HP Recommended

I've just read the article Securing the video firewall and have a query about the ACL Rule used to block registration. Should I expect to see Access_Without_XMA_Provision as one of the default rules or, as it doesn't exist on my system, do I need to create it?

9 REPLIES
HP Recommended

Hi Moony

 

What RPAD software version are you using?

 

 

Regards

 

HP Recommended

3.1.1

HP Recommended

Moony,

 

In RPAD v3.1.1, the rule has changed the name to: Access_Without_RPAD_Provision.

 

S.

HP Recommended
Hi there,

I tested out this ACL and it appears to block all registrations - so even though I have devices that I can successfully provision through the RPAD, they don't work as soon as I apply the ACL and they are blocked by RPAD prior to being forwarded through to DMA.

Is there a way to confirm if the provisioning list is working on the RPAD? From the help guide it says it is there by default but there are no other details on this in the documentation. It's very unclear.

Thank you
HP Recommended

Rock,

 

What specific rule did you add? Did you set it to allow or deny?

 

S.

HP Recommended
I tried "Access without RPAD provision" set to Deny.

It now blocks me if I try and register through the internet. All devices are on the latest version.
HP Recommended

Rock,

 

This is the correct rule setting. Which client are you using? Are you entering a user name and password in order to authenticate to the RPAD first and then get your provisioning settings, which include your SIP and H323 alias?

 

I typically see folks in the field register directly to the RPAD via H323 and SIP. Obviously the RPAD ACLs that we mention block this anonymous user registration. We don't want just anyone to be able to register to the RPAD without first supplying a user name and password.

 

S.

HP Recommended

Hi there,

 

Yes that's correct.

 

For this test I have used RealPresence Mobile on my iPhone.

 

1. I type in my Email address then click Next

 

2. Then I enter the username and password and click Next

 

3. I then click on the Information icon and I can see I am successfully provisioned, yet I cannot register with SIP or H.323 because of the ACL "Access Without RPAD Provision" set to Deny

 

4. I then remove the ACL and it works perfectly

 

Simons, have you tested this from the Internet personally?

 

I have a feeling there is an issue with this ACL on the RPAD 3.1.1_build_14357

 

HP Recommended

Hi,

 

We are still trying to move our lab into a new facility, so I have not personally set this up, but I have done this with other customers. We have about 1 RPAD install every 2 weeks or so. What usually calls for action is the 26k registrations the field service person let slip by because of the lack of ACLs. In version 4.1, we are redesigning the ACLs to be less removed on ports but rather dictated by call policies. This will make implementations out of the box smoother and easier to understand.

 

Back to your issue. I assume you have the ACLs running on 5061 and external signalling IP. Check the rule setting to make sure the ACL is the following under ACL Rules:

 

request.src-ip not memberOf prov_list

 

If this is correct, then build a new one with the same values as above. Maybe the upgrade pooched something. Otherwise call into Support and they can go through the logs and configuration with a fine-tooth comb...

 

S.
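
The rule expression quoted in this thread, read literally, as an added example that is not part of any post and is not RPAD code: it replays constructed provisioning and registration events against `request.src-ip not memberOf prov_list` with the action set to Deny. Assumptions: an authenticated provisioning login is what places a source IP on `prov_list`, a request that matches no rule is allowed, and the event format and addresses are made up for illustration.

```python
import ipaddress

RULE = "request.src-ip not memberOf prov_list"  # expression quoted in the thread

def parse_rule(expr):
    """Split '<field> [not] memberOf <list>' into (field, negated, list_name)."""
    tokens = expr.split()
    if len(tokens) == 4 and tokens[1] == "not" and tokens[2] == "memberOf":
        return tokens[0], True, tokens[3]
    if len(tokens) == 3 and tokens[1] == "memberOf":
        return tokens[0], False, tokens[2]
    raise ValueError(f"unsupported rule expression: {expr!r}")

def replay(events, expr=RULE, action="deny"):
    """Replay events in order; return one (src_ip, protocol, verdict) per registration."""
    field, negated, list_name = parse_rule(expr)
    lists = {list_name: set()}
    verdicts = []
    for kind, src_ip, detail in events:
        ip = ipaddress.ip_address(src_ip)
        if kind == "provision":
            # Assumption: only an authenticated provisioning login lists the source IP.
            if detail == "auth-ok":
                lists[list_name].add(ip)
        elif kind == "register":
            request = {"request.src-ip": ip}
            # The rule matches when membership disagrees with the "not" keyword.
            matched = (request[field] in lists[list_name]) != negated
            # Assumption: a request that matches no rule is allowed.
            verdicts.append((src_ip, detail, action if matched else "allow"))
    return verdicts

# Constructed events (documentation address ranges), in arrival order.
EVENTS = [
    ("register", "203.0.113.9", "SIP"),          # never provisioned
    ("provision", "198.51.100.20", "auth-ok"),
    ("register", "198.51.100.20", "SIP"),        # same source IP that provisioned
    ("provision", "198.51.100.30", "auth-fail"),
    ("register", "198.51.100.30", "H.323"),      # login failed, so never listed
    ("register", "198.51.100.21", "SIP"),        # an IP that never provisioned
]

if __name__ == "__main__":
    for src_ip, proto, verdict in replay(EVENTS):
        print(f"{proto:6} from {src_ip:15} -> {verdict}")
```

In this model the verdict depends only on the source address of the registration, so a registration is allowed only when it arrives from an address already on the list.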
