j.huizinga
Frequent Contributor

Expressway-C MRA encryption

Hi

I have an Expressway-C & E for MRA. I know that from the outside up to the Expressway-C everything is encrypted. By default, Expressway-C to CUCM is unencrypted. We also want this to be encrypted.

 

On CUCM we use a self-signed CallManager certificate, and Tomcat is CA signed (private CA).

I uploaded the CallManager certificates on the Expressway-C as trusted, and the CA that signed the Expressway-C certificate as a CallManager-trust on the CUCM servers. The CUCMs are in mixed mode and the Expressway-C has TCP and TLS zones.

When I try to register a Jabber over MRA, I get an error on the Expressway-C: 403 (Forbidden) and the warning "TLS authentication failure".

 

So it is definitely something with certificates, but as far as I understand the documentation I have done the correct procedure.

 

Any help would be appreciated

 

Thanks

 

JH

 

6 REPLIES
Jaime Valencia
Hall of Fame Cisco Employee

Review the MRA configuration as well as the certificate creation guides. You don't mention any changes to your certificates based on the phone security profiles, so pay special attention to those areas in the documentation.

HTH

java

if this helps, please rate
Maren Mahoney
Engager

One thing to know is that the signaling between Expressway and CUCM is already encrypted, provided the proper self-signed certificates are installed from CUCM onto the Expressway-C. If you also want to encrypt media (RTP), this is where it gets more complicated.

Here is a link to information on the how/why of encryption:

Preferred Architecture for Cisco Collaboration 12.x Enterprise On-Premises Deployments, CVD - Expressway 

And here is information on end-to-end media encryption.

Mobile and Remote Access Through Cisco Expressway Deployment Guide (X12.5) - Chapter: ICE Passthrough Support (Optional 

That should get you started from an information standpoint. You will need to do more research. As Jaime said, what you are asking to do is bigger than just a checkbox.

Maren

j.huizinga
Frequent Contributor

Hi

 

Thanks for the info

I have already encrypted a lot: the phones are encrypted between themselves (small lock on screen), the IOS conference bridge is encrypted, the trunk with the CUBE is encrypted, and the communication with Unity Connection is encrypted (in all these cases a small lock on screen).

Just some encryption issues with Expressway-C <=> CUCM using MRA

 

I shall do some extra reading

 

Thanks

 

JH

Hi,

Can you send the output of this command from the CUCM CLI?

 

admin:run sql select * from ExpresswayCConfiguration

 

Also a screenshot of Configuration > Zones > Zones.

 

-Sankar

Accepted Solution

For secure SIP registrations, you must also ensure that the secure device profile name on the CUCM that is applied to the device is listed as a SAN on the Expressway-C certificate. If it is not, the secure REGISTER messages fail with a "403" from the CUCM, which indicates a TLS failure.

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213872-configure-and-troubleshoot-collaboration.html#anc15

Check the section 'Configuring Trust Between CUCM and Expressway-C' in the above guide.

-Sankar
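The check Sankar describes can be scripted against the Expressway-C server certificate before the poster sees the 403. The Go program below is an added example written for this page; it is not code from the thread, from Cisco, or from the linked guide. It builds two self-signed test certificates (one with only the server FQDN as a SAN, one with the secure phone security profile names added) and reports, for each CUCM profile name, whether the certificate covers it. All hostnames and profile names are constructed assumptions. The extra check that a profile name is in FQDN format comes from Cisco's MRA deployment guide, not from this thread; against a real deployment you would replace makeTestCert with x509.ParseCertificate on the exported Expressway-C certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Constructed sample data (assumptions for this example, not from the thread).
const expresswayFQDN = "expc1.example.com"

// Secure phone security profile names as configured on CUCM. The second one is
// deliberately not in FQDN form to exercise the format check.
var secureProfiles = []string{"jabber-secure.example.com", "Secure-Jabber-Profile"}

// makeTestCert builds a self-signed certificate carrying the given DNS SANs so
// the check can run offline. For a real Expressway-C, parse its exported
// certificate with x509.ParseCertificate instead.
func makeTestCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fqdnRe accepts two or more DNS labels of 1-63 letters, digits or hyphens,
// with no label starting or ending in a hyphen.
var fqdnRe = regexp.MustCompile(`^([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

func isFQDN(name string) bool { return fqdnRe.MatchString(name) }

// checkProfileSANs maps each CUCM secure profile name to "" when the
// certificate covers it, or to the reason the secure REGISTER would be
// rejected (CUCM answers with 403 when the profile name is not a SAN).
// Matching is exact, so a case mismatch is reported rather than accepted.
func checkProfileSANs(cert *x509.Certificate, profiles []string) map[string]string {
	present := make(map[string]bool, len(cert.DNSNames))
	for _, n := range cert.DNSNames {
		present[n] = true
	}
	result := make(map[string]string, len(profiles))
	for _, p := range profiles {
		switch {
		case !isFQDN(p):
			result[p] = "profile name is not in FQDN format"
		case !present[p]:
			result[p] = "not present as a DNS SAN on the Expressway-C certificate"
		default:
			result[p] = ""
		}
	}
	return result
}

func main() {
	// Before: only the server FQDN as SAN, as in the original post.
	before, err := makeTestCert(expresswayFQDN, []string{expresswayFQDN})
	if err != nil {
		panic(err)
	}
	// After: the secure profile names added to the SAN list.
	after, err := makeTestCert(expresswayFQDN, append([]string{expresswayFQDN}, secureProfiles...))
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{before, after} {
		fmt.Printf("SANs=%v\n", c.DNSNames)
		for p, problem := range checkProfileSANs(c, secureProfiles) {
			if problem == "" {
				fmt.Printf("  ok    %s\n", p)
			} else {
				fmt.Printf("  FAIL  %s: %s\n", p, problem)
			}
		}
	}
}
```

Run it with `go run`; the "before" certificate fails every profile and the "after" certificate passes only the FQDN-form name, which is the situation the accepted answer fixes: the profile names go into the SAN list of the Expressway-C CSR alongside the server FQDN, and the CA must issue them as presented.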

That was it, sorry, I missed it in the documentation.

Works perfectly

 

JH
