Cisco Systems ASA 5580 Manual De Usuario
15-22
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Using the Cisco Unified Communication Wizard
Configuring the UC-IME by using the Unified Communication Wizard
Configuring the Remote-Side Certificates for the Cisco Intercompany Media
Engine Proxy
Engine Proxy
Establishing a trust relationship cross enterprises or across administrative domains is key. Cross
enterprises you must use a trusted third-party CA (such as, VeriSign). The ASA obtains a certificate with
the FQDN of the Cisco Unified Communications Manager server (certificate impersonation).
enterprises you must use a trusted third-party CA (such as, VeriSign). The ASA obtains a certificate with
the FQDN of the Cisco Unified Communications Manager server (certificate impersonation).
For the TLS handshake, the two entities could validate the peer certificate via a certificate chain