Rpad 4 2 Deploy Us en
Rpad 4 2 Deploy Us en
Rpad 4 2 Deploy Us en
Trademarks Polycom®, the Polycom logo and the names and marks associated with Polycom products are
trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States
and various other countries.
All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any
form or by any means, for any purpose other than the recipient's personal use, without the express written permission
of Polycom.
Disclaimer While Polycom uses reasonable efforts to include accurate and up-to-date information in this document,
Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for
any typographical or other errors or omissions in the content of this document.
Limitation of Liability Polycom and/or its respective suppliers make no representations about the suitability of the
information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and
is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall
Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other
damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of
business information), even if Polycom has been advised of the possibility of such damages.
End User License Agreement By installing, copying, or otherwise using this product, you acknowledge that you
have read, understand and agree to be bound by the terms and conditions of the End User License Agreement for this
product. The EULA for this product is available on the Polycom Support page for the product.
Patent Information The accompanying product may be protected by one or more U.S. and foreign patents and/or
pending patent applications held by Polycom, Inc.
Open Source Software Used in this Product This product may contain open source software. You may receive
the open source software from Polycom up to three (3) years after the distribution date of the applicable product or
software at a charge not greater than the cost to Polycom of shipping or distributing the software to you. To receive
software information, as well as the open source software code used in this product, contact Polycom by email at
[email protected].
Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback. Email
your opinions and comments to [email protected].
Polycom Support Visit the Polycom Support Center for End User License Agreements, software downloads,
product documents, product licenses, troubleshooting tips, service requests, and more.
2
Contents
Polycom, Inc. 3
Task 1: Create DNS A and PTR records on the external DNS server . . . . . . . . . . . . 23
Task 2: Create a DNS SRV record on the external DNS server . . . . . . . . . . . . . . . . . 24
Task 3: Create DNS A and PTR records on the internal DNS server . . . . . . . . . . . . . 24
Task 4: Create DNS SRV records on the internal DNS server . . . . . . . . . . . . . . . . . . 25
Task 5: Create DNS A records for STUN and TURN services . . . . . . . . . . . . . . . . . . 25
Task 6: Validate DNS settings on the external DNS server . . . . . . . . . . . . . . . . . . . . 27
Task 7: Validate DNS settings on the internal DNS server . . . . . . . . . . . . . . . . . . . . . 27
Configure Firewalls and Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Firewalls with SIP/H.323 ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Outside Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Inside Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Port Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Install and Configure the RealPresence Access Director System . . . . . . . . . . . . . . . . . . . . . . 29
Task 1: Perform Basic Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Task 2: Configure Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Task 3: Activate the License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Appliance Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Virtual Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Task 4: Configure Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configure the RealPresence Resource Manager System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configure the RealPresence Access Director System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Task 1: Configure Access Proxy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Task 2: Configure Basic Access Control List Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Task 3: Configure System Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Task 4: Configure TURN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Task 5: Provision the RealPresence Access Director System . . . . . . . . . . . . . . . . . . . . . 37
Configure the Polycom RealPresence DMA System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Task 1: Enable SIP Device Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Task 2: Configure an External SIP Peer to Support SIP Open B2B Calls . . . . . . . . . . . . 38
Task 3: Configure SIP Settings for Guest Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
SIP Settings for Guest Users on the Polycom DMA System . . . . . . . . . . . . . . . . . . . 40
SIP Settings for Guest Users on the RealPresence Access Director System . . . . . . 40
Task 4: Configure SIP Settings for Remote Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
SIP Settings for Remote Users on the RealPresence Access Director System . . . . . 41
Configure Polycom Endpoint Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Task 1: Configure Polycom HDX Series Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Task 2: Configure the Polycom Group Series System . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Task 3: Configure Polycom RealPresence Mobile or Desktop Endpoints . . . . . . . . . . . . 42
Professional Mode Sign-In Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configure the Polycom RealPresence Collaboration Server . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Polycom, Inc. 4
Integrate Two or More Systems with an F5 Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
F5 Load Balancer Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
F5 Load Balancer Impacts on other RealPresence Access Director System Features . . 43
Polycom, Inc. 5
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
DNS Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Verifying Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Verifying Access Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Verifying Call Success . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Verifying Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Required Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Management Access Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
SIP Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Polycom, Inc. 6
SIP WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
SIP LAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
H.323 Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
H.323 WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
H.323 LAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Access Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Access Proxy WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Access Proxy LAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Media WAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Media LAN Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
TURN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
TURN Relay Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Two-System Tunnel Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Comparison of Two-box Tunnel Deployment and Standard Deployment Ports . . . . . . . . . . . 96
Polycom, Inc. 7
Conventions Used in This Guide
This guide contains terms, graphical elements, and a few typographic conventions. Familiarizing yourself
with these terms, elements, and conventions will help you successfully perform tasks.
Information Elements
This guide may include any of the following icons to alert you to important information.
Caution The Caution icon highlights information you need to know to avoid a
hazard that could potentially impact device performance, application
functionality, or successful feature configuration.
Warning The Warning icon highlights an action you must perform (or avoid) to
prevent issues that may cause you to lose information or your
configuration setup, and/or affect phone, video, or network performance.
Web Info The Web Info icon highlights supplementary information available online
such as documents or downloads on support.polycom.com or other
locations.
User Tip The User Tip icon highlights techniques, shortcuts, or productivity
related tips.
Troubleshooting The Troubleshooting icon highlights information that may help you solve
a relevant problem or to refer you to other relevant troubleshooting
resources.
Polycom, Inc. 8
Typographic Conventions
A few typographic conventions, listed next, may be used in this guide to distinguish types of in-text
information.
A
Typographic Conventions
Convention Description
Bold Highlights interface items such as menus, menu selections, window and dialog names,
soft keys, file names, and directory names when they are involved in a procedure or user
action. Also used to highlight text to be entered or typed.
Italics Used to emphasize text, to show example values or inputs (in this form: <example>), and
to show titles of reference documents available from the Polycom Support Web site and
other reference sites.
Blue Text Used for cross references to other sections within this document and for hyperlinks to
external sites and documents.
Polycom, Inc. 9
Before You Begin
This guide describes the Polycom® RealPresence® Access Director™ solution and the process of deploying
the products in the solution. The solution provides firewall traversal for the connections required for the
supported deployment architecture, models, and user scenarios.
Related Documentation
Please read all available documentation before you install or operate the system. Documents are available
at Documents and Downloads at Polycom Support.
● Polycom RealPresence Access Director System Release Notes
● Polycom RealPresence Access Director System Getting Started Guide
● Polycom RealPresence Access Director System Administrator Guide
● Polycom RealPresence Platform Director System Administrator Guide
In addition, you will need the product documentation for the other infrastructure products required for this
solution, including:
● Polycom RealPresence DMA System Operations Guide
Polycom, Inc. 10
● Polycom RealPresence Resource Manager System Operations Guide
● Polycom RealPresence Collaboration Server System Administrator Guide
Get Help
For more information about installing, configuring, and administering Polycom products, refer to
Documents and Downloads at Polycom Support.
Polycom, Inc. 11
Unified Communications with the
Polycom® RealPresence® Access
Director™ Solution
In this solution, Polycom’s integrated suite of video conferencing systems includes the RealPresence
Access Director system, which:
● Secures the borders to the enterprise IP network, the private VPN, and the Internet for video
collaboration within and beyond the firewall.
● Enables high-quality and secure unified communications between divisions or enterprises, remote
users, and guest users.
● Combines remote, guest, open, and B2B calling scenarios with SIP and H.323 (AVC and SVC)
capabilities.
● Provides secure scalability for a mobile workforce.
The following topics describe the Polycom solution that includes the RealPresence Access Director system
as the session border controller (SBC) for a site’s IP network.
● Overview of the Polycom RealPresence Access Director Solution
● RealPresence Access Director System Solution Deployment Models
● Supported Call Scenarios
● Products Supported in this Solution
Component Description
HTTPS Access Proxy Enables remote and guest users via designated video endpoints to make HTTPS
connections to the RealPresence Access Director system, which are then proxied to the
internal Polycom® RealPresence® Resource Manager system, the RealPresence
Content Sharing Suite, and other HTTPS application servers, including the Polycom®
RealPresence® CloudAXIS™ Suite Experience Portal (MEA) and the RealPresence
CloudAXIS Services Portal (WSP).
XMPP Access Proxy Enables XMPP signaling from remote users via designated video endpoints to traverse
the firewall to the internal XMPP servers you specify in configuration settings. XMPP
access proxy also enables sending of outgoing XMPP signaling to remote endpoints.
Polycom, Inc. 12
Component Description
LDAP Access Proxy Enables remote and guest users via designated video endpoints to make LDAP
connections to the RealPresence Access Director system, which are then proxied to the
internal LDAP servers you specify in configuration settings. used by the RealPresence
Resource Manager system, or other LDAP application servers.
HTTP Tunnel Proxy An HTTP tunnel proxy enables CloudAXIS suite SIP guest users to attend video
conferences in your enterprise’s CloudAXIS suite Experience Portal. Some restrictive
networks block outgoing UDP-based traffic and can limit outgoing TCP traffic to ports 80
and 443. In these situations, if a CloudAXIS suite SIP guest cannot establish a native
SIP/RTP connection to a video conference, the RealPresence Access Director system
can act as a web proxy to tunnel the SIP guest call on port 443. Once the SIP guest is
connected to a meeting, the RealPresence Access Director system continues to tunnel
TCP traffic, including SIP signaling, media, and Binary Floor Control Protocol
(BFCP)/TCP content.
Media Relay Enables firewall traversal for media to and from remote and guest users with supported
video endpoints. The media relay functions as a Session Border Controller (SBC)-based
relay.
