Polycom® Video Border Proxy (VBP™) 7301 Release Notes

14.7.1 | May 2016 | 3725-78311-001F


© 2016 Polycom, Inc. All Rights Reserved.

Polycom VBP Release Notes

This document describes the enhancements and fixes for Polycom® Video Border Proxy (VBP™) 7301 software release 14.7.1. It includes all modifications made since VBP 7301 initial release 14.1.1.

Note

At this time, you must change the Upgrade Firmware username to lower case “vbp” when upgrading your firmware version. See Firmware Upgrade Instructions for more information.

Contents

Revision History
Supported Platforms
Release Notes for the Current Release
    VBP 7301 Release 14.7.1
        Supported Endpoints
        Security Updates
        Upgrade Requirements
        What’s New in Release 14.7.1
        Issues Resolved in Release 14.7.1
        Known Limitations in Release 14.7.1
    Firmware Upgrade Instructions
        Save Your Configuration
        Reboot Your System
        Upgrade Your Firmware
    Restoring or Downgrading Your Configuration
    Edgewater Networks Knowledgebase
    Obtaining Further Assistance
Release Notes for the 14.2 Releases
    VBP 7301 Release 14.2.5
    VBP 7301 Release 14.2.4
    VBP 7301 Release 14.2.2
    VBP 7301 Release 14.2.0.1
    VBP 7301 Release 14.2.0
Release Notes for the 14.1 Releases
    VBP 7301 Release 14.1.2
    VBP 7301 Release 14.1.1
Copyright and Trademark Information

Revision History

Revision | Date
Release 14.7.1 | 05/25/2016
Release 14.2.5 | 03/28/2016
Release 14.2.4 | 02/12/2016
Release 14.2.2 | 10/15/2015
Release 14.2.0.1 | 06/18/2015
Release 14.2.0 | 06/15/2015
Release 14.1.2 | 04/16/2015
Release 14.1.1 | 03/01/2015

Supported Platforms

VBP Platform | Supported Model Number(s)
7000 Series | 7301


Release Notes for the Current Release

VBP 7301 Release 14.7.1

Release Date: May 25, 2016

Supported Endpoints

VBP 7301 Release 14.7.1 has been successfully tested with the following endpoints.

Endpoint | Supported Version
Polycom HDX | 3.1.9
RealPresence Group Series | 5.1
RealPresence Desktop | 3.5.0
RealPresence Mobile | 3.5.0
RMX Virtual Edition | 8.6.3

Note (RealPresence Desktop): Use with the VBP Access Server embedded provisioning feature requires RealPresence Desktop license to be purchased from Polycom. Contact your Polycom sales representative for licensing options.

Note (RealPresence Mobile): Use with the VBP Access Server embedded provisioning feature does not require RealPresence Mobile license purchase from Polycom.

Security Updates

- OpenSSL Vulnerability [EM-14134]
- Qualys Vulnerability in port 8443 scans - Cookie Does Not Contain the "secure" Attribute [EP-1050, EP-1055]
- UDP Payload Length is Not Properly Checked [EM-14215]

OpenSSL Vulnerability [EM-14134]

CVE-2015-3193
CVE-2015-3194
CVE-2015-3195
CVE-2015-3196
CVE-2015-1794

The VBP 7301 was using openssl 1.0.1i, which was vulnerable to security threats in multiple categories (High/Medium/Low).

Resolution

Now, openssl is upgraded to version 1.0.1s, which resolves as many as 35 security threats.

Qualys Vulnerability in port 8443 scans - Cookie Does Not Contain the "secure" Attribute [EP-1050, EP-1055]

Qualys QID: 150122

The cookie does not contain the “secure” attribute. Cookies with the “secure” attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.

Solution

If the associated risk of a compromised account is high, apply the “secure” attribute to cookies and force all sensitive requests to be sent via HTTPS.

UDP Payload Length is Not Properly Checked [EM-14215]

CVE-2015-8605

A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally.

Impact

Nearly all IPv4 DHCP clients and relays, and most IPv4 DHCP servers are potentially affected.

A server, client, or relay that is built to only be able to process unicast packets (for example, those that have already been processed by the OS UDP/IP stack) is not affected, however this build configuration is not normally viable for clients and relays. Servers with this build configuration require a relay in order to be able to process DISCOVER and other broadcast requests from clients.

Not all potentially affected builds will actually be affected. But because it is difficult to identify or predict those which should be upgraded, Edgewater Networks advises that all builds should be considered vulnerable.


Upgrade Requirements

Observe the following upgrade requirement.

VBP 7301 Upgrade Requirements

If you are upgrading from a release prior to 14.1.0 and you have VLANs enabled, the following upgrade procedure must be performed before adding new VLANs to the system on the VLAN Configuration page:

1. Choose Network from the Configuration Menu (Figure 1).
2. Change the Default VLAN ID from 0 (zero) to 1, as shown in Figure 1, and click Submit.

When the change is applied you are able to add new VLANs on the Network > VLAN Configuration page.

Figure 1 Default VLAN Settings

What’s New in Release 14.7.1

The following features are new in this release:

- Editing VLANs in the VBP 7301 GUI
- HTTP to HTTPS Re-direction
- Limit the Number of SSH Attempts

Editing VLANs in the VBP 7301 GUI

Feature No: EM-14540

Improvement No: EM-9631

Existing VLANs can be edited and deleted from the Network > VLAN page via the Action drop-down menu:

1. Choose Network > VLAN. The VLAN Configuration page is displayed.
2. Select Edit VLAN x from the Create a new VLAN Action drop-down menu (Figure 2).

Figure 2 Edit VLAN Drop-Down Option

3. Edit information for the selected VLAN in the Edit an existing VLAN fields (Figure 3) and click Edit to save your changes.

Figure 3 Edit Existing VLAN

HTTP to HTTPS Re-direction

The system will now provide web UI management redirection on the LAN or WAN interfaces of the system. Insecure HTTP TCP port 80 connections will receive a 301 Moved Permanently to secure HTTPS:ALT PORT.

HTTP Strict Transport Security (HSTS) RFC 6797 has also been added to the system. All connecting web browsers being re-directed from HTTP to HTTPS will have the HSTS flag set for 1yr. For that period of 1yr, the browser will no longer attempt to connect to HTTP://LAN or WAN IP; it will detect that the insecure URL has been entered and automatically connect to the “remembered” HTTPS IP and ALT PORT.


Note

When changing the HTTPS ALT PORT, the computer applying the change will be re-directed to the new ALT PORT when the change is saved. Other computers that were previously re-directed will still attempt to connect to the old ALT PORT. There is no known method to clear the “remembered” old ALT PORT from the browser.
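A post-upgrade check of the re-direction behaviour described above, written as an added example and not Polycom or Edgewater code: it parses a captured port 80 response and a captured HTTPS response and verifies the 301, the HTTPS Location with the expected ALT PORT, and a Strict-Transport-Security lifetime of at least one year. The address 192.0.2.10, ALT PORT 8443 and the sample responses are constructed; the header is read from the HTTPS response because RFC 6797 has browsers ignore it over plain HTTP.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds in the 1yr lifetime the release note states


def parse_head(raw):
    """Split a raw HTTP response head into (status, {lower-case name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Return max-age in seconds, or None if the header is invalid per RFC 6797."""
    seen = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in seen:
            return None  # a directive must not appear more than once
        seen[name] = val.strip().strip('"')  # max-age may be a quoted-string
    max_age = seen.get("max-age", "")
    return int(max_age) if re.fullmatch(r"[0-9]+", max_age) else None


def audit_redirect(http_raw, https_raw, alt_port):
    """Compare captured responses with the behaviour the release note describes."""
    problems, notes = [], []
    status, headers = parse_head(http_raw)
    if status != 301:
        problems.append(f"port 80 answered {status}, expected 301")
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        problems.append("Location does not point to https")
    port = loc.port or (443 if loc.scheme == "https" else 80)
    if port != alt_port:
        problems.append(f"Location port {port} is not ALT PORT {alt_port}")
    _, tls_headers = parse_head(https_raw)
    max_age = parse_hsts(tls_headers.get("strict-transport-security", ""))
    if max_age is None:
        problems.append("missing or invalid Strict-Transport-Security header")
    elif max_age < ONE_YEAR:
        problems.append(f"HSTS max-age {max_age} is shorter than one year")
    try:
        ipaddress.ip_address(loc.hostname or "")
        notes.append("Location host is an IP address; RFC 6797 user agents "
                     "do not record HSTS for IP-literal hosts")
    except ValueError:
        pass  # host is a DNS name
    return {"problems": problems, "notes": notes}


# Constructed sample captures (not taken from a real unit); 8443 is an assumed ALT PORT.
HTTP_OK = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://192.0.2.10:8443/\r\n\r\n"
HTTPS_OK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
HTTP_BAD = "HTTP/1.1 302 Found\r\nLocation: http://192.0.2.10/login\r\n\r\n"
HTTPS_BAD = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=300; max-age=31536000\r\n\r\n")

if __name__ == "__main__":
    print(audit_redirect(HTTP_OK, HTTPS_OK, 8443))
    print(audit_redirect(HTTP_BAD, HTTPS_BAD, 8443))
```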

Limit the Number of SSH Attempts

Improvement No: EM-13925

The Intrusion Prevention page enables a user to set the number of unsuccessful login attempts a remote host may make during a period of time before that remote host is locked out from attempting to log in. The lockout runs from the time of the first unsuccessful login until the lockout duration has elapsed.

For example, if the number of attempts specified is 3 and the lockout duration is 5 minutes, a user who unsuccessfully logs in at time 0, at 1 minute, and at 3 minutes will be locked out until the 5 minute mark, because the lockout duration is measured from the initial failed attempt.

The user will then have one attempt available to log in. At the 6 minute mark, the user will have another attempt to log in, if needed. Failed attempts essentially “expire” once the lockout duration has passed since the time of the failed attempt.

When the feature is disabled or if the system reboots, all records of failed attempts are deleted and all users can attempt to log in. When the feature is re-enabled, the record keeping starts again. This feature works for SSH, HTTP, and HTTPS over IPv4 and IPv6.
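The lockout rule described above, modelled as an added example (not VBP code) so that a chosen Failed Login Attempts and Host Lockout Duration pair can be replayed against a timeline before it is applied. Two points the release note does not state are assumptions here: attempts refused during a lockout are not recorded, and a successful login does not clear earlier failures; the host address is constructed.

```python
from collections import deque


class LockoutModel:
    """Sliding-window model of the Intrusion Prevention lockout rule."""

    def __init__(self, failed_login_attempts, lockout_minutes):
        # Ranges are the ones printed on the Intrusion Prevention page fields.
        if not 2 <= failed_login_attempts <= 10:
            raise ValueError("Failed Login Attempts must be 2-10")
        if not 1 <= lockout_minutes <= 480:
            raise ValueError("Host Lockout Duration must be 1-480 mins")
        self.limit = failed_login_attempts
        self.duration = lockout_minutes
        self.failures = {}  # remote host -> deque of failure times (minutes)

    def _active(self, host, now):
        """Drop failures older than the lockout duration and return the rest."""
        q = self.failures.setdefault(host, deque())
        while q and q[0] + self.duration <= now:
            q.popleft()
        return q

    def locked_until(self, host, now):
        """Minute at which the host may try again, or None if not locked out."""
        q = self._active(host, now)
        if len(q) < self.limit:
            return None
        # The lockout ends when enough old failures expire to free one attempt.
        return q[len(q) - self.limit] + self.duration

    def attempts_left(self, host, now):
        """Failed attempts the host can still make at minute `now`."""
        return max(0, self.limit - len(self._active(host, now)))

    def attempt(self, host, now, credentials_ok):
        """Return 'locked', 'ok' or 'failed' for a login attempt at minute `now`."""
        if self.locked_until(host, now) is not None:
            return "locked"  # assumption: refused attempts are not recorded
        if credentials_ok:
            return "ok"      # assumption: a success does not clear old failures
        self.failures[host].append(now)
        return "failed"

    def locked_hosts(self, now):
        """Hosts that would be listed in the Locked Out Hosts section at `now`."""
        return sorted(h for h in list(self.failures)
                      if self.locked_until(h, now) is not None)

    def reset(self):
        """Feature disabled or system rebooted: all records are deleted."""
        self.failures.clear()


def release_note_timeline():
    """Replay the worked example: 3 attempts, 5 minute lockout, failures at 0, 1, 3."""
    host = "198.51.100.7"  # constructed address
    model = LockoutModel(failed_login_attempts=3, lockout_minutes=5)
    log = []
    for minute in (0, 1, 3, 4, 5, 6):
        before = model.attempts_left(host, minute)
        result = model.attempt(host, minute, credentials_ok=False)
        log.append((minute, before, result, model.locked_until(host, minute)))
    return log


if __name__ == "__main__":
    for minute, left, result, until in release_note_timeline():
        print(f"t={minute} min  attempts left={left}  {result:6}  locked until={until}")
```

Each tuple is (minute, attempts left before the try, outcome, lockout end); the rows for minutes 3, 5 and 6 reproduce the 5 minute lockout and the single attempts at the 5 and 6 minute marks from the text.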

To enable the feature:

1. Choose Security > Intrusion Prevention from the Configuration Menu (Figure 4).

Figure 4 Enable Intrusion Prevention

2. Select the Enable Intrusion Prevention checkbox and click Submit. Additional fields become active (Figure 5).

Figure 5 Intrusion Prevention Page

3. Enter a value in the Failed Login Attempts (2-10) field.
4. Enter a value in the Host Lockout Duration (1-480 mins) field.

The Locked Out Hosts section displays hosts that have exceeded the number of attempts to log in.


Issues Resolved in Release 14.7.1

Issue ID | Area/Component | Description
EM-14500 | B2BUA | PRACK OFFER in 183 getting 491 Request Pending while expecting 200 OK.
EM-11028 | DHCP | The dhcpd.lease file is filling up the /etc/config directory.
EP-606 | GUI | The H.323 Client List page E.164 Alias field accepts alphabetical and special characters. The field should only accept numbers.
EP-803 | GUI | Fixed an issue where EULA returns after reboot.
EP-1018 | GUI | Multi-LAN option should not become editable when HA is enabled with VMAC ON.
EM-13808 | GUI | GUI pages may experience intermittent loading issues when the /var directory reaches 90% full. A new error message is added to the top of all GUI pages when the condition is present.
EM-14396 | GUI | There is no warning prompt on the VOIP > SIP configuration page that voice and video service will be interrupted upon clicking Submit.
EM-14613 | GUI | VLAN configuration page wording updated to designate IPv4 and IPv6 entries.
EM-14564 | IPv6 VLAN | For Additional WAN VLAN, IPv6 interface is not displayed.
EM-14707 | Network | IPv6 Proxy is not working with VBP 7301.
EM-14231 | Network | The ppp0 interface does not receive the IPv6 address.
EM-9921, EM-10360 | Network | The VBP 7301 system experiences packet loss and video quality issues when Ethernet interfaces are configured for autonegotiate and the interface negotiates 100/Half-duplex or is statically set to 100/Half-duplex.
EP-605 | Online Help | Online help for H.323 icons now reflects the functionality of the icon. “A locked icon can be locked or unlocked depending on how the endpoint has been configured. By click on this icon the state is toggled. A locked icon will not automatically be deleted by the system (if that feature is enabled).”
EP-859 | Online Help | Security Help page is not modified for HTTP/HTTPS checkbox behavior for the “Allow HTTP access through firewall” feature. Online help is now updated.
EP-819 | Security | International Data Encryption Algorithm (IDEA) ciphers were removed.
EP-1050, EP-1055 | Security | Cookie does not contain the “secure” attribute. Refer to Qualys Vulnerability in port 8443 scans - Cookie Does Not Contain the "secure" Attribute [EP-1050, EP-1055].
EP-1060 | Security | Updated the system’s self-signed default certificate to SHA256.
EM-14134 | Security | OpenSSL Vulnerability CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794. Refer to OpenSSL Vulnerability [EM-14134].
EM-14215 | Security | UDP payload length not properly checked. CVE-2015-8605. Refer to UDP Payload Length is Not Properly Checked [EM-14215].
EM-14334 | Security | Nessus security scan caused the system’s web management GUI (BOA) to exit.
EM-14621 | SIP | The system stops responding to REGISTER requests.
EM-13434 | SIP | When configuring the From or To user on the SIP Routing page that includes an underscore the trunking devices disappears from SIP Routing page.
EM-14360 | SIP | Added TLSv1.2 to SIP TLS > TLS Protocol: selection. The default setting is TLSv1.0.
EM-9631 | VLAN | Added the ability to edit VLANs on the system. Refer to Editing VLANs in the VBP 7301 GUI.
EM-12755 | VMAC | Routing between VLANs fails when High Availability is enabled with VMAC.

Known Limitations in Release 14.7.1

There are no known issues to report in this release.

Firmware Upgrade Instructions

You must perform a backup of the currently running configuration before you upgrade to new VOS. If you downgrade, you must restore the saved configuration from the previous VOS version.

Attention

When you update your software, telephone services will be unavailable for several minutes. It is therefore advised that upgrades be performed during a window when telephone traffic can be interrupted.

Save Your Configuration

Prior to upgrade, use the VOS Backup / Restore option to save the currently running configuration and store it offline as follows:

1. Open the VBP 7301 user interface in a supported browser.
2. Choose Admin > Backup / Restore from the Configuration Menu. The Backup / Restore Configuration page displays (Figure 6).

Figure 6 Backup / Restore Configuration

3. Click Create New Config Backup. A pop up box displays to alert you that you will be overwriting a previously saved configuration.
4. Click OK in the pop up box. The file name appears in the Backup File column (Figure 7).

Figure 7 Create New Configuration

5. Click on the file name to open it in Notepad.
6. Save the file to your local drive.
7. Reboot your system as described in Reboot Your System.

Reboot Your System

Reboot the VBP 7301 prior to doing the upgrade to be sure there is enough dynamic memory available to handle the upgrade process.

Caution

Rebooting the system interrupts all services for several minutes.

1. Choose Admin > Reboot System from the Configuration Menu (Figure 8).

Figure 8 Reboot System

2. Click Reboot. The following message is displayed: WARNING: All voice, video, and data services will be interrupted. They will be unavailable for several minutes while the system reboots. Do you want to continue?
3. Click OK to continue.
4. Allow several minutes for the reboot to complete.
5. Upgrade your firmware as described in Upgrade Your Firmware.

Upgrade Your Firmware

After saving your old configuration and rebooting your system, upgrade to new firmware as follows:

1. Log back in to the VBP 7301.
2. Choose Admin > Upgrade Firmware from the Configuration Menu (Figure 9).

Figure 9 Upgrade Firmware

3. Enter the firmware upgrade information.

Tip

Change the Upgrade Firmware username to lower case “vbp” when upgrading your firmware version.

4. Click Submit.

Restoring or Downgrading Your Configuration

If for any reason you need to downgrade to the previous firmware version, you must first downgrade the VOS version and then restore the saved configuration using the Backup / Restore Configuration page. Your firmware is downgraded to the version that was running on the system before the downgrade procedure.

Note

It is strongly recommended that you restore the same firmware version that was previously configured on your system.

1. Choose Admin > Backup / Restore from the Configuration Menu (Figure 10).

Figure 10 Restore Saved Configuration

2. Click Browse and select the saved configuration file from your desktop. Click Upload File. The backup file appears in the Backup File column.
3. To restore to a previously saved configuration, click Restore Saved Configuration.

Edgewater Networks Knowledgebase

The Edgewater Networks KnowledgeBase provides a central repository for information that includes:

- Configuration guides
- Data sheets
- Frequently asked questions (FAQs)
- Hardware and software installation guides
- Release notes
- Troubleshooting guides
- White papers

Visit the Knowledgebase: www.edgewaternetworks.com/kb

For further information, contact Edgewater Networks: [email protected]


Obtaining Further Assistance

For more information about installing, configuring, and administering Polycom products, refer to Documents and Downloads at Polycom Support.


Release Notes for the 14.2 Releases

VBP 7301 Release 14.2.5

Release Date: March 2016

Supported Endpoints

VBP 7301 Release 14.2.5 has been successfully tested with the following endpoints.

Endpoint | Supported Version
Polycom HDX | 3.1.9
RealPresence Group Series | 5.1
RealPresence Desktop | 3.5.0
RealPresence Mobile | 3.5.0
RMX Virtual Edition | 8.6.3

Note (RealPresence Desktop): Use with the VBP Access Server embedded provisioning feature requires RealPresence Desktop license to be purchased from Polycom. Contact your Polycom sales representative for licensing options.

Note (RealPresence Mobile): Use with the VBP Access Server embedded provisioning feature does not require RealPresence Mobile license purchase from Polycom.

Security Updates

Web Session Tokens [EP-750]

Web session tokens should be sufficiently long and random to withstand session guessing attacks.

A session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP. As session IDs are often used to identify a user that has logged into a website, they can be used by an attacker to hijack the session and obtain potential privileges.

A session ID is often a long, randomly generated string to decrease the probability of obtaining a valid one by means of a brute-force search. Examples of the names that some programming languages use when naming their cookie include JSESSIONID (JEE), PHPSESSID (PHP), and ASPSESSIONID (Microsoft ASP).

Recommendation

PSO recommends that all session IDs be generated using cryptographic algorithms with key length of 256 bits (like AES).

In addition, the session IDs must be at least 50 characters in length. To verify the length of the session ID:

1. Point a web browser to the Polycom product and log in as any user.
2. Examine the cookie for your product and make sure the session ID in the cookie is at least 50 characters long. For steps on how to examine browser cookies, refer to: https://kb.iu.edu/d/ajfi
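The manual cookie check above can be scripted against captured Set-Cookie headers. This added example (not Polycom code) applies the 50 character minimum from this recommendation together with the “secure” attribute requirement from the 14.7.1 Qualys item [EP-1050, EP-1055], and goes one step further with a heuristic comparison of IDs from several logins. The cookie name SESSIONID and all sample values are constructed.

```python
import os
from http.cookies import CookieError, SimpleCookie

MIN_SESSION_ID_CHARS = 50  # minimum length given in the recommendation above


def audit_set_cookie(header_value):
    """Check one Set-Cookie header value; return a list of findings (empty = pass)."""
    jar = SimpleCookie()
    try:
        jar.load(header_value)
    except CookieError as exc:
        return [f"cookie could not be parsed: {exc}"]
    if not jar:
        return ["no cookie found in header"]
    findings = []
    for name, morsel in jar.items():
        length = len(morsel.value)
        if length < MIN_SESSION_ID_CHARS:
            findings.append(f"{name}: value is {length} characters, "
                            f"need at least {MIN_SESSION_ID_CHARS}")
        if not morsel["secure"]:
            findings.append(f"{name}: cookie does not contain the secure attribute")
    return findings


def audit_login_samples(session_ids):
    """Heuristic over IDs collected from several logins (not part of the release note)."""
    findings = []
    if len(set(session_ids)) < len(session_ids):
        findings.append("the same session ID was issued more than once")
    shared = os.path.commonprefix(list(session_ids))
    shortest = min((len(s) for s in session_ids), default=0)
    if len(session_ids) > 1 and len(shared) > shortest // 2:
        findings.append(f"IDs share a {len(shared)}-character prefix; "
                        "they may not be random")
    return findings


# Constructed sample headers; SESSIONID is a hypothetical cookie name.
GOOD_COOKIE = "SESSIONID=" + "9f3c2a7d" * 8 + "; Path=/; Secure; HttpOnly"
WEAK_COOKIE = "SESSIONID=5f2a9c; Path=/"

if __name__ == "__main__":
    for header in (GOOD_COOKIE, WEAK_COOKIE):
        print(audit_set_cookie(header) or "pass")
    print(audit_login_samples(["0" * 60 + "0001", "0" * 60 + "0002"]))
```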

GLIBC getaddrinfo Stack-based Buffer Overflow [EM-14401]

CVE-2015-7547

Description

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

Resolution

A patch for the glibc vulnerability has been created to address this issue.

What’s New in Release 14.2.5

There are no new features in this release.

Issues Resolved in Release 14.2.5

Issue IDArea/Component Description

EP-750 Security Web session tokens should be sufficiently long and random to withstand session guessing attacks. Refer to Web Session Tokens [EP-750].

EM-14401 Security GLIBC getaddrinfo Stack-based Buffer Overflow CVE-2015-7547. Refer to GLIBC getaddrinfo Stack-based Buffer Overflow [EM-14401].

EP-1059 Security Update default certificate to SHA2.

EP-1044 High Availability The Access Server in a High Availability (HA) pair sends a WAN VIP IP for LDAP, not a NATed IP.

EP-1051 LDAP GroupSeries500 codecs lose LDAP registration with VBP 7301.

Page 20: Polycom® Video Border Proxy (VBP™) 7301 …...HTTP Strict Transport Security (HSTS) RFC 6797 has also been added to the system. All connecting web browsers being re-directed from

VBP 7301 Release 14.2.4

© 2016 Polycom, Inc. All Rights Reserved.

Known Limitations in Release 14.2.5

VBP 7301 Release 14.2.4Release Date: February 2016

Supported Endpoints

VBP 7301 Release 14.2.4 has been successfully tested with the following endpoints.

What’s New in Release 14.2.4

There are no new features in this release.

Issue ID Limitation Workaround

EM-9921 The VBP 7301 experiences packet loss and video quality issues when Ethernet interfaces are configured for autonegotiate and the interface negotiates 100/Half-duplex or is statically set to 100/Half-duplex.

Statically set the system to 100/Full-duplex on all interfaces and the connected switch ports.

Do not configure the switch or VBP 7301 Ethernet interface to auto-negotiate on one side and hard-coded on the other.

Verify the connected switch port and the VBP 7301 interface are set to the same speed and duplex combinations.

Endpoint Supported Version

Polycom HDX 3.1.9

RealPresence Group Series 5.0.1

RealPresence Desktop 3.4.1Note: Use with the VBP Access Server embedded provisioning feature requires RealPresence Desktop license to be purchased from Polycom. Contact your Polycom sales representative for licensing options.

RealPresence Mobile 3.4.1Note: Use with the VBP Access Server embedded provisioning feature does not require RealPresence Mobile license purchase from Polycom.

RMX Virtual Edition 8.6.3

Page 21: Polycom® Video Border Proxy (VBP™) 7301 …...HTTP Strict Transport Security (HSTS) RFC 6797 has also been added to the system. All connecting web browsers being re-directed from

VBP 7301 Release 14.2.2

© 2016 Polycom, Inc. All Rights Reserved.

Issues Resolved in Release 14.2.4

Known Limitations in Release 14.2.4

VBP 7301 Release 14.2.2

What’s New in Release 14.2.2

There are no new features in this release.

Issues Resolved in Release 14.2.2

Issue IDArea/Component Description

EP-572 H.323 H.225 CONNECT message when configured in LAN-side Gatekeeper mode sometimes failed to establish the call correctly.

EP-736 H.323 Business-to-business (B2B) calls to and from H.460 endpoints failed to establish behind certain NAT devices.

EP-955 H.323 When Peering Proxy is configured and a call is placed through the system, if the call is terminated on the Call Status page before the call is answered the H.323 service will restart.

EP-914 SIP Embedded SIP server mode, certain conditions caused the SIP service to restart.

EM-918 SIP With a SIP trunking device configured and one call over the licensed limit was placed the SIP service would restart.

Issue ID Limitation Workaround

EM-9921 The VBP 7301 experiences packet loss and video quality issues when Ethernet interfaces are configured for autonegotiate and the interface negotiates 100/Half-duplex or is statically set to 100/Half-duplex.

Statically set the system to 100/Full-duplex on all interfaces and the connected switch ports.

Do not configure the switch or VBP 7301 Ethernet interface to auto-negotiate on one side and hard-coded on the other.

Verify the connected switch port and the VBP 7301 interface are set to the same speed and duplex combinations.

Issue IDArea/Component Description

EP-765 Web Server Qualys scan causes BOA process to hang.

Page 22: Polycom® Video Border Proxy (VBP™) 7301 …...HTTP Strict Transport Security (HSTS) RFC 6797 has also been added to the system. All connecting web browsers being re-directed from

VBP 7301 Release 14.2.0.1

© 2016 Polycom, Inc. All Rights Reserved.

Issue ID | Area/Component | Description
EP-748 | Access Proxy | Access Proxy does not accept a name for LAN side server entry. The Access Proxy configuration now allows for entering an FQDN. Access Proxy will query DNS for each new incoming connection.
EP-736 | H.323 | Audio and video from the remote H.323-H.460 user is not received by the far end in B2B calls.
EP-701 | Security | International Data Encryption Algorithm (IDEA) ciphers were removed.
EP-664 | Security | SHA2/SHA256 support for certificate signing requests.
EP-582, EP-573 | H.460 | The RTP Port keepalive would sometimes send to an incorrect port number.

Known Limitations in Release 14.2.2

Issue ID | Limitation | Workaround
EM-9921 | The VBP 7301 experiences packet loss and video quality issues when Ethernet interfaces are configured for autonegotiate and the interface negotiates 100/Half-duplex or is statically set to 100/Half-duplex. | Statically set the system to 100/Full-duplex on all interfaces and the connected switch ports. Do not configure the switch or VBP 7301 Ethernet interface to auto-negotiate on one side and hard-coded on the other. Verify the connected switch port and the VBP 7301 interface are set to the same speed and duplex combinations.

VBP 7301 Release 14.2.0.1

Security Updates

The VBP 7301 14.2.0.1 release provides fixes for the following CVE vulnerability.

Logjam TLS Vulnerability [EP-631]

CVE-2015-4000

Description

A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography.

This security issue affects the Access Server/Access Proxy application, as detected by the security scanning tools. Access Server/Access Proxy as a service is listening on TCP 443 on the public interface of the system, and LogJam was detected by security scanning tools.

Resolution

Reconfigured the Access Server/Access Proxy to use a 2048-bit prime instead of a 512-bit prime for Diffie-Hellman key exchange when creating connections, as recommended during the investigation of this issue.

Note

Export grade ciphers have been previously removed from the system.
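To confirm the fix from the network side, the Diffie-Hellman prime size can be read from the ServerKeyExchange message of a captured handshake against the service on TCP 443. The following Python sketch is an added example, not Polycom code; it assumes a DHE cipher suite was negotiated (TLS 1.2 or earlier) and that the handshake message has already been reassembled from the capture. The function names and the sample messages are constructed for illustration.

```python
"""Measure the Diffie-Hellman prime size carried in a TLS ServerKeyExchange.

For DHE cipher suites the message body starts with ServerDHParams: dh_p, dh_g
and dh_Ys, each a 2-byte length followed by that many bytes (RFC 5246,
section 7.4.3). The signature that follows the parameters is ignored here.
"""
import struct

SERVER_KEY_EXCHANGE = 12   # TLS handshake message type
MIN_DH_BITS = 2048         # prime size the 14.2.0.1 fix moved to


def _read_opaque16(buf, pos, name):
    """Read one length-prefixed field; return (bytes, next position)."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated before {name} length")
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise ValueError(f"bad {name} length {length}")
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(handshake_msg):
    """Return (p, g, Ys) as integers from one ServerKeyExchange message."""
    if len(handshake_msg) < 4:
        raise ValueError("truncated handshake header")
    msg_type = handshake_msg[0]
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    if msg_type != SERVER_KEY_EXCHANGE:
        raise ValueError(f"not a ServerKeyExchange (type {msg_type})")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake body shorter than declared")
    p, pos = _read_opaque16(body, 0, "dh_p")
    g, pos = _read_opaque16(body, pos, "dh_g")
    ys, pos = _read_opaque16(body, pos, "dh_Ys")
    return tuple(int.from_bytes(x, "big") for x in (p, g, ys))


def assess_dh_prime(handshake_msg):
    """Return (prime size in bits, verdict) for the offered DH group."""
    p, _g, _ys = parse_server_dh_params(handshake_msg)
    bits = p.bit_length()
    if bits <= 512:
        verdict = "FAIL: export-grade prime"
    elif bits < MIN_DH_BITS:
        verdict = "WEAK: below 2048 bits"
    else:
        verdict = "OK"
    return bits, verdict


def build_sample(bits):
    """Constructed test message: p is an odd number of the requested size,
    not a real prime, and the trailing signature is left out."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    g = b"\x02"
    ys = (1 << (bits - 2)).to_bytes(bits // 8, "big")
    body = b"".join(struct.pack("!H", len(x)) + x for x in (p, g, ys))
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, assess_dh_prime(build_sample(size)))
```

An ECDHE ServerKeyExchange has a different layout, so check the negotiated cipher suite in the ServerHello before applying this parser.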

What’s New in Release 14.2.0.1

There are no new features in this release.

Issues Resolved in Release 14.2.0.1

Issue ID | Area/Component | Description
EP-631 | Security | CVE-2015-4000 – LogJam Vulnerability. Refer to Logjam TLS Vulnerability [EP-631].

Known Limitations in Release 14.2.0.1

Issue ID | Limitation | Workaround
EM-9921 | The VBP 7301 experiences packet loss and video quality issues when Ethernet interfaces are configured for autonegotiate and the interface negotiates 100/Half-duplex or is statically set to 100/Half-duplex. | Statically set the system to 100/Full-duplex on all interfaces and the connected switch ports. Do not configure the switch or VBP 7301 Ethernet interface to auto-negotiate on one side and hard-coded on the other. Verify the connected switch port and the VBP 7301 interface are set to the same speed and duplex combinations.

VBP 7301 Release 14.2.0

Release date: June 15, 2015

What’s New in Release 14.2.0

LAN/WAN Authentication


Enhancement No: EP-588

Client Authentication Mode now has three methods for setting the authentication mode for SIP REGISTER message support.

1. Choose VoIP > SIP.

Figure 11 SIP Settings Page

2. Click one of the following SIP mode radio buttons:
   • WAN-side SIP Server mode
   • LAN-side SIP Server mode

3. Choose one of the following Client Authentication Mode options from the drop-down menu:
   • Local Authentication: The system challenges all SIP REGISTER requests and verifies the authentication credentials for the client as configured in the User Management page. After receiving the REGISTER request with an answer to the challenge, the system generates a REGISTER request without authentication information and forwards to the SIP server.
   • Server Authentication: The system does not challenge the REGISTER request from the client. If the SIP server challenges the REGISTER request, it is passed back to the client for authentication.


Support for SIP Server Transport

Enhancement No: EP-491

The SIP Server Transport option is added to the SIP Settings configuration page. SIP Server Transport sets the transport protocol used for sending messages to the SIP server.

1. Choose VoIP > SIP Settings.

Figure 12 SIP Server Transport

2. Click one of the following SIP mode radio buttons:
   • WAN-side SIP Server mode
   • LAN-side SIP Server mode

3. Choose an option from the SIP Server Transport option drop-down menu:
   • UDP
   • TCP
   • TLS
   • Pass Through

If the Pass Through option is selected, the system will use the transport protocol taken from the incoming SIP message while forwarding messages to the SIP server. For other options, the system will do a transport conversion if the transport protocol of the incoming SIP message does not match the selected SIP Server Transport.


PRACK Settings

Enhancement No: EP-555

SIP PRACK interoperability provides B2BUA support to allow an endpoint that does not support PRACK to interoperate with an endpoint that requires PRACK support. PRACK is enabled on the system by default. You can now disable PRACK from the SIP Settings configuration page. Disabling this option reverts the system B2BUA to PRACK pass-through support.

1. Choose VoIP > SIP.

Figure 13 Enable or Disable PRACK

2. Click one of the following SIP mode radio buttons:
   • Embedded SIP Server mode
   • WAN-side SIP Server mode
   • LAN-side SIP Server mode

3. Uncheck the PRACK Support checkbox to disable PRACK on the system.

Support for SDP Modifications in WAN-side SIP Server Mode

Enhancement No: EP-477

WAN-side SIP Server Mode now allows SDP modifications to be applied to outgoing SIP messages. The system modifies codecs in the first matching media line of the SDP while forwarding a SIP message to the WAN-side SIP server.


After modifying the SDP, if no codecs are left in the media line, the system rejects the call with a 488 response code.

1. Choose VoIP > SIP.

Figure 14 SDP Modifications in WAN-side SIP Server Mode

2. Click the WAN-side SIP Server mode SIP mode radio button.

3. Select the SDP Modifications checkbox. Additional fields are displayed.

4. Choose an action from the Codec Operation drop-down menu:
   • Delete codecs: The list of defined codecs will be deleted from the SDP.
   • Allow codecs: Except the defined codecs, all other codecs will be removed from the SDP.
   • Arrange Codec: When the listed codecs are present in the SDP, the system will arrange the codecs to the defined order.

5. Choose an option from the Media Type drop-down menu:
   • Audio: Search for codecs in the audio media line of the SDP.
   • Video: Search for codecs in the video media line of the SDP.

6. In the Codecs List, enter a list of codecs to search for in the SDP. The codecs are entered by their names such as PCMU, PCMA, G723, G729, H261, and so on, separated by a comma. Names should adhere to Real-Time Transport Protocol (RTP) Parameters for standardized codec names.
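The three Codec Operation rules and the 488 rejection described above can be modelled on a sample SDP body. This Python sketch is an added example and not the VBP implementation: modify_sdp, STATIC_PT and SAMPLE_SDP are constructed names, and two behaviours are assumptions the release notes do not state (under Arrange, unlisted codecs keep their order after the listed ones; attribute lines of removed payload types are dropped with them).

```python
"""Model of the Codec Operation rules, applied to the first matching media line."""
import re

# Static RTP payload types (RFC 3551) that may appear without an a=rtpmap line.
STATIC_PT = {"0": "PCMU", "3": "GSM", "4": "G723", "8": "PCMA", "9": "G722",
             "15": "G728", "18": "G729", "31": "H261", "34": "H263"}

# Constructed sample offer (documentation address range, not a real capture).
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 18 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:18 G729/8000",
    "a=fmtp:18 annexb=no",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-15",
    "m=video 49172 RTP/AVP 31 96",
    "a=rtpmap:96 H264/90000",
]) + "\r\n"


def modify_sdp(sdp, operation, media_type, codec_list):
    """Apply 'delete', 'allow' or 'arrange' to the first m=<media_type> line.

    Returns (200, rewritten SDP), or (488, None) when the media line would be
    left with no codecs.
    """
    wanted = [c.strip().upper() for c in codec_list.split(",") if c.strip()]
    lines = sdp.strip().splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.startswith(f"m={media_type} ")), None)
    if start is None:
        return 200, sdp                       # no such media line: nothing to modify
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].startswith("m=")), len(lines))

    media, port, proto, *pts = lines[start].split()
    # Payload type -> codec name: a=rtpmap where present, else the static table.
    names = {pt: STATIC_PT.get(pt, "") for pt in pts}
    for line in lines[start + 1:end]:
        m = re.match(r"a=rtpmap:(\d+) ([^/\s]+)", line)
        if m and m.group(1) in names:
            names[m.group(1)] = m.group(2).upper()

    if operation == "delete":
        kept = [pt for pt in pts if names[pt] not in wanted]
    elif operation == "allow":
        kept = [pt for pt in pts if names[pt] in wanted]
    elif operation == "arrange":
        # Assumption: listed codecs move to the front in list order.
        listed = sorted((pt for pt in pts if names[pt] in wanted),
                        key=lambda pt: wanted.index(names[pt]))
        kept = listed + [pt for pt in pts if names[pt] not in wanted]
    else:
        raise ValueError(f"unknown operation {operation!r}")

    if not kept:
        return 488, None                      # reject the call

    dropped = set(pts) - set(kept)
    section = [" ".join([media, port, proto, *kept])]
    for line in lines[start + 1:end]:
        m = re.match(r"a=(?:rtpmap|fmtp|rtcp-fb):(\d+)", line)
        if m and m.group(1) in dropped:
            continue                          # attribute of a removed payload type
        section.append(line)
    return 200, "\r\n".join(lines[:start] + section + lines[end:]) + "\r\n"


if __name__ == "__main__":
    print(modify_sdp(SAMPLE_SDP, "allow", "audio", "PCMU,PCMA")[1])
    print(modify_sdp(SAMPLE_SDP, "delete", "video", "H261,H264"))
```

In this model, an Allow list that names only voice codecs also strips telephone-event, so DTMF negotiation is lost unless that payload name is included in the Codecs List.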


Microsoft® Lync® SIP Trunking Support

Support is added for Microsoft Lync 2013 SIP with VBP 7301, allowing enterprise Lync 2013 deployments to provide SIP telephony trunking for voice services. Microsoft Lync 2013 is supported through the system by configuring a B2BUA Trunking Device type as “Microsoft Lync.” This allows the Lync 2013 internal telephony system to securely access external SIP trunking providers for SIP voice services.

A WAN-side SIP server configuration allows the system to proxy Microsoft Lync 2013 SIP messages to the configured external SIP trunking provider to ensure interoperability for the Microsoft Lync 2013 telephony system. Depending on the external SIP trunking provider, header manipulation rules will be required for the configuration; these specific rules will be defined by the SIP trunking provider when configuring the system for SIP service.

When configuring the Microsoft Lync 2013 transfer methods, if the REFER method is chosen, then Refer to Re-INVITE must be enabled on the system as an Action for the Microsoft Lync trunking device.

The Microsoft Lync Server 2013 provides the following:
   • Centralized security, authentication, encryption and user access control
   • Bandwidth limitation and traffic prioritization based on traffic type, tagged to ensure proper priority handling at downstream networks
   • Simplified troubleshooting and traffic monitoring with EdgeView

Issues Resolved in Release 14.2.0

Issue ID | Area/Component | Description
EP-439 | User Management, GUI | Incorrect validation is displayed for the H.323 Alias field on the Access Server User on the User Management configuration page.
EP-483 | Access Server | When enabling the Access Server, no warning message was displayed to indicate that a Submit must occur on the Access Server page to enable the Access Server option.
EP-510 | ALG | A problem was resolved when enabling just H.323. If SIP and H.323 were not both enabled, H.323 would not operate.
EP-575 | GUI | The JavaScript submit() function is not working on the Access Server page in HTTPS mode for certain versions of IE and Chrome.
EP-365 | H.323 | In embedded gatekeeper Auto-Direct H.245 mode for a LAN-to-LAN call, the Terminate Call link should not be shown on the H.323 call status page when the gatekeeper signals direct routing.
EP-509 | H.323 | An AVAYA content sharing issue was found.
EP-560 | H.323 | When two remote VBP 7301s are configured in WAN-side gatekeeper mode, or when a public IP endpoint is registered to the WAN in embedded GK mode, the system will not hairpin or hatpin the RTP media. The H.225 CONNECT should set the H.245 address as the other side of the call.
EP-588 | None | Client Authentication Mode setting for “Pass Through” was validating the SIP username before forwarding the SIP authentication request to the LAN-side SIP server. This required a SIP user to be configured in User Management when the client authentication mode was “Pass Through.” This is no longer a requirement.
EP-148 | Online Help | Security > Certificates page online help contained outdated “Certificate Store” reference. The page is renamed “Certificates.”
EP-149 | Online Help | The Access Server online help is missing Type of Service descriptions.
EP-450 | Online Help | Online help missing for H.323-ID Alias when adding an Access Server user on the User Management page.
EP-479 | Security | The Certificate Common Name field can only accept a DNS name that contains alpha, numeric, dots, dashes, and underscore. IPv4 addresses are not accepted.
EP-480 | Security | The 1024 key size has been obsoleted by the NSA and is removed as an option on the Certificates configuration page.
EP-481 | Security | A certificate name now allows alpha and numeric characters, backslash, underscore, dash, and dots.
EP-472 | SIP | An error message was displayed while deleting SIP clients when SIP is disabled. It is now possible to delete a SIP client when SIP is disabled.
EP-484 | SIP | Added “Allow clients to register on WAN” in Embedded SIP Server mode.
EP-492 | SIP | Some SIP services are running even when SIP mode is configured as None.
EP-494 | SIP | On the B2BUA Trunking Configuration, the word “Beta” has been removed from the Actions Refer to Re-INVITE field.
EP-550 | SIP | During a SIP B2B call, the system converted the transport from TCP to UDP.
EP-451 | User Management | Unable to disable the Access Server User on User Management page if the user is only configured for H.323. If the user is configured for H.323 and SIP, this issue does not exist.

Known Limitations in Release 14.2.0

Issue ID | Limitation | Workaround
VBP-565 | The default polycom FTP username is not accepted by the Upgrade Firmware page. | Refer to Polycom VBP Username Requirements [EP-565]
EM-9921 | The VBP 7301 experiences packet loss and video quality issues when Ethernet interfaces are configured for autonegotiate and the interface negotiates 100/Half-duplex or is statically set to 100/Half-duplex. | Statically set the system to 100/Full-duplex on all interfaces and the connected switch ports. Do not configure the switch or VBP 7301 Ethernet interface to auto-negotiate on one side and hard-coded on the other. Verify the connected switch port and the VBP 7301 interface are set to the same speed and duplex combinations.

Polycom VBP Username Requirements [EP-565]

Description

The Polycom VBP username by default is upper-case “VBP” in the Username field. However, the Upgrade Firmware configuration page does not allow an upper case character in the Username entry field.

This issue is resolved in firmware release 14.2.0. However, the current PLCM VBP shipping build, 14.1.1, does not include this fix.

Resolution

When upgrading to 14.2.0, you must enter “vbp” in lower case. After the upgrade to 14.2.0, you can enter lower case “vbp” or upper case “VBP” in the username field.


Release Notes for the 14.1 Releases

VBP 7301 Release 14.1.2

Release date: April 16, 2015

Security Updates

The VBP 7301 14.1.2 release provides fixes for the following CVE vulnerabilities.

GHOST Vulnerability [EM-12243]

CVE-2015-0235

Description

GHOST is a vulnerability in the gethostbyname*() family of function calls (ghost = gethost) provided by the C library glibc. Glibc is a widely used C library that provides common functionality for C or C++ programs, such as DNS resolution. gethostbyname() is used by programs to look up DNS names and resolve them into IP addresses.

This vulnerability allows the caller of the function to provide input data that will overrun the provided buffer used to contain the resolution of the DNS lookup. The data put in the buffer overrun can then be used to execute malicious code on the system. This means that the attack must be executed locally by a program that does DNS resolution and calls the gethostbyname() function. However, many programs doing DNS resolution are network servers that may accept input from remote clients through client requests over a network connection. Examples of these network services are SSH, HTTP, and SIP. During a code audit performed internally at Qualys, a buffer overflow was discovered in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions.

Resolution

A patch for the glibc vulnerability has been created to address this issue.

What’s New in Release 14.1.2

There are no new features in this release.


Issues Resolved in Release 14.1.2

Issue ID | Area/Component | Description
EM-12348 | ALG | SIP ALG stops processing SIP messages after sending a stream of large NOTIFY messages.
EM-12380 | ALG | Fixed a mistake in the number of bytes being set by memset in the ortp report code.
EM-12414 | ALG | Added additional debugging information to the ALG symbols file.
EM-12203 | B2BUA | The B2BUA page has an unwanted Transport field.
EM-9962 | B2BUA, GUI | On the B2BUA Trunking Configuration page, deleting a trunking device that is being used by an Action causes the Action > Trunking Device drop-down list to show a blank entry.
EM-11396 | DHCP | Error-trapping needs to be added if the LAN DHCP server is enabled and the LAN subnet is changed on the Network configuration page.
EP-422 | Directory | A wild card using the asterisk symbol (*) was added to display all users in the directory.
EP-289 | Firewall Traversal | The Network > Firewall Traversal > External Server > Enable Server for Remote Clients option does not start after clicking Apply.
EM-12192 | Firewall Traversal | A message prompt should be issued on the Firewall Traversal page when the Remote Client option is selected and the Submit button is clicked.
EM-9975 | GUI | Unable to delete SIP clients from the client list when SIP is disabled.
EP-319 | GUI | The B2BUA Match table has an extra column.
EM-12204 | GUI | An input/output error message appears on a running cfg_restore CLI command.
VBP-8 | GUI | The VBP MOTD page should look identical to the VBP 7301 MOTD page.
EM-12429 | GUI, Security | A typo was found on the Security > Trusted Hosts page.
EP-192 | H.323 | H.323 Embedded Gatekeeper unlocked client shows as locked after reboot.
EP-431 | H.323 | Modified the system's H.460 support for calls terminating to Polycom RealPresence Access Director.
EP-435 | H.323 | Content sharing was not working correctly for a Panasonic endpoint.
EM-11357 | Multi-LAN | On the High Availability page, the LAN IP address is not shown when the Multi-LAN option is enabled.
EM-12396 | Config Backup / Restore | The Restore Saved Configuration option on the Config Backup/Restore page accepts an invalid configuration file without any error notification.
EM-12136 | DNS | Excessive DNS SRV lookup messages were observed on the system. Every two minutes the logs are populated with a DNS SRV message even if successful each time. This makes the syslog very busy with unnecessary messages.
EM-12198 | Online Help | Typos were found in the B2BUA configuration page online help.
EM-12243 | Security | GHOST Vulnerability, CVE-2015-0235. Refer to GHOST Vulnerability [EM-12243]. Case number: 41178, 41231
EM-12369 | Security | Doing an ewn restore with an empty conf1 file removes the CLI root user.
EP-458 | SIP | Receiving a SIP 180 message with a blank supported header caused the ALG to restart.
EP-327 | SIP | SIP stress testing with certain configurations can cause a memory issue after 70 or 80,000 calls. This issue is still under investigation. If the issue appears, the system will automatically recover.
EP-309, EP-461 | SIP | SIP Settings online help for SIP modes needs an updated description.
EP-433 | SIP | External SIP server mode does not pass Valid8 registration to the external SIP server.
EP-455 | SIP | Embedded mode shows a call count = 0 when a call is established between WAN to LAN clients.
EP-457 | SIP | Calls between WAN to WAN registered clients fail when dialling user@host with ‘host’ as the DUT WAN FQDN address.
EP-478 | SIP | When the system is configured for LAN-side SIP server mode, the system blocks SIP messages on the LAN except for messages coming from the configured LAN SIP server address. The system now allows INVITES when the source matches a configured LAN trunking device.
EP-364 | Switch Ports | The Switch Ports page contains a WLR warning. The feature is not supported on the VBP 7301 platform.
EM-12253 | VLAN | The default VLAN subinterface is not created when VLANs are enabled.
EM-11901 | VLAN | Unable to add a VLAN with an IPv6 address only on the Network > VLAN configuration page. The GUI displays an error if an IPv6 address is used without also having an IPv4 address.

Known Limitations in Release 14.1.2

Issue ID | Limitation | Workaround
EP-269 | When two WAN-side registered SIP devices call each other, it is possible to experience two-way audio and one-way video intermittently. | Hang up and place call again.
EP-384 | A SIP memory leak during call stress testing was fixed. | —
EP-327 | SIP stress testing with certain configurations can cause a memory issue after 70 or 80,000 calls. This issue is still under investigation. | If the issue appears, the system will automatically recover.
EM-12489 | Upgrade using SCP is not working. | —


VBP 7301 Release 14.1.1

Version 14.1.1 is the first VBP 7301 product release.

Known Limitations in Release 14.1.1

Issue ID | Limitation | Workaround
EM-9921 | The VBP 7301 experiences packet loss and video quality issues when Ethernet interfaces are configured for autonegotiate and the interface negotiates 100/Half-duplex or is statically set to 100/Half-duplex. | Statically set the system to 100/Full-duplex on all interfaces and the connected switch ports. Do not configure the switch or VBP 7301 Ethernet interface to auto-negotiate on one side and hard-coded on the other. Verify the connected switch port and the VBP 7301 interface are set to the same speed and duplex combinations.
EP-327 | SIP stress testing with certain configurations can cause a memory issue after 70 or 80,000 calls. This issue is still under investigation. | If the issue appears, the system will automatically recover.
— | Polycom Series devices configured for SIP TLS are having issues with certificate management and may not be able to register to the system correctly. LifeSize and Cisco SIP devices will accept the certificate and register correctly. Bria software client must be configured to accept the certificate before this client will register correctly. | Use SIP TCP
EP-269 | When two WAN-side registered SIP devices call each other, it is possible to experience two-way audio and one-way video intermittently. | Hang up and place call again.


Copyright and Trademark Information

Copyright© 2016, Polycom, Inc. All rights reserved. No part of this document may be reproduced, translated into another language or format, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc.

6001 America Center Drive, San Jose, CA 95002, USA

Trademarks Polycom®, the Polycom logo and the names and marks associated with Polycom products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries.

All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom.

End User License Agreement By installing, copying, or otherwise using this product, you acknowledge that you have read, understand and agree to be bound by the terms and conditions of the End User License Agreement for this product. The EULA for this product is available on the Polycom Support page for the product.

Patent Information The accompanying product may be protected by one or more U.S. and foreign patents and/or pending patent applications held by Polycom, Inc.

Open Source Software Used in this Product This product may contain open source software. You may receive the open source software from Polycom up to three (3) years after the distribution date of the applicable product or software at a charge not greater than the cost to Polycom of shipping or distributing the software to you. To receive software information, as well as the open source software code used in this product, contact Polycom by email at [email protected].

Disclaimer While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document.

Limitation of Liability Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages.

Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to [email protected].

Polycom Support Visit the Polycom Support Center for End User License Agreements, software downloads, product documents, product licenses, troubleshooting tips, service requests, and more.