Trusted Devices: trial, orderability and configuration

Trusted devices is an add-on for customers with Microsoft Teams CVI or Google Meet interoperability that allows lobby-bypass for SIP video endpoints that are not registered to the service — this enables them to join the interop meeting directly and not have to wait to be admitted by the meeting host.

Video endpoints that are registered on the service under the same company that has the Teams CVI / Google Meet interop service do not need a trusted device license — they are automatically treated as trusted and can bypass the Teams / Google Meet lobby.

With trusted devices, lobby-bypass can be enabled for:

  • Endpoints that are not registered on the Pexip Service.
  • Endpoints that are registered on the Pexip Service, but are part of a different company (for example where a large organization is managed as different companies within the Pexip Service).

How it works

Each type of trust method works in different ways.

Non-registered SIP endpoints

Pexip offers two ways to trust non-registered SIP endpoints:

  • SIP authentication (recommended): this is defined as a challenge rule in the Partner Portal.
  • IP address: this is defined as a trust rule in the Partner Portal.

You can use a combination of both methods.

SIP authentication

When using SIP authentication:

  • The video endpoint calls from a domain that the Pexip Service is configured to challenge. After providing authentication, the call bypasses the lobby. If it does not provide authentication, the call disconnects.
  • If the call is from a domain that is not set up to be challenged, the user is placed in the lobby.

This is the most secure trust option. It requires that the customer's SBC can authenticate on behalf of its clients. (Pexip can provide the customer with a username/password to be used.)

Pexip supports challenging multiple domains per customer.

IP address

When using IP address authentication:

  • The endpoint is trusted if the call comes from a pre-configured list of IP addresses. This assumes that the customer's call control system is correctly configured to validate the endpoint, and that it only relays their own traffic to the Pexip Service.
  • Any calls not coming from an approved IP address are placed in the lobby.
  • You can further restrict this rule to only include endpoints coming from a specific domain. This is useful when multiple companies share one call control infrastructure.

Pexip supports multiple IP addresses / network masks.

Registered endpoints with a different company

To trust endpoints that are registered on the Pexip Service but belong to a different company, Pexip simply needs to know which (one or more) companies should be trusted when the company with the Teams / Google Meet interop license has a Teams / Google Meet meeting. All of the registered endpoints with those associated companies will then bypass the Teams / Google Meet lobby.

Supported devices and call control systems

Any SIP (2.0) compatible system is supported.

Non-SIP calls, e.g. H.323, are not supported. Any such calls bypass any policy rules and are handled as if no rules have been set.

We have tested against self-hosted Pexip Infinity and we also expect other session border controller (SBC) systems to work successfully. Note that the Cisco Expressway is not a suitable system for use with the SIP authentication method (however, IP address trust works correctly with Expressway).

Trials, paid licenses and orderability

This section describes how to create a Trusted Device while in Evaluation mode, order a Trusted Device paid license, and how to order additional Trusted Device licenses.

Creating a Trusted Device while in Evaluation mode

When Evaluation mode is open, you can configure your trusted device rules as described below (this is the same process as with a paid license).

When the company's evaluation period closes, all active rules become deactivated.

Ordering a Trusted Device paid license

To order a Trusted Device paid license:

  1. In the Purchasing tab, select .
  2. Select the Trusted Device License and submit the order by following the standard orderability wizard. Note that the license quantity is the number of third-party endpoints to be trusted.

  3. You can then configure your trusted device rules as described below.

Ordering additional Trusted Device licenses

To order additional trusted licenses:

  1. In the Purchasing tab, select the Actions menu for the Trusted Device License, and select the Edit Plan option.

  2. Set the new total number of licenses needed — one per video endpoint that needs to be trusted — and then follow the standard orderability wizard to submit the order.

    Note that you will receive the same number of Endpoint subscription licenses and Trusted Device licenses.

Configuring trusted devices

This section explains how to set up trusted devices for a company.

Registered endpoints with a different company

You cannot currently configure this yourself via the Partner Portal. Please contact your Pexip account manager with the details (Partner Portal URLs) of the companies to be trusted by the company with the Teams / Google Meet interop license.

Non-registered endpoints

You can use the Partner Portal to configure the trusted devices for each company, under the Interop tab. You can add one or more rules as required for each company:

  • One or more trusted calling domains with SIP Authentication
  • One or more trusted IP Trust addresses or networks
  • You can combine SIP Authentication and IP Trust criteria

Using Challenge and Trust rules

When using a Policy action of Challenge:

  • Trust is based on the calling party domain (From domain) plus SIP authentication.
  • The SIP Username and Password required for authentication are automatically generated as a suggestion. However, the customer can provide their own values to be used instead.
  • Each calling party domain to be trusted should be configured individually.

When using a Policy action of Trust:

  • Trust is based on the calling party source IP address or IP network.
  • Configure the Source IP Address with either a specific IP address (/32), or with an IP host network and netmask in CIDR notation.
  • Lists of IP addresses are not accepted – you must enter lists of /32 IP addresses one by one.

An IP address specified without a netmask is assumed to be a /32 address.

When setting an IP host network and network mask, set the IP network and network mask explicitly.

Finally, if sharing call control infrastructure between multiple companies, use the optional From domain field to only trust devices coming from this particular domain and IP address/mask.

The tool does not automatically determine the IP network for you if you use a specific host address and a network mask, e.g. 176.121.88.66/21.
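A pre-check for values destined for the Source IP Address field of a Trust rule, as an added example (not Pexip's code and not part of the Partner Portal). It flags host addresses entered with a network mask, such as 176.121.88.66/21, and reports the network to enter instead along with how many addresses the rule would trust. The function name, the result fields and the other sample entries are constructed, and IPv4 is assumed because the page speaks of /32 addresses.

```python
import ipaddress


def check_source_entry(entry: str) -> dict:
    """Classify one value intended for a Trust rule's Source IP Address field."""
    text = entry.strip()
    result = {"input": entry, "ok": False, "reason": "", "use": None, "addresses": 0}

    # Lists are not accepted: every address has to be entered one by one.
    if any(sep in text for sep in (",", ";", " ")):
        result["reason"] = "list"
        return result

    try:
        # IPv4Interface keeps the host address and derives the enclosing network.
        iface = ipaddress.IPv4Interface(text)
    except ValueError:
        result["reason"] = "invalid"
        return result

    network = iface.network  # host bits cleared
    result["use"] = str(network)
    result["addresses"] = network.num_addresses  # size of the trusted range

    if "/" not in text:
        # No netmask given: treated as a single /32 host.
        result.update(ok=True, reason="host (/32 assumed)")
    elif iface.ip != network.network_address:
        # Host address combined with a mask: the tool will not derive the
        # network, so the operator has to enter result["use"] explicitly.
        result["reason"] = "host bits set"
    else:
        result.update(ok=True, reason="network")
    return result


if __name__ == "__main__":
    # Constructed sample entries; only 176.121.88.66/21 comes from the page.
    samples = [
        "176.121.88.66",
        "176.121.88.66/21",
        "198.51.100.0/24",
        "192.0.2.10, 192.0.2.11",
    ]
    for s in samples:
        r = check_source_entry(s)
        print(f"{s!r:28} ok={r['ok']!s:5} {r['reason']:18} "
              f"use={r['use']} addresses={r['addresses']}")
```

The `addresses` count is worth reviewing before a rule is activated, because every call relayed from any address in that range bypasses the lobby.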

Enabling rules

All rules are set in an inactive state by default, and you have to manually activate them to enable them for production use. When a rule is marked active, the trusted devices policy will be enabled within a few minutes.

Activating a challenge rule before the customer configures their call control with credentials on their side will result in failed calls. Therefore, make sure to coordinate activating the challenge rule with configuring the customer's call control credentials.