Pexip One-Touch Join

Deployment Guide

Software Version 33

Document Version 33.a

October 2023
 Pexip One-Touch Join Deployment Guide

Contents

About One-Touch Join 6

Enabling One-Touch Join 6
Supported Google Workspace editions 7
Supported Exchange environments 7
Exchange servers 7
Outlook clients 7
Supported endpoints 7
Cisco OBTP 8
Poly OTD 8
Supported meeting types 9
Supported number of endpoints and Conferencing Nodes 9
Pexip Infinity server requirements 9

One-Touch Join process and deployment overview 10

Process overview 10
Administrator configures OTJ 10
End user sends invitation 10
OTJ provides endpoint with meeting information 10
Frequency of and limitations on calendar requests 11
Changing the request quota 11
Locations, Conferencing Nodes and redundancy 12
Conferencing Nodes 12
Management Node 12
Network architecture, firewalls and web proxy 12
Conferencing Nodes 12
Management Node 13
Port usage 13
Permitting the service account to access calendars 14
Exchange integrations 14
Google Workspace integrations 15
Using One-Touch Join with personal endpoints and calendars 15

Configuring Exchange on-premises for One-Touch Join 16

Prerequisites 16
Creating a service account 16
Configuring Application Impersonation on the service account 17
Creating a new Distribution Group 17
Configuring application impersonation 18
Enabling authentication 18
NTLMv2 authentication 19
Basic authentication 19
Configuring calendar processing on room resource mailboxes 19

© 2023 Pexip AS Version 33.a October 2023 Page 2 of 121

 Pexip One-Touch Join Deployment Guide

Recommended configuration 20
Optional configuration 20
Checking calendar processing settings 21
Adding a One-Touch Join Exchange integration on Pexip Infinity 23
Next steps 24

Configuring Office 365 using Graph for One-Touch Join 25

Prerequisites 25
Creating and configuring a new App registration in Azure 25
Restricting the scope of the App registration 29
Creating a Distribution Group 30
Restricting access 30
Configuring calendar processing on room resource mailboxes 30
Recommended configuration 30
Optional configuration 31
Checking calendar processing settings 32
Adding a One-Touch Join O365 Graph integration on Pexip Infinity 34
Configuring the O365 Graph integration 34
Next steps 34

Configuring Office 365 using EWS for One-Touch Join 35

Prerequisites 35
Creating a service account 35
Configuring Application Impersonation on the service account 36
Creating a new Distribution Group 37
Configuring application impersonation 37
Configuring calendar processing on room resource mailboxes 38
Recommended configuration 38
Optional configuration 38
Checking calendar processing settings 40
Enabling OAuth authentication 41
Adding a One-Touch Join Exchange integration on Pexip Infinity 45
Configuring the Exchange integration 45
Signing in to the service account 47
Next steps 48

Configuring Google Workspace for One-Touch Join 49

Prerequisites 49
Creating a service account 49
Creating a room resource 53
Configuring the room resource 55
Sharing calendars externally 55
Sharing individual calendars with the service account 56
Auto-accepting invitations 57
Allowing users to book resources 58

© 2023 Pexip AS Version 33.a October 2023 Page 3 of 121

 Pexip One-Touch Join Deployment Guide

Updating the per-user request quota 59

Requesting an increase to API limits 60
Adding a One-Touch Join Google Workspace integration on Pexip Infinity 62
Next steps 63

Configuring Pexip Infinity for One-Touch Join 64

Prerequisites 64
Adding a One-Touch Join profile 64
Hiding or changing the meeting subject 67
Adding One-Touch Join endpoint groups 67
Adding One-Touch Join endpoints 68
Adding endpoints individually 68
Adding OTJ endpoints in bulk 70
Adding One-Touch Join meeting processing rules 72
Testing the rule 74
Next steps 75

Configuring endpoints to support One-Touch Join 76

Prerequisites 76
Configuring Cisco OBTP endpoints for OTJ 76
Prerequisites 77
Creating a Webex Integration 77
Enabling a One-Touch Join profile to use Webex Cloud 77
Adding a Webex endpoint 78
Disabling the calendar 78
Enabling the client API 80
DNS records 80
Poly authentication 80
Deployments with a load balancer 81
Configuring Poly RealPresence Group series 81
Configuring Poly Trio series 82
Configuring Poly HDX series 85
Configuring Poly Studio X series and Poly G7500 series 86
Configuring Poly Debut series 87

One-Touch Join meeting types and transforms 89

Fallback alias matching 89
Supported meeting types 89
Regex meeting type 92
Examples 92
Custom meeting type 93
Examples 94

Deploying a dedicated One-Touch Join platform 96

Minimum hardware requirements 96
On-premises deployments 96

© 2023 Pexip AS Version 33.a October 2023 Page 4 of 121

 Pexip One-Touch Join Deployment Guide

Cloud deployments 96
Minimum Pexip Infinity platform configuration 97
One-Touch Join configuration 97

Scheduling and joining meetings using One-Touch Join 98

Using One-Touch Join in meeting rooms 98
Using One-Touch Join with your personal endpoint 98

Viewing One-Touch Join status 99

Viewing One-Touch Join meetings 99
Viewing One-Touch Join endpoints 100

Configuring Google Workspace for domain user authorization 101

Prerequisites 101
Enabling authorization using OAuth 101
Creating a room resource 105
Configuring the room resource 108
Sharing individual calendars with the authorization user 108
Auto-accepting invitations 109
Allowing users to book resources 110
Updating the per-user request quota 111
Requesting an increase to API limits 112
Adding a One-Touch Join Google Workspace integration on Pexip Infinity 114
Configuring the Google Workspace integration 114
Authorizing calendar access 115
Next steps 117

Troubleshooting One-Touch Join 118

© 2023 Pexip AS Version 33.a October 2023 Page 5 of 121

 Pexip One-Touch Join Deployment Guide About One-Touch Join

About One-Touch Join

Pexip Infinity's One-Touch Join (OTJ) feature integrates support for existing "click to join" videoconferencing endpoint workflows into
your Pexip Infinity deployment. With One-Touch Join, when users schedule a meeting in Microsoft Outlook or Google Calendar and
include in the meeting invitation a room that contains a supported Cisco or Poly endpoint, the endpoint will display a Join button just
before the meeting is scheduled to begin. Participants can then simply walk into the room and select the button, and the endpoint will
automatically dial in to the meeting.
One-Touch Join is available as an optional licensed feature within the Pexip Infinity platform.
In most cases, One-Touch Join will be implemented as a feature within a wider Pexip Infinity deployment, and run on Conferencing
Nodes alongside other Pexip Infinity services. However, you can also set up separate OTJ locations within your deployment that contain
Conferencing Nodes used solely for One-Touch Join. A third option appropriate in some situations is to implement a separate Pexip
Infinity deployment purely for One-Touch Join, for example if you are a Pexip Service customer wishing to use One-Touch Join, or you
are a large enterprise wishing to separate the resources used for your One-Touch Join deployment. For more information, see
Deploying a dedicated One-Touch Join platform.

Enabling One-Touch Join

All Conferencing Nodes are capable of running One-Touch Join, although the service will only come into active operation on a node
when the location the node is in is associated with a One-Touch Join Endpoint Group.
Enabling the Pexip One-Touch Join service within your Pexip Infinity deployment involves the following steps, each described in
separate topics:

1. Permitting the One-Touch Join service to access the calendars used for One-Touch Join. How this is achieved depends on which
calendar/email service is used in your environment:
o For Google Workspace, you create a service account and share OTJ calendars with the service account. This service account
authenticates to Google Workspace with a private key using 2-legged OAuth. For full details, see Configuring Google
Workspace for One-Touch Join.
We also offer an alternative means for Google Workspace environments where the recommended method of using a
service account is not desirable. This alternative method uses a domain user which authenticates to Google Workspace
using 3-legged OAuth. For full details, see Configuring Google Workspace for domain user authorization.
o For Exchange on premises, you create a service account that uses application impersonation to read the OTJ calendars. This
service account authenticates to Exchange using basic authentication. For full details, see Configuring Exchange on-premises
for One-Touch Join.
o For Office 365, you create an application registration in Azure for OTJ, and grant the application permission to read OTJ
calendars using Microsoft's Graph API. OTJ uses 2-legged OAuth to authenticate to Office 365 without the need of a service
account. For full details, see Configuring Office 365 using Graph for One-Touch Join.
We continue to support existing One-Touch Join deployments for Office 365 that used a service account with application
impersonation to read OTJ calendars. This service account authenticated using OAuth and used the EWS API to access
mailboxes. However, the EWS API is being deprecated by Microsoft, so for new One-Touch Join deployments in Office
365 environments you should instead use the Graph API to provide access to room resource mailboxes. For information
on managing these existing deployments, see Configuring Office 365 using EWS for One-Touch Join.
2. Configuring Pexip Infinity for One-Touch Join
3. Configuring endpoints to support One-Touch Join
4. Viewing One-Touch Join status

For an overview of the process and general deployment and network considerations for One-Touch Join, see One-Touch Join process
and deployment overview.
For a guide for end users, see Scheduling and joining meetings using One-Touch Join.
For help with troubleshooting your One-Touch Join deployment, see Troubleshooting One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 6 of 121

 Pexip One-Touch Join Deployment Guide About One-Touch Join

Supported Google Workspace editions

Pexip One-Touch Join is supported in the following Google Workspace environments:
l Google Workspace Basic
l Google Workspace Business
l Google Workspace Enterprise

Supported Exchange environments

Pexip One-Touch Join is supported in the following Microsoft Exchange environments:

Exchange servers
l Office 365
l Exchange 2013 (with the latest updates)
l Exchange 2016 (with the latest updates)
l Exchange 2019 (with the latest updates)

Outlook clients
Meetings scheduled in all Outlook clients are supported. Note that different third-party Outlook add-ins for different Outlook versions
may format the join details for some meeting types slightly differently.

Supported endpoints
Endpoints used for One-Touch Join must not also be registered to the calendaring service on other systems such as the cloud-based
Webex Hybrid Calendar Service, or Cisco TMS XE.

© 2023 Pexip AS Version 33.a October 2023 Page 7 of 121

 Pexip One-Touch Join Deployment Guide About One-Touch Join

Cisco OBTP
OTJ is supported on Cisco VTC endpoints that support Cisco One Button to Push (OBTP) and are running TC, CE, or RoomOS software.
This includes:
l Cisco Webex Room series (Room, Room Kit)
l Cisco Board series
l Cisco C series (C20, C40, C60, C90)
l Cisco DX series (DX70, DX80)
l Cisco EX series (EX60, EX90)
l Cisco MX series (MX200, MX300, MX700, MX800)
l Cisco SX series (SX10, SX20, SX80)
l Webex Desk Series (Webex Desk, Webex Desk Pro, Webex Desk Mini)

There are two ways in which One-Touch Join can be implemented for these endpoints, depending on whether or not the endpoint is on
the same network as the OTJ Conferencing Nodes.
l If the endpoint is on the same network as the OTJ Conferencing Node, the Conferencing Node will connect directly to the endpoint
to provide it with the necessary meeting information. When setting up these endpoints in Pexip Infinity, you assign them an
Endpoint type of Cisco OBTP.
For more information on how to configure these endpoints, see Configuring Cisco OBTP endpoints for OTJ.
l If the endpoint is not on the same network as the OTJ Conferencing Node (for example if it is located in a home office) but is
registered to Webex or Webex Edge for Devices, the Conferencing Node will connect to Webex Cloud, which will in turn connect
to the endpoint to provide it with the necessary meeting information. When setting up these endpoints in Pexip Infinity, you
assign them an Endpoint type of Webex Cloud registered.
For more information on how to configure these endpoints, see Configuring Cisco Webex Cloud registered endpoints.

Poly OTD
OTJ is supported on Poly VTC endpoints that support Poly One Touch Dial (OTD). This includes:
l Poly RealPresence Group series v5.0.0 or later
l Poly Trio series
l Poly HDX series (unless Pexip Infinity has been deployed in a secure mode of operation - for more information, see Poly
authentication); must be running a software version that supports NTLMv2 for calendaring, e.g. 3.1.11 or later
l Poly Studio X series
l Poly G7500 series
l Poly Debut series

For information on how to configure these endpoints to support Pexip One-Touch Join, see Configuring Poly OTD endpoints for OTJ.

© 2023 Pexip AS Version 33.a October 2023 Page 8 of 121

 Pexip One-Touch Join Deployment Guide About One-Touch Join

Supported meeting types

This release of Pexip One-Touch Join can be used to join the following types of meetings:
l Pexip Infinity meetings (i.e. those scheduled using the VMR Scheduling for Exchange feature)
l Pexip Service meetings (i.e. those scheduled using the plugin available to Pexip Service users)
l Google Meet (for Google Workspace integrations only)
l Microsoft Teams
l Skype for Business
l Webex
l Zoom
l BlueJeans
l GoToMeeting

You can also create your own meeting processing rules for meeting types not listed above. For more information, see One-Touch Join
meeting types and transforms.

Supported number of endpoints and Conferencing Nodes

The One-Touch Join feature will support up to 4,000 room resource calendars and associated endpoints. This applies to One-Touch Join
both when integrated with a Pexip Infinity deployment (i.e. when running on Conferencing Nodes alongside other Pexip Infinity
services), and as a deployment dedicated to One-Touch Join.
For integrated One-Touch Join deployments (i.e. where OTJ is being implemented as a feature within a wider Pexip Infinity
deployment), we recommend at least one Conferencing Node for every 1,000 endpoints in a location (although you may wish to
include one or more additional Conferencing Nodes for redundancy). For large or busy deployments, you may need to add additional
Conferencing Nodes per location to provide the additional capacity required when One-Touch Join is implemented — we recommend
that you consult your Pexip authorized support representative for advice on your particular deployment.
For dedicated One-Touch Join deployments of all sizes (i.e. up to the supported 4,000 room resource calendars and associated
endpoints), a minimal Pexip Infinity deployment of 1 Management Node and 1 Conferencing Node should suffice. However, we
recommend adding additional Conferencing Nodes for redundancy.

Pexip Infinity server requirements

In most cases you will be enabling One-Touch Join within a new or existing Pexip Infinity deployment, and the One-Touch Join service
can be run alongside other Pexip Infinity services on each Conferencing Node. Enabling One-Touch Join within most Pexip Infinity
deployments (see Supported number of endpoints and Conferencing Nodes) will not significantly increase the processing requirements
of the Management Node or Conferencing Nodes, therefore our standard server design guidelines still apply. However, if your
deployment is expected to be particularly large or busy, we recommend that you consult your Pexip authorized support representative
for advice.
For dedicated One-Touch Join deployments, see Minimum hardware requirements.
In both cases, we recommend that each Conferencing Node runs on a different VM host and uses different storage.

© 2023 Pexip AS Version 33.a October 2023 Page 9 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join process and deployment overview

One-Touch Join process and deployment overview

This topic gives an overview of the process used by One-Touch Join to extract calendar information and provide it to endpoints, along
with information on general deployment and network considerations.

Process overview
The general process from setting up One-Touch Join through to having the endpoint display a Join button at the start of a meeting is as
follows:

Administrator configures OTJ

1. The administrator configures their Google Workspace, Exchange on-premises or Office 365 deployment to support Pexip Infinity
One-Touch Join, and ensures that each physical meeting room that contains an endpoint to be used for One-Touch Join has an
associated email address.
2. The administrator then configures One-Touch Join on the Pexip Infinity Management Node. This configuration is automatically
replicated to the One-Touch Join service that runs on each Conferencing Node in the Pexip Infinity deployment.
3. Finally, the administrator configures their endpoints to support One-Touch Join.

End user sends invitation

When an end user wants to use a One-Touch Join room for a meeting, they create a meeting invitation in their usual way, using their
usual client, ensuring that the room resource is added to the invitation.
Generally, rooms are added to a meeting invitation as a room resource, but One-Touch Join also works if the room resource's
email address is included in the list of invitees, or as a location.

OTJ provides endpoint with meeting information

1. Each meeting room resource has one Conferencing Node which will be its primary node. Periodically, One-Touch Join on the
Conferencing Node connects to Google Workspace or Microsoft Exchange and reads the calendars of each room resource for
which it is the primary node. For each room resource, One-Touch Join finds all meetings to which the room has been invited. By
default, it does this for all meetings with a scheduled start time from one day in the past up to seven days in the future, but this
range is configurable.
2. One-Touch Join parses the meeting invitation (in accordance with the relevant meeting processing rule) to obtain information
about the meeting, which it uses to generate the alias that the endpoint will dial in order to join the meeting.
3. One-Touch Join then provides the meeting information to the endpoint that is associated with the room resource:
o for Cisco endpoints, One-Touch Join pushes the meeting information to the endpoint - either directly (for endpoints on the
same network) or via Webex Cloud (for endpoints on a different network)
o for Poly endpoints, the endpoint registers to the OTJ calendaring service on the Conferencing Node and periodically requests
updated meeting information from the Conferencing Node.
More than one endpoint can be associated with a single room resource; in this case, all the endpoints will receive the same
meeting information.
4. When the meeting is about to start, the endpoint displays a Join button; participants in the room simply click the button and the
endpoint dials in to the meeting.

The flow of information between the calendar/email service, One-Touch Join and the endpoint is shown in the following diagram (using
Google Workspace and a Cisco endpoint as the example):

© 2023 Pexip AS Version 33.a October 2023 Page 10 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join process and deployment overview

Frequency of and limitations on calendar requests

The length of time taken for a meeting booked via Exchange or Google calendar to appear on the corresponding room endpoint
depends on a number of factors, but is largely due to the number of endpoints in your deployment.
In general, for deployments of around 170 endpoints or fewer, the One-Touch Join service will poll room resource calendars with a
maximum frequency of every 30 seconds. (It does not poll any more frequently than this to avoid impacting the performance of
Conferencing Nodes.)
l Cisco endpoints are updated after each poll if a meeting change is detected, and meetings are re-pushed to Cisco endpoints once
per hour.
l Poly endpoints generally connect to the Conferencing Node to get updates every minute, but this depends on the Poly
configuration.

As you add more endpoints, One-Touch Join reduces the frequency of requests correspondingly. For a deployment of 4,000 endpoints
(the maximum supported number), endpoints are updated around every 12 minutes. This is because both Microsoft Exchange and
Google limit the number of API requests that can be made to their calendar services in a 24-hour period.

Changing the request quota

You can change the 24-hour quota to increase the frequency of endpoint updates in larger deployments, but note that doing so may
impact the performance of the Conferencing Nodes, so we do not generally recommend doing so unless:
l you have deployed a dedicated One-Touch Join platform or system locations, and
l you are using the Office 365 Graph API

— in which case you could increase the quota to between 4,000,000 - 8,000,000. However, we recommend you discuss larger
deployments with your Pexip authorized support representative.
To increase the 24-hour quota:

© 2023 Pexip AS Version 33.a October 2023 Page 11 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join process and deployment overview

l For Google Workspace deployments, first request an increase to API limits and then increase the Maximum Google Workspace API
requests, but note that this is a paid-for service.
l For Exchange on-premises and Office 365 EWS API deployments, increase the Find Items Request Quota.
l For Office 365 Graph API deployments, increase the Maximum Graph API requests.

Locations, Conferencing Nodes and redundancy

Conferencing Nodes
All Conferencing Nodes in your deployment are capable of running One-Touch Join. However, the service will be in active operation on
only those nodes that belong to a location that has been associated with a OTJ Endpoint Group (and when that Endpoint Group has
been associated with an OTJ profile).
Within each such location, a maximum of five Conferencing Nodes will actively read room resource calendars and process meeting
information. Responsibility for each room resource is spread across these nodes in order to balance the workload and provide
redundancy. Should one node become unavailable (for example, if it is put into maintenance mode or loses connectivity), the other
nodes take over responsibility for its room resources.
However, if there are one or more Poly endpoints in the location, the One-Touch Join service on all nodes within the location will
handle requests from Poly endpoints. Therefore round-robin DNS records are required for all nodes in a location that has Poly
endpoints.
You can use existing system locations for One-Touch Join, in which case up to five Conferencing Nodes in that location will be actively
operating One-Touch Join in addition to their core functions. Alternatively, you can set up system locations that will be used specifically
for One-Touch Join. These can be in the same physical locations as your existing Conferencing Nodes, but their resources will be
dedicated to One-Touch Join.
The concept of media overflow locations does not apply to One-Touch Join (overflow locations relate specifically to the handling of call
media). Therefore if you want to provide redundancy, this can only be done by providing additional Conferencing Nodes within a given
location. For the same reason, if you put all Conferencing Nodes in a One-Touch Join location into maintenance mode, then none of
the endpoints in the associated Endpoint Groups will receive any updates.

Management Node
As with other Pexip Infinity services, the One-Touch Join service will continue to function if the Management Node goes offline,
although you will not be able to make any changes to the configuration of the service during this time.
For deployments using OAuth, the Management Node periodically refreshes OAuth tokens on behalf of Conferencing Nodes, so
eventually (after some weeks) these nodes may become unable to authenticate with Exchange / Google Workspace.

Network architecture, firewalls and web proxy

Conferencing Nodes
Each Conferencing Node used for One-Touch Join requires a persistent connection to one of Google Workspace, on-premises Microsoft
Exchange server; Office 365; or the Microsoft Graph API (depending on the calendar service you are integrating with), either directly or
via a web proxy*.
If you are using OAuth (i.e. you are using an OTJ Google Workspace Integration, an OTJ Graph Integration, or an OTJ Exchange
integration with OAuth enabled), each Conferencing Node must be able to reach the OAuth token endpoint, either directly or via a web
proxy*.
Each Conferencing Node must be able to access the Cisco One-Touch Join endpoints within its location (using the endpoints' APIs),
either directly or via a web proxy*.
If you have Webex-registered endpoints, each Conferencing Node must be able to access the Webex OAuth token endpoint, and
Webex cloud.
Poly endpoints must be able to connect directly to the Conferencing Nodes in their location.

© 2023 Pexip AS Version 33.a October 2023 Page 12 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join process and deployment overview

* Web proxies are enabled on a system location basis. When enabled, all One-Touch Join-related outbound requests from
Conferencing Nodes in that location will use the web proxy. You can bypass use of the web proxy for connections to endpoints on the
local network, or for EWS connections to the Exchange server; for further information, please contact your Pexip authorized support
representative.

Management Node
As with all Pexip Infinity deployments, the Management Node must be able to contact each Conferencing Node.
In addition, if your One-Touch Join deployment is using OAuth (within an Exchange integration, a Google Workspace integration with
domain user authorization, or where your deployment includes Webex-registered endpoints on a different network to your
Conferencing Nodes), the Management Node will send requests to the OAuth token endpoint, both during the initial set up, and
periodically thereafter in order to refresh the OAuth tokens. These requests are sent either directly or via the web proxy (if one has
been configured for the Management Node).

