Local Cluster Configuration
Polycom, Inc. 71
● Configure specific ports or prefixes for untrusted (“unauthorized” or “guest”) SIP calls that can only
access specific resources (VMRs, VEQs, or a SIP peer).
H.323 Device Authentication
In an environment where H.235 authentication is used, H.323 devices include their credentials (name and
password) in registration and signaling (RAS) requests. The Polycom RealPresence DMA system
authenticates requests as follows:
● If it’s a signaling request (ARQ, BRQ, DRQ) from an unregistered endpoint, the Call Server doesn’t
authenticate the credentials.
● Otherwise, if the request is from an endpoint and the Polycom RealPresence DMA system is
integrated with a Polycom RealPresence Resource Manager system, the Call Server attempts to
authenticate the endpoint’s credentials with the RealPresence Resource Manager system.
● If it can’t authenticate with the RealPresence Resource Manager system, or if the request is from an
MCU or neighbor gatekeeper, the Call Server attempts to authenticate using its device authentication
list.
● If it’s a signaling request from a registered endpoint, or if the request is from an MCU or neighbor
gatekeeper, the Call Server attempts to authenticate using its device authentication list (see Device
Authentication).
If the credentials can’t be authenticated, the Call Server rejects the registration or signaling request. For call
signaling requests, it also rejects the request if the credentials differ from those with which the device
registered.
SIP Device Authentication
The SIP digest authentication mechanism is described in RFC 3261, starting in section 22, and in
RFC 2617, section 3. When a SIP endpoint registers with or calls the Polycom RealPresence DMA system,
if the request includes authentication information, that information is checked against the Call Server’s local
device authentication list (see Device Authentication).
SIP authentication can be enabled at the port/transport level or (for “unauthorized” access prefixes) the
prefix level.
If SIP authentication is enabled and an endpoint’s request doesn’t include authentication information, the
Call Server responds with an authentication challenge containing the required fields (see the RFCs). If the
endpoint responds with valid authentication information, the system accepts the registration or call.
Untrusted SIP Call Handling Configuration
You can configure special handling for SIP calls from devices outside the corporate firewall that aren’t
registered with the Polycom RealPresence DMA system and aren’t from a federated division or enterprise.
These calls come to the RealPresence DMA system via SIP session border controllers (SBCs) such as a
Polycom RealPresence Access Director or Acme Packet Session Border Controller device (which are
configured as SIP peers in the RealPresence DMA system; see External SIP Peer).
Note: SIP device authentication
If inbound SIP authentication is turned on for a port or prefix, the Polycom RealPresence DMA system
challenges any SIP message coming to the system via that port or with that prefix. Any SIP peer and
other device that interacts with the system by those means must be configured to authenticate itself,
or you must turn off Device authentication for that specific device. See Edit Device Dialog.