Cisco Cisco Expressway 维护手册
Testing Secure Traversal
This utility tests whether a secure connection can be made from the Expressway-C to the Expressway-E. A secure
connection is required for a Unified Communications traversal zone, and is optional (recommended) for a normal
traversal zone.
connection is required for a Unified Communications traversal zone, and is optional (recommended) for a normal
traversal zone.
If the secure traversal test fails, the utility raises a warning with appropriate resolution where possible.
1.
On the Expressway-C, go to Maintenance > Security certificates > Secure traversal test.
2.
Enter the FQDN of the Expressway-E that is paired with this Expressway-C.
3.
Enter the TLS verify name of this Expressway-C, as it appears on the paired Expressway-E.
This setting is in the SIP section of the Expressway-E's traversal zone configuration page.
4.
Click Test connection.
The secure traversal test utility checks whether the hosts on either side of the traversal zone recognize each
other and trust each others' certificate chains.
other and trust each others' certificate chains.
Advanced Security
The Advanced security page (Maintenance > Advanced security) is used to configure the Expressway for use in
highly secure environments. You need to install the Advanced Account Security option key to see this page.
highly secure environments. You need to install the Advanced Account Security option key to see this page.
You can configure the system for:
■
Configuring FIPS140-2 Cryptographic Mode
FIPS140 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules.
FIPS140-1 became a mandatory standard for the protection of sensitive data in 1994 and was superseded by
FIPS140-2 in 2001.
FIPS140-1 became a mandatory standard for the protection of sensitive data in 1994 and was superseded by
FIPS140-2 in 2001.
Expressway X8.8 or later implements FIPS140-2 compliant features.
When in FIPS140-2 cryptographic mode, system performance may be affected due to the increased cryptographic
workload.
workload.
Prerequisites
Before you enable FIPS140-2 mode:
■
Ensure that the system is not using NTLM protocol challenges with a direct Active Directory Service
connection for device authentication; NTLM cannot be used while in FIPS140-2 mode.
connection for device authentication; NTLM cannot be used while in FIPS140-2 mode.
■
If login authentication via a remote LDAP server is configured, ensure that it uses TLS encryption if it is using
SASL binding.
SASL binding.
■
The Advanced Account Security option key must be installed.
FIPS140-2 compliance also requires the following restrictions:
■
System-wide SIP transport mode settings must be TLS: On, TCP: Off and UDP: Off.
■
All SIP zones must use TLS.
■
You can cluster Expressways that have FIPS140-2 mode enabled, but the cluster is not FIPS140-2 compliant.
267
Cisco Expressway Administrator Guide
Maintenance