Port usage
The following table lists the ports/protocols required for communication between the components of Pexip One-Touch Join:

Source address Source Destination address Dest. Protocol

port port

Management 55000– Web proxy (if configured for the Management Node) 8080 † TCP
Node 65535

Management 55000– OAuth token endpoint (for Exchange integrations connecting to O365 using 443 † TCP (HTTPS)
Node 65535 OAuth for the service account; or Google Workspace integrations; or
Webex-registered endpoints) ◊
l for Exchange/O365 service account authorization:
login.microsoftonline.com
l for Google Workspace domain user authorization:
oauth2.googleapis.com/token
l for Webex-registered endpoints: webexapis.com

Conferencing 55000– Web proxy (if configured for the system location to which the Conferencing 8080 † TCP
Node 65535 Node belongs)

Conferencing 55000– graph.microsoft.com (for O365 Graph Integrations) ◊ 443 † TCP (HTTPS)
Node 65535

Conferencing 55000– Exchange on-premises or Office 365 (for Exchange Integrations or O365 443 †‡ TCP (HTTPS)
Node 65535 EWS Integrations) ◊

Conferencing 55000– Exchange Server (only required if the O365 Autodiscover URL lookup has 80† TCP (HTTP)
Node 65535 otherwise failed) ◊

Conferencing 55000– OAuth token endpoint (for Exchange Integrations connecting to O365, or 443 † TCP (HTTPS)
Node 65535 O365 Graph Integrations, or Google Workspace integrations, or Webex-
registered endpoints) ◊
l for O365: login.microsoftonline.com
l for Google Workspace service account authorization:
googleapis.com/oauth2/v4/token
l for Google Workspace domain user authorization:
oauth2.googleapis.com/token
l for Webex-registered endpoints: webexapis.com

Conferencing 55000– googleapis.com (for Google Workspace Integrations) ◊ 443 TCP (HTTPS)
Node 65535

© 2023 Pexip AS Version 33.a October 2023 Page 13 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join process and deployment overview

Source address Source Destination address Dest. Protocol

port port

Conferencing 55000– Cisco endpoint API ◊ 80/443 † TCP

Node 65535 (HTTP/HTTPS)

Conferencing 55000– Webex cloud: webexapis.com ◊ 443 TCP (HTTPS)

Node 65535

Poly endpoint <any> Conferencing Node 443 TCP (HTTPS)

† Configurable by the administrator.

‡ Determined by Exchange.

◊ Does not apply if a web proxy has been configured.

Note also that the ephemeral port range (55000–65535) is subject to change.

The diagram below summarizes the connectivity required between the components of Pexip One-Touch Join, using Microsoft Exchange
as an example.

Note in most cases, and particularly for a dedicated One-Touch Join deployment, all Conferencing Nodes should remain within the
internal network, and not in the DMZ.

Permitting the service account to access calendars

Exchange integrations
For Exchange on-premises integrations, the One-Touch Join service account must be able to impersonate the calendar of each OTJ
room resource (or a user's personal calendar, if you wish to Use OTJ with personal endpoints and calendars). This is achieved by adding
the email address to a specific OTJ Distribution Group, and giving the service account application impersonation rights to that group.
For instructions on how to do this, see Configuring Application Impersonation on the service account.

© 2023 Pexip AS Version 33.a October 2023 Page 14 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join process and deployment overview

Existing Office 365 One-Touch Join deployments that were set up to use the EWS API also use application impersonation; see
Configuring Application Impersonation on the service account. However, the EWS API is being deprecated by Microsoft, so for new
One-Touch Join deployments in Office 365 environments you should instead use the Graph API to provide access to room resource
mailboxes.
The use of Exchange impersonation is common in business applications that work with mail, when a single account needs to access
many accounts.
The following information from Microsoft provides further background on the use of impersonation in Exchange:
l Impersonation and EWS in Exchange for guidelines on when to use impersonation in your Exchange service applications.
l Exchange Impersonation vs. Delegate Access for information on the differences between impersonation and delegate access.

Google Workspace integrations

For Google Workspace integrations, the OTJ service account (or the authentication user, if using 3-legged OAuth) must be able to
access the calendar of each room resource. This is achieved by sharing the room resource's calendar (or the user's personal calendar, if
you plan to use OTJ with personal endpoints and calendars — see below) with the service account. For instructions on how to do this,
see Sharing individual calendars with the service account.
Note that the Google calendar API limits the number of calendars that can be shared within a 24 hour period to 750 (for more
information, see this Google article). This means that if you have more than 750 room resources that you wish to use for OTJ, they will
need to be set up over a period of days.

Using One-Touch Join with personal endpoints and calendars

Some users in your enterprise may have their own personal endpoints on their desk or in their office, which they want to integrate
with their personal calendars so that they can simply use the "Join" button to connect to any video meetings that appear in their
calendar.
To achieve this, you use the user's own email address as the room resource email address when configuring OTJ. You must also ensure
that the OTJ service can access the user's calendar. In Exchange environments this is achieved by adding the personal email address to
the distribution group used for OTJ; in Google Workspace environments the calendar must be shared with the service account.

© 2023 Pexip AS Version 33.a October 2023 Page 15 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

Configuring Exchange on-premises for One-Touch Join

This topic describes how to implement Pexip Infinity's One-Touch Join feature in a Microsoft Exchange on-premises environment, by
using a service account authenticated using basic authentication to enable the One-Touch Join service to access calendars used for OTJ.
The process involves the following steps, described in detail in the sections that follow:

1. Creating a service account for One-Touch Join. This service account will be used by One-Touch Join to read each room resource's
calendar.
This should be a different service account to that used for VMR Scheduling for Exchange, because the configuration will be
different.
2. Configuring Application Impersonation on the service account.
For more information and guidelines on the use of application impersonation in Exchange, see Permitting the service account
to access calendars.
3. Enabling the authentication method used for the service account — either NTLMv2 or basic authentication.
4. Configuring calendar processing within Exchange.
5. Creating an associated Exchange integration on Pexip Infinity.

Prerequisites
Before you begin, ensure that the following configuration is complete:

1. Ensure each physical room that will have a One-Touch Join endpoint in it has an associated room resource with an email address.
2. Enable auto calendar processing for each room resource, so that the room will automatically accept meeting requests if it is
available, and automatically decline an invitation if it is already booked.
3. We recommend that if you are using Safe Links, you modify your Safe Links policy so that URLs are not rewritten in any meeting
invitations sent to room resources used by One-Touch Join endpoints.
4. Ensure you have access to your Exchange Admin Center (EAC) web interface, and access to Exchange Management PowerShell.
5. If your Exchange server does not use a globally trusted certificate, you must upload a custom CA certificate.

Creating a service account

In this step, you create a service account that will be used to log in to Exchange to access the calendars of the room resources being
used for One-Touch Join.
This service account should only be used with One-Touch Join. However, you can use the same Exchange service account for multiple
One-Touch Join integrations.
You can create a new service account using either EAC or PowerShell, as follows:

© 2023 Pexip AS Version 33.a October 2023 Page 16 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

EAC PowerShell

1. Log in to your Exchange Admin Center as an administrator and The first command lets the administrator type in a password for
go to recipients > mailboxes. the service account as a secure string. This password variable is
2. Add a new mailbox for the service account by selecting the + then used in the second command to create a mailbox for the
icon and then User mailbox. service account. The third command ensures the password of
the service account will not expire.
3. Complete the fields as appropriate.
$password = Read-Host "Enter password" -AsSecureString
4. Uncheck the Require password change on next logon box.
New-Mailbox -Name "<Account Name>" -UserPrincipalName "<UPN>" -
Password $password -Alias "<Account Alias>" -FirstName "<Account
First Name>" -LastName "<Account Last Name>" -DisplayName "<Account
Name>"

Set-ADUser -Identity "<UPN>" -PasswordNeverExpires $true

For example:
New-Mailbox -Name "Pexip OTJ Service Account" -UserPrincipalName
pexip-otj-svc@example.com -Password $password -Alias pexip-otj-svc
-FirstName "Pexip OTJ" -LastName "Service Account" -DisplayName
"Pexip OTJ Service Account"

Set-ADUser -Identity pexip-otj-svc@example.com -

PasswordNeverExpires $true

5. Select Save.

Configuring Application Impersonation on the service account

In this step, you create a new Distribution Group, and add the rooms to be used for One-Touch Join to the group. You then use
PowerShell commands to make it so that the service account will only be able to impersonate members of that Group.
Configuring Application Impersonation in this way means that if rooms are added or removed from the group, this automatically
updates whether or not the service account can impersonate them.

Creating a new Distribution Group

1. Log in to your Exchange Admin Center as an administrator and go to recipients > groups.
2. Select the + icon and select add a new Distribution Group.
3. Add the rooms you want to impersonate to the group.

© 2023 Pexip AS Version 33.a October 2023 Page 17 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

Note that the service account should not be added as a member of this distribution group. Instead, this step allows the service
account to impersonate any member of this distribution group (i.e. any of the room resources).
4. Make sure to uncheck the option to make the group owner a group member. Otherwise the service account will be able to
impersonate your account.
5. Also make sure to lock the group down so people cannot accidentally add themselves as group members. Do this by selecting
Closed: Members can be added / removed only by the group owners.

Configuring application impersonation

We recommend that you use combined PowerShell commands to configure application impersonation for the service account. This
allows you to use variables, thus reducing possible copy and paste errors.

1. Configure the following variables with the values you actually want to use:
o otj_group_id: the email of the distribution list whose members you want to be impersonated.
o otj_service_account: the email of the service account you want to grant impersonation to.
o management_scope_to_create: the name you want the newly created management scope to have.
o impersonation_role_name_to_create: the name you want the newly created impersonation role to have.
For example:
$otj_group_id = "otjrooms@example.com"
$otj_service_account = "pexip-otj-svc@example.com"
$management_scope_to_create = "OTJ Management Scope"
$impersonation_role_name_to_create = "OTJ Impersonation"

2. Create the management scope:

$otj_group = Get-DistributionGroup -Identity $otj_group_id
$otj_group_dn = $otj_group.DistinguishedName
$restriction_filter = "MemberOfGroup -eq ""$otj_group_dn"""
New-ManagementScope -Name $management_scope_to_create -RecipientRestrictionFilter $restriction_filter

Example output:
Name ScopeRestrictionType Exclusive RecipientRoot RecipientFilter
---- -------------------- --------- ------------- ---------------
OTJ Management Scope RecipientScope False MemberOfGroup -eq 'CN=OTJ Rooms2111430164340,OU...

3. Set up application impersonation using the previously created management scope:

New-ManagementRoleAssignment -Name $impersonation_role_name_to_create -Role ApplicationImpersonation -User $otj_service_
account -CustomRecipientWriteScope $management_scope_to_create

Example output:
Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
---- ---- ---------------- ---------------- ---------------- ----------------
OTJ Impersonation ApplicationImp... pexip-otj-svc User Direct

4. Verify that the above commands worked as expected. In the following command, replace <resource_email> with the email of the
room resource mailbox you want to test. If it is a room which is a member of the distribution list, it should show the OTJ
Impersonation in the returned roles. If it is anything else outside of the distribution list, it should not have the OTJ Impersonation
listed, which means the OTJ service account does not have permission to impersonate that user.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -WritableRecipient "<resource_email>" | Format-List Name, Role,
RoleAssignee, CustomRecipientWriteScope

Expected output:
Name : OTJ Impersonation
Role : ApplicationImpersonation
RoleAssignee : pexip-otj-svc

Enabling authentication
In this step you enable your Exchange on-premises deployment to support your chosen authentication method for the service account.
One-Touch Join uses basic authentication by default, but you can elect to use NTLMv2 authentication instead.
For both forms of authentication, Pexip Infinity stores the credentials in encrypted form and all authentication is carried out over a
secure TLS channel.

© 2023 Pexip AS Version 33.a October 2023 Page 18 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

NTLMv2 authentication
In most on-premises Exchange deployments, NTLMv2 authentication is enabled by default. To confirm that it has been enabled in your
environment:

1. Open Server Manager and select the server on which Exchange is installed.
2. From the top right options select Tools > Local Security Policy.
3. On the tree on the left, expand Local Policies then select Security Options.
4. Scroll down to Network security: Restrict NTLM: Incoming NTLM traffic.
5. Ensure this is either left to the default value of Not Defined, or set to Allow All.

Basic authentication
If you are using basic authentication with on-prem Exchange you need to ensure it is enabled for both Autodiscover and Exchange Web
Services (EWS).
You can do this using either Windows Service Manager or PowerShell, as follows:

Windows Service Manager PowerShell

To enable basic authentication for Autodiscover: This command enables basic authentication for Autodiscover on a
1. Go to the Windows server on which Exchange is installed and specific server:
open the Service Manager. Set-AutodiscoverVirtualDirectory -Identity "<server>\Autodiscover
(Default Web Site)" -BasicAuthentication $true
2. Select the server on which Exchange is installed, and right-click
For example, if your server name is PEXCHANGE then:
to select Computer Management.
Set-AutodiscoverVirtualDirectory -Identity "PEXCHANGE\Autodiscover
3. From the panel on the left, select Services and Applications > (Default Web Site)" -BasicAuthentication $true
Internet Information Services (IIS) Manager.
4. Expand the options and select Sites > Default Web Site >
Autodiscover.
5. Select the Authentication button in the main pane.
6. Find Basic Authentication in the list and ensure it is Enabled. (If
not, right-click and select Enable.)
7. Select Save.

To enable basic authentication for EWS: This command enables basic authentication for EWS on a specific
1. Go to the Windows server on which Exchange is installed and server:
open the Service Manager. Set-WebServicesVirtualDirectory -Identity "<server>\EWS (Default
Web Site)" -BasicAuthentication $true
2. Select the server on which Exchange is installed, and right-click
For example, if your server name is PEXCHANGE then:
to select Computer Management.
Set-WebServicesVirtualDirectory -Identity "PEXCHANGE\EWS (Default
3. From the panel on the left, select Services and Applications > Web Site)" -BasicAuthentication $true
Internet Information Services (IIS) Manager.
4. Expand the options and select Sites > Default Web Site > EWS.
5. Select the Authentication button in the main pane.
6. Find Basic Authentication in the list and ensure it is Enabled. (If
not, right-click and select Enable.)
7. Select Save.

Configuring calendar processing on room resource mailboxes

In this step, you change the calendar processing settings for room resources from the default to those required to support One-Touch
Join.

© 2023 Pexip AS Version 33.a October 2023 Page 19 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

Recommended configuration
To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you
change the following calendar processing options from the default:

1. The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must
set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar
headers can be used (because the body will be deleted).
2. When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name
of the organizer (for more information, see https://support.microsoft.com/en-gb/help/2842288/resource-mailbox-s-calendar-
shows-the-organizer-s-name-instead-of-the).
Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have
access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar
processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room
endpoints.
3. The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as
private in the room mailbox, you must set the RemovePrivateProperty flag to False.
4. Room resources created using PowerShell commands may by default have AutomateProcessing set to AutoUpdate. In these cases
it should be changed to AutoAccept.
5. When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your
organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a
response from a room that may not have been included in their original invitation, you can configure additional text that is sent to
the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.

PowerShell command
To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to
Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room
resource whose processing you want to change):

Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -

RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the
meeting from this room using Pexip One Touch Join."

Optional configuration
Hiding invitation details from other users
In order for One-Touch Join to function fully, the service account must be able to access the body of the invitation (which is why we
recommend that you set the DeleteComments property to False). However, this means that all other users in your deployment with
access to the room resource calendar may also be able to view the body of the invitation (depending on your deployment's other
policies). If you want to prevent this, you can use the following PowerShell command to restrict what users can see by default, without
restricting what the service account can access.
In the following command, replace resource_name with the name of the room resource, and replace role with one of the following
roles:
l AvailabilityOnly: users can view the room's availability, but nothing else.
l LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.

Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role

© 2023 Pexip AS Version 33.a October 2023 Page 20 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

Allowing forwarding of external invitations

Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that
the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to
determine what is appropriate in your environment.
l If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the
ProcessExternalMeetingMessages flag to True. Note that this will allow any users external to your organization to invite the
resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users
internal to your organization can forward external invitations to OTJ meeting rooms.

l If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this
may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization
forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that
endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules
include an exception for any URL starting with the domain https://teams.microsoft.com/

Checking calendar processing settings

The following PowerShell command can be used to check calendar processing settings on all of the rooms in the Distribution Group
that was created for One-Touch Join.
We recommend copying and saving this as a file and running it from within PowerShell.

© 2023 Pexip AS Version 33.a October 2023 Page 21 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the Distribution Group used in your
own deployment.

$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()
$process_external = @()
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {

Write-Host "Checking room '$($_.name)'"
$processing = Get-CalendarProcessing -Identity $_.name
$pass = $true
if ($processing.DeleteSubject) {
Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
$deleted_subjects += $_.name
$pass = $false
}
if ($processing.AddOrganizerToSubject) {
Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
$organizer_added += $_.name
$pass = $false
}
if ($processing.DeleteComments) {
Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
$deleted_bodies += $_.name
$pass = $false
}
if ($processing.RemovePrivateProperty) {
Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
$private_flag_reset += $_.name
$pass = $false
}
if ($processing.AutomateProcessing -ne "AutoAccept") {
Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -
ForegroundColor Red
$not_auto_accept += $_.name
$pass = $false
}
# Optional permission for allowing the external invites:
if ($processing.ProcessExternalMeetingMessages) {
Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
$process_external += $_.name
}
if ($pass) {
Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
}
}

Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
if ($deleted_subjects) {
Write-Host $deleted_subjects -Separator ", "
Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
if ($organizer_added) {
Write-Host $organizer_added -Separator ", "
Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
if ($deleted_bodies) {
Write-Host $deleted_bodies -Separator ", "
Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
if ($private_flag_reset) {
Write-Host $private_flag_reset -Separator ", "
Write-Host ""
}

© 2023 Pexip AS Version 33.a October 2023 Page 22 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"

if ($not_auto_accept) {
Write-Host $not_auto_accept -Separator ", "
Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
if ($process_external) {
Write-Host $process_external -Separator ", "
Write-Host ""
}

Adding a One-Touch Join Exchange integration on Pexip Infinity

In this step you log in to the Pexip Infinity Administrator interface and add details of the Exchange deployment you are integrating
with, including details of the service account username and password (based on the configuration you have just set up in Exchange).
From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Exchange Integrations.

Option Description

Name The name of this One-Touch Join Exchange integration.

Description An optional description of this One-Touch Join Exchange integration.

Service account username The username of the service account to be used by the One-Touch Join Exchange integration.

If you are using NTLMv2, this must be in the format name@domain.

Otherwise, the format may be either domain\name or name@domain, depending on your domain.

Enable OAuth Leave this option disabled. (OAuth 2.0 is supported for Exchange in Office 365 only.)

Enable NTLM Enable this option to authenticate the service account using NTLMv2. (This option is only supported for
Exchange on-premises.) Leave this option disabled to authenticate the service account using basic
authentication.

Service account password (Available if OAuth has not been enabled)

The password of the service account to be used by the One-Touch Join Exchange integration.

Advanced options

Find Items Request Quota The number of Find Item requests that can be made by OTJ to your Exchange Server in a 24-hour period.

The default of 1,000,000 should be sufficient for most deployments — for more information, see
Frequency of and limitations on calendar requests.

We do not recommend increasing this quota unless you have deployed a dedicated One-Touch Join
platform, because it will impact the performance of the Conferencing Nodes.

OTJ Exchange Autodiscover URLs

This section is optional and will generally only be required if the Autodiscover URLs in your deployment do not use a standard location.

Name The name of this Exchange Autodiscover URL.

Description An optional description of this Exchange Autodiscover URL.

© 2023 Pexip AS Version 33.a October 2023 Page 23 of 121

 Pexip One-Touch Join Deployment Guide Configuring Exchange on-premises for One-Touch Join

Option Description

Autodiscover URL The URL used to connect to the Autodiscover service on the Exchange deployment.

If you are using Office 365, you may need to enter your autodiscover URL manually, particularly if you are
using a hybrid Exchange deployment. If your OTJ room resources and service account are hosted on O365,
then you should enter https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc as the
Autodiscover URL.

The URL must end in .svc; URLs ending in .xml are not supported.

Next steps
You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity
for One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 24 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

Configuring Office 365 using Graph for One-Touch Join

This topic describes how to implement Pexip Infinity's One-Touch Join feature in a Microsoft Office 365 environment, by configuring
Microsoft Azure and the Exchange Graph API to enable the One-Touch Join service to access calendars used for OTJ.
We continue to support existing One-Touch Join deployments for Office 365 that used a service account with application
impersonation to read OTJ calendars. This service account authenticated using OAuth and used the EWS API to access mailboxes.
However, the EWS API is being deprecated by Microsoft, so for new One-Touch Join deployments in Office 365 environments you
should instead use the Graph API to provide access to room resource mailboxes.
The process involves the following steps, described in detail in the sections that follow:

1. Creating and configuring a new App registration in Azure.

2. Restricting the scope of the App registration.
3. Configuring calendar processing within Exchange.
4. Creating an associated Exchange integration on Pexip Infinity.

Prerequisites
Before you begin, ensure that the following configuration is complete:

1. Ensure each physical room that will have a One-Touch Join endpoint in it has an associated room resource with an email address.
2. Enable auto calendar processing for each room resource, so that the room will automatically accept meeting requests if it is
available, and automatically decline an invitation if it is already booked.
3. We recommend that if you are using Safe Links, you modify your Safe Links policy so that URLs are not rewritten in any meeting
invitations sent to room resources used by One-Touch Join endpoints.
4. Ensure you have access to the Azure portal, using an account that can grant admin consent.
5. Ensure you have admin access to your Office 365 web interface, and access to the Microsoft Exchange Online and Azure Active
Directory Modules for Windows PowerShell. (If you are connecting from your Windows PC for the first time, you may need to
install these modules. See these Microsoft articles about connecting to Exchange online and Microsoft 365 with PowerShell for
more information.)

Creating and configuring a new App registration in Azure

In this step, you create an App registration in Azure for the OTJ service, and grant it permission to read calendars. (In a subsequent step
you will restrict the app to read OTJ calendars only.)

1. Log into the Azure portal at aad.portal.azure.com as an admin user.

2. From the main panel on the left, select Azure Active Directory.
3. Select App Registrations and then New registration:

© 2023 Pexip AS Version 33.a October 2023 Page 25 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

4. In the Register an application panel, enter the following options:

a. Name: this can be anything you wish. In our example we have used Pexip OTJ.
b. Supported account types: select the option most appropriate for your environment. In most cases, the default Accounts in
this organizational directory only can be used.
c. Redirect URI: leave this blank.

5. Select Register.

© 2023 Pexip AS Version 33.a October 2023 Page 26 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

You can now configure your application.

6. From the panel on the left, select API permissions and then Add a permission.
7. Select Microsoft Graph:

8. Select Application Permissions. Scroll down to Calendars, expand it, and select Calendars.Read. Then select Add Permissions:

9. Select Grant admin consent for <your tenant>:

© 2023 Pexip AS Version 33.a October 2023 Page 27 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

Next you need to obtain the client secret.

10. From the panel on the left, select Certificates & secrets and then New client secret.
11. Enter a Description. Under Expires select a duration in accordance with your organization's security policies, and select Add:

12. The new client secret will appear in the list at the bottom of the page. You must copy the Value now, before you navigate away
from the page:

© 2023 Pexip AS Version 33.a October 2023 Page 28 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

You must enter this as the Client secret when adding an O365 Graph integration on Pexip Infinity.
13. Go to the overview page for the App registration you have just created and copy the Application (client) ID:

You must enter this as the Client ID when adding an O365 Graph integration on Pexip Infinity.
14. Select the Endpoints tab and copy the OAuth 2.0 token endpoint (v2) value:

You must enter this as the OAuth 2.0 token endpoint URL when adding an O365 Graph integration on Pexip Infinity.

