Polycom One Touch Dial Service

November 28, 2018

This article is the second in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.

  1. RealConnect Service for Skype and Teams – introduces the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  (A future article will cover the additional configuration steps required to support Skype for Business Server or Hybrid deployments with the service.)
         
  2. Polycom One Touch Dial Service – explains what this ancillary service is, how it works, and provides detailed configuration steps for using it with Polycom VTCs.  (A future article will cover the configuration for Cisco VTCs.)      
         
  3. Polycom Cloud Relay – outlines the purpose of this component, how it works, and then walks through the steps for deploying a Cloud Relay virtual server on-premises.  This on-premises server is an optional component to the RealConnect service, only needing to be deployed when using Skype for Business Server and/or supporting Cisco endpoints with the One Touch Dial service.

The specific term "One Touch Dial" (or its initialism "OTD") is not new.  It has been used for several years to describe various concepts throughout Polycom solutions: a workflow, an action, a server, an application, and now a service.  To offer some clarity, OTD started as an application which provided a simple meeting joining experience to Polycom and Cisco VTCs for on-premises RealConnect meetings.  This application is one of several custom applications which run on a dedicated on-premises server called the Polycom Workflow Server.  This server is used only with the traditional RealConnect deployment model which utilizes on-premises Polycom MCUs.

More recently the OTD functionality was put into Microsoft Azure for use with the RealConnect service.  Yet, not 100% of what OTD does can be put into the cloud.  The on-premises version of OTD essentially operates as both a Microsoft Exchange Web Services (EWS) proxy and an emulator of the Cisco Telepresence Management Suite (TMS), at a Calendaring level only.  Both of those roles are needed to support both Polycom and Cisco endpoints.  Polycom endpoints (like the Group Series, HDX, Trio, etc.) all operate as native EWS clients and will automatically retrieve meeting invitations by routinely polling the appropriate Exchange Server or Exchange Online, which is essentially a ‘pull’ operation.  So regardless of the location of the endpoint it is easy for these devices to open a new connection to a server over HTTPS 443.

On the other hand, Cisco endpoints that natively support One Button To Push (OBTP) do not operate using the same approach.  These endpoints are effectively dumb and rely on another server (TMS) to retrieve meeting invitation emails on their behalf, which are then relayed to the endpoint.  Given that this ‘push’ operation cannot typically be performed from an Internet-based service down to a host sitting on a private network behind firewalls, the relay needs to exist within the same routed internal network.  Thus, the Polycom Cloud Relay is utilized as this relay.  This means that while most of the operation of the original OTD application was placed into Azure as a service, the TMS emulator portion is provided as an applet which resides on the on-premises Cloud Relay virtual server.

Workflow Explained

This simple diagram depicts how the OTD service works for both types of supported endpoints.

The OTD service acts as an EWS proxy and will fetch the mailbox contents on behalf of the endpoint.  This middle-man step is required as OTD’s primary function is to scan the invitation, looking for RealConnect-enabled meeting invitations.  When an applicable Skype for Business or Teams meeting invitation is found, it reformats the outgoing copy to match what the associated endpoint expects to see, so that the ‘Join’ button appears and operates correctly on the endpoint.  As the required formatting is different between Polycom and Cisco endpoints, OTD will handle this accordingly.

  • Polycom VTCs communicate directly with the OTD service currently hosted in Microsoft Azure, so when the endpoint performs a routine mailbox check it will connect to the OTD service to trigger the process.  OTD processes the messages and then passes them on to the Polycom endpoint.  To the endpoint this process is transparent and looks like a regular EWS message exchange.

  • Cisco VTCs do not initiate this process though; the environment configuration drives this.  The OTD service itself will monitor mailboxes associated with Cisco endpoints and routinely check for new messages.  If any are found then it will push the message down to the Cloud Relay (which has previously established an ongoing secure two-way connection to the OTD service) and then the Cloud Relay will act as a TMS Calendaring service and relay the message to the target Cisco VTC over the local network.  The connection from the relay to the VTC is first attempted securely via HTTPS, but if connectivity over TCP 443 is not available then it will fall back to attempting to connect via HTTP over TCP 80.

Note that while the diagram above depicts Exchange Online as the mailbox location the OTD service also supports on-premises Exchange Server environments.  As long as Exchange Web Services has been published externally in a deployment then the service can leverage the external EWS FQDN to connect to the server and access the required mailboxes.

Thus the OTD service can be used with Exchange Server, Hybrid, or Online topologies.  For the articles in this series a standard Microsoft Office 365 tenant is being used so Exchange Online mailboxes will be leveraged for all configuration steps.

Overview

There are several different configuration options available to provide One Touch Dial capabilities to Skype for Business Server, Online, and Teams meetings which are enabled for RealConnect.  Polycom endpoints support multiple options, but to support Cisco endpoints there is only one possible configuration.

Pass-Through Authentication

Polycom endpoints can by default simply leverage pass-through authentication via the OTD service to access the requested mailbox in Exchange.  The required credentials are stored on the endpoint and are used to authenticate through the OTD service (as a proxy) into Exchange. Pass-through authentication can be used with the actual mailbox account’s credentials or a shared service account if desired. 

This method of using the mailbox’s own credentials on the endpoint configuration is the easiest and requires no configuration in the OTD portal, but it may not be possible in environments where resource mailboxes are disabled in Active Directory.  An alternative approach is to utilize a service account to authenticate to Exchange in the event that the resource mailboxes themselves are not enabled for authentication, which is common (and the default) behavior for Exchange resource mailboxes.  The service account model can be configured to use either pass-through or proxy authentication models.

  • With pass-through authentication a single service account is created and then delegated permissions to all applicable resource mailboxes.  The service account credentials are entered in each endpoint alongside the SMTP address of the desired resource mailbox for a given endpoint. The same service credentials are used on every endpoint for accessing each unique resource mailbox.

Proxy Authentication

The OTD service must first be configured to leverage this model as a service account is used alongside manual endpoint configuration in the portal.  To provide One Touch Dial to any supported Cisco endpoints this option is required; pass-through authentication is not applicable.  Polycom endpoints can also use this option if the credentials of the service account are to be known and managed only by IT staff with access to the OTD portal while a different set of local credentials which are known by support staff will be used on the endpoints themselves.  This is a less common approach but does offer flexibility in larger deployments with separate teams managing different components of the overall solution.

  • For proxy authentication the same service account is created and then delegated permissions to all applicable resource mailboxes but is instead stored directly in the OTD portal configuration.  Then unique credentials are manually generated in the OTD portal for each newly configured device, to be used for that endpoint’s local configuration.  The OTD service will act as an authentication proxy, using the local set of credentials for connections from endpoint to the OTD service, and the service account for all communications between itself and Exchange.

The remainder of this article covers the multiple configuration options available to Polycom VTCs.  A separate (pending) article outlines the configuration for Cisco VTCs, which require additional steps as well as the deployment of a Cloud Relay server on-premises.


Basic Configuration

This section will walk through creating or validating the required Exchange mailbox and then configuring a single Polycom Group Series endpoint to leverage the OTD service.  The mailbox will be created in Exchange Online, but Exchange Server could also be used.  For this method to be viable the resource mailbox (new or existing) will need to be enabled for authentication.  If that is not possible or not allowed by enterprise policies then skip to the next section covering the Service Account Configuration methods.

There is no need to first sign in to the One Touch Dial portal and perform any service configuration steps when using Polycom endpoints.  The service will automatically leverage Exchange Autodiscover to locate the source mailbox in Exchange Online or Exchange Server. 

Prepare PowerShell

The following environment preparation steps are performed using Windows PowerShell to connect to multiple online modules.  The workstation used to perform these commands may need to have some initial setup steps performed to access these modules.  Only the Exchange Online PowerShell and MSOnline modules need to be installed to support the cmdlets in this article.

  • Follow the steps in the Managing Office 365 with PowerShell article and then connect to both Exchange Online and the MSOnline modules as instructed.  (There is no need to connect to the AzureAD or Skype for Business modules.)

Create Mailbox

This step may not be required as typically a mailbox already exists for a conferencing room space that is represented in Outlook to book as a resource.  If a new mailbox needs to be created for a specific VTC then the following steps can be used to create an Exchange Room Mailbox using PowerShell.

For this article a new resource mailbox will be created for use with a single Polycom Group Series endpoint.

  • Run the following New-Mailbox command to create a new resource mailbox of Room type, replacing the example values with the desired unique ID, Alias, Name, and Password.

New-Mailbox -MicrosoftOnlineServicesID "vtc1@msteams.net" -Alias "vtc1" -Name "VTC 1 (Polycom)" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "P@s5w04d" -AsPlainText -Force)

If a replication failure warning appears it can safely be ignored as it is just reporting that the new mailbox will take some time to be created and replicated within Exchange Online.  The following configuration steps can be performed immediately. 

If needed, repeat this process to create a room mailbox for every Polycom endpoint which will be used with OTD service.

Configure Mailbox

Using either the new mailbox created above or an existing mailbox the following commands will ensure that the mailbox is correctly configured.  Depending on how existing resource mailboxes were created these parameters may already be set correctly, but sometimes the existing settings will purge the meeting invitation contents to save on mailbox storage.  Without that data included in the room’s copy of the invite then OTD has no information to process and then no ‘Join’ button would appear on the invited VTC.

  • Run the following Set-CalendarProcessing command against the new mailbox as identified by the Identity parameter.  Leave all other parameters at the documented values, aside from the -AdditionalResponse setting which can be customized to include any message.

Set-CalendarProcessing -Identity "vtc1@msteams.net" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is enabled for One Touch Dial with Polycom RealConnect"

If needed, repeat this process for every room mailbox (new or existing) that is (or will be) associated with a supported VTC to leverage OTD.
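Repeating the Create Mailbox and Configure Mailbox steps for several rooms can be scripted as below. This is an added example, not part of the original article: it assumes an already connected Exchange Online PowerShell session, the second room in the list is constructed sample data, and each password is prompted for so it never appears as a literal in command history or transcripts.

```powershell
# Added example (not from the original article).
# Assumes an Exchange Online PowerShell session is already connected.
# vtc2 is constructed sample data; replace the list with the real rooms.
$rooms = @(
    [pscustomobject]@{ Upn = 'vtc1@msteams.net'; Alias = 'vtc1'; Name = 'VTC 1 (Polycom)' }
    [pscustomobject]@{ Upn = 'vtc2@msteams.net'; Alias = 'vtc2'; Name = 'VTC 2 (Polycom)' }
)

# Calendar processing values from the article, splatted so every room
# receives exactly the same settings.
$calendarSettings = @{
    AutomateProcessing    = 'AutoAccept'
    AddOrganizerToSubject = $false
    AllowConflicts        = $false
    DeleteComments        = $false   # keeps the invitation body that OTD scans
    DeleteSubject         = $false
    RemovePrivateProperty = $false
    AddAdditionalResponse = $true
    AdditionalResponse    = 'This room is enabled for One Touch Dial with Polycom RealConnect'
}

$results = foreach ($room in $rooms) {
    $existing = Get-Mailbox -Identity $room.Upn -ErrorAction SilentlyContinue

    # Never reconfigure a user or shared mailbox that happens to share the address.
    if ($existing -and $existing.RecipientTypeDetails -ne 'RoomMailbox') {
        Write-Warning "$($room.Upn) exists but is not a room mailbox; skipped."
        continue
    }

    $action = 'Existing mailbox reconfigured'
    if (-not $existing) {
        # Prompt for the password instead of passing a plain-text string,
        # so it is not recorded in PSReadLine history or session transcripts.
        $password = Read-Host -Prompt "Password for $($room.Upn)" -AsSecureString
        $newRoom = @{
            MicrosoftOnlineServicesID = $room.Upn
            Alias                     = $room.Alias
            Name                      = $room.Name
            Room                      = $true
            EnableRoomMailboxAccount  = $true
            RoomMailboxPassword       = $password
        }
        New-Mailbox @newRoom | Out-Null
        $action = 'Mailbox created'
    }

    Set-CalendarProcessing -Identity $room.Upn @calendarSettings

    [pscustomobject]@{ Room = $room.Upn; Action = $action }
}

$results | Format-Table -AutoSize
```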

Configure Endpoint

The following steps are used to perform the calendar setup directly on the Polycom Group Series with the newly created and configured resource mailbox.

  • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.

  • If not already enabled click the checkbox next to Enable Calendar Service.

  • Enter the Email address (e.g. vtc1@msteams.net), User Name (e.g. vtc1@msteams.net), and Password for the desired resource mailbox.  (Leave the Domain field blank as the User Principal Name format is used in the User Name field which already includes the domain name.)

  • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while it is attempting to sign-in via Exchange Web Services.  Once successful the status will automatically update to Registered.

If the mailbox has been invited to any scheduled meetings then the connected endpoint will now display those invitations on the calendar.

Furthermore, if any of those meetings are Skype for Business or Teams meetings scheduled by a user enabled for the RealConnect service then the Join button will be displayed, providing the simple One Touch Dial experience used to connect the endpoint directly into the scheduled meeting.  The following Call Statistics details from the Group Series show a successful H.323 video call into the RealConnect for Microsoft Teams service (as denoted by the t.plcm.vc domain name in the call string).

At this point the standard setup is complete for any Polycom endpoints which are not natively registered to Skype for Business.  In fact the Group Series used in this article was reset to factory defaults just prior to this configuration and the meeting was successfully joined simply by placing an H.323 video call after configuring the calendar.


Service Account Configurations

The configuration above simply uses the service’s default capabilities to automatically locate the source mailbox in Exchange Online or Exchange Server via standard autodiscover processes.  The mailbox credentials are stored on the endpoint and provided to the OTD service which uses pass-through authentication to connect to the mailbox and then process the invite.  The same automatic process can be used with a service account, given that pass-through authentication is utilized (Option 1).  Yet for proxy authentication (Option 2) some additional configuration is required to create new sets of credentials for each device as well as connect OTD to the Exchange organization and store the service account credentials.

Create Service Account

Both options outlined above can utilize the same single service account (e.g. otd@msteams.net), so perform these steps to create the new account and delegate permissions to the resource mailboxes accordingly for either option.

This service account must have a mailbox even though its own mailbox is never actually used throughout the OTD process.  Exchange can only delegate mailbox permission to other mailbox-enabled accounts, hence the need for the license.

  • Using the same process as outlined in the first section connect to both Exchange Online and the MSOnline PowerShell modules and then execute the Get-MsolAccountSku cmdlet to list all available license options currently applied to the Office 365 tenant.

Get-MsolAccountSku

The example tenant in this article has available Enterprise E5 licenses (ENTERPRISEPREMIUM), which is clearly overkill for this requirement.  As suggested above a less expensive option of Exchange Online Kiosk (EXCHANGEDESKLESS) can be used instead.  (As seen above the single Kiosk license in this tenant has already been assigned to another user, so for the purposes of this article one of the free E5 licenses will be used.)

  • Run the following New-MsolUser command to create a new user account which will be used by the OTD service to connect to Exchange over Exchange Web Services.  Replace the example values below with the desired Display Name, User Principal Name, Usage Location (appropriate two-letter country code), License Assignment, and Password.

New-MsolUser -DisplayName "OTD Service Account" -UserPrincipalName "otd@msteams.net" -UsageLocation "US" -LicenseAssignment "jschertz:ENTERPRISEPREMIUM" -Password "P@s5w04d" -PasswordNeverExpires $true -ForceChangePassword $false

Delegate Mailbox Permissions

In order to use the new service account to access each and every resource mailbox it will need to be delegated the appropriate permissions to each mailbox.  The only right this account requires is Read access to just the Calendar folder in each mailbox.

  • Run the Add-MailboxFolderPermission command by providing the Identity of the desired source mailbox’s Calendar folder, as well as the User Principal Name of the newly created service account.

Add-MailboxFolderPermission -Identity "vtc1@msteams.net:\Calendar" -User "otd@msteams.net" -AccessRights "Reviewer"

If needed, repeat this process to delegate permissions for each room mailbox’s Calendar to the single service account.

Verify Mailbox Permissions

Once all mailboxes are configured the following optional cmdlet can be used to report which mailboxes in the entire organization the service account has access to.

  • Run the following command to query every mailbox in the organization and list each Calendar folder the target account has been assigned permissions to.

Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-MailboxFolderPermission -Identity "$($_.PrimarySmtpAddress):\Calendar" -User "otd@msteams.net" -ErrorAction SilentlyContinue } | Format-Table Identity,FolderName,User,AccessRights

This completes the requisite environment configuration and now the One Touch Dial Service can be setup and enabled.
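The verification step can be extended into a per-room least-privilege check. The script below is an added example, not part of the original article: it assumes a connected Exchange Online PowerShell session and a room list you supply (the list here is constructed), and it reports any room where the service account holds more than Reviewer on the Calendar folder, holds mailbox-level rights, or where calendar processing would strip the invitation content OTD needs.

```powershell
# Added example (not from the original article).
# Assumes an Exchange Online PowerShell session is already connected.
$serviceAccount = 'otd@msteams.net'      # service account used in the article
$rooms = @('vtc1@msteams.net')           # constructed list; add every OTD room mailbox

$report = foreach ($room in $rooms) {
    $findings = @()

    # 1. Calendar folder: the article delegates Reviewer (read) and nothing more.
    #    ${room} is braced so PowerShell does not parse "$room:" as a scoped variable.
    $folder = Get-MailboxFolderPermission -Identity "${room}:\Calendar" `
        -User $serviceAccount -ErrorAction SilentlyContinue
    if (-not $folder) {
        $findings += 'No Calendar permission; OTD cannot read invitations'
    }
    else {
        $rights = @($folder.AccessRights | ForEach-Object { "$_" })
        if (($rights -join ',') -ne 'Reviewer') {
            $findings += "Calendar rights are '$($rights -join ',')'; expected Reviewer only"
        }
    }

    # 2. Mailbox level: any explicit allow entry (for example FullAccess)
    #    is more than the read-only Calendar access the article calls for.
    $mailboxEntries = Get-MailboxPermission -Identity $room -User $serviceAccount `
        -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsInherited -and -not $_.Deny }
    foreach ($entry in $mailboxEntries) {
        $findings += "Mailbox-level rights granted: $($entry.AccessRights -join ',')"
    }

    # 3. Calendar processing: these settings purge the data OTD has to process.
    $cp = Get-CalendarProcessing -Identity $room
    if ($cp.DeleteComments)        { $findings += 'DeleteComments is enabled' }
    if ($cp.DeleteSubject)         { $findings += 'DeleteSubject is enabled' }
    if ($cp.RemovePrivateProperty) { $findings += 'RemovePrivateProperty is enabled' }

    [pscustomobject]@{
        Room      = $room
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize -Wrap
```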

Option 1: Pass-through Authentication

The first option available to use the service account requires no additional configuration.  Simply use the service account’s username and password in the endpoint’s calendar configuration while still pointing to the desired.

  • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.

  • Enter the Email address of the associated resource mailbox (e.g. vtc1@msteams.net), but provide the service account’s User Name (e.g. otd@msteams.net), and Password for the desired resource mailbox.  (Leave the Domain field blank as the User Principal Name format should be used in the User Name field which already includes the domain name.)

  • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while it is attempting to sign-in via Exchange Web Services.  Once successful the status will automatically update to Registered.

  • Check the endpoint’s calendar to verify any previously scheduled meetings are now displayed, and if any are a Skype for Business or Microsoft Teams meeting created by a RealConnect-licensed scheduler then a Join button should also appear.

In the example above a daily recurring Teams meeting has been scheduled and the VTC1 mailbox was previously invited.

  • Select the Join button on the Group Series to connect to the scheduled meeting.

As this example meeting is a Teams meeting hosted in a tenant where the lobby bypass for VTCs has been enabled, the call connected directly into the empty meeting.  Reviewing the call statistics shows the standards-based call (in this case SIP) matches the information shown in the original invitation.

Option 2: Proxy Authentication

The second option here will require additional configuration.  The OTD service portal will be leveraged to store the service account credentials as well as define a second set of credentials to be used on the endpoint.  This approach uses two separate accounts to adhere to any IT policies which require knowledge of service account credentials to be divided among different teams.  Essentially an administrator can configure the overall solution while help desk personnel can be given only the local credentials, which will only function through the proxy.  They cannot be used to access the source mailbox directly in Exchange.

  • Click the Sign in with Microsoft button and then enter the credentials of the account which was enabled for access (e.g. jeff@msteams.net).

The first time that an authorized user signs into the portal a prompt will appear requesting permission for the Polycom app to sign in on behalf of and read the user’s profile information and data.

  • Review the requested permissions and then click the Accept button.  (If the "Consent on behalf of your organization" option appears it can be ignored as each user account authorized for the OTD portal will receive this same one-time prompt.  If desired, an administrator can select this option now and other accounts will not be prompted when they first sign in.  The behavior of the service is not impacted either way.)

  • Click on the Calendars section and then click Connect next to the appropriate Exchange option.  (Office 365 is used for connectivity to resource mailboxes hosted in Exchange Online and Exchange is used for connectivity to Exchange Server deployments.  As this article is utilizing Exchange Online mailboxes then the Office 365 option will be selected.)

  • Select Connect with Service Account.  (It is not recommended to utilize the Application approach given that permissions to more than just what was specifically delegated would be granted to the OTD service in the selected tenant.)

When the Connect with Service Account option is selected a Microsoft login window will appear.  This authentication prompt is used to store the service account credentials into the OTD portal so it is important to enter the correct information here.

  • Enter the username and password of the service account which was created earlier (e.g. otd@msteams.net).

  • Review the requested permissions and then click the Accept button.

If successful the connection status for Office 365 will display the name of the account currently being used to communicate with Exchange Online.

  • Select Devices from the navigation menu and then click the Connect a Device button.

  • Select the appropriate endpoint; in this example click the RealPresence Group Series button.

  • In the Calendaring Email field enter the email address of the resource mailbox for the desired endpoint (e.g. vtc1@msteams.net), enter a descriptive name in the Name field (e.g. VTC1), and then click Create.

The next window will display a set of automatically generated credentials to use on the associated endpoint to authenticate to the OTD service with.  The username is randomly selected and cannot be changed or customized.  The password can be reset in a later step if desired.

  • Click on the Copy to Clipboard button and then paste the details into a new text file for later use.

    • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.

    • In both the Email and User Name fields enter the email address created by the portal in the previous step (e.g. gsaoclxiohed@otd.plcm.vc).

    • Leave the Domain field blank as it is not used for this configuration.

    • Enter the password as provided in the previous step (e.g. Is1ofyLAv1).

    • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while it is attempting to sign-in via Exchange Web Services.  Once successful the status will automatically update to Registered.

About Jeff Schertz
Site Administrator

Comments

6 Responses to “Polycom One Touch Dial Service”
  1. Dirk Nelson says:

    So it looks like from this excellent guide and Polycom’s website, the Group Series finally has support for using RealConnect for Teams. Is that correct?

    “Furthermore, If any of those meetings are Skype for Business or Teams meetings scheduled by a user enabled for the RealConnect service then the Join button will be displayed, providing the simple One Touch Dial experience used to connect the endpoint directly into the scheduled meeting.”

    Do each of my users need to be enabled for RealConnect or just the Office 365 service accounts being used to connect to EWS?

    • Jeff Schertz says:

      Dirk, Yes, the Group Series can join Teams meetings via RealConnect and has been able to for the past few months. The users themselves (who schedule the Teams meetings) will need to be enabled for RealConnect for Teams. This is simply a policy setting and not a license like SFB used (as outlined in the article I posted before this one) so anyone and everyone in the org can have it. The service account in this article is simply used for accessing mailboxes for invitation retrieval by the endpoints.

  2. Leon says:

    Been following and it’s a great article

    Currently we have RealConnect for SfB and everything goes well with Group Series since Microsoft licensed enable so Join Meeting wasn’t an issue until we are considering moving to Teams.

    For Option 1 with service account, do we need to purchase additional OTD or just simply follow the guide create account, point RPG to otd.plcm.vc will do? As of now I don’t have any official OTD account from Polycom yet..

    • Jeff Schertz says:

      OTD functionality is included with your RealConnect licenses, so just go ahead and configure the Group Series as I show in Option 1.

      You can find the official documentation for all Polycom cloud services here: https://cloudsupport.polycom.com/Services/ (select the Documentation section).

      • Leon says:

        Yes and it works seamlessly

        Just a quick note then the Group Series with Skype interop license enabled it will no longer in use, because of how OTD provision the dialstring method.

        • Jeff Schertz says:

          Correct, OTD is to be used with the RealConnect service. If you plan to stay registered to SfB you’ll want to keep the Calendaring service pointed directly at Exchange as the GS natively understands regular Skype Meetings.
