoint responds with valid authentication information, the system accepts the registration or call.
Note: SIP device authentication
If inbound SIP authentication is turned on for a port or prefix, the Polycom RealPresence DMA system challenges any SIP message coming to the system via that port or with that prefix. Any SIP peer and other device that interacts with the system by those means must be configured to authenticate itself, or you must turn off Device authentication for that specific device. See Edit Device Dialog.
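The challenge and response exchange described in this section, following RFC 2617 section 3, can be traced with the Python sketch below. It is an added example, not Polycom code; the realm, device name, password and URIs are constructed, and the registrar class is a simplified model of a server that checks credentials against a local device authentication list.

```python
import hashlib
import hmac
import re
import secrets

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 section 3.2.2 request-digest for algorithm=MD5."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # form used when the challenge has no qop


def parse_digest(value):
    """Parse 'Digest k="v", k2=v2' into a dict keyed by lower-cased parameter name."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header value")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


class Registrar:
    """Server side: challenge requests without valid credentials, accept valid ones."""

    def __init__(self, realm, device_list, status=401):
        self.realm = realm
        self.device_list = device_list  # {user name: password}
        self.status = status            # 401 (Unauthorized) or 407 (Proxy Authentication Required)
        self.nonces = set()             # simplification: nonces never expire, nc is not tracked

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        name = {401: "WWW-Authenticate", 407: "Proxy-Authenticate"}[self.status]
        return self.status, (f'{name}: Digest realm="{self.realm}", nonce="{nonce}", '
                             f'algorithm=MD5, qop="auth"')

    def handle(self, method, credentials=None):
        """Return (200, None) for valid credentials, else (status, challenge header)."""
        if credentials and self._valid(method, credentials):
            return 200, None
        return self.challenge()

    def _valid(self, method, credentials):
        try:
            p = parse_digest(credentials)
        except ValueError:
            return False
        password = self.device_list.get(p.get("username"))
        if password is None or p.get("realm") != self.realm or p.get("nonce") not in self.nonces:
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p.get("uri", ""), p["nonce"],
                                   p.get("qop"), p.get("nc"), p.get("cnonce"))
        # Constant-time comparison of the expected and received digests.
        return hmac.compare_digest(expected.encode(), p.get("response", "").encode())


def build_credentials(username, password, method, uri, challenge_header, nc="00000001"):
    """Client side: the value for Authorization (after 401) or Proxy-Authorization (after 407)."""
    p = parse_digest(challenge_header.split(":", 1)[1])
    cnonce = secrets.token_hex(8)
    response = digest_response(username, p["realm"], password, method, uri,
                               p["nonce"], "auth", nc, cnonce)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", response="{response}", algorithm=MD5, '
            f'cnonce="{cnonce}", qop=auth, nc={nc}')


def demo():
    """REGISTER without credentials, then with the right and with a wrong password."""
    # Constructed device authentication list and realm.
    registrar = Registrar("dma.example.com", {"room-101": "constructed-secret"})
    uri = "sip:callservers.example.com"
    first_status, header = registrar.handle("REGISTER")
    good = build_credentials("room-101", "constructed-secret", "REGISTER", uri, header)
    bad = build_credentials("room-101", "wrong-password", "REGISTER", uri, header)
    return first_status, registrar.handle("REGISTER", good)[0], registrar.handle("REGISTER", bad)[0]


if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the wire, but the rest of the SIP message is protected only when the exchange runs over TLS.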
Untrusted SIP Call Handling Configuration
You can configure special handling for SIP calls from devices outside the corporate firewall that aren’t registered with the Polycom RealPresence DMA system and aren’t from a federated division or enterprise. These calls come to the RealPresence DMA system via SIP session border controllers (SBCs) such as a Polycom RealPresence Access Director or Acme Packet Session Border Controller device (which are configured as SIP peers in the RealPresence DMA system; see External SIP Peer).
You can route such untrusted (“unauthorized” or “guest”) calls by creating a separate set of “guest” dial rules used only for these untrusted calls. See Dial Rules.
Depending on the SIP SBC and how it’s configured, such calls can be distinguished in one of two ways:
• By port: The SBC routes untrusted calls to a specific port.
• By prefix: The SBC adds a specific prefix in the Request-URI of the first INVITE message for the call.
The RealPresence Access Director SBC supports only the prefix method. The Acme Packet Session Border Controller SBC can be configured for either.
In the SIP Settings section of the page, you can add one or more ports, prefixes, or both for untrusted calls. For each entry, you can specify whether authentication is required. Calls to an untrusted call prefix follow the authentication setting for that prefix, not for the port on which they’re received. For port entries, you can also specify the transport, and if TLS, whether certificate validation is required (mutual TLS).
Note: Require certificate validations for TLS
If the “Unlock SIP Settings mutual authentication option on the Signaling Settings page” option is unchecked on the Security Settings page, then Require mutual authentication (validation of client certificates) is turned on for both authorized and unauthorized ports, and it can’t be turned off. See Security Settings.
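The precedence described above (a matching guest prefix decides the authentication setting, not the port the call arrived on) is easy to get wrong when reviewing a configuration. The Python sketch below is an added example that models it, not Polycom code; the data classes, port numbers, prefixes and URIs are hypothetical, and it assumes the SBC places the prefix at the start of the Request-URI user part and that the longest matching prefix wins.

```python
import re
from dataclasses import dataclass

# Authentication setting of a guest entry -> what happens to the call.
ACTION = {"None": "pass", "Authentication": "challenge", "Block": "block"}
_URI = re.compile(r"^(sips?):([^@;]+)@(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class GuestPort:
    port: int
    transport: str            # "TCP", "UDP/TCP" or "TLS"
    authentication: str       # "None", "Authentication" or "Block"
    mutual_tls: bool = False  # Require mutual authentication (TLS only)


@dataclass(frozen=True)
class GuestPrefix:
    prefix: str
    strip: bool               # Strip prefix
    authentication: str       # "None", "Authentication" or "Block"


def classify_invite(request_uri, local_port, guest_ports, guest_prefixes):
    """Decide how the first INVITE of a call is treated."""
    m = _URI.match(request_uri)
    user = m.group(2) if m else ""
    # A matching prefix is evaluated first, so its setting overrides the port's.
    hits = [p for p in guest_prefixes if p.prefix and user.startswith(p.prefix)]
    if hits:
        hit = max(hits, key=lambda p: len(p.prefix))  # assumption: longest prefix wins
        uri = request_uri
        if hit.strip:
            uri = f"{m.group(1)}:{user[len(hit.prefix):]}@{m.group(3)}"
        return {"dial_rules": "guest", "matched": f"prefix {hit.prefix}",
                "action": ACTION[hit.authentication], "request_uri": uri}
    for gp in guest_ports:
        if gp.port == local_port:
            return {"dial_rules": "guest", "matched": f"port {gp.port}",
                    "action": ACTION[gp.authentication], "request_uri": request_uri}
    # Authorized port and no guest prefix: normal dial rules apply; authentication
    # follows the authorized port's own setting, which is not modelled here.
    return {"dial_rules": "standard", "matched": "authorized port",
            "action": None, "request_uri": request_uri}


def review(guest_ports, guest_prefixes):
    """List guest entries an administrator should double-check."""
    notes = []
    for gp in guest_ports:
        if gp.authentication == "Block":
            continue
        if gp.authentication == "None":
            notes.append(f"port {gp.port}: untrusted calls pass without challenge")
        if gp.transport != "TLS":
            notes.append(f"port {gp.port}: unencrypted transport ({gp.transport})")
        elif not gp.mutual_tls:
            notes.append(f"port {gp.port}: TLS without client certificate validation")
    for px in guest_prefixes:
        if px.authentication == "None":
            notes.append(f"prefix {px.prefix}: untrusted calls pass without challenge")
    return notes


# Constructed sample configuration (ports, prefixes and URIs are made up).
PORTS = [GuestPort(5070, "TLS", "Authentication", mutual_tls=True),
         GuestPort(5080, "UDP/TCP", "None")]
PREFIXES = [GuestPrefix("77", strip=True, authentication="Block"),
            GuestPrefix("88", strip=False, authentication="Authentication")]

if __name__ == "__main__":
    host = "dma1.callservers.example.com"
    for uri, port in [(f"sip:881234@{host}", 5080), (f"sip:771234@{host}", 5061),
                      (f"sip:1234@{host}", 5080), (f"sip:1234@{host}", 5061)]:
        print(port, uri, classify_invite(uri, port, PORTS, PREFIXES))
    print(review(PORTS, PREFIXES))
```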
Signaling Settings Fields
The following table describes the fields on the Signaling Settings page.
Field Description
H.323 Settings
Enable H.323 signaling Enables the system to receive H.323 calls.
Caution: Disabling H.323 terminates any existing H.323 calls. When you click Update, the system prompts you to confirm.
Status Indicates whether the system’s H.323 gatekeeper functions are active.
H.225 port Specifies the port number the system’s gatekeeper uses for call signaling.
We recommend using the default port number (1720), but you can use the same value as the RAS port or any other value from 1024 to 65535 that’s not already in use.
RAS port Specifies the port number the system’s gatekeeper uses for RAS (Registration, Admission and Status).
We recommend using the default port number (1719), but you can use the same value as the H.225 port or any other value from 1024 to 65535 that’s not already in use.
H.245 open firewall ports Shows the port range used for H.245 so you can configure your firewall accordingly. This is display only.
H.323 multicast Enables the system to support gatekeeper discovery (GRQ messages from endpoints) as described in the H.323 and H.225.0 specifications.
Enable H.323 device authentication Check the box to turn on H.323 device authentication.
Click Device authentication settings to go to the Device Authentication page and add authentication credentials (see Device Authentication).
SIP Settings
Enable SIP signaling Enables the system to receive Session Initiation Protocol (SIP) calls.
Caution: Disabling SIP terminates any existing SIP calls. When you click Update, the system prompts you to confirm.
Enable ANAT support Configures the system to pass through Alternative Network Address Types (ANAT) signaling (RFC 4091 and RFC 4092) in the Session Description Protocol (SDP) for the purpose of negotiating IP version in a dual-stack (IPv4 + IPv6) environment.
Authorized ports
Unencrypted SIP port To permit unencrypted SIP connections, select either TCP or UDP/TCP from the list. Select None to disallow unencrypted SIP connections.
We recommend using the default port number (5060), but you can use any value from 1024 to 65535 that’s not already in use and is different from the TLS port and from any “unauthorized” or “guest” ports that your SBC(s) may be configured to use for calls to the system.
Enable authentication Check the box to turn on SIP device authentication for unencrypted SIP.
Click the Device authentication settings link to go to the Device Authentication page to configure SIP device authentication and add device authentication credentials (see Device Authentication). The settings on that page determine:
• The realm used for authentication.
• Whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
TLS port Specifies the port number the system uses for TLS.
We recommend using the default port number (5061), but you can use any value from 1024 to 65535 that’s not already in use and is different from the UDP/TCP port and from any “unauthorized” or “guest” ports that your SBC(s) may be configured to use for calls to the system.
If SIP signaling is enabled, TLS is automatically supported. Unless unencrypted SIP connections are specifically permitted, TLS must be used.
Enable authentication Check the box to turn on SIP device authentication for encrypted SIP.
Click the Device authentication settings link to go to the Device Authentication page to configure SIP device authentication and add device authentication credentials (see Device Authentication). The settings on that page determine:
• The realm used for authentication.
• Whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
Require mutual authentication (validation of client certificates) Check the box to enable mutual TLS, requiring each caller to present a valid certificate.
Note: This setting is enabled and locked if the “Unlock SIP Settings mutual authentication option on the Signaling Settings page” option is unchecked on the Security Settings page. See Security Settings.
Unauthorized ports Lists the ports used by your SBC(s) for untrusted calls, showing the transport type for each and, for TLS, whether a certificate is required. The Authentication column indicates whether calls to that port are passed without challenge, challenged for authentication credentials, or blocked.
Click Add to add a port to the list (see Add Guest Port Dialog). Click Edit to edit the selected entry (see Edit Guest Port Dialog) or Delete to delete it.
Unauthorized prefixes Lists the prefixes used by your SBC(s) for untrusted calls. The Strip Prefix column indicates whether the RealPresence DMA system should immediately strip the prefix. The Authentication column indicates whether calls to that port are passed without challenge, challenged for authentication credentials, or blocked.
Click Add to add a prefix to the list (see Add Guest Prefix Dialog). Click Edit to edit the selected entry (see Edit Guest Prefix Dialog) or Delete to delete it.
See also:
Local Cluster Configuration
Local Cluster Configuration Procedures
Add Guest Port Dialog
The Add Guest Port dialog appears when you click the Add button next to the Unauthorized ports list in the SIP Settings section of the Signaling Settings page. It lets you add a port to the list of ports used for “unauthorized” or “guest” calls.
The following table describes the fields in the Add Guest Port dialog.
Field Description
Port The SIP signaling port number for this entry.
This is the port number that an SBC is configured to use for untrusted calls to the RealPresence DMA system via the transport specified below.
Transport To use this guest port for unencrypted SIP connections, select either TCP or UDP/TCP from the list. To use this port for encrypted SIP connections, select TLS.
Require mutual authentication (validation of client certificates) For TLS transport, check this box to enable mutual TLS, requiring callers to present a valid certificate.
Note: This setting is enabled and locked if the “Unlock SIP Settings mutual authentication option on the Signaling Settings page” option is unchecked on the Security Settings page. See Security Settings.
Authentication Select one of the following:
• None: The system doesn’t issue authentication challenges or check authentication credentials for calls to this port.
• Authentication: The system issues authentication challenges and checks authentication credentials for calls to this port. The settings on the Device Authentication page (see Device Authentication) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block: The system blocks calls to this port.
See also:
Signaling Settings
Local Cluster Configuration Procedures
Edit Guest Port Dialog
The Edit Guest Port dialog lets you edit an Unauthorized ports list entry in the SIP Settings section of the Signaling Settings page.
The following table describes the fields in the Edit Guest Port dialog.
Field Description
Port The SIP signaling port number for this entry.
This is the port number that an SBC is configured to use for untrusted calls to the RealPresence DMA system via the transport specified below.
Transport To use this guest port for unencrypted SIP connections, select either TCP or UDP/TCP from the list. To use this port for encrypted SIP connections, select TLS.
Require mutual authentication (validation of client certificates) For TLS transport, check this box to enable mutual TLS, requiring callers to present a valid certificate.
Note: This setting is enabled and locked if the “Unlock SIP Settings mutual authentication option on the Signaling Settings page” option is unchecked on the Security Settings page. See Security Settings.
Authentication Select one of the following:
• None: The system doesn’t issue authentication challenges or check authentication credentials for calls to this port.
• Authentication: The system issues authentication challenges and checks authentication credentials for calls to this port. The settings on the Device Authentication page (see Device Authentication) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block: The system blocks calls to this port.
See also:
Signaling Settings
Local Cluster Configuration Procedures
Add Guest Prefix Dialog
The Add Guest Prefix dialog appears when you click the Add button next to the Unauthorized prefixes list in the SIP Settings section of the Signaling Settings page. It lets you add a prefix to the list of prefixes used for “unauthorized” or “guest” calls.
The following table describes the fields in the Add Guest Prefix dialog.
Field Description
Prefix The prefix number for this entry.
This is the number that an SBC is configured to add to the Request-URI of the first INVITE message for untrusted calls to the RealPresence DMA system.
Strip prefix Check this box to have the system immediately strip this prefix from the INVITE message.
Authentication Select one of the following:
• None — The system doesn’t issue authentication challenges or check authentication credentials for calls with this prefix.
• Authentication — The system issues authentication challenges and checks authentication credentials for calls with this prefix.
The settings on the Device Authentication page (see Device Authentication) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block — The system blocks calls with this prefix.
See also:
Signaling Settings
Local Cluster Configuration Procedures
Edit Guest Prefix Dialog
The Edit Guest Prefix dialog lets you edit an Unauthorized prefixes list entry in the SIP Settings section of the Signaling Settings page.
The following table describes the fields in the Edit Guest Prefix dialog.
Field Description
Prefix The prefix number for this entry.
This is the number that an SBC is configured to add to the Request-URI of the first INVITE message for untrusted calls to the RealPresence DMA system.
Strip prefix Check this box to have the system immediately strip this prefix from the INVITE message.
Authentication Select one of the following:
• None — The system doesn’t issue authentication challenges or check authentication credentials for calls with this prefix.
• Authentication — The system issues authentication challenges and checks authentication credentials for calls with this prefix.
The settings on the Device Authentication page (see Device Authentication) determine the realm used for authentication and whether the Call Server responds to unauthenticated requests with 401 (Unauthorized) or 407 (Proxy Authentication Required).
• Block — The system blocks calls with this prefix.
See also:
Signaling Settings
Local Cluster Configuration Procedures
Logging Settings
The following table describes the fields on the Logging Settings page.
Field Description
Logging level Leave the default, Debug, unless advised to change it by Polycom support. Production reduces system overhead and log file sizes, but omits information that’s useful for troubleshooting. Verbose debug is not recommended for production systems.
Rolling frequency If rolling the logs daily (the default) produces logs that are too large, shorten the interval.
Retention period (days) The number of days to keep log archives. For most systems, we recommend setting this to 7.
Local log forwarding Checking the Enable forwarding check box allows you to forward selected log entries to a central log management server (such as Graylog2). The log management server should be configured to accept log entries via UDP port 514. Specify:
• The address of the destination server. It must be running some version of syslog.
• The facility value. Default is Local0.
• The log or logs to forward. The source log file name is included in each of the forwarded messages.
Note: The RealPresence DMA system’s server.log entries are mapped to syslog-compliant severities (for example, a “warn” message from server.log arrives at the destination server with the syslog-compliant “warn” level, and an “info” message arrives with the “info” level). All other logs being forwarded are assigned the syslog-compliant “notice” severity.
Each log message is forwarded with the RealPresence DMA system’s timestamp intact. The receiving syslog adds its own timestamp, but preserving the RealPresence DMA-applied timestamp makes it easier to accurately troubleshoot time-sensitive events.
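A receiver-side sketch of the severity mapping described above, added here as an illustration (not Polycom code). It assumes the forwarded datagrams use the BSD syslog (RFC 3164) layout and that the source log file name appears as a token ending in .log; the sample lines, host names and the name other.log are constructed.

```python
import re

# Syslog severity names indexed by numeric value (0-7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
LOCAL0 = 16  # numeric code of the default facility, Local0

# Assumed layout (RFC 3164): <PRI>Mmm dd hh:mm:ss host message
_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# Assumption: the source log file name is a token ending in ".log".
_LOGNAME = re.compile(r"([\w.-]+\.log)\b")


def decode(line, expected_facility=LOCAL0):
    """Split one forwarded line into facility, severity, device time and source log."""
    m = _LINE.match(line)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("not an RFC 3164 syslog line")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    name = _LOGNAME.search(m.group(4))
    return {
        "facility": facility,
        "facility_ok": facility == expected_facility,
        "severity": SEVERITIES[severity],
        "device_time": m.group(2),   # timestamp applied by the sending system
        "host": m.group(3),
        "source_log": name.group(1) if name else None,
        "message": m.group(4),
    }


def bucket(entry):
    """Decide how the receiver should treat an entry.

    Only server.log entries carry a meaningful severity; every other
    forwarded log arrives as "notice", so a severity filter alone would
    hide errors recorded in those logs.
    """
    if not entry["facility_ok"]:
        return "unexpected_facility"
    if entry["source_log"] == "server.log":
        return "filter_by_severity"
    return "inspect_message_text"


def route(lines):
    """Group decoded entries by the bucket they fall into."""
    routed = {"filter_by_severity": [], "inspect_message_text": [],
              "unexpected_facility": []}
    for line in lines:
        entry = decode(line)
        routed[bucket(entry)].append(entry)
    return routed


# Constructed sample datagrams (not captured from a real system).
SAMPLE_LINES = [
    "<132>Dec  3 14:02:11 dma1 server.log: WARN example warning text",
    "<134>Dec  3 14:02:12 dma1 server.log: INFO example info text",
    "<133>Dec  3 14:02:12 dma1 other.log: ERROR example failure text",
    "<37>Dec  3 14:02:13 gw1 sshd: example line from another sender",
]

if __name__ == "__main__":
    for kind, entries in route(SAMPLE_LINES).items():
        for e in entries:
            print(kind, e["severity"], e["device_time"], e["source_log"])
```

The third sample line shows why severity-only alert rules on the log server are not enough: an error recorded in a log other than server.log still arrives as "notice".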
See also:
Licenses for the Appliance Edition
Alerting Settings
The Alerting Settings page allows you to configure thresholds for system alerts. Here, you can enable or disable certain alerts, and control when they will be triggered.
Note: SNMP and system alerts configuration
Since the triggering of SNMP alerts coincides with system alerts, configuration on this page applies to both system alerts and SNMP alerts.
The Threshold Value column on the right of the page lists the configurable value for each alert’s threshold. Use the arrows next to each field or enter a new number to change the default value. Click the Update button to save your changes, or the Select Defaults button to revert them (Select Defaults returns the values in all fields on this page to their factory defaults).
See the following table for descriptions of each alert’s condition.
Alert ID | Threshold Condition | Description
3103 | Days until server certificate expires is less than | Alert when there are only this many days until the system’s security certificate expires.
3105 | Days until CA certificate expires is less than | Alert when there are only this many days until the server’s CA-signed security certificate expires.
3401 | Percentage available disk space is less than | Alert when the percentage of free disk space available on the DMA system falls below this value.
3404 | Percentage log file usage is greater than | Alert when the percentage of the log file storage area used by log data is above this value.
3405 | Percentage CPU utilization is greater than | Alert when system CPU utilization is between this lower limit, and...
 | And percentage CPU utilization is less than or equal to | ...this upper limit.
3406 | Percentage CPU utilization is greater than | Alert when system CPU utilization is above this value.
5002 | Number of hyperactive, blacklisted endpoints is greater than | Alert when the number of registered endpoints that are blacklisted for sending too much H.323 traffic is above this value.
Local Cluster Configuration Procedures
This section describes the following Polycom RealPresence DMA 7000 system configuration procedures:
Add Licenses
Configure Signaling
Configure Logging
If you’re performing the initial configuration of your Polycom RealPresence DMA system, study Polycom
RealPresence DMA System Initial Configuration Summary before you continue. Other tasks are required
that are described elsewhere.
Add Licenses
You can add licenses to both Appliance Edition and Virtual Edition systems.
Add Licenses to the RealPresence DMA system, Appliance Edition
Adding licenses to your Polycom RealPresence DMA system, Appliance Edition, is a two-step process:
Request a software activation key code for each server.
Enter the activation key codes into the system.
The procedures below describe the process.
To request a software activation key code for each server
1 Log into the Polycom RealPresence DMA system as an administrator and go to Admin > Local Cluster > Licenses.
2 Record the serial number for each Polycom RealPresence DMA server:
Server A: ____________________________
Server B: ____________________________ (none for single-server system)
3 Go to http://www.polycom.com/activation.
4 If you don’t already have one, register for an account. Then log in.
5 Select Product Activation.
6 In the License Number field, enter the software license number listed on the first (or only) server’s License Certificate (shipped with the product).
7 In the Serial Number field, enter the first (or only) server’s serial number (which you recorded in step 2).
8 Click Generate.
9 When the activation key for the first (or only) server appears, record it:
Server A: __________-__________-_________-___________
10 If you have a single-server Polycom RealPresence DMA system, you’re finished with this procedure. Continue to the next procedure.
11 If you have a two-server cluster, repeat steps 6-8, this time entering the second license number you received and the second server’s serial number (also recorded in step 2).
Caution: Activation keys linked to the server serial number
An activation key is linked to a specific server’s serial number. For a two-server cluster, you must generate the activation key for each server using that server’s serial number. Licensing will fail if you generate both activation keys from the same server serial number.
12 When the activation key for the second server appears, record it:
Server B: __________-__________-_________-___________
To enter license activation key codes
1 Go to Admin > Local Cluster > Licenses.
2 In the Activation key field for the first (or only) server, enter the activation key code that was generated for that server’s serial number.
Caution: Activation keys linked to the server serial number
An activation key is linked to a specific server’s serial number. Each Activation Key field is labeled with a serial number. For a two-server cluster, make sure that the activation key code you enter for each server is the correct one for that server’s serial number.
3 If you have a two-server cluster, in the Activation key field for the second server, enter the activation key code that was generated for that server’s serial number.
4 Click Update.
A dialog informs you that the licenses have been updated.
5 Click OK.
Add Licenses to the RealPresence DMA system, Virtual Edition
The RealPresence DMA system, Virtual Edition, is deployed and licensed through Polycom RealPresence Platform Director. You can view the licensing information for your system from the RealPresence DMA system user interface on the Admin > Local Cluster > Licenses page.
See the RealPresence Platform Director System Administrator’s Guide for more information.
Note: Local cluster not supported with virtual edition
The RealPresence DMA Virtual Edition does not support a two-server local cluster configuration. However, superclustering of individual RealPresence DMA Virtual Edition instances is fully supported in a virtual environment.
See also:
Licenses
Configure Signaling
To configure signaling
1 Go to Admin > Local Cluster > Signaling Settings.
2 To make the system accessible via H.323 calls:
a Select Enable H.323 signaling.
b Leave the default port numbers (1720 for H.225, 1719 for RAS) unless you have a good reason
for changing them.
c Select H.323 multicast to support gatekeeper discovery messages from endpoints.
d To turn on H.235 authentication, select Enable H.323 device authentication.
Device authentication credentials must be added on the Inbound Authentication tab of the Device Authentication page. Click the Device authentication settings link to go directly there.
3 To make the system accessible via SIP calls:
a Select Enable SIP signaling.
b To enable pass-through of ANAT signaling (RFC 4091 and RFC 4092) in the Session Description
Protocol (SDP) for the purpose of negotiating IP version in a dual-stack (IPv4 + IPv6) environment, select Enable ANAT support.
c If the system’s security settings permit unencrypted SIP connections, optionally set Unencrypted
SIP port to TCP or UDP/TCP.
You must have the Administrator role to change security settings. See Security Settings.
Note: Understanding SIP communications
The system only answers UDP calls if that transport is enabled. But for communications back to the endpoint, it uses the transport protocol that the endpoint requested (provided that the transport is enabled, and for TCP, that unencrypted connections are permitted).
For more information about this and other aspects of SIP, see RFC 3261.
d Leave the default port numbers (5060 for TCP/UDP, 5061 for TLS) unless you have a good reason
for changing them.
e To turn on SIP digest authentication for either the unencrypted or TLS port, select the
corresponding Enable authentication check box.
Device authentication credentials must be added on the Inbound Authentication tab of the
Device Authentication page. Click the Device authentication settings link to go directly there.
f To enable mutual TLS, select Require mutual authentication (validation of client certificates).
4 To enable the system to receive untrusted calls (see Untrusted SIP Call Handling Configuration)
from SIP session border controllers (SBCs) configured to route such calls to special ports, do the following:
a Under Unauthorized ports, click Add.
The Add Guest Port dialog opens.
b Specify the port number, the transport, whether authentication is required, and for TLS, whether
certificate validation is required (mutual TLS). Click OK.
The new entry is added to the Unauthorized ports list.
c Repeat for each additional port on which to receive “unauthorized” or “guest” calls.
5 To enable the system to receive untrusted calls (see Untrusted SIP Call Handling Configuration)
from SIP session border controllers (SBCs) configured to add a specific prefix in the Request-URI of the INVITE message for such calls, do the following:
a Under Unauthorized prefixes, click Add.
The Add Guest Prefix dialog opens.
b Specify the prefix number, whether it should be stripped, and whether authentication is required.
Click OK.
The new entry is added to the Unauthorized prefixes list.
c Repeat for each additional prefix used for “unauthorized” or “guest” calls.
6 Click Update.
A dialog informs you that the configuration has been updated.
7 Click OK.
The system processes the configuration. The Status field shows the current H.323 signaling state.
8 If you enabled the system to receive “unauthorized” or “guest” calls, do the following:
a Go to Admin > Call Server > Dial Rules and click in the Dial rules for unauthorized calls list
to give it focus.
b Add one or more dial rules to be used for routing “unauthorized” or “guest” calls. See Dial Rules.
An unauthorized call rule can route calls to a conference room ID (virtual meeting room, or VMR), a virtual entry queue (VEQ), or a SIP peer.
Note: SIP URL dialing format
From SIP endpoints, users generally must dial (if a prefix is being used):
<prefix><VMR number>@<RealPresence DMA virtual host name or IP>
Depending on local DNS configuration, the host name could be the RealPresence DMA system’s FQDN or a shorter name that DNS can resolve.
For example, if the RealPresence DMA system’s virtual host name is dma-virt, the E.164 dial string prefix is 77, and the virtual meeting room number of the conference is 1001, SIP endpoint users dial:
771001@dma-virt
Depending on the network infrastructure and proxy server(s), it may be possible to use dial rules to enable numeric-only dialing (for instance, 771001) from SIP endpoints. Doing so is beyond the scope of this topic.
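The guest-port and guest-prefix handling described in the guest port and guest prefix dialogs and in steps 4, 5 and 8 above, modelled as an added example (not Polycom code). Longest-prefix matching, the strictest setting winning when a port entry and a prefix entry both match, and port 5071 are assumptions of this model; prefix 77 and the host dma-virt come from the dialing note.

```python
import re
from dataclasses import dataclass

# Authentication choices offered by the guest port and guest prefix dialogs,
# ordered from least to most restrictive.
STRICTNESS = {"None": 0, "Authentication": 1, "Block": 2}


@dataclass(frozen=True)
class GuestPrefix:
    prefix: str   # number the SBC adds to the Request-URI of the first INVITE
    strip: bool   # "Strip prefix" check box
    auth: str     # "None", "Authentication" or "Block"


@dataclass(frozen=True)
class GuestPort:
    port: int
    transport: str            # "TCP", "UDP/TCP" or "TLS"
    auth: str
    mutual_tls: bool = False  # "Require mutual authentication" (TLS only)


_REQUEST_LINE = re.compile(
    r"^INVITE\s+sips?:([^@;\s]+)@([^;\s]+)\S*\s+SIP/2\.0$", re.IGNORECASE)


def parse_invite(request_line):
    """Return (user, host) from the Request-URI of an INVITE request line."""
    m = _REQUEST_LINE.match(request_line.strip())
    if m is None:
        raise ValueError("not an INVITE request line with a user part")
    return m.group(1), m.group(2)


def classify(request_line, local_port, prefixes, ports,
             has_credentials=False, client_cert_valid=False, challenge_code=401):
    """Model how an incoming INVITE is treated under the guest settings."""
    user, _host = parse_invite(request_line)
    port_rule = next((p for p in ports if p.port == local_port), None)
    # Assumption: when several prefixes match, the longest one applies.
    prefix_rule = max((p for p in prefixes if user.startswith(p.prefix)),
                      key=lambda p: len(p.prefix), default=None)
    rules = [r for r in (port_rule, prefix_rule) if r is not None]
    result = {"guest": bool(rules), "action": "accept", "dial_string": user}
    if not rules:
        return result  # not a guest call: normal call handling applies
    if prefix_rule is not None and prefix_rule.strip:
        result["dial_string"] = user[len(prefix_rule.prefix):]
    # Assumption: if a port entry and a prefix entry both match, the stricter
    # Authentication setting wins. The manual does not describe this case.
    auth = max((r.auth for r in rules), key=STRICTNESS.__getitem__)
    if auth == "Block":
        result["action"] = "block"
    elif port_rule is not None and port_rule.mutual_tls and not client_cert_valid:
        result["action"] = "reject_no_client_cert"
    elif auth == "Authentication" and not has_credentials:
        result["action"] = "challenge"
        result["status"] = challenge_code  # 401 or 407, per Device Authentication
    return result


# Constructed configuration: 77 is the manual's example prefix, the rest is made up.
PREFIXES = [GuestPrefix("77", strip=True, auth="None"),
            GuestPrefix("779", strip=False, auth="Authentication"),
            GuestPrefix("66", strip=True, auth="Block")]
PORTS = [GuestPort(5071, "TLS", auth="None", mutual_tls=True)]

if __name__ == "__main__":
    for line, port in [("INVITE sip:771001@dma-virt SIP/2.0", 5060),
                       ("INVITE sip:7791001@dma-virt;transport=tcp SIP/2.0", 5060),
                       ("INVITE sip:661001@dma-virt SIP/2.0", 5060),
                       ("INVITE sips:1001@dma-virt SIP/2.0", 5071)]:
        print(port, line, "->", classify(line, port, PREFIXES, PORTS))
```

Calls the model marks as guest are the ones the "Dial rules for unauthorized calls" list from step 8 has to route, so a prefix set to None with no matching unauthorized dial rule is worth reviewing.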
See also:
Signaling Settings
Configure Logging
To configure logging
1 Go to Admin > Local Cluster > Logging Settings.
2 Change Rolling frequency and Retention period as desired.
3 If requested to do so by Polycom support, change Logging level.
4 Click Update.
A dialog informs you that the configuration has been updated.
5 Click OK.
See also:
Logging Settings
Automatically Send Usage Data
To continually improve the product, it is important to gain understanding of how the RealPresence DMA 7000 system is used by customers. By collecting this data, Polycom can identify both the system level utilization and the combination and usage of RealPresence DMA features. This usage data will inform Polycom which features are important and are actually used on your system. Polycom will use this information to help guide future development and testing to concentrate on the areas of RealPresence DMA that are most heavily used. If you choose not to send this information, Polycom is less aware of which features are important to you and that are used by you, which may influence future development to go in directions that are less beneficial to you.
Your decision to enable or not enable the sending of this data does not affect the availability of any documented system feature in any way. Enabling this feature does not affect the capacity or responsiveness of the RealPresence DMA system to process calls, conferences, GUI or API interactions.
The system sends the data once per hour over a secured (TLS) connection to a Polycom collection point (customerusagedatacollection.polycom.com). There is no access by any customer or others to view the data received at the collection point. The raw data will be viewable only by Polycom. To avoid any impact to starting and ending calls and conferences, data is never sent between 5 minutes before the hour and 5 minutes after the hour.
The following types of data are reported:
License information
Hardware configuration
System resource usage: CPU, RAM, disk, database
System configuration: number of servers, clusters
Feature configuration: Enterprise Directory Integration, Lync, Dial Rules, Shared Number Dialing, Hunt Groups, Registration Policy, Device Authentication
Number of users, endpoints, sites, MCUs, external gatekeepers, SIP peers, SBCs
Registrations, call and conference statistics (see Network Usage Report)
Security settings
When this information is reported, a customer’s user and environment identifying information (e.g., internal IP addresses and FQDNs, names of users, devices, external systems, etc.) is made anonymous before being sent from the system. System serial numbers and license information are sent without anonymization and may be used to help improve customer experiences. In total, less than 100KB of data per hour is collected and sent.
Polycom’s collection and use of this data complies with Polycom’s Privacy Policy.
Enable or Disable Automatic Data Collection
Initially, you can decide to allow or disallow the automatic sending of usage data when the system’s End
User License Agreement is presented.
You can view and change the current status of usage data sending and collection on the Admin > Local Cluster > Licenses page. Usage data is being sent only if the Automatically send usage data field is checked. By changing the value of this field, you can enable or disable this feature at any time.
See the Collected Data
The system records data that has been sent and collected in the system logs.
To see the collected data
1 Log in to the RealPresence DMA system as an Administrator.
2 Download the system logs. See System Logs Procedures.
3 On the PC where the logs have been downloaded, use an archiving or zipping tool to extract the file
analytics.json.
Analytics.json is a text file containing the hourly data reported most recently before the time when the system logs were created.
4 View the analytics.json file with Notepad or another common text editing tool.
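Instead of reading the file by eye, the extracted analytics.json can be checked against the anonymization described above. The following is an added example, not Polycom code: it makes no assumption about the file's schema and simply walks every key and string value; the sample document, the suffix .corp.example.com and the name HQ-Boardroom are constructed.

```python
import ipaddress
import json
import re

_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def walk(node, path="$"):
    """Yield (path, text) for every key and string value in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key} (key)", key
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit(text, internal_suffixes=(), known_names=()):
    """Return (path, kind, match) for values that look un-anonymized.

    internal_suffixes: your own DNS suffixes, e.g. ".corp.example.com"
    known_names: user, device or site names that must not appear verbatim
    """
    findings = []
    for path, value in walk(json.loads(text)):
        for m in _IPV4.finditer(value):
            try:
                ip = ipaddress.ip_address(m.group())
            except ValueError:  # dotted number that is not a valid address
                continue
            if ip.is_private:
                findings.append((path, "private_ip", m.group()))
        for m in _HOST.finditer(value):
            host = m.group().lower()
            if any(host.endswith(s.lower()) for s in internal_suffixes):
                findings.append((path, "internal_host", m.group()))
        lowered = value.lower()
        for name in known_names:
            if name.lower() in lowered:
                findings.append((path, "known_name", name))
    return findings


# Constructed sample: the real file's field names are not documented here.
# The serial number is expected to appear, since serials are not anonymized.
SAMPLE = json.dumps({
    "serial": "CONSTRUCTED-SERIAL-0001",
    "features": {"deviceAuthentication": True, "dialRules": 4},
    "sites": [{"name": "site-3f9a", "subnet": "anon-17"},
              {"name": "HQ-Boardroom", "subnet": "10.33.17.0/24"}],
    "peers": ["sbc-01.corp.example.com", "peer-77ab"],
})

if __name__ == "__main__":
    for finding in audit(SAMPLE, internal_suffixes=(".corp.example.com",),
                         known_names=("HQ-Boardroom",)):
        print(finding)
```

Pass the text of the extracted file to audit() together with your own DNS suffixes and a few names of real users or rooms; an empty result means none of them appear in that hour's report.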
Device Management
This section describes the following Polycom® RealPresence® Distributed Media Application™ (DMA®) 7000 system’s network device management pages:
Active Calls
Endpoints
Site Statistics
Site Link Statistics
External Gatekeeper
External SIP Peer
External H.323 SBC
Other Network menu topics are addressed in the following chapters:
Superclustering (DMAs)
MCU Management
Site Topology
Active Calls
The Active Calls page lets you monitor the calls in progress (managed by the Call Server) and disconnect an active call.
The search pane above the two lists lets you find calls matching the criteria you specify. Click the down arrow to expand the search pane. You can search for an originator or destination device by its name, alias, or IP address. You can limit your search by specifying one or more of the following:
Cluster, territory, or site.
Signaling type (H.323 or SIP) or registration status of the call originator.
Class of service or bit rate range.
The system matches any string you enter against the beginning of the values for which you entered it. If you enter “10.33.17” in the Originator field, it displays calls from devices whose IP addresses are in that subnet. To search for a string not at the beginning of the field, you can use an asterisk (*) as a wildcard.
Leave a field empty (or select the blank entry from a list) to match all values.
Note: Use specific filter strings
Specifying a filter that includes too many active calls can be a drain on system resources.
The calls that match your search criteria (up to 500) appear in the lower list. You can pin a call that you want to study. This moves it to the upper list, and it remains there, even after the call ends, until you unpin it.
Details about the selected call are available in the Call Info, Originator, Destination, and Bandwidth tabs of the pane on the right. This information (and more) is also available in the Call Details dialog, which appears when you click Show Call Details (in the Actions list). See Call Details Dialog for descriptions of the data.
Note: Cluster vs. supercluster call statistics
If a call traverses multiple clusters in a supercluster, it’s counted as a single call, but it appears in the results of each cluster it touches when you search by cluster. Therefore, the sum of the number of calls for each cluster may be greater than the total number of calls for the entire supercluster.
The following table describes the parts of the Active Calls list.
Column Description
(Pin State) Click to pin a call, moving it to the top list and keeping its information available
even if the call ends. Click again to unpin it.
Start Time Time the call began (first signaling event).
Originator Source of the call (the device’s display name, if available; otherwise, its name,
alias, or IP address, in that order of preference). If the originator is an MCU, the MCU name.
Dial String Dial string sent by originator, when available.
Destination Destination of the call (the device’s display name, if available; otherwise, its
name, alias, or IP address, in that order of preference). If the destination is an MCU, the MCU name.
Bit Rate Bit rate (kbps) of the call. A down arrow indicates that the call was
downspeeded. Hover over it to see details.
Class of Service Class of service (Gold, Silver, or Bronze) of the call.
See also:
Device Management
Call Details Dialog
Endpoints
Call Details Dialog
The Call Details dialog appears when you click Show Call Details on the Active Calls page or Call History page. It provides detailed information about the selected call. Keep in mind that some of the settings on the
Call Server Settings page can affect the values reflected for a call.
The following table describes the fields in the dialog.
Tab/Field/Column Description
Call Info
Call Info Displays the call’s:
Status (active/ended and pinned/unpinned)
Start time and end time
Duration
Signaling protocol(s)
Polycom RealPresence DMA server(s) involved
Unique call ID
Dial string, if available
Final dial string (after processing by dial rules)
Originator Displays the source device’s:
Name and authentication name
Authentication status
Model and version
Aliases
IP address or host name
Registration status
Site and territory
If this is a registered endpoint or a registered/configured MCU, a link takes you to the corresponding page with that endpoint or MCU selected.
Destination Displays the destination device’s:
Name and authentication name
Authentication status
Model and version
Aliases
IP address or host name
Registration status
Site and territory
If this is a registered endpoint or a registered/configured MCU, a link takes you to the corresponding page with that endpoint or MCU selected.
Bandwidth Available only after the call has ended. The table at the top lists each throttle
point that the call traverses and shows its:
Bit rate limit per call (kbps)
Total capacity (kbps)
Used bit rate (kbps) in each class of service
Weight (%)
Territory
If the throttle point is a subnet, site, or site link, a link takes you to the corresponding site topology page with the throttle point entity selected.
Below the table, the data used in bandwidth processing is displayed (all bit rates are kbps):
Formal maximum bit rate limit — the maximum allowed bit rate considering
the per call bit rates of each throttle point, but not considering total capacity or current usage
Available bit rate capacity in each class of service and for the call’s class
Class of service for the call
Minimum downspeed bit rate
Available bit rate limit (%) — the maximum percentage of remaining
bandwidth at a throttle point that will be given to any one call (configurable on the Call Server Settings page)
Requested bit rate
Final bit rate
Call Events Lists each call event in the call and its attributes.
When the system is operating as a SIP proxy server, the list includes all SIP signaling messages except 100 TRYING.
Hover over an attribute label to see a description. Click Show Message to see the signaling message. Click Show QoS Data to see detailed quality of service statistics.
Subscription Events For conference (VMR) calls, lists SUBSCRIBE/NOTIFY events, if any, associated with this call.
The SIP SUBSCRIBE/NOTIFY conference notification service (as described in RFCs 3265 and 4575) allows SIP devices (generally, conference participants) to subscribe to a conference and receive conference rosters and notifications of conference events. The rosters identify the participants, their endpoints, and their video streams.
Hover over an attribute label to see a description. Click Show Message to see the signaling message.
Note: If the system is configured to let devices subscribe to a conference without being participants in the conference (see Security Settings), the call history doesn’t include data for such non-participant subscriptions. But be aware that a subscription to a conference by a non-participant consumes a call license.
Property Changes Lists each property change in the call, showing the value, time, and sequence
number of the associated event.
QoS Quality of service data is only available if one of the endpoints is a registered
H.323 endpoint that supports IRQs. This tab displays a graph showing how QoS varied during the call. The horizontal scale and frequency of data points (dots on the lines of the graph) vary based on the length of the call.
Hover over a data point to see the value at that point.
See also:
Active Calls
Endpoints
The Endpoints page provides access to information about the devices known to the Polycom RealPresence DMA system. From it, you can:
View details about a device.
View the call history or registration history of a device.
Add aliases for a device, edit or delete added aliases (but not aliases with which the device
registered), and configure the class of service settings.
Block a device, which prevents it from registering.
Unblock a blocked device, allowing it to register.
Quarantine a device, which allows it to register (or remain registered), but not to make or receive
calls.
Remove a quarantined device from quarantine, allowing it to make and receive calls.
Delete an inactive device or devices. An inactive device is one whose registration has expired.
Depending on your Registration Policy settings (see Registration Policy), inactive devices may be automatically deleted after a specified number of days.
Select multiple devices to block/unblock, quarantine/unquarantine, delete, or change specific settings of (device authentication, permanent registration, and class of service).
Manually add a device. The registration status of the device depends on the system’s registration policy (see Add Endpoint Dialog).
Associate a user with a device.
Note: RealPresence Resource Manager integration and user-to-device association
If the Polycom RealPresence DMA system is integrated with a Polycom RealPresence Resource Manager system, it receives user-to-device association information from that system, and you can only associate users with devices on the Polycom RealPresence Resource Manager system.
The search pane above the list lets you find devices matching the criteria you specify. The default search finds all endpoints with active registrations. Click the down arrow to expand the search pane.
The system matches any string you enter against the beginning of the values for which you entered it. If you enter “10.33.17” in the IP address field, it displays devices whose IP addresses are in that subnet. To search for a string not at the beginning of the field, you can use an asterisk (*) as a wildcard.
Leave a field empty (or select the blank entry from a list) to match all values.
Check Exceptions to find devices for which the registration policy script returned an exception. Leave the field to the right empty to match all exception values, or enter a search string to find only exceptions matching that string.
Check Exceptions and enter an exclamation point (!) in the field to the right to find only devices with no exceptions.
The devices that match your search criteria (up to 500) are listed below.
The following table describes the parts of the Endpoints list.
Column Description
Name The name of the device.
Model The model designation of the device.
IP Address The IP address of the device.
Alias The aliases, if any, assigned to the device.
Site The site to which the device belongs.
Owner Domain The domain to which the device’s owner, if any, belongs.
Owner The user who owns the device.
Class of Service The class of service assigned to the device:
Gold
Silver
Bronze
Inherit from associated user (if none, default to Bronze)
Note: The class of service of the device applies to point to point calls. VMR calls use the class of service of the conference room.
Admission Policy Indicates the admission policy applied to the device:
Allow
Block
Quarantine
Reject
Compliance Level Indicates whether the device is compliant or noncompliant with the applicable
registration policy script (see Registration Policy).
Registration Status The registration status of the device:
Active — The device is registered and can make and receive calls.
Inactive — The device’s registration has expired. Whether it can make and
receive calls depends on the system’s rogue call policy (see Call Server
Settings) and. It can register again.
Quarantined — The device is registered, but it can’t make or receive calls.
It remains in Quarantined or Quarantined (Inactive) status until you remove it from quarantine.
Quarantined (Inactive) — The device was quarantined, and its registration
has expired. It can register again, returning to Quarantined status.
Blocked — The device is not permitted to register. It remains blocked from
registering until you unblock it.
If the device is in a site managed by the system, its ability to make and receive calls depends on the system's rogue call policy (see Call
Server Settings).
If the device is not in a site managed by the system, it can’t make or receive calls.
A device’s status can be determined by:
An action by the device.
An action applied to it manually on this page.
The expiration of a timer.
The application of a registration policy and admission policy (see
Registration Policy).
Exceptions Shows any exceptions with which the device was flagged as a result of
applying a registration policy.
Active Calls Indicates if the device is in a call.
Device Authentication Indicates whether the endpoint must authenticate itself.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication), or the setting for the device has no effect.
The Actions list associated with the Endpoints list contains the items in the following table.
Command Description
View Details Opens the Device Details dialog for the selected endpoint.
Add Opens the Add Endpoint dialog, where you can manually add a device to the
system.
Edit Opens the Edit Endpoint dialog for the selected endpoint, where you can change
its information and settings. If multiple endpoints are selected, opens the Edit Endpoint dialog, where you can change the device authentication, permanent registration, and class of service settings.
Delete Removes the registration of the selected endpoint(s) with the Call Server and
deletes the endpoint(s) from the Polycom RealPresence DMA system. A dialog asks you to confirm.
Unregistered endpoints are treated like rogue endpoints (see Call Server Settings). The device can register again.
Associate User Opens the Associate User dialog for the selected endpoint, where you can
associate this device with a user. Not available if the Polycom RealPresence DMA system is integrated with a
Polycom RealPresence Resource Manager system. In that case, it receives user-to-device association information from that system.
Block Registrations Prevents the endpoint(s) from registering with the Call Server. A dialog asks you to
confirm. When blocked endpoints are selected, this becomes Unblock Registrations.
If a blocked device is in a site managed by the system, its ability to make and receive calls depends on the system's rogue call policy (see Call Server Settings). If the device is not in a site managed by the system, it can’t make or receive calls.
Quarantine Prevents the endpoint(s) from making or receiving calls. A dialog asks you to
confirm. When quarantined endpoints are selected, this becomes Unquarantine. Unlike a blocked endpoint, a quarantined endpoint is registered (or can register) with
the Call Server.
View Call History Takes you to Reports > Call History and displays the call history for the selected
endpoint.
View Registration History Takes you to Reports > Registration History and displays the registration history
for the selected endpoint.
Names/Aliases in a Mixed H.323 and SIP Environment
An endpoint that supports both H.323 and SIP can register with the Polycom RealPresence DMA system’s gatekeeper and SIP registrar using the same name/alias. When the RealPresence DMA system receives a call for that endpoint, it uses the protocol of the calling endpoint. This is logical and convenient, but it can lead to failed calls under the following circumstances:
The system is configured to allow calls to/from rogue (not actively registered) endpoints (see Call
Server Settings).
An endpoint that was registered with both protocols (using the same name/alias) later has one of the protocols disabled, and that registration expires (or otherwise becomes inactive).
The Polycom RealPresence DMA system doesn’t know if the endpoint no longer supports that protocol. When another endpoint tries to call using the called endpoint’s disabled protocol, the system still tries to reach it using that protocol, and the call fails.
To avoid this problem, you can do one of the following:
Ensure that endpoints supporting both protocols use different names/aliases for each protocol.
Don’t allow calls to/from rogue endpoints.
If you know an endpoint has stopped supporting a protocol, manually delete its inactive registration
for that protocol.
Naming ITP Systems Properly for Recognition by the Polycom RealPresence DMA System
A Polycom Immersive Telepresence (ITP) room system contains multiple displays and codecs (endpoints). If the ITP system is using SIP or H.323 signaling (not Cisco TIP signaling), then in order for the Polycom RealPresence DMA system to recognize these devices as part of an ITP system, they must have names that properly identify them. The names must take the form systemName_M_N, where M is the total number of displays in the ITP system (2, 3, or 4) and N is the sequence number of each display. The “primary” codec must be assigned sequence number 1.
For example, the three HDX devices in a Polycom OTX 300 ITP system named Bainbridge might be named as follows:
Bainbridge ITP_3_1
Bainbridge ITP_3_2
Bainbridge ITP_3_3
When these three devices register (H.323 or SIP) with the Polycom RealPresence DMA system’s Call Server, the RealPresence DMA system recognizes them as constituting a single ITP system and assigns them a Gold class of service (you can change this if you wish). The RealPresence DMA system also manages the device authentication settings as applying to a single system.
You can only edit the device authentication and class of service settings for the primary codec (the device with sequence number 1); the RealPresence DMA system automatically propagates any changes to the other devices in the ITP system.
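A misnamed or missing codec leaves a device outside the ITP grouping, so it does not inherit the device authentication and class of service settings propagated from the primary codec. The following added example (not Polycom code) audits a list of endpoint names against the systemName_M_N rule; it assumes the whole device name follows that pattern, and every sample name other than the three Bainbridge ones is constructed.

```python
import re
from collections import defaultdict

# Assumption of this example: the whole device name is "<systemName>_<M>_<N>".
ITP_NAME = re.compile(r"^(?P<system>.+)_(?P<total>[0-9]+)_(?P<seq>[0-9]+)$")


def audit_itp_names(names):
    """Group ITP-style endpoint names and report convention violations.

    Returns (systems, problems). systems maps (systemName, M) to the sorted
    sequence numbers seen; problems is a list of finding strings.
    """
    systems = defaultdict(list)
    problems = []
    for name in names:
        m = ITP_NAME.match(name)
        if m is None:
            continue  # ordinary endpoint, not named as part of an ITP system
        total, seq = int(m["total"]), int(m["seq"])
        if total not in (2, 3, 4):
            problems.append(f"{name}: M={total} is not 2, 3, or 4")
        elif not 1 <= seq <= total:
            problems.append(f"{name}: N={seq} is outside 1..{total}")
        else:
            systems[(m["system"], total)].append(seq)

    totals_by_system = defaultdict(set)
    for (system, total), seqs in sorted(systems.items()):
        seqs.sort()
        totals_by_system[system].add(total)
        label = f"{system} (M={total})"
        duplicates = sorted({n for n in seqs if seqs.count(n) > 1})
        missing = sorted(set(range(1, total + 1)) - set(seqs))
        if duplicates:
            problems.append(f"{label}: duplicate sequence numbers {duplicates}")
        if 1 in missing:
            # Settings are edited on the primary codec and propagated from it.
            problems.append(f"{label}: no primary codec (sequence number 1)")
        if missing:
            problems.append(f"{label}: missing sequence numbers {missing}")
    for system, totals in sorted(totals_by_system.items()):
        if len(totals) > 1:
            problems.append(f"{system}: conflicting display counts {sorted(totals)}")
    return dict(systems), problems


# Constructed sample: the first three names are the page's example, the rest
# are invented to exercise each check.
SAMPLE_NAMES = [
    "Bainbridge ITP_3_1", "Bainbridge ITP_3_2", "Bainbridge ITP_3_3",
    "Lab ITP_4_2", "Lab ITP_4_3", "Lab ITP_4_4",   # primary codec absent
    "Dock ITP_2_1", "Dock ITP_3_2",                # inconsistent M
    "Roof ITP_5_1",                                # M out of range
    "hdx-lobby",                                   # not an ITP name
]

if __name__ == "__main__":
    found, issues = audit_itp_names(SAMPLE_NAMES)
    for key, seqs in sorted(found.items()):
        print(key, seqs)
    for issue in issues:
        print("PROBLEM:", issue)
```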
Note: ITP Systems and bit rates
The RealPresence DMA system’s ability to recognize ITP calls and treat them as one assures the same class of service and device authentication settings for all the endpoints in the ITP system, but not other registration settings. It’s up to you to ensure that the maximum and minimum bit rates and other registration settings are consistent.
Note: ITP systems and CDRs
For ITP systems using SIP or TIP signaling (but not H.323), the RealPresence DMA system also creates a single CDR for calls from the ITP system rather than separate CDRs for each of the three devices. See Call Record Layouts.
Follow this naming convention for both the HDX system name and the name for each HDX endpoint in the ITP system. For more information, see the following documents:
Administrator’s Guide for Polycom HDX Systems
Polycom Immersive Telepresence (ITP) Deployment Guide
Polycom Multipoint Layout Application (MLA) User’s Guide for Use with Polycom Telepresence
Solutions
See also:
Device Management
Add Endpoint Dialog
Edit Device Dialog
Associate User Dialog
Active Calls
Add Endpoint Dialog
The Add Endpoint dialog lets you manually add a device to the system.
When you add an endpoint manually, the system applies its registration policy script (see Registration Policy) to determine the device’s compliance level (compliant or noncompliant with the policy), and then applies the admission policy associated with that result to determine the registration status of the device.
The following table describes the parts of the dialog.
Field Description
Device type The device’s signaling protocol (H.323 or SIP).
Signaling address For an H.323 device, the H.225 call signaling address and port of the device. Either
this or the RAS address is required.
RAS address For an H.323 device, the RAS (Registration, Admission and Status) channel address
and port of the device.
Aliases For an H.323 device, lists the device’s aliases. When you’re adding a device, this list
is empty. The Add button lets you add an alias.
Address of record For a SIP device, the AOR with which the device registers (see registration rules in
RFC 3261), such as:
sip:1000@westminster.polycom.com
Device authentication Indicates whether the endpoint must authenticate itself.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication), or the setting for the device has no effect.
Class of service Select to specify the class of service and the bit rate limits for calls to and from this
device. A call between two devices receives the higher class of service of the two. Note: The class of service of the device applies to point to point calls. VMR calls use
the class of service of the conference room.
Maximum bit rate (kbps) The maximum bit rate for calls to and from this device.
Minimum downspeed bit rate (kbps)
The minimum bit rate to which calls from this device can be downspeeded to manage bandwidth. If this minimum isn’t available, the call is dropped.
Model Optional model number/name for the device.
Version Optional version information for the device.
See also:
Endpoints
Add Alias Dialog
Edit Alias Dialog
Edit Device Dialog
The Edit Device dialog lets you change a device’s class of service settings, add aliases, and edit or delete added aliases. You can’t edit or delete aliases with which the device registered.
The following table describes the parts of the dialog.
Field Description
Device type The device’s signaling protocol (H.323 or SIP).
Signaling address For an H.323 device, the H.225 call signaling address and port of the device. Either
this or the RAS address is required.
RAS address For an H.323 device, the RAS (Registration, Admission and Status) channel address
and port of the device.
Aliases For an H.323 device, lists the device’s aliases. When you’re adding a device, this list
is empty. The Add button lets you add an alias.
Site The site to which the device belongs. Display only.
Owner domain The domain to which the device’s owner belongs, if provided by the device. Display
only.
Owner The user who owns the device, if provided by the device. Display only.
Registration status The registration status of the device. Display only.
Permanent Prevents the registration from ever expiring.
Device authentication Indicates whether the endpoint must authenticate itself.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication), or the setting for the device has no effect.
Class of service Select to modify the class of service and the bit rate limits for calls to and from this
device. A call between two devices receives the higher class of service of the two. Note: The class of service of the device applies to point to point calls. VMR calls use
the class of service of the conference room.
Maximum bit rate (kbps) The maximum bit rate for calls to and from this device.
Minimum downspeed bit rate (kbps)
The minimum bit rate to which calls from this device can be downspeeded to manage bandwidth. If this minimum isn’t available, the call is dropped.
Forward if no answer If the device doesn’t answer, forward calls to the specified alias.
Registered endpoints can activate this feature by dialing the vertical service code (VSC) for it (default is *73) followed by the alias. They can deactivate it by dialing the VSC alone.
Forward if busy If the device is busy, forward calls to the specified alias.
Registered endpoints can activate this feature by dialing the VSC for it (default is *74) followed by the alias. They can deactivate it by dialing the VSC alone.
Forward unconditionally Forward all calls to the specified alias.
Registered endpoints can activate this feature by dialing the VSC for it (default is *75) followed by the alias. They can deactivate it by dialing the VSC alone.
Alert when endpoint unregisters
If the device unregisters from the Call Server or its registration expires, an informational alert is triggered (see Alert 5003).
See also:
Endpoints
Add Alias Dialog
Edit Alias Dialog
Edit Devices Dialog
The Edit Devices dialog appears when you select multiple devices on the Endpoints page and click Edit Devices. It lets you change certain settings for multiple devices at a time.
The following table describes the parts of the dialog.
Field Description
Device authentication Indicates whether the selected devices must authenticate themselves.
Note: Inbound authentication for the device type must be enabled at the system level (see Device Authentication), or the setting for these devices has no effect.
Permanent Prevents the registration of the selected devices from ever expiring.
Class of service Select to modify the class of service and the bit rate limits for calls to and from the
selected devices. A call between two devices receives the higher class of service of the two. Note: The class of service of the device applies to point to point calls. VMR calls use
the class of service of the conference room.
Maximum bit rate (kbps) The maximum bit rate for calls to and from the selected devices.
Minimum downspeed bit rate (kbps)
The minimum bit rate to which calls from the selected devices can be downspeeded to manage bandwidth. If this minimum isn’t available, the call is dropped.
Alert when endpoint unregisters
If one of the selected devices unregisters from the Call Server or its registration expires, an informational alert is triggered (see Alert 5003).
See also:
Endpoints
Edit Device Dialog
Add Alias Dialog
The Add Alias dialog lets you specify an alias for the H.323 device you’re adding or editing. Enter the alias in the Value box and click OK.
See also:
Endpoints
Add Endpoint Dialog
Edit Device Dialog
Edit Alias Dialog
The Edit Alias dialog lets you change the selected alias for the H.323 device you’re editing. You can’t edit aliases with which the device registered, only those that have been added. Edit the alias in the Value box and click OK.
See also:
Endpoints
Edit Device Dialog
Associate User Dialog
Note: RealPresence Resource Manager integration and user-to-device association
If the Polycom RealPresence DMA system is integrated with a Polycom RealPresence Resource Manager system, it receives user-to-device association information from that system, and you can only associate users with devices on the Polycom RealPresence Resource Manager system.
The Associate User dialog lets you associate the selected device with a user. Use the search fields at the top to find the user you want to associate with this device.
You can search by user ID, first name, or last name. The Search users field searches all three for matches. The system matches the string you enter against the beginning of the field you’re searching. For instance, if you enter “sa” in the Last name field, it displays users whose last names begin with “sa.” To search for a string not at the beginning of the field, you can use an asterisk (*) as a wildcard.
When you find the right user, select that row and click OK. A prompt asks you to confirm associating the endpoint with this user.
See also:
Endpoints
Site Statistics
The Site Statistics page lists the sites defined in the Polycom RealPresence DMA system’s site topology and, for those controlled by the system, traffic and QoS statistics. Network clouds and the default internet site aren’t included.
The following table describes the fields in the list.
Column Description
Site Name Name of the site.
Number of Calls Number of active calls on this site.
Bandwidth Used % Percentage of available bandwidth in use for this site.
Bandwidth (bps) Total bandwidth in use for this site.
Note: The Bit rate to bandwidth conversion factor setting on the Call
Server Settings page is used to calculate the bandwidth in use.
Avg Bit Rate (bps) Average bit rate of this site’s active calls.
Note: The Bit rate to bandwidth conversion factor setting on the Call
Server Settings page is used to calculate the average bit rate.
Packet Loss % Average packet loss percentage of this site’s active calls.
Avg Jitter (msec) Average jitter rate of this site’s active calls.
Avg Delay (msec) Average delay rate of this site’s active calls.
Territory Territory to which the site belongs.
Cluster Cluster responsible for the territory to which the site belongs.
See also:
Device Management
Sites
Site Link Statistics
The Site Link Statistics page lists the site links defined in the Polycom RealPresence DMA system’s site topology and, for those controlled by the system, traffic and QoS statistics.
The following table describes the fields in the list.
Column Description
Site Name Name of the site.
Number of Calls Number of active calls on this site.
Bandwidth Used % Percentage of available bandwidth in use for this site.
Bandwidth (bps) Total bandwidth in use for this site.
Note: The Bit rate to bandwidth conversion factor setting on the Call
Server Settings page is used to calculate the bandwidth in use.
Avg Bit Rate (bps) Average bit rate of this site’s active calls.
Note: The Bit rate to bandwidth conversion factor setting on the Call
Server Settings page is used to calculate the average bit rate.
Packet Loss % Average packet loss percentage of this site’s active calls.
Avg Jitter (msec) Average jitter rate of this site’s active calls.
Avg Delay (msec) Average delay rate of this site’s active calls.
Territory Territory to which the site belongs.
Cluster Cluster responsible for the territory to which the site belongs.
See also:
Device Management
Site Links
External Gatekeeper
On the External Gatekeeper page, you can add or remove neighbor gatekeepers. This is a supercluster-wide configuration.
When an enterprise has multiple neighbored gatekeepers, each gatekeeper manages its own H.323 zone. When a call originates in one gatekeeper zone and that zone’s gatekeeper is unable to resolve the dialed address, it forwards the call to the appropriate neighbor gatekeeper(s) for resolution.
But note that a Polycom RealPresence DMA supercluster can manage multiple locations as a single H.323 zone, with the clusters acting as a single virtual gatekeeper. This allows the gatekeeper function to be geographically distributed, but managed centrally. A Polycom RealPresence DMA supercluster may eliminate the need for multiple zones and neighbor gatekeepers.
Note: External gatekeeper considerations
When adding a neighbor gatekeeper, you can only specify one IP address. In an IPv4 + IPv6 environment, to add a neighbor gatekeeper that has both an IPv4 and an IPv6 address, do the following:
Add the neighbor gatekeeper using its IPv4 address.
Add it a second time using its IPv6 address.
Add one Resolve to external gatekeeper dial rule (see Add Dial Rule Dialog) that specifies the
neighbor gatekeeper’s IPv4 address entry (and no other gatekeepers).
Add another Resolve to external gatekeeper dial rule that specifies the neighbor gatekeeper’s
IPv6 address entry (and no other gatekeepers).
Requests from endpoints with IPv4 addresses will be forwarded to the gatekeeper’s IPv4 address, and requests from endpoints with IPv6 addresses will be forwarded to the gatekeeper’s IPv6 address.
The following table describes the fields in the list.
Column Description
Name The name of the neighbored gatekeeper.
Description Brief description of the gatekeeper.
Address Host name or IP address of the gatekeeper.
Prefix Range The dial string prefix(es) assigned to this neighbor gatekeeper.
If your dial plan uses the Dial services by prefix dial rule (in the default dial plan) to route calls to services, all dial strings beginning with an assigned prefix are forwarded to this gatekeeper for resolution.
Enabled Indicates whether the system is using the neighbor gatekeeper.
See also:
Device Management
Edit External Gatekeeper Dialog
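The Prefix range values accepted for a neighbor gatekeeper (a single prefix, a range, a comma-separated list, or a combination) decide which dial strings leave the system for external resolution. The following added example (not Polycom code) expands such values, shows which enabled gatekeepers a dial string would match, and goes beyond the page by flagging prefixes claimed by more than one gatekeeper. The dictionary keys, gatekeeper names, digit-only prefixes and equal-length range ends are assumptions of this example, and the sample data is constructed.

```python
import re

_DIGITS = re.compile(r"[0-9]+")


def expand_prefix_range(spec):
    """Expand a Prefix range value such as '41, 44-47, 49' into prefixes.

    Assumptions of this example: prefixes are decimal digits, and both ends
    of a range have the same length (so zero padding is preserved).
    """
    prefixes = []
    for part in spec.split(","):
        lo, dash, hi = (s.strip() for s in part.partition("-"))
        if not _DIGITS.fullmatch(lo):
            raise ValueError(f"bad prefix {part.strip()!r} in {spec!r}")
        if not dash:
            prefixes.append(lo)
            continue
        if not _DIGITS.fullmatch(hi) or len(hi) != len(lo) or int(hi) < int(lo):
            raise ValueError(f"bad range {part.strip()!r} in {spec!r}")
        prefixes.extend(str(n).zfill(len(lo)) for n in range(int(lo), int(hi) + 1))
    return prefixes


def matching_gatekeepers(dial_string, gatekeepers):
    """Return (name, forwarded dial string) for each enabled gatekeeper that
    has a prefix the dial string begins with. All matches are reported; no
    tie-breaking between gatekeepers is modelled."""
    matches = []
    for gk in gatekeepers:
        if not gk["enabled"]:
            continue  # a disabled entry is kept in the list but not used
        hits = [p for p in expand_prefix_range(gk["prefix_range"])
                if dial_string.startswith(p)]
        if hits:
            prefix = max(hits, key=len)
            forwarded = dial_string[len(prefix):] if gk["strip_prefix"] else dial_string
            matches.append((gk["name"], forwarded))
    return matches


def ambiguous_prefixes(gatekeepers):
    """List (prefix, owner, prefix, owner) pairs where prefixes of two
    different enabled gatekeepers are equal or one begins with the other."""
    owned = [(p, gk["name"]) for gk in gatekeepers if gk["enabled"]
             for p in expand_prefix_range(gk["prefix_range"])]
    return sorted({(a, na, b, nb) for a, na in owned for b, nb in owned
                   if na != nb and b.startswith(a)
                   and (len(a) < len(b) or na < nb)})


# Constructed sample configuration (hypothetical gatekeeper names).
GATEKEEPERS = [
    {"name": "gk-east", "enabled": True, "prefix_range": "41, 44-47, 49", "strip_prefix": True},
    {"name": "gk-west", "enabled": True, "prefix_range": "47-48", "strip_prefix": False},
    {"name": "gk-old", "enabled": False, "prefix_range": "44", "strip_prefix": False},
]

if __name__ == "__main__":
    for dialed in ("4412345", "4712345", "5012345"):
        print(dialed, "->", matching_gatekeepers(dialed, GATEKEEPERS))
    print("ambiguous:", ambiguous_prefixes(GATEKEEPERS))
```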
Add External Gatekeeper Dialog
The following table describes the fields in the Add External Gatekeeper dialog.
Column Description
External Gatekeeper
Enabled Clearing this check box lets you stop using an external gatekeeper without
deleting it.
Name Gatekeeper name.
Description The text description displayed in the External Gatekeepers list.
Address Host name or IP address of the gatekeeper.
RAS port The RAS (Registration, Admission and Status) channel port number. Leave
set to 1719 unless you know the gatekeeper is using a non-standard port number.
Prefix range The dial string prefix or prefix range for which the external gatekeeper is
responsible. Enter a single prefix (44), a range of prefixes (44-47), multiple prefixes
separated by commas (44,46), or a combination (41, 44-47, 49). If your dial plan uses the Dial services by prefix dial rule (in the default dial
plan) to route calls to services, all dial strings beginning with an assigned prefix are forwarded to this gatekeeper for resolution.
If your dial plan instead uses a rule that you create to apply the Resolve to external gatekeeper action, there is no need to specify a prefix.
Strip prefix If selected, the system strips the prefix when a call that includes a prefix is
routed to this gatekeeper.
Prefer routed If selected (the default), the system forces all calls to this gatekeeper to routed
mode. This setting must be enabled to avoid interoperability issues with Polycom
CMA and Avaya gatekeepers, and possibly others as well.
Authentication Mode In this section, you can configure the system to send its H.235 credentials
when it sends address resolution requests to that gatekeeper.