Restricting the scope of the App registration

© 2023 Pexip AS Version 33.a October 2023 Page 29 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

In this step, you create a group for the room resources to be used for One-Touch Join, and then restrict the App to only read these
calendars.

Creating a Distribution Group

1. Go to admin.microsoft.com and log in as the administrator.
2. From the menu on the left hand side, select Active teams & groups and then Add a group.
3. For the Group Type, select Mail-enabled security. Select Next.
4. Enter a Name and Description. Select Add.
5. Enter a Group email address. Leave the Communication checkbox clear.
Select Next.
6. Select Create Group.
7. Navigate back to Active teams & groups, select the Mail-enabled security tab, and then select the group you have just created.
From the panel on the right, select the Members tab and then View all and manage members.
8. Add as members of the group the resources to be used for One-Touch Join. These will be the only calendars that the OTJ App will
be able to read.

Restricting access
Open up a remote PowerShell connection to Office 365 and import an Exchange session. For example see
https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
Run the following command, using the following values:
l AppId: the Application (client) ID that was generated by Azure when you created the OTJ Graph API application.
l PolicyScopeGroupId: the email of the distribution group containing the One-Touch Join resources.
l Description: a description of the access policy.

For example:
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId otjrooms@pexample.com -AccessRight
RestrictAccess -Description "Restrict this app to members of distribution group otjrooms."

Configuring calendar processing on room resource mailboxes

In this step, you change the calendar processing settings for room resources from the default to those required to support One-Touch
Join.

Recommended configuration
To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you
change the following calendar processing options from the default:

1. The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must
set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar
headers can be used (because the body will be deleted).
2. When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name
of the organizer (for more information, see https://support.microsoft.com/en-gb/help/2842288/resource-mailbox-s-calendar-
shows-the-organizer-s-name-instead-of-the).
Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have
access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar
processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room
endpoints.
3. The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as
private in the room mailbox, you must set the RemovePrivateProperty flag to False.

© 2023 Pexip AS Version 33.a October 2023 Page 30 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

4. Room resources created using PowerShell commands may by default have AutomateProcessing set to AutoUpdate. In these cases
it should be changed to AutoAccept.
5. When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your
organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a
response from a room that may not have been included in their original invitation, you can configure additional text that is sent to
the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.

PowerShell command
To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to
Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room
resource whose processing you want to change):

Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -

RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the
meeting from this room using Pexip One Touch Join."

Optional configuration
Hiding invitation details from other users
In order for One-Touch Join to function fully, the service account must be able to access the body of the invitation (which is why we
recommend that you set the DeleteComments property to False). However, this means that all other users in your deployment with
access to the room resource calendar may also be able to view the body of the invitation (depending on your deployment's other
policies). If you want to prevent this, you can use the following PowerShell command to restrict what users can see by default, without
restricting what the service account can access.
In the following command, replace resource_name with the name of the room resource, and replace role with one of the following
roles:
l AvailabilityOnly: users can view the room's availability, but nothing else.
l LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.

Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role

Allowing forwarding of external invitations

Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that
the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to
determine what is appropriate in your environment.
l If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the
ProcessExternalMeetingMessages flag to True. Note that this will allow any users external to your organization to invite the
resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users
internal to your organization can forward external invitations to OTJ meeting rooms.

© 2023 Pexip AS Version 33.a October 2023 Page 31 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

l If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this
may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization
forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that
endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules
include an exception for any URL starting with the domain https://teams.microsoft.com/

Checking calendar processing settings

The following PowerShell command can be used to check calendar processing settings on all of the rooms in the Distribution Group
that was created for One-Touch Join.
We recommend copying and saving this as a file and running it from within PowerShell.
Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the Distribution Group used in your
own deployment.

$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()

© 2023 Pexip AS Version 33.a October 2023 Page 32 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

$process_external = @()
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {

Write-Host "Checking room '$($_.name)'"
$processing = Get-CalendarProcessing -Identity $_.name
$pass = $true
if ($processing.DeleteSubject) {
Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
$deleted_subjects += $_.name
$pass = $false
}
if ($processing.AddOrganizerToSubject) {
Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
$organizer_added += $_.name
$pass = $false
}
if ($processing.DeleteComments) {
Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
$deleted_bodies += $_.name
$pass = $false
}
if ($processing.RemovePrivateProperty) {
Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
$private_flag_reset += $_.name
$pass = $false
}
if ($processing.AutomateProcessing -ne "AutoAccept") {
Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -
ForegroundColor Red
$not_auto_accept += $_.name
$pass = $false
}
# Optional permission for allowing the external invites:
if ($processing.ProcessExternalMeetingMessages) {
Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
$process_external += $_.name
}
if ($pass) {
Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
}
}

Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
if ($deleted_subjects) {
Write-Host $deleted_subjects -Separator ", "
Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
if ($organizer_added) {
Write-Host $organizer_added -Separator ", "
Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
if ($deleted_bodies) {
Write-Host $deleted_bodies -Separator ", "
Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
if ($private_flag_reset) {
Write-Host $private_flag_reset -Separator ", "
Write-Host ""
}
Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"
if ($not_auto_accept) {
Write-Host $not_auto_accept -Separator ", "
Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
if ($process_external) {
Write-Host $process_external -Separator ", "
Write-Host ""
}

© 2023 Pexip AS Version 33.a October 2023 Page 33 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using Graph for One-Touch Join

Adding a One-Touch Join O365 Graph integration on Pexip Infinity

In this step you log in to the Pexip Infinity Administrator interface and add details of the Graph API application you have just
configured.

Configuring the O365 Graph integration

From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Graph Integrations.

Option Description

Name The name of this One-Touch Join O365 Graph integration.

Description An optional description of this One-Touch Join O365 Graph integration.

Client ID The Application (client) ID which was generated by Azure when you created the OTJ Graph API application
(see Creating and configuring a new App registration in Azure).

This is available in Azure under App Registrations, by selecting the application and viewing the
Essentials section.

Client secret The client secret of the OTJ Graph API application.

If you didn't copy this at the time the registration was created, you'll need to generate a new one.

OAuth 2.0 token endpoint URL The URL of the OAuth 2.0 (v2) token endpoint for this OTJ Graph API application.

This is available in Azure under App Registrations, by selecting the application and then selecting the
Endpoints tab.

Advanced options

Maximum Graph API requests The maximum number of API requests that can be made by OTJ to the Microsoft Graph API in a 24-hour
period.

The default of 1,000,000 should be sufficient for most deployments — for more information, see
Frequency of and limitations on calendar requests.

We do not recommend increasing this quota unless you have deployed a dedicated One-Touch Join
platform, because it will impact the performance of the Conferencing Nodes.

Graph API FQDN The FQDN to use when connecting to the Graph API.

Next steps
You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity
for One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 34 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Configuring Office 365 using EWS for One-Touch Join

This topic describes how to implement Pexip Infinity's One-Touch Join feature in a Microsoft Office 365 environment, by using a service
account authenticated using OAuth and the EWS API to enable the One-Touch Join service to access calendars used for OTJ.
The EWS API is being deprecated by Microsoft, so for new One-Touch Join deployments in Office 365 environments you should
instead use the Graph API to provide access to room resource mailboxes. This topic is intended as a reference for existing
deployments.
The process involves the following steps, described in detail in the sections that follow:

1. Creating a service account for One-Touch Join. This service account will be used by One-Touch Join to read each room resource's
calendar.
This should be a different service account to any used for VMR Scheduling for Exchange, because the configuration will be
different.
2. Configuring Application Impersonation on the service account.
For more information and guidelines on the use of application impersonation in Exchange, see Permitting the service account
to access calendars.
3. Configuring calendar processing within Exchange.
4. Enabling OAuth authentication for the service account.
5. Creating an associated Exchange integration on Pexip Infinity.

Prerequisites
Before you begin, ensure that the following configuration is complete:

1. Ensure each physical room that will have a One-Touch Join endpoint in it has an associated room resource with an email address.
2. Enable auto calendar processing for each room resource, so that the room will automatically accept meeting requests if it is
available, and automatically decline an invitation if it is already booked.
3. We recommend that if you are using Safe Links, you modify your Safe Links policy so that URLs are not rewritten in any meeting
invitations sent to room resources used by One-Touch Join endpoints.
4. Ensure that you have a Microsoft license available for the service account; this is required for the service account to access
Exchange.
5. Ensure you have admin access to your Office 365 web interface, and access to the Microsoft Exchange Online and Azure Active
Directory Modules for Windows PowerShell. (If you are connecting from your Windows PC for the first time, you may need to
install these modules. See these Microsoft articles about connecting to Exchange online and Microsoft 365 with PowerShell for
more information.)
6. Ensure you have access to your Exchange Admin Center (EAC) web interface, and access to Exchange Management PowerShell.
7. If your Exchange server does not use a globally trusted certificate, you must upload a custom CA certificate.

Creating a service account

In this step, you create a dedicated service account to use to log in to Exchange to access the calendars of the room resources being
used for One-Touch Join. After creating the service account, you must assign it an appropriate Exchange license, such as Office 365
Enterprise E1, Office 365 Business Basic (formerly Essentials) or one of the Exchange Online plans.
This service account should only be used with One-Touch Join. However, you can use the same Exchange service account for multiple
One-Touch Join integrations.
If the service account is subject to a password rotation policy or uses multi-factor authentication (MFA), then each time the password
changes or the MFA is refreshed, you must sign in to the service account again via the Pexip Infinity Administrator interface.
You can create a new service account using either the Office 365 admin portal or PowerShell, as follows:

© 2023 Pexip AS Version 33.a October 2023 Page 35 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

O365 PowerShell

1. Go to portal.office.com and log in as the administrator. You must run Powershell as administrator.
2. Go to the admin portal by selecting the Admin tile (this takes Establishing a remote connection
you to
https://portal.office.com/adminportal/home#/homepage). To use PowerShell for Office 365 you first need to connect remotely.
These commands install the required PowerShell modules (if they are
3. From the Users section, select Add a user and complete the
not already installed) and then connects to Exchange Online:
necessary fields:
#If not installed, install Exchange Online Module
a. In the Password section: Install-Module ExchangeOnlineManagement

n Select Let me create the password. #If not installed, install Azure AD Module
Install-Module -Name AzureAD
n Uncheck Make this user change their password when
they first sign in. #Connect to Exchange Online and AzureAD, works also with a MFA
enabled account
b. In the Product licenses section, assign an appropriate Connect-ExchangeOnline
product license from the available list. Creating the service account

The first command lets the administrator type in a password for the
service account as a secure string. This password variable is then
used in the second command to create a mailbox for the service
account. The remaining commands log you into Azure AD and then
set the password of the service account to never expire.
#Capture password for service account
$password = Read-Host "Enter password" -AsSecureString

# Create service account and mailbox

New-Mailbox -Name "<Account Name>" -MicrosoftOnlineServicesID
"<UPN>" -Password $password -Alias "<Account Alias>" -FirstName
"<Account First Name>" -LastName "<Account Last Name>" -DisplayName
"<Account Name>"

#Connect to AzureAD
Connect-AzureAD

#Set password policy

Set-AzureADUser -ObjectId "<UPN>" -PasswordPolicies
DisablePasswordExpiration

Example New-Mailbox command:

New-Mailbox -Name "Pexip OTJ Service Account" -
MicrosoftOnlineServicesID pexip-otj-svc@example.com -Password
$password -Alias pexip-otj-svc -FirstName "Pexip OTJ" -LastName
"Service Account" -DisplayName "Pexip OTJ Service Account"

Example Set-AzureADUser command:

Set-AzureADUser -ObjectId pexip-otj-svc@example.com -
4. Select Add to create the user.
PasswordPolicies DisablePasswordExpiration

Assigning a license to the service account

You must now assign an appropriate license to the service account.
See https://docs.microsoft.com/en-us/powershell/azure/active-
directory/enabling-licenses-sample for information on how to do
this.

Configuring Application Impersonation on the service account

In this step, you create a new Distribution Group, and add the rooms to be used for One-Touch Join to the group. You then use
PowerShell commands to make it so that the service account will only be able to impersonate members of that Group.
Configuring Application Impersonation in this way means that when a room is added to the group, the service account will
automatically be able to impersonate it. Likewise, when a room is removed, the service account will no longer be able to impersonate
it.

© 2023 Pexip AS Version 33.a October 2023 Page 36 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Creating a new Distribution Group

1. Go to admin.microsoft.com and log in as the administrator.
2. From the menu on the left hand side, select Groups > Add a group.
3. For the Group Type, select Distribution List. Enter a name, email address and description and select Add.
4. Add as members of the Group the rooms to be used for One-Touch Join. These will be the rooms that the service account will
impersonate.
Note that the service account should not be added as a member of this distribution group. Instead, this step allows the service
account to impersonate any member of this distribution group (i.e. any of the room resources).
5. Open up a remote PowerShell connection to Office 365 and import an Exchange session. For example see
https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Configuring application impersonation

We recommend that you use combined PowerShell commands to configure application impersonation for the service account. This
allows you to use variables, thus reducing possible copy and paste errors.

1. You may need to enable customization, if this has not already been done within your organization:
Enable-OrganizationCustomization

2. Configure the following variables with the values you actually want to use:
o otj_group_id: the email of the distribution list whose members you want to be impersonated.
o otj_service_account: the email of the service account you want to grant impersonation to.
o management_scope_to_create: the name you want the newly created management scope to have.
o impersonation_role_name_to_create: the name you want the newly created impersonation role to have.
For example:
$otj_group_id = "otjrooms@example.com"
$otj_service_account = "pexip-otj-svc@example.com"
$management_scope_to_create = "OTJ Management Scope"
$impersonation_role_name_to_create = "OTJ Impersonation"

3. Create the management scope:

$otj_group = Get-DistributionGroup -Identity $otj_group_id
$otj_group_dn = $otj_group.DistinguishedName
$restriction_filter = "MemberOfGroup -eq ""$otj_group_dn"""
New-ManagementScope -Name $management_scope_to_create -RecipientRestrictionFilter $restriction_filter

Example output:
Name ScopeRestrictionType Exclusive RecipientRoot RecipientFilter
---- -------------------- --------- ------------- ---------------
OTJ Management Scope RecipientScope False MemberOfGroup -eq 'CN=OTJ Rooms2111430164340,OU...

4. Set up application impersonation using the previously created management scope:

New-ManagementRoleAssignment -Name $impersonation_role_name_to_create -Role ApplicationImpersonation -User $otj_service_
account -CustomRecipientWriteScope $management_scope_to_create

Example output:
Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
---- ---- ---------------- ---------------- ---------------- ----------------
OTJ Impersonation ApplicationImp... pexip-otj-svc User Direct

5. Verify that the above commands worked as expected. In the following command, replace <resource_email> with the email of the
room resource mailbox you want to test. If it is a room which is a member of the distribution list, it should show the OTJ
Impersonation in the returned roles. If it is anything else outside of the distribution list, it should not have the OTJ Impersonation
listed, which means the OTJ service account does not have permission to impersonate that user.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -WritableRecipient "<resource_email>" | Format-List Name, Role,
RoleAssignee, CustomRecipientWriteScope

Expected output:
Name : OTJ Impersonation
Role : ApplicationImpersonation
RoleAssignee : pexip-otj-svc

© 2023 Pexip AS Version 33.a October 2023 Page 37 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Configuring calendar processing on room resource mailboxes

In this step, you change the calendar processing settings for room resources from the default to those required to support One-Touch
Join.

Recommended configuration
To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you
change the following calendar processing options from the default:

1. The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must
set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar
headers can be used (because the body will be deleted).
2. When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name
of the organizer (for more information, see https://support.microsoft.com/en-gb/help/2842288/resource-mailbox-s-calendar-
shows-the-organizer-s-name-instead-of-the).
Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have
access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar
processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room
endpoints.
3. The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as
private in the room mailbox, you must set the RemovePrivateProperty flag to False.
4. Room resources created using PowerShell commands may by default have AutomateProcessing set to AutoUpdate. In these cases
it should be changed to AutoAccept.
5. When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your
organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a
response from a room that may not have been included in their original invitation, you can configure additional text that is sent to
the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.

PowerShell command
To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to
Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room
resource whose processing you want to change):

Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -

RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the
meeting from this room using Pexip One Touch Join."

Optional configuration
Hiding invitation details from other users
In order for One-Touch Join to function fully, the service account must be able to access the body of the invitation (which is why we
recommend that you set the DeleteComments property to False). However, this means that all other users in your deployment with
access to the room resource calendar may also be able to view the body of the invitation (depending on your deployment's other
policies). If you want to prevent this, you can use the following PowerShell command to restrict what users can see by default, without
restricting what the service account can access.
In the following command, replace resource_name with the name of the room resource, and replace role with one of the following
roles:
l AvailabilityOnly: users can view the room's availability, but nothing else.
l LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.

© 2023 Pexip AS Version 33.a October 2023 Page 38 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role

Allowing forwarding of external invitations

Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that
the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to
determine what is appropriate in your environment.
l If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the
ProcessExternalMeetingMessages flag to True. Note that this will allow any users external to your organization to invite the
resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users
internal to your organization can forward external invitations to OTJ meeting rooms.

l If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this
may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization
forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that
endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules
include an exception for any URL starting with the domain https://teams.microsoft.com/

© 2023 Pexip AS Version 33.a October 2023 Page 39 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Checking calendar processing settings

The following PowerShell command can be used to check calendar processing settings on all of the rooms in the Distribution Group
that was created for One-Touch Join.
We recommend copying and saving this as a file and running it from within PowerShell.
Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the Distribution Group used in your
own deployment.

$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()
$process_external = @()
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {

Write-Host "Checking room '$($_.name)'"
$processing = Get-CalendarProcessing -Identity $_.name
$pass = $true
if ($processing.DeleteSubject) {
Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
$deleted_subjects += $_.name
$pass = $false
}
if ($processing.AddOrganizerToSubject) {
Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
$organizer_added += $_.name
$pass = $false
}
if ($processing.DeleteComments) {
Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
$deleted_bodies += $_.name
$pass = $false
}
if ($processing.RemovePrivateProperty) {
Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
$private_flag_reset += $_.name
$pass = $false
}
if ($processing.AutomateProcessing -ne "AutoAccept") {
Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -
ForegroundColor Red
$not_auto_accept += $_.name
$pass = $false
}
# Optional permission for allowing the external invites:
if ($processing.ProcessExternalMeetingMessages) {
Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
$process_external += $_.name
}
if ($pass) {
Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
}
}

Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
if ($deleted_subjects) {
Write-Host $deleted_subjects -Separator ", "
Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
if ($organizer_added) {
Write-Host $organizer_added -Separator ", "
Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
if ($deleted_bodies) {

© 2023 Pexip AS Version 33.a October 2023 Page 40 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Write-Host $deleted_bodies -Separator ", "

Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
if ($private_flag_reset) {
Write-Host $private_flag_reset -Separator ", "
Write-Host ""
}
Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"
if ($not_auto_accept) {
Write-Host $not_auto_accept -Separator ", "
Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
if ($process_external) {
Write-Host $process_external -Separator ", "
Write-Host ""
}

Enabling OAuth authentication

In this step, you enable OAuth authentication for the service account that One-Touch Join uses to log in to Exchange.
As of October 2022, Microsoft will stop supporting and fully decommission basic authentication for EWS to access Exchange Online (for
more information, see Microsoft's announcement). We therefore strongly recommend that for Office 365, all new deployments
authenticate the service account using OAuth 2.0, and all existing deployments are updated to enable this option as soon as possible.
To use OAuth for the service account, you must create an app registration in Azure and then use the settings from this app registration
when enabling and configuring the OAuth options within the One-Touch Join Exchange integration.

Create a new App Registration in Azure

1. Log into the Azure portal at aad.portal.azure.com.
2. From the main panel on the left, select Azure Active Directory.
3. Select App Registrations and then New registration:

© 2023 Pexip AS Version 33.a October 2023 Page 41 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

4. In the Register an application panel, enter the following options:

a. Name: this can be anything you wish. In our example we have used Pexip OTJ App.
b. Supported account types: select Accounts in this organizational directory only.
c. Redirect URI: from the drop-down menu, select Public client/native (mobile and desktop). The URI must use the IP address
or FQDN of the Management Node, in the format
https://<Management Node Address>/admin/platform/mjxexchangedeployment/oauth_redirect/
In our example we have used https://infinity.example.com/admin/platform/mjxexchangedeployment/oauth_redirect/
You will need to enter this as the OAuth redirect URI when configuring a One-Touch Join Exchange integration.
The OAuth redirect URI is the page on the Administrator interface to which the Pexip Infinity administrator will be
returned after they have successfully signed in to the service account. Because it is a page on the Management Node, this
URI is internal to your deployment and only needs to be accessible from the administrator's web browser; you do not
need to make it externally accessible. This URI must be the same on Azure and Pexip Infinity in order for Azure to validate
the sign-in request.

5. Select Register.
A new panel will open where you can configure your application.
6. From the panel on the left, select API permissions.
7. Select Add a permission.
8. From the Request API permissions panel, select APIs my organization uses, search for Office 365 Exchange Online and select it:

© 2023 Pexip AS Version 33.a October 2023 Page 42 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

9. Select Delegated permissions, and from the Select permissions list, expand EWS and select Access mailboxes as the signed-in
user via Exchange Web Services, and then select Add permissions:

© 2023 Pexip AS Version 33.a October 2023 Page 43 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Taking note of configuration

When you Configure the One-Touch Join Exchange integration and enable OAuth authentication for the service account, you'll need to
provide the following information from Azure:
l Application (client) ID: this was generated for you by Azure when you saved the App Registration:

You can find this again in Azure under Azure Active Directory > App Registrations, under the Application (client) ID column.
You will need to enter this as the OAuth client ID when configuring the One-Touch Join Exchange integration.
l Redirect URI: this is the URI you entered when creating the App Registration.

© 2023 Pexip AS Version 33.a October 2023 Page 44 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

You can find this again in Azure under Azure Active Directory > App Registrations, clicking on the app registration, and then
clicking Redirect URIs.
You will need to enter this as the OAuth redirect URI when configuring the One-Touch Join Exchange integration.

You will also need to know the OAuth Endpoints to use. To find this information:

1. In the Azure Portal, select Overview > Endpoints.

2. Copy the URL of the OAuth 2.0 authorization endpoint (v1).
Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).
You will need to enter this as the OAuth authorization endpoint when configuring the One-Touch Join Exchange integration.
3. Copy the URL of the OAuth 2.0 token endpoint (v1)
Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).
You will need to enter this as the OAuth token endpoint when configuring the One-Touch Join Exchange integration.

Adding a One-Touch Join Exchange integration on Pexip Infinity

In this step you log in to the Pexip Infinity Administrator interface and add details of the Exchange deployment you are integrating
with, including details of the service account and OAuth access (based on the configuration you have just set up in Exchange). You must
then sign in to Exchange using the service account.

Configuring the Exchange integration

From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Exchange Integrations.

Option Description

Name The name of this One-Touch Join Exchange integration.

Description An optional description of this One-Touch Join Exchange integration.

