Create an account on the HP Community to personalize your profile and ask a question
09-22-2020 01:14 PM
RPAD 4.2.5, DMA 9.x - Mix of HDX and GroupSeries endpoints on the inside.
We are using Zoom Cloud Room connectors for hosting meetings while using our internal Clariti setup for endpoint management. Dialing out to Zoom generally works fine
I am hoping that we can allow for Zoom's Call Out service - essentially E164 or public facing configs on individual endpoints.
It appears that there isn't a broad rule for allowing incoming calls, through the RPAD to individual endpoints w/o making some exceptions and managing a whitelist.
I was wondering if anyone can give me any guidance on how I might construct an ACL rule that would allow this? I have setup an ACL variable with the Zoom IP ranges used for this service, so I am comfortable at this point allowing those IPs to hit the RPAD and route into E164 addresses on the inside, but not certain on how to allow that.
We have a series of Rules on the RPAD that allow for Registration, then access - but the incoming Zoom calls would just be transient and not registered. We have a 'whitelist' ACL var, but again - that seems to be to leg registration. Would 'registration' be comparable to just allow a call in, to another endpoint?
09-23-2020 12:26 PM
Been playing around with it a bit and have this setup, which I think is getting me closer.
Advanced Variables - variable list made up of the known Zoom addresses used for the CRC/Call Out service (published by Zoom).
Advanced Rules - Rule that matches the request.src-ip attribute to the variable made up of the Zoom addresses.
Advanced Settings - on both H323 service entries (1719, 1720) added the Zoom rule with an action to Accept.
Basic Settings - what we don't have on is the Call Policy. We have Registration Policy enabled. I feel like this should be enabled and perhaps some Custom Allow Entries? Per this doc here: https://documents.polycom.com/bundle/rpad-ag-4-2/page/rpad_admin_guide/sys_config/TOC_Configure_Basi... You have the Caller and Callee aliases but I am not sure of the format there.
Dial Plans - our default dial plan has 7 entries, the first listed is Endpoints by Alias and to Resolve that. Same for Conference Room, Service Prefix, Endpoint IP, etc. Internally, E164 dialing as well as IP dialing between the endpoints works fine.
There is a 'Guest Dial Plan' listed, but no entries so I added an Endpoints by Alias entry there, resolving to endpoint. I am assuming that incoming calls from the RPAD, from a non-registered device would be seen by the DMA as a 'guest' in the Dial Plan?
Anyone else working on anything like this.
11-20-2020 01:17 PM
I will document what I am doing, I think I am close - I have one issue that remains, perhaps someone has a suggestion.
We have RPAD using one eth/NIC. DMA on the inside plus an RMX, RPRM, etc but at this point we are just using the DMA and RPRM for management and gatekeeper and RPAD in a DMZ for security. All our calls now are in Zoom (cloud) for both the soft client/apps and our for our 60+ hardware endpoints. Dialing out to Zoom from an endpoint works fine, we use a prefix on the DMA and use H.323 since Zoom handles GroupSeries and HDX different with SIP (we wanted to keep dial string formats similar across all devices).
What I am attempting to do is enable the Zoom dial out service, where Zoom users can bring in an endpoint from a directory on the application. https://support.zoom.us/hc/en-us/articles/203028549-H-323-SIP-Rooms-Directory
At this point I can get incoming calls from Zoom, through the RPAD to the DMA, where the call end, there is no routing to the endpoint (E164).
I have added an ACL to RPAD, based on Zoom's published IP ranges for their endpoint services, created a matching rule and applied that to both H323 services on the RPAD (ports 1719, 1720) to allow calls in.
At this point, when I do a dial out from the Zoom side, the traffic gets through the RPAD, to the DMA and I can see the call on the DMA, but the prefix of 60 is added and the call doesn't get routed to the endpoint.
60 is our internal prefix and what we used for our calls on the RMX. We have the web services/RP Desktop for on-prem and off as well as a few 3rd party devices registered to our DMA for calls, though those have been disconnected and direct dial Zoom now for call. I think I need to strip that 60 prefix off the call leaving the RPAD or on the DMA in some manner?
On the RPAD, under Config, H323 settings I have Bypass H323 Federation Restrictions for incoming and outgoing LRQ, we also have Enabled, H323 guest policy, with prefix set as 60. Enable H323 default policy E164/H.323_ID is NOT checked however. Is it safe to assume this is where the 60 is getting amended to call?
On Zoom's end, they can call in SIP or H323 and we are using H323 and the E164 number, which in our case is the internal IP of each of our devices 10174xxxxx, etc. Since we are not doing anything internally on the RMX anymore, would it be safe to remove the guest policy/60* on the RPAD?
UPDATE. Actually, this works - unchecking the guest policy/60 setting. Watching RPAD and the DMA I am not seeing any unwanted calls coming in (don't see much H323 'scanners', plenty on SIP that RPAD stops). Assuming my ACL is correct, would anything be wrong by disabling the Guest Policy for 323 on the H323 signaling page of RPAD?