Solved: UCM V11.X voice encyption

Paul Austin · ‎04-26-2017

Hello All, I need to encrypt voice in a UCM cluster with associated CUC/UCCX and gateways. It will all be V11.5 but looking for documentation about the procedure there are lots of confusing and conflicting documentation - is there a good, plain english explanation on how to achieve this, what is required (USB tokens or do it with software) etc

Thanks

Paul

Manish Gogna · ‎04-26-2017

Hi Paul,

Signalling between CUCM and gateways is protected through IPSEC and RTP through sRTP.

IP Security (IPSec) provides secure and reliable data transfer between Cisco Unified Communications Manager and gateways. IPSec implements signaling authentication and encryption to Cisco IOS MGCP and H.323 gateways.

For secure signalling between CUCM and phone you will need to put the cluster into mixed mode, for that you can use the tokenless option as described here

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

Regarding UCCX, To secure the media streams between the application and CTIManager, add the application users or the end users to the Standard CTI Allow Reception of SRTP Key Material user group in Cisco Unified Communications Manager Administration. If these users also exist in the Standard CTI Secure Connection user group and if the cluster security mode equals Mixed Mode, CTIManager establishes a TLS connection with the application and provides the key materials to the application in a media event.

The following section of the CUCM security guide covers pretty much everything about CTI/JTAP/TAPI related config for security

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_010111.html

Gateway/Trunk related config is explained here

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_011010.html

For Voice ports meant for Unity Connection it is covered here

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_01111.html

The secure Collaboration end to end architecture is explained well in the following ppt

http://www.cisco.com/web/offer/emear/38586/images/Presentations/P6.pdf

My suggestion is to start with CUCM config first, then you can secure the gateway/trunk side and then complete the CUC/UCCX related config.

HTH

Manish

View solution in original post

Manish Gogna · ‎04-26-2017

Hi Paul,

Signalling between CUCM and gateways is protected through IPSEC and RTP through sRTP.

IP Security (IPSec) provides secure and reliable data transfer between Cisco Unified Communications Manager and gateways. IPSec implements signaling authentication and encryption to Cisco IOS MGCP and H.323 gateways.

For secure signalling between CUCM and phone you will need to put the cluster into mixed mode, for that you can use the tokenless option as described here

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

Regarding UCCX, To secure the media streams between the application and CTIManager, add the application users or the end users to the Standard CTI Allow Reception of SRTP Key Material user group in Cisco Unified Communications Manager Administration. If these users also exist in the Standard CTI Secure Connection user group and if the cluster security mode equals Mixed Mode, CTIManager establishes a TLS connection with the application and provides the key materials to the application in a media event.

The following section of the CUCM security guide covers pretty much everything about CTI/JTAP/TAPI related config for security

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_010111.html

Gateway/Trunk related config is explained here

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_011010.html

For Voice ports meant for Unity Connection it is covered here

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_01111.html

The secure Collaboration end to end architecture is explained well in the following ppt

http://www.cisco.com/web/offer/emear/38586/images/Presentations/P6.pdf

My suggestion is to start with CUCM config first, then you can secure the gateway/trunk side and then complete the CUC/UCCX related config.

HTH

Manish

Bernardo34 · ‎06-17-2018

I am struggling with the UCCX integration. inbound calls with SRTP do not work.

I have assigned the Standard CTI Allow Reception of SRTP Key Material and Standard CTI Secure Connection user group to the UCCXCTI User and have restarted CTI Manager.

but then CTI Route Points are not registering.

I guess i have to create a Application User CAPF Profile but how can i install the Certificate?

with the jtapi client it seems not to work.

also i found other support forum message stating that SRTP is not supported?

can you please clarify?

best regards,

Bernhard

Paul Austin · ‎04-26-2017

Hi Manish, Excellent.

Many Thanks