this lab exercise demonstration will outline how to...

Breaking News Lab Transcript: RPAD 3.0 Access Control Lists

of 73 © Polycom University

Slide notes

This lab exercise demonstration will outline how to configure and use the new Access Control List feature of RPAD version 3.0 that provides an additional level of security to the system.



Slide notes

There are four basic steps to this lab exercise, as outlined in your student guide.

1. We will create an ACL rule on the RPAD that will identify endpoints that have not been provisioned by the RealPresence Resource Manager system

2. An ACL setting will be created using this new rule to deny registration to unprovisioned H.323 endpoints

3. We will then access an offsite HDX endpoint and attempt to register to the internal H.323 gatekeeper via the RPAD system

4. The registration will be denied, which will then be verified by viewing the security denial in the RPAD Registration History



Slide notes

Let's start on the RPAD system by navigating to Configuration...



Slide notes

...Access Control List Rules.



Slide notes

Take the Action to Add a new rule.



Slide notes

Name the rule 323RegWhitelist...



Slide notes

...and change the signaling type to...



Slide notes

...H.323.



Slide notes

This rule will define an H.323 registration request from an endpoint that has not been provisioned by the Resource Manager. Our next step will be to create an ACL setting that will allow the RPAD to deny these registration requests.



Slide notes

Click the Add button to create the first condition.



Slide notes

Select the Attribute field...



Slide notes

...and choose the request.type attribute.



Slide notes

The value needs to be equal to...



Slide notes

...RAS.



Slide notes

Click OK to add the first condition that will identify a RAS request.



Slide notes

Now let's Add the second condition.



Slide notes

This condition will be "ANDed" together with the first condition.



Slide notes

The attribute we select from the drop-down list...



Slide notes

...will be the request.src-ip attribute.



Slide notes

The operator for this condition...



Slide notes

... will be not memberof.



Slide notes

prov_list is a system variable that is maintained by the RPAD that contains the IP address of all endpoints that have been successfully provisioned by the Resource Manager through the RPAD system.



Slide notes

Click OK to create the second condition.



Slide notes

Click OK again to create the new ACL Rule.



Slide notes

Now let's modify the ACL Settings to use this rule to deny H.323 registration to non-provisioned endpoints.



Slide notes

Take the action to Add a new ACL Setting.



Slide notes

We need to change the Service Name...



Slide notes

... to H.323.



Slide notes

Now we can Add the ACL rule we just created...



Slide notes

...323RegWhitelist.



Slide notes

We need to change the action for this rule...



Slide notes

...to deny.



Slide notes

Click OK to add the rule.



Slide notes

Click OK again to save the new ACL Setting that will deny H.323 registration to any endpoint that has not been provisioned by the RealPresence Resource Manager.



Slide notes

The new H.323 ACL Setting is now shown in the list.



Slide notes

Now let's access an offsite HDX endpoint and attempt to register to the corporate H.323 gatekeeper via the RPAD system. Navigate to Admin Settings...



Slide notes

...Network...



Slide notes

...IP Network.



Slide notes

We will Specify the H.323 Gatekeeper...



Slide notes

...as the Medeatalk RPAD (rpad.medeatalk.com).



Slide notes

Because this endpoint is offsite, outside of the corporate firewall...



Slide notes

...we will also enable H.460 Firewall Traversal support.



Slide notes

Now click Update to initiate the H.323 registration.



Slide notes

To view the registration status, navigate to Diagnostics....



Slide notes

...and click on the Gatekeeper line item.



Slide notes

The system reports that the gatekeeper registration has been rejected.



Slide notes

Click OK to close the dialog box.



Slide notes

Now let's return to the RPAD to view the Registration attempt from this unprovisioned endpoint.



Slide notes

From the RPAD web interface, navigate to Diagnostics...



Slide notes

...Registration History.



Slide notes

Change the Signaling type...



Slide notes

...to H.323....



Slide notes

...and click Search.



Slide notes

The registration attempt from the Offsite Endpoint is at the top of the list.



Slide notes

Take the Action to Show Registration Details for this attempt.



Slide notes

Now select Registration Events.



Slide notes

The second line item is the INBOUND_REQUEST from the endpoint, click the Show Message button.



Slide notes

Now Expand all...



Slide notes

...to expose the inbound RAS messaging from the HDX endpoint.



Slide notes

Scroll down to the very end to see the details of the registration request...



Slide notes

...and then click OK to close this window.



Slide notes

Now let's review the OUTBOUND_RESPONSE from the RPAD.



Slide notes

Click Expand all...



Slide notes

...to see the Registration Reject with a reason of Security Denial. This registration was denied because of the ACL setting we created that applied the 323RegWhitelist ACL rule. Because the Offsite HDX was not dynamically provisioned by the RealPresence Resource Manager, the RPAD denied the registration request.



Slide notes

Click OK to close the window...



Slide notes

...and OK once again.



Slide notes

It is important to note that this registration request will not appear in the DMA Registration History, because the RPAD was configured to deny the request before ever sending the RRQ to the DMA Gatekeeper.



Slide notes

This concludes the RPAD Access Control List lab exercise demonstration. We completed four basic steps in this lab exercise, starting with creating an ACL rule on the RPAD that identified endpoints that have not been provisioned by the RealPresence Resource Manager system. Next, we created an ACL setting using this new rule to deny registration to H.323 endpoints not provisioned by the Resource Manager system.

We then accessed an offsite HDX endpoint and attempted to register to the internal H.323 gatekeeper via the RPAD system. The registration was denied, which was verified by viewing the security denial in the RPAD Registration History.



Slide notes

Thank you for taking the time to view this lab exercise demonstration of the RPAD Access Control List feature.

this lab exercise demonstration will outline how to...

Documents