Static Routing Enables use of static routes to route traffic to the correct network destination. One or
more static routes may be defined for each network interface
H.460 Support The RealPresence Access Director system enables videoconference participants with
H.460-enabled endpoints to register to a Polycom® RealPresence® Distributed Media
Application™ (RealPresence DMA™ system), which acts as an H.323 gatekeeper, and
place and receive H.323 calls across firewalls/NATs.
Polycom, Inc. 13
Component Description
Access Control Lists The RealPresence Access Director system supports the use of access control lists for
login, registration, or call requests that come through the external signaling ports. Access
control list rules define whether the RealPresence Access Director system allows or
denies a specific type of request from a public network, which provides increased
protection against external security threats.
Configurable Port The RealPresence Access Director system allows you to configure port range settings to
Ranges decrease the number of dynamic ports that need to be open on your enterprise’s firewall.
When you specify a beginning port range number for signaling, media, or access proxy
dynamic source ports, the RealPresence Access Director system automatically
calculates the end port range number for that service, based on the number of calls on
your system license.
Two-System (Two-box) Two RealPresence Access Director systems can be deployed to tunnel traffic to and from
Tunnel Deployment your inside enterprise network. One RealPresence Access Director system is deployed
in the enterprise back-to-back DMZ between the inside and outside firewall and the other
system is deployed behind the inside firewall.
High Availability Two RealPresence Access Director systems can be deployed and configured to provide
High Availability (HA) of services.
STUN and TURN To support WebRTC-based video conferencing, the RealPresence Access Director
Services system can act as a STUN and TURN server to enable firewall and NAT traversal of UDP
media traffic between WebRTC clients. By using either Google Chrome or Mozilla
Firefox, users both inside and outside your enterprise network can attend web-based
Polycom® RealPresence® Web Suite Pro conferences, for which the RealPresence
Access Director system relays media between WebRTC clients (mesh conference) or
between WebRTC clients and a Polycom RealPresence Collaboration Server Multipoint
Control Unit (MCU).
F5 Load Balancer Two or more RealPresence Access Director systems can be deployed behind an F5
Support Networks load balancer to increase network capacity (concurrent users) and improve
overall performance by decreasing the burden on any one RealPresence Access
Director system.
Hypervisor The RealPresence Access Director, Virtual Edition, can be installed in the following
Environments for hypervisor environments:
Virtual Edition • VMware
• Microsoft Windows Server 2012 R2 with the Hyper-V role
Polycom, Inc. 14
The Polycom® RealPresence® Platform Director™ system is included with all Virtual Edition products and
is available at Polycom’s support site for download (support.polycom.com).
Before you install or upgrade your RealPresence Access Director system software, install the RealPresence
Platform Director system and verify that your product is licensed.
For complete instructions on how to deploy the RealPresence Access Director system, Virtual Edition, see
the Polycom RealPresence Access Director System Getting Started Guide and the Polycom RealPresence
Platform Director System Administrator Guide.
Polycom, Inc. 15
Polycom Unified Communications with the RealPresence Access Director System Standard Deployment
Polycom, Inc. 16
as the tunnel server and is deployed in the corporate back-to-back DMZ. The other system serves as a
tunnel client and is deployed behind the inside firewall. Communication between the tunnel server and the
tunnel client is through UDP transmission.
In a tunnel configuration, port mapping on the inside firewall between the tunnel server and the tunnel client
is not required. Instead, when you enable the tunnel feature on the tunnel server, the tunnel port is open
and listening for communication from the tunnel client. When you enable the tunnel feature on the tunnel
client, the client then registers to the tunnel server through the listening tunnel port.
The RealPresence Access Director System Two-System Tunnel Deployment
Polycom, Inc. 17
Integration with an F5 Load Balancer
Two or more RealPresence Access Director systems can be deployed behind an F5 Networks load balancer
to increase network capacity (concurrent users) and improve overall performance by decreasing the burden
on any one RealPresence Access Director system.
The F5 load balancer acts as a TCP or UDP reverse proxy to distribute incoming sign-in, registration, and
call requests across multiple RealPresence Access Director systems. When the F5 load balancer receives
a request, it distributes that request to a particular RealPresence Access Director system according to the
Round Robin algorithm. An F5 load balancer can help to ensure RealPresence Access Director system
reliability and availability by sending requests only to systems that can respond in a timely manner.
The configuration of the F5 load balancer’s routing policy must support persistence. Persistence ensures
that all requests from the same source IP address during a session are distributed to the same
RealPresence Access Director system. A heartbeat connection between the F5 load balancer and all
RealPresence Access Director systems ensures that requests are routed only to an accessible system.
The F5 load balancer must be configured to integrate with your RealPresence Access Director systems, but
no configuration is necessary on the RealPresence Access Director systems. See Integrate Two or More
Systems with an F5 Load Balancer.
Polycom, Inc. 18
● Enterprise users can place SIP calls out to guest users.
● Guest users do not have access to any management services such as endpoint provisioning, user
directory, XMPP contact list and presence services, or calendaring and scheduling services.
All RealPresence Access Director system deployment models support this user scenario.
Polycom, Inc. 19
The following products are supported in the RealPresence Access Director system solution.
Polycom RealPresence Access Director Provides secure access to H.323 and SIP video services for
small- to medium-sized federated enterprises.
Polycom RealPresence Resource Manager Provisions and manages remote endpoints, and enables
directory and presence services
Polycom RealPresence Content Sharing Suite Provide content sharing interoperability between Microsoft Lync
and Polycom ContentConnect 2010 and 2013 clients and Polycom video conferencing
solutions
Microsoft Active Directory Directory service that authenticates and authorizes all
registered users and devices
Polycom RealPresence Collaboration Server Provides bridge capability for SIP and H.323 conferences,
(RMX) 1500, 2000, and 4000 including support for content over video
Polycom RealPresence Distributed Media Functions as SIP proxy/registrar, H.323 gatekeeper, SIP and
Application (DMA) 7000 H.323 gateway, and bridge virtualizer
Endpoints
Polycom HDX 7000, 8000, and 9000 series Video conferencing endpoint systems
Polycom RealPresence Mobile Serves as client application for supported mobile devices
Polycom RealPresence CloudAXIS Suite or Provide two virtualized server components that enable users to
Polycom RealPresence Web Suite schedule and participate in video conferences accessed from a
web browser or other hardware and software video endpoints,
including the Polycom RealPresence Mobile application.
Polycom, Inc. 20
Product Function in Solution
Polycom RealPresence Platform Director Provides the ability to deploy, license, and monitor the
RealPresence Platform, Virtual Edition products in an
organization's data center or in the cloud.
VMware
Microsoft® Hyper-V
Polycom, Inc. 21
Deploying the RealPresence Access
Director System in a Corporate DMZ
Environment
This section describes the general configuration processes required for deploying the RealPresence
Access Director system in a DMZ environment with one or more network interfaces. The chapters that follow
describe additional configuration processes required for the specific deployment models.
The following cross-functional flow chart identifies the tasks you must perform.
See these topics for detailed information about each of the tasks:
● Configure the DNS Service
● Configure Firewalls and Ports
● Install and Configure the RealPresence Access Director System
● Configure the RealPresence Resource Manager System
Polycom, Inc. 22
● Configure the RealPresence Access Director System
● Configure the Polycom RealPresence DMA System
● Configure Polycom Endpoint Systems
● Configure the Polycom RealPresence Collaboration Server
● Integrate Two or More Systems with an F5 Load Balancer
Task 1: Create DNS A and PTR records on the external DNS server
Create a DNS A (address) record and associated reverse PTR (pointer) record on the external DNS server.
The A record maps the FQDN of the RealPresence Access Director system to its public IP address for
signaling and access proxy. The PTR record for reverse lookup resolves the public IP address of the
RealPresence Access Director to its FQDN.
● If the RealPresence Access Director system has the FQDN name rpad.example.com, add an A
record as follows:
rpad.example.com IN A 192.168.11.175
Where:
FQDN = rpad.example.com
Class = IN (Internet)
A = Record type
192.168.11.175 = RealPresence Access Director system public IP address
for signaling and access proxy
● If your DNS management tool does not automatically create the PTR record that corresponds to the
A record, add the PTR record manually as follows:
175.11.168.192.in-addr.arpa.
Where:
175.11.168.192.in-addr.arpa. = the RealPresence Access Director system IP address
stored as the reverse DNS domain name, which points back to rpad.example.com.
If you have deployed Polycom ContentConnect™, RealPresence CloudAXIS Suite, or RealPresence Web
Suite as part of your RealPresence Access Director solution, create a DNS A record and a PTR record on
the external DNS server for the host(s) in those systems. The A records will resolve to the RealPresence
Access Director system’s public IP address for signaling and access proxy; the PTR records will resolve to
the RealPresence Access Director system’s FQDN.
Polycom, Inc. 23
Task 2: Create a DNS SRV record on the external DNS server
Create DNS service records (SRV records) on the external DNS server to map the SRV service addresses
for dynamic endpoint provisioning, SIP registrar, and gatekeeper services to the FQDN of the RealPresence
Access Director system.
» If the RealPresence Access Director system has the FQDN name rpad.example.com, add these
SRV records:
_cmaconfig._tcp.example.com IN SRV 0 100 443 rpad.example.com (this SRV record is
required by the Auto Find Provisioning Server feature of dynamically-managed endpoints.)
