Phone Proxy to SSL Phone VPN Migration

Sam Alexander
Level 1

We're working with a customer who is moving from UCM 7.x to 9.x and has Phone Proxy in place today. With the Phone Proxy no longer supported in 9.x, they are forced to move to the SSL VPN for IP Phones. The design doc states that the phones need to be brought up on the internal network first to download configs, certs, etc. before being taken out to the field.

So, is there any known workaround to configure remote users' phones WITHOUT bringing them inside the network? For multinationals, this could prove to be a HUGE headache.

jyoungta replied to another thread with this:

"If you can get a copy of the new phone config file and put it on a tftp that is accessible via the internet, then you can just point the phone to the tftp server (alternate tftp server option). It will go and grab the new config file."

This sounds great (thank you, Jay), but it sounds easy... too easy. Is there a documented procedure we need to follow?

(Pardon my lack of specific technical knowledge, I'm in management)

-Sam

Accepted Solution

munozm
Level 1

Hello Sam:

I was able to successfully convert a phone proxy phone to AnyConnect VPN with a standard certificate-only deployment. The phone had a connection to the CallManager through TFTP outside the network as part of the phone proxy configuration.

I configured the AnyConnect phone VPN settings on the ASA.

Pushed the ASA SSL certificate to the CallManager

Configured the CallManager for the proper VPN phone settings.

Applied the Common Phone Settings to the phone and reset the phone.

- Up to this point, you are just following the guide: https://supportforums.cisco.com/docs/DOC-21469

In network settings on the phone I changed the alternate TFTP from the public IP (needed for phone proxy) to the private IP (needed for AnyConnect VPN).

Deleted the CTL File under Settings - Security Configuration - Trust List

Reset the phone

- At this time I saw the phone reboot, connect to the VPN and I was able to verify VPN operation on the phone and make some prank calls.

2 Replies

hunto
Level 1

Hi Sam,

The reason the IP phone needs to be brought up in the internal network first is so that it can download its TFTP config file. The content of the TFTP file looks like this:

------ some lines omitted -----

https://X.X.X.X/PhoneVPN
0
2eD0l4VEI0CGZQGKlMBGE2bRhUg=

------ some lines omitted -----

When the IP phone is outside the network and is turned on, the phone is not able to contact the internal TFTP server and so it will boot up with the cached config file. In your case, the cached config file contains the information required to reach the ASA to terminate the SSL VPN.

Now with what you have researched, i.e.:

"If you can get a copy of the new phone config file and put it on a tftp that is accessible via the internet, then you can just point the phone to the tftp server (alternate tftp server option). It will go and grab the new config file." It will allow the phone to grab the config file and store it in the cache. This will work.

Unfortunately for you, this is not a supported Cisco method and so there will be no Cisco documentation on how to do this. But on a high level, the steps I see happening are these:

1. Identify all the remote phones.

2. Download the remote phones' TFTP configuration and upload the config files onto your publicly accessible TFTP server.

3. Change the remote phones' alternate TFTP server setting to point to the publicly accessible TFTP server.

4. Reboot the phones so they download the TFTP config from the public TFTP server. The phone will download the config, but don't expect it to register at this point.

5. Remove the alternate TFTP setting, reboot the phone, and it will be set up for IP phone SSL VPN.

********* Note: There is a security risk having the configuration file on a publicly accessible server *********

Please rate if you find this useful
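A check an administrator would want before step 2 above (staging config files on a TFTP server reachable from the internet), written here as an added Python example rather than code from this thread: it confirms that a downloaded phone config carries an https VPN URL and that its certificate hash matches the ASA identity certificate that was pushed to CallManager, so a stale or wrong file is caught before any phone is pointed at it. It assumes the hash in the config is Base64(SHA-1) of the DER certificate and assumes the element names url1/certHash1, since the post shows only the values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET


def asa_cert_hash(der_cert: bytes) -> str:
    """Base64(SHA-1(DER cert)): the form assumed for the hash in the phone config."""
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode()


def vpn_settings(config_xml: str) -> dict:
    """Collect VPN URLs and certificate hashes from a phone config file.

    Element names are assumed: the post shows only the values, so any element
    named url<N> or certHash<N> anywhere in the document is taken as VPN data."""
    found = {"urls": [], "hashes": []}
    for elem in ET.fromstring(config_xml).iter():
        text = (elem.text or "").strip()
        if elem.tag.startswith("url") and text:
            found["urls"].append(text)
        elif elem.tag.startswith("certHash") and text:
            found["hashes"].append(text)
    return found


def verify_config(config_xml: str, der_cert: bytes) -> list:
    """Return problems found; an empty list means the file is safe to stage."""
    problems = []
    found = vpn_settings(config_xml)
    if not found["urls"]:
        problems.append("no VPN URL in config")
    for url in found["urls"]:
        if not url.startswith("https://"):
            problems.append(f"VPN URL is not https: {url}")
    if asa_cert_hash(der_cert) not in found["hashes"]:
        problems.append("certHash does not match the ASA certificate")
    return problems


# Constructed inputs: a fake DER blob standing in for the exported ASA identity
# certificate, and a config fragment shaped like the post's (X.X.X.X is the
# post's own placeholder; the second file keeps the post's hash, i.e. a stale one).
FAKE_ASA_DER = b"\x30\x82\x01\x00" + b"constructed-asa-cert" * 4
GOOD_CONFIG = (
    "<device><vpnConfig><vpnGroup><addresses><url1>https://X.X.X.X/PhoneVPN"
    f"</url1></addresses><credentials><certHash1>{asa_cert_hash(FAKE_ASA_DER)}"
    "</certHash1></credentials></vpnGroup></vpnConfig></device>"
)
STALE_CONFIG = GOOD_CONFIG.replace(asa_cert_hash(FAKE_ASA_DER), "2eD0l4VEI0CGZQGKlMBGE2bRhUg=")
```

Run verify_config on each SEP*.cnf.xml pulled from the UCM TFTP server, with the ASA certificate exported in DER form, and stage only files that return an empty list.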

