Deploying the VMR self-service portal

Pexip provides the VMR portal appliance via an OVA template suitable for deployment on VMware ESXi. The OVA template is provided "as-is" as a reference installation that is suitable for integrating with an existing Pexip Infinity deployment.

If you need to re-run the installation wizard, perform further manual customization or replace the VMR portal's default certificate, see Extra configuration and maintenance tasks for the VMR self-service portal.

Firewall and DNS requirements

We recommend deploying the VMR portal in a suitably secured internal network segment.

The following table lists the ports/protocols used to carry traffic between end-users, the VMR portal, the Management Node and the LDAP server.

| Source address | Source port | Destination address | Destination port | Protocol | Notes |
| --- | --- | --- | --- | --- | --- |
| End-user client browser | <any> | VMR portal | 80/443 | TCP (HTTP/HTTPS) | End-user access to portal |
| VMR portal | <any> | Management Node | 443 | TCP (HTTPS) | Retrieve/update VMR configuration |
| VMR portal | <any> | LDAP server | 636 | TCP | End-user authentication |
| Management Node | 55000–65535 | LDAP server | 389 / 636; 3268 / 3269 | TCP | LDAP; AD global catalog searches. (If the VMR portal uses an LDAP account for management API authentication.) |

Port requirements for the VMR portal

Installing the VMR portal

Deployment steps

Downloading the OVA template

Download the latest version of the Pexip VMR self-service portal template from https://dl.pexip.com/vmrportal/index.html to the PC running the vSphere web client.

After downloading the OVA file, we recommend that you verify its integrity by calculating the MD5 sum of the downloaded file (for instance using WinMD5 Free from www.winmd5.com) and comparing it with the corresponding MD5 sum in the file readme.txt (located in the same download location as the OVA images).
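The same comparison can be scripted. The following is an added example, not part of the Pexip documentation: it hashes the downloaded OVA and looks for that sum in a saved copy of readme.txt. The layout of readme.txt is not assumed, and the script name and file arguments are placeholders.

```python
import hashlib
import sys
from pathlib import Path


def md5_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a large OVA is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matching_readme_lines(ova_path, readme_path):
    """Return the readme lines that contain the OVA's MD5 sum.

    The layout of readme.txt is not assumed: any line carrying the computed
    digest (compared case-insensitively) counts as a match, and the caller
    sees the whole line so the file name listed beside the sum can be checked.
    """
    actual = md5_of_file(ova_path)
    text = Path(readme_path).read_text(encoding="utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if actual in line.lower()]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_ova.py <downloaded.ova> <readme.txt>")
    hits = matching_readme_lines(sys.argv[1], sys.argv[2])
    if not hits:
        sys.exit("MD5 MISMATCH: sum not listed in readme, download the file again")
    for line in hits:
        print("MD5 match, readme entry:", line)
```

A match shows that the file arrived intact. Confirm that the readme entry printed is the one for the image you intended to download.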

Deploying the OVA template

We recommend 2 cores and 2 GB RAM for the host server VM.

To deploy the OVA template:

  1. Using the vSphere web client, go to Hosts and clusters, click File and Deploy OVF Template (this option accepts OVA files).
  2. During the OVA deployment, we recommend that you use the default options. Also make sure to assign the correct VMware network/port group for the network interface of the virtual machine.
  3. After the OVA template has been deployed, power on the newly-created virtual machine.

Setting the password for SSH/console access

After the virtual machine has powered on, open the VMware console for the VMR portal virtual machine: right-click on the virtual machine in the vSphere client and choose Open Console.

Before you can start the install wizard, you must change the password. To do this:

  1. Log in as user pexip with password PEXIP (these are case sensitive).
  2. You are prompted again for the default password.
  3. You are prompted to set a new account password. To do this you must enter the new password twice. The password must:

    • have a minimum of 8 characters
    • satisfy at least 3 out of the following 4 conditions:

      • one lower case character
      • one upper case character
      • one special character
      • one digit.
  4. After setting the new password, the install wizard starts and you log in again with the new password.

Completing the installation wizard

The installation wizard is divided into several steps, which are explained below.

Note that all IP addresses in this guide are examples only — actual IP addressing is deployment specific.

The following table shows, for each step, the prompt text that is shown, an explanation of the step and some example input where appropriate. If you subsequently rerun the installation wizard, the default values for the questions use the answers from the previous run (if they are still valid).

1 VMR Portal Network / NIC Configuration

  1.1 Enter the hostname for the virtual machine
      Example value: vmrportal
      Description: The hostname of the VMR portal.
      Default: vmrportal
      If the wizard is being rerun you are instead first asked "Do you want to reconfigure the network?". If you answer "no" you are taken to step 2.

  1.2 Enter the IP address and network mask for the virtual machine in CIDR format
      Example value: 10.0.0.10/24
      Description: You must enter the IP address and netmask in CIDR notation.

  1.3 Enter the gateway address for this interface
      Example value: 10.0.0.1
      Description: The IP address of the VM's default gateway.

  1.4 Enter one or more DNS servers to use
      Example value: 8.8.8.8, 8.8.4.4
      Description: A comma-separated list of DNS server IP addresses. The DNS servers must be able to resolve the addresses of the LDAP server and the Management Node.
      Default: 8.8.8.8, 8.8.4.4 or as detected from DHCP

  1.5 Do you want to restrict SSH access to a specific IP range?
      Example value: Yes
      Description: For added security you can restrict SSH access to this VM to a specific range of IP addresses.
      Default: No

  1.6 Enter an IP range in CIDR notation
      Example value: 10.0.0.0/8
      Description: If you answered Yes to the previous question you are asked to enter the IP address range of the management workstations.

2 Pexip Infinity Management Node

  2.1 Enter the IP address or FQDN of the Management Node
      Example value: pexipmgr.example.com
      Description: The IP address or FQDN of the Pexip Infinity Management Node.

  2.2 Enter the Management Node username
      Example value: vmrportal
      Description: The VMR portal uses the Management Node API to access the Pexip Infinity platform and to view and update the VMR settings.
      We recommend that you set up a specific user and Administrator Role for VMR portal access. The role must have the Is an administrator, May use API, May view VMR configuration and May modify VMR configuration permissions.
      See Managing administrator access via LDAP for more information.

  2.3 Enter the password for that username
      Description: The password associated with the username entered in the previous step.

  2.4 Do you want to verify the Management Node's certificate?
      Example value: Yes
      Description: Whether or not to verify that the certificate presented by the Management Node is valid before the connection is allowed.
      Note that the VMR portal ships with an inbuilt list of trusted CA certificates. This list is the ca-certificates package from Ubuntu and cannot be modified.
      Default: Yes

  2.5 Enter the base URL for the Infinity Connect web app
      Example value: px01.vc.example.com
      Description: This is used to construct the join URL for this VMR for Infinity Connect web app users.
      The address entered here should typically match the hostname of the DNS record for a Conferencing Node (or reverse proxy).

3 LDAP Configuration

  3.1 Enter the LDAP server address
      Description: The address of the LDAP server used to authenticate the end-user when they sign in via the VMR portal.
      Enter the domain name (for DNS SRV lookup), FQDN (for DNS A/AAAA lookup) or IP address of the LDAP server. If using a domain or an FQDN, ensure that it is resolvable over DNS.
      We strongly recommend that you do not use an IP address. If an IP address is used, and a TLS connection is required, this will only work if the IP address is specified as the common name in the LDAP server's certificate.

  3.2 Enter the port for this LDAP server
      Example value: [Enter] (use default)
      Description: The destination port on the LDAP server.
      Default: 636

  3.3 Enter the LDAP service account username
      Description: The username of the bind account on the LDAP server. This should be a domain user service account, not the Administrator account.

  3.4 Enter the password for this service account
      Description: The password associated with the service account username.

  3.5 Do you want to use SSL with LDAP?
      Example value: Yes
      Description: The system will always attempt initially to establish a secure TLS connection with the LDAP server.
      No: allows the system to fall back to a TCP connection and credentials are sent in the clear over the network.
      Yes: the system must establish a secure TLS connection to the LDAP server; it cannot fall back to a TCP connection.
      Default: Yes
      We strongly recommend that you do not use No (TCP connection). This option is only suitable for a test/lab environment as credentials are sent in the clear over the network.

  3.6 Enter the LDAP base DN
      Example value: dc=example,dc=com
      Description: The base DN (distinguished name) of the LDAP forest to query.
      Default: ou=user,dc=domain,dc=tld

  3.7 Enter the LDAP user search filter
      Example value: [Enter] (use default)
      Description: The LDAP filter used to find user records when given the user name. The filter may contain {username} to indicate locations into which the username is substituted.
      Default: (&(objectClass=user)(|(sAMAccountName={username})(mail={username})))

  3.8 Do you want to change the LDAP attribute names?
      Example value: [Enter] (use default)
      Description: If required you can change the names of the LDAP search attributes that are used to find the user records and to match VMR ownership.
      If you answer "no" you are taken to step 4.
      Default: No

  3.8.a Enter the username attribute
      Default: sAMAccountName

  3.8.b Enter the firstname attribute
      Default: givenName

  3.8.c Enter the surname attribute
      Default: sn

  3.8.d Enter the mail attribute
      Description: This attribute is used to match against the VMR owner's email address field to determine which VMR's configuration can be modified.
      Default: mail

4 VMR Portal Configuration

  4.1 Minimum number of Host PIN digits
      Example value: 6
      Description: This and the following 3 questions allow you to configure the rules for whether Host and Guest PINs are required, and if so, their minimum length.
      PINs, when used, must be between 4–20 digits long.
      Ensure that the values you enter here are compatible with any VMR sync templates you use to initially provision the VMR PINs.
      Default: 4

  4.2 Allow empty Host PINs?
      Example value: No
      Default: No

  4.3 Minimum number of Guest PIN digits
      Example value: 6
      Default: 4

  4.4 Allow empty Guest PINs?
      Example value: No
      Default: No

  4.5 Enter the portal session timeout (in seconds)
      Description: You must enter a timeout value, with a minimum value of 300 seconds.
      Default: 3600

  4.6 Do you want to regenerate the SSH host keys?
      Description: Only appears when re-running the installation wizard. (They are always generated automatically on first run.)
      Default: No

  4.7 Do you want to regenerate self-signed SSL certificates and DH parameters?
      Description: Only appears when re-running the installation wizard. (They are always generated automatically on first run.)
      Default: No

5 Customize Portal Wording

  5.1 Do you want to customize the portal's wording?
      Description: Allows you to configure the name and description of the VMR portal as it appears to the end-user. The following 3 questions only appear if you answer "Yes".
      Default: No

  5.2 Enter the portal title to show on the sign in page
      Default: "My Room Settings"

  5.3 Enter the description text shown on the sign in page
      Default: "All of your virtual meeting room settings in one place."

  5.4 Enter the portal title to show in the navigation bar
      Default: "My Room Settings"

When all of the installation wizard steps have been completed, the VMR portal will automatically reboot.

After the VMR portal has started up again it will be ready for use — users will now be able to sign in to the VMR portal (via the virtual machine's address) and configure their VMR settings.
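If you replace the default LDAP user search filter in step 3.7, it helps to preview the search it produces before entering it in the wizard. The following is an added example, not Pexip code: it checks a filter template and expands {username} so the result can be tried in an LDAP client. The checks and the RFC 4515 escaping of the login name are choices made by this example, and the login names are constructed.

```python
# Default filter from step 3.7 of the wizard.
DEFAULT_FILTER = "(&(objectClass=user)(|(sAMAccountName={username})(mail={username})))"

# RFC 4515: these characters must appear as \XX inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a login name so it is matched literally by the directory."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_filter_template(template):
    """Return a list of problems in a filter template (empty list = usable)."""
    problems = []
    if "{username}" not in template:
        problems.append("template never references {username}")
    if not (template.startswith("(") and template.endswith(")")):
        problems.append("filter is not enclosed in parentheses")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems


def expand_filter(template, username):
    """Substitute an escaped username at every {username} location."""
    problems = check_filter_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("{username}", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed login names, including ones with filter metacharacters.
    for name in ["alice", "alice@example.com", "O'Brien (contractor)", "j*"]:
        print(expand_filter(DEFAULT_FILTER, name))
    # A custom filter with a missing closing parenthesis is rejected.
    print(check_filter_template("(&(objectClass=user)(uid={username})"))
```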

Additional steps

If you need to re-run the installation wizard, perform further customization or replace the VMR portal's default certificate, see Extra configuration and maintenance tasks for the VMR self-service portal.

Performance and API guidelines

Note that as the VMR portal uses the Pexip Infinity management API to apply VMR configuration updates, it is subject to the same performance guidelines as any other management API requests.

Contact your Pexip authorized support representative if you expect a large number (100+) of concurrent updates to be requested via the VMR portal.