Service account username The username of the service account to be used by the One-Touch Join Exchange integration.

This is usually in the format name@domain.

© 2023 Pexip AS Version 33.a October 2023 Page 45 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Option Description

Enable OAuth Enable this option to authenticate the service account using OAuth 2.0. (This option is only supported for
Exchange in Office 365.)

As of October 2022, Microsoft will stop supporting and fully decommission basic authentication for
EWS to access Exchange Online (for more information, see Microsoft's announcement). We therefore
strongly recommend that for Office 365, all new deployments authenticate the service account using
OAuth 2.0, and all existing deployments are updated to enable this option as soon as possible.

Enable NTLM Leave this option disabled. (NTLM is supported for Exchange on-premises only.)

OAuth client ID (Available if OAuth has been enabled)

The Application (client) ID which was generated by Azure when creating an App Registration in Azure
Active Directory (see Taking note of configuration).

OAuth redirect URI (Available if OAuth has been enabled)

The redirect URI you entered when creating an App Registration in Azure Active Directory.

This must be in the format https://<Management Node

Address>/admin/platform/mjxexchangedeployment/oauth_redirect/

The OAuth redirect URI is the page on the Administrator interface to which the Pexip Infinity administrator
will be returned after they have successfully signed in to the service account. Because it is a page on the
Management Node, this URI is internal to your deployment and only needs to be accessible from the
administrator's web browser; you do not need to make it externally accessible. This URI must be the same
on Azure and Pexip Infinity in order for Azure to validate the sign-in request.

OAuth authorization endpoint (Available if OAuth has been enabled)

The URL of the OAuth authorization endpoint (see Taking note of configuration).

Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).

OAuth token endpoint (Available if OAuth has been enabled)

The URL of the OAuth token endpoint (see Taking note of configuration).

Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).

Advanced options

Find Items Request Quota The number of Find Item requests that can be made by OTJ to your Exchange Server in a 24-hour period.

The default of 1,000,000 should be sufficient for most deployments — for more information, see Frequency
of and limitations on calendar requests.

We do not recommend increasing this quota unless you have deployed a dedicated One-Touch Join
platform, because it will impact the performance of the Conferencing Nodes.

OTJ Exchange Autodiscover URLs

This section is optional and will generally only be required if the Autodiscover URLs in your deployment do not use a standard location.

Name The name of this Exchange Autodiscover URL.

Description An optional description of this Exchange Autodiscover URL.

© 2023 Pexip AS Version 33.a October 2023 Page 46 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

Option Description

Autodiscover URL The URL used to connect to the Autodiscover service on the Exchange deployment.

If you are using Office 365, you may need to enter your autodiscover URL manually, particularly if you are
using a hybrid Exchange deployment. If your OTJ room resources and service account are hosted on O365,
then you should enter https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc as the
Autodiscover URL.

The URL must end in .svc; URLs ending in .xml are not supported.

When you have completed the above fields, select Save. You will be returned to the main OTJ Exchange Integration page. You must
now sign in to the Exchange integration using the service account details you have just created.

Signing in to the service account

If you have enabled OAuth for the first time, you must sign in to the service account after saving the configuration of the One-Touch
Join Exchange integration.
You may also need to re-sign in to the service account if:
l the service account password has changed
l the service account uses multi-factor authentication (MFA) and the MFA is refreshed
l you disable and then subsequently re-enable OAuth
l you update any of the following configuration for the One-Touch Join Exchange integration:
o Service account username
o OAuth client ID
o OAuth token endpoint
l the Management Node has been offline for more than 90 days.

To sign in to the service account:

1. Ensure you have signed out of all Microsoft accounts on your device, including the Microsoft Azure portal.
2. From the Management Node, go to One-touch Join > OTJ Exchange Integrations, select the Exchange integration you have just
created. At the bottom of the Change OTJ Exchange Integration page, select Sign in to service account:

You will be taken to the Sign in to service account page.:

© 2023 Pexip AS Version 33.a October 2023 Page 47 of 121

 Pexip One-Touch Join Deployment Guide Configuring Office 365 using EWS for One-Touch Join

3. Copy the Sign in link and paste it into a new browser tab.
4. Sign in as the service account.
You are asked to permit the OTJ application to sign in as the service account, and to access the mailboxes that the service account
has been granted access to. (The service account will only have access to the mailboxes of the OTJ room resources, if you
completed the steps in Configuring Application Impersonation on the service account.)

If there is an option to Consent on behalf of your organization, do not select this — consent only needs to be given to the
service account.
5. Select Accept.
You are returned to the Management Node.
6. You may be asked to sign in to the Management Node again. If so, you must sign in to the Management Node (using your
Management Node credentials) to complete the process of signing in to the service account.

When complete, you are returned to the Sign in to service account page and see the message Successfully signed in.

Next steps
You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity
for One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 48 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

Configuring Google Workspace for One-Touch Join

This topic describes how to configure Google Workspace in order to implement Pexip Infinity's One-Touch Join feature in a Google
Workspace environment.
The process involves the following steps, described in more detail in the sections that follow:

1. Creating a Service Account to use for One-Touch Join.

2. Creating a room resource for each physical room that will have a One-Touch Join endpoint in it.
3. Configuring the room resource with the necessary permissions and settings to support One-Touch Join.
4. Updating the quota for the number of user requests per 100 seconds.
5. For larger deployments, Requesting an increase to API limits.
6. Adding a One-Touch Join Google Workspace integration on Pexip Infinity.

If you have already set up a One-Touch Join Google Workspace integration and simply wish to add an existing room to it, you need
only configure the room resource in Google Workspace and then add the endpoint to the Google Workspace integration in Pexip
Infinity.
We recommend that you authorize One-Touch Join to access calendar information using a service account, as described in the
following steps. This method (sometimes referred to as two-legged OAuth) offers the easiest setup for One-Touch Join, and is
recommend by Google because it is designed for server-to-server applications (for more information, see
https://developers.google.com/identity/protocols/oauth2/service-account). Alternatively, you may need to use a Google Workspace
domain user for authorization (sometimes refered to as three-legged OAuth); for instructions on how to do this, see Configuring
Google Workspace for domain user authorization.

Prerequisites
In the deployment model described below, the service account will require access to the endpoints' calendars. Google Workspace
service accounts always use the iam.gserviceaccount.com domain rather than your own domain, so you will need to configure Google
Workspace to allow endpoint calendars to be shared externally. This does not in itself allow any external accounts to access the
calendars — each calendar must then also explicitly nominate the accounts with whom it is to be shared.
Some enterprises will require internal approval for this configuration, so you should confirm that it will be permitted within your
deployment. If not, you can consider Configuring Google Workspace for domain user authorization as an alternative.

Creating a service account

In this step, you create a project to use for One-Touch Join. You then create the service account that One-Touch Join will use to access
the room resources' calendars, and generate a private key that One-Touch Join will use to authenticate when signing in to Google
Workspace as the service account.
The service account belongs to the project you have created for OTJ. It can be used for multiple One-Touch JoinGoogle Workspace
integrations.

1. Creating a new project:

a. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).
b. From the top left of the page, select the down arrow:

c. Select New Project.

d. Enter a Project name (e.g. One-Touch Join) and select Create.

© 2023 Pexip AS Version 33.a October 2023 Page 49 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

2. Enabling the Calendar API for the project:

a. Go to https://console.developers.google.com
b. From the top left of the page, select the down arrow, select your newly-created project, and select Open. Your new project
should now be showing at the top left of the page:

c. From the navigation menu on the left of the screen, select APIs & Services > Library, then scroll down and select the Google
Calendar API tile:

d. Select Enable:

3. Creating the service account:

a. Go to https://console.developers.google.com
b. From the navigation menu on the left of the screen, select IAM & Admin > Service Accounts.
c. Select Create Service Account:

d. Enter a name (e.g. One-Touch Join Calendar Reader) and select Create:

© 2023 Pexip AS Version 33.a October 2023 Page 50 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

e. On the next page, which asks about permissions, select Cancel (the account does not need any of these permissions):

4. Generating a key file:

a. From the Service accounts page, select the service account.
Take note of the service account's Email address here - you will need it in later steps:

© 2023 Pexip AS Version 33.a October 2023 Page 51 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

b. From the Service account details page, select Edit, then Create Key:

c. Select a Key type of JSON and select Create:

© 2023 Pexip AS Version 33.a October 2023 Page 52 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

This will download a JSON file containing the private key. This key will be required when Adding a One-Touch JoinGoogle
Workspace integration.

For more information on using OAuth 2.0 to authenticate the service account, see
https://developers.google.com/identity/protocols/OAuth2ServiceAccount.

Creating a room resource

(Required only if your room resources do not already exist - otherwise you can skip this step.)
In this step, you create a room resource in Google Workspace for each physical room that is to be used for One-Touch Join. Google
Workspace will automatically assign an email address to the room.

1. If a building for the room resource does not already exist, create one as follows:
a. Go to https://admin.google.com (logged in as a Google Workspace administrator).
b. Select the Buildings and resources tile, and then from the Resource management section select Open:

From the drop-down along the top left of the screen, select Buildings:

© 2023 Pexip AS Version 33.a October 2023 Page 53 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

c. Select + to Add new building:

d. Enter a Name and the list of Floors, and select Add Building.
2. Create the room resource:
a. Go back to the Resources page and Select + to Add new resource:

© 2023 Pexip AS Version 33.a October 2023 Page 54 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

b. For the Category, select Meeting space (room, phone booth,...).

c. Select the Building and Floor in which the room is located, enter a Name and the room's Capacity, then select Add Resource:

The resource will be created and added to the list. You can click on the new resource to view information about it, such as the email
address it was automatically assigned.
For more information on setting up buildings and other resources in Google Workspace, including how to add buildings and
resource in bulk and using CSV imports, see https://support.google.com/a/answer/1033925.

Configuring the room resource

In these steps, you permit the One-Touch Join service account to access the calendar of each room resource that you want to use for
One-Touch Join, and then set the calendar to auto-accept invitations. We also recommend that you make the calendar available to all
users in your domain in such a way that allows them to book meetings using the resource, without being able to view the details of any
other meetings in the resource's calendar.

Sharing calendars externally

In this step, you configure Google Workspace to permit endpoint calendars within your domain to be shared externally. This
permission is required because the service account uses the external iam.gserviceaccount.com domain and is therefore considered an
"outsider". Granting this permission does not in itself allow any external accounts to access the calendars — each calendar must then
be shared with the service account. For more information, see Prerequisites.
To enable calendars to be shared externally:

1. Go to https://admin.google.com/ (logged in as a Google Workspace administrator) and select Apps > Google Workspace >
Calendar.

© 2023 Pexip AS Version 33.a October 2023 Page 55 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

2. In the Sharing settings section, ensure that External sharing options for primary calendars is set to Share all information, and
outsiders can change calendars:

3. In the General Settings section, under External sharing options for secondary calendars, select Share all information, and
outsiders can change calendars:

Selecting these options to ... and outsiders can change calendars will enable users to use One-Touch Join to join all meetings,
including private meetings. If you will not be using One-Touch Join with private meetings in your deployment, both these options
can be set to ... but outsiders cannot change calendars.

Sharing individual calendars with the service account

Note that the Google calendar API limits the number of calendars that can be shared within a 24 hour period to 750 (for more
information, see this Google article). This means that if you have more than 750 room resources that you wish to use for OTJ, they will
need to be set up over a period of days.
For deployments with more than around 50 rooms, we have developed a Python script that can be used to share your room resource
calendars with the service account, and create a CSV that can be used to import endpoint configuration to One-Touch Join. You must
be familiar with Python in order to use this script; contact your Pexip authorized support representative for more information.
To share calendars with the service account:

© 2023 Pexip AS Version 33.a October 2023 Page 56 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the
calendars).
2. From the left-hand panel, select the + next to Other calendars and then select Browse resources.
3. Expand the sections if necessary, and tick the boxes of all the room resources whose calendars you want to share with the service
account.
This will add the room resources to the Settings for other calendars section in the left-hand panel.
4. For each of the rooms:
a. From the Settings for my calendars section, select the room resource and then select Share with specific people.
b. Select Add people.
c. In the Share with specific people dialog, enter the email address of the One-Touch Join service account. Ensure the
Permissions are set to either:
n Make changes to events (if you want users to be able to use OTJ to join all meetings, including private meetings, from
this endpoint)
n See all event details (if you don't want to offer OTJ for private meetings on this endpoint).
If the option to Make changes to events is grayed out, then check that you have selected the options to Share all
information, and outsiders can change calendars when Sharing calendars externally.
If your deployment includes personal endpoints that are associated with a user's personal calendar, then either you or the
end user will need to ensure that their calendar allows the One-Touch Join service account to Make changes to events if they
wish to use OTJ to join their own private meetings from their endpoint.

For more information on sharing room and resource calendars in Google Workspace, see
https://support.google.com/a/answer/1034381.

Auto-accepting invitations
By default, when creating room resources in Google Workspace, calendar processing is set to Auto-accept invitations that do not
conflict. You must ensure you keep this setting for all room resources, so that the room will automatically accept meeting requests if it
is available, and automatically decline an invitation if it is already booked.
To check this setting:

© 2023 Pexip AS Version 33.a October 2023 Page 57 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the
calendars).
2. From the left-hand panel, select the room resource and select Settings and sharing.
3. In the Auto-accept invitations section, ensure that Auto-accept invitations that do not conflict is selected:

Allowing users to book resources

We recommend that you configure your Google Workspace calendar settings to allow end users to book a room resource without
seeing details of the room's other bookings. To do this, you configure the room resource's calendar so that all users in your domain
have permission to see its free/busy status, without being able to see the invitation details. You then on a global basis permit users to
book resources to which they have free/busy access.
To do this:

1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the
calendars).
2. From the left-hand panel, select the room resource and select Settings and sharing.
3. In the Access permissions section, select Make available for <your domain>, and ensure that See only free/busy (hide details) is
selected:

© 2023 Pexip AS Version 33.a October 2023 Page 58 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

4. Go to admin.google.com (logged in as a Google Workspace administrator).

5. From the left-hand menu, select Apps > Google Workspace > Calendar.
6. Scroll down to General Settings and select Resource Booking Permissions.
7. Ensure that Allow users to book resources that are shared as See only free/busy is set to ON:

Updating the per-user request quota

In this step you increase the limit on the number of queries per 100 seconds per user to the Google Calendar API.

© 2023 Pexip AS Version 33.a October 2023 Page 59 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

The default number of queries per 100 seconds per user is 500. In this context, the "user" is the service account. In deployments with
fewer than around 180 rooms, each room resource calendar is queried every 30 seconds by two conferencing nodes (both using the
same service account), resulting in 5,760 queries per room per day. (In larger deployments, room resource calendars are queried less
frequently.)
We recommend that you increase the number of queries per 100 seconds per user to 10,000 to provide sufficient processing overhead
and room for expansion (there is currently no additional cost to this increase).
To increase this quota to 10,000:

1. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).

2. From the top left of the page, select the project you created for One-Touch Join:

3. From the navigation menu at the top left of the page, select IAM & Admin > Quotas.
4. From the Quotas page, select Edit Quotas and then select Google Calendar API - Queries per 100 seconds per user.
You will be taken to the Google Calendar API > Quotas page.
5. Change Queries per 100 seconds per user to 10,000:

You may also need to request an increase to the number of Queries per day for larger deployments - for more information,
see Requesting an increase to API limits.

Requesting an increase to API limits

This optional step applies to larger deployments only (more than around 170 room resources), and should be performed if you wish to
reduce the amount of time taken for endpoints to be updated with additions or changes to their corresponding room resource
calendar.
The maximum frequency with which an endpoint will be updated with meeting information is every 30 seconds. For deployments with
more than around 170 endpoints, this frequency will decrease in line with the number of endpoints (up to around 20 minutes for
deployments with around 6,000 endpoints). This is due to a limit on the number of Calendar API requests permitted by Google in a 24-
hour period — for more information, see https://developers.google.com/calendar/pricing.
To reduce the time taken to update endpoints in these larger deployments, you can request an increase to the number of Calendar API
requests One-Touch Join can make.

© 2023 Pexip AS Version 33.a October 2023 Page 60 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

When your request has been implemented by Google, you must then increase the Maximum Google Workspace API requests on
Pexip Infinity in order to take advantage of the increase.
To request an increase to the API limits:

1. If you do not already have one, create a Cloud Billing Account (note that this is different from a Google Workspace billing account).
Full instructions are available via https://cloud.google.com/billing/docs/how-to/manage-billing-account#create_a_new_billing_
account.
2. Link the Cloud Billing Account to the project you created when Creating a service account:
a. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).
b. Ensure that the project shown in the top left corner is the one you created for One-Touch Join when Creating a service
account.
c. Select the burger menu from the top left of the page and select Billing. When the following message appears, select Link a
billing account:

d. Select the account to link to:

3. Request an increase to your quota:

a. From the navigation menu at the top left of the page, select IAM & admin > Quotas.
b. From the Quotas page, select Edit Quotas and then select Google Calendar API.
In the panel that appears on the right, enter the New quota limit that you wish to request, and in the Request description
field, enter the reason for requesting the increase:

© 2023 Pexip AS Version 33.a October 2023 Page 61 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

c. Select Submit request.

Quota increase requests typically take two business days to process.

Adding a One-Touch Join Google Workspace integration on Pexip Infinity

In this step you configure Pexip Infinity with details of the Google Workspace deployment configured above, including details of the
service account used to access calendars.
From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Google Workspace Integrations.

Option Description

Name The name of this One-Touch JoinGoogle Workspace integration.

Description An optional description of this One-Touch JoinGoogle Workspace integration.

Account email If you are authorizing using a service account, enter the email address of the service account that One-Touch Join will
use to log in to Google Workspace.

If you are authorizing using a Google Workspace domain user, enter the email address of the user.

Enable user If you are authorizing using a service account — the recommended method — this should be left blank.
authorization
Select this option only if you will be authorizing using a Google Workspace domain user.

Private key (Available when authorizing using a service account, i.e. user consent authorization has not been enabled)

The private key used by One-Touch Join to authenticate the service account when logging in to Google Workspace. For
instructions on how to obtain this, see Generating a key file.

This must include all the text in the file between (and including) -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY--
---

Advanced options

Maximum Google The maximum number of API requests that can be made by One-Touch Join to your Google Workspace Domain in a 24-
Workspace API hour period.
requests
We recommend you set this value to 90% of your total permitted requests. Google's default is 1,000,000 so by default
this is set to 900,000 on Pexip Infinity. If you increase the number of API requests, you should also increase this setting
to 90% of that number.

For more information, see Frequency of and limitations on calendar requests.

Google OAuth 2.0 The URI of the Google OAuth 2.0 endpoint.
endpoint

© 2023 Pexip AS Version 33.a October 2023 Page 62 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for One-Touch Join

Option Description

Google The URI of the Google authorization server.

authorization
server

Next steps
You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity
for One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 63 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Configuring Pexip Infinity for One-Touch Join

This topic describes how to configure Pexip Infinity when enabling the One-Touch Join feature. It covers configuration of the various
Pexip Infinity components, each described in detail in the sections that follow:

1. Adding a One-Touch Join profile

2. Adding One-Touch Join endpoint groups
3. Adding One-Touch Join endpoints
4. Adding One-Touch Join meeting processing rules

The diagram below shows (in blue) the components that are configured on Pexip Infinity and how they are related to each other. It also
shows (in orange) how the Pexip Infinity components are associated with your calendar/email service — in this example we have used
Google Workspace, with support for Google Meet and Pexip Service meeting types:

Prerequisites
Before you start configuring Pexip Infinity, you must first do one of the following, depending on your calendar/email service:
l Configure Google Workspace for One-Touch Join, including Adding a One-Touch Join Google Workspace integration on Pexip
Infinity, or
l Configure Exchange on-premises for One-Touch Join, including Adding a One-Touch Join Exchange integration on Pexip Infinity
l Configure Office 365 for One-Touch Join, including Adding a One-Touch Join Graph integration on Pexip Infinity.

Existing customers may have previously implemented One-Touch Join in a Microsoft Office 365 environment using a service
account authenticated using OAuth and the EWS API. The EWS API is being deprecated by Microsoft, so we do not recommend its
use for new deployments; for existing customers, these deployments are described in Adding a One-Touch Join Exchange
integration on Pexip Infinity.

Adding a One-Touch Join profile

In this step you create a profile that you will use to link together all the components for this particular deployment: the Exchange or
Google Workspace integration, the endpoint groups (and therefore endpoints), and the rules to be used to process meeting invitations.
A single Pexip Infinity One-Touch Join profile is associated with a single integration type — Exchange, Google Workspace, or O365
Graph. However, a One-Touch Join profile can contain a mixture of Cisco and Poly endpoints.
An endpoint group, and therefore an endpoint (and its room resource), can belong to only one One-Touch Join profile. If you do not
assign an endpoint group to a One-Touch Join profile, the endpoints in that group will not be used for One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 64 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

To add a One-Touch Join profile, from the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Profiles.

Option Description

Name The name of this One-Touch Join profile.

Description An optional description of this One-Touch Join profile.

No. of upcoming days The number of days of upcoming One-Touch Join meetings to be shown on endpoints. This will also be the
number of days of future meetings shown on the One-Touch Join Status page.

Enable non-video meetings Enabled: If One-Touch Join has not been able to obtain a video address from the meeting, then the meeting
will still appear on the endpoint as a scheduled meeting, showing the information that was able to be
parsed, but the Join button will not appear.

Disabled: If there is no video address, the available meeting information will not appear on the endpoint.
Note that the meeting will still exist in the room resource's calendar, so conflicting meetings cannot occur.

Enable private meetings Determines whether or not meetings flagged as private are processed by the One-Touch Join service.

Enabled: Private meetings will be processed in the same way as any other meeting.

Disabled: Private meetings are not processed by One-Touch Join, and therefore the meeting information
will not appear on the endpoint. Note that the meeting will still exist in the room resource's calendar, so
conflicting meetings cannot occur.

Note that if this is set to Enabled, you can still prevent private meeting details from being displayed on
individual Poly endpoints by disabling the endpoint's Show Private Meeting Information setting.

Process alias for private (Applies if Enable private meetings has been selected)
meetings
Enabled: For private meetings, the meeting alias will be extracted from the invitation in the usual way.

Disabled: For private meetings, the available meeting information — apart from the meeting alias — will
appear on the endpoint and therefore the Join button will be disabled.

Replace subject Always: For all meetings, the endpoint will display either the text in the Replace subject string (if present)
or the organizer's name, in place of the meeting subject.

Never: For all meetings, including private meetings, the endpoint will display the meeting subject in the
usual way.

Private meetings only: For private meetings, the endpoint will display either the text in the Replace subject
string (if present) or the organizer's name, in place of the meeting subject. For all other meetings, the
endpoint will display the meeting subject in the usual way.

For more information and examples, see Hiding or changing the meeting subject.

Replace subject string (Applies if Replace subject is set to Always or Private meetings only)

A Jinja2 snippet that defines how the subject should be replaced (when this has been enabled). If this field
is left blank, the subject will be replaced with the name of the organizer.

For more information and examples, see Hiding or changing the meeting subject.

Replace empty subject Enabled: For meetings that do not have a subject, the endpoint will display the organizer's name in place of
the subject.

