cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2860
Views
5
Helpful
13
Replies

MX800 encrypted calls

JAMES WEST
Level 1
Level 1

Hi there,

We have recently purchassed some new MX800, MX300 G2 video endpoints which have replaced our legacy Tanberg 880 units. The Tandberg devices were registered to the VCS-C appliance, where as the newer endpoints have been migrated onto the CUCM server. We can make and recieve calls to these units, but when we try and call an encrypted devices outside of our organisation, the call is only set-up as non-encrypted.

We have witnessed this when we have tried to join a 3rd party VC call hosted by Blue Jeans. We join the BJ meeting ID, but once we add the PIN number, the call comes back notifying us that the call is not encypted and disconnects the call. When l look at the call going out from the endpoint, l see the calls goes out with encryption on, but when it joins BJ the call is uncrypted, although this does work from our one remaing legacy Tandberg unit, so this does work from a VCS-C registered device.

I have been looking at the following options for CUCM registered devices:

  1. Change the MX800/MX300 device profile from non-secure to secure, but l am unsure if the CUCM cluster needs to be runing in Mixed Mode for the TLS/Encrypted profile to work?
  2. Or the alternative l have been looking at is configuring the CUCM cluster to run in Mixed Mode (currently Default non-mixed mode). If l configure mixed mode l believe that all devices will then download a CTL file to the IP Phone and will set all calls on the cluster to be encrypted. Is this the case, or is it dependant on the Device Profile configured i.e. if the 7965 is configured for non-secure profile it will not download a CTL file?

Can someone please let me know if they have their VC endpoints registered to CUCM, and if they can make encrypted calls to hosted VC services? If they can, could they share how their deployment is configured?

Thanks and best regards,

James

1 Accepted Solution

Accepted Solutions

Hi James,

I can actually see CTL files installed on the phones with non secure profile configured. So what it means is that the following options decide whether the phone would like to have the authentication / encryption of its signaling and media in addition to whether the CTL file exists on the phone

Non Secure - unencrypted signaling and unencrypted media (voice / RTP / Real Time Protocol)
Authenticated - encrypted signaling and unencrypted media
Encrypted - encrypted signaling and encrypted media

Manish

View solution in original post

13 Replies 13

Manish Gogna
Cisco Employee
Cisco Employee

Hi James,

To your two questions above:

1. Yes, CUCM needs to be in mixed mode for the TLS/Encryption to work

2. Phone can still be in non-secure mode when you enable Mixed mode if the following Phone security profile is applied

Non Secure - unencrypted signaling and unencrypted media (voice / RTP / Real Time Protocol)

You may refer the following for details

https://supportforums.cisco.com/document/73611/ip-phone-security-and-ctl-certificate-trust-list#Create_and_Apply_Phone_Security_Profiles

Manish

Hi Manish,

Thanks for getting back to me.

In regards to the information you provide +5.

If you changed an endpoint to use the Secure / TLS under - System > Security Profile > Phone Security Profile, would this enable the use of the TLS functionality if the cluster was not configured for Mixed Mode? I think you may say no, but l just want to confirm :-)

Also if the phones were configured for the default Non Secure Profile and the cluster was configured for Mixed Mode, would the phones download a CTL file after the CUCM service is restarted?

Thanks,

James

Hi James ,

Yes, mixed mode is a pre requisite to make this work. As per my understanding the phone will not download ctl with non secure profile. I will check in the lab tomorrow for confirmation though.

Manish

Hi Manish,

I hope you are doing well.

Can you let me know if you managed to test this in your lab?

Regards,

James

Hi James,

I can actually see CTL files installed on the phones with non secure profile configured. So what it means is that the following options decide whether the phone would like to have the authentication / encryption of its signaling and media in addition to whether the CTL file exists on the phone

Non Secure - unencrypted signaling and unencrypted media (voice / RTP / Real Time Protocol)
Authenticated - encrypted signaling and unencrypted media
Encrypted - encrypted signaling and encrypted media

Manish

Hi James

Did you managed to get encrypted calls working to BlueJeans following Manish's suggesttions? Please share some insight as ine of my customer critical customer is also facing similar issue.

- Basant

Hi Basant,

You can open a new thread if there is no reply on this post so that others may respond to your query.

Manish

Hi Basant,

In the end we decided not to configure mixed mode on our CUCM. To resolve the issue we decided to buy multisite option keys for the TP VC units, so if the call needs to be encrypted it can be.

If your customer has their endpoints registered to the CUCM, they need to decide if they want to make the change on the CUCM, or buy TP Option keys.

James

Thanks for your reply James !

I assume customer would prefer to have multisite option instead of mixed mode as they have no other requirement for encrypted calls in CUCM other than to Bluejeans.

Could you guide me on how the design would look like in this case with Multisite licenses on TP endpoint? What configuration changed you did on CUCM? I thought it would not be possible to encrypt calls without having the CUCM in mixed mode?

Thanks again for your help !

- Basant 

Hi James

Just wondering if you had a chance to go through my last message. The response I am getting from TAC is to run encrypted calls, there is no option but to run CUCM in mixed mode which my customer is reluctant to however how you were able to resolved this issue by using TP options key's would be something very interesting to know.

Looking forward for your reply.

- Basant

Hi Basant,

I had responded to your post, but for some reason it looks like it never saved, ort something happened.

Anyway, we decided as your customer has, that installing mixed mode was a big thing to do, and we decided not to do this either.

In the end we installed the following option keys to all TelePresence endpoints that required to make encrypted calls.

Encryption - Enables encryption of media streams. 

Hope this helps.

James

Thanks James !

So is only installing "Encryption Keys" enough on TP endpoints or "Multisite" keys are also required as you mentioned in earlier post?

- Basant

Hi Basant,

If you are looking for just Encryption, the Encryption option key should be enough. The Multisite would be if you want the VC endpoint to conference more than one VC call.

James