_sip._tcp.example.com IN SRV 0 100 5060 rpad.example.com
_sip._udp.example.com IN SRV 0 100 5060 rpad.example.com
_sip._tls.example.com IN SRV 0 100 5061 rpad.example.com (optional*)
_sips._tcp.example.com IN SRV 0 100 5061 rpad.example.com
_h323cs._tcp.example.com IN SRV 0 100 1720 rpad.example.com
_h323ls._udp.example.com IN SRV 0 100 1719 rpad.example.com
Where, for example:
Service = _sip
Protocol = _tcp
Priority = 0
Weight = 100
Port = 5060
Host offering this service = rpad.example.com
* The majority of products use _sips._tcp. However, to prevent call failures for the small percentage of
devices that use _sip._tls, Polycom suggests that you also add the _sip._tls record.
Task 3: Create DNS A and PTR records on the internal DNS server
The RealPresence Access Director system, the RealPresence Resource Manager system, and the
RealPresence DMA system in the internal network each need one A record on the internal DNS server to
map their FQDNs to their respective IP addresses. Each system also needs a corresponding PTR record
to resolve their IP addresses to their FQDNs. For example:
● If the FQDN of RealPresence Access Director system is rpad.example.com, and its IP address is
10.22.210.111, create an A record:
rpad.example.com IN A 10.22.210.111
● If the FQDN of RealPresence Resource Manager system is rprm.example.com, and its IP address
is 10.22.202.134, create an A record:
rprm.example.com IN A 10.22.202.134
● If the FQDN of the RealPresence DMA system is dma.example.com, and its IP address is
10.22.120.126, create an A record:
dma.example.com IN A 10.22.120.126
Polycom, Inc. 24
Task 4: Create DNS SRV records on the internal DNS server
The RealPresence Resource Manager system requires a DNS SRV record on the internal DNS server to
dynamically provision endpoints. The DNS SRV record maps the SRV service address to the FQDN of the
RealPresence Resource Manager system.
● If the FQDN of the RealPresence Resource Manager system is rprm.example.com, and its IP
address is 10.22.202.134, create an SRV record as follows:
_cmaconfig._tcp.example.com IN SRV 0 100 443 rprm.example.com
The RealPresence DMA system requires several DNS SRV records on the internal DNS server to map the
SRV service address for SIP registrar and gatekeeper services to the FQDN of the RealPresence DMA
system.
● If the FQDN of the RealPresence DMA system is dma.example.com, and its IP address is
10.22.120.126, create these SRV records:
_sip._tcp.example.com IN SRV 0 100 5060 dma.example.com
_sip._udp.example.com IN SRV 0 100 5060 dma.example.com
_sip._tls.example.com IN SRV 0 100 5061 dma.example.com (optional*)
_sips._tcp.example.com IN SRV 0 100 5061 dma.example.com
_h323cs._tcp.example.com IN SRV 0 100 1720 dma.example.com
_h323ls._udp.example.com IN SRV 0 100 1719 dma.example.com
* The majority of products use _sips._tcp. However, to prevent call failures for the small percentage of
devices that use _sip._tls, Polycom suggests that you also add the _sip._tls record.
Polycom, Inc. 25
● If the RealPresence Access Director system TURN service has the FQDN turn.example.com, add
an A record as follows:
turn.example.com IN A 192.168.11.176
Where:
FQDN = turn.example.com
192.168.11.176 = RealPresence Access Director public IP address for TURN
service
The A records on the internal DNS server map the FQDN of STUN to the public IP address for TURN service
and the FQDN of TURN to the internal (private) IP address for TURN service.
Create DNS A records on the internal DNS server as follows:
● If the RealPresence Access Director system STUN service has the FQDN stun.example.com, add
an A record as follows:
stun.example.com IN A 192.168.11.176
Where:
FQDN = stun.example.com
192.168.11.176 = RealPresence Access Director public IP address for TURN
service
● If the RealPresence Access Director system TURN service has the FQDN turn.example.com, add
an A record as follows:
turn.example.com IN A 10.22.210.112
Where:
FQDN = turn.example.com
10.22.210.112 = RealPresence Access Director internal (private) IP
address for TURN service
The TURN A record on the internal DNS server should reference the internal IP address for
TURN service
The A record for TURN service on the internal DNS server should map the TURN FQDN to an internal
IP address. Polycom recommends this configuration for a single network interface deployment and for
LAN-WAN deployments where external and internal media relay services are assigned to separate
interfaces.
Polycom, Inc. 26
Task 6: Validate DNS settings on the external DNS server
The following steps use the Windows nslookup commands as an example. The procedure is similar on
Mac and Linux.
Polycom, Inc. 27
Caution: If necessary, get help with firewall settings
If you’re not familiar with firewall concepts and administration and your enterprise’s
firewall implementation, please consult with someone who is.
Polycom, Inc. 28
● Disable the port NAT.
● Disable any H.323 helper services on the firewall (for example, Cisco® H.323 Fixup).
Port Mapping
To enable firewall traversal for external clients, the RealPresence Access Director system uses ports for
provisioning, presence, directory, call signaling, media, and content. The specific ports and port ranges
configured in the RealPresence Access Director system must match the ports configured on your firewall.
If you change any port settings within the system, you must also change them on your firewall.
Incoming traffic from external clients uses static ports you define in the RealPresence Access Director
system user interface.
Outbound traffic from the RealPresence Access Director system uses dynamic source and destination ports
from a range of port numbers (a port pool). The total number of ports available for use is based on the
number of licensed calls on your system license. The RealPresence Access Director system automatically
calculates dynamic port ranges based on your number of licensed calls. A port range for a specific function
(for example, internal SIP signaling dynamic source ports) indicates the number of ports for that function
that must be available to accommodate the number of calls on your system license. You can change the
beginning port ranges (within certain parameters) if necessary. If you do so, the RealPresence Access
Director system will automatically calculate the end ranges.
See Required Ports for detailed port settings and refer to the Polycom RealPresence Access Director
System Administrator Guide for instructions on configuring static ports and dynamic port ranges.
Polycom, Inc. 29
Polycom strongly recommends that you select the time zone of your specific geographic location, for
example, America/Denver, instead of a generic GMT offset (such as GMT+7).
If you choose a generic GMT offset, the time displays with the Linux/Posix convention for specifying the
number of hours ahead of or behind GMT. Therefore, the generic equivalent of America/Denver
(UTC-07:00) is GMT+07, not GMT-07.
Consider the following information when configuring the time settings:
● You can configure up to three NTP server IP addresses from the RealPresence Platform Director
system when you deploy an instance of the RealPresence Access Director system, Virtual Edition.
● Changing the time settings requires a system restart, which logs all users out of the system.
● Changing the time settings can affect the number of days available for a trial period license.
● If you plan to install an identity certificate provided by a certificate authority (CA), the date, time, and
time zone configured in your system must be correct for the certificate to function correctly.
● If you plan to use your system to support calls between endpoints in your enterprise and endpoints
in a separate but federated or neighbored (trusted) division or enterprise that has its own
RealPresence Access Director system, both systems and the CA server should be in the same time
zone. If the time difference between the two RealPresence Access Director systems and the CA
server is too great, TLS connections may fail.
Field Description
System time zone The time zone in which your RealPresence Access Director system is
located.
Note: After initial installation of the RealPresence Access Director system,
the default time zone is GMT (UTC). You must select the time zone of your
geographic location immediately after installation of the system.
Auto adjust for Daylight Saving Automatically determined in accordance with the system time zone. If the
Time system time zone you select observes Daylight Saving Time, this setting is
enabled.
Note: The administrator cannot change this setting.
Polycom, Inc. 30
Field Description
Manually set system time Note: Polycom strongly recommends that you do not set the time and date
manually. Manually setting system time removes Network Time Protocol
(NTP) server information and sets the manually entered time for the
selected time zone instead of for the current system UTC offset.
3 Click Update.
If you change the System time zone or Manually set the system time, the Server Time (Refresh
every 10 seconds) value refreshes based on the new settings.
Appliance Edition
To activate the license for your system, you must first obtain an activation key code from Polycom Support
at support.Polycom.com. For instructions, see the Polycom RealPresence Access Director System
Administrator Guide.
After you have an activation key code, you must activate the license from the RealPresence Access Director
system, Appliance Edition web user interface.
To activate a license:
1 Go to Maintenance > License.
2 Enter the Activation key for the license and click Update.
The system restarts.
Virtual Edition
Virtual Editions of the RealPresence Access Director system require the Polycom® RealPresence® Platform
Director™ system to manage licensing. After you install your license in the RealPresence Platform Director
system, you can install a new instance or add an existing instance of the RealPresence Access Director
Polycom, Inc. 31
system in the RealPresence Platform Director system. The Platform Director system configures a license
server IP address and port number to enable communication between the two systems.
Your RealPresence Access Director, Virtual Edition, communicates regularly with the license server to
obtain updated license information, including changes to the number of licensed calls, access to features
(for example, High Availability), and license status (active or expired).
For details on managing licenses for the RealPresence Access Director, Virtual Edition, see the Polycom
RealPresence Platform Director System Administrator Guide at support.polycom.com.
Settings Field
Polycom, Inc. 32
Settings Field
Management IP • Management IP
NAT If Deployed behind Outside Firewall with NAT is enabled, complete these
fields:
• Signaling relay address
• Media relay address
Note: Changing some network settings requires a new CA certificate for your
system
You must create a certificate signing request to apply for a new CA-provided
identity certificate for the RealPresence Access Director system if one or both of the
following situations is true:
• You change the host name of the system
• You revise the signaling relay address and some registered or guest endpoints
use an IP address instead of an FQDN to establish a TLS connection to the
RealPresence Access Director system.
6 Click Done > Commit and Reboot Now to save the network settings.
Polycom, Inc. 33
Field Description
Primary Time Server Address The IP address of the primary time server that the system will use
to synchronize time.