Disabled: For meetings that do not have a subject, the endpoint will display a blank field in place of the
subject.

© 2023 Pexip AS Version 33.a October 2023 Page 65 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Option Description

Exchange integration (Applies if this OTJ profile is for an Exchange on premises integration, or an Office 365 integration that uses
the EWS API)

The Exchange integration used by this One-Touch Join profile.

You should already have created this as part of either Configuring Exchange on-premises for One-Touch
Join or Configuring Office 365 using EWS for One-Touch Join, but you can configure it now by selecting the
green plus symbol to the right of the field.

Google Workspace integration (Applies if this OTJ profile is for a Google Workspace integration)

The Google Workspace integration used by this One-Touch Join profile.

You should have already created this as part of Configuring Google Workspace for One-Touch Join, but you
can configure it now by selecting the green plus symbol to the right of the field.

O365 Graph integration (Applies if this OTJ profile is for an Office 365 integration that uses the Graph API)

The Exchange integration used by this One-Touch Join profile.

You should already have created this as part of Configuring Office 365 using Graph for One-Touch Join, but
you can configure it now by selecting the green plus symbol to the right of the field.

Endpoint Groups The Endpoint Groups used by this One-Touch Join profile.

Cisco OBTP endpoint configuration

Start buffer The number of minutes before a meeting's scheduled start time that the "Join" button on the endpoint will
become enabled for that meeting.

An endpoint can offer more than one "Join" button if there is an overlap between different meetings' start
and end buffers.

End buffer The number of minutes after a meeting's scheduled end time that the "Join" button on the endpoint will
become disabled for that meeting.

Default API username The user name and password used by One-Touch Join to access a Cisco OBTP endpoint's API. The API is
used by the Conferencing Node to configure the endpoint with meeting information. The account being
Default API password
used must have a role of either User or Admin.

The Default API username and password is only used if the configuration for the Cisco OBTP endpoint in
within One-Touch Join does not include an API username and password. A default is offered because some
deployments will have the same username and password for all endpoints.

Verify endpoint certificates by Whether or not to verify the TLS certificate of a Cisco OBTP endpoint by default when accessing its API. Can
default be overridden per endpoint using the endpoint's Verify endpoint API TLS certificate setting.

For more information, see Managing trusted CA certificates.

Use HTTPS for endpoint API Whether or not to use HTTPS by default when accessing a Cisco OBTP endpoint's API. Can be overridden
per endpoint using the endpoint's Use HTTPS setting.

Enabled: Use HTTPS to access an endpoint's API.

Disabled: Use HTTP to access an endpoint's API.

Cisco Webex Cloud configuration

Enable Webex Cloud Select this option to if you have endpoints that are registered to Webex or Webex Edge for devices, and
you want to enable them to use One-Touch Join. Note that you must first create a Webex Integration.

Client ID The Client ID that was generated when you created a Webex Integration.

© 2023 Pexip AS Version 33.a October 2023 Page 66 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Option Description

Client secret The Client Secret that was generated when you created a Webex Integration.

Redirect URI The Redirect URI you entered when you created a Webex Integration. This must point to the IP address or
FQDN of the Management Node, and be in the format https://<Management
Node Address>/admin/platform/mjxintegration/oauth_redirect/

Hiding or changing the meeting subject

In some cases, you may not want the subject of upcoming meetings to be displayed on an endpoint. One-Touch Join allows you to
replace the subject for either all meetings, or only those meetings flagged as private. When replacing the subject, you can elect to
replace it with the name of the meeting organizer, or you can use a Jinja2 snippet to re-write the meeting subject. Note that this
method does not affect the meeting invitation, just what is displayed on the endpoint for that meeting.
Where a meeting subject has been changed or hidden, the original subject is not shown on the Management Node Administrator
interface — it will only display the altered subject.
The Jinja2 snippet used in the Replace subject string has the same access to calendar_event information as the Custom meeting type,
including the meeting subject and organizer's name. For more information on using Jinja2 with Pexip Infinity, see Jinja2 templates and
filters.
Hiding meeting subjects on endpoints is done on a per-profile basis. Therefore, if you want to hide the subject for just some of the
endpoints in your deployment, you should create a separate profile for these endpoints with Replace subject enabled, and then
add the endpoints to an Endpoint Group that you associate with that profile.

Example: Add text after organizer's name for private meetings

In this example we want to replace the meeting subject for all private meetings with the name of the organizer followed by the text 's
meeting
To do this, we set Replace subject to Private meetings only, and enter the following Jijna2 snippet in the Replace subject string field:
{{ calendar_event.organizer_full_name }}'s meeting

Example: add text to meetings with an external organizer

In this example, we want to check the email address of the meeting organizer and, if the organizer is not from our own example.com
domain, prepend the subject of the meeting with the text External:
To do this, we set Replace subject to Always, and enter the following Jijna2 snippet in the Replace subject string field:
{% set domain = pex_regex_search("@([a-z0-9.-]+.com)", calendar_event.organizer_email) %}
{% if domain[0] != "example.com" %}
External: {{ calendar_event.subject }}
{% endif %}

Adding One-Touch Join endpoint groups

In this step you create endpoint groups, and optionally add endpoints to each group. Each endpoint can belong to only one endpoint
group; an endpoint group can contain a mix of Cisco OBTP and Poly OTD endpoints. In general, we recommend that all endpoints in the
same physical location are assigned to one endpoint group.
Each endpoint group is associated with a system location; if there are more than 5 Conferencing Node in one location, only 5 will be
actively running One-Touch Join. This is because each Conferencing Node will be connecting to Exchange, and the messaging overhead
needs to be limited.
From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Endpoint Groups.

© 2023 Pexip AS Version 33.a October 2023 Page 67 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Option Description

Name The name of this One-Touch Join endpoint group.

Description An optional description of this One-Touch Join endpoint group.

System location The system location of the Conferencing Nodes which will provide One-Touch Join services for this
endpoint group.

OTJ profile The One-Touch Join profile to which this endpoint group belongs.

Disable web proxy Select this option to bypass the web proxy (where configured for this system location) when sending
requests to Cisco OBTP endpoints in this this One-Touch Join endpoint group.

Endpoints The endpoints that belong to this One-Touch Join endpoint group.

Adding One-Touch Join endpoints

In this step you add details of the endpoints that will be used for One-Touch Join, and the room resource that each endpoint is
associated with. You can add endpoints individually, or in bulk using a CSV import.
After you have added details of your One-Touch Join endpoints to Pexip Infinity, you will also need to configure the settings on each
endpoint to support One-Touch Join. We recommend that you do this after you have completed the following configuration.
If there are multiple endpoints in a single room, you should associate each endpoint with the same room resource, so that each
endpoint will receive the same meeting details.

Adding endpoints individually

From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Endpoints.

Option Description

Endpoint name The name of this One-Touch Join endpoint.

Description An optional description of this One-Touch Join endpoint.

Endpoint type The type of "click to join" feature supported by this endpoint.

Cisco OBTP: an endpoint that supports Cisco's One Button to Push (OBTP) and is located on the same
network as the OTJ Conferencing Nodes. You should ensure that this endpoint has already been set up in
accordance with Configuring OBTP endpoints on the same network.

Webex Cloud registered: an endpoint that supports Cisco's One Button to Push (OBTP) and is located on a
different network as the OTJ Conferencing Nodes. The endpoint must be registered to Webex or Webex
Edge for Devices. You must also complete the steps described in Configuring Cisco Webex Cloud registered
endpoints.

Poly OTD: an endpoint that supports Poly's One Touch Dial (OTD). You must complete the steps in this
Adding One-Touch Join Endpoints section before you set up your Poly endpoints in accordance with
Configuring Poly OTD endpoints for OTJ.

Configuration options for Cisco OBTP endpoints

Endpoint address The IP address or FQDN of the endpoint's API.

Endpoint API port The port of the endpoint's API.

Default: 443 if HTTPS is used, otherwise 80 for HTTP.

© 2023 Pexip AS Version 33.a October 2023 Page 68 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Option Description

Endpoint API username The user name and password used by One-Touch Join to access a Cisco OBTP endpoint's API. The API is
used by the Conferencing Node to configure the endpoint with meeting information. The account being
Endpoint API password
used must have a role of either User or Admin.

Either both these fields must be configured, or both these fields must be left blank.

If both these fields are left blank, the One-Touch Join profile's Default API username and password will be
used.

Verify endpoint API TLS Whether to enable TLS verification when accessing this endpoint's API. Only applicable if using HTTPS to
certificate access this endpoint's API.

Use OTJ profile default: Use the Verify endpoint certificates by default setting configured for the One-
Touch Join profile that this endpoint is associated with.

On: Enable TLS verification.

Off: Do not use TLS verification.

For more information, see Managing trusted CA certificates.

Use HTTPS Whether to use HTTPS to access this endpoint's API.

Use OTJ profile default: Use the Use HTTPS for endpoint API setting configured for the One-Touch Join
profile that this endpoint is associated with.

On: Use HTTPS to access this endpoint's API.

Off: Use HTTP to access this endpoint's API.

Configuration options for Poly OTD endpoints

Poly Calendaring Username The username the endpoint will use when connecting and authenticating to the calendaring service on the
Conferencing Node, to obtain meeting information.

This must be the same as the User Name or User (the field name will vary) configured on the Poly
endpoint, and must be unique.

This field is case-sensitive.

Poly Calendaring password The password the endpoint will use when connecting and authenticating to the calendaring service on the
Conferencing Node, to obtain meeting information.

This must be the same as the Password configured on the Poly endpoint.

This field is case-sensitive.

Configuration options for Webex Cloud registered endpoints

Webex Device ID The Webex endpoint's unique identifier. You can find the IDs for all devices in your Webex deployment by
going to https://developer.webex.com/docs/api/v1/devices/list-devices and from the right-hand panel
selecting Run.

Configuration options for all endpoints

© 2023 Pexip AS Version 33.a October 2023 Page 69 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Option Description

Raise alarms When enabled, an alarm will be raised:

l for Poly endpoints: when this endpoint has not contacted the calendaring service on the Conferencing
Node in the last 10 minutes
l for Cisco OBTP endpoints: when an attempt to push calendar updates to the endpoint was
unsuccessful
l for Webex Cloud registered endpoints: when an attempt to push calendar updates from the
Conferencing Node to Webex Cloud, or from Webex Cloud to the endpoint, was unsuccessful.
Default: enabled.

Room resource email The email address of the room resource associated with this endpoint. This must match an email address
that has been configured in Exchange or Google Workspace.

For Poly endpoints, this must be the same as the Email or Mailbox (where this setting is available)
configured on the Poly endpoint.

Endpoint Group The Endpoint Group to which this endpoint belongs.

Adding OTJ endpoints in bulk

You can add multiple One-Touch Join endpoints by importing a CSV file.
When formatting your import file:
l A header row in the CSV file is optional. If included, it must use the same field names as shown in the following sections, but you
may change the order of the fields. If a header row is not used, fields must be in the same order as shown.
l All non-blank fields must contain valid data.
l If non-ASCII characters are used, the file must be encoded as UTF-8 text.
l All fields are case-sensitive.
l Values may optionally be enclosed in double quotation marks; any strings containing commas must be enclosed in double
quotation marks e.g. "description for x, y and z".

Note that you can perform an export of existing data to produce an example file in the correct format.
To add multiple endpoints by importing a CSV file:

1. Create the CSV file, using the following format:

name,description,endpoint_type,api_address,api_port,api_username,api_password,poly_username,poly_password,poly_raise_alarms_
for_this_endpoint,webex_device_id,verify_cert,use_https,room_resource_email,mjx_endpoint_group_name

where
Field name Content Required field
for...

name This field cannot be blank. Cisco

The name of this One-Touch Join endpoint. Poly

You should ensure there are no duplicate names, either within the CSV file, or Webex
between the CSV file and the existing endpoints (unless you wish the existing
configuration to be overwritten).

description An optional description of this One-Touch Join endpoint.

© 2023 Pexip AS Version 33.a October 2023 Page 70 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Field name Content Required field

for...

endpoint_type The type of "click to join" feature supported by this endpoint. Cisco

Valid values are: Poly

o CISCO Webex
o POLY
o WEBEX

api_address The IP address or FQDN of the Cisco OBTP endpoint's API. Cisco

api_port The port of the Cisco OBTP endpoint's API.

If this is left blank, the defaults (443 if HTTPS is used, otherwise 80 for HTTP) will be
used.

api_username The username used by OTJ to access the Cisco OBTP endpoint's API.

api_password The password used by OTJ to access the Cisco OBTP endpoint's API.

poly_username The username and password the endpoint will use when connecting and Poly
authenticating to the calendaring service on the Conferencing Node, to obtain
meeting information.

poly_password The password the endpoint will use when connecting and authenticating to the Poly
calendaring service on the Conferencing Node, to obtain meeting information.

poly_raise_alarms_for_this_ Whether to raise an alarm if OTJ is unable to provide this endpoint with meeting
endpoint information. (Note that despite the field name, this applies to all endpoint types.)

Valid values are:

o TRUE
o YES
o FALSE
o NO
If this is left blank, the default TRUE (enabled) will be used.

webex_device_id The Webex endpoint's unique identifier. Webex

verify_cert Whether to enable TLS verification when accessing the Cisco OBTP endpoint's API.
Only applicable if using HTTPS to access this endpoint's API.

Valid values are:

o GLOBAL: Use the Verify endpoint certificates by default setting configured for the
One-Touch Join profile that this endpoint is associated with.
o YES: Enable TLS verification.
o NO: Do not use TLS verification.

use_https Whether to use HTTPS to access the Cisco OBTP endpoint's API.
o GLOBAL: Use the Use HTTPS for endpoint API setting configured for the One-
Touch Join profile that this endpoint is associated with.
o YES: Use HTTPS to access this endpoint's API.
o NO: Use HTTP to access this endpoint's API.

© 2023 Pexip AS Version 33.a October 2023 Page 71 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Field name Content Required field

for...

room_resource_email This field cannot be blank. Cisco

The email address of the room resource associated with this endpoint. This must Poly
match the email address that has been configured in Exchange or Google Workspace.
Webex

mjx_endpoint_group_name The endpoint group to which this endpoint belongs.

If this field is set, it must contain the name of an existing endpoint group.

2. From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Endpoints and from the bottom right of the screen,
select Import.
3. From the Import OTJ Endpoint Configuration page, select Choose file and then navigate to the CSV file you have created.
4. Select Save.

The imported endpoints will be added to your One-Touch Join configuration.

Duplicates
If any records in the CSV file have the same name field (regardless of whether or not any of the other fields are different), only one
endpoint with that name will be created. This endpoint will use the last record that was imported.
If any records in the CSV file have the same name as an existing endpoint, the existing configuration will be overwritten by the
imported endpoint's configuration.

Adding One-Touch Join meeting processing rules

In this step you create a prioritized set of rules that specifies each of the meeting types you expect users in your deployment to
encounter, and how the invitations for these meetings should be processed in order to obtain the alias that the endpoint must dial in
order to join the meeting.
One-Touch Join supports meetings from a number of different providers. For each of these supported meeting types, One-Touch Join
knows what information to look for in the meeting invitation, and how to use what it finds to derive an alias that the endpoint can dial
in order to join that meeting. In most cases, you can simply use the default processing for each supported meeting type. However, you
also have the option to override the default processing with your own transform pattern to change how the alias is constructed. You
can also write your own regex and custom rules if you wish to enable One-Touch Join for other meeting types or conferencing
providers not currently supported.
A single One-Touch Join profile will normally have multiple meeting processing rules associated with it — we recommend that you
create one rule for each Meeting type you expect users in your environment to encounter, including any invitations received from
external contacts where users may wish to use an internal meeting room to join the meeting. The Priority option should be used to
ensure that all rules for supported meeting types are processed before any Domain, Regex or Custom rules. (Note that the order in
which the supported meeting types are prioritized between themselves is not important.)
When One-Touch Join processes a meeting invitation, it goes through each meeting rule in order of priority to find a match.
l If a match is found, it uses the information in the invitation, processed in accordance with the rule's settings, to derive an alias to
use to join the meeting.
l If none of the meeting processing rules match (or there are no meeting processing rules configured or enabled), One-Touch Join
will search the invitation for a URI or address with a sip:, sips: or h323: prefix, and use that as the alias.

One-Touch Join then provides the endpoint with the alias, along with other meeting information such as the start time, end time,
subject, and organizer's name.
If no alias has been obtained, One-Touch Join may still provide the meeting information to the endpoint, depending on the Enable non-
video meetings and Enable private meetings settings for the profile being used.
Each meeting processing rule is associated with a single One-Touch Join profile, and therefore will apply to either an Exchange
integration or a Google Workspace integration, but not both.

© 2023 Pexip AS Version 33.a October 2023 Page 72 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

To view, edit and create meeting processing rules, from the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Meeting
Processing Rules.

Option Description

Name The name of this One-Touch Join meeting processing rule.

Description An optional description of this meeting processing rule.

OTJ profile The One-Touch Join profile associated with this meeting processing rule.

Priority The priority of this rule. Rules are checked in ascending priority order (starting at 1) until the first matching
rule is found, and it is then applied.

We recommend that meeting types other than Domain, Regex or Custom are given highest priority. You
can then use lower Priority options to determine the order in which any Domain, Regex and Custom rules
are applied, particularly if you are using more than one of these meeting types.

Meeting type The type of meeting invitation to which this rule applies. You can select one of the supported meeting
types from the drop-down list, or select Regex or Custom if you wish to define your own meeting
processing rule.

For a full list of available meeting types, and guidance on which to use in your deployment, particularly
when joining Teams or Skype for Business meetings, see Supported meeting types.

Include password (Available when a Meeting type of Zoom has been selected)

Enable this option to search the meeting information for the meeting password, and if found, include the
password to the alias used to join the meeting, so that users do not need to enter the password
themselves.

Default processing enabled (Does not apply to Custom meeting types)

l For meeting types other than Regex:
o check this box to use the default transform pattern for the selected meeting type (for a list of the
default transform patterns for each meeting type, see Supported meeting types), or
o clear this box to write your own Transform pattern for this meeting type.
l For Regex meeting type:
o check this box to use the matched string, unchanged, as the alias that the endpoint will dial to
join the meeting, or
o clear this box to use a regex Replace string to transform the matched string into the alias to dial.
For more information, see Regex meeting type.

Transform pattern (Available and required when Default processing is disabled and any Meeting type option other than
Custom or Regex has been selected.)

A Jinja2 snippet that is used to process the meeting information from calendar events of the selected
Meeting type in order to derive the meeting alias.

If you disable Default processing after creating and saving the rule, this field will show the default
transform pattern, which you can then edit.

For a list of the valid variables for each meeting type, see Supported meeting types.

Match string (Available and required when a Meeting type of Regex has been selected.)

The regular expression that defines the string to search for in the invitation.

© 2023 Pexip AS Version 33.a October 2023 Page 73 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

Option Description

Replace string (Available and required when Default processing is disabled and a Meeting type of Regex has been
selected.)

A regular expression that defines how to transform the matched string into the alias to dial.

Domain (Available and required when a Meeting type of Domain, Microsoft Teams Meeting Properties or Google
Meet SIP Guest Join has been selected.)
l For a Meeting type of Domain, this is the domain that OTJ will search for in the meeting body, in
order to match this rule.
l For a Meeting type of Microsoft Teams Meeting Properties, this is the domain that OTJ will append to
the meeting ID after the rule has been matched, in order to create the alias that the endpoint will dial
to join the meeting.
l For a Meeting type of Google Meet SIP Guest Join, this is the domain that OTJ will append to the
meeting ID after the rule has been matched, in order to create the alias that the endpoint will dial to
join the meeting. In this case it should be the domain of the service providing the Pexip Google interop
— for the Pexip Service this is google.pexip.me.

Custom template (Available and required when a Meeting type of Custom has been selected.)

A Jinja2 script which is used to process the meeting information from calendar events in order to extract
the meeting alias.

For more information, see Custom meeting type.

Enabled Determines whether or not the rule is enabled. Any disabled rules still appear in the rules list but are
ignored. Use this setting to test configuration changes, or to temporarily disable specific rules.

Testing the rule

When you have created and saved a meeting processing rule, a Test OTJ Meeting Processing Rule button will appear at the bottom of
the page. This will take you to the Test Meeting Processing page, which allows you to test that the rule works as expected for the
selected deployment and meeting type, and also allows you to edit the configuration for that rule until you get the desired results.
When searching a meeting invitation for the text to transform into an alias, OTJ will search either the invitation's properties, or the
invitation's body (depending on the selected Meeting type) — and so when testing a rule, you will see either a Calendar event
properties field or a Calendar event body field as appropriate. These fields will in most cases contain some example text in the format
expected by OTJ, but you can enter other text here to help you test the rule, for example if you know that the format will be different
in your deployment. However, since these two fields are there purely to assist you when testing the rule, and do not make up part of
the rule itself, any changes to these fields will not be saved.
To test the rule:

© 2023 Pexip AS Version 33.a October 2023 Page 74 of 121

 Pexip One-Touch Join Deployment Guide Configuring Pexip Infinity for One-Touch Join

1. Review and complete the following fields:

Option Description

Read-only fields

Integration type This read-only field shows whether the rule will be applied to a Google Workspace or Exchange
integration. This is based on the integration option selected in the OTJ profile associated with the rule.

Meeting type This read-only field shows the meeting type associated with this rule.

Configuration that can be edited and saved

The available fields will depend on the selected meeting type.

You can edit these fields and re-test the rule until you get the desired results.

Domain The Domain currently configured for this rule.

Match string The Match string (and Replace string, where applicable) currently configured for this rule.

Replace string

Transform pattern The pattern that will be used to transform specific text in the meeting invitation into an alias to dial.
o If you selected Default processing enabled, this will be the default transform pattern for this
meeting type.
o If you did not select Default processing enabled, this will be the Transform pattern you entered.

Custom template The Custom template currently configured for this rule.

Example text used when testing the rule

Calendar event properties (Available for some meeting types)

A JSON field representing the event properties that OTJ expects to find for the selected Meeting type
(for Google Workspace integrations, this will contain a subset of the Google Event Properties; for
Exchange integrations, this will be the Exchange MAPI Properties). This data will be used to generate
the meeting alias.

In most cases this field will be populated automatically, but you can edit it if you know that the format
used in your deployment will be different.

Calendar event body (Available for some meeting types)

An example of the text that OTJ expects to find in the body of the invitation for the selected Meeting
type, and which will be used to generate the meeting alias. In most cases this will be populated
automatically, but you can paste in the full text from an actual meeting invitation used in your
deployment and test the rule against this.

2. Select Test OTJ Meeting Processing Rule.

The Result field shows the meeting alias that would be extracted based on the rule's current configuration and the example
calendar event properties or body.
o If this is blank, the example calendar event properties / body did not contain any text that could be matched and transformed
according to the rule as currently configured.
o If the result is not as expected, edit the fields above as appropriate.
3. When the configuration is producing the desired result, to save the changes you have made, select Save changes and return.

Next steps
You should now complete the steps in Configuring endpoints to support One-Touch Join for each endpoint.

