Deploying Pexip Infinity in a secure mode of operation

This guide explains how to deploy and use Pexip Infinity in a secure mode of operation. It covers the following areas:

Securing the host environment

The VMware host environment must be hardened before deploying Pexip Infinity. It is expected that the host server contains at least two physical network interfaces, that management access to the ESXi host is restricted to a dedicated physical network, and that virtual machines (VMs) are connected to a separate physical network.

Instructions for performing VMware-specific hardening are described in the relevant VMware ESXi Security Technical Implementation Guide.

Management of the ESXi host can run out-of-band of the video conferencing network.

Reserving virtual machine resources

The resources allocated to each virtual machine must be reserved after it has been deployed. This ensures that each VM has guaranteed access to the resources that it expects and is thus isolated from any other VMs on the host.

To do this, find the VM in the vSphere client, right-click on the VM and select Edit Settings. There are separate settings for CPU, Memory, and Disk hardware.

CPU resource limits

There are three CPU resource settings: Reservation, Limit, and Shares. These specify the guaranteed CPU resource for the VM, the maximum CPU resource for the VM, and the weighting applied to the VM when sharing resources with its siblings.

These should be configured as follows:

Reservation   Select the menu entry labeled Maximum. (The value associated with Maximum will then appear in the Reservation field.)
Limit         Select the menu entry labeled Minimum.
Shares        Select Normal.

These settings ensure that the VM is guaranteed access to all of its allocated CPU resource, with no ability to burst above this resource allocation. Note that the MHz/GHz values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Memory resource limits

There are three memory resource settings: Reservation, Limit, and Shares. These specify the guaranteed memory resource for the VM, the maximum memory resource for the VM, and the weighting applied to the VM when sharing resources with its siblings. These should be configured as follows:

Reservation   Select the Reserve all guest memory (All locked) check box.
Limit         Select the menu entry labeled Minimum.
Shares        Select Normal.

These settings ensure that the VM is guaranteed access to all its allocated memory resource, with no ability to burst above this resource allocation. Note that the MB values for Reservation and Limit should thus be identical. As the resources are guaranteed, no sharing is necessary, so a setting of Normal is appropriate.

Hard Disk resource limits

There are two disk resource settings: Shares, and Limit - IOPs. These specify the weighting applied to the VM when sharing resources with other VMs on the host, and the maximum number of IOPs the VM is permitted to consume. These should be configured as follows:

Shares        Select Normal.
Limit - IOPs  Enter the appropriate number of IOPs for the Virtual Machine. The sum of all IOP limits for all VMs on the same host must not exceed the capacity of the datastore.

These settings ensure that the VM is limited to its fair share of IOPs. As the sum of all IOP limits on the same host does not exceed the host capabilities, sharing is not necessary, so a setting of Normal is appropriate.
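The CPU, memory and disk settings above all reduce to a few invariants (reservation equal to limit, shares normal, memory locked, every disk capped). The following added audit script, which is not part of the Pexip guide or of any VMware tooling, checks those invariants against a VM's .vmx file so that a deployed node can be verified after the vSphere client edits. The .vmx key names it reads (sched.cpu.*, sched.mem.*, sched.<disk>.throughputCap, memSize) are assumptions about how vSphere persists these settings; the sample .vmx fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a .vmx file for the reservation/limit/shares settings the guide
# requires. Key names are assumed (see lead-in); sample files below are constructed.

vmx_get() {
  # vmx_get <file> <key>: print the unquoted value of <key>, or nothing if absent
  grep "^$2 = " "$1" | head -n 1 | sed 's/^[^=]*= *"\(.*\)"[[:space:]]*$/\1/'
}

audit_vmx() {
  # audit_vmx <file>: print one line per finding; return 0 if compliant, 1 otherwise
  f=$1; rc=0
  # CPU: Reservation = Maximum and Limit = Minimum means reservation == limit (MHz);
  # an unlimited limit is stored as -1 and therefore fails this test
  cpu_min=$(vmx_get "$f" sched.cpu.min); cpu_max=$(vmx_get "$f" sched.cpu.max)
  if [ -z "$cpu_min" ] || [ "$cpu_min" != "$cpu_max" ]; then
    echo "CPU reservation (${cpu_min:-none} MHz) must equal CPU limit (${cpu_max:-none} MHz)"; rc=1
  fi
  [ "$(vmx_get "$f" sched.cpu.shares)" = "normal" ] || { echo "CPU shares must be normal"; rc=1; }
  # Memory: all guest memory locked, reservation and limit equal to the configured size
  mem=$(vmx_get "$f" memSize)
  [ "$(vmx_get "$f" sched.mem.pin)" = "TRUE" ] || { echo "Reserve all guest memory (All locked) not set"; rc=1; }
  [ "$(vmx_get "$f" sched.mem.min)" = "$mem" ] || { echo "memory reservation must equal memSize ($mem MB)"; rc=1; }
  [ "$(vmx_get "$f" sched.mem.max)" = "$mem" ] || { echo "memory limit must equal memSize ($mem MB)"; rc=1; }
  [ "$(vmx_get "$f" sched.mem.shares)" = "normal" ] || { echo "memory shares must be normal"; rc=1; }
  # Disk: every virtual disk needs an IOPS cap (not "off") and normal shares
  for disk in $(sed -n 's/^\(scsi[0-9]*:[0-9]*\)\.fileName = .*/\1/p' "$f"); do
    cap=$(vmx_get "$f" "sched.$disk.throughputCap")
    case $cap in ''|off) echo "$disk has no IOPS limit"; rc=1 ;; esac
    [ "$(vmx_get "$f" "sched.$disk.shares")" = "normal" ] || { echo "$disk shares must be normal"; rc=1; }
  done
  return $rc
}

write_sample_vmx() {
  # write_sample_vmx <path> <yes|no>: constructed .vmx fragment for a 4 vCPU / 4 GB node,
  # either compliant (yes) or with an unlimited CPU limit and no disk IOPS cap (no)
  if [ "$2" = yes ]; then cap='"2000"'; cpu_max='"10000"'; else cap='"off"'; cpu_max='"-1"'; fi
  cat >"$1" <<EOF
numvcpus = "4"
memSize = "4096"
scsi0:0.fileName = "node.vmdk"
sched.cpu.min = "10000"
sched.cpu.max = $cpu_max
sched.cpu.shares = "normal"
sched.mem.min = "4096"
sched.mem.max = "4096"
sched.mem.pin = "TRUE"
sched.mem.shares = "normal"
sched.scsi0:0.throughputCap = $cap
sched.scsi0:0.shares = "normal"
EOF
}

# Stand-alone demonstration on the two constructed files
demo_dir=$(mktemp -d)
write_sample_vmx "$demo_dir/good.vmx" yes
write_sample_vmx "$demo_dir/bad.vmx" no
for v in good bad; do
  if audit_vmx "$demo_dir/$v.vmx"; then echo "$v.vmx: compliant"; else echo "$v.vmx: NOT compliant"; fi
done
```

Run it against a real node by pointing audit_vmx at the .vmx file on the datastore; each finding maps back to one of the vSphere client settings listed above.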

BIOS configuration

The BIOS of each Virtual Machine must be configured and secured after deployment. This ensures that the system boots from the correct devices and that this configuration cannot be modified by unauthorized personnel.

To do this:

  1. Use the vSphere client to edit the configuration of the VM to force it to boot into the BIOS as soon as it is powered on. This is usually found under VM Options > Boot Options as a configuration item named Force BIOS setup. This option should be selected to force entry to the BIOS on the next boot.
  2. Power on the Virtual Machine and open its console, which should contain the BIOS setup utility.
  3. Configure the boot order:
    1. Go to the Boot configuration page, and ensure that Hard Drive is the first entry.
    2. Expand the Hard Drive device tree and ensure that VMware Virtual SCSI Hard Drive (0:0) is the first entry.
  4. Configure the BIOS security:
    1. Go to the Security configuration page.
    2. Configure a Supervisor password to prevent unauthorized modification of the BIOS configuration.
  5. Save and exit.
    1. Go to the Exit configuration page.
    2. Select the Exit Saving Changes option.

Pexip Infinity Management Node deployment and bootstrap configuration

This section describes the steps needed to deploy the Pexip Infinity Management Node into the secure environment described above.

  1. Use the vSphere client to deploy the Management Node OVA onto the selected ESXi host system.

    See Installing the Management Node — VMware hypervisors for full instructions on how to do this.

    The VLAN ID used for the Management Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging), as the system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide.

  2. Log in to the Management Node console as the admin user. A password for this user must be set.
  3. Enter the admin user password to permit the installation wizard to start.
  4. Complete the installation wizard, ensuring that:

    • Enable incident reporting is set to no.
    • Send deployment and usage statistics to Pexip is set to no.

    On completion, the installation wizard will reboot the system.

  5. Use a web browser to connect to the Pexip Infinity Administrator interface and ensure that you can log in using the credentials configured in the installation wizard. Do not configure anything via the Administrator interface until after you have run the security wizard.
  6. Log in to the Management Node console as the admin user. Issue the following command:

    $ securitywizard

  7. Enter the admin user password to permit the security wizard to start.
  8. Complete the security wizard, providing answers as described below (note that when running the wizard, the values that are shown in brackets for each prompt indicate the default value for that setting):

    Setting (default)                                                   Value to enter
    -----------------                                                   --------------
    Enable FIPS compliance mode (NO)                                    YES
    Disable system administrator account (NO)                           YES
      (this applies to SSH and console access)
    Accept ICMPv6 redirects (NO)                                        NO
    Drop incoming packets to closed ports rather than reject (YES)      YES
    Accept multicast ICMPv6 echo requests (YES)                         NO
    Enable IPv6 Duplicate Address Detection (YES)                       NO
    SIP UDP listen port (5060) *                                        5060
    SIP TCP listen port (5060) *                                        5060
    SIP TLS listen port (5061) *                                        5061
    Active management web sessions (0) *                                100
    Active per-user management web sessions (0) *                       10
    Enable TLS < 1.2 (NO)                                               NO
    Enable Anonymous DH for outbound SIP/TLS (NO)                       NO
    Permit TLS <1.2 for inbound HTTPS (NO)                              NO
    Configure CCA-ID ("")                                               The CCA-ID to use in the SIP Contact header.
    Configure Resource-Priority prefix ("")                             The Resource-Priority prefix to use in the SIP header. The prefix should be uc or dsn.
    Enable FIR (NO)                                                     YES
    Enable AES128-SHA ciphersuite (NO)                                  NO
    Enable AES128-SHA ciphersuite for outbound SIP/TLS (YES)            NO
      (only applies when Enable AES128-SHA ciphersuite = NO)
    Tolerate iPAddress SubjectAlternativeNames in SIP/TLS certificates (NO)   NO
    Enable Referrer-Policy: same-origin on HTTP responses (YES)         YES
    Enable preload in HSTS header (NO)                                  NO
    Enable AES_CM_128_HMAC_SHA1_* SRTP ciphersuites (YES)               YES
    Enable TLSv1.2 CBC-mode ciphersuites (YES)                          YES
    Enable 2048-bit DH groups for H323 (NO)                             NO

    * The SIP listen ports and web session limits may be customized for the target environment, as appropriate.

    On completion, the security wizard will reboot the system. After the system has rebooted, no OS-level user access will be available on the system and it cannot be re-enabled (if Disable system administrator account = "YES"). Note that only the Management Node is rebooted automatically. If the security wizard is run after any Conferencing Nodes have been deployed, those Conferencing Nodes must be manually rebooted.

Pexip Infinity Conferencing Node deployment

When deploying Conferencing Nodes, note that:

  • Before deploying any Conferencing Nodes, you must complete the Management Node deployment and bootstrap configuration.
  • As the host system will be locked down according to the VMware ESXi Server Security Technical Implementation Guide:

    • All Conferencing Nodes should be deployed in accordance with Deploying a Conferencing Node on an ESXi host.
    • The VLAN ID used for the Conferencing Node must not conflict with existing reserved VLAN IDs and must not use VLAN ID 4095 (which is reserved for virtual guest tagging).

Pexip Infinity application configuration

This section describes the application-specific configuration required for Pexip Infinity to operate in a secure environment.

This configuration is performed using a web browser to access the Pexip Infinity Administrator interface. Log in to the Administrator interface using the credentials configured earlier in the installation wizard.

TLS certificates

This section describes the process for bootstrapping the PKI environment.

When a deployment is running in FIPS compliance mode, files in PFX format are not supported because they require the use of non-FIPS cryptography. This means that PKCS#12/PFX certificate bundles cannot be uploaded to Pexip Infinity, and exporting a certificate as a PFX file results in an empty file.

Management Node and Conferencing Node server certificates

The Pexip Infinity platform ships with default self-signed server certificates for the Management Node and each Conferencing Node. Because these certificates are self-signed, they will not be trusted by clients. Therefore you must replace these certificates with your own certificates that have been signed by a trusted certificate authority. You should also assign a Configured FQDN on each Conferencing Node that matches one of the entries in the TLS certificate.

For any deployments running in FIPS compliance mode, TLS private keys must comply with SP 800-56B. Private keys generated through the Pexip Infinity inbuilt CSR generator are compatible.

Creating a certificate signing request (CSR)

You can use Pexip Infinity's inbuilt Certificate Signing Request (CSR) generator to assist in acquiring a server certificate from a Certificate Authority.

The resulting CSR file contents should be submitted to the CA for signing. After the CA has signed the CSR, the certificate will be ready for uploading.

In deployments that do not use DNS resolution, the Common Name should contain the IP address of the Conferencing Node instead of an FQDN — to achieve this you need to use third-party tools such as the OpenSSL toolkit (http://www.openssl.org), available for Windows, Mac and Linux.
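For the no-DNS case just described, the following added shell example (not Pexip's inbuilt CSR generator) builds a request with the OpenSSL toolkit in which the Common Name is the node's IP address and the same address is also carried as an IP subjectAltName, then reads the CN and SAN back out of the request so they can be checked before the CSR is sent to the CA. The address 192.0.2.10 and the organisation name are constructed placeholders.

```shell
#!/bin/sh
# Added example: CSR for a Conferencing Node reached by IP address (no DNS resolution).
# Uses an OpenSSL config file so that both the subject CN and an IP SAN carry the address.

make_node_csr() {
  # make_node_csr <ip> <prefix>: writes <prefix>.key, <prefix>.cnf and <prefix>.csr
  ip=$1; p=$2
  cat >"$p.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
O = Example Org
CN = $ip
[ v3_req ]
subjectAltName = IP:$ip
EOF
  # RSA key, created with a restrictive umask so the private key is never world-readable
  (umask 077; openssl genrsa -out "$p.key" 2048 2>/dev/null)
  openssl req -new -key "$p.key" -config "$p.cnf" -out "$p.csr"
}

csr_cn() {
  # csr_cn <csr>: print the Common Name from the request's subject
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

csr_san() {
  # csr_san <csr>: print the requested subjectAltName value, e.g. "IP Address:192.0.2.10"
  openssl req -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

csr_self_verifies() {
  # csr_self_verifies <csr>: 0 if the request's signature checks out under its own public key
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone demonstration with a constructed documentation address
demo_dir=$(mktemp -d)
make_node_csr 192.0.2.10 "$demo_dir/node"
echo "CN:  $(csr_cn "$demo_dir/node.csr")"
echo "SAN: $(csr_san "$demo_dir/node.csr")"
csr_self_verifies "$demo_dir/node.csr" && echo "CSR signature verifies"
```

Submit the resulting .csr file to the CA; the private key stays on the system that will later upload the signed certificate together with that key.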

Uploading a certificate to a Pexip node

To upload a new TLS server certificate for the Management Node or a Conferencing Node:

  1. From the Pexip Infinity Administrator interface, go to Certificates > TLS certificates.
  2. Select Add TLS certificate.
  3. Complete the following fields:

    TLS certificate

    Paste the PEM-formatted certificate into the text area or alternatively select the file containing the new TLS certificate.

    You must upload the certificate file that you have obtained from the Certificate Authority (typically with a .CRT or .PEM extension). Do not upload your certificate signing request (.CSR file).

    The certificate must be valid for the DNS hostname or FQDN of the Management Node or Conferencing Node to which it will be assigned.

    You can paste multiple certificates into the text area, but one of those certificates must pair with the associated private key.

    Private key

    Paste the PEM-formatted private key into the text area or alternatively select the file containing the private key that is associated with the new TLS certificate.

    Private key files typically have a .KEY or .PEM extension. Pexip Infinity supports RSA and ECDSA keys.

    Private key passphrase

    If the private key is encrypted, you must also supply the associated passphrase.

    TLS parameters

    Optionally, paste any additional PEM-formatted parameters into the text area or alternatively select the file containing the parameters that are to be associated with the new TLS certificate.

    Custom DH parameters and an EC curve name for ephemeral keys can be added. Such parameters can be generated through the OpenSSL toolkit using the commands openssl dhparam and openssl ecparam. For example, the command openssl dhparam -2 -outform PEM 2048 generates 2048 bit DH parameters.

    Note that these parameters can alternatively be added 'as is' to the end of the TLS certificate.

    Nodes

    Select one or more nodes to which the new TLS certificate is to be applied.

    If required, you can upload a certificate and then apply it to a node later.

  4. Select Save.
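When several certificates are pasted into the TLS certificate field, exactly one of them has to pair with the private key supplied alongside it. The following added shell example, which is not part of the Pexip Infinity interface, splits a PEM bundle into its individual certificates and reports which one carries the public half of a given key, so the pairing can be confirmed before the upload. The two self-signed certificates and keys it uses are generated on the spot for the demonstration; the subject names are constructed.

```shell
#!/bin/sh
# Added example: find the certificate in a PEM bundle that pairs with a private key.
# Compares public keys in PEM form, so it works for both RSA and ECDSA keys.

split_bundle() {
  # split_bundle <bundle.pem> <outdir>: write cert-1.pem, cert-2.pem, ... in bundle order; print the count
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

cert_for_key() {
  # cert_for_key <bundle.pem> <key.pem>: print "<index> <subject>" for the certificate whose
  # public key matches the key (1-based position in the bundle); return 1 if none does
  d=$(mktemp -d)
  n=$(split_bundle "$1" "$d")
  want=$(openssl pkey -in "$2" -pubout)
  i=1
  while [ "$i" -le "$n" ]; do
    if [ "$(openssl x509 -in "$d/cert-$i.pem" -noout -pubkey)" = "$want" ]; then
      echo "$i $(openssl x509 -in "$d/cert-$i.pem" -noout -subject -nameopt RFC2253)"
      rm -rf "$d"; return 0
    fi
    i=$((i + 1))
  done
  rm -rf "$d"; return 1
}

make_demo_bundle() {
  # make_demo_bundle <dir>: two self-signed certificates (constructed subjects) concatenated
  # into bundle.pem, with node.key belonging to the second one and other.key to the first
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.crt" \
      -subj "/O=Example Org/CN=other.example" -days 30 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/node.key" -out "$d/node.crt" \
      -subj "/O=Example Org/CN=node.example" -days 30 2>/dev/null
  cat "$d/other.crt" "$d/node.crt" >"$d/bundle.pem"
}

# Stand-alone demonstration
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir"
if match=$(cert_for_key "$demo_dir/bundle.pem" "$demo_dir/node.key"); then
  echo "node.key pairs with certificate $match"
else
  echo "node.key pairs with no certificate in the bundle"
fi
```

The same comparison applies to a CA chain: the remaining certificates in the bundle should be the issuers of the matched one, which you can confirm with openssl verify once the trusted CA certificates described in the next section are in place.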

Trusted CA certificates

You must also upload the trusted Certificate Authority (CA) certificates for the secure environment. This must include any required chain of intermediate certificates for the CA that signed the server certificates. Note that the default set of trusted CA certificates that ship with Pexip Infinity are not used when FIPS compliance mode is enabled.

To manage the set of custom trusted CA certificates, go to either Certificates > Root Trust CA certificates (for root-level trusted CA certificates) or Certificates > Intermediate CA certificates (for intermediate CA certificates). These pages show a list and the current status of all the trusted and intermediate CA certificates that have been uploaded. From here you can:

  • Upload a file of trusted CA certificates: select Import, select Choose Files to pick one or more PEM files that you want to import, and then select Import.

    This adds the certificates in the selected files to the existing list of trusted root or intermediate CA certificates (or to the list of TLS certificates, depending on the certificate types contained in the file). If a certificate with the same subject name already exists (e.g. when replacing an expired certificate), the new certificate is uploaded alongside the original certificate (unless the issuer and serial number details are identical, in which case the existing certificate is updated with the new contents from the file).

  • View or modify an existing certificate: select the Serial number of the certificate you want to view. The decoded certificate data is shown.

    If required, you can modify the PEM-formatted certificate data, or in the Advanced options for an intermediate certificate you can select Trusted intermediate (which instructs Pexip Infinity to use that certificate in the TLS verification chain), and select Save.

  • Download all certificates: select Export. A ca-certificates.pem file containing all of the custom-added certificates in PEM format is created and automatically saved to your local file system.
  • Delete one or more certificates: select the boxes next to the certificates to be deleted, and from the Action drop-down menu select Delete selected certificates and select Go.

IPv6 (optional)

If required, configure the IPv6 address and IPv6 gateway addresses of the Management Node and each Conferencing Node.

To configure these addresses:

  • Go to Platform > Management Node and click on the name of the Management Node.
  • Go to Platform > Conferencing Nodes and click on the name of the Conferencing Node.

Global settings

Go to Platform > Global settings and review — and modify where required — the following settings:

  Connectivity

    Enable SIP, Enable H.323, Enable WebRTC, Enable RTMP
      Review the call protocols (SIP, H.323, WebRTC and RTMP) and disable those protocols you do not need to support.

    Enable support for Pexip Infinity Connect clients and Client API
      Disable support for these applications.

    DSCP value for management traffic
      Set a DSCP value for management traffic sent from the Management Node and Conferencing Nodes. We recommend a value of 16.

    Enable SSH
      Disable this option.

    Media encryption
      Set this to Required.

  Port ranges

    Signaling port range start and end
      Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for signaling.

    Media port range start and end
      Verify the range of ports (UDP and TCP) that all Conferencing Nodes are to use for media.

  Security

    OCSP state and OCSP responder URL
      Set this to Override and specify the OCSP responder URL to which OCSP requests will be sent.

    SIP TLS certificate verification mode
      Set this to On.

  External system integration

    Enable HTTP access for external systems
      Ensure that this option is disabled.

  Management web interface configuration

    Login banner text
      Configure this field with some appropriate text for your deployment.

    Enable management web interface session timeout
      Enable this option.

    Management web interface session timeout
      Set this to 10 minutes or other timeout value suitable for your deployment.

Configure administrator accounts and authentication settings

You must configure the Pexip Infinity platform to authenticate and authorize login accounts via a centrally-managed LDAP-accessible server.

Administrator roles

  1. Go to Users & Devices > Administrator roles.
  2. Select the existing Read-only role and remove the following permissions:

    • May view logs
    • May generate system snapshot
    • May create/delete packet capture
    • May download packet capture
    • May create/delete system backup
    • May download system backup
  3. Select the existing Read-write role and remove the following permissions:

    • May view logs
    • May generate system snapshot
    • May create/delete packet capture
    • May download packet capture
    • May create/delete system backup
    • May download system backup
  4. Create an Auditor role:

    1. Select Add role.
    2. Specify a Name of "Auditor".
    3. Assign the following permissions to the role:

      • Is an administrator
      • May use web interface
      • May use API
      • May view logs
      • May generate system snapshot
      • May create/delete packet capture
      • May download packet capture
      • May create/delete system backup
      • May download system backup
    4. Save the role.

LDAP server connection details

You must configure the details of the LDAP-accessible server and set the system to authenticate against the LDAP database and locally (for "last resort" contingency access):

  1. Go to Users & Devices > Administrator authentication.
  2. Set the Authentication source to LDAP database and local database.
  3. In the LDAP configuration section, specify the connection details for the LDAP-accessible server.
  4. Save the settings.

LDAP group to role mapping

LDAP role mappings are used to map the LDAP groups associated with LDAP user records to the Pexip Infinity administrator roles. You must configure a separate LDAP role mapping for each LDAP group for which you want to map one or more Pexip Infinity administrator roles.

  1. Go to Users & Devices > LDAP role mappings.
  2. Select Add LDAP role mapping.
  3. Configure the role mapping:

    Name
      Enter a descriptive name for the role mapping.

    LDAP group DN
      Select the LDAP group against which you want to map one or more administrator roles.

      The list of LDAP groups is only populated when there is an active connection to an LDAP server (Users & Devices > Administrator authentication).

      Note that the LDAP groups used for role mappings cannot be pre-defined AD groups such as Domain Users; they must be explicitly configured custom groups.

    Roles
      Select from the list of Available roles the administrator roles to associate with the LDAP group and then use the right arrow to move the selected roles into the Chosen Roles list.
  4. Save the role.
  5. Configure as many LDAP role mappings as required, ensuring that every administrator role is mapped to at least one LDAP group.

Enable certificate-based authentication

This configuration requires administrators to log in to the Pexip Infinity Administrator interface by presenting (via their browser) a client certificate containing their user identification details.

  1. Install suitable client certificates into the certificate stores of the browsers to be used by the Pexip Infinity administrators. The identities contained in the certificates must exist in the LDAP database.
  2. Go to Users & Devices > Administrator authentication.
  3. Set Require client certificate to one of the Required options as appropriate for your installation:

    Required (user identity in subject CN): administrators identify themselves via the identity contained in the subject CN (common name) of the client certificate presented by their browser.

    Required (user identity in subjectAltName userPrincipalName): administrators identify themselves via the identity contained in the subjectAltName userPrincipalName attribute of the client certificate presented by their browser.

  4. Save the settings.

    When a client certificate is required, the standard login page is no longer presented. Administrators will not be able to access the Pexip Infinity Administrator interface or the management API if their browser does not present a valid certificate that contains a user identity which exists in the selected Authentication source.

Configure "last resort" contingency local account access

In case of prolonged lack of access to the LDAP-accessible server, a method of "last resort" access is required. This allows administrative access to the local Pexip Infinity administrator account via a securely-held certificate. To set this up:

  1. Create a self-signed certificate for the local administrator account:

    1. Create a certificate generator script:

      cat >mkcert <<ENDSCRIPT
      #!/usr/bin/env bash
      
      set -e
      
      # Generate a self-signed user certificate for the "last resort" local account.
      # The username is required: without it the files would be written as ".key" etc.
      USER=\${1:?usage: mkcert <username>}
      
      # Keep the private key and the PKCS#12 bundle readable only by the current user
      umask 077
      
      # Extensions for the user certificate. CA:TRUE and keyCertSign are deliberate:
      # the certificate is uploaded to Pexip Infinity as a trusted CA certificate below.
      # The otherName OID is the Microsoft userPrincipalName (UPN) subjectAltName form.
      cat >cba.cnf <<EOF
      [ usr_cert ]
      
      basicConstraints=CA:TRUE
      keyUsage=digitalSignature,keyEncipherment,keyCertSign
      subjectKeyIdentifier=hash
      authorityKeyIdentifier=keyid,issuer
      subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:\${USER}
      EOF
      
      # Private key and request; the validity period belongs on the x509 step, not on req -new
      openssl genrsa -out \${USER}.key 4096
      openssl req -new -key \${USER}.key -subj "/O=Users/CN=\${USER}" -out \${USER}.csr
      openssl x509 -req -days 3650 -in \${USER}.csr -signkey \${USER}.key -extfile cba.cnf -extensions usr_cert -set_serial 01 -out \${USER}.pem
      
      # Convert user certificate to PKCS12 format for import into browser
      openssl pkcs12 -export -out \${USER}.p12 -inkey \${USER}.key -in \${USER}.pem
      
      # Remove the working files; only the .pem and .p12 are kept
      rm cba.cnf
      rm \${USER}.csr
      rm \${USER}.key
      ENDSCRIPT
    2. Set its permissions:

      chmod 755 mkcert

    3. Invoke it:

      ./mkcert <username>

      Where <username> is the Web administration username that you set up in the Pexip Infinity installation wizard.

    A pair of Export Password prompts will appear — blank entries are permitted (if no export password is desired). Site-specific policy should be followed, however.

    The result will be two files in the current directory:

    • <username>.pem: the user's public certificate.
    • <username>.p12: the PKCS#12 bundle containing the user's certificate and private key.

    The script generated above will issue a certificate valid for 10 years. It is a site-specific responsibility to ensure the continued validity of <username>.p12 and to rerun this process before it expires.

  2. It is a site-specific responsibility to ensure that <username>.p12 (and any associated Export Password) is secured in a safe.
  3. Configure Pexip Infinity to trust this certificate:

    1. Go to Platform > Trusted CA Certificates.
    2. Select Import and choose <username>.pem in the file browser.
    3. Select Import to upload the certificate.
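Keeping the "last resort" bundle valid is a site responsibility, and the check should not require extracting the private key from the safe copy. The following added shell example (not part of the Pexip guide) reads only the certificate out of a <username>.p12 bundle and reports whether it expires within a given number of days, distinguishing that from a bundle that cannot be opened at all (wrong Export Password or corrupt file). The bundle, username and passphrase are constructed for the demonstration, with a one-day lifetime so that the expiry branch is exercised.

```shell
#!/bin/sh
# Added example: expiry check on the certificate inside a PKCS#12 "last resort" bundle.

make_demo_p12() {
  # make_demo_p12 <dir> <username> <days> <passphrase>: self-signed certificate and .p12
  # bundle built the same way as the mkcert script above (constructed demo inputs)
  d=$1; u=$2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/$u.key" -out "$d/$u.pem" \
      -subj "/O=Users/CN=$u" -days "$3" 2>/dev/null
  openssl pkcs12 -export -out "$d/$u.p12" -inkey "$d/$u.key" -in "$d/$u.pem" -passout "pass:$4"
  rm "$d/$u.key"
}

p12_cert_expires_within() {
  # p12_cert_expires_within <bundle.p12> <passphrase> <days>:
  #   0 if the certificate expires within <days>, 1 if it stays valid beyond that window,
  #   2 if the bundle cannot be opened (wrong passphrase, missing or corrupt file)
  pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null) || return 2
  # x509 -checkend returns 0 when the certificate is still valid for the whole window;
  # the "Bag Attributes" header lines printed by pkcs12 are skipped by the PEM reader
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Stand-alone demonstration: a bundle valid for one day, checked against a 30-day window
demo_dir=$(mktemp -d)
make_demo_p12 "$demo_dir" admin 1 example-passphrase
p12_cert_expires_within "$demo_dir/admin.p12" example-passphrase 30
case $? in
  0) echo "admin.p12: certificate expires within 30 days, rerun mkcert" ;;
  1) echo "admin.p12: certificate valid beyond 30 days" ;;
  2) echo "admin.p12: bundle could not be opened" ;;
esac
```

Run the check on a copy of the real bundle from a scheduled job, feeding the Export Password from a secrets store rather than the command line, and treat a return of 2 as an incident in its own right, since it means the contingency credential is unusable.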

Using the "last resort" local account access

If needed, due to prolonged lack of access to the LDAP-accessible server, you can access the Administrator interface via the local administrator account:

  1. Remove <username>.p12 from the safe, and add it to the appropriate browser's certificate store. For example:

    • In Firefox, browse to about:preferences#privacy, select View Certificates, select Import, and choose <username>.p12.
    • In Chrome, browse to chrome://settings/security > Manage certificates, select Import, and choose <username>.p12.

    (Note that these browser-usage guidelines are subject to change, and depend on the current browser software version.)

  2. You can now log in to the Administrator interface via the local administrator account.

Note that the "SSH password" is never used, as SSH access is disabled.

Securing network services

DNS servers

Configure at least two DNS servers (System > DNS servers).

NTP servers

Configure at least two NTP servers (System > NTP servers).

The configuration for each NTP server must include key authentication credentials.

Remote syslog servers

Configure at least one remote syslog server (System > Syslog servers).

SNMP

Configure the Management Node and each Conferencing Node to use secure SNMPv3:

  1. Go to Platform > Management Node and click on the name of the Management Node.
  2. Set SNMP mode to SNMPv3 read-only.
  3. Configure the SNMPv3 credentials (SNMPv3 username, privacy password and authentication password) for this SNMP agent to match those used in requests from the SNMP management station.
  4. Change the SNMP community to something other than "public".
  5. Save the SNMP settings for the Management Node.
  6. Apply the same configuration settings to each Conferencing Node (go to Platform > Conferencing Nodes and click on the name of each Conferencing Node in turn).

Secure SNMPv3 read-only mode uses SHA1 authentication and AES 128-bit encryption.

Location DSCP tags and MTU

Configure DSCP tags for signaling and media, and set the MTU size for each location:

  1. Go to Platform > Locations.
  2. Select the first location.
  3. Configure the DSCP tags. We recommend:
    • DSCP value for media is set to 51.
    • DSCP value for signaling is set to 40.
  4. Configure the MTU. We recommend a value of 1400 bytes to account for the overhead associated with the encryption headers.
  5. Save the settings.
  6. Repeat for every other location.

Contingency deployment

We recommend that you maintain a secondary deployment that you can switch to in the event that your primary deployment fails or is compromised.

  • This fallback system should mimic the primary installation.
  • It should be deployed without licensing.
  • After the fallback system has been configured, all VMs should be completely powered off and remain off until required.

If the primary deployment is compromised and must be torn down, you should contact your Pexip authorized support representative to return the original license key and then re-activate the same license on the fallback system after it has been brought up.

Backing up configuration

We recommend that you take regular backups of your Pexip Infinity configuration so that up-to-date configuration can be restored to your contingency deployment or to a new deployment if needed.

There are two ways to maintain copies of your Management Node configuration data:

  • Take a VMware snapshot of the Management Node VM.
  • Use the backup and restore mechanism built into the Pexip Infinity Administrator interface.

In both cases you should follow site-specific guidelines for the backup policy and storage of backup files.