Cisco Unified CallManager and IP Phone Security

amitsin · ‎04-08-2012

Introduction
Related Information

Introduction

Raees Shaikh is a customer support engineer at the Cisco Technical Assistance Center in Bangalore. He has over two years of experience, serving Cisco partners and customers in the European time zone. As part of the call control and multiservices modules, he focuses on Cisco Unified Communications Manager, Cisco Unified Border Element, gateways, Cisco Unified SIP Proxy, and other voice over IP (VoIP)–related devices. Prior to joining Cisco he was a network engineer with Microland Ltd, supporting networks for Fortune 500 companies. He holds a bachelor of engineering degree in electronics and telecommunication from Goa University and holds CCNP and CCIE voice certification (number 34220).

Amit Singh is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has six and half years of experience in his areas of expertise: wireless, Cisco Unified Communications Manager, multiservices, Cisco Unity, and Cisco Unified Contact Center Express. He has been involved in various escalation requests from India, Singapore, and Australia and is currently working as a technical lead for the Voice team in Bangalore, India. He is a computer science graduate.

This document contains the answers provided for the questions asked during the live "Ask the Expert" Webcast session on the Topic - Cisco Unified CallManager and IP Phone Security.

Expert, Chirag Katudia was helping Amit and Raees Shaikh to answer few of the questions asked during the session. He is a customer support engineer at Cisco and hold a CCIE.

The related Ask The Expert session is available here.

You can download the slides of the presentation in PDF format here.

The Complete Recording of this live Webcast can be accessed here.

Q. From where will the phone get new firmware?

A. Phone will get new firmware from the TFTP Server.

Q. Is CTL not required if we move from 7.x to 8.x and if we have a secured cluster?

A. CTL file is still required for Media and Signaling encryption. The ITL file is introduced to reduce burden over the phone to verify certificates. TFTP keys (certificates and private key) are by default part of DRS backup as the Cisco CallManager Platform component.

Q. What happens if we do not have an Internet connection at that moment?

A. You really do not need to have an internet connectivity available at that moment. Once you have the specific certificate being installed in the cluster of the CUCM, then you do not need to go back to identify the certificate since you already have the authority with the root certificate installed on your Cisco CallManager.

Q. If a customer is using UC Proxy on their phones (over the Internet), will they will still need CTL files?

A. Yes, CTL file is always required for Media and Signaling encryption.

Q. Which two certificates should not be regenerating at the same time?

A. CUCM + TFTP and TVS.

Q. Do UC applications such as Cisco Jabber for iPhone use ITL file?

A. All the end points by Cisco support ITL file. For more specific information about this question, please check the "Ask the expert session" to get the exact answer from the Experts.

Q. Do we need to choose some options or by default, is TFTP key backup included in DRS backup?

A. TFTP keys (certificates and private key) are by default part of DRS backup as Cisco CallManager Platform component.

Q. Is deleting the CTL and ITL files on every phone a manual, phone by phone process that must be done in person/at the phone itself?

A. Yes, this is very rare scenario but it is manual operation at phone. However, this is being enhanced to handle centrally by CUCM in an upcoming version of CUCM.

Q. What are the Ports that need to be open?

A. Ensure TVS Port 2445 is open in your network. Whenever you plan to move your cluster to CUCM 8.x for the upgrade, ensure TVS Port 2445 and TLS protocol allowed just in case if you have highly secured network. If these ports are blocked, phones will not be able to contact TVS server and will fail to download the ITL files and phones will not get registered.

Q. What is Mixed mode cluster?

A. Well, you run CTL client and get your cluster in Mixed mode.. To have secure communication, you can decide and use phone security profiles enable security on certain phones. You can enable security profile for certain phones like CEO/CTO's phones and non-secured for other normal phones like lobby phones and this is nothing but the Mixed mode.

Q. What is phone hardening?

A. Phone Hardening is nothing but disabling some of the features on the phone, for example, disabling the web access http/https, disabling the phone settings to the end users, disabling the voice VLAN access settings and disabling the PC port setting. You can do it by accessing the Phone device or by using the BAT tool. Refer this link for more information,

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_0_1/secugd/secu_ph.html

Q. How do we know a Certificate has or is about to expire?

A. In CUCM OS Administration Page, there is a feature called Service Monitor, which you can define the Alarm and trigger it when the Certificate will be expired and the frequency of the alarm. This sends an alarm before one month and you can monitor using RTMT and also you can send it to the e-mail alias.

Q. Do we need to install 3rd Party certificates on all nodes in cluster ?

A. No, the certificate will be replicated to the Trust Store of all the nodes & the change notification service will inform the TVS service on the node.

Q. What do we need CAPF certificates in ITL?

A. Yes, we need CAPF certificate in ITL inorder to authenticate to the CAPF service for LSC installation if the cluster is configured to be in mixed mode.

Q. If we have both CTL and ITL present on phone, which file phone will use to authenticate?

A. The phone will first try to authenticate using CTL, if the certificate is not found in CTL it will look up the ITL file.

Q. We have a customer on CUCM 7.1 and the CUCM has problems with the CTL/ITL files and is unable to update their firmware. We are being asked to delete these files on every phone to fix the problem.

A. The ITL file concept is not applicable to CUCM 7.1.

Q. Are there any drawbacks using Rollback parameter to allow changes to DNS or other Cluster parameters? Any downside in using this parameter when not rolling back?

A. No drawbacks. Only time that you want to use this is when you move from one version to another version and from one cluster to another cluster, so the phones get the TVS /ITL files and register. Once the registration is over, you need to change the parameter to false and restart the TFTP and Cisco CallManager service so that they download the ITL files with exact certificates.

Q. Are the security features available for 3rd party phones?

A. Right now the security feature is only available for Cisco phones and not for 3rd party phones.

Q. Is the CTL file size limited and how many nodes can I implement within this CTL file?

A. The CTL file needs to have the certificates from all nodes in the cluster. File size is not limited but the memory of the phone is limited, so we need to be careful in which certificate needs to have in the CTL file.

Q. If I'm upgrading from CUCM 7.1(5) in Mixed mode to 8.6 replacing the server (from physical to virtual), what do I need to complete the migration? Do I need to regenerate the CTL file on the new cluster?

A. Good Question. There are very specific steps to be followed for migration specially from Physical cluster to virtual. First upgrade the cluster to 8.x, take CLUSTER wide backup. Prepare virtual cluster with same version, restore the cluster wide backup. Or, take the backup of 7.x cluster, setup virtual cluster with 7.x version, restore cluster wide, make sure things are working properly and then upgrade cluster to 8.x.

.

Q. I can't upgrade my cluster on the physical server. I need to upgrade it "off line" on the virtual server.

A. Take the backup of 7.x cluster, setup virtual cluster with 7.x version, restore cluster wide, make sure things are working properly and then upgrade cluster to 8.x.

Q. What If, I need to migrate only a set of phones from my existing 8.x cluster ?

A. One can use the “Prepare Cluster for Rollback to pre-8.0” enterprise parameter to download empty ITL files in the cluster. Once the empty ITL file has been downloaded, the phone will accept any ITL file coming its way next. Now you can move this set of phone to another cluster & set the enterprise parameter back to false.

Q. Is eToken connected to Admin PC or MCS directory?

A. Admin PC.

Q. How do we obtain the eTokens?

A. Contact your Account Manager with the Product and Key ID who can provide more information.

Q. How do I backup eToken?

A. You cannot backup the contents of eToken.

Q. What will happen if I loose my eToken?

A. The eTokens are supposed to be kept safely as we will need these tokens even to move the cluster from mixed to non secure mode.ou cannot backup the contents of eToken.