What are trusted devices?
Trusted Devices is an add-on for Pexip Service gateway customers (Microsoft Teams or Google Meet CVI) that allows video endpoints that are not registered on the service to bypass the meeting lobby. Without Trusted Devices, only video endpoints that are registered on the service, or on the same tenant as the CVI service, can bypass the lobby.
How does it work?
Pexip offers two ways to trust non-registered endpoints:
- SIP authentication (recommended). This is defined as a 'challenge rule' in the Pexip portal.
- IP address. This is defined as a 'trust rule' in the Pexip portal.
SIP authentication (challenge rule)
The video endpoint calls from a domain that the Pexip Service is configured to challenge. If the call answers the challenge with valid credentials, it bypasses the lobby. If it does not provide authentication, the call is disconnected.
If the call is from a domain that is not set up to be challenged, the user is placed in the lobby.
This is the most secure trust option. It requires that the customer's SBC (or equivalent call control) can authenticate on behalf of its endpoints. (Pexip can provide the customer with a username/password to be used.)
Pexip supports multiple challenged domains per customer.
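The exchange behind a challenge rule, as an added example written for this article and not Pexip's own code. The article only says that calls from a challenged domain must authenticate with a username/password; this example assumes standard SIP Digest authentication (RFC 3261 section 22, MD5 with qop=auth), and the realm, nonce, SIP URI and credentials are constructed values, not Pexip ones. The challenging side issues a 401 with a nonce, the customer's SBC answers it in the re-sent INVITE, and the challenging side then decides between bypassing the lobby and disconnecting the call:

```python
"""SIP Digest challenge/response as assumed for a 'challenge rule'.

Added example, not Pexip code.  Realm, nonce, URI and credentials below are
constructed for illustration.
"""
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_challenge(realm, nonce=None):
    """Challenging side: parameters carried in the 401 WWW-Authenticate header."""
    return {"realm": realm, "nonce": nonce or secrets.token_hex(16),
            "qop": "auth", "algorithm": "MD5"}


def answer_challenge(challenge, username, password, method, uri, cnonce=None, nc="00000001"):
    """Customer SBC side: the Authorization header added to the re-sent INVITE."""
    cnonce = cnonce or secrets.token_hex(8)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
        "response": digest_response(username, password, challenge["realm"], method, uri,
                                    challenge["nonce"], nc, cnonce, challenge["qop"]),
    }


def verify(authorization, challenge, credentials, method):
    """Challenging side: decide the call's fate from the re-sent INVITE.

    credentials maps username -> password (the values agreed with the customer).
    Returns 'bypass' (authenticated, lobby bypassed) or 'disconnect'.
    """
    if authorization is None:
        return "disconnect"  # the challenge was never answered: the call is dropped
    password = credentials.get(authorization.get("username"))
    if password is None or authorization.get("nonce") != challenge["nonce"]:
        return "disconnect"  # unknown user, or a replayed response for a stale nonce
    expected = digest_response(authorization["username"], password, challenge["realm"], method,
                               authorization["uri"], challenge["nonce"], authorization["nc"],
                               authorization["cnonce"], authorization["qop"])
    # Constant-time comparison so the check does not leak how many bytes matched.
    return "bypass" if hmac.compare_digest(expected, authorization["response"]) else "disconnect"


def demo():
    """Run the three outcomes the article describes: authenticated, wrong password, no answer."""
    creds = {"acme-sbc": "correct horse battery staple"}  # constructed
    chal = make_challenge("example-cvi.invalid")  # constructed realm
    uri = "sip:[email protected]"
    good = answer_challenge(chal, "acme-sbc", creds["acme-sbc"], "INVITE", uri)
    bad = answer_challenge(chal, "acme-sbc", "wrong password", "INVITE", uri)
    return {
        "authenticated": verify(good, chal, creds, "INVITE"),
        "wrong password": verify(bad, chal, creds, "INVITE"),
        "no authorization": verify(None, chal, creds, "INVITE"),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the code: the credentials only ever travel as a hash bound to the server's nonce, so a captured Authorization header cannot be replayed against a later challenge, and the SBC must be able to answer the 401 for the INVITE itself, which is why a challenge rule must not be activated until the customer has loaded the credentials into their call control.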
IP address (trust rule)
The endpoint is trusted if the call comes from a pre-configured list of IP addresses or networks. This assumes that the customer's call control system is correctly configured to validate its endpoints, and that it only relays its own traffic to the Pexip Service: any device that can send SIP to Pexip from a trusted address inherits the trust.
Any call not coming from a trusted IP address is placed in the lobby.
Pexip supports multiple IP addresses / network masks.
This rule can be further restricted to endpoints calling from a specific domain. This is useful when multiple companies share one call control infrastructure and a source address alone does not identify the company.
Configuring trusted devices
Note: configuration of Trusted Devices is only available for Pexip Partners, via portal.pexip.com.
You can configure Trusted Devices for each company, under the 'Interop' tab. You can add one or more rules as required for each company:
- One or more trusted calling domains with SIP authentication (Challenge)
- One or more trusted IP addresses or networks (Trust)
- Any combination of SIP authentication and IP trust rules
1. Policy Action = "Challenge"
- Trust is based on the calling party domain plus SIP authentication.
- The SIP Username and Password required for authentication are automatically generated as a suggestion. However, the customer can provide their own values to be used instead.
- Each calling party domain to be trusted should be configured individually.
2. Policy Action = "Trust"
- Trust is based on the calling party source IP address or IP network.
- Configure the Source IP with either a specific host address (a /32), or with an IP network and netmask in CIDR notation. An address entered without a netmask is treated as a /32.
- Lists of IP addresses are not accepted: enter each /32 address as its own rule.
- When trusting a network, enter the network address itself together with its mask. The tool will not work out the network for you if you enter a host address with a mask, e.g. 22.214.171.124/21; enter the network address 22.214.168.0/21 instead.
- If call control infrastructure is shared between multiple companies, use the optional 'From domain' field so that the rule only trusts devices coming from that domain AND that IP address/network.
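How the configured rules combine to decide the fate of a call, covering both the trust-rule behaviour described under "How does it work?" and the configuration constraints above. This is an added example written for this article, not Pexip's implementation: the rule fields mirror the portal options (Policy Action Challenge/Trust, Source IP or network, optional From domain, active flag), but the precedence used when both a Trust rule and a Challenge rule match the same call is an assumption (Trust rules are checked first), and all addresses and domains are constructed from documentation ranges. The Source IP normalisation enforces the points above: a bare address becomes /32, lists are rejected, and a host address with a mask is rejected with the network the user should enter instead.

```python
"""Trusted Devices rule evaluation.  Added example, not Pexip code.

Assumptions: Trust rules take precedence over Challenge rules; all IPs and
domains are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                                  # "challenge" or "trust" (Policy Action)
    from_domain: Optional[str]                   # mandatory for challenge, optional for trust
    source: Optional[ipaddress.IPv4Network] = None   # Source IP / network, trust rules only
    active: bool = False                         # rules are created inactive (see 'Enabling Trust Rules')


def parse_source(text: str) -> ipaddress.IPv4Network:
    """Normalise one Source IP entry the way the portal expects it.

    - a bare address is taken as /32
    - a network is entered as network address + mask, e.g. 22.214.168.0/21
    - a host address with a mask (22.214.171.124/21) is rejected; the error
      names the network that should be entered instead
    - comma or space separated lists are rejected; each /32 is its own rule
    """
    text = text.strip()
    if "," in text or " " in text:
        raise ValueError("lists are not accepted; enter each address as its own /32 rule")
    if "/" not in text:
        text += "/32"
    try:
        return ipaddress.IPv4Network(text)  # strict: host bits must be zero
    except ValueError:
        net = ipaddress.IPv4Network(text, strict=False)
        raise ValueError(f"{text} is a host address with a mask; enter the network {net} instead") from None


def decide(rules, protocol, source_ip, from_domain, authenticated=False):
    """Return 'bypass', 'lobby' or 'disconnect' for one incoming call.

    authenticated: whether the caller (normally the customer's SBC) answered
    the SIP authentication challenge with the configured credentials.
    """
    if protocol.upper() != "SIP":
        return "lobby"  # H.323 etc. are handled as if no rules had been set
    ip = ipaddress.ip_address(source_ip)
    domain = from_domain.lower()
    active = [r for r in rules if r.active]  # inactive rules have no effect
    # Trust rules: source address inside the network, plus the From domain if the rule restricts it
    for r in active:
        if r.action == "trust" and ip in r.source and (r.from_domain is None or r.from_domain.lower() == domain):
            return "bypass"
    # Challenge rules: domain matches, so the call must authenticate or it is dropped
    for r in active:
        if r.action == "challenge" and r.from_domain.lower() == domain:
            return "bypass" if authenticated else "disconnect"
    return "lobby"


# Constructed sample rule set (RFC 5737 documentation ranges, .invalid/.example names)
EXAMPLE_RULES = [
    Rule("challenge", "sbc.example.net", active=True),
    Rule("trust", None, parse_source("203.0.113.0/24"), active=True),
    Rule("trust", "tenant-a.example.org", parse_source("198.51.100.0/24"), active=True),  # shared call control
    Rule("trust", None, parse_source("192.0.2.10"), active=False),  # configured but not yet activated
]


if __name__ == "__main__":
    for call in [("SIP", "203.0.113.10", "anything.example", False),
                 ("SIP", "198.51.100.7", "tenant-b.example.org", False),
                 ("SIP", "192.0.2.99", "sbc.example.net", True),
                 ("SIP", "192.0.2.99", "sbc.example.net", False),
                 ("H323", "203.0.113.10", "anything.example", False)]:
        print(call, "->", decide(EXAMPLE_RULES, *call))
```

The shared-infrastructure case is the one to watch: with only the 198.51.100.0/24 rule and no From domain, every company relayed by that call control would bypass the lobby of the company the rule belongs to, which is why the From domain restriction exists.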
Enabling Trust Rules
The rules you configure are created in an inactive state, and you have to activate them manually before they apply to production calls. Once a rule is marked active, the Trusted Devices policy takes effect within a few minutes.
IMPORTANT: activating a 'challenge rule' before the customer has configured their call control with the credentials will cause calls from that domain to fail, because the challenge cannot be answered. Coordinate activating the 'challenge rule' with the customer's credential configuration. This does not apply to 'trust rules'.
Ordering the Trusted Devices add-on
See this article (requires log in) for instructions about how to order the Trusted Devices add-on.
Ensuring that your trusted devices are shown in the global directory
You can use static addresses to add unregistered endpoints to the global directory. Ask your Pexip partner for support on this feature.
Supported devices and call control systems
Any SIP (2.0) compatible system is supported.
Non-SIP calls, e.g. H.323, are not supported. Such calls are not evaluated against the policy rules at all and are handled as if no rules had been set, so they cannot use Trusted Devices to bypass the lobby.
We have tested against self-hosted Pexip Infinity and Cisco Expressway, and we also expect other call control systems to work successfully.