Secondary Time Server Address The IP address of the secondary time server that the system will
use to synchronize time.
Enable IP H.323 Configures the system to enable or disable H.323 call forwarding.
Enable SIP Configures the system to enable or disable SIP call forwarding.
Proxy Server The IP address of the internal SIP proxy server to which the
RealPresence Access Director system forwards SIP calls from
external endpoints.
(This is the signaling IP address of the RealPresence DMA system)
Registrar Server The IP address of the internal SIP registrar server to which the
RealPresence Access Director system forwards SIP registration
requests from external endpoints.
(This is the signaling IP address of the RealPresence DMA system)
Transport Protocol The protocol the system uses for SIP signaling.
The following list provides a high-level summary of the tasks you must complete to configure the
RealPresence Resource Manager system to provision a RealPresence Access Director system and to
provision endpoints that request provisioning through a RealPresence Access Director system. For detailed
instructions, see The Polycom® RealPresence® Resource Manager System Operations Guide for your
version of the RealPresence Resource Manager system.
● Create a site for the RealPresence Access Director system
If you deploy two RealPresence Access Director systems for High Availability, you need to create
a separate site for each RealPresence Access Director system public IP address that maps to a
virtual IP address. See Deploying RealPresence Access Director Systems with High Availability.
● Create a RealPresence Access Director system provisioning profile
● Create a network provisioning profile for endpoints
● Create a provisioning rule and associate it with all related profiles
● Create a user account for the RealPresence Access Director system
Polycom, Inc. 34
● Task 1: Configure Access Proxy Settings
● Task 2: Configure Basic Access Control List Settings
● Task 3: Configure System Certificates
● Task 4: Configure TURN Services
● Task 5: Provision the RealPresence Access Director System
See the Polycom RealPresence Access Director System Administrator Guide for detailed information about
each of these tasks. The following sections provide specific information as it relates to this solution.
Polycom, Inc. 35
● Enable call policy
● Allow call from registered devices
Note that when you configure Basic ACL Settings, you must specify the login, registration, or call requests
to allow. If not specifically allowed, the system will deny requests. To ensure that the default settings function
as intended, be sure to configure your access proxy settings to enable provisioning of endpoints. See the
Polycom RealPresence Access Director System Administrator Guide for instructions.
Polycom, Inc. 36
protocol, a WebRTC client can allocate a media relay port on the TURN server that the far end can use to
indirectly send media to the WebRTC client.
When you enable and configure the TURN server and a TURN user, internal and external WebRTC clients
can request TURN media relay services.
For instructions on configuring TURN settings, see TURN Services in the Polycom RealPresence Access
Director System Administrator Guide.
Note: Provisioning not supported in the RealPresence Access Director, Virtual Edition
The RealPresence Access Director system, Virtual Edition cannot be provisioned by a RealPresence
Resource Manager system. You must manually configure all access proxy settings. Note that the
RealPresence Access Director system, Virtual Edition does enable endpoint provisioning by a
RealPresence Resource Manager system.
Polycom, Inc. 37
Caution: Enabling SIP device authentication may cause some calls to fail
If your RealPresence DMA system is peered with other SIP devices, enabling SIP
device authentication may cause inbound calls to the RealPresence DMA system
from those SIP peers to fail. Multiple solutions exist for resolving these issues with
dial plan and network design. If necessary, please contact your Polycom field
representative.
All authentication configurations are supercluster-wide, but note that the default realm for SIP device
authentication is the cluster’s FQDN, enabling each cluster in a supercluster to have its own realm for
challenges.
Task 2: Configure an External SIP Peer to Support SIP Open B2B Calls
To enable calls between enterprise users and external SIP endpoints that are not registered or are not
members of a federated enterprise or division, you must add the RealPresence Access Director system as
an external SIP peer on the RealPresence DMA system and then specify the default SIP contact ports on
the RealPresence Access Director system for each transport protocol. When the RealPresence Access
Director system receives a SIP request on the default contact port from a SIP endpoint that is not registered
or is not a member of a federated enterprise or division, the system routes the call to the appropriate
destination.
Polycom, Inc. 38
To configure an external SIP peer on the RealPresence DMA system:
1 See the Polycom RealPresence DMA System Operations Guide for detailed information about
adding an external SIP peer. Then go to Network > External SIP Peers > Add.
2 In the External SIP Peers settings, enter the internal signaling IP address of the RealPresence
Access Director system as the Next hop address.
3 In the Postliminary settings under Request URI options, select the format Use original request
URI (RR).
4 Go to Admin > Call Server > Dial Rules > Add and in the Action field, select Resolve to external
SIP peer. This enables the RealPresence DMA system to send an INVITE message outbound to the
RealPresence Access Director system.
To configure the default local SIP contact port on the RealPresence Access Director
system:
The RealPresence Access Director system routes SIP open B2B calls only if you specify a valid default
contact port for each type of transport.
1 See the Polycom RealPresence Access Director System Administrator Guide for details about
configuring the default contact port, then go to Configuration > SIP Settings.
2 Enter the default contact port the RealPresence Access Director system uses to receive SIP traffic
from endpoints that are not registered or are not members of a federated or neighbored enterprise
or division. For each type of transport (TCP, UDP, TLS), you can specify any external port not in use
as the default contact port. If you are deploying a RealPresence Access Director system for the first
time, the default contact ports have been pre-configured as follows:
TCP/UDP: 5060
TLS: 5061
Only one default contact port can be specified for each type of transport.
Polycom, Inc. 39
SIP Settings for Guest Users on the Polycom DMA System
Configure these RealPresence DMA settings to correspond with guest call settings on the RealPresence
Access Director system.
SIP Settings for Guest Users on the RealPresence Access Director System
Configure these settings to enable the RealPresence Access Director system to forward SIP guest calls to
the RealPresence DMA system.
To configure the RealPresence Access Director system external SIP port 5060 for guests:
1 See the Polycom RealPresence Access Director System Administrator Guide for detailed
information about configuring SIP settings. Then on the RealPresence Access Director system, go
to Configuration > SIP Settings.
2 Enable SIP signaling and then configure external port 5060 for SIP guest users (External Port
Settings > Edit) with the required information. In this case:
Port name: Defaults to Unencrypted port.
Transport: UDP/TCP.
Enable Dial string policy and enter a dial string prefix (Prefix of Userinfo) that does not interfere
with your dial plan and will be stripped by the RealPresence DMA system.
In Host, enter the host IP address or FQDN to use in the dial string. If a SIP guest user calls a
domain name that differs from the Host, the RealPresence Access Director system changes the
domain name and adds the Prefix of Userinfo to the dial string. For example, if a SIP guest user
calls [email protected], but the host is configured as example.com and the prefix is 77, the
system will change the user’s dial string to [email protected].
To configure the RealPresence Access Director system external SIP port 5061 for guests:
1 See the Polycom RealPresence Access Director System Administrator Guide for detailed
information about configuring SIP settings. Then on the RealPresence Access Director system, go
to Configuration > SIP Settings.
2 Enable SIP signaling and then configure external port 5061 for SIP guest users (External Port
Settings > Edit) with the required information. In this case:
Port name: Defaults to Encrypted port.
Transport: TLS.
Polycom, Inc. 40
Enable Dial string policy and enter a dial string prefix (Prefix of Userinfo) that does not interfere
with your dial plan and will be stripped by the RealPresence DMA system.
In Host, enter the host IP address or FQDN to use in the dial string. If a SIP guest user calls a
domain name that differs from the Host, the RealPresence Access Director system changes the
domain name and adds the Prefix of Userinfo to the dial string. For example, if a SIP guest user
calls [email protected], but the host is configured as example.com and the prefix is 77, the
system will change the user’s dial string to [email protected].
SIP Settings for Remote Users on the RealPresence Access Director System
If you configure the external SIP ports 5060 and 5061 for guest users, you must add a non-standard external
SIP port in the RealPresence Access Director system for remote users.
Polycom, Inc. 41
Task 3: Configure Polycom RealPresence Mobile or Desktop
Endpoints
For specific information on configuring RealPresence Mobile or Desktop software in this solution, refer to
the online help and the Release Notes for the RealPresence Mobile or RealPresence Desktop software
version you are using, available at support.polycom.com.
Polycom, Inc. 42
F5 Load Balancer Configuration Requirements
To ensure that an F5 load balancer operates correctly with your RealPresence Access Director systems,
the F5 system configuration must meet the following requirements:
● The F5 system terminates traffic flow on the transport layer and works as a UDP or TCP reverse
proxy. A port-based virtual server should be defined on the load balancer to support the following port
assignments:
Protocol Port
● The F5 system uses the Round Robin algorithm for load balancing and failovers.
● The F5 system routes only incoming sign-in, registration, and call requests. The load balancer does
not affect the outgoing calls from the enterprise network to the Internet.
● The F5 load balancer must have a heartbeat connection between all RealPresence Access Director
systems to ensure that requests are routed only to an accessible system. During a failover, the load
balancer routes requests to a different RealPresence Access Director system, based on the
RealPresence Access Director system priority group.
● The routing policy of the F5 load balancer must support persistence. Persistence ensures that all
requests from the same source IP address during a session are distributed to the same
RealPresence Access Director system.