© 2023 Pexip AS Version 33.a October 2023 Page 75 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Configuring endpoints to support One-Touch Join

This topic describes how to configure each of the supported endpoint types — Cisco OBTP (either when on the same network as the
One-Touch Join Conferencing Nodes, or when on a different network), or Poly OTD — so they can be used with Pexip Infinity One-
Touch Join.

Prerequisites
We recommend that you have already completed the steps in Configuring Pexip Infinity for One-Touch Join. In particular, you will need
some of the information that you previously entered when Adding One-Touch Join endpoints to Pexip Infinity, to complete the
configuration on each endpoint.

Configuring Cisco OBTP endpoints for OTJ

For endpoints on the same network as the OTJ Conferencing Node, we recommend you configure the endpoint to allow the npde to
connect directly to it, as per the instructions in Configuring OBTP endpoints on the same network.
For endpoints on a different network to the OTJ Conferencing Node, these endpoints must be registered to Webex Cloud, and OTJ
must be configured to connect to the endpoint via Webex Cloud. For full instructions, see Configuring Cisco Webex Cloud registered
endpoints.

Configuring OBTP endpoints on the same network

For Cisco OBTP endpoints to obtain OTJ meeting information, the Conferencing Node associated with the endpoint uses the endpoint's
API to push the information out to the endpoint.
The endpoint must have an account set up with a role of either Admin or User that can be used by OTJ to access the endpoint's API.

© 2023 Pexip AS Version 33.a October 2023 Page 76 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Configuring Cisco Webex Cloud registered endpoints

For endpoints registered to Cisco Webex Cloud to obtain OTJ meeting information, the Conferencing Node connects to the Webex
Cloud, which then uses the endpoint's API to push the meeting information to the endpoint. To enable this, you must set up a Webex
integration for use by OTJ, and then configure OTJ with details of the integration.

Prerequisites
Webex Cloud registered endpoints must be:
l registered to either Webex or Webex Edge for Devices
l running one of the following software versions:
o CE (9.14 or later)
o TC (any version supported by Webex Cloud)
o RoomOS
l have Cloud Calendar disabled
l be running in Room mode (not Personal mode).

Creating a Webex Integration

In this step, you create a new Webex integration to use for OTJ.

1. Go to https://developer.webex.com/my-apps/new/integration and sign in with your account.

2. Configure the following fields as follows (all other fields can be configured as appropriate for your environment):
o Redirect URI(s): this should point to the IP address or FQDN of your Management Node, and be in the format
https://<Management Node_address>/admin/platform/mjxintegration/oauth_redirect/
The OAuth Redirect URI is the page on the Pexip Infinity Administrator interface the administrator is sent to, after they
have successfully signed in to the Webex Integration. Because it is a page on the Management Node, this URI is internal
to your deployment and only needs to be accessible from the administrator's web browser; you do not need to make it
externally accessible.
o Scopes: select spark:xapi_commands
3. Select Add Integration.
Your integration is created.
4. Take note of the Client ID and Client Secret (which will be generated for you after the integration has been created) and the
Redirect URI (which you entered in step 2 above). These will be required when you are Enabling a One-Touch Join profile to use
Webex Cloud.

Enabling a One-Touch Join profile to use Webex Cloud

1. On the Management Node, go to One-Touch Join > OTJ Profiles and either select an existing profile, or create a new profile.
2. In the Cisco Webex Endpoint Config Options section, select Enable Webex Cloud and in the fields that then appear, enter the
Client ID, Client Secret and Redirect URI from the previous steps.
3. Select Save.
You are taken back to the main OTJ Profiles page.
4. Select the profile you have just edited/created, and at the bottom of the page select Authorize Webex Cloud API access.
5. From the Authorize Login to Webex Integration page, select Authorize:

© 2023 Pexip AS Version 33.a October 2023 Page 77 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

6. Sign in to Webex, and accept the permissions being requested.

You are redirected back to the Management Node.
7. You may be asked to sign in to the Management Node again. If so, you must sign in to the Management Node (using your
Management Node credentials) to complete the authorization process.

When complete, you see the message Successful sign in to Webex Cloud.

Adding a Webex endpoint

1. On the Management Node, go to One-Touch Join > OTJ Endpoints and select Add OTJ Endpoint.
2. Select an Endpoint type of Webex Cloud registered.
3. Enter the Webex Device ID.
You can find the IDs for all devices in your Webex deployment by going to https://developer.webex.com/docs/api/v1/devices/list-
devices and from the right-hand panel selecting Run.
4. Enter the Room resource email associated with this endpoint.

Disabling the calendar

1. Sign in to https://admin.webex.com/
2. From the panel on the left, select Workspaces.
3. Ensure that for each workspace containing an endpoint to be used for OTJ, the Calendar column shows Not configured.

© 2023 Pexip AS Version 33.a October 2023 Page 78 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

o If a calendar is listed, select Actions > Edit Calendar and from the Calendar drop-down menu select Off:

Configuring Poly OTD endpoints for OTJ

© 2023 Pexip AS Version 33.a October 2023 Page 79 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

In order for Poly OTD endpoints to obtain One-Touch Join meeting information, each One-Touch Join Conferencing Node emulates a
Microsoft Exchange server. The Poly endpoint then connects to the Conferencing Node and registers to the calendaring service on the
node in order to pull meeting information, as shown in the diagram below.
Note that this emulation of an Exchange calendaring service on the Conferencing Node is purely to provide the Poly endpoint with its
meeting information. It is completely separate to the process by which the Conferencing Node initially obtains the meeting information
from the calendar/email service being used for One-Touch Join — which can be either Exchange or Google Workspace.
It is important that you do not set up your Poly endpoints until after you have completed the steps to add the endpoint details to Pexip
Infinity.

Enabling the client API

To use Poly endpoints with One-Touch Join, you must ensure that the Client API is enabled on Pexip Infinity, via the global setting
Enable support for Pexip Infinity Connect clients and Client API.
If you are deploying One-Touch Join as a dedicated stand-alone platform that includes Poly endpoints, you must still enable the
client API. However, for added security you can disable some or all call protocols (i.e. SIP, SIP UDP, H.323, WebRTC and RTMP).

DNS records
If you have a One-Touch Join deployment that includes Poly endpoints in a location with more than one Conferencing Node, you
should spread the Poly endpoint registrations across all nodes in the location to maximize performance and provide redundancy. To
achieve this, we recommend that all Poly endpoints in a location register to a single FQDN which uses round-robin DNS to resolve to
each Conferencing Node in turn. This requires you to set up appropriate DNS records for all Conferencing Nodes in the location, and
ensure that your DNS server is configured to round-robin between these records.

Poly authentication
In normal Pexip Infinity usage Poly endpoints authenticate to One-Touch Join using digest authentication, with the exception of HDX
endpoints which require NTLMv2.

© 2023 Pexip AS Version 33.a October 2023 Page 80 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

When Pexip Infinity has been deployed in a secure mode of operation (and therefore FIPS compliance has been enabled), NTLMv2 and
digest authentication are disabled and basic authentication is used. As a result, when in this mode:
l HDX endpoints are not supported
l Trio endpoints must be configured to allow basic authentication.

Deployments with a load balancer

If there is a load balancer between the Poly endpoints and the One-Touch Join Conferencing Node, the load balancer should be
configured to set the X-Forwarded-For header. This preserves the endpoint's IP address in communications, allowing requests and
subsequent responses to be directed to the correct endpoint.

Configuring Poly RealPresence Group series

One-Touch Join supports Poly RealPresence Group Series endpoints running v5.0.0 or later.
To configure a Poly RealPresence Group Series for One-Touch Join, use the following settings (which can be found on the endpoint
under Admin settings > Servers > Calendering service):

Field Poly configuration Matching Infinity Additional info

configuration

Email The email address of the room resource This must be the same as
configured in Exchange or Google Workspace the Room resource email
that is associated with this endpoint. configured on Pexip
Infinity for this endpoint.

Domain Leave blank. This is the Exchange domain, and is not

required for One-Touch Join.

User Name The username and password the endpoint will This must be the same as These fields are case-sensitive.
use when connecting and authenticating to the the Poly Calendaring
Password Each Poly endpoint must have a unique
calendaring service on the Conferencing Node, Username and Password
User Name.
to obtain meeting information. configured on Pexip
Infinity for this endpoint.

Auto Discover Do not select this button. Auto Discovery is not supported.
Using Instead, you should manually configure
the Microsoft Exchange Server settings.

Microsoft l If you have a single Conferencing Node in

Exchange Server this location, enter the IP Address or FQDN
of the node (in the format 192.168.0.0 or
host.example.com).
l If you have multiple Conferencing Nodes in
this location, you should use DNS round
robin; therefore this will be the FQDN of
the DNS record for this location (in the
format host.example.com).
In both cases, the location is the Pexip Infinity
location associated with the Endpoint Group to
which this endpoint belongs.

Secure Connection Select Automatic.

Protocol

© 2023 Pexip AS Version 33.a October 2023 Page 81 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Field Poly configuration Matching Infinity Additional info

configuration

Meeting Reminder Optional Can still be used in conjunction with

Time in Minutes One-Touch Join.

Play Reminder Optional Can still be used in conjunction with

Tone When Not in One-Touch Join.
a Call

Show Information Optional Enable private meetings must be

for Meetings Set to enabled on the One-Touch Join Profile
Private associated with this endpoint in order
for this setting to apply.

If Enable private meetings has been

disabled on the One-Touch Join Profile,
this setting will have no effect.

To confirm that the Poly RealPresence Group Series endpoint has registered successfully with the calendaring service:

1. On the endpoint, go to Admin Settings > Servers > Calendaring Service.

2. Confirm that the Registration Status is showing as Registered.

Configuring Poly Trio series

When configuring Poly Trio series endpoints for One-Touch Join, you should use a Generic base profile unless your deployment
specifically requires you to use a Skype for Business base profile. Configuration instructions for each are given below.

Configuring Poly Trio using a generic base profile

1. Open the endpoint's web UI at https://<ipaddress>, select Admin, and log in using the admin password.
2. From Simple Setup > Base Profile select Generic and then select Save.
3. Edit the config file as follows (this can be done via Utilities > Import & Export Configuration):
o add the following:
feature.contactPhotoIntegration.enabled="0"
o if the Trio is running software version 5.9.1.11135 or later and Pexip Infinity has been deployed in a secure mode of operation
(and therefore FIPS compliance has been enabled), you must allow the Trio to use basic authentication by adding:
feature.exchange.allowBasicAuth="1"

4. From Settings > Applications, configure the Poly trio as follows:

Field Poly configuration Matching Infinity Additional info
configuration

Exchange Applications

Exchange Select Enable.

Calendar

Auto Discover Select Disable. Auto Discover is not supported.

Using Instead, you should manually configure
the Exchange Server URL settings.

© 2023 Pexip AS Version 33.a October 2023 Page 82 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Field Poly configuration Matching Infinity Additional info

configuration

Exchange Server Enter Note that the URL is case-sensitive; in

URL https://<address>/EWS/Exchange.asmx particular, ensure that EWS and
Exchange are capitalized as shown.
For <address>:
o If you have a single Conferencing Node in
this location, enter the IP Address or
FQDN of the node (in the format
192.168.0.0 or host.example.com).
o If you have multiple Conferencing Nodes
in this location, you should use DNS
round robin; therefore this will be the
FQDN of the DNS record for this location
(in the format host.example.com).
In both cases, the location is the Pexip Infinity
location associated with the Endpoint Group
to which this endpoint belongs.

Exchange Sign-In *

Exchange Email Leave blank.

Domain Leave blank. This is the Exchange domain, and is not

required for One-Touch Join.

User The username and password the endpoint This must be the same as These fields are case-sensitive.
will use when connecting and authenticating the Poly Calendaring
Password Each Poly endpoint must have a
to the calendaring service on the Username and Password
unique User name.
Conferencing Node, to obtain meeting configured on Pexip
information. Infinity for this endpoint.

* Available for endpoints running version 5.9.2.7727 or later. For earlier versions, you must have physical access to the endpoint's touch
screen; use this to log in using the User and Password credentials as described above.

To confirm that the Poly Trio endpoint has registered successfully with the calendaring service:

1. On the endpoint, go to Diagnostics > Exchange Status.

2. Confirm that Exchange Calendar is showing as Synchronized.

Configuring Poly Trio using Skype for Business base profile

You should only use the Skype for Business base profile if specifically required in your deployment (for example, if you wish to place
PSTN calls via Skype for Business server); otherwise use the generic base profile.
When the Trio is configured as described below, it will still register with the calendaring service on the Conferencing Node to obtain
meeting information, but it will also register with Skype for Business and use that to place outbound calls.

1. Open the endpoint's web UI at https://<ipaddress>, select Admin, and log in using the admin password.
2. From Simple Setup > Base Profile select Skype for Business and then select Save.
3. Edit the config file (this can be done via Utilities > Import & Export Configuration) by adding:
feature.exchangeVoiceMail.enabled="0"
exchange.showSeparateAuth="1"
feature.exchangeContacts.enabled="0"

© 2023 Pexip AS Version 33.a October 2023 Page 83 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

4. From Settings > Skype For Business SignIn, configure the Poly trio as follows:
Field Poly configuration Matching Infinity Additional info
configuration

Skype for Business

Use User Select Enable.

Credentials

Authentication Select User Credentials.

Type

Sign-in Address The endpoint's Skype for Business address.

Domain The endpoint's Skype for Business domain.

User The name and password the endpoint will use

to authenticate with Skype for Business.
Password

Microsoft Exchange Server Configuration

Exchange Email The email address of the room resource that This must be the same as
is associated with this endpoint. the Exchange target
mailbox configured on
the endpoint, and Room
resource email
configured on Pexip
Infinity for this endpoint.

Exchange Domain Leave blank.

Exchange User The username and password the endpoint This must be the same as These fields are case-sensitive.
will use when connecting and authenticating the Poly Calendaring
Exchange Each Poly endpoint must have a
to the calendaring service on the Username and Password
Password unique User name.
Conferencing Node, to obtain meeting configured on Pexip
information. Infinity for this endpoint.

Exchange Target The email address of the room resource that This must be the same as
Mailbox is associated with this endpoint. the Exchange Email
configured on the
endpoint, and Room
resource email
configured on Pexip
Infinity for this endpoint.

5. From Settings > Applications, configure the Poly trio as follows:

Field Poly configuration Matching Infinity Additional info
configuration

Exchange Applications

Exchange Select Enable.

Calendar

Auto Discover Select Disable. Auto Discover is not supported.

Instead, you should manually configure
the Exchange Server URL settings.

© 2023 Pexip AS Version 33.a October 2023 Page 84 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Field Poly configuration Matching Infinity Additional info

configuration

Exchange Server Enter Note that the URL is case-sensitive; in

URL https://<address>/EWS/Exchange.asmx particular, ensure that EWS and
Exchange are capitalised as shown.
For <address>:
o If you have a single Conferencing Node in
this location, enter the IP Address or
FQDN of the node (in the format
192.168.0.0 or host.example.com).
o If you have multiple Conferencing Nodes
in this location, you should use DNS
round robin; therefore this will be the
FQDN of the DNS record for this location
(in the format host.example.com).
In both cases, the location is the Pexip Infinity
location associated with the Endpoint Group
to which this endpoint belongs.

To confirm that the Poly Trio endpoint has registered successfully with the calendaring service:
a. On the endpoint, go to Diagnostics > Exchange Status.
b. Confirm that Exchange Calendar is showing as Synchronized.

Configuring Poly HDX series

To configure the Poly HDX for One-Touch Join, go to the endpoint's IP address.
From Admin Settings > Global Services > Calendaring Service, enter the following:

Field Poly configuration Matching Infinity Additional info

configuration

Enable Calendaring Select this option.

Service

Microsoft l If you have a single Conferencing Node in

Exchange Server this location, enter the IP Address or FQDN
Address of the node (in the format 192.168.0.0 or
host.example.com).
l If you have multiple Conferencing Nodes in
this location, you should use DNS round
robin; therefore this will be the FQDN of
the DNS record for this location (in the
format host.example.com).
In both cases, the location is the Pexip Infinity
location associated with the Endpoint Group to
which this endpoint belongs.

Domain Leave blank. This is the Exchange domain, and is not

required for One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 85 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Field Poly configuration Matching Infinity Additional info

configuration

User Name The username the endpoint will use when This must be the same as This field is case-sensitive.
connecting and authenticating to the the Poly Calendaring
Each Poly endpoint must have a unique
calendaring service on the Conferencing Node, Username configured on
User Name.
to obtain meeting information. Pexip Infinity for this
endpoint.

Password Select this option. The New Password and

Confirm Password fields will appear.

New Password The password the endpoint will use when This must be the same as This field is case-sensitive.
Confirm Password connecting and authenticating to the the Poly Calendaring
calendaring service on the Conferencing Node, password configured on
to obtain meeting information. Pexip Infinity for this
endpoint.

Mailbox For Exchange integrations: the email address of For Exchange

the room resource configured in Exchange that integrations, this must be
is associated with this endpoint. the same as the Room
resource email configured
For Google Workspace integrations: the User
on Pexip Infinity for this
Name entered above.
endpoint.

Reminder Time in Optional Can still be used in conjunction with

Minutes One-Touch Join.

Play Reminder Optional Can still be used in conjunction with

Tone One-Touch Join.

Show Private Optional Enable private meetings must be

Meeting enabled on the One-Touch Join Profile
Information associated with this endpoint in order
for this setting to apply.

If Enable private meetings has been

disabled on the One-Touch Join Profile,
this setting will have no effect.

To confirm that the Poly HDX endpoint has registered successfully with the calendaring service:

1. On the endpoint, go to Admin Settings > Global Services > Calendaring Service.
2. Confirm that there is a green tick next to Enable Calendaring Service.

Configuring Poly Studio X series and Poly G7500 series

To configure the Poly Studio or Poly G7500 for One-Touch Join, go to the endpoint's IP address and sign in to the endpoint if required.
From Servers > Calendaring Service, enter the following:

Field Poly configuration Matching Infinity Additional info

configuration
Enable Calendaring Select this option.
Service

© 2023 Pexip AS Version 33.a October 2023 Page 86 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Field Poly configuration Matching Infinity Additional info

configuration
Email The email address of the room resource This must be the same as
configured in Exchange or Google Workspace the Room resource email
that is associated with this endpoint. configured on Pexip
Infinity for this endpoint.

Domain Leave blank. This is the Exchange domain, and is not

required for One-Touch Join.

User Name The username and password the endpoint will This must be the same as These fields are case-sensitive.
use when connecting and authenticating to the the Poly Calendaring
Password Each Poly endpoint must have a unique
calendaring service on the Conferencing Node, Username and Password
User Name.
to obtain meeting information. configured on Pexip
Infinity for this endpoint.

Microsoft l If you have a single Conferencing Node in

Exchange Server this location, enter the IP Address or FQDN
of the node (in the format 192.168.0.0 or
host.example.com).
l If you have multiple Conferencing Nodes in
this location, you should use DNS round
robin; therefore this will be the FQDN of
the DNS record for this location (in the
format host.example.com).
In both cases, the location is the Pexip Infinity
location associated with the Endpoint Group to
which this endpoint belongs.

Meeting Reminder Optional Can still be used in conjunction with

Time in Minutes One-Touch Join.

Play Reminder Optional Can still be used in conjunction with

Tone When Not in One-Touch Join.
a Call

Show Information Optional Enable private meetings must be

for Meetings set to enabled on the One-Touch Join Profile
Private associated with this endpoint in order
for this setting to apply.

If Enable private meetings has been

disabled on the One-Touch Join Profile,
this setting will have no effect.

To confirm that the Poly Studio / Poly G7500 endpoint has registered successfully with the calendaring service:

1. On the endpoint, go to Servers > Calendaring Service.

2. Confirm that the Registration Status is showing as Registered.

Configuring Poly Debut series

To configure the Poly Debut for One-Touch Join, from Server Settings > Calendar, enter the following:

© 2023 Pexip AS Version 33.a October 2023 Page 87 of 121

 Pexip One-Touch Join Deployment Guide Configuring endpoints to support One-Touch Join

Field Poly configuration Matching Infinity Additional info

configuration
Enable Calendar Select Enable.

Microsoft l If you have a single Conferencing Node in

Exchange Server this location, enter the IP Address or FQDN
of the node (in the format 192.168.0.0 or
host.example.com).
l If you have multiple Conferencing Nodes in
this location, you should use DNS round
robin; therefore this will be the FQDN of
the DNS record for this location (in the
format host.example.com).
In both cases, the location is the Pexip Infinity
location associated with the Endpoint Group to
which this endpoint belongs.

Domain Leave blank. This is the Exchange domain, and is not

required for One-Touch Join.

User Name The username and password the endpoint will This must be the same as These fields are case-sensitive.
use when connecting and authenticating to the the Poly Calendaring
Password Each Poly endpoint must have a unique
calendaring service on the Conferencing Node, Username and Password
User Name.
to obtain meeting information. configured on Pexip
Infinity for this endpoint.

To confirm that the Poly Debut endpoint has registered successfully with the calendaring service:

1. On the endpoint, go to the Device Status page.

2. In the Calendar row of the table, check that the Status is showing as Registered.

© 2023 Pexip AS Version 33.a October 2023 Page 88 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join meeting types and transforms

One-Touch Join meeting types and transforms

This topic details the meeting types, transform patterns and variables that are supported when Adding One-Touch Join meeting
processing rules.
You must configure One-Touch Join with information about all the different types of meeting invitations you expect to encounter in
your deployment, and rules for how the information in each of these invitations should be used to derive the alias that the endpoint
will dial to join the meeting.
You can select from the currently supported meeting types (which you can edit if necessary), or create your own regex or custom rules
if you wish to enable One-Touch Join for other meeting types or conferencing providers not already supported. There are also some
non-configurable fallback settings that are used when no other rules match.
You must also ensure that your deployment has appropriate Call Routing Rules to enable the OTJ endpoint to dial the meeting aliases
that are derived for each meeting type.

Fallback alias matching

If One-Touch Join cannot find a valid meeting alias because none of the meeting processing rules match, or because there are no
meeting processing rules configured or enabled, as a fallback it will always search the body and the location of the invitation for one of
the following patterns to use as the alias to dial:
l sip:<uri>
l sips:<uri>
l h323:<address>

Supported meeting types

The table below lists the currently supported configurable Meeting types. For each type, the Default transform pattern shows how,
when default processing is enabled, One-Touch Join uses the information it finds in the meeting invitation to derive the alias that the
endpoint will dial to join the meeting. The table also lists the Valid variables that can be used when creating a custom transform
pattern for this meeting type.
These meeting types are supported by the current version of Pexip Infinity at the time of its release, but sometimes conferencing
providers change the format of their meeting invitations. Until these changes are incorporated into a subsequent release of Pexip
Infinity, you may need to use a custom rule in order to continue to use One-Touch Join for these meeting types. Where possible
we will provide these for you in the Custom meeting type section of the Pexip documentation, so we suggest that you check this
content regularly between upgrades.

Meeting type Usage and notes Default transform pattern Valid variables
(if not using
default transform)

Pexip Infinity For meetings scheduled using Pexip's VMR Scheduling {{meeting_id}}@{{domain}} l meeting_id
for Exchange feature, and which use the default l domain
Joining instructions template. These meetings typically
include a join link in the format pexip://<meeting_
id>@<domain>.

