Dear All,

I am looking at setting up Cisco IP VPN Phone on our ASAs. I would like to do this as securely as possible and I read here that an LSC on the phone is strongly recommended in preference to using the MIC.

1. To install LSC, I believe CAPF is needed and I will need to generate a bundle of certs using the CTL plugin. Does this therefore mean the cluster must be moved to mixed-mode and the phones will start sending SRTP and SecureSIP/SCCP?
2. Is it possible to use the LSC for authentication-only (not encryption) and only apply it to VPN phones? I'm looking to minimize my impact on the wider cluster.
3. Assuming I have to encryption SRTP and Secure SIP/Skinny, how would the BIB stream behave towards a recorder? Could CM setup an unencrypted BIB stream, even if the main call is encrypted?
4. Finally, has anyone tried BIB recording via ASA and does it work OK?

The VPN Phone/ASA setup assumes that one has a solid grasp of CM certificates and mixed mode and this is an area I'm still learning about.

Thank you for any insight.

Regards

James.