● At a minimum, the F5 load balancer should support the following scenarios:
Remote endpoint (EP) login to the RealPresence Resource Manager system
Remote SIP EP registration to the RealPresence DMA system (TLS/TCP)
Remote SIP EP incoming call
Remote H.323 EP registration to the RealPresence DMA system (H.460/ non-H.460)
Remote H.323 EP incoming call
Guest SIP EP incoming call
Guest H.323 EP incoming call
Trusted H.323 B2B incoming call
RealPresence CloudAXIS suite incoming HTTP tunnel call
Polycom, Inc. 43
● When HTTPS, LDAP, and XMPP requests pass through the F5 system, the RealPresence Access
Director system does not know the source IP address of the remote device. As a result, the following
settings do not function:
Enable access proxy white list authentication for LDAP and XMPP access. See Admin >
Security Settings in the RealPresence Access Director system web user interface.
Allow registration from provisioned devices. See Configuration > Basic ACL Settings) in
the web user interface. Note that other basic ACL settings may not function correctly.
● The RealPresence Access Director system treats a trusted B2B call as a guest call because the
source IP address is unknown.
To configure the RealPresence Access Director system to allow a trusted H323 B2B call, you must
enable the Allow any incoming LRQ option. See Configuration > H.323 Settings.
Polycom, Inc. 44
Deploying Two RealPresence Access
Director Systems in a Tunnel
Configuration
Two RealPresence Access Director systems can be deployed in a tunnel configuration. In this model, one
system is deployed as the tunnel server in the corporate back-to-back DMZ and the other system is
deployed as the tunnel client inside your enterprise network. All traffic to and from the Internet flows through
the tunnel server, while all traffic to and from the enterprise network flows through the tunnel client.
Communication between the tunnel server and tunnel client traverses the enterprise firewall inside the
tunnel. The exception is management traffic. Each system has a management network interface so
management traffic does not traverse the tunnel.
In a tunnel configuration, port mapping on the firewall between the tunnel server and the tunnel client is not
required. Instead, when you enable the tunnel feature on the tunnel server, the tunnel port automatically
listens for communication from the tunnel client. When you enable the tunnel feature on the tunnel client,
the client then registers to the tunnel server through the listening tunnel port.
During the registration process, the tunnel server detects the IP address of the tunnel client. Additionally,
the tunnel client sends the internal signaling, media, and access proxy IP address to the tunnel server. The
tunnel client uses this IP address to communicate with the internal RealPresence DMA system. After the
tunnel client registration is complete, the tunnel server establishes a secure tunnel connection and stops
listening on the tunnel port.
In a two-system tunnel deployment, certain IP addresses are reserved for internal system use. The IP
address you define for each system must differ from the following IP addresses:
● Non-encrypted tunnel: 192.168.99.21
● Encrypted tunnel: 192.168.99.1 - 192.168.99.21
The tunnel connection between the two systems uses a self-signed certificate that is dedicated for tunnel
use.
Polycom, Inc. 45
Compatibility with TURN services
If you deploy two systems in a tunnel configuration, the TURN server feature is not
supported. If you enable the TURN server on either of the single RealPresence
Access Director systems before you set up a two-system tunnel, you must disable
the TURN server before you enable the tunnel feature.
See these topics for detailed information about tunnel configuration settings:
● Configure the DNS Service for the Two-System Tunnel
● Configure Firewalls and Ports
● Install and Configure the RealPresence Access Director Systems
● Configure the RealPresence Resource Manager System
● Configure the Polycom RealPresence DMA System
● Configure Additional Polycom Components
Caution
If you’re not familiar with firewall concepts and administration and your enterprise’s
firewall implementation, please consult with someone who is.
For greater security, Polycom recommends that you disable SSH and web access
connectivity from the Internet, and enable SSH and web access connectivity from
the LAN.
Polycom, Inc. 46
Outside Firewall Configuration
● Implement a WAN (untrusted) and LAN (trusted) configuration
● Configure 1:1 NAT
● Set interface mode to NAT
● Disable H.323 and SIP ALG
● Disable any H.323 helper services on the firewall (for example, Cisco® H.323 Fixup).
Polycom, Inc. 47
4 In NTP servers, enter the IP address or FQDN of the NTP server with which to synchronize.
Polycom recommends that you configure at least two NTP servers.
If you deploy two RealPresence Access Director, Virtual Edition systems, you can configure up to
three NTP servers from the RealPresence Platform Director system. .
5 Click Update and OK to accept your settings and restart the system.
6 Repeat the above steps from the user interface of the tunnel client.
Polycom, Inc. 48
IPv4 Address
IPv4 Subnet Mask
IPv4 Default Gateway: The RealPresence Access Director system uses Linux policy routing;
therefore, you must specify a default gateway for each network interface you configure.
5 In the Step 3 of 3: Service Network Settings window, select the IP address of the network
interface to assign to each type of traffic and to the tunnel itself between the tunnel server and tunnel
client:
External Signaling IP: The IP address of the network interface used for SIP and H.323 signaling
traffic between the RealPresence Access Director system and external networks.
External Relay IP: The IP address of the network interface used for media relay between the
RealPresence Access Director system and external networks.
Management IP: The IP address of the network interface used for management traffic, including
management through the web-based user interface, SSH, DNS, NTP, remote syslog, and OCSP.
If you use three or four network interfaces on the tunnel server, you can assign different
network interfaces for tunnel communication traffic between the two systems and for
management traffic. In this case, select the network interface used for management traffic in
the Management IP field. Configure the interface for tunnel communication between the two
systems in the Two-box Tunnel Settings (see Task 6: Configure Two-Box Tunnel Settings on
the Tunnel Server).
External Access Proxy IP: If the appropriate IP address does not already display in this field,
select it from the Available IP address list, then click the right arrow to move the IP address to
the External Access Proxy IP list.
6 Select Deployed behind Outside Firewall/NAT and enter the following information:
Signaling relay address: The RealPresence Access Director system’s public IP address for
signaling traffic. This IP address must be mapped on the outside firewall.
Media relay address: The RealPresence Access Director system’s public IP address for media
traffic. This IP address must be mapped on the outside firewall.
Depending on your network interface configuration, the Signaling relay address and the Media relay
address may be the same IP address.
7 Click Done > Commit and Reboot Now to save the network settings.
Polycom, Inc. 49
IPv4 Address
IPv4 Subnet Mask
IPv4 Default Gateway
5 In the Step 3 of 3: Service Network Settings window, select the network interface to assign as the
Management IP address. The network interface that handles management traffic is based on the
number of network interfaces configured on the tunnel client. See Tunnel Client Network Interface
Configuration.
6 Click Done > Commit and Reboot Now to save the network settings.
If the tunnel client uses more than one network interface, go to Configure > Tunnel Settings to specify the
IP address of the network interface that the tunnel client uses for internal signaling, media, and access proxy
communication with the RealPresence DMA system. See the Internal signaling/media/access proxy IP
of tunnel client field in Task 7: Configure Two-Box Tunnel Settings on the Tunnel Client.
Field Description
Settings
Encrypted tunnel When selected, communications between the tunnel server and tunnel
client are encrypted.
Note: This option displays only if you purchase a license that supports
encryption of the tunnel between two systems. Select this option to encrypt
the tunnel communications.
This setting must be the same on both the tunnel server and tunnel
client.
Polycom, Inc. 50
Field Description
* Local tunnel server address The IP address and port number of the tunnel server.
Default port: 1194
Note: Polycom recommends that you use the default port number 1194, but
you can use any value from 1190-1199 or 65380-65389.
3 Click Update.
The system restarts.
Field Description
Enable Tunnel The tunnel feature is enabled if you have configured the tunnel server.
Settings
Server Select Client to enable the system to operate as the tunnel client.
Client
Encrypted tunnel When selected, communications between the tunnel server and tunnel
client are encrypted.
Note: This option displays only if you purchase a license that supports
encryption of the tunnel between two systems. Select this option to encrypt
the tunnel communications.
This setting must be the same on both the tunnel server and tunnel
client.
Polycom, Inc. 51
Field Description
* Local tunnel client address The IP address and port number of the tunnel client.
Default port: 1194
Note: Polycom recommends that you use the default port number 1194, but
you can use any value from 1190-1199 or 65380-65389.
* Remote tunnel server address The IP address and port number of the tunnel server.
Default port: 1194
* Internal signaling/media/access The IP address of the network interface that the tunnel client uses for
proxy IP of tunnel client internal signaling, internal media, and internal access proxy communication
with the RealPresence DMA system.
3 Click Update.
The system restarts and the two-system tunnel connection status displays on the user interface
Dashboard on both the tunnel server and tunnel client.
Polycom, Inc. 52
To enable endpoint provisioning, configure the following information in the RealPresence Resource
Manager system. For detailed instructions, see The Polycom® RealPresence® Resource Manager System
Operations Guide.
● Create a site for the RealPresence Access Director system
● Create an RPAD server provisioning profile
● Create a network provisioning profile for endpoints
● Create a provisioning rule and associate it with all related profiles
● Create a user account for the RealPresence Access Director system
Polycom, Inc. 53
Deploying RealPresence Access Director
Systems with High Availability
Two Polycom® RealPresence® Access Director™ systems can be configured on the same network to
provide High Availability (HA) of services. Systems configured for High Availability support minimal
interruption of services and greater call reliability, which helps to ensure that users always have access to
a RealPresence Access Director system within your network.
This section provides information specific to a High Availability environment. For complete deployment
details, see Deploying the RealPresence Access Director System in a Corporate DMZ Environment.
The following topics provide details about High Availability:
● High Availability Overview
● Network Settings to Support High Availability
● Configure Network Settings
● High Availability Requirements
● Configure High Availability Settings
● Firewall Configuration
● High Availability Status
● Log Files
● Licensing
● Certificates
● DNS Records
Polycom, Inc. 54
Although not required, Polycom recommends that you configure more than one network interface as an HA
link. Multiple HA links ensure fewer points of failure and provide a reliable mechanism for communication
between the two systems.
