Breaking News Lab Transcript: RPAD 3.0 Access Control Lists
Page 1 of 73 © Polycom University
Slide notes
This lab exercise demonstration will outline how to configure and use the new Access Control List feature of RPAD version 3.0 that provides an additional level of security to the system.
There are four basic steps to this lab exercise, as outlined in your student guide.
1. We will create an ACL rule on the RPAD that identifies endpoints that have not been provisioned by the RealPresence Resource Manager system.
2. An ACL setting will be created using this new rule to deny registration to unprovisioned H.323 endpoints.
3. We will then access an offsite HDX endpoint and attempt to register to the internal H.323 gatekeeper via the RPAD system.
4. The registration will be denied, which we will verify by viewing the security denial in the RPAD Registration History.
Let's start on the RPAD system by navigating to Configuration, then Access Control List Rules.
Take the Action to Add a new rule.
Name the rule 323RegWhitelist and change the signaling type to H.323.
This rule will define an H.323 registration request from an endpoint that has not been provisioned by the Resource Manager. Our next step will be to create an ACL setting that will allow the RPAD to deny these registration requests.
Click the Add button to create the first condition.
Select the Attribute field and choose the request.type attribute.
The value needs to be equal to RAS.
Click OK to add the first condition that will identify a RAS request.
Now let's Add the second condition.
This condition will be "ANDed" together with the first condition.
The attribute we select from the drop-down list will be the request.src-ip attribute.
The operator for this condition will be not memberof.
prov_list, the value for this condition, is a system variable maintained by the RPAD that contains the IP addresses of all endpoints that have been successfully provisioned by the Resource Manager through the RPAD system.
Click OK to create the second condition.
Click OK again to create the new ACL Rule.
Now let's modify the ACL Settings to use this rule to deny H.323 registration to non-provisioned endpoints.
Take the action to Add a new ACL Setting.
We need to change the Service Name to H.323.
Now we can Add the ACL rule we just created, 323RegWhitelist.
We need to change the action for this rule to deny.
Click OK to add the rule.
Click OK again to save the new ACL Setting that will deny H.323 registration to any endpoint that has not been provisioned by the RealPresence Resource Manager.
The new H.323 ACL Setting is now shown in the list.
Now let's access an offsite HDX endpoint and attempt to register to the corporate H.323 gatekeeper via the RPAD system. Navigate to Admin Settings, Network, IP Network.
We will specify the H.323 Gatekeeper as the Medeatalk RPAD (rpad.medeatalk.com).
Because this endpoint is offsite, outside of the corporate firewall, we will also enable H.460 Firewall Traversal support.
Now click Update to initiate the H.323 registration.
To view the registration status, navigate to Diagnostics and click on the Gatekeeper line item.
The system reports that the gatekeeper registration has been rejected.
Click OK to close the dialog box.
Now let's return to the RPAD to view the Registration attempt from this unprovisioned endpoint.
From the RPAD web interface, navigate to Diagnostics, then Registration History.
Change the Signaling type to H.323 and click Search.
The registration attempt from the Offsite Endpoint is at the top of the list.
Take the Action to Show Registration Details for this attempt.
Now select Registration Events.
The second line item is the INBOUND_REQUEST from the endpoint; click the Show Message button.
Now Expand all to expose the inbound RAS messaging from the HDX endpoint.
Scroll down to the very end to see the details of the registration request, and then click OK to close this window.
Now let's review the OUTBOUND_RESPONSE from the RPAD.
Click Expand all to see the Registration Reject with a reason of Security Denial. This registration was denied because of the ACL setting we created that applied the 323RegWhitelist ACL rule. Because the Offsite HDX was not dynamically provisioned by the RealPresence Resource Manager, the RPAD denied the registration request.
Click OK to close the window, and OK once again.
It is important to note that this registration request will not appear in the DMA Registration History, because the RPAD was configured to deny the request before ever sending the RRQ to the DMA Gatekeeper.
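As an added illustration of the logic this lab configures (not code from the lab or from Polycom), the following Python model evaluates an H.323 RAS registration the way the 323RegWhitelist rule and the H.323 ACL setting would, and records that a denied request is answered by the RPAD itself and never forwarded to the DMA gatekeeper. The attribute names, operators, prov_list and the Security Denial reason come from the lab; the IP addresses are constructed and the class and function names are assumptions.

```python
# Added example, not Polycom code: a minimal model of the RPAD ACL built in
# this lab. Attribute names, operators and prov_list follow the lab; the data
# structures, function names and IP addresses below are assumptions.
from dataclasses import dataclass

# Constructed stand-in for the RPAD-maintained prov_list: source IPs of
# endpoints the Resource Manager has provisioned through the RPAD.
PROV_LIST = {"203.0.113.10", "203.0.113.11"}

# Condition operators used in the lab (equals, memberof, not memberof).
OPERATORS = {
    "equals": lambda value, target: value == target,
    "memberof": lambda value, target: value in target,
    "not memberof": lambda value, target: value not in target,
}

@dataclass
class AclRule:
    name: str
    signaling: str        # signaling type the rule applies to ("H.323" here)
    conditions: list      # [(attribute, operator, target)], ANDed together

    def matches(self, request: dict) -> bool:
        if request["signaling"] != self.signaling:
            return False
        return all(OPERATORS[op](request[attr], target)
                   for attr, op, target in self.conditions)

# The rule created in the lab: a RAS request from a non-provisioned source IP.
REG_WHITELIST = AclRule("323RegWhitelist", "H.323", [
    ("request.type", "equals", "RAS"),
    ("request.src-ip", "not memberof", PROV_LIST),
])

# ACL setting for the H.323 service: (rule, action) pairs, first match wins.
H323_ACL_SETTING = [(REG_WHITELIST, "deny")]

def evaluate_registration(request: dict, acl_setting=H323_ACL_SETTING) -> dict:
    """Decide an inbound RRQ. A denied request gets a Registration Reject with
    reason Security Denial from the RPAD and is never sent on to the DMA, which
    is why it appears only in the RPAD Registration History."""
    for rule, action in acl_setting:
        if rule.matches(request) and action == "deny":
            return {"response": "RegistrationReject", "reason": "Security Denial",
                    "forwarded_to_dma": False}
    return {"response": "RRQ forwarded to DMA", "reason": None,
            "forwarded_to_dma": True}

# Constructed requests: the offsite HDX (not in prov_list) and a provisioned one.
OFFSITE_HDX = {"signaling": "H.323", "request.type": "RAS",
               "request.src-ip": "198.51.100.7"}
PROVISIONED = dict(OFFSITE_HDX, **{"request.src-ip": "203.0.113.10"})
```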
This concludes the RPAD Access Control List lab exercise demonstration. We completed four basic steps in this lab exercise, starting with creating an ACL rule on the RPAD that identified endpoints that have not been provisioned by the RealPresence Resource Manager system. Next, we created an ACL setting using this new rule to deny registration to H.323 endpoints not provisioned by the Resource Manager system.
We then accessed an offsite HDX endpoint and attempted to register to the internal H.323 gatekeeper via the RPAD system. The registration was denied, which was verified by viewing the security denial in the RPAD Registration History.