09-24-2021 12:30 AM
Hi
I have an Expressway-C & E for MRA. I know that from the outside till Expressway-C all is encrypted. By default Expressway-C to CUCM is unencrypted. We also want this to be encrypted.
On CUCM we use self signed for the Callmanager certificate and Tomcat is CA signed (Private CA)
I uploaded the CallManager certificates on Expressway-C as trusted, and the CA that signed the Expressway-C as a CallManager-trust on the CUCM servers. The CUCMs are in mixed mode and the Expressway-C has TCP and TLS zones.
When I try to register a Jabber over MRA, I get an error on Expressway-C: 403 (forbidden) and the warning "TLS authentication failure".
So it is definitely something with certificates, but as far as I understand the documentation I have done the correct procedure.
Any help would be appreciated
Thanks
JH
09-24-2021 07:13 AM
Review the MRA configuration as well as the certificate creation guides, you don't mention any changes to your certificates based on the phone security profiles, so pay special attention in those areas in the documentation.
09-27-2021 10:06 AM
One thing to know is that the signaling between Expressway and CUCM is already encrypted, provided the proper self-signed certificates are installed from CUCM onto the Expressway-C. If you also want to encrypt media (RTP), this is where it gets more complicated.
Here is a link to information on the how/why of encryption:
And here is information on end-to-end media encryption.
That should get you started from an information standpoint. You will need to do more research. As Jaime said, what you are asking to do is bigger than just a checkbox.
Maren
09-28-2021 12:13 AM
Hi
Thanks for the info
I have already encrypted a lot, the phones between them are encrypted (small lock on screen). The IOS conference bridge is encrypted, the trunk with the CUBE is encrypted, the communication with Unity Connection is encrypted (in all these cases a small lock on screen).
Just some encryption issues with Expressway-C <=> CUCM using MRA
I shall do some extra reading
Thanks
JH
10-06-2021 03:13 AM
Hi,
Can you send the output of this command from CUCM cli?
admin:run sql select * from ExpresswayCConfiguration
Also a screenshot of Configuration > Zones > Zones.
-Sankar
10-06-2021 03:22 AM
For secure SIP registrations, you also must ensure that the secure device profile name on the CUCM that is applied to the device is listed as a SAN on the Expressway-C certificate. If this does not contain the secure register messages, it would fail with a "403" from the CUCM, which indicates a TLS failure.
Check the section 'Configuring Trust Between CUCM and Expressway-C' in the above guide.
-Sankar
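As an added example (not code from the thread or from Cisco), a shell check that every CUCM secure phone security profile name is present as a DNS SAN on an Expressway-C certificate, which is the condition Sankar describes above. The FQDN, the profile names and the self-signed test certificate are constructed for illustration; generating the test certificate assumes OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example: verify CUCM secure phone security profile names appear as
# DNS SANs on an Expressway-C certificate. All names below are constructed.

# Print the DNS SAN entries of a PEM certificate, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Usage: check_profiles_in_san CERT.pem PROFILE_NAME...
# Returns 0 when every profile name is a DNS SAN of the certificate;
# otherwise prints each missing name and returns 1 (the "403 / TLS
# authentication failure" case in the thread).
check_profiles_in_san() {
    cert="$1"; shift
    sans=$(cert_dns_sans "$cert")
    missing=0
    for profile in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$profile"; then
            echo "MISSING SAN: $profile"
            missing=1
        fi
    done
    return $missing
}

# Build a constructed self-signed stand-in for an Expressway-C certificate
# carrying the server FQDN plus one secure profile name (and deliberately
# omitting a second one). Needs OpenSSL 1.1.1+ for -addext. Prints the path.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$dir/key.pem" -out "$dir/expc.pem" \
      -subj "/CN=expc.example.com" \
      -addext "subjectAltName=DNS:expc.example.com,DNS:secure-jabber-profile.example.com" \
      >/dev/null 2>&1
    echo "$dir/expc.pem"
}
```

Against a real deployment, run check_profiles_in_san on the Expressway-C server certificate with the exact names of the secure phone security profiles assigned to the MRA devices; Cisco recommends naming those profiles in FQDN form so they are valid DNS SAN entries.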
10-18-2021 11:34 PM
That was it, sorry I missed it in the documentation.
Works perfectly
JH