Failovers
After High Availability is enabled and configured, the two systems communicate status by sending a
heartbeat signal to the network interfaces configured as HA links. If one system does not receive a heartbeat
signal from at least one HA link on the other system within a certain time period, a dynamic failover occurs.
During a failover, the system that is operating correctly takes over the resources (virtual IP addresses and
the associated services) of the system that failed.
The following situations will cause a failover to occur:
● A server fails
● All HA links fail (if at least one HA link is running normally, a failover will not occur.)
● A network interface with a virtual IP address fails (if more than one NIC has a virtual IP address, all
resources will be taken over, not just those associated with the failed NIC)
If a direct link fails (e.g., the cable is disconnected), the network interfaces with virtual IP addresses may
remain active. In this situation, a failover does not occur. Both systems will report the failure of the direct HA
link but neither system will take over the resources of the other. When you reconnect or repair the direct link,
the two systems will automatically reconnect.
A system failover typically requires approximately 10 seconds for all resources to be available on the peer
system. Note that the failover times may be longer depending on what caused the failover.
When a system that failed is running again, it requests its original resources back from the peer system. If
the peer system does not have any active calls, it releases the resources back to the system that previously
failed. If the peer system has active calls, it will release the resources approximately 2 minutes after its final
active call ends.
If you prefer to choose the time when a peer system releases resources back to the other system, you can
manually force the release of resources at the time you choose. To do so, log in to the user interface of the
peer system and go to Diagnostics > High Availability Status > Release Peer Resources.
Polycom, Inc. 55
If the two systems are located physically close to each other and the direct link cable does not
need to be routed within your network, the IP addresses you assign to the dedicated HA interfaces
do not need to be within your network IP space but they must be on the same subnet.
If your two systems are not located in the same area, the IP addresses you assign to the
dedicated HA interfaces must be within your network IP space and on the same subnet.
Polycom, Inc. 56
Name of Assigned Services Assigned Services
Number of NICs Interface Option 1 Option 2
See the Polycom RealPresence Access Director System Administrator Guide for additional details about
configuring network settings.
Polycom, Inc. 57
2 In the Step 1 of 3: General Network Settings window, confirm or reconfigure the general network
settings for the system.
3 Click Next.
4 In the Step 2 of 3: Advanced Network Settings window, click each of the network interfaces
consecutively to configure and complete the following fields.
IPv4 Address: Remember that the physical IP addresses assigned to the same network
interfaces on each server (for example, eth1) must be on the same subnet.
IPv4 Subnet Mask
IPv4 Default Gateway
5 Click Next.
6 In the Step 3 of 3: Service Network Settings window, select the IP address of the network
interface to assign to each type of traffic.
7 Click Done > Commit and Reboot Now to save the network settings.
Polycom, Inc. 58
C
Configure all network settings on both systems before you configure HA settings
Configure all of your network settings on both RealPresence Access Director systems before you
enable and configure High Availability. Network settings can be configured only when High Availability
is disabled.
Enter required information for all NICs before you submit your HA settings
When you configure High Availability settings, you need to enter the required information for each
active NIC before you submit your settings. If you try to submit partial settings, you may have errors
that result from missing information.
Setting Description
Interface Settings
Local Virtual IP Address The virtual IP address of the selected local network interface.
The Local Physical IP Address, Local Virtual IP Address, and Peer Virtual IP
Address must be on the same subnet for the selected interface.
Note that if the selected network interface has assigned services, the virtual IP
address will inherit the same service bindings.
Note: This field is required only on network interfaces with signaling and access
proxy traffic assigned that are not enabled as HA links.
Polycom, Inc. 59
Setting Description
Peer Virtual IP Address Virtual IP address of the same network interface on the peer system.
Note: This field is required only on network interfaces with signaling and access
proxy traffic assigned that are not enabled as HA links.
Peer Virtual Hostname Virtual hostname of the same network interface on the peer RealPresence
Access Director system.
Example: ha-rpad-2-0
Note: This field is required only on network interfaces with signaling and access
proxy traffic assigned that are not enabled as HA links.
HA Communication Settings
Use Direct Link Select this option if you have a direct, physical link (crossover or Ethernet cable)
between the same network interface on both systems.
Use Direct Link cannot be enabled on network interfaces that have assigned
services.
Peer Physical IP Address The physical IP address of the same network interface on the peer RealPresence
Access Director system.
Note: This field is required on network interfaces that you enable as HA links.
Configured Services
Each network interface Displays the services assigned to each network interface you select.
Polycom, Inc. 60
Change HA Password
When you configure two RealPresence Access Director systems for High Availability, the two systems share
an internal account that supports authentication between the systems. The account does not require any
interaction. However, if your network policy requires you to change passwords at certain intervals, you can
use the Change HA Password option.
Firewall Configuration
For overall information on configuring your firewalls, see Configure Firewalls and Ports.
For the High Availability solution, you must map public IP addresses on your firewall to specific virtual or
physical IP addresses on both RealPresence Access Director systems. Polycom recommends two different
options for configuring your firewall.
Polycom, Inc. 61
Option 1: Two Public IP Addresses (NAT Required)
The following table describes a firewall configuration with two NATed public IP addresses:
Public IP Address 1 System 1 Virtual IP address of the Ports used for external
network interface for signaling and external
external signaling and access proxy (see SIP
access proxy WAN Ports, H.323 WAN
Ports, Access Proxy WAN
Ports)
Public IP Address 2 System 2 Virtual IP address of the Ports used for external
network interface for signaling and external
external signaling and access proxy (see SIP
access proxy WAN Ports, H.323 WAN
Ports, Access Proxy WAN
Ports)
Public IP Address 1 System 1 Virtual IP address of the Ports used for external
network interface for signaling and external
external signaling and access proxy (see SIP
access proxy WAN Ports, H.323 WAN
Ports, Access Proxy WAN
Ports)
Public IP Address 2 System 1 Physical IP address of the Ports used for external
network interface for media (see Media WAN
external media Ports)
Polycom, Inc. 62
Public IP Address on Name of RealPresence
Firewall Access Director System Destination Port
Public IP Address 3 System 2 Virtual IP address of the Ports used for external
network interface for signaling and external
external signaling and access proxy (see SIP
access proxy WAN Ports, H.323 WAN
Ports, Access Proxy WAN
Ports)
Public IP Address 4 System 2 Physical IP address of the Ports used for external
network interface for media (see Media WAN
external media Ports)
Log Files
Any changes in state of the RealPresence Access Director system or High Availability will force an event to
the system. These events are then logged appropriately.
Events related to system services are recorded in the server.log file. High Availability events, such as HA
configuration changes and failover events are recorded in the ha_availability.log file.
Polycom, Inc. 63
Licensing
To use High Availability, you must have RealPresence Access Director system licenses that enable use of
the feature.
For the RealPresence Access Director, Appliance Edition, each server requires a system license that
includes the High Availability feature. For the Virtual Edition, you need a RealPresence Access Director
system license for calls and a capability license to enable the High Availability feature. These licenses must
be available on the RealPresence Platform Director system that manages licenses for your RealPresence
Access Director instances.
Although not required, Polycom highly recommends that you license each system or allocate each virtual
instance with the same number of calls. To determine the number of calls to license for each system,
consider the total number of calls you must be able to support at any given time. Remember that if a failover
occurs, the remaining active server should have enough licensed call capacity to support the calls that
failed.
Many call licensing options are possible. The following table includes examples of two different licensing
options:
Result After a failover, the remaining active After a failover, the remaining active
system can support a maximum of system can support a maximum of
50 calls. Any additional calls will fail. 100 calls.
In Licensing Option B, each system can accommodate 100 calls but you can balance the load between
systems based on your network requirements. Each system might handle 50 percent of its maximum
licensed calls but if a failover occurs, the remaining active system can accommodate 100 percent of the calls
you need to support.
If you activate a license for HA in the RealPresence Access Director, Appliance Edition, your system will
reboot when you update the license page. After the system restarts and you log in, the High Availability
features are available to use.
For the RealPresence Access Director, Virtual Edition, you must restart the RealPresence Access Director
instances after you add the High Availability license capability in the RealPresence Platform Director
system.
For complete instructions on activating your licenses, see System Licensing in the Polycom RealPresence
Access Director System Administrator Guide. For the RealPresence Access Director, Virtual Edition, see
the Polycom RealPresence Platform Director System Administrator Guide.
Polycom, Inc. 64
Certificates
When you deploy two RealPresence Access Director systems for High Availability, each system has a
default self-signed SSL certificate. To ensure that both of your systems are identified as trusted entities,
Polycom highly recommends that you request a signed identity certificate from a Certificate Authority (CA).
Additionally, you need to install your chosen CA’s public certificate in the TRUSTED_STORE on each
system before you enable and configure High Availability settings.
After you configure the network and High Availability settings, submit a Certificate Signing Request (CSR)
to obtain a signed certificate for each system. Each CSR must include the FQDN and domain of the
individual RealPresence Access Director system and Subject Alternative Names (SANs) for the following:
● Virtual hostnames* for interfaces on the individual RealPresence Access Director system
● Virtual IP addresses for interfaces on the individual RealPresence Access Director system
● Virtual hostnames for interfaces on the peer RealPresence Access Director system
● Virtual IP addresses for interfaces on the peer RealPresence Access Director system
* See Configure High Availability Settings for the characters allowed in hostnames.
After you receive the signed certificates, install both certificates in the KEY_STORE of both RealPresence
Access Director systems.
DNS Records
Your RealPresence Access Director systems must be accessible by their host name(s), not just their IP
address(es), so you (or your DNS administrator) must create the necessary A records, as well as the
corresponding PTR records, on your DNS server(s).