If your VMR Scheduling for Exchange deployment does

not use the default template, or uses an alias in a
different format, you should select a Meeting type of
Domain or Custom instead.

© 2023 Pexip AS Version 33.a October 2023 Page 89 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join meeting types and transforms

Meeting type Usage and notes Default transform pattern Valid variables
(if not using
default transform)

Pexip Service For meetings held in Pexip Service VMRs. {{meeting_id}}@pexip.me l meeting_id

By default, the resulting alias will use the domain l domain

pexip.me

Microsoft Teams Meeting (Not currently supported for Google Workspace {{meeting_id}}@{{domain}} l meeting_id
Properties integrations) l domain
For meetings hosted in Microsoft Teams. This rule
should be sufficient if all your Teams meetings are
internal; otherwise we recommend that you also add
any relevant Microsoft Teams Meeting Body for ...
rules.

You must provide the Domain that will be used when

deriving the alias — this should be the domain from
which the meeting invitation was sent.

Microsoft Teams SIP For Microsoft Teams meetings hosted on another {{base32_encoded_blob}}.
Guest Join domain where the hosting domain does not have {{tenant_id}}@pex.ms
Pexip Teams interop but your organization does have
access to Pexip Teams interop through the Pexip
Service.

Leave Default processing enabled checked. Any

changes that you make to the default processing will
not take effect for this rule.

Microsoft Teams Meeting If you expect users in your deployment to receive {{prefix}}{{meeting_id}}@ l meeting_id
Body for Pexip Infinity invitations to Microsoft Teams meetings sent from {{domain}} l domain
domains other than your own, where the meeting l prefix
organizer is using a Pexip Infinity — Teams integration.

Microsoft Teams Meeting If you expect users in your deployment to receive {{meeting_id}}@{{domain}} l meeting_id
Body for Pexip Service invitations to Microsoft Teams meetings sent from l domain
domains other than your own, where the meeting
organizer is using a Pexip Service — Teams integration.

Microsoft Teams Meeting If you expect users in your deployment to receive {{tenant_id}}.{{meeting_ l meeting_id
Body for Poly invitations to Microsoft Teams meetings sent from id}}@t.plcm.vc l domain
domains other than your own, where the meeting l tenant_id
organizer is using a Poly — Teams integration.

By default, the resulting alias will use the domain

t.plcm.vc

Microsoft Teams Meeting If you expect users in your deployment to receive {{tenant_id}}.{{meeting_ l meeting_id
Body for BlueJeans invitations to Microsoft Teams meetings sent from id}}@teams.bjn.vc l domain
domains other than your own, where the meeting l tenant_id
organizer is using a BlueJeans — Teams integration.

By default, the resulting alias will use the domain

teams.bjn.vc

Microsoft Teams Meeting If you expect users in your deployment to receive {{conf_id}}.{{tenant_key}}@ l conf_id
Body for Cisco invitations to Microsoft Teams meetings sent from {{domain}} l tenant_key
domains other than your own, where the meeting l domain
organizer is using a Cisco — Teams integration.

© 2023 Pexip AS Version 33.a October 2023 Page 90 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join meeting types and transforms

Meeting type Usage and notes Default transform pattern Valid variables
(if not using
default transform)

Google Meet For meetings scheduled using Google Meet. {{meeting_id}}@{{domain}} l meeting_id

This is supported in Google Workspace integrations, l domain

and in Exchange integrations (on-premises or O365) if
the Google Meet invitation uses Long meeting IDs
(which automatically include a SIP dial-in address).

This option is not supported in Exchange integrations

(on-premises or O365) if the Google Meet invitation
uses Short meeting IDs only, because the SIP dial-in
address is not automatically included in these
invitations.

Google Meet SIP Guest For Google Meet meetings hosted on another domain {{meeting_id}}@{{domain}} l meeting_id
Join where the hosting domain does not have Pexip Google l domain
interop but your organization does have access to
Pexip Google interop through the Pexip Service.

Leave Default processing enabled checked, and enter

the Domain of the service providing the Pexip Google
interop — for the Pexip Service this is
google.pexip.me.

Skype for Business For Skype for Business meetings. __sfb__{{focus_id}}.{{user}}@ l focus_id
{{domain}} l domain
The domain used is the domain of the organizer’s
email address.

You must also ensure you have a Call Routing Rule

configured that includes the following settings
(replacing example\.com in the example below with the
domain of the organizer’s email address):
l Destination alias regex match:
__sfb__([a-z0-9]+)\.([a-z\.\-]+)@(example\.com)

l Regex replace string:

sip:\2@\3;gruu;opaque=app:conf:focus:id:\1

l Call target:

Lync / Skype for Business clients, or meetings via

a Virtual Reception

Skype for Business For Skype for Business meetings, where the meeting {{tenant_id}}.{{meeting_ l meeting_id
Meeting Body for Poly organizer is using a SfB — Poly integration. id}}@v.plcm.vc l domain
By default, the resulting alias will use the domain l tenant_id
v.plcm.vc

Webex For Webex meetings. {{meeting_id}}@{{domain}} l meeting_id

l domain

Zoom For Zoom meetings. {{meeting_id}}@zoomcrc.com l meeting_id

By default, the resulting alias will use the domain {{meeting_id}}. l domain
zoomcrc.com {{pin}}@zoomcrc.com l pin

Optionally, the meeting password (PIN) can be

included in the alias (not supported for Google
Workspace integrations).

© 2023 Pexip AS Version 33.a October 2023 Page 91 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join meeting types and transforms

Meeting type Usage and notes Default transform pattern Valid variables
(if not using
default transform)

BlueJeans For BlueJeans meetings. {{meeting_id}}@bjn.vc l meeting_id

By default, the resulting alias will use the domain l domain

bjn.vc

GoToMeeting For GoToMeeting meetings. {{meeting_id}}@{{domain}} l meeting_id

l domain

Domain If you expect users in your deployment to receive {{meeting_id}}@{{domain}} l meeting_id

invitations for meetings that do not fall into any of the l domain
above categories, you can use this rule to enable
meetings where the alias is from a known domain.

We recommend that Domain rules are given a lower

priority than any of the other rules.

You must provide the Domain that will be searched for

in order to match this rule.

This rule will search the body and the location for a
match.

The search will result in a match even if the URI

includes one or more subdomains of the domain being
searched for. The domain can also include
subdomains. When there is a match, the full URI will
be used as the meeting alias. For example, if the
domain is sales.example.com, that will match
alice@sales.example.com and
alice@us.sales.example.com but not
alice@example.com.

Regex See Regex meeting type

Custom See Custom meeting type

Regex meeting type

A Meeting type of Regex enables you to use a regular expression to search for a particular Match string in the body and location of the
invitation. You can then either:
l select Default processing enabled to use the matched string as the alias that the endpoint will dial to join the meeting, or
l disable Default processing enabled to use a regex Replace string to transform the matched string into the alias to dial.

For more information on using regular expressions with Pexip Infinity, see Regular expression reference.

Examples
Matching without a transform
This example searches the invitation for any alias in the format of <name>.vmr@example.com, and uses that as the alias to dial:

Meeting type Regex

Default processing enabled Yes

Match string [\w+].vmr@example.com

© 2023 Pexip AS Version 33.a October 2023 Page 92 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join meeting types and transforms

In this example, if the meeting body contains the following text:

From a video system (SIP/H.323): alice.vmr@example.com

then the alias that will be dialed to join the meeting will be alice.vmr@example.com

Transforming a URL into an alias

This example searches the invitation for a URL in the format https:://<domain>/meet/<name>and transforms that into an alias in the
format <name>@<domain>:

Meeting type Regex

Default processing enabled No

Match string https:\/\/([^\/]+)/meet\/(\d+)

Replace string \2@\1

In this example, if the meeting body contains the following text:

From web browser & other ways to join:
https://pexip.me/meet/123456

then the alias that will be dialed to join the meeting will be 123456@pexip.me

Custom meeting type

A Meeting type of Custom enables more advanced processing by allowing you to use a Jinja2 template with access to all calendar_
event information, which you can then use to generate the alias that the endpoint will dial to join the meeting. For more information
on using Jinja2 with Pexip Infinity, see Jinja2 templates and filters.
A custom meeting type can be used to enable meeting types or conferencing providers not listed above, or to provide a workaround if
any supported providers change their current implementations. (Any known workarounds will be given in the Examples section below.)
You can use the following calendar event dictionary items, in conjunction with any other literal values if required (e.g. if the domain is
always a known quantity), to create the Jinja script:

Item Type Additional information

subject string

organizer_full_name string

organizer_first_name string

organizer_last_name string

organizer_email string

start_time dictionary Properties:

end_time l year
l month
l day
l hour
l minute
l second

is_private boolean

body string

© 2023 Pexip AS Version 33.a October 2023 Page 93 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join meeting types and transforms

Item Type Additional information

location string

properties dictionary Google Workspace

A Google Workspace calendar_event will contain a Google Calendar Event resource. For
more information, see https://developers.google.com/calendar/v3/reference/events.

Exchange

An Exchange calendar_event may contain any EWS MAPI properties from the following
list:
l item_class (string): for options, see https://docs.microsoft.com/en-
gb/office/vba/outlook/Concepts/Forms/item-types-and-message-classes
l sensitivity (string): for options, see https://docs.microsoft.com/en-
us/dotnet/api/microsoft.exchange.webservices.data.sensitivity?view=exchange-ews-
api
l is_recurring (boolean): True if the meeting is part of a recurring series, otherwise
False.
l calendar_item_type (string): for options, see https://docs.microsoft.com/en-
us/exchange/client-developer/web-service-reference/calendaritemtype#text-value
l teams_vtc_conference_id: available for Teams meetings only.
l online_meeting_conf_link: available for Skype for Business meetings only.
l uc_capabilities: available for Webex meetings only.

Examples
The following examples show basic jinja templates that can be used in the Custom template field.

Searching by partial alias

This first example searches the calendar_event.body (i.e. the text in the body of the meeting invitation) for an alias that includes
.vmr@example.com. It then uses the full alias as the meeting alias to dial:
{% set matches = pex_regex_search("([\w.-]+\.vmr@example\.com)", calendar_event.body) %}
{% if matches %}
{{matches[0]}}
{% endif %}

In the above example, if the meeting body contains alice.vmr@example.com, this will be used as the alias for the meeting.

Searching by top-level domain

This next example searches the calendar_event.body (i.e. the text in the body of the meeting invitation) for an alias that includes a
domain ending in .com. It then uses the full alias as the meeting alias to dial:
{% set groups = pex_regex_search("([a-z0-9.-]+)@([a-z0-9.-]+.com)", calendar_event.body) %}
{% if groups %}
{{ groups[0] }}@{{ groups[1] }}
{% endif %}

In the above example, if the meeting body contains alice.vmr@example.com, this will be used as the alias for the meeting.

Searching the location for a partial alias

This example searches the calendar_event.location (i.e. the text in the location field of the meeting invitation) for an alias that includes
.vmr@example.com. It then uses the full alias as the meeting alias to dial:
{% set matches = pex_regex_search("([\w.-]+\.vmr@example\.com)", calendar_event.location) %}
{% if matches %}
{{matches[0]}}
{% endif %}

In the above example, if the meeting location contains alice.vmr@example.com, this will be used as the alias for the meeting.

© 2023 Pexip AS Version 33.a October 2023 Page 94 of 121

 Pexip One-Touch Join Deployment Guide One-Touch Join meeting types and transforms

Lifesize Cloud example

This example searches a standard Lifesize Cloud meeting invitation and converts the URL into a meeting alias:
{% set matches = pex_regex_search("https://call.lifesizecloud.com/([0-9.-]+)", calendar_event.body) %}
{% if matches %}
{{matches[0]}}@lifesizecloud.com
{% endif %}

In the above example, if the meeting body contains https://call.lifesizecloud.com/123456, the alias that will be used to join the
meeting will be 123456@lifesizecloud.com.

Skype for Business example: different organizer and endpoint domains

This example can be used if you have Skype for Business meeting invitations where the domain of the organizer's email address is not
the same as the domain of the alias of the SIP endpoint to be used for the meeting.
{% set matches = pex_regex_search("https:\/\/meet\.pajusa\.com\/([a-z0-9-.]+)\/([a-z0-9]+)\/([A-Z0-9]+)", calendar_event.body) %}
{% if matches %}
__sfb__{{matches[2]}}.{{matches[1]}}@{{matches[0]}}
{% endif %}

In the above example, if the meeting body contains https://meet.pajusa.com/pexample.com/alice/ABC123, the alias that will be used
to join the meeting will be __sfb__ABC123.alice@pexample.com.

© 2023 Pexip AS Version 33.a October 2023 Page 95 of 121

 Pexip One-Touch Join Deployment Guide Deploying a dedicated One-Touch Join platform

Deploying a dedicated One-Touch Join platform

In most cases, One-Touch Join will be implemented as a feature within a wider Pexip Infinity deployment, and run on Conferencing
Nodes alongside other Pexip Infinity services. However, you can also set up separate OTJ locations within your deployment that contain
Conferencing Nodes used solely for One-Touch Join. A third option appropriate in some situations is to implement a separate Pexip
Infinity deployment purely for One-Touch Join, for example if you are a Pexip Service customer wishing to use One-Touch Join, or you
are a large enterprise wishing to separate the resources used for your One-Touch Join deployment.
If you are implementing a dedicated One-Touch Join deployment alongside but separate from a Pexip Infinity deployment, they do not
need to be running the same software version, as there is no interaction between the two deployments. This means that existing Pexip
Infinity environments can implement a dedicated One-Touch Join deployment without having to upgrade their existing software.

Minimum hardware requirements

A dedicated One-Touch Join deployment consists of one Management Node and at least one Conferencing Node. Further Conferencing
Nodes can be deployed for redundancy.
For dedicated One-Touch Join-only deployments, the resource requirements are minimal, therefore you may use the minimum server
specifications outlined below. However, if you expect to broaden your deployment to implement some of the wider Pexip Infinity
features in the future, you will need to increase the specifications of your hardware.

On-premises deployments
When setting up a dedicated One-Touch Join deployment using servers in your own datacenters, we recommend the following as a
minimum:
l Management Node:
o 4 vCPU
o 4 GB RAM (minimum 1 GB RAM for each Management Node vCPU)
o AVX or later processor
o 100 GB SSD storage
o The Pexip Infinity VMs are delivered as VM images (.ova etc.) to be run directly on the hypervisor. No OS should be installed.
l Conferencing Nodes:
o 4 cores
o 4 GB RAM
o AVX or later processor
o 50 GB SSD storage per Conferencing Node, 500 GB total per server (to allow for snapshots etc.)
o The Pexip Infinity VMs are delivered as VM images (.ova etc.) to be run directly on the hypervisor. No OS should be installed.

For more information, see server design guidelines.

Cloud deployments
When setting up a dedicated One-Touch Join deployment using a cloud service, you can generally use the same sized server for the
Conferencing Node(s) as you do for the Management Node. We therefore recommend the following as a minimum:

GCP
l Management Node: a machine type with 4 vCPUs (n1-standard-4) or larger
l Conferencing Node: a machine type with 4 vCPUs (n1-standard-4) or larger

AWS
l Management Node: an m5.xlarge instance
l Conferencing Node: an m5.xlarge instance

© 2023 Pexip AS Version 33.a October 2023 Page 96 of 121

 Pexip One-Touch Join Deployment Guide Deploying a dedicated One-Touch Join platform

Azure
l Management Node: an F4s v2 instance
l Conferencing Node: an F4s v2 instance

Minimum Pexip Infinity platform configuration

You must ensure the following components of the Pexip Infinity platform are configured and working appropriately:
l DNS servers
l NTP servers
l Locations (note that you do not need to configure any media overflow locations, as this concept is not used by One-Touch Join).
l Licenses: you will need an OTJ license for each endpoint that will use the One-Touch Join feature.
l Custom CA certificates: only required if you are using One-Touch Join with Exchange on-premises, and your Exchange server does
not use a globally trusted certificate.

Call Routing Rules are not required on the dedicated One-Touch Join deployment, because these deployments do not handle any calls.
However, you must ensure that your call control system is configured so that calls being placed by the endpoints to each of the
supported meeting types can be routed appropriately.

One-Touch Join configuration

The process of configuring One-Touch Join in a dedicated environment is the same as when configuring it as part of a wider Pexip
Infinity deployment (although with a dedicated deployment you may be able to increase the frequency of calendar requests):

1. Configuring your calendar/email service:

o Configure Google Workspace for One-Touch Join, including Adding a One-Touch Join Google Workspace integration on Pexip
Infinity, or
o Configure Exchange on-premises for One-Touch Join, including Adding a One-Touch Join Exchange integration on Pexip
Infinity, or
o Configure Office 365 for One-Touch Join, including Adding a One-Touch Join Exchange integration on Pexip Infinity
2. Adding a One-Touch Join profile
3. Adding One-Touch Join endpoint groups
4. Adding One-Touch Join endpoints
5. Adding One-Touch Join meeting processing rules

For more information, see Configuring Pexip Infinity for One-Touch Join

© 2023 Pexip AS Version 33.a October 2023 Page 97 of 121

 Pexip One-Touch Join Deployment Guide Scheduling and joining meetings using One-Touch Join

Scheduling and joining meetings using One-Touch Join

You can use One-Touch Join to join meetings via the videoconferencing endpoints in your meeting rooms, or via your own personal
endpoints.

Using One-Touch Join in meeting rooms

When the One-Touch Join feature is enabled for meeting rooms in your environment, you don't need to do anything special in order to
use it — everything happens automatically:

1. You or the meeting organizer creates a meeting invitation in Outlook, Google calendar, or via the Teams client in the usual way.
This includes any invitations that are created by using add-in buttons, for example for Pexip scheduled meetings or for Webex.
2. Add the meeting room to the invitation as a room resource.
3. Each endpoint in each meeting room displays a list of scheduled meetings for that room. When a meeting is due to start, the
endpoint in the room will show a Join or Join meeting button.
4. When you are ready to join the meeting, just press the Join button. The endpoint will dial into the meeting.

Using One-Touch Join with your personal endpoint

If you have a personal videoconferencing endpoint that supports One-Touch Join, you may be able to link this with your own calendar,
so that you can use OTJ on the endpoint to join any meetings to which you are invited. This depends on your organization's policies and
network, so you'll need to contact your system administrator to see if this is possible.

© 2023 Pexip AS Version 33.a October 2023 Page 98 of 121

 Pexip One-Touch Join Deployment Guide Viewing One-Touch Join status

Viewing One-Touch Join status

You can check the status of your One-Touch Join deployment by viewing a list of all currently scheduled One-Touch Join meetings, and
by viewing a list of all endpoints enabled for One-Touch Join.

Viewing One-Touch Join meetings

To view a list of all currently scheduled meetings that use Pexip Infinity's One-Touch Join feature in your deployment, go to Status >
One-touch Join Meetings.
This page lists all One-Touch Join meetings with a start time from one day in the past up to the number of days in the future specified
by the associated One-Touch Join profile's No. of upcoming days setting. For recurring meetings, this page will list only those
recurrences of the meeting that fall within this timeframe.
This information is updated each time the OTJ process runs. The OTJ process obtains meeting information by reading the room
resources' calendars, and then processing the information based on the currently configured OTJ profile settings and meeting
processing rules. This means that any changes to room resources' calendars (e.g. adding meetings, canceling meetings, or changing the
meeting information), or any changes to the way the meeting information is processed (e.g. changes to the OTJ profile settings, or to
meeting processing rules) will be reflected in the status after the OTJ process next runs. This could be between 30 seconds and many
minutes, depending on the number of OTJ rooms in your deployment.
To view full details about a meeting, click on the meeting subject. The following information is available for each meeting:

Field Description

Meeting subject The text that appears in the subject line of the meeting invitation.

This field will show the organizer's name instead of the meeting subject if:
l Replace subject is set to Always, and the and the Replace subject string is empty, or
l Replace subject is set to Private, the meeting was flagged as private, and the Replace subject string is
empty, or
l Replace empty subject has been enabled and there was no subject.

Organizer name * The name of the person who created the meeting invitation.

Organizer email The email address of the person who created the meeting invitation.

Start time The scheduled start time of the meeting. This does not include the Start buffer.

End time The scheduled end time of the meeting. This does not include the End buffer.

Endpoint name The name of the endpoint, as configured in Pexip Infinity.

OTJ Profile name The name of the OTJ profile used when processing this meeting.

Meeting alias The alias that the endpoint will use to dial in to the meeting.

This will be blank if either:

l Process alias for private meetings has been disabled and the meeting was flagged as private, or
l Enable non-video meetings has been enabled, but OTJ was not able to obtain a valid alias for the
meeting.

Meeting room email * The email address of the room resource in whose calendar the meeting has been scheduled.

Matched meeting The name of the meeting processing rule that was matched and used to process this meeting.
processing rule *
This will be blank if the meeting information did not match any meeting processing rules, and Enable non-
video meetings has been enabled.

* Only displayed when you have selected an individual OTJ meeting to view.

© 2023 Pexip AS Version 33.a October 2023 Page 99 of 121

 Pexip One-Touch Join Deployment Guide Viewing One-Touch Join status

Viewing One-Touch Join endpoints

To view a list of all endpoints in your deployment that are actively available for use by Pexip Infinity's One-Touch Join feature, go to
Status > One-touch Join Endpoints.
This page lists all Cisco/Webex endpoints that One-Touch Join has successfully contacted, and all Poly endpoints that have successfully
contacted One-Touch Join. For both, it lists the date and time of the most recent contact.
Cisco and Webex endpoints are contacted once an hour, or sooner if the OTJ process detects a change in the room resource's calendar
when it next runs. Poly endpoints make contact at least every 5 minutes.
To view full details about an endpoint, click on the endpoint name. The following information is available for each endpoint:

Field Description

Endpoint name The name of the endpoint, as configured in Pexip Infinity.

Endpoint type The type of "click to join" feature supported by this endpoint.

Endpoint address The IP address of the endpoint.

Meeting room email The email address of the room resource associated with this endpoint.

OTJ Profile name The name of the OTJ profile used when processing this meeting.

Current node * The IP address and name of the Conferencing Node that last had contact with the endpoint.

Last contacted The date and time that contact was last made with the endpoint.

Number of meetings * The number of currently scheduled One-Touch Join meetings that will use this endpoint.

* Only displayed when you have selected an individual OTJ meeting to view.

© 2023 Pexip AS Version 33.a October 2023 Page 100 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

Configuring Google Workspace for domain user authorization

This topic describes an alternative method to configuring Google Workspace for One-Touch Join in environments where the
recommended method of using a service account for authorization is not desirable. This alternative method uses a domain user for
authorization (referred to as the "authorization user"), which authenticates to Google Workspace using 3-legged OAuth.
The process involves the following steps, described in more detail in the sections that follow:

1. Setting up OAuth authentication for One-Touch Join.

2. Creating a room resource for each physical room that will have a One-Touch Join endpoint in it.
3. Configuring the room resource with the necessary permissions and settings to support One-Touch Join.
4. Updating the quota for the number of user requests per 100 seconds.
5. For larger deployments, Requesting an increase to API limits.
6. Adding a One-Touch Join Google Workspace integration on Pexip Infinity.

