12-06-2012 12:47 PM - edited 03-16-2019 02:36 PM
We're working with a customer who is moving from UCM 7.x to 9.x and has Phone Proxy in place today. With the Phone Proxy no longer supported in 9.x, they are forced to move to the SSL VPN for IP Phones. The design doc states that the phones need to be brought up on the internal network first to download configs, certs, etc. before taking them out to the field.
So, is there any known workaround to configure remote users' phones WITHOUT bringing them inside the network? For multinationals, this could prove to be a HUGE headache.
jyoungta replied to another thread with this:
"If you can get a copy of the new phone config file and put it on a tftp that is accessible via the internet, then you can just point the phone to the tftp server (alternate tftp server option). It will go and grab the new config file."
this sounds great (Thank you Jay) but it sounds easy... too easy. Is there a procedure we need to follow that is documented we can follow?
(Pardon my lack of specific technical knowledge, I'm in management)
-Sam
12-11-2012 05:29 PM
Hello Sam:
I was able to successfully convert a phone proxy phone to anyconnect vpn with a standard certificate only deployment. The phone had a connection to the CallManager through TFTP outside the network as part of the phone proxy configuration.
I configured the anyconnect phone VPN settings on the ASA.
Pushed the ASA SSL certificate to the CallManager
Configured the CallManager for the proper VPN phone settings.
Applied the Common Phone Settings to the phone and reset the phone.
- Up to this point, you are just following the guide. https://supportforums.cisco.com/docs/DOC-21469
In network settings on the phone I changed the alternate TFTP from the public IP (needed for phone proxy) to the private IP (needed for anyconnect VPN).
Deleted the CTL File under Settings - Security Configuration - Trust List
Reset the phone
- At this time I saw the phone reboot, connect to the VPN and I was able to verify VPN operation on the phone and make some prank calls.
12-06-2012 02:51 PM
Hi Sam,
The reason the IP phone needs to be brought up in the internal network first is so that it can download its tftp config file. The content of the tftp file looks like this:
------ some lines omitted -----
https://X.X.X.X/PhoneVPN
0
2eD0l4VEI0CGZQGKlMBGE2bRhUg=
------ some lines omitted -----
When the ip phone is outside the network and is turned on, the phone is not able to contact the internal tftp server and so, it will boot up with the cached config file. In your case, the cached config file contains the information required to reach the ASA to terminate the SSL VPN.
Now with what you have researched, ie:
"If you can get a copy of the new phone config file and put it on a tftp that is accessible via the internet, then you can just point the phone to the tftp server (alternate tftp server option). It will go and grab the new config file." it will allow the phone to grab the config file and store it in the cache. This will work.
Unfortunately for you, this is not a supported Cisco method and so, there will be no Cisco documentation on how to do this. But on a high level, the steps I see happening are these:
1. identify all the remote phones
2. download the remote phones tftp configuration and upload the config files onto your publicly accessible tftp server
3. Change the remote phones alternate tftp server setting to point to the publicly accessible tftp server
4. Reboot the phones so it downloads the tftp config from the public tftp server. The phone will download the config, but don't expect it to register at this point.
5. Remove the alternate tftp setting, reboot the phone, and it will be setup for IP phone ssl vpn
********* Note: There is a security risk having the configuration file on a publicly accessible server *********
Please rate if you find this useful
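Step 2 of the procedure above is the one that deserves a check before anything is copied to a public TFTP server: the config must point at the right ASA, and its certificate hash must match the certificate the ASA is actually presenting, or the phone will download it and still never bring the tunnel up. The following is an added example written for this page (my code, not Cisco's and not from either reply). It assumes an unsigned SEP<MAC>.cnf.xml whose <vpnGroup> carries <addresses><url1>...</url1></addresses> and <credentials><hashAlg>0</hashAlg><certHash1>...</certHash1></credentials> (the three values quoted in the snippet above, with their tags restored), and that hashAlg 0 means the base64 SHA-1 of the ASA certificate in DER form; the 28-character hash on this page is the length of a base64 SHA-1, which is consistent with that. The certificate bytes and the two config files below are constructed sample data.

```python
"""Check a CUCM phone config's VPN group before staging it on a public TFTP.

Added example, not code from the thread. Assumed (not stated on the page):
element names under <vpnGroup>, and hashAlg 0 == SHA-1 over the DER cert.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET


def config_filename(mac: str) -> str:
    """CUCM names a phone's config SEP<MAC>.cnf.xml, MAC upper-case, no separators."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(clean) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"SEP{clean}.cnf.xml"


def asa_cert_hash(cert_der: bytes) -> str:
    """Base64 SHA-1 of the DER certificate: the form certHash1 uses (assumption)."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def parse_vpn_group(xml_text: str) -> dict:
    """Pull the VPN URLs, hash algorithm and certificate hashes out of the config."""
    root = ET.fromstring(xml_text)
    vpn = root.find(".//vpnGroup")
    if vpn is None:
        raise ValueError("no <vpnGroup>: this phone has no VPN profile applied")
    addresses = vpn.find("addresses")
    creds = vpn.find("credentials")
    urls = [e.text.strip() for e in (addresses if addresses is not None else []) if e.text]
    hashes = [e.text.strip() for e in (creds if creds is not None else [])
              if e.tag.startswith("certHash") and e.text]
    alg = creds.findtext("hashAlg", default="0").strip() if creds is not None else "0"
    return {"urls": urls, "hash_alg": alg, "cert_hashes": hashes}


def verify_vpn_config(xml_text: str, expected_urls: list, asa_cert_der: bytes) -> list:
    """Return a list of problems; an empty list means the config is safe to stage."""
    info = parse_vpn_group(xml_text)
    problems = []
    if not info["urls"]:
        problems.append("vpnGroup has no VPN URL")
    for url in info["urls"]:
        if not url.lower().startswith("https://"):
            problems.append(f"VPN URL is not https: {url}")
        if url not in expected_urls:
            problems.append(f"unexpected VPN URL (wrong ASA or stale config): {url}")
    if info["hash_alg"] != "0":
        problems.append(f"hashAlg {info['hash_alg']} is not the assumed SHA-1 (0)")
    if asa_cert_hash(asa_cert_der) not in info["cert_hashes"]:
        # Typical cause: the ASA's SSL certificate was re-issued after the
        # config was exported, so every staged copy now pins a dead hash.
        problems.append("certHash does not match the ASA certificate; phone will not connect")
    return problems


# Constructed sample data: not a real certificate, not a real phone config.
FAKE_ASA_CERT_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
EXPECTED_URLS = ["https://X.X.X.X/PhoneVPN"]

SAMPLE_CONFIG = f"""<device>
  <vpnGroup>
    <authMethod>2</authMethod>
    <addresses><url1>https://X.X.X.X/PhoneVPN</url1></addresses>
    <credentials><hashAlg>0</hashAlg><certHash1>{asa_cert_hash(FAKE_ASA_CERT_DER)}</certHash1></credentials>
  </vpnGroup>
</device>"""

# Same layout but carrying the hash quoted on this page, which cannot match the
# constructed certificate: the "ASA cert renewed, config not re-exported" case.
STALE_CONFIG = """<device>
  <vpnGroup>
    <addresses><url1>https://X.X.X.X/PhoneVPN</url1></addresses>
    <credentials><hashAlg>0</hashAlg><certHash1>2eD0l4VEI0CGZQGKlMBGE2bRhUg=</certHash1></credentials>
  </vpnGroup>
</device>"""

if __name__ == "__main__":
    print(config_filename("00:1a:2b:3c:4d:5e"))
    for name, cfg in (("sample", SAMPLE_CONFIG), ("stale", STALE_CONFIG)):
        issues = verify_vpn_config(cfg, EXPECTED_URLS, FAKE_ASA_CERT_DER)
        print(name, "OK to stage" if not issues else issues)
```

Run it against each config you pulled from the CUCM TFTP service and the ASA's current SSL certificate before step 2; anything that comes back with an "unexpected VPN URL" or "certHash does not match" line is a phone that will sit in the field unregistered after step 5. The hash pin is also the reason the security note above matters less than it first looks: the file on the public server tells an attacker the ASA's address, but it contains no credentials, and the phone will only complete the tunnel to an ASA presenting that exact certificate.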