Polycom® RealPresence Collaboration Server (RMX) 1500/2000/4000 Administrator’s Guide
4-42 Polycom, Inc.
— The SEND_SRTP_MKI System Flag enables or disables the inclusion of the MKI
field in SRTP packets sent by the Collaboration Server. The default value of the flag
is YES. Add the flag to system.cfg and set its value set to NO to disable the inclusion
of the MKI field in SRTP packets sent by the Collaboration Server when using
endpoints that cannot decrypt SRTP-based audio and video streams if the MKI
(Master Key Identifier) field is included in SRTP packets sent by the Collaboration
Server. This System Flag should not be set to NO when HDX endpoints, Microsoft
Office Communicator and Lync Clients. For more information, see "Modifying System
Flags” on page 22-1.
• In compliance with UC_APL_SEC_0013, the MCU supports Privacy Protocol
AES_CM_128_HMAC_SHA1_32, in addition to AES_CM_128_HMAC_SHA1_80. For
more information see "Media Encryption and Authentication” on page 23-57.
Mixing Encrypted and Non-encrypted Endpoints in one Conference
Mixing encrypted and non-encrypted endpoints in one conference is possible, based on the
Encryption option “Encrypt When Possible” in the Conference Profile - Advance dialog box.
The behavior is different for H.323/SIP and ISDN participants.
In versions prior to version 7.6.1, this behavior is based on the setting of the system flag
ALLOW_NON_ENCRYPT_PARTY_IN_ENCRYPT_CONF.
The option “Encrypt When Possible” enables the negotiation between the MCU and the
endpoints and let the MCU connect the participants according to their capabilities, where
encryption is the preferred setting. Defined participants that cannot connect encrypted are
connected non-encrypted, with the exception of dial-out SIP participants.
The same system behavior can be applied to undefined participants, depending on the
setting of the System Flag
FORCE_ENCRYPTION_FOR_UNDEFINED_PARTICIPANT_IN_WHEN_AVAILABLE_MODE:
• When set to NO and the conference encryption in the Profile is set to “Encrypt When
Possible”, both Encrypted and Non-encrypted undefined participants can connect to the
same conferences, where encryption is the preferred setting.
• When set to YES (default), Undefined participants must connect encrypted, otherwise
they are disconnected.
For defined participants, connection to the conference is decided according to the encryption
settings in the conference Profile, the Defined Participant’s encryption settings.
For undefined participants, connection to the conference is decided according to the
encryption settings in the conference Profile, the System Flag setting and the connecting
endpoint’s Media Encryption capabilities.
• When the conference encryption is set to "Encrypt when possible", SIP dial out participants
whose encryption is set to AUTO can only connect with encryption, otherwise they are
disconnected from the conference.
• In CISCO TIP environments, dial in endpoints that are registered to CUCM can only connect as
non-encrypted when the conference encryption is set to “Encrypt when possible” as the CUCM
server sends the Invite command without SDP.