Raees Shaikh is a customer support engineer at the Cisco Technical Assistance Center in Bangalore. He has over two years of experience serving Cisco partners and customers in the European time zone. As part of the call control and multiservices modules, he focuses on Cisco Unified Communications Manager, Cisco Unified Border Element, gateways, Cisco Unified SIP Proxy, and other voice over IP (VoIP)-related devices. Prior to joining Cisco he was a network engineer with Microland Ltd, supporting networks for Fortune 500 companies. He holds a bachelor of engineering degree in electronics and telecommunication from Goa University and holds CCNP and CCIE Voice certification (number 34220).
Amit Singh is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has six and a half years of experience in his areas of expertise: wireless, Cisco Unified Communications Manager, multiservices, Cisco Unity, and Cisco Unified Contact Center Express. He has been involved in various escalation requests from India, Singapore, and Australia and is currently working as a technical lead for the Voice team in Bangalore, India. He is a computer science graduate.
This document contains the answers provided for the questions asked during the live "Ask the Expert" Webcast session on the topic Cisco Unified CallManager and IP Phone Security.
Expert Chirag Katudia helped Amit Singh and Raees Shaikh answer a few of the questions asked during the session. He is a customer support engineer at Cisco and holds a CCIE.
The related Ask The Expert session is available here.
You can download the slides of the presentation in PDF format here.
The Complete Recording of this live Webcast can be accessed here.
A. The phone will get the new firmware from the TFTP server.
A. The CTL file is still required for media and signaling encryption. The ITL file was introduced to reduce the burden on the phone of verifying certificates. TFTP keys (certificates and private key) are by default part of the DRS backup as the Cisco CallManager Platform component.
A. You really do not need to have internet connectivity available at that moment. Once you have the specific certificate installed in the CUCM cluster, you do not need to go back to identify the certificate, since you already have the authority with the root certificate installed on your Cisco CallManager.
A. Yes, the CTL file is always required for media and signaling encryption.
A. CUCM + TFTP and TVS.
A. All Cisco endpoints support the ITL file. For more specific information about this question, please check the "Ask the Expert" session to get the exact answer from the experts.
Q. Do we need to choose some options or by default, is TFTP key backup included in DRS backup?
A. TFTP keys (certificates and private key) are by default part of the DRS backup as the Cisco CallManager Platform component.
A. Yes, this is a very rare scenario, but it is a manual operation at the phone. However, this is being enhanced so that CUCM can handle it centrally in an upcoming version of CUCM.
A. Ensure TVS port 2445 is open in your network. Whenever you plan to move your cluster to CUCM 8.x for the upgrade, ensure TVS port 2445 and the TLS protocol are allowed, in case you have a highly secured network. If these ports are blocked, phones will not be able to contact the TVS server, will fail to download the ITL files, and will not get registered.
A. Well, you run the CTL client and get your cluster into mixed mode. To have secure communication, you can use phone security profiles to enable security on certain phones. You can enable a secure profile for certain phones, such as the CEO's/CTO's phones, and a non-secure profile for other normal phones, such as lobby phones; this is nothing but mixed mode.
A. Phone hardening is nothing but disabling some of the features on the phone, for example, disabling HTTP/HTTPS web access, disabling the phone settings for end users, disabling the voice VLAN access settings, and disabling the PC port setting. You can do it by accessing the phone device or by using the BAT tool. Refer to this link for more information.
A. In the CUCM OS Administration page, there is a feature called Service Monitor, in which you can define the alarm, trigger it when the certificate is about to expire, and set the frequency of the alarm. This sends an alarm one month in advance; you can monitor it using RTMT and also send it to an e-mail alias.
A. No, the certificate will be replicated to the trust store of all the nodes, and the change notification service will inform the TVS service on the node.
A. Yes, we need the CAPF certificate in the ITL in order to authenticate to the CAPF service for LSC installation if the cluster is configured to be in mixed mode.
A. The phone will first try to authenticate using the CTL; if the certificate is not found in the CTL, it will look it up in the ITL file.
A. The ITL file concept is not applicable to CUCM 7.1.
A. No drawbacks. The only time you want to use this is when you move from one version to another version and from one cluster to another cluster, so that the phones get the TVS/ITL files and register. Once the registration is over, you need to change the parameter to false and restart the TFTP and Cisco CallManager services so that they download the ITL files with the exact certificates.
A. Right now the security feature is only available for Cisco phones and not for third-party phones.
A. The CTL file needs to have the certificates from all nodes in the cluster. The file size is not limited, but the memory of the phone is limited, so we need to be careful about which certificates need to be in the CTL file.
A. Good question. There are very specific steps to be followed for migration, especially from a physical cluster to a virtual one. First upgrade the cluster to 8.x and take a cluster-wide backup. Prepare a virtual cluster with the same version and restore the cluster-wide backup. Or, take a backup of the 7.x cluster, set up a virtual cluster with the 7.x version, restore cluster-wide, make sure things are working properly, and then upgrade the cluster to 8.x.
A. Take a backup of the 7.x cluster, set up a virtual cluster with the 7.x version, restore cluster-wide, make sure things are working properly, and then upgrade the cluster to 8.x.
A. One can use the "Prepare Cluster for Rollback to pre-8.0" enterprise parameter to download empty ITL files in the cluster. Once the empty ITL file has been downloaded, the phone will accept any ITL file coming its way next. Now you can move this set of phones to another cluster and set the enterprise parameter back to false.
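As an added illustration (not Cisco's code and not material from the experts), the Python model below follows two answers above: the lookup order a phone uses for a presented certificate (CTL first, then ITL, then a TVS query) and the "Prepare Cluster for Rollback to pre-8.0" behaviour, where a phone holding an empty ITL accepts the next ITL it downloads while a phone holding a real ITL rejects one signed by an unknown TFTP server. Certificates are constructed byte strings identified by their SHA-256 fingerprint; the ITL file signature check is assumed to have happened already and is outside the model.

```python
import hashlib
from typing import Callable, Optional

# Constructed stand-ins for the X.509 certificates a cluster distributes.
# A real ITL/CTL carries DER certificates plus a signature; this model keeps
# only certificate fingerprints and assumes the file signature was verified.
CLUSTER_A_TFTP = b"constructed-cert:cluster-a-tftp"
CLUSTER_A_CCM = b"constructed-cert:cluster-a-callmanager"
CLUSTER_A_CAPF = b"constructed-cert:cluster-a-capf"
CLUSTER_B_TFTP = b"constructed-cert:cluster-b-tftp"
CLUSTER_B_CCM = b"constructed-cert:cluster-b-callmanager"


def fingerprint(cert: bytes) -> str:
    """Identify a certificate by the hex SHA-256 of its bytes."""
    return hashlib.sha256(cert).hexdigest()


def build_itl(tftp_cert: bytes, *other_certs: bytes) -> dict:
    """An ITL as issued by a TFTP server: signed by the TFTP cert and listing it
    together with the other cluster certificates (CallManager, CAPF, ...)."""
    return {
        "signer": fingerprint(tftp_cert),
        "entries": {fingerprint(c) for c in (tftp_cert, *other_certs)},
    }


class Phone:
    """Trust state of one IP phone: optional CTL (mixed mode), optional ITL."""

    def __init__(self, ctl_entries=None):
        # CTL fingerprints installed by the CTL client; None on a non-secure cluster.
        self.ctl = set(ctl_entries) if ctl_entries else None
        # Currently installed ITL; None means no ITL (or the empty ITL handed out
        # while "Prepare Cluster for Rollback to pre-8.0" is set to True).
        self.itl = None

    def accept_itl(self, itl: dict) -> bool:
        """Install a newly downloaded ITL if the phone can trust its signer.
        Precondition (outside this model): the file's signature has already been
        verified against the signer certificate."""
        if self.itl is None:
            # No prior trust anchor: the first ITL is accepted as-is, which is
            # why an empty ITL lets phones migrate between clusters.
            self.itl = itl
            return True
        signer = itl["signer"]
        if signer in self.itl["entries"] or (self.ctl and signer in self.ctl):
            self.itl = itl
            return True
        # Signer unknown: keep the old ITL; such a phone would fail to register.
        return False

    def clear_itl(self) -> None:
        """Model the phone downloading the empty ITL (rollback parameter = True)."""
        self.itl = None

    def trust_source(self, cert: bytes, tvs_lookup: Callable[[str], bool]) -> Optional[str]:
        """Where the phone finds a presented certificate: CTL first, then ITL,
        then a TVS query. tvs_lookup models the query to the Trust Verification
        Service (TCP 2445) and returns True if TVS vouches for the fingerprint."""
        fp = fingerprint(cert)
        if self.ctl and fp in self.ctl:
            return "CTL"
        if self.itl and fp in self.itl["entries"]:
            return "ITL"
        if tvs_lookup(fp):
            return "TVS"
        return None


def migration_demo() -> tuple:
    """Move a phone from cluster A to cluster B without and then with the empty ITL."""
    phone = Phone()
    phone.accept_itl(build_itl(CLUSTER_A_TFTP, CLUSTER_A_CCM, CLUSTER_A_CAPF))
    itl_b = build_itl(CLUSTER_B_TFTP, CLUSTER_B_CCM)
    rejected_before = phone.accept_itl(itl_b)  # False: cluster B's TFTP cert is unknown
    phone.clear_itl()                          # rollback parameter set, empty ITL downloaded
    accepted_after = phone.accept_itl(itl_b)   # True: no anchor left, new ITL accepted
    return rejected_before, accepted_after


if __name__ == "__main__":
    print(migration_demo())
```

The `clear_itl` step is the security-relevant moment: while the empty ITL is in place the phone has no trust anchor at all, which is why the answer above tells you to set the enterprise parameter back to false as soon as the phones have registered on the new cluster.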
A. Admin PC.
A. Contact your Account Manager with the Product and Key ID who can provide more information.
A. You cannot backup the contents of eToken.
A. The eTokens are supposed to be kept safely, as we will need these tokens even to move the cluster from mixed to non-secure mode.
Q. Will the presentation be available for download or later review?
A. Yes, it will be available so that you can review and download.