09-17-2014 12:49 PM - edited 03-17-2019 12:11 AM
Hi
I'm studying CUCM and testing it. I have a question about security:
Does a TLS connection from an external phone to the CUCM need an ASA, or can it be done directly between the phone and the CUCM?
Best Regards,
09-18-2014 01:12 PM
SIP TLS is used for signaling on TCP port 5061.
If the CUCM is behind a firewall and the phone is connected through the Internet, it would be necessary to allow TCP port 5061 and SRTP.
In the following article, several scenarios are explained in more detail:
http://www.cisco.com/web/about/security/intelligence/IP_Phone_Security_WP.html
09-18-2014 03:03 PM
Hi, thanks for the answer,
I read this article, but I have a doubt because they say that: Cisco IP phones will only work with the Cisco ASA Phone Proxy and will not establish secure connectivity with the Cisco Unified Communications Manager.
By default, LSC certificates are not installed on Cisco IP phones. Cisco IP phones that are required to use LSC certificates must be provisioned to allow TLS transactions before deployment in the field. LSC certificates can be provisioned to the Cisco IP phones through the Certificate Authority Proxy Function (CAPF) process. This process is completed using TLS and USB tokens coupled with the CTL client. Moreover, the Cisco ASA Phone Proxy feature can serve LSC certificates to the Cisco IP phones. Cisco IP phones will only work with the Cisco ASA Phone Proxy and will not establish secure connectivity with the Cisco Unified Communications Manager.
09-19-2014 01:42 AM
Hi,
There are two modes explained for provisioning IP phones using TLS.
Using Cisco Unified Communications Manager (with USB Tokens)
In this case it is necessary to install certificates and follow a certain procedure. The phone communication is encrypted to the CUCM.
The second option:
Using Cisco ASA Phone Proxy (without USB tokens)
This is a simpler and quite nice solution to securely connect IP phones from the Internet. The encrypted communication goes from the phone to the ASA. Then the ASA relays the communication to the CUCM unencrypted.
In this case, it would not be necessary to open ports or expose the CUCM to the Internet.
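As an added example (not from this thread or from Cisco), a small Python audit that reads an ASA extended access-list export and reports whether the CUCM host is reachable from the outside on TCP 5061 and on the UDP media range, which is exactly what the direct phone-to-CUCM mode requires and what the Phone Proxy mode avoids. The sample ACL lines, the CUCM address 203.0.113.10 and the default media range 16384-32767 are assumptions.

```python
import re

# Constructed sample ASA export; 203.0.113.10 is a placeholder CUCM address.
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 5061
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 range 16384 32767
access-list OUTSIDE_IN extended deny ip any any
"""

# Subset of ASA extended-ACL syntax: action, protocol, src, dst, optional port spec.
RULE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)"
    r"\s+(?:any|host \S+)\s+(?P<dst>any|host \S+)"
    r"(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

def parse_acl(text):
    """Return rules as (action, proto, dst, (low, high)) in ACL order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # lines outside the audited subset are skipped
        if m["eq"]:
            ports = (int(m["eq"]), int(m["eq"]))
        elif m["lo"]:
            ports = (int(m["lo"]), int(m["hi"]))
        else:
            ports = (0, 65535)  # no port spec: rule covers every port
        rules.append((m["action"], m["proto"], m["dst"], ports))
    return rules

def first_match(rules, proto, dst_host, port):
    """ASA evaluates top-down and the first match wins; None = implicit deny."""
    for action, rproto, dst, (lo, hi) in rules:
        if rproto in (proto, "ip") and dst in ("any", f"host {dst_host}") and lo <= port <= hi:
            return action
    return None

def audit_cucm_exposure(text, cucm_host, media=(16384, 32767)):
    """Report which flows from the Internet reach CUCM directly (True = exposed).
    media is the assumed CUCM default RTP/SRTP UDP range (checked at both ends)."""
    rules = parse_acl(text)
    return {
        "sip_tls_5061": first_match(rules, "tcp", cucm_host, 5061) == "permit",
        "srtp_media": all(first_match(rules, "udp", cucm_host, p) == "permit" for p in media),
    }
```

Run `audit_cucm_exposure(SAMPLE_ACL, "203.0.113.10")` against a real export (after replacing the sample) to see whether your firewall matches the direct-connection mode or the Phone Proxy mode.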
09-19-2014 06:08 AM
Hi Melendres,
Thanks a lot for your help...
Best regards,