Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3237
Views
0
Helpful
11
Replies

Phone book from TMS over HTTPS

scott.j.hanson
Level 1
Level 1

‎04-23-2013 08:02 AM - edited ‎03-18-2019 12:59 AM

I'm having some difficulty using HTTPS for phone books coming from TMS.

As long as I don't require SSL in IIS, the phone book is downloaded from TMS successfully. However, if I enable the "Require SSL" setting, the codecs are no longer able receive the phone book.

A couple of potential obstacles that come to mind:

- DNS is not available on the VLAN where the C-series codecs are connected, so I must use the server's IP address rather than hostname in the phone book URL. However, the SSL certificate is signed using the server's hostname.

- The SSL certificate on the TMS server is signed by our company's CA, not an external CA. I'm not sure if I need to upload a "Trusted CA list" (PEM format) and if so, how to generate the file.

But this makes me wonder, since the phone book evidently is capable of being downloaded via HTTPS, what is it about requiring SSL that is causing a problem?

1 person had this problem
Labels:
0 Helpful
11 Replies 11

Patrick Sparkman
VIP Alumni
VIP Alumni

‎04-23-2013 08:05 AM

Go into the codec, check or change the external manager to use HTTPS if it isn't already set to that.  If it's on HTTP than it won't work when trying to communicate to TMS that is set to send via HTTPS.

0 Helpful

scott.j.hanson
Level 1
Level 1
In response to Patrick Sparkman

‎04-23-2013 08:09 AM

Patrick,

Thanks for the quick reply - here are the ExternalManager settings - it is already set to HTTPS:

Provisioning ExternalManager AddressTANDBERG C-series Endpoint
Provisioning ExternalManager PathTANDBERG C-series Endpointtms/public/external/management/systemmanagementservice.asmx
Provisioning ExternalManager ProtocolTANDBERG C-series EndpointHTTPS
Provisioning HttpMethodTANDBERG C-series EndpointPOST
Provisioning ModeTANDBERG C-series EndpointTMS
0 Helpful

Patrick Sparkman
VIP Alumni
VIP Alumni
In response to scott.j.hanson

‎04-23-2013 08:13 AM

Interesting don't know then.

Can TMS communicate with the codec for management over HTTPS?

Is it just the phonebook that is affected?

0 Helpful

scott.j.hanson
Level 1
Level 1
In response to Patrick Sparkman

‎04-23-2013 08:17 AM

Yes, TMS management over HTTPS works fine. (I have HTTP disabled on the codecs.)

The strange thing is the phone book even works over HTTPS as long as I don't use the Require SSL setting in IIS. However I would like to use that setting so that web browsers accessing TMS will be required to use HTTPS.

0 Helpful

Patrick Sparkman
VIP Alumni
VIP Alumni
In response to scott.j.hanson

‎04-23-2013 08:23 AM

Have you enabled or tried "Secure-Only Device Communication" under Administrative Tools > Configuration > Network Settings?  This would require each codec to use HTTPS in their external manager, not sure if it affects the phonebooks though.

One work around I've done for our TMS is use a redirect in IIS to change  the url to HTTPS.  That might be a quick easy solution if you can't get  the Require SSL to work.

0 Helpful

mahkrish
Level 3
Level 3

‎04-23-2013 05:55 PM

Hi Scott, Please refer to following document - Configuring Secure HTTPS between Cisco TelePresence products Reference Guide from  http://www.cisco.com/en/US/docs/telepresence/infrastructure/tms/config_guide/Cisco_TelePresence_Implementing_Secure_Management_Config_Guide.pdf

Yes, this is old document but the steps will be the same for 13.x version. Please refer to the steps for C - series and TMS in the document.

HTH.

BR, Mahesh Adithiyha

0 Helpful

scott.j.hanson
Level 1
Level 1
In response to mahkrish

‎04-24-2013 10:49 AM

mahkrish,

I've read through the document but I don't see anything that addresses the issue at hand (phone book failure when "Require SSL" is set in IIS.) I'm not having any problems with device managment generally over HTTPS, and even the phone book works over HTTPS as long as "Require SSL" is unchecked. Is there something specific in this document you wanted me to verify?

0 Helpful

mahkrish
Level 3
Level 3
In response to scott.j.hanson

‎04-24-2013 09:01 PM

Hi Scott, Most SSL certificates are bound to the hostname of the machine and not the ip address.

IMHO, you should have DNS enabled in the C series connected Vlan and try the phonebook.

Please take a look at http://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name?lq=1

BR, Mahesh Adithiyha

0 Helpful

scott.j.hanson
Level 1
Level 1
In response to mahkrish

‎04-25-2013 07:18 AM

mahkrish,

Thanks for the advice... unfortunately, I'm not in a position to add DNS service to the VLAN. However, since the Phone Book URL is pointing directly to an IP address and not the server name, how would DNS fix this problem? Remember that the phone book does download over HTTPS as long as I don't require SSL in IIS.

0 Helpful

Magnus Ohm
Cisco Employee
Cisco Employee
In response to scott.j.hanson

‎04-26-2013 01:25 AM

Hi Scott

I just enabled require SSL in my IIS server and I am able to get phonebooks still, not on http of course, only if I set the phonebook server to https. Do you have ignore client certificates or do you require validation on this? If you have set it to require client certificate then that might be the problem, what happens if you set it to ignore? Users will still have to use HTTPS to access the application.

/Magnus

0 Helpful

scott.j.hanson
Level 1
Level 1
In response to Magnus Ohm

‎04-29-2013 01:11 PM

That's a good suggestion, but I do have both VerifyClientCertificate and VerifyServerCertificate set to Off.

0 Helpful
Customers Also Viewed These Support Documents