Pexip Infinity Secure Mode Deployment Guide




2015 Pexip AS Version 10.a July 2015 Page 1 of 10

Introduction

This guide contains instructions for deploying and using Pexip Infinity in a secure mode of operation.

For further information about the deployment instructions and configuration settings described in this guide, please see the Pexip Infinity technical documentation website.

Securing the host environment

The VMware host environment must be hardened before deploying Pexip Infinity. It is expected that the host server contains at least two physical network interfaces and that management access to the ESXi host is restricted to a specific physical network and that virtual machines (VMs) are connected to a separate physical network.

Instructions for performing VMware-specific hardening are described in the VMware ESXi Server 5.0 Security Technical Implementation Guide which can be found at http://iase.disa.mil/stigs/documents/u_esxi5_server_v1r5_stig.zip.

Management of the ESXi host can run out-of-band of the video conferencing network.

Reserving virtual machine resources

The resources allocated to each virtual machine must be reserved after it has been deployed. This ensures that each VM has guaranteed access to the resources that it expects and is thus isolated from any other VMs on the host.

To do this, find the VM in the vSphere client and edit its settings. There are separate settings for CPU, Memory, and Disk hardware.

CPU resource limits

There are three CPU resource settings: Reservation, Limit, and Shares. These specify the guaranteed CPU resource for the VM, the maximum CPU resource for the VM, and the weighting applied to the VM when sharing resources with its siblings.

These should be configured as follows:

Reservation: Select the menu entry labeled Maximum. (The value associated with Maximum will then appear in the Reservation field.)
Limit: Select the menu entry labeled Minimum.
Shares: Select Normal.

These settings ensure that the VM is guaranteed access to all of its allocated CPU resource, with no ability to burst above this resource allocation. Note that the MHz/GHz values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Memory resource limits

There are three memory resource settings: Reservation, Limit, and Shares. These specify the guaranteed memory resource for the VM, the maximum memory resource for the VM, and the weighting applied to the VM when sharing resources with its siblings.

These should be configured as follows:

Reservation: Select the Reserve all guest memory (All locked) check box.
Limit: Select the menu entry labeled Minimum.
Shares: Select Normal.

These settings ensure that the VM is guaranteed access to all its allocated memory resource, with no ability to burst above this resource allocation. Note that the MB values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Disk resource limits

There are two disk resource settings: Shares, and Limit - IOPs. These specify the weighting applied to the VM when sharing resources with other VMs on the host, and the maximum number of IOPs the VM is permitted to consume.

These should be configured as follows:

Shares: Select Normal.
Limit - IOPs: Enter the appropriate number of IOPs for the Virtual Machine. The sum of all IOP limits for all VMs on the same host must not exceed the capacity of the datastore.

These settings ensure that the VM is limited to its fair share of IOPs. As the sum of all IOP limits on the same host does not exceed the host capabilities, sharing is not necessary, so a setting of Normal is appropriate.

BIOS configuration

The BIOS of each Virtual Machine must be configured and secured after deployment. This ensures that the system boots from the correct devices and that this configuration cannot be modified by unauthorized personnel. To do this:

1. Use the vSphere client to edit the configuration of the VM to force it to boot into the BIOS as soon as it is powered on. This is usually found under VM Options > Boot Options as a configuration item named Force BIOS setup. This option should be selected to force entry to the BIOS on the next boot.
2. Power on the Virtual Machine and open its console, which should contain the BIOS setup utility.
3. Configure the boot order:
   a. Go to the Boot configuration page, and ensure that Hard Drive is the first entry.
   b. Expand the Hard Drive device tree and ensure that VMware Virtual SCSI Hard Drive (0:0) is the first entry.
4. Configure the BIOS security:
   a. Go to the Security configuration page.
   b. Configure a Supervisor password to prevent unauthorized modification of the BIOS configuration.
5. Save and exit.
   a. Go to the Exit configuration page.
   b. Select the Exit Saving Changes option.

Pexip Infinity Management Node deployment and bootstrap configuration

This section describes the steps needed to deploy the Pexip Infinity Management Node into the secure environment described above.

1. Use the vSphere client to deploy the Management Node OVA onto the selected ESXi host system. See Installing the Management Node for full instructions on how to do this.
   The VLAN ID used for the Management Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging), as the system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide.
2. Log in to the Management Node console as the admin user. A password for this user must be set.
3. Enter the admin user password to permit the installation wizard to start.
4. Complete the installation wizard as described in Pexip Infinity Getting Started Guide, ensuring that:
   - Enable incident reporting is set to no.
   - Send deployment and usage statistics to Pexip is set to no.
   On completion, the installation wizard will reboot the system.
5. Use a web browser to connect to the Pexip Infinity Administrator interface and ensure that you can log in using the credentials configured in the installation wizard.
6. Log in to the Management Node console as the admin user. Issue the following command:

    $ securitywizard

7. Enter the admin user password to permit the security wizard to start.
8. Complete the security wizard, providing answers as described below:

Enable FIPS 140-2 compliance mode: YES

Disable system administrator account (this applies to SSH and console access): YES
Accept ICMPv6 redirects: NO
Drop incoming packets to closed ports rather than reject: YES
Accept multicast ICMPv6 echo requests: NO
Enable IPv6 Duplicate Address Detection: NO
SIP UDP listen port *: 5060
SIP TCP listen port *: 5060
SIP TLS listen port *: 5061
Active management web sessions *: 100
Active per-user management web sessions *: 10
Enable SSL 3.0: NO

* The SIP listen ports and web session limits may be customized for the target environment, as appropriate.

On completion, the security wizard will reboot the system.

After the system has rebooted, no OS-level user access will be available on the system and it cannot be re-enabled.

Pexip Infinity Conferencing Node deployment

When deploying Conferencing Nodes, note that:

- Before deploying any Conferencing Nodes, you must complete the Management Node deployment and bootstrap configuration.
- As the host system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide:
   - All Conferencing Nodes should be deployed manually (see Manually deploying a Conferencing Node on an ESXi host).
   - The VLAN ID used for the Conferencing Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging).

Pexip Infinity application configuration

This section describes the application-specific configuration required for Pexip Infinity to operate in a secure environment.

This configuration is performed using a web browser to access the Pexip Infinity Administrator interface. Log in to the Administrator interface using the credentials configured earlier in the installation wizard.

More information about all of these settings can be found on the Pexip Infinity technical documentation website.

TLS certificates

This section describes the process for bootstrapping the PKI environment.

Management Node and Conferencing Node server certificates

The Pexip Infinity platform ships with default self-signed server certificates for the Management Node and each Conferencing Node. Because these certificates are self-signed, they will not be trusted by clients. Therefore you must replace these certificates with your own certificates that have been signed by a trusted certificate authority.

Creating a certificate signing request (CSR)

To acquire a server certificate from a Certificate Authority (CA), a certificate signing request (CSR) has to be created and submitted to the CA. One common way of creating a CSR is through the OpenSSL toolkit (http://www.openssl.org), available for Windows, Mac and Linux.

After installing OpenSSL, the following example openssl command and input can be used to create a CSR, in this case for a Conferencing Node with an FQDN of sip.example.com (user input follows the colon on each prompt line):

    openssl req -out sip.example.com.csr -new -newkey rsa:2048 -nodes -keyout sip.example.com.key
    Country Name (2 letter code) [AU]:NO
    State or Province Name (full name) [Some-State]:Oslo
    Locality Name (eg, city) []:Oslo
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pexip
    Organizational Unit Name (eg, section) []:Pexip
    Common Name (e.g. server FQDN or YOUR name) []:sip.example.com
    Email Address []:

The above command and input will create two files, sip.example.com.csr and sip.example.com.key. The .csr file is the actual CSR, while the .key file is the certificate private key. The private key should be kept secret, while the CSR file contents should be submitted to the CA for signing. After the CA has signed the CSR, the certificate will be ready for uploading.

Note that the openssl command will vary depending on which operating system you are using.

In deployments that do not use DNS resolution, the Common Name should contain the IP address of the Conferencing Node instead of an FQDN.

Uploading a certificate to a Pexip node

To upload a new TLS certificate for the Management Node or a Conferencing Node:

1. From the Pexip Infinity Administrator interface, go to Platform configuration > TLS certificates.
2. For the selected Management Node or Conferencing Node, select Upload certificate. You will be taken to the Upload certificate page.
3. From the Certificate file section, select Choose File and select the file containing the new TLS certificate.
   This file must be a text file in PEM format and must be valid for the hostname or FQDN of the Management Node or Conferencing Node to which it relates. Certificate files will typically have a .crt or .pem extension.
   Custom DH parameters and an EC curve name for ephemeral keys can also be added to the end of the certificate file. Such parameters can be generated through the OpenSSL toolkit using the commands openssl dhparam and openssl ecparam. The parameters can be added 'as is' to the end of the certificate file.
4. From the Private Key file section, select Choose File and select the file containing the private key for the certificate.
   This file must be a text file in PEM format. Private key files typically have a .key or .pem extension.
5. Select Save.

Trusted CA certificates

You must also upload the trusted Certificate Authority (CA) certificates for the secure environment. This must include any required chain of intermediate certificates for the CA that signed the server certificates.

Note that the default set of trusted CA certificates that ship with Pexip Infinity are not used when FIPS 140-2 compliance mode is enabled.

To upload a new file of trusted CA certificates:

1. From the Pexip Infinity Administrator interface, go to Platform configuration > TLS certificates.
2. We recommend that you download and save the existing certificate file.

   If you want to preserve the CA certificates contained in the existing certificate file, you must first download it and append the contents to the new file you are about to upload.
3. Select Upload trusted CA certificates. You will be taken to the Upload trusted CA certificates page.
4. Select Choose File and select the file containing the new TLS certificates, in PEM format.
5. Select Save.

IPv6 (optional)

If required, configure the IPv6 address and IPv6 gateway addresses of the Management Node and each Conferencing Node. To configure these addresses:

- Go to Platform configuration > Management Node and click on the name of the Management Node.
- Go to Platform configuration > Conferencing Nodes and click on the name of the Conferencing Node.

Global settings

Go to Platform configuration > Global settings and review and modify where required the following settings:

Enable H.323, Enable WebRTC, Enable RTMP: Disable these protocols (and leave SIP enabled, and SIP UDP disabled).
Enable chat: Disable this option.
Enable outbound calls: Disable this option.
Enable support for Pexip Infinity Connect and Mobile App: Disable support for these applications.
DSCP value for management traffic: Set a DSCP value for management traffic sent from the Management Node and Conferencing Nodes. We recommend a value of 16.
Enable SSH: Disable this option.
Signaling port range start and end: Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for signaling.
Media port range start and end: Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for media.
OCSP state and OCSP responder URL: Set this to Override and specify the OCSP responder URL to which OCSP requests will be sent.
SIP TLS certificate verification mode: Set this to On.
Enable HTTP access for external systems: Ensure that this option is disabled.
Login banner text: Configure this field with some appropriate text for your deployment.
Management web interface session timeout: Set this to 10 minutes or other timeout value suitable for your deployment.
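The upload steps in the TLS certificates section call for a PEM certificate that is valid for the node's FQDN, the matching private key, and a trusted CA file holding the full chain. The shell function below is an added example, not part of the Pexip guide, that checks those properties with the OpenSSL CLI before anything is uploaded; the exit codes, the throwaway test CA and the use of OpenSSL 1.1.0 or later are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the Pexip guide). Assumes the OpenSSL 1.1.0+ CLI.

# check_node_cert CERT KEY FQDN CA_BUNDLE
# Returns 0 when every check passes, otherwise:
#   1 = CERT is not a PEM certificate   2 = KEY does not belong to CERT
#   3 = CERT is not valid for FQDN      4 = CERT does not chain to CA_BUNDLE
check_node_cert() {
    cert=$1; key=$2; fqdn=$3; bundle=$4

    # The upload page expects PEM text, so look for the armor and parse it.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || return 1
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1

    # The certificate and the private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkhost prints "does match certificate" or "does NOT match certificate".
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
        grep -q 'does match certificate' || return 3

    # Verify against the bundle alone: -no-CApath keeps the OS trust directory
    # out, as the platform's default CA set is not used in FIPS 140-2 mode.
    openssl verify -CAfile "$bundle" -no-CApath "$cert" >/dev/null 2>&1 || return 4
    return 0
}

# make_constructed_pki DIR: throwaway test CA plus a node key and certificate
# for sip.example.com (constructed data, valid for one day).
make_constructed_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=sip.example.com' \
        -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/node.csr" -days 1 -CAcreateserial \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -out "$dir/node.crt" 2>/dev/null
}

# "demo" runs the checks on constructed files; four arguments check real ones.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d) && make_constructed_pki "$tmp" || exit 1
    check_node_cert "$tmp/node.crt" "$tmp/node.key" sip.example.com "$tmp/ca.pem"
    echo "matching certificate, key and bundle: status $?"
    check_node_cert "$tmp/node.crt" "$tmp/ca.key" sip.example.com "$tmp/ca.pem"
    echo "private key from a different key pair: status $?"
    rm -rf "$tmp"
elif [ "$#" -eq 4 ]; then
    check_node_cert "$@"
    exit $?
fi
```
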

Configure user accounts and authentication settings

You must configure the Pexip Infinity platform to authenticate and authorize login accounts via a centrally managed LDAP-accessible server.

Account roles

1. Go to Users > Account roles.
2. Select the existing Read-only role and remove the following permissions:
   - May view logs
   - May generate system snapshot
3. Select the existing Read-write role and remove the following permissions:
   - May view logs
   - May generate system snapshot
4. Create an Auditor role:
   a. Select Add role.
   b. Specify a Name of "Auditor".
   c. Assign the following permissions to the role:
      - Is an administrator
      - May use web interface
      - May use API
      - May view logs
      - May generate system snapshot
   d. Save the role.

LDAP server connection details

You must configure the details of the LDAP-accessible server and, initially, set the system to authenticate both locally and against the LDAP database:

1. Go to Users > User authentication.
2. Set the Authentication source to LDAP database and local database.
3. In the LDAP configuration section, specify the connection details for the LDAP-accessible server.
4. Save the settings.

LDAP group to role mapping

LDAP roles are used to map the LDAP groups associated with LDAP user records to the Pexip Infinity account roles. You must configure a separate LDAP role for each LDAP group for which you want to map one or more Pexip Infinity account roles.

1. Go to Users > LDAP roles.
2. Select Add LDAP role.
3. Configure the role:
   Name: Enter a descriptive name for the role.
   LDAP group DN: Select the LDAP group against which you want to map one or more account roles. The list of LDAP groups is only populated when there is an active connection to an LDAP server (Users > User authentication).
   Roles: Select from the list of Available roles the account roles to associate with the LDAP group and then use the right arrow to move the selected roles into the Chosen Roles list.
4. Save the role.
5. Configure as many LDAP roles as required, ensuring that every account role is mapped to at least one LDAP group.

Enable certificate-based authentication

This configuration requires administrators to log in to the Pexip Infinity Administrator interface by presenting (via their browser) a client certificate containing their user identification details.

1. Install suitable client certificates into the certificate stores of the browsers to be used by the Pexip Infinity administrators. The identities contained in the certificates must exist in the LDAP database.
2. Go to Users > User authentication.
3. Set Require client certificate to one of the Required options as appropriate for your installation:
   - Required (user identity in subject CN): users identify themselves via the identity contained in the subject CN (common name) of the client certificate presented by their browser.
   - Required (user identity in subjectAltName userPrincipalName): users identify themselves via the identity contained in the subjectAltName userPrincipalName attribute of the client certificate presented by their browser.
4. Save the settings.

When a client certificate is required, the standard login page is no longer presented. Administrators will not be able to access the Pexip Infinity Administrator interface if their browser does not present a valid certificate that contains a user identity which exists in the selected Authentication source.

Disable local authentication

Complete the authentication configuration by disabling the local authentication source:

1. Log in to the Pexip Infinity Administrator interface (via certificate-based authentication).
2. Go to Users > User authentication.
3. Set the Authentication source to LDAP database.
4. Save the settings.

All authentication is now performed against the LDAP server and no local account information is used. Note that the "SSH password" is never used, as SSH access is disabled.

Securing network services

DNS servers

Configure at least two DNS servers (System configuration > DNS servers).

NTP servers

Configure at least two NTP servers (System configuration > NTP servers). The configuration for each NTP server must include key authentication credentials.

Remote syslog servers

Configure at least one remote syslog server (System configuration > Syslog servers).

SNMP

Configure the Management Node and each Conferencing Node to use secure SNMPv3:

1. Go to Platform configuration > Management Node and click on the name of the Management Node.
2. Set SNMP mode to SNMPv3 read-only.
3. Configure the SNMPv3 credentials (SNMPv3 username, privacy password and authentication password) for this SNMP agent to match those used in requests from the SNMP management station.
4. Change the SNMP community to something other than "public".
5. Save the SNMP settings for the Management Node.
6. Apply the same configuration settings to each Conferencing Node (go to Platform configuration > Conferencing Nodes and click on the name of each Conferencing Node in turn).

Secure SNMPv3 read-only mode uses SHA1 authentication and AES 128-bit encryption.

Location DSCP tags and MTU

Configure DSCP tags for signaling and media, and set the MTU size for each location:

1. Go to System configuration > Locations.
2. Select the first location.
3. Configure the DSCP tags. We recommend:
   - DSCP value for media is set to 51.
   - DSCP value for signaling is set to 40.
4. Configure the MTU. We recommend a value of 1400 bytes to account for the overhead associated with the encryption headers.
5. Save the settings.
6. Repeat for every other location.

Contingency deployment

We recommend that you maintain a secondary deployment that you can switch to in the event that your primary deployment fails or is compromised. This fallback system should mimic the primary installation with the following exceptions:

- In addition to supporting authentication and authorization via LDAP, in case connectivity to the LDAP server is down it should also maintain the local admin account and should not use certificate-based authentication:
   a. Go to Users > User authentication.
   b. Set Authentication source to LDAP database and local database.

   c. Set Require client certificate to Not required.
   d. Save the settings.
- It should be deployed without licensing.

After the fallback system has been configured, all VMs should be completely powered off and remain off until required.

If the primary deployment is compromised and must be torn down, you should contact your Pexip support representative to return the original license key and then re-activate the same license on the fallback system after it has been brought up.