Does a TLS connection from an external phone to the CUCM need an ASA, or can it be done directly between the phone and the CUCM?

rfrometar
Level 1

Hi

I'm studying CUCM and testing it. I have a question about security:

Does a TLS connection from an external phone to the CUCM need an ASA, or can it be done directly between the phone and the CUCM?

Best Regards,

4 Replies

o.melendres
Level 1

SIP TLS is used for signaling on port TCP 5061.

If the CUCM is behind a firewall and the phone is connected through the Internet, it would be necessary to allow TCP port 5061 and SRTP.

In the following article, there are several scenarios explained in more detail:

http://www.cisco.com/web/about/security/intelligence/IP_Phone_Security_WP.html

Hi, thanks for the answer,

I read this article, but I have a doubt because they say that: Cisco IP phones will only work with the Cisco ASA Phone Proxy and will not establish secure connectivity with the Cisco Unified Communications Manager.

Provisioning Cisco IP phones with LSC Certificates

By default, LSC certificates are not installed on Cisco IP phones. Cisco IP phones that are required to use LSC certificates must be provisioned to allow TLS transactions before deployment in the field. LSC certificates can be provisioned to the Cisco IP phones through the Certificate Authority Proxy Function (CAPF) process. This process is completed using TLS and USB tokens coupled with the CTL client. Moreover, the Cisco ASA Phone Proxy feature can serve LSC certificates to the Cisco IP phones. Cisco IP phones will only work with the Cisco ASA Phone Proxy and will not establish secure connectivity with the Cisco Unified Communications Manager.

Hi,

There are two modes explained for provisioning IP phones using TLS.

Using Cisco Unified Communications Manager (with USB Tokens)

In this case it is necessary to install certificates and follow a certain procedure. The phone communication is encrypted to the CUCM.

The second option:

Using Cisco ASA Phone Proxy (without USB tokens)

This is a simplification and quite a nice solution to securely connect IP phones from the Internet. The encrypted communication goes from the phone to the ASA. Then the ASA relays the communication to the CUCM unencrypted.

In this case, it would not be necessary to open ports or expose the CUCM to the Internet.

Hi Melendres,

Thanks a lot for your help...

Best regards,