01-01-2015 03:33 AM - edited 03-17-2019 04:46 PM
Hi,
We have issues with using secure security profiles on Jabber clients. We have UC infrastructure with CUCMs (10.5.2.10000-5), CUCM IM&P (10.5.2.10000-9) and Expressway-C/E (X8.5), ... . In our corporate network (LAN or WiFi), all services work normally as expected when we use secure security profiles on Jabber clients. But for Jabber clients (Windows, Android, ...) accessing phone services via the internet (using Expressway), this is possible only if the Jabber clients have a non-secure profile. To make it worse, when Jabber clients with a secure security profile try to connect to phone services, the Cisco CallManager service on the primary CUCM is restarted.
The CUCM cluster is in mixed mode, all servers use FQDNs instead of IP addresses, all necessary certificates (tomcat and CallManager on CUCMs, tomcat and cup-xmpp on IM&P, Expressway-C, Expressway-E) are issued by internal CAs, etc. The secure security profiles on particular Jabber clients have names which we use when generating the certificate request on Expressway-C, in the field "Unified CM phone security profile names".
Obviously, a temporary workaround can be using non-secure security profiles, but ideally we would like to use secure security profiles.
Please help with comments, suggestions, solutions or similar. :)
Regards,
Zlatko
04-10-2015 05:47 AM
hi Zlatko,
have you managed this issue?
04-14-2015 12:33 AM
Ruslan,
Yes, these issues were solved. The key problem was with the certificates on the UC servers, which were issued with server authentication only. The certificates should be issued by the CA with an appropriate template including server authentication, client authentication and IP security end system.
04-14-2015 12:56 AM
thank you for the answer
yeah, it's a common problem with all those certificates for MRA.
in my case I couldn't get it to work earlier because of the non-mixed mode of my cluster. however, I still can't get phone services working on Jabber for iPhone, but JfW and Jabber for Android are ok.
04-27-2015 11:24 PM
I am having trouble with my secure SIP profiles. Without TLS, phone services register ok; using a secure TLS phone profile, the phone service doesn't register.
I am using an internal CA server for the certificates. Are you using a separate template for each authentication type (server/client/IPSec), or have you made a template that includes all three (server/client/IPSec)?
04-28-2015 01:19 AM
hi,
I created the certificate generation template in Windows Server CA as mentioned in this document - http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf, in "Appendix 5: Configuring Windows Server Manager with a "client and server" certificate template", and after that signed my CSR from Expressway.
and as I remember correctly, IPsec authentication is included by default, but I may be wrong. try to sign your certificate and check it afterwards.
don't forget to include subject alternative names for the security profiles:
this screenshot is from the certificate requirements for Expressway-C. it's from the guide mentioned above. you can find the certificate requirements for both Expressway-C and Expressway-E there.
is your UCM cluster in Mixed Security Mode?
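Two requirements come up in this thread: the CA template must grant server authentication, client authentication and IP security end system, and the Expressway-C certificate must carry the phone security profile names as subject alternative names. The script below is an added example, not from the posts or from Cisco's deployment guide: it builds two throwaway self-signed certificates with OpenSSL (one with all three EKUs and the profile SANs, one with server authentication only, the failing case described above) and runs a check that any PEM certificate can be passed through before it is uploaded. The Expressway-C FQDN and the profile names are constructed placeholders, and the `-addext` option assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example for this thread (not from the posts or from Cisco's guide):
# build test certificates and check a PEM file for the extensions MRA needs.
# All host and profile names below are constructed placeholders.
set -eu

# Assumed names: replace with your Expressway-C FQDN and the exact CUCM
# phone security profile names (FQDN-style, as the guide requires).
EXPC_FQDN="expc.example.internal"
PROFILES="cdmAndroid.example.internal CDMIphone.example.internal"

# Build the SAN list: the Expressway-C name plus every profile name.
san_list() {
    san="DNS:$EXPC_FQDN"
    for p in $PROFILES; do san="$san,DNS:$p"; done
    printf '%s' "$san"
}

# Self-signed test cert with the three EKUs the thread identifies as required
# (server auth, client auth, IPsec end system) and the profile-name SANs.
# In production the CSR is signed by the internal CA template instead.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$EXPC_FQDN" \
        -addext "extendedKeyUsage=serverAuth,clientAuth,ipsecEndSystem" \
        -addext "subjectAltName=$(san_list)" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# The failing case from the thread: a template that grants server
# authentication only, and no profile names in the SAN.
make_server_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$EXPC_FQDN" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "subjectAltName=DNS:$EXPC_FQDN" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# check_mra_cert CERT.pem NAME... : succeeds only when all three EKUs and every
# NAME (compared as written) appear in the certificate; missing items are printed.
check_mra_cert() {
    cert="$1"; shift
    text=$(openssl x509 -in "$cert" -noout -text)
    rc=0
    for eku in "TLS Web Server Authentication" \
               "TLS Web Client Authentication" \
               "IPSec End System"; do
        printf '%s\n' "$text" | grep -q "$eku" || { echo "missing EKU: $eku"; rc=1; }
    done
    for name in "$@"; do
        printf '%s\n' "$text" | grep -q "DNS:$name" || { echo "missing SAN: $name"; rc=1; }
    done
    return $rc
}

# Demo run: the full cert passes, the server-only cert is rejected.
WORK=$(mktemp -d)
make_test_cert "$WORK/full.pem"
make_server_only_cert "$WORK/server-only.pem"
if check_mra_cert "$WORK/full.pem" $PROFILES; then echo "full.pem: OK"; fi
if check_mra_cert "$WORK/server-only.pem" $PROFILES; then
    echo "server-only.pem: OK (unexpected)"
else
    echo "server-only.pem: rejected"
fi
rm -rf "$WORK"
```

To check a certificate you received back from your own CA, run `check_mra_cert signed.pem <profile names>`; the same `openssl x509 -noout -text` output is where you confirm, by eye, that the Extended Key Usage line lists all three purposes rather than only TLS Web Server Authentication.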
04-28-2015 05:14 PM
those are the steps I am following; my UCM is in mixed security mode. What format are your phone security profile names using? The guide mentions that they need an FQDN format. I have created mine with:
iPhone = "CDMIphone.lab-cucm01.lab.local"
Android = "cdmAndroid.lab-cucm01.lab.local"
should these have an external address instead?
I have configured them with the following:
Device Security Mode: Encrypted
Authentication Mode: By Authentication String
Key Size: 1024
SIP Phone Port: 5061
I have a SIP trunk to the Expressway-C for outbound calls using SIP port 5065. Should these security profiles be using the same SIP port?
04-29-2015 12:32 AM
do your phone security profile FQDNs refer to your UC deployment FQDNs?
I assume you will find the next two links useful:
https://supportforums.cisco.com/discussion/12221716/creating-csr-using-expressway
http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118696-config-cucm-00.html
no, those security profiles can use the usual secure SIP port, 5061.