Deploying the VMR self-service portal

Pexip provides the VMR portal appliance via an OVA template suitable for deployment on VMware ESXi. The OVA template is provided "as-is" and provides a reference installation which is suitable for integrating with an existing Pexip Infinity deployment.

If you need to re-run the installation wizard, perform further manual customization or replace the VMR portal's default certificate, see Extra configuration and maintenance tasks for the VMR self-service portal.

Firewall and DNS requirements

We recommend deploying the VMR portal in a suitably secured internal network segment.

The following table lists the ports/protocols used to carry traffic between end-users, the VMR portal, the Management Node and the LDAP server.

Source address Source port Destination address Destination port Protocol Notes
End-user client browser <any> VMR portal 80/443 TCP (HTTP/HTTPS) End-user access to portal
VMR portal <any> Management Node 443 TCP (HTTPS) Retrieve/update VMR configuration
VMR portal <any> LDAP server 636 TCP End-user authentication
Management Node 55000–65535 LDAP server 389 / 636, 3268 / 3269 TCP LDAP, AD global catalog searches (If the VMR portal uses an LDAP account for management API authentication.)

By default, the VMR portal requires access to NTP servers on the public internet. However, you can configure alternative NTP server addresses.

Port requirements for the VMR portal

Installing the VMR portal

Deploying the VMR portal involves the following steps:

We recommend 2 cores and 2 GB RAM for the host server VM.

Downloading the OVA template

Download the latest version of the Pexip VMR self-service portal template (vmrportal_<version-build>-release.ova) from https://dl.pexip.com/vmrportal/index.html to the PC running the vSphere web client.

We recommend that you verify the integrity of the OVA file after downloading it, by calculating the SHA256 sum of the downloaded file and comparing it with the corresponding SHA256 sum in the readme.txt file (located in the same download location as the OVA images).
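The integrity check described above can be scripted. The following is an added example, not part of the Pexip documentation or tooling; it assumes readme.txt lists each SHA256 sum on the same line as the OVA file name, and the file name and contents in the demo are constructed placeholders.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SHA256_HEX = re.compile(r"\b[0-9a-fA-F]{64}\b")

def expected_digest(readme_text, ova_name):
    """Return the SHA256 sum listed for ova_name in the readme text, or None.

    Assumption: the digest and the file name appear on the same line."""
    for line in readme_text.splitlines():
        match = SHA256_HEX.search(line)
        if match and ova_name in line:
            return match.group(0).lower()
    return None

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large OVA is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_ova(ova_path, readme_text):
    """True only if the file's SHA256 sum equals the value listed for its name."""
    name = Path(ova_path).name
    wanted = expected_digest(readme_text, name)
    if wanted is None:
        # A missing entry is an error, not a pass: nothing was compared.
        raise ValueError("readme has no SHA256 entry for " + name)
    return sha256_file(ova_path) == wanted

if __name__ == "__main__":
    # Constructed stand-ins for the real download and its readme.txt.
    with tempfile.TemporaryDirectory() as tmp:
        ova = Path(tmp) / "vmrportal_EXAMPLE-release.ova"
        ova.write_bytes(b"constructed sample bytes, not a real OVA")
        readme = f"{sha256_file(ova)}  {ova.name}\n"
        print("match:", verify_ova(ova, readme))
        ova.write_bytes(b"modified after the readme was written")
        print("match after change:", verify_ova(ova, readme))
```

Deploy the template only if the comparison returns true; a mismatch or a missing readme entry means the download should be repeated before proceeding.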

Deploying the OVA template

To deploy the OVA template:

  1. Using the vSphere web client, go to Hosts and clusters, click File and Deploy OVF Template (this option accepts OVA files).
  2. During the OVA deployment, we recommend that you use the default options. Also make sure to assign the correct VMware network/port group for the network interface of the virtual machine.
  3. After the OVA template has been deployed, power on the newly-created virtual machine.

Setting the password for SSH/console access

After the virtual machine has powered on, open a console for the VMR portal virtual machine.

Before you can start the install wizard, you must change the password. To do this:

  1. Log in as user pexip with password PEXIP (these are case sensitive).
  2. You are prompted again for the default password.
  3. You are prompted to set a new account password. To do this you must enter the new password twice. The password must:

    • have a minimum of 8 characters
    • satisfy at least 3 out of the following 4 conditions:

      • one lower case character
      • one upper case character
      • one special character
      • one digit.
  4. After setting the new password, the install wizard starts and you log in again with the new password.

Completing the installation wizard

The installation wizard is divided into several steps, which are explained below.

Note that all IP addresses in this guide are examples only — actual IP addressing is deployment specific.

The following table shows, for each step, the prompt text that is shown, an explanation of the step and some example input where appropriate. If you subsequently rerun the installation wizard, the default values for the questions use the answers from the previous run (if they are still valid).

Step / Wizard prompt text Example value Description
1 VMR Portal Network / NIC Configuration
    If the wizard is being rerun you are first asked "Do you want to reconfigure the network?". If you answer "no" you are taken to step 2.
  1.1 Enter the hostname for the virtual machine vmrportal

The hostname of the VMR portal.

Default: vmrportal

  1.2 Enter the IP address and network mask for the virtual machine in CIDR format 10.0.0.10/24 You must enter the IP address and netmask in CIDR notation.
  1.3 Enter the gateway address for this interface 10.0.0.1 The IP address of the VM's default gateway.
  1.4 Enter one or more DNS servers to use 8.8.8.8, 8.8.4.4

A comma-separated list of DNS server IP addresses. The DNS servers must be able to resolve the addresses of the LDAP server and the Management Node.

Default: 8.8.8.8, 8.8.4.4 or as detected from DHCP

  1.5 Do you want to restrict SSH access to a specific IP range? Yes

For added security you can restrict SSH access to this VM to a specific range of IP addresses.

Default: No

  1.6 Enter an IP range in CIDR notation 10.0.0.0/8 If you answered Yes to the previous question you are asked to enter the IP address range of the management workstations.
2 Pexip Infinity Management Node
  2.1 Enter the IP address or FQDN of the Management Node pexipmgr.example.com The IP address or FQDN of the Pexip Infinity Management Node.
  2.2 Enter the Management Node username vmrportal

The VMR portal uses the Management Node API to access the Pexip Infinity platform and to view and update the VMR settings.

We recommend that you set up a specific user (i.e. a service account) and Administrator Role for VMR portal access. The role must have the following permissions:

  • Is an administrator
  • May use API
  • May view VMR configuration
  • May modify VMR configuration
  • May view system configuration
  • May modify system configuration

See Managing administrator access via LDAP for more information.

  2.3 Enter the password for that username   The password associated with the username entered in the previous step.
  2.4 Do you want to verify the Management Node's certificate? Yes

Whether or not to verify that the certificate presented by the Management Node is valid before the connection is allowed.

Note that the VMR portal ships with an inbuilt list of trusted CA certificates. This list is the ca-certificates package from Ubuntu and cannot be modified.

Default: Yes

  2.5 Enter the base URL for the Infinity Connect web app vc.example.com

This is used to construct the join URL for this VMR for Connect web app users.

The address entered here should typically match the hostname of the DNS record for a Conferencing Node (or reverse proxy).

For example, if your Connect web app is made available to users at https://vc.example.com you would enter vc.example.com as the base URL.

  2.6 Enter the URL that VMR Portal will be accessed at https://my.example.com The address of the VMR portal. This link may be provided to conference Hosts when using Connect Webapp3. See step 6.12.
3 LDAP Configuration
  3.1 Enter the LDAP server address  

The address of the LDAP server used to authenticate the end-user when they sign in via the VMR portal.

Enter the domain name (for DNS SRV lookup), FQDN (for DNS A/AAAA lookup) or IP address of the LDAP server. If using a domain or an FQDN, ensure that it is resolvable over DNS.

We strongly recommend that you do not use an IP address. If an IP address is used, and a TLS connection is required, this will only work if the IP address is specified as the common name in the LDAP server's certificate.

  3.2 Enter the port for this LDAP server [Enter] (use default)

The destination port on the LDAP server.

Default: 636

  3.3 Enter the LDAP service account username  

The username of the bind account on the LDAP server. This should be a domain user service account, not the Administrator account.

  3.4 Enter the password for this service account   The password associated with the service account username.
  3.5 Do you want to use SSL with LDAP? Yes

The system will always attempt initially to establish a secure TLS connection with the LDAP server.

No: allows the system to fall back to a TCP connection and credentials are sent in the clear over the network.

Yes: the system must establish a secure TLS connection to the LDAP server; it cannot fall back to a TCP connection.

Default: Yes

We strongly recommend that you do not use No (TCP connection). This option is only suitable for a test/lab environment as credentials are sent in the clear over the network.

  3.5.1 Do you want to verify LDAP SSL certificate? Yes

If using SSL, controls whether the LDAP server's certificate is validated.

Default: Yes

  3.6 Enter the LDAP base DN dc=example,dc=com

The base DN (distinguished name) of the LDAP forest to query.

Default: ou=user,dc=domain,dc=tld

  3.7 Enter the LDAP user search filter [Enter] (use default)

The LDAP filter used to find user records when given the user name. The filter must contain {username} to indicate locations into which the username is substituted.

Default: (&(objectClass=user)(|(sAMAccountName={username})(mail={username})))

  3.8 Do you want to change the LDAP attribute names? [Enter] (use default)

If required you can change the names of the LDAP search attributes that are used to find the user records and to match VMR ownership.

If you answer "no" you are taken to step 4.

Default: No

  3.8.a Enter the username attribute   Default: sAMAccountName
  3.8.b Enter the firstname attribute   Default: givenName
  3.8.c Enter the surname attribute   Default: sn
  3.8.d Enter the mail attribute  

This attribute is used to match against the VMR owner's email address field to determine which VMR's configuration can be modified.

Default: mail

4 VMR Portal Configuration
  4.1 Minimum number of Host PIN digits 6

This and the following 3 questions allow you to configure the rules for whether Host and Guest PINs are required, and if so, their minimum length.

PINs, when used, must be between 4–20 digits long.

Ensure that the values you enter here are compatible with any VMR sync templates you use to initially provision the VMR PINs.

Default: 4

  4.2 Allow empty Host PINs? No Default: No
  4.3 Minimum number of Guest PIN digits 6 Default: 4
  4.4 Allow empty Guest PINs? No Default: No
  4.5 Enter the portal session timeout (in seconds)  

You must enter a timeout value, with a minimum value of 300 seconds.

Default: 3600

  4.6 Do you want to regenerate self-signed SSL certificates and DH parameters? No

Only appears when re-running the installation wizard. (They are always generated automatically on first run.)

Default: No

5 Customize Portal Wording
  5.1 Do you want to customize the portal's wording using a localization file? No

Allows you to configure the language strings in the VMR portal as it appears to the end-user.

Default: No

  5.2 Enter the localization filename to use en_US.json

Only applies if you want to customize the wording.

The file specified here must be placed in the /vmrportal/vmrportal/localization directory.

Note that the presence of the file is not validated at this stage.

See Customizing the language files (text localization) for more information.

Default: en_US.json

6 Customize Portal Functionality
  6.1 Do you want to customize which functionality is enabled for users? No

Allows you to configure whether end-users can customize some of the VMR's settings and features. The following questions only appear if you answer "Yes".

Default: No

  6.2 Do you want to allow users to change VMR names? Yes

Allows the user to change the name of their VMR (unless it is managed via LDAP provisioning).

Default: Yes

  6.3 Do you want to allow users to change whether guests can join a VMR? Yes

Allows the user to change the "Allow Guests" setting.

Default: Yes

  6.4 Do you want to allow users to change whether guests can present in a VMR? Yes

Allows the user to change the "Guests can present" setting.

Default: Yes

  6.5 Do you want to allow users to change a VMR guest PIN? Yes

Allows the user to change the "Guest PIN" setting.

Default: Yes

  6.6 Do you want to allow users to change a VMR host PIN? Yes

Allows the user to change the "Host PIN" setting.

Default: Yes

  6.7 Do you want to allow users to change VMR Single Sign-On (SSO) authentication settings for guests? No

Controls whether users can select a pre-configured Identity Provider Group to use for Guest authentication, or disable Guest SSO authentication for that VMR.

Default: No

  6.8 Do you want to allow users to change VMR Single Sign-On (SSO) authentication settings for hosts? No

Controls whether users can select a pre-configured Identity Provider Group to use for Host authentication, or disable Host SSO authentication for that VMR.

Default: No

  6.9 Do you want to allow users to set whether speaker names are displayed in a VMR? Yes

Allows the user to change the "Show names of participants" setting.

Default: Yes

  6.10 Do you want to allow users to change a VMR layout? Yes

Allows the user to change the default layout for their VMR.

Default: Yes

  6.11 Do you want to allow users to upload branding packages? Yes

Allows the user to access the Manage Branding options in the portal.

Default: Yes

  6.12 Should uploaded branding packages always contain a link for hosts to access VMR Portal? Yes

Controls whether Hosts are provided with a toolbar link to the VMR portal (as configured in step 2.6) from within a conference, when using Connect Webapp3 in combination with a customized branding package.

Default: Yes
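The format rules and security recommendations in steps 1 to 4 of the table above can be checked against a set of planned answers before the wizard is run. The following is an added example, not Pexip code: the dictionary keys are hypothetical names for the wizard questions, the sample answers are constructed from the table's example values, and the minimum PIN lengths are checked against the 4–20 digit range the table gives for PINs.

```python
import ipaddress

def _ok(parser, value):
    """True if the given ipaddress parser accepts value."""
    try:
        parser(value)
        return True
    except ValueError:
        return False

def review_answers(a):
    """Return findings for planned wizard answers (the dict keys are hypothetical)."""
    out = []
    if "/" not in a["ip_cidr"] or not _ok(ipaddress.ip_interface, a["ip_cidr"]):
        out.append("1.2: address and netmask must be in CIDR notation")
    if not a["restrict_ssh"]:
        out.append("1.5: SSH access is not restricted to an IP range")
    elif "/" not in a["ssh_range"] or not _ok(ipaddress.ip_network, a["ssh_range"]):
        out.append("1.6: SSH range must be a network in CIDR notation")
    if not a["verify_mgr_cert"]:
        out.append("2.4: Management Node certificate is not verified")
    if _ok(ipaddress.ip_address, a["ldap_server"]):
        out.append("3.1: LDAP server is an IP address; use a domain or FQDN")
    if not a["ldap_ssl"]:
        out.append("3.5: LDAP can fall back to TCP with credentials in the clear")
    elif not a["verify_ldap_cert"]:
        out.append("3.5.1: LDAP server certificate is not validated")
    if "{username}" not in a["ldap_filter"]:
        out.append("3.7: search filter must contain {username}")
    for min_step, empty_step, kind in (("4.1", "4.2", "host"), ("4.3", "4.4", "guest")):
        if not 4 <= a[kind + "_pin_min"] <= 20:
            out.append(f"{min_step}: minimum {kind} PIN length must be 4 to 20 digits")
        if a["allow_empty_" + kind + "_pin"]:
            out.append(f"{empty_step}: empty {kind} PINs are allowed")
    if a["session_timeout"] < 300:
        out.append("4.5: session timeout is below the 300 second minimum")
    return out

# Constructed answers using the table's example values; ldap.example.com is made up.
PLANNED = {
    "ip_cidr": "10.0.0.10/24", "restrict_ssh": True, "ssh_range": "10.0.0.0/8",
    "verify_mgr_cert": True, "ldap_server": "ldap.example.com", "ldap_ssl": True,
    "verify_ldap_cert": True, "host_pin_min": 6, "allow_empty_host_pin": False,
    "ldap_filter": "(&(objectClass=user)(|(sAMAccountName={username})(mail={username})))",
    "guest_pin_min": 6, "allow_empty_guest_pin": False, "session_timeout": 3600,
}

if __name__ == "__main__":
    print(review_answers(dict(PLANNED, restrict_ssh=False, ldap_ssl=False)))
```

An empty list means the planned answers meet every rule checked here; each finding is prefixed with the wizard step it refers to.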

When all of the installation wizard steps have been completed, the VMR portal will automatically reboot.

After the VMR portal has started up again it will be ready for use — users will now be able to sign in to the VMR portal (via the virtual machine's address) and configure their VMR settings.

Additional steps

If you need to re-run the installation wizard, perform further customization or replace the VMR portal's default certificate, see Extra configuration and maintenance tasks for the VMR self-service portal.

To control how users can manage VMRs and apply their own customizations, see Controlling web app path branding and VMR management via user groups.

Performance and API guidelines

Note that as the VMR portal uses the Pexip Infinity management API to apply VMR configuration updates, it is subject to the same performance guidelines as any other management API requests.

Contact your Pexip authorized support representative if you expect a large number (100+) of concurrent updates to be requested via the VMR portal.