If you have already set up a One-Touch Join Google Workspace integration and simply wish to add an existing room to it, you need
only configure the room resource in Google Workspace and then add the endpoint to the Google Workspace integration in Pexip
Infinity.

Prerequisites
You must have already created a user account specifically to be used as the Google Workspace authorization user. This user account
does not need to have any special privileges; as part of the configuration described below you will grant this user access to all the One-
Touch Join room resource calendars.

Enabling authorization using OAuth

In this step you create a project to use for One-Touch Join. You then enable the Calendar API for this project, and create the OAuth
credentials to be used when One-Touch Join accesses the API as the authorization user.

1. Creating a new project:

a. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).
b. From the top left of the page, select the down arrow:

c. Select New Project.

d. Enter a Project name (e.g. One-Touch Join) and select Create.
2. Enabling the Calendar API for the project:
a. Go to https://console.developers.google.com
b. From the top left of the page, select the down arrow, select your newly-created project, and select Open. Your new project
should now be showing at the top left of the page:

c. From the navigation menu on the left of the screen, select APIs & Services > Library, then scroll down and select the Google
Calendar API tile:

© 2023 Pexip AS Version 33.a October 2023 Page 101 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

d. Select Enable:

3. Creating an OAuth consent screen:

a. From https://console.developers.google.com, from the left-hand panel select OAuth consent screen. Select a User Type of
Internal and then select Create:

b. From the OAuth consent screen page:

n under Application name, enter a name for your OTJ application
n under Authorized domains, enter the domain of the Management Node.

© 2023 Pexip AS Version 33.a October 2023 Page 102 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

Select Save:

4. Creating the OAuth credentials:

a. From https://console.developers.google.com, from the left-hand panel select Credentials and then select Create Credentials
> OAuth client ID:

© 2023 Pexip AS Version 33.a October 2023 Page 103 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

b. From the Create OAuth client ID page:, select an Application type of Web application.
n Enter a Name for the application
n under Authorized redirect URIs, enter https://<Management Node
FQDN>/admin/platform/mjxgoogledeployment/oauth_redirect/
This must use the Management Node's FQDN; it cannot use its IP address. You must therefore ensure you have
appropriate internal DNS records set up for the Management Node.
The OAuth Redirect URI is the page on the Pexip Infinity Administrator interface the administrator is sent to, after
they have successfully signed in to the Google Workspace integration. Because it is a page on the Management
Node, this URI is internal to your deployment and only needs to be accessible from the administrator's web browser;
you do not need to make it externally accessible.
Select Create:

© 2023 Pexip AS Version 33.a October 2023 Page 104 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

c. The following OAuth client created screen will appear. Take note of the Your Client ID and Your Client secret; you will need
these when Adding a One-Touch Join Google Workspace integration on Pexip Infinity on the Management Node:

Creating a room resource

(Required only if your room resources do not already exist - otherwise you can skip this step.)

© 2023 Pexip AS Version 33.a October 2023 Page 105 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

In this step, you create a room resource in Google Workspace for each physical room that is to be used for One-Touch Join. Google
Workspace will automatically assign an email address to the room.

1. If a building for the room resource does not already exist, create one as follows:
a. Go to https://admin.google.com (logged in as a Google Workspace administrator).
b. Select the Buildings and resources tile, and then from the Resource management section select Open:

From the drop-down along the top left of the screen, select Buildings:

c. Select + to Add new building:

© 2023 Pexip AS Version 33.a October 2023 Page 106 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

d. Enter a Name and the list of Floors, and select Add Building.
2. Create the room resource:
a. Go back to the Resources page and Select + to Add new resource:

b. For the Category, select Meeting space (room, phone booth,...).

© 2023 Pexip AS Version 33.a October 2023 Page 107 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

c. Select the Building and Floor in which the room is located, enter a Name and the room's Capacity, then select Add Resource:

The resource will be created and added to the list. You can click on the new resource to view information about it, such as the email
address it was automatically assigned.
For more information on setting up buildings and other resources in Google Workspace, including how to add buildings and
resource in bulk and using CSV imports, see https://support.google.com/a/answer/1033925.

Configuring the room resource

In these steps, you allow the authorization user to access each calendar of each room resource that you want to use for One-Touch
Join, and set the calendar to auto-accept invitations. We also recommend that you make the calendar available to all users in your
domain in such a way that allows them to book meetings using the resource, without being able to view the details of any other
meetings in the resource's calendar.

Sharing individual calendars with the authorization user

Note that the Google calendar API limits the number of calendars that can be shared within a 24 hour period to 750 (for more
information, see this Google article). This means that if you have more than 750 room resources that you wish to use for OTJ, they will
need to be set up over a period of days.
To share calendars with the authorization user:

1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the
calendars).
2. From the left-hand panel, select the + next to Other calendars and then select Browse resources.

© 2023 Pexip AS Version 33.a October 2023 Page 108 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

3. Expand the sections if necessary, and tick the boxes of all the room resources whose calendars you want to share with the
authorization user.
This will add the room resources to the Settings for other calendars section in the left-hand panel.
4. For each of the rooms:
a. From the Settings for my calendars section, select the room resource and then select Share with specific people.
b. Select Add people.
c. In the Share with specific people dialog, enter the email address of the One-Touch Join authorization user. Ensure the
Permissions are set to either:
n Make changes to events (if you want users to be able to use OTJ to join all meetings, including private meetings, from
this endpoint)
n See all event details (if you don't want to offer OTJ for private meetings on this endpoint).
If your deployment includes personal endpoints that are associated with a user's personal calendar, then either you or the
end user will need to ensure that their calendar allows the One-Touch Join authorization user to Make changes to events if
they wish to use OTJ to join their own private meetings from their endpoint.

For more information on sharing room and resource calendars in Google Workspace, see
https://support.google.com/a/answer/1034381.

Auto-accepting invitations
By default, when creating room resources in Google Workspace, calendar processing is set to Auto-accept invitations that do not
conflict. You must ensure you keep this setting for all room resources, so that the room will automatically accept meeting requests if it
is available, and automatically decline an invitation if it is already booked.
To check this setting:

1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the
calendars).
2. From the left-hand panel, select the room resource and select Settings and sharing.

© 2023 Pexip AS Version 33.a October 2023 Page 109 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

3. In the Auto-accept invitations section, ensure that Auto-accept invitations that do not conflict is selected:

Allowing users to book resources

We recommend that you configure your Google Workspace calendar settings to allow end users to book a room resource without
seeing details of the room's other bookings. To do this, you configure the room resource's calendar so that all users in your domain
have permission to see its free/busy status, without being able to see the invitation details. You then on a global basis permit users to
book resources to which they have free/busy access.
To do this:

1. Go to https://calendar.google.com (logged in as a Google Workspace administrator so that you have permission to share the
calendars).
2. From the left-hand panel, select the room resource and select Settings and sharing.
3. In the Access permissions section, select Make available for <your domain>, and ensure that See only free/busy (hide details) is
selected:

© 2023 Pexip AS Version 33.a October 2023 Page 110 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

4. Go to admin.google.com (logged in as a Google Workspace administrator).

5. From the left-hand menu, select Apps > Google Workspace > Calendar.
6. Scroll down to General Settings and select Resource Booking Permissions.
7. Ensure that Allow users to book resources that are shared as See only free/busy is set to ON:

Updating the per-user request quota

In this step you increase the limit on the number of queries per 100 seconds per user to the Google Calendar API.

© 2023 Pexip AS Version 33.a October 2023 Page 111 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

The default number of queries per 100 seconds per user is 500. In this context, the "user" is the authorization user. In deployments
with fewer than around 180 rooms, each room resource calendar is queried every 30 seconds by two conferencing nodes (both using
the same authorization user account), resulting in 5,760 queries per room per day. (In larger deployments, room resource calendars
are queried less frequently.)
We recommend that you increase the number of queries per 100 seconds per user to 10,000 to provide sufficient processing overhead
and room for expansion (there is currently no additional cost to this increase).
To increase this quota to 10,000:

1. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).

2. From the top left of the page, select the project you created for One-Touch Join:

3. From the navigation menu at the top left of the page, select IAM & Admin > Quotas.
4. From the Quotas page, select Edit Quotas and then select Google Calendar API - Queries per 100 seconds per user.
You will be taken to the Google Calendar API > Quotas page.
5. Change Queries per 100 seconds per user to 10,000:

You may also need to request an increase to the number of Queries per day for larger deployments - for more information,
see Requesting an increase to API limits.

Requesting an increase to API limits

This optional step applies to larger deployments only (more than around 170 room resources), and should be performed if you wish to
reduce the amount of time taken for endpoints to be updated with additions or changes to their corresponding room resource
calendar.
The maximum frequency with which an endpoint will be updated with meeting information is every 30 seconds. For deployments with
more than around 170 endpoints, this frequency will decrease in line with the number of endpoints (up to around 20 minutes for
deployments with around 6,000 endpoints). This is due to a limit on the number of Calendar API requests permitted by Google in a 24-
hour period — for more information, see https://developers.google.com/calendar/pricing.
To reduce the time taken to update endpoints in these larger deployments, you can request an increase to the number of Calendar API
requests One-Touch Join can make.

© 2023 Pexip AS Version 33.a October 2023 Page 112 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

When your request has been implemented by Google, you must then increase the Maximum Google Workspace API requests on
Pexip Infinity in order to take advantage of the increase.
To request an increase to the API limits:

1. If you do not already have one, create a Cloud Billing Account (note that this is different from a Google Workspace billing account).
Full instructions are available via https://cloud.google.com/billing/docs/how-to/manage-billing-account#create_a_new_billing_
account.
2. Link the Cloud Billing Account to the project you created when Creating a service account:
a. Go to https://console.developers.google.com (logged in as a Google Workspace administrator).
b. Ensure that the project shown in the top left corner is the one you created for One-Touch Join when Creating a service
account.
c. Select the burger menu from the top left of the page and select Billing. When the following message appears, select Link a
billing account:

d. Select the account to link to:

3. Request an increase to your quota:

a. From the navigation menu at the top left of the page, select IAM & admin > Quotas.
b. From the Quotas page, select Edit Quotas and then select Google Calendar API.
In the panel that appears on the right, enter the New quota limit that you wish to request, and in the Request description
field, enter the reason for requesting the increase:

© 2023 Pexip AS Version 33.a October 2023 Page 113 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

c. Select Submit request.

Quota increase requests typically take two business days to process.

Adding a One-Touch Join Google Workspace integration on Pexip Infinity

In this step you configure Pexip Infinity with details of the Google Workspace deployment configured above. You must then log in to
Google Workspace as the authorization user and grant the One-Touch Join app access to the room resource calendars.

Configuring the Google Workspace integration

From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Google Workspace Integrations.

Option Description

Name The name of this One-Touch JoinGoogle Workspace integration.

Description An optional description of this One-Touch JoinGoogle Workspace integration.

Account email If you are authorizing using a service account, enter the email address of the service account that One-Touch Join will
use to log in to Google Workspace.

If you are authorizing using a Google Workspace domain user, enter the email address of the user.

Enable user If you are authorizing using a service account — the recommended method — this should be left blank.
authorization
Select this option only if you will be authorizing using a Google Workspace domain user.

Client ID (Available when user consent authorization has been enabled)

The client ID of the application you created in the Google API Console, for use by OTJ.

Client secret (Available when user consent authorization has been enabled)

The client secret of the application you created in the Google API Console, for use by OTJ.

Redirect URI (Available when user consent authorization has been enabled)

The redirect URI you configured in the Google API Console. It must be in the format:
https://<Management Node FQDN>/admin/platform/mjxgoogledeployment/oauth_redirect/

This must use the Management Node's FQDN; it cannot use its IP address. You must therefore ensure you have
appropriate internal DNS records set up for the Management Node.

Advanced options

© 2023 Pexip AS Version 33.a October 2023 Page 114 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

Option Description

Maximum Google The maximum number of API requests that can be made by One-Touch Join to your Google Workspace Domain in a 24-
Workspace API hour period.
requests
We recommend you set this value to 90% of your total permitted requests. Google's default is 1,000,000 so by default
this is set to 900,000 on Pexip Infinity. If you increase the number of API requests, you should also increase this setting
to 90% of that number.

For more information, see Frequency of and limitations on calendar requests.

Google OAuth 2.0 The URI of the Google OAuth 2.0 endpoint.
endpoint

Google The URI of the Google authorization server.

authorization
server

When you have completed the above fields, select Save. You will be returned to the main OTJ Google Workspace Integration page. You
must now authorize calendar API access to the Google Workspace Integration using the account details you have just created, using
the following steps.

Authorizing calendar access

If you have enabled OAuth for the first time, after saving the configuration of the One-Touch Join Google Workspace integration you
must sign in to Google Workspace as the authorization user.
You may also need to re-sign in to the authorization user account if:
l you disable and then subsequently re-enable OAuth
l you update any of the following configuration for the One-Touch Join Google Workspace integration:
o Account email
o Client ID
o Client secret
o Google OAuth 2.0 endpoint
o Google authorization server
l the refresh token has expired (for more information about when this might happen, see
https://developers.google.com/identity/protocols/oauth2#expiration).

To sign in to Google Workspace as the authorization user:

1. Ensure you have signed out of all Google accounts on your device.
2. From the Management Node, go to One-touch Join > OTJ Google Workspace Integrations and select the Google Workspace
integration you have just created. At the bottom of the Change OTJ Google Workspace Integration page, select Authorize
calendar API access:

© 2023 Pexip AS Version 33.a October 2023 Page 115 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

3. You will be taken to the Authorize Calendar API access page. Select Authorize:

4. Enter the email address of the authorization user (which you previously entered as the Account email) and sign in.
5. At the consent screen, Allow the Pexip OTJ app to View your calendars:

© 2023 Pexip AS Version 33.a October 2023 Page 116 of 121

 Pexip One-Touch Join Deployment Guide Configuring Google Workspace for domain user authorization

6. You may be asked to sign in to the Management Node again. If so, you must sign in to the Management Node (using your
Management Node credentials) to complete the process of signing in as the authorization user.

When complete, you are returned to the Authorize Calendar API access page and see the message Successfully authorized.

Next steps
You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity
for One-Touch Join.

© 2023 Pexip AS Version 33.a October 2023 Page 117 of 121

 Pexip One-Touch Join Deployment Guide Troubleshooting One-Touch Join

Troubleshooting One-Touch Join

This section provides guidance on troubleshooting issues with Pexip Infinity's One-Touch Join feature, including issues specific to Cisco
or Poly endpoints.
For guidance on the troubleshooting of general issues, see Troubleshooting the Pexip Infinity platform.

Symptom Possible cause Resolution

One-Touch Join issues

A meeting has been scheduled and is OTJ could not obtain a meeting room alias from Review the meeting processing rules.
showing on the room endpoint, but the invitation because it does not match a
there is no Join button. meeting processing rule and does not contain a
URI or address prefixed with sip:, sips: or
h323:.

The rule that you expect to match is associated 1. Check that the OTJ Endpoint is associated
with a different OTJ profile than the endpoint. with an OTJ Endpoint Group.
For example, the endpoint has an Exchange 2. Check that the OTJ Endpoint Group is
email address and is associated with an associated with the same OTJ Profile as
Exchange integration, but the rule that the the Meeting Processing Rule that you
meeting matches is associated with a Google expect to match.
Workspace integration, or vice versa.

The meeting is not a video meeting. If you do not want non-video meetings to
appear on the room endpoint, you can disable
the Enable non-video meetings option.

OTJ could not obtain a meeting room alias l Modify your Safe Links policy using the "Do
because the URL in the invitation was rewritten not rewrite the following URLs" list so that
for security reasons (for example, by Safe Links URLs in meeting invitations sent to OTJ
in Microsoft Defender for Office 365) and room resources are not rewritten.
therefore does not match the default rule. l Add a custom rule to match the rewritten
URLs.

The meeting was scheduled using the This is due to a known issue with the
Microsoft Teams plugin for Google Workspace. Microsoft Teams plugin for Google Workspace
where it does not include the required CVI
information in the meeting body.

A meeting is scheduled and is showing The endpoint is being managed by Webex Ensure that any endpoints used for One-Touch
on the room endpoint, but either there Cloud Calendar or TMS XE, and these systems Join are not also registered to the calendaring
is no Join button, or the Join button are overriding the meeting information from service on other systems such as the cloud-
appeared and then disappeared. OTJ. based Webex Hybrid Calendar Service, or Cisco
TMS XE.

Meetings are being deleted from an There is a known bug (CSCvv93408) with TMS Ensure that the following configuration for the
endpoint that is managed by TMS, version 15.9 and later whereby TMS will endpoint has been made in TMS:
without TMS XE. erroneously replace meetings that have been l Disable Allow booking for the endpoint
pushed to the endpoint using the endpoint's l Change Meeting Type to Reservation.
API.
If the problem persists, we recommend
removing the endpoint from TMS until this bug
is fixed by Cisco.

© 2023 Pexip AS Version 33.a October 2023 Page 118 of 121

 Pexip One-Touch Join Deployment Guide Troubleshooting One-Touch Join

Symptom Possible cause Resolution

A meeting is scheduled and is showing OTJ could not obtain a meeting room alias from Change the calendar processing rules for the
on the room endpoint, but there is no the invitation because the meeting information room to ensure that the meeting body is not
Join button. The support log shows the supplied in the body ("description") of the deleted. For instructions, see either Configuring
message: invitation was stripped by Exchange prior to calendar processing (for Exchange on-premises)
Could not find an alias for this One-Touch Join processing the meeting. or Configuring calendar processing (for O365).
meeting which had no body. This could
be a meeting room configuration issue.

An external Microsoft Teams meeting Your Microsoft Exchange environment uses a Ensure that the security application's URL re-
has been scheduled but there is no Join security application (such as Office 365 ATP, or write rules include an exception for any URL
button. Mimecast) to re-write URLs, meaning that One- starting with the domain
Touch Join could not obtain the join URL. For https://teams.microsoft.com/
more information, see Allowing forwarding of
external invitations (for Exchange on-premises)
or Allowing forwarding of external invitations
(for O365).

There is a delay between a meeting A short delay is expected due to internal For larger Google Workspace integrations you
invitation being sent and it appearing on processing, and the actual time taken depends can ask for an increase to the number of
the room endpoint. on the number of endpoints in your OTJ calendar API requests you can make in a 24-
deployment, and the number of daily API hour period, thus allowing you to update
requests you are allowed to make to your endpoints more frequently. For more
calendar service. Limits are also imposed so information, see Requesting an increase to API
that Conferencing Nodes do not become limits.
overloaded with OTJ requests.
You could also consider Deploying a dedicated
For more information, see Frequency of and One-Touch Join platform.
limitations on calendar requests.

On the status page and logs, the Alias Process alias for private meetings is disabled Review whether these settings are appropriate
field is blank. and the meeting is flagged as private. for your deployment.

Enable non-video meetings is enabled, but OTJ Ensure that Exchange calendar processing
could not obtain a valid alias for the meeting. properties are changed from the default, as per
the instructions in Configuring calendar
This may be because Exchange is using default
processing on room resource mailboxes.
calendar processing, which removes the header
and body of the invitation, and replaces the
subject with the organizer's name.

On the status page and logs, the Subject Replace subject is set to either: Review whether these settings are appropriate
field is showing the organizer's name. l Private meetings only (and the meeting is for your deployment.
flagged as private), or
l Always
and the Replace subject string is empty.

Replace empty subject is enabled and there Ensure that Exchange calendar processing
was no subject. This may be because Exchange properties are changed from the default, as per
is using default calendar processing, which the instructions in Configuring calendar
removes the header and body of the invitation, processing on room resource mailboxes.
and replaces the subject with the organizer's
name.

An endpoint has been deleted from the The status page is refreshed once an hour. Wait up to one hour for the endpoint's details
Pexip Infinity configuration but its to be removed.
details are still appearing on the OTJ
Endpoints status page.

© 2023 Pexip AS Version 33.a October 2023 Page 119 of 121

 Pexip One-Touch Join Deployment Guide Troubleshooting One-Touch Join

Symptom Possible cause Resolution

A canceled meeting is still appearing on The status page is refreshed once an hour. Wait up to one hour for the meeting's details to
the OTJ Meetings status page. be removed.

When configuring Exchange you are The service account being used for OTJ does l Ensure that the service account has the
getting the following errors or warnings: not exist, or does not have a valid license. correct username and
ErrorCode="InvalidUser" password/authentication information.
l Ensure that the service account has an
ErrorMessage="Invalid user"
appropriate Exchange license, such as
Office 365 Enterprise E1, Office 365
Business Basic (formerly Essentials) or one
of the Exchange Online plans.

An endpoint is not appearing on the OTJ Endpoints appear on this page after the initial Wait until a meeting has been created to which
Endpoints status page. contact between the endpoint and OTJ has the endpoint is invited. Then check again to
been made. For Cisco endpoints, this happens confirm that the endpoint is appearing on the
when a meeting has successfully been pushed status page.
to the endpoint. For Poly endpoints, this
happens when the Poly endpoint has
successfully polled the Conferencing Node.

Cisco endpoint issues

OTJ cannot contact an endpoint via its OTJ is configured to communicate with the Configure OTJ to use HTTPS to communicate
API. The following appears in the alarms endpoint via HTTP and the endpoint redirects with the endpoint.
and logs: to HTTPS.
Non-200 status code returned when
trying to upload OBTP bookings to
endpoint and
StatusCode="307"

A Cisco SX series endpoint running TC This is a known issue with the Cisco endpoint
software may display the "Meeting will when running this software.
automatically connect" message if there
is no URI in the meeting invitation.

Webex endpoint issues

Meetings are not appearing on the The endpoint is configured to use a Webex Disable the calendar.
Webex endpoint. Calendar service. This prevents OTJ from being
able to push meetings to the endpoint.

Poly endpoint issues

© 2023 Pexip AS Version 33.a October 2023 Page 120 of 121

 Pexip One-Touch Join Deployment Guide Troubleshooting One-Touch Join

Symptom Possible cause Resolution

Meetings are not appearing on the Poly The configuration for the endpoint on Pexip Ensure that the configuration for endpoint on
endpoint. Infinity or on the endpoint itself is incorrect. Pexip Infinity and on the endpoint itself is
correct, in particular that the username and
password configured on both match.

Ensure that the endpoint is showing as

registered to the calendaring service.

The Poly endpoint is registered to the View the Meeting status page to see if any
calendaring service but OTJ hasn't found any meetings have been found for this endpoint.
meetings.
Check for any Google Gatherer/Exchange
Gatherer alarms, which indicate issues with
reading specific calendars.

The Poly endpoint has lost connection with the On the Poly endpoint, disable and re-enable
OTJ calendaring service and has become the calendaring service.
unregistered, thus it is no longer receiving
updated meeting information.

To check if the endpoint has lost contact:

l If Raise alarms is enabled for this endpoint,
an OTJ Poly Endpoint Error alarm will
appear on the Pexip Infinity Administrator
interface if it is more than 10 minutes
since there was contact with the endpoint.
l If this option is not enabled, view the
Endpoint status and check the last contact
time. If this is more than 10 minutes ago
the endpoint may have lost connection.

© 2023 Pexip AS Version 33.a October 2023 Page 121 of 121