A records and PTR records that map each physical host name to the corresponding physical IP address
and each virtual host name to the corresponding virtual IP address are mandatory, as are the corresponding
PTR records that allow reverse DNS resolution of the system’s physical or virtual host name(s).
For further details about DNS records required for the RealPresence Access Director system, see Configure
the DNS Service in Deploying the RealPresence Access Director System in a Corporate DMZ Environment.
Polycom, Inc. 65
Federation Between RealPresence
Access Director Systems
This chapter describes how to configure this solution to support calls between endpoint users in two
separate but federated (trusted) divisions or enterprises. In the deployment solution described in this
chapter, each division or enterprise must have a RealPresence Access Director system.
In this chapter, we assume you have already performed the standard deployment as documented in
Deploying the RealPresence Access Director System in a Corporate DMZ Environment.
Note: Complete DNS records for the two sites being federated
Complete this process on the DNS systems for the two sites being federated.
If you’re not familiar with DNS administration, the creation of various kinds of DNS
resource records, and your enterprise’s DNS implementation, please consult with
someone who is.
Polycom, Inc. 66
Create an SRV record on the external DNS server you specified in Admin > Network Settings in the
RealPresence Access Director system. This SRV record maps the SRV service address to the FQDN of the
RealPresence Access Director system. The SRV record is required by the Auto Find Provisioning Server
feature of dynamically-managed endpoints.
So if the RealPresence Access Director system has the FQDN name rpad.example.com, add an SRV
record as follows.
_sips._tcp.example.com. IN SRV 0 0 5060 rpad.example.com.
Task 2: Obtain and Install the Certificates for the RealPresence Access
Director Systems
Each of the RealPresence Access Director systems in a SIP federation must have a signed Certificate
Authority (CA) certificate and each certificate must be installed on both RealPresence Access Director
systems.
To request a certificate for your RealPresence Access Director system, create a Certificate Signing Request
and submit it to your trusted CA. When you receive the signed certificate, install it in the KEY_STORE of
your system. Then, obtain the CA certificate of the other RealPresence Access Director system and install
it in your system’s TRUSTED_STORE.
The system administrator of the other RealPresence Access Director system must complete the same
process.
See the following topics in the Polycom RealPresence Access Director System Administrator Guide for
additional details:
● Create a Certificate Signing Request
● Add the Signed Certificate to the KEY_STORE
● Add a Certificate from a Trusted Connection
Polycom, Inc. 67
To configure the federated sites’ RealPresence Access Director systems to support SIP
calls:
1 See the Polycom RealPresence Access Director System Administrator Guide for detailed
information about configuring SIP settings. Then go to Configuration > SIP Settings.
2 Enable SIP signaling and add a port for SIP users (External Port Settings > Add) and configure
the required information.
Transport protocol must be TLS (mutual TLS).
Require certificate from remote endpoint must be selected.
3 Go to Configuration > Federation Settings > Add and configure the required information for the
federated sites.
In Company Address enter the FQDN or IP address of the federated site’s RealPresence Access
Director system.
4 Go to Admin > Certificates and verify that the federated site’s CA certificate for the RealPresence
Access Director system is in the TRUSTED_STORE.
To configure the federated sites’ RealPresence DMA systems to support federated SIP
calls:
1 See the Polycom RealPresence DMA System Operations Guide for detailed information about
adding an external SIP peer. Then go to Network > External SIP Peer > Add.
2 On the External SIP Peer tab, enter the following information:
Next hop address: the internal signaling IP address of the RealPresence Access Director
system.
Port: the internal SIP port of the RealPresence Access Director system used for communication
between the RealPresence Access Director system and the RealPresence DMA system.
3 On the Postliminary tab, set Request URI options to Use original request URI (RR).
4 On the Authentication tab, click Add and add the federated site’s authentication information.
5 Go to Admin > Call Server > Device Authentication and add the federated site’s authentication
credentials to the list of device credential entries that your call server should check.
6 Select the Inbound Authentication tab, click Add and add the local system’s authentication
information for inbound messages.
7 Select the Shared Outbound Authentication tab, click Add and add the federated site’s
authentication information for outbound messages.
8 Go to Admin > Local Cluster > Signaling Settings and in the SIP Settings section, select Enable
SIP signaling and Enable authentication.
9 Go to Admin > Call Server > Dial Rules and add a dial rule for federated site’s RealPresence
Access Director system that resolves to external SIP peer, so the RealPresence DMA system can
send the INVITE message out to the RealPresence Access Director system.
Polycom, Inc. 68
10 Go to Admin > Call Server > Domains and add the local RealPresence Access Director system to
the domain list.
Polycom, Inc. 69
Task 2: Configure the Polycom RealPresence DMA Systems to
Support Federated H.323 Calls
Each enterprise’s or division’s RealPresence DMA system must be configured to support neighbored H.323
calls. Use the following steps to configure both RealPresence DMA systems.
Polycom, Inc. 70
Federation Between RealPresence
Access Director and Other Systems
The RealPresence Access Director system can be configured to support calls between endpoint users in
two separate but federated (trusted) divisions or enterprises.This section describes how to configure the
solution when one of the federated sites has a RealPresence Access Director system and the other site has
a different session border controller. Supported solutions include:
● Federation in an H.323 Environment with Polycom VBP-E Systems
● Federation in a SIP Environment with Acme Packet
In this chapter, we assume you have already performed the standard deployment for the applicable systems
as documented in Deploying the RealPresence Access Director System in a Corporate DMZ Environment.
Polycom, Inc. 71
Create a DNS A (address) record on the external DNS server to map the FQDN of the VBP 5300E system
to its public (WAN side) IP address.
So if the VBP-E system has the FQDN name vbp_b.example2.com, add an A record as follows.
vbpe_b.example2.com IN A 192.168.11.100
Polycom, Inc. 72
3 Go to Configuration > Federation Settings > Add and configure the required information for the
federated enterprise.
Enter the FQDN or IP address of the federated site’s VBP-E system.
Complete the other tabs and fields of the dialog as required
To configure the federated enterprises’ CMA systems to support federated H.323 calls:
1 See the Polycom CMA System Operations Guide for detailed information about adding a
neighbored gatekeeper. Then go to Admin > Gatekeeper Settings > Neighboring Gatekeepers
and add the RealPresence Access Director system as neighboring gatekeeper.
2 Go to Admin > Server Settings > Network and enter the VBP-E’s LAN interface address as the
IPv4 Default Gateway address.
3 Go to Admin > Dial Plan and Sites > Dial Rules and add a Prefix dial rule. Assign it a Routing
Action of Route to a trusted neighbor.
4 Go to Trusted Neighbors and select the RealPresence Access Director system as a trusted
neighbor.
Polycom, Inc. 73
Task 6 (Conditional): Configure the VBP-5300E System to Support
Federated H.323 Calls
If a CMA system is the gatekeeper for the federated enterprise using the VBP-E access controller, perform
this task. Otherwise, skip to Task 7 (Conditional): Configure the VBP-5300E System in Embedded
Gatekeeper Mode to Support Federated H.323 Calls.
Polycom, Inc. 74
Verifying Deployment
Verifying Certificates
Verifying certificates confirms that the administrator installed the correct certificates on the RealPresence
Resource Manager, RealPresence Access Director, and RealPresence Mobile systems.
Polycom, Inc. 75
To verify certificates:
1 In the access proxy configuration, select these settings:
Require client certificate from the remote endpoint
Verify certificate from internal server
2 Have a user sign on to the RealPresence Mobile device, and verify that the user signed on
successfully.
3 In SIP settings, select TLS transport, and verify that the user can register and place a call
successfully.
Polycom, Inc. 76
Required Ports
This section describes the specific ports or dynamic port ranges to configure on your Polycom®
RealPresence® Access Director™ system and correspondingly on your firewall. The port information is
organized based on the different functions, or services, that the RealPresence Access Director system
supports.
The dynamic source and destination port ranges listed here specify the allowable port ranges for
communication between the RealPresence Access Director system and other systems and devices inside
or outside of your enterprise network.The actual port ranges for your system depend on the number of calls
on your license.
A port range for a specific function (for example, LAN-side SIP signaling) indicates the number of ports for
that function that must be available to accommodate the number of calls on your system license. You can
change the beginning port ranges (within certain parameters) if necessary. If you do so, the RealPresence
Access Director system automatically calculates the end ranges based on the number of calls on your
license. For instructions, see Configuring Port Ranges in the Polycom RealPresence Access Director
System Administrator Guide.
The following sections define the required ports to configure for the different traffic types, services, and
functions supported by the RealPresence Access Director system:
● Management Access
● SIP Signaling
● H.323 Signaling
● Access Proxy
● Media
● TURN Server
● High Availability
● Two-System Tunnel Communication
● Comparison of Two-box Tunnel Deployment and Standard Deployment Ports
Polycom, Inc. 77
Management Access
The RealPresence Access Director system provides a web-based user interface to access, configure, and
manage the system. Polycom suggests that you enable one interface as the management interface,
segregated from WAN-accessible traffic. For greater security, Polycom recommends that you enable SSH
and web access to the RealPresence Access Director system management interface only from authorized
network segments. We also recommend that you disable SSH and web access from the WAN by creating
explicit deny rules for these traffic types. If you require the ability to manage the RealPresence Access
Director system from the WAN, see the table in Management Access Ports for specific requirements.
