08-28-2025 06:50 AM
We have CUCM 15.
If I go to the CUCM site using a DNS name, I am brought to the selector page (Manager or Self Care) with the DNS name in the address bar. Selecting Cisco Unified Communications Manager, I am then brought to the management login page, also using the DNS name.
Filling in my user credentials and clicking login, I am logged in, BUT the address is switched to an IP address, breaking HTTPS as the IP is not in the cert. We are not able to add the IP to the certificate.
What do I need to change to enable the logged-on management page to use the DNS name?
Can this DNS name be an alias?
08-28-2025 07:11 AM
You cannot add an IP address to a CUCM certificate. Is this really an issue?
08-28-2025 07:43 AM
That's not normal. I do not recall seeing that before. Do you have SAML SSO configured? If yes, check the IdP configuration to ensure it's redirecting the client back to a DNS FQDN URL, not IPv4.
If no SSO my next guess would be System > Servers: are they defined by FQDN or IPv4? If IPv4 do not just change them spur of the moment; that's a huge change to make. I'll dig for documentation if they're IP.
08-28-2025 07:56 AM
Thanks Jonathan for the reply.
We don't use SAML SSO. All users are local to CUCM.
In System > Servers both servers are listed with their FQDN.
Just to check, I used the FQDN listed in System > Servers and when logging in it does continue to use the FQDN in the address.
If an alias is used it reverts to the IP address.
08-28-2025 08:00 AM
I would prefer to be able to use an alias as company server naming convention is quite human unfriendly.
08-28-2025 08:08 AM
Ok, that's a slightly different problem statement then. Aliases aren't normally a problem either; I usually add one for the same reason you are. Is the alias included in the Tomcat certificate as an additional Subject Alternate Name?
08-28-2025 08:25 AM
Yes, the alias is included in the Certificate for CUCM web site.
08-28-2025 09:37 AM
Hi @TechnoNOtice,
Have you looked into Step 14 here to see if it possibly helps at all? https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/15/cucm_b_install-guide-cucm-imp-15/cucm_m_postinstallation-tasks.html#postinstall-tasks-for-cisco-unified-communications-manager
Step 14
Ensure that you configure the Trusted List of Hosts in HTTP Referer/Host Header and add the public IP address or DNS alias in the Cisco Unified CM Administration Enterprise Parameters page.
This configuration is necessary if your network topology has a public IP address configured for external interfaces along with private IP address for the individual nodes in the cluster. Unified CM will now validate the IP address or hostname present in the Host header with the servers configured in the Unified CM cluster first before allowing access to Unified CM. You must also configure the DNS alias used to access the Unified CM under the Trusted List of Hosts configuration. For example, if your server is cm1.example.local, and you use phone.example.local to access the server, you must add phone.example.local to the Trusted List of Hosts configuration. From the private network using a private IP address, navigate to the Cisco Unified CM Administration user interface and select System > Enterprise Parameters to configure the external IP addresses or DNS alias used. You must restart the Cisco Tomcat service after performing this activity for all the web pages to load correctly.
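A way to confirm the symptom and the fix discussed in this thread, added here as an example (not code from Cisco or from any poster): given the redirect chain recorded during an admin login, it flags any hop that leaves the DNS name the user typed or that the certificate's DNS SANs cannot cover. The function names, the 10.0.0.5 address and the URL paths are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def san_covers(host, dns_sans):
    """Exact match, or a '*.' wildcard SAN standing in for the left-most label only."""
    host = host.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in dns_sans):
        if san == host:
            return True
        if san.startswith("*.") and host.partition(".")[2] == san[2:]:
            return True
    return False

def audit_redirect_chain(urls, dns_sans):
    """Return (url, problem) for every hop that leaves the name the user typed
    or that the certificate's DNS SANs cannot cover."""
    entry_host = urlsplit(urls[0]).hostname
    findings = []
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            findings.append((url, "no host in URL"))
        elif is_ip_literal(host):
            # Assumption from the thread: the certificate carries no IP SANs.
            findings.append((url, "IP-literal host"))
        elif not san_covers(host, dns_sans):
            findings.append((url, "host not in certificate SANs"))
        elif host != entry_host:
            findings.append((url, "host differs from entry name"))
    return findings

# Constructed sample data: names follow the example in the quoted install guide;
# the address and URL paths are placeholders, not real CUCM values.
SANS = ["cm1.example.local", "phone.example.local"]
ALIAS_NOT_TRUSTED = ["https://phone.example.local/", "https://phone.example.local/login",
                     "https://10.0.0.5/home"]
ALIAS_TRUSTED = ["https://phone.example.local/", "https://phone.example.local/login",
                 "https://phone.example.local/home"]

if __name__ == "__main__":
    for name, chain in (("before", ALIAS_NOT_TRUSTED), ("after", ALIAS_TRUSTED)):
        print(name, audit_redirect_chain(chain, SANS))
```

The URL list can be copied from the browser's network tab during a login; an empty result after the Trusted List of Hosts change and Tomcat restart means every hop stayed on the alias.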
09-08-2025 01:20 AM
Hi.
Thanks for the detailed response. It was exactly the cause.
We had the aliases in place for 12.x but due to a bug in one of the releases it was removed. The admin forgot about it and never restored the entry.
It has triggered a review of all the system parameters to check them against our internal documentation.
08-28-2025 07:48 AM
Company policy and systems block the addition of IPs to certificates.
Also, according to CA Browser Forum (followed by browsers), issuance of certificates to reserved IP addresses is not allowed (1 October 2016).
https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.7.pdf
See section 4.2.2, 7.1.2.7.12 (although in this document it's listed in the changes as 7.1.4.2.1).