I have noticed that the SSL VPN client capability was added to the 7942, 7945, 7962, 7965, and 7975G phones in phone load release 9.0(2). This feature is also supported on the SPA525G phones. The release notes for this phone load release can be found at the URL below:
The SSL VPN client is currently supported on the SPA525G phones on the UC500 platform. When will a 9.0(2) or later phone load for TNP phones be included in the UC500 software pack?
We are looking into this, but there is not a timeframe for implementation. For now, SPA525G is the choice for UC500 integration. The Phone VPN Wizard in the new CCA will be released this Friday. With just a few clicks, you will be able to provision the SSL VPN Client feature.
Do you know if a PC is connected to the PC port of one of those IP Phones, if DHCP is configured, does it take an address of my remote network or does it take an address from, for example, my ADSL router?
What I mean is, if the PC can use the VPN tunnel that the IP Phone built or not.
I asked some folk from Cisco and they told me that the PC port does not use the VPN tunnel. So, the PC will be assigned with your local IP addressing scheme (if DHCP is enabled) and will be connected directly to the internet and not to your corporate network.
Any update on SSL VPN Support with the 79X2, 79X5 phones with a UC500? Or maybe it can do the SSL VPN to the ASA but still register to a UC500 behind it? We are a Cisco partner and have a customer with many 7965 phones and this will be a great option for them. Knowing Cisco, it is probably technically feasible but the marketing people will tell us that's why they have the SPA525 phone for the UC500 line. Any input will be appreciated, thank you.
The SSL VPN client capability on the 7942G, 7945G, 7962G, 7965G, and 7975G phones is supported in Cisco Unified CME 8.5 and later. There are actually new commands that can be used to enable the SSL Client on the 7942G, 7945G, 7962G, 7965G, and 7975G phones in CME 8.5 and later. However, I do not know when CCA will support the new SSL VPN client commands introduced in CME 8.5.
That is great news. I see it just came out last Friday, Nov 5th. I cannot find an IOS version for CME 8.5 on the UC500s or ISR 2800s. I will keep checking, I hope it will be available soon.
The latest available version of the UC500 software pack release is the 8.0.4 software pack release. The 8.1.0 software pack, which will include CME 8.1, is planned for release in the next few weeks. For UC500 platforms, the 8.5.0 software pack (which is still a few months away from final release) will include the updated IOS image that includes CME 8.5.
Good news, I followed the doc on configuring SSL VPN on SCCP IP Phones with CME 8.5, and with my ASA5505 and 2811 CME router, my 7975 phone SSL VPN'd into my network and worked. Now is there a doc that shows how to configure the 2811 so the phone will SSL VPN directly to it? Meaning, is an ASA required for the SSL VPN client to work with the VPN phones? It seems it should be possible for an ISR router to act as the SSL VPN server for the phones. I assume it must be somehow since this feature will be possible on the UC500 products.
RE: "Good news, I followed the doc on configuring SSL VPN on SCCP IP Phones with CME 8.5, and with my ASA5505 and 2811 CME router, my 7975 phone SSL VPN'd into my network and worked"
Can you share a pointer to this document?
You may be getting out ahead of us :-)
UC500 doesn't support those phone loads yet.
We do support SSL VPN on SPA525G and G2:
I'm looking to ensure that I can use a 7942G IP Phone as an SSL VPN client with a 3945E ISR running CME. I assume I'll need an ASA55xx on the head-end. What licensing is required?
It is part of the CUCME Admin guide, http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevpn.html
My testing was with a 2811 ISR router, CME 8.5 is not available on the UC500 yet.
I will also mention I did get the VPN phone to work with certificate authentication. At last check, this is still not documented by Cisco anywhere so it took quite a bit of trial and error. The process is to first get the phones to be authenticated locally following the CME security doc, then establish the trust between the 2811 and the ASA as described in the link above, then change the ASA VPN group to use certificate authentication. This makes for a very eloquent end user solution where they simply have to plug in the phone to an internet connection. I actually used it from a hotel wireless network through my laptop using internet sharing for port 443 only. It worked fine.