To support certain functions in the RealPresence Access Director system, connectivity is required between
the management interface and the following external systems (servers):
● Network Time Protocol (NTP)
● Syslog
● DNS
● Microsoft Active Directory
● SNMP
● Online Certificate Status Protocol (OCSP)
Polycom, Inc. 78
Management Access Ports
Polycom, Inc. 79
Management Access Ports
RPAD system 60001–64000 UDP or TCP2 IP address of 514, 10514 Connection from
management IP the syslog the RPAD
address server, if in use system to the
syslog server
Note: This
connection is
optional.
Polycom, Inc. 80
Management Access Ports
Director system user interface. See the Polycom RealPresence Access Director System Administrator Guide for
details.
SIP Signaling
The RealPresence Access Director system serves as a SIP back-to-back user agent (B2BUA) and operates
between endpoints that use the SIP protocol. When a SIP video call takes place, the RealPresence Access
Director system divides the communication channel into two call legs and mediates all SIP signaling
between the endpoints, from call establishment to termination. SIP signaling can be used for remote, guest,
B2B, and open-SIP calls, and to initiate content streaming with a Polycom® RealPresence® Content Sharing
Suite system.
Polycom, Inc. 81
SIP WAN Ports
The following table lists the required ports and protocols for bidirectional SIP signaling between the WAN
and the RealPresence Access Director system.
SIP Signaling Ports for the WAN and RealPresence Access Director System
external port or add other SIP external listening ports on the RealPresence Access Director system, the ports must
also be changed or added on the firewall.
2 5061 is the encrypted (TLS) SIP external listening port on the RealPresence Access Director system.
3 Outbound calls normally resolve to TCP or UDP 5060 or TCP 5061 but DNS SRV queries may indicate any TCP
Polycom, Inc. 82
SIP LAN Ports
The following table lists the required ports and protocols for bidirectional SIP signaling between the LAN and
the RealPresence Access Director system.
SIP Signaling Ports for the LAN and RealPresence Access Director System
system. If you change these internal ports on the RealPresence Access Director system, they must be changed
accordingly on your firewall.
Polycom, Inc. 83
H.323 Signaling
H.323 signaling enables registration, calling, and neighboring functions for endpoints that use the H.323
protocol. H.323 signaling can be used for remote, guest, and federated or neighbored B2B calls.
Polycom, Inc. 84
H.323 Signaling Ports for the WAN and RealPresence Access Director System
signaling mapped on the firewall located between the WAN and the RealPresence Access Director system.
2 1719 is the default listening port on the RealPresence Access Director system used by remote H.323 endpoints to
request registration.
3 1720 is the default H.225 TCP port in the RealPresence Access Director system. If you change the port in the
RealPresence Access Director system, you must also change it accordingly on the firewall.
H.323 Signaling Ports for the LAN and RealPresence Access Director System
Polycom, Inc. 85
H.323 Signaling Ports for the LAN and RealPresence Access Director System
Polycom, Inc. 86
H.323 Signaling Ports for the LAN and RealPresence Access Director System
Access Proxy
The RealPresence Access Director system access proxy feature provides reverse proxy services for
external users. Based on your system configuration, when access proxy receives a request from an external
user, it accepts the request and sends a new request on behalf of the user to the appropriate application
server.
Access proxy routes communication requests based on the type of target application server:
● HTTPS_proxy: HTTPS servers that provide management services, such as provisioning for the
RealPresence Access Director system and endpoints (Polycom® RealPresence® Resource Manager
system, Polycom® RealPresence® Content Sharing Suite), and web-based video conferencing
services (RealPresence CloudAXIS suite)
● LDAP_proxy: LDAP servers that provide directory services for remote (authorized) users
Polycom, Inc. 87
● XMPP_proxy: XMPP servers that provide message, presence, or other XMPP services for remote
(authorized) users
● HTTP tunnel proxy: An HTTP tunnel proxy enables RealPresence CloudAXIS suite SIP guest users
to attend video conferences in an enterprise’s CloudAXIS suite Experience Portal. Due to restrictive
firewall rules, if a CloudAXIS suite client cannot establish a native SIP/RTP connection to a video
conference, the RealPresence Access Director system can act as a web proxy to tunnel the SIP
guest call on port 443. Once the SIP guest is connected to a meeting, the RealPresence Access
Director system continues to tunnel TCP traffic, including SIP signaling, media, and Binary Floor
Control Protocol (BFCP) content.
Access Proxy Ports for the WAN and the RealPresence Access Director System
Polycom, Inc. 88
Access Proxy Ports for the WAN and the RealPresence Access Director System
Polycom, Inc. 89
Access Proxy Ports for the WAN and the RealPresence Access Director System
389 to the internal ports 65100–65130 reserved on the system's loopback interface private IP address. The CentOS
operating system does not allow processes without root ownership to listen on ports <1024. Redirecting access
proxy traffic on ports <1024 to the internal ports 65100–65130 enables the access proxy process to function
correctly.
2 The RealPresence Access Director system denies all unencrypted LDAP requests if you enable Enforce TLS for
LDAP connection in the web user interface (Admin > Security Settings).
3 Access to the RealPresence CloudAXIS suite Services Portal is required only for users who create and host
conferences, and who are typically members of your organization. Providing external guests direct access to the
Services Portal is left to the administrator's discretion.
Polycom, Inc. 90
Access Proxy LAN Ports
The following table lists the ports and protocols for bidirectional access proxy traffic between the
RealPresence Access Director system and the LAN.
Access Proxy Ports for the LAN and the RealPresence Access Director System
Polycom, Inc. 91
Access Proxy Ports for the LAN and the RealPresence Access Director System
Media
The RealPresence Access Director system enables media traffic (audio, video, and content) to traverse the
firewall during video conferencing calls.
Media Ports for the WAN and the RealPresence Access Director System
both inbound and outbound media traffic. The port information is included here for reference.
Polycom, Inc. 92
Media LAN Ports
The following table lists the ports and protocols for bidirectional media traffic between the LAN and the
RealPresence Access Director system.
Media Ports for the LAN and the RealPresence Access Director System
TURN Server
The RealPresence Access Director system can act as a TURN server to enable firewall and NAT traversal
of UDP media traffic between WebRTC-enabled clients.
Polycom, Inc. 93
TURN Relay Ports
The following table lists the ports and protocols for bidirectional media relay between WAN and LAN
WebRTC-enabled clients and the RealPresence Access Director system TURN server.
TURN Ports for WAN and LAN-based WebRTC Endpoints and the TURN Server
mapped on the firewall between the WAN and the RealPresence Access Director system.
Polycom, Inc. 94
High Availability
For the High Availability solution, you must map public IP addresses on your firewall to specific virtual or
physical IP addresses on both RealPresence Access Director systems. For details, see Firewall
Configuration in Deploying RealPresence Access Director Systems with High Availability.
The following table lists the ports and protocols used for internal communication between two RealPresence
Access Director systems configured for High Availability.
High Availability ports used for encrypted traffic between the two systems do not need to be
open on the firewall
If your High Availability configuration does not include at least one direct link, the two RealPresence
Access Director systems use the High Availability ports to send and receive communication between
the two systems. These ports do not need to be open on the firewall.
High Availability Ports for Communication Between the Two RealPresence Access Director Systems
Polycom, Inc. 95
Management traffic does not traverse the tunnel. Regardless of how you configure your management
interface, you must ensure that your RealPresence Access Director system has access to all management
functions described in Management Access.
The following table lists the port and protocol for traffic between a RealPresence Access Director system
tunnel server and tunnel client.
From the WAN to the Tunnel Server From the Tunnel Server to the WAN
Polycom, Inc. 96
LAN and Tunnel Client Connections
From the LAN to the Tunnel Client From the Tunnel Client to the LAN
Polycom, Inc. 97
Network Interface Configurations
This chapter provides illustrations and network interface configuration details for the different RealPresence
Access Director system deployment models.
● Single Firewall Deployment with One Network Interface
● DMZ Deployment with One or More Network Interfaces
● Two-System Tunnel Deployment
● High Availability Deployment
Polycom, Inc. 98
All communication services are configured for one network interface card and IP address, as shown in the
following table.
1 eth0 Management
External signaling
Internal signaling
External media
Internal media
External access proxy
Internal access proxy
TURN
The figure below shows deployment in the enterprise DMZ, between an inside and outside firewall.
Standard Configuration
In a standard configuration with 1–4 configured NICs, all network interface IP addresses must be within the
same subnet. External signaling and access proxy must be assigned to the same interface. External
signaling and access proxy, and external media must have NATed IP addresses on the external, WAN-side
firewall. All other network interfaces route traffic to and from the enterprise LAN through the inside firewall
without NAT.
Polycom, Inc. 99
The following table lists the recommended network interface settings for the different communication
services in a standard configuration, based on the number of network interfaces you use.
1 eth0 Management
Minimal implementation External SIP/H.323 signaling and access proxy
External media
Internal SIP/H.323 signaling and access proxy
Internal media
TURN
eth1 Management
eth2 Management
eth3 Management
LAN-WAN Configuration
In a LAN-WAN configuration with 2–4 configured NICs, all network interface IP addresses must be assigned
to a WAN-side subnet or a LAN-side subnet. All network interfaces assigned to external, WAN-side services
must have IP addresses in the WAN-side subnet. All network interfaces assigned to route traffic to and from
the enterprise LAN must have IP addresses in the LAN-side subnet.
In the LAN-WAN configuration, external signaling and access proxy must be assigned to the WAN-side
subnet. Internal signaling and access proxy must be assigned to the LAN-side subnet.
2 eth0 Management
Minimal implementation Internal SIP/H.323 signaling and access proxy
Internal media
eth2 Management
eth2 Management
eth3 Management
2 eth0 Management
Internal signaling and access proxy
Internal media
Internal access proxy
eth2 Management