CUCM 8 & Office365

joel.salminen
Level 1

We are currently using Microsoft Unified Messaging with CUCM 8.5 through a SIP trunk. This is working flawlessly and has been for the year now that it has been in place. Kudos to Microsoft and Cisco for good collaboration.

Presently we are looking to move our Exchange service into the Office365 system and eliminate any on-premise installations. That said, we understand that the two systems (CUCM and Exchange) will still work together, but by virtue of traversing the public Internet the SIP trunk needs to be converted to a secure SIP trunk. This is not an issue with the Exchange system, but is creating a lot of problems with our CUCM instance. Because the security for the SIP trunk will be TLS it will require a certificate, and in using certificates both ends will need to trust who provided the certificate. In the case of our on-premise CUCM instance all the certificates are self-signed, and here is the issue. Neither we, nor anyone else, will be able to hand over a self-signed CA to Microsoft to load into the certificate store of the Office365 systems.

Since we cannot hand over our self-signed certs, we need to convert the CUCM self-signed to public CA certificates. I would like to know if this is possible and what is the official (or even unofficial) process to do this?

Microsoft's recommendation is to purchase a session border controller, but I'm not really interested in adding more expense to an architecture that should work if we are able to replace the CUCM certificates.

I appreciate any advice you may have for us.

Thanks

5 Replies

William Bell
VIP Alumni

Joel,

You can replace the self-signed certificates on CUCM with a cert signed by an external CA. I have done that several times. Of course, in all cases I have used an internal (customer provided) CA to generate the server certificates but the process is the same.

Links that should give you more info:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a0080b43504.shtml

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secuview.html#wp1147888

-Bill (http://ucguerrilla.com)

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

In order to generate a public cert, the CSR needs to be 2048-bit. In CUCM 8.5, the only CSR you can generate with a 2048-bit key is the tomcat cert. Can that cert be leveraged by the Secure SIP trunk?

First off, who is saying you cannot use a self-signed certificate? There is nothing magic about a CA-signed certificate; it's just digitally signed by another entity. I would check the documentation to see whether that's actually a documented restriction or not. You can get equal trust between two devices by just exchanging the self-signed certs and trusting them directly vs. implicitly through an issuing CA.

Second, CUCM is not designed to be Internet facing (the customer side of the SIP trunk must be for Exchange UM to do Play via Phone), and the use of TLS will prevent firewalls, even Application Layer Gateways, from performing NAT on the SIP headers (hidden by the TLS tunnel). The recommendation to use an SBC at the edge of your network is consistent from both Microsoft and Cisco and is not unique to Exchange UM.

Third, TLS encryption of the SIP dialog is separate from SRTP encryption of the media payload. Do you want your voicemails passing across the internet in the clear? If not you either need to use an SBC to interwork between RTP and SRTP; or, you have to put the entire CUCM cluster into mixed mode which would be massive overkill.

the tomcat cert. Can that cert be leveraged by the Secure SIP trunk?

No. It would be the CallManager certificate which is per-node. This means each node of your CUCM cluster that is running the CallManager process would need to be trusted by Office 365.

I suggest you reconsider your aversion to an SBC. If you want to use a Cisco product this can be done on ISR hardware using the CUBE software feature.

Please remember to rate helpful responses and identify helpful or correct answers.

Thanks for the explanation, Jon. If we were going to attempt to connect to Office365, we reasoned we would not be able to use a self-signed certificate from CUCM. We know that with an on-premise Exchange server, we'd be able to export the root cert from CUCM and import it into the Exchange server's cert store as a trusted root authority, but I don't think Microsoft would go for importing that same root cert into their Office365 environment.

Overall, great information that answers questions we had.

Aaron,

Good point. I was more focused on answering the general question of using certs from a CA.

SIP communications would use the CallManager cert in the trust store. I believe this is still 1024 bit, as you noted.

-Bill

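Aaron's point that a public CA wants a 2048-bit CSR, and Bill's note that the CallManager cert is still 1024-bit, both come down to checking the RSA key size of a CSR or certificate before anything is sent to a CA. The following is an added example, not code from the thread or from Cisco: a stdlib-only Python check that reads the modulus size out of a DER-encoded CSR or certificate; the `sample_spki` input is a constructed SubjectPublicKeyInfo with a made-up modulus, not a real key.

```python
"""Check the RSA key size in a DER-encoded CSR or certificate (stdlib only).

Hypothetical helper, not Cisco tooling: it locates the rsaEncryption
AlgorithmIdentifier and measures the modulus that follows it, so a CSR can be
checked against the 2048-bit public-CA minimum before it is submitted.
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")             # 1.2.840.113549.1.1.1 rsaEncryption
RSA_ALG_ID = b"\x30\x0d\x06\x09" + RSA_OID + b"\x05\x00"  # SEQUENCE { OID rsaEncryption, NULL }
PUBLIC_CA_MIN_BITS = 2048

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(der):
    """Return the modulus size in bits, or None when no RSA SubjectPublicKeyInfo is found."""
    i = der.find(RSA_ALG_ID)       # signature OIDs such as sha256WithRSAEncryption end in 0x0b, no match
    if i < 0:
        return None
    tag, bitstr, _ = _tlv(der, i + len(RSA_ALG_ID))       # subjectPublicKey BIT STRING follows the alg id
    if tag != 0x03:
        return None
    _, rsa_pub, _ = _tlv(bitstr, 1)                        # skip unused-bits byte; RSAPublicKey SEQUENCE
    tag, modulus, _ = _tlv(rsa_pub, 0)                     # INTEGER modulus is the first element
    return int.from_bytes(modulus, "big").bit_length() if tag == 0x02 else None

def meets_public_ca_minimum(der):
    """True only when the key is RSA and at least PUBLIC_CA_MIN_BITS long."""
    bits = rsa_key_bits(der)
    return bits is not None and bits >= PUBLIC_CA_MIN_BITS

# --- constructed test input: a bare SubjectPublicKeyInfo, not a real key pair ---
def _der(tag, content):
    """Encode one TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_spki(bits):
    """Build an SPKI whose modulus is exactly `bits` long (constructed value, not a usable key)."""
    modulus = (1 << (bits - 1)) | 1                        # top bit set, so the INTEGER needs a 0x00 pad
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big"))
                   + _der(0x02, b"\x01\x00\x01"))          # public exponent 65537
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_pub))
```

Feed `rsa_key_bits` the bytes of a real DER CSR or certificate (for PEM input, base64-decode the body between the BEGIN/END lines first); a 1024-bit result is the case Bill describes for the CallManager cert.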
