Military Unique Deployment Guide 2.7.3.
Trademark Information POLYCOM® and the names and marks associated with Polycom's products are trademarks and/or service marks of Polycom, Inc., and are registered and/or common law marks in the United States and various other countries. All other trademarks are the property of their respective owners. Patent Information The accompanying product may be protected by one or more U.S. and foreign patents and/or pending patent applications held by Polycom, Inc.
Contents
Document Change History ........ 5
FIPS 140-2 Cryptography ........ 5
Upgrading and Downgrading your Polycom HDX System ........ 6
    Upgrading the Software in a Non-DHCP Environment ........ 6
    Upgrading from Versions Earlier than 2.7.0_J ........ 6
    Upgrading from Version 2.7.1_J or 2.7.
Deployment Guide for Maximum Security Environments
This software, when configured per the guidance provided in this guide, is designed to meet the latest U.S. Department of Defense (DoD) security requirements for listing on the Unified Capabilities (UC) Approved Products List (APL) as maintained by the Defense Information Systems Agency (DISA) Unified Capabilities Connection Office (UCCO). For more information about the UC APL process, visit the UCCO website http://www.disa.
Upgrading and Downgrading your Polycom HDX System
When you upgrade your Polycom HDX system to version 2.7.3.1_J, the factory partition might also be automatically upgraded if it contains certain previous versions with known issues that have been corrected. If you later perform a factory restore, the system returns to version 2.7.3.1_J instead of the software version originally installed on the system. After installing version 2.7.3.
Configuring Security Settings in a Web Browser
You can configure some of the security settings on the local HDX system screens. For other security settings, however, you must use the HDX system web interface.
Using the Maximum Security Profile
The Maximum Security Profile lets you control particular fields to meet the highest security requirements (for example, systems used in government or military environments).
Security Settings
Setting: Restriction
Security Profile: Set to Maximum, not configurable.
Security Mode: Enabled, not configurable.
Use Room Password for Remote Access: Disabled, not configurable.
Remote Admin Access (web): Enabled, configurable.
Require Login for System Access: Enabled, not configurable.
Enable Remote Access: These are the restrictions:
• Web: Enabled, configurable.
• Telnet: Disabled, not configurable.
Setting: Restriction
Require Numbers: Set to Off, configurable.
Require Special Characters:
• Remote (Admin only): Set to 1; range is 1 to 2.
• Room (User/Admin): Set to Off; range is 1, 2, or All.
Reject Previous Passwords: Set to 10; range is 8 to 16.
Minimum Password Age in Days: Set to Off; range is 1 to 30.
Maximum Password Age in Days: Set to 60; range is 30 to 180.
Account Management
Setting: Restriction
Admin:
• Lock Account after Failed Logins: Set to 3, Off is not allowed.
• Account Lock Duration in Minutes: Set to 1, configurable.
User:
• Lock Account after Failed Logins: Set to 3, Off is not allowed.
• Account Lock Duration in Minutes: Set to 1, configurable.
Certificates, Revocation, and Whitelist
These settings can be configured only through the HDX system web interface.
Setting: Restriction
Lock Port after Failed Logins: Set to 3, configurable. Off is not allowed.
Port Lock Duration in Minutes: Set to 1, configurable. Off is not allowed.
You can configure the period of time, in hours, in which the failed login threshold must be exceeded to lock the user’s account. This setting can only be changed through the command-line interface using the serial API: loginwindowduration: Set to 1, range is 1 to 24.
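The three account-lock settings above (failed-login threshold, lock duration, and the loginwindowduration window) interact, and the following added example models that interaction so an administrator can reason about the defaults. It is a constructed illustration, not HDX code; it assumes the threshold count itself triggers the lock and that attempts made while locked are rejected without restarting the window.

```python
from collections import deque

# Defaults from the guide's Account Management table and the serial API setting.
FAILED_LOGIN_THRESHOLD = 3   # Lock Account after Failed Logins (Off is not allowed)
LOCK_DURATION_MINUTES = 1    # Account Lock Duration in Minutes
LOGIN_WINDOW_HOURS = 1       # loginwindowduration, range is 1 to 24


class LoginLockoutPolicy:
    """Constructed model of threshold + window + lock duration (not the HDX implementation)."""

    def __init__(self, threshold=FAILED_LOGIN_THRESHOLD,
                 lock_minutes=LOCK_DURATION_MINUTES,
                 window_hours=LOGIN_WINDOW_HOURS):
        if threshold < 1 or lock_minutes < 1:
            raise ValueError("Off is not allowed for threshold or lock duration")
        if not 1 <= window_hours <= 24:
            raise ValueError("loginwindowduration range is 1 to 24")
        self.threshold = threshold
        self.lock_seconds = lock_minutes * 60
        self.window_seconds = window_hours * 3600
        self._failures = {}      # account -> deque of failure timestamps (epoch seconds)
        self._locked_until = {}  # account -> epoch second at which the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def record_attempt(self, account, success, now):
        """Return (accepted, locked) for one login attempt at time `now`."""
        if self.is_locked(account, now):
            return False, True            # rejected; lock still in force
        failures = self._failures.setdefault(account, deque())
        # Only failures inside the sliding window count toward the threshold.
        while failures and now - failures[0] >= self.window_seconds:
            failures.popleft()
        if success:
            failures.clear()
            return True, False
        failures.append(now)
        if len(failures) >= self.threshold:
            self._locked_until[account] = now + self.lock_seconds
            failures.clear()              # the lock consumes the counted failures
            return False, True
        return False, False
```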
Setting: Restriction
Call Detail Report: Enabled, not configurable.
Exchange Calendaring: Disabled, not configurable.
Locating Your System
The system should be placed in a secured location and on a firewall-protected network segment. To mitigate certain network-based attacks, Polycom recommends that the network administrator configure port security on the switch to which Polycom devices connect.
4 Go to System > Admin Settings > General Settings > Security > External Authentication to configure the Active Directory Server (ADS) settings.
5 Go to System > Admin Settings > General Settings > Security > Security Settings.
Any user account information entered during the setup wizard is not valid after system restart. ADS is enabled by default in Maximum Security mode, which disables the local user account.
Deployment Type: Configuration Steps
ISDN-only Deployments: Go to System > Admin Settings > General Settings > Location > , and set Time Server to Off and manually configure the time and date.
8 On Polycom HDX 4000, 7000, and 8000 series systems, go to System > Admin Settings > LAN Properties > > , and disable the Enable PC LAN Port setting, unless its use is required. If you change this setting, the system restarts.
9 Go to System > Admin Settings > Network > Call Preference, and configure the following settings on the Call Preference screen.
Setting: Description
IP H.323:
• Disable this setting for ISDN-only deployments.
not configurable. You configure the remote access password initially during the setup wizard, and you can make changes later using the Admin Settings screens.
• Makes available different API commands depending on whether you log in with the Admin account or with the User account.
• Locks the serial port after a specified number of failed login attempts.
Setting: Strong Passwords / Numeric-only Passwords
Minimum Length: Strong Passwords value: 15 (recommended); Numeric-only Passwords value: 15.
This setting meets these requirements:
• UNIX STIG V5R1.23: GEN000580 (minimum 14)
• Application Security Checklist V3R3: APP3320 (minimum 8)
• DSN STIG V2R3.4: DSN13.06 (minimum 8)
• GR-815-CORE-2 R3-39 [26] (minimum 6)
• DODI 8500.2: IAIA-1, IAIA-2 (minimum 8)
• VTC STIG V1R1.2: RTS-VTC 2024.
Can Contain ID or Its Reverse Form:
Setting: Strong Passwords / Numeric-only Passwords
Require Special Characters: Strong Passwords value: 1; Numeric-only Passwords value: Off.
This setting meets these requirements:
• UNIX STIG V5R1.23: GEN000640
• Application Security Checklist V3R3: APP3320
• DSN STIG V2R3.4: DSN13.06
• GR-815-CORE-2 R3-39 [26]
• DODI 8500.2: IAIA-1, IAIA-2
2 Select and configure the following settings.
3 Go to System > Admin Settings > General Settings > Security > Password Settings > User Room Password, and enter the corresponding settings for the User Room Password.
4 Go to System > Admin Settings > General Settings > Security > Password Settings > Remote Access Passwords, and enter the corresponding settings for the Remote Access Password.
Viewing Network Interface and System Status
Network Interface Status
The network interface status is indicated by the lights on the network interface module.
Quad BRI Network Interface Status Lights
The network interface lights are located on the network interface module.
Indicator Light: Connection Status
Green and yellow lights off: Indicates one of the following situations:
• No power to the system.
• The system is not connected to the network.
Indicator Light: Connection Status
Yellow light on or blinking: There is a problem with the ISDN line.
Green light on: The system is able to make and receive calls.
Viewing System Status
You can view the System Status screen on the local system or by using the HDX system web interface.
Using the Camera Privacy Cover
The Polycom EagleEye camera goes to sleep when the Polycom HDX system does. For added security, Polycom now offers a privacy cover (part number 2215-28454-001) that you can attach to the camera. You can open and close the cover as needed. Contact your Polycom distributor for more information.
With HDX system software version 2.7.
Command: Description
a_detectcamera.cgi: Initiates camera detection
a_downloadlogpkg.cgi: Downloads the complete system log package
a_downloadpanasonicsettings.cgi: Downloads the Panasonic settings into a file
a_exportdirectoryasabk.cgi: Exports the contacts information into an XML file that can be imported back into the HDX system
a_getcdr.cgi: Gets the call detail report (CDR) from the system
a_getcurrentlog.
Command: Description
addgmsurl.cgi: Adds the Global Management Server (GMS) URL to the system
addrbooklist.cgi: Gets the address book list
currentscreen.cgi: Creates an image of the current screen
deletegmsurl.cgi: Deletes the GMS URL from the system
downloadclientcsr.cgi: Downloads the client Certificate Signing Request (CSR) from the system
downloadservercsr.cgi: Downloads the server CSR from the system
far_image_1.
Command: Description
swu_startupdate.cgi: Begins the softupdate process
swu_switchmode.cgi: Switches the system to softupdate mode
swu_updaterestoreimage.cgi: Reloads the current web page
swu_updatetasks.cgi: Sets the update tasks to be performed
swu_updatetype.cgi: Sets the type of update to perform, typical or custom
updatetime.cgi: Updates the system time
whitelistupdate.
b An NTP Server is required for proper system operation as tested. This is needed to provide the correct time and date for the following systems: HDX 7000 family, HDX 4000 family, HDX 6000 family, HDX 9000 family, and the HDX 8000 family.
c The HDX system must be integrated into the site’s AD environment for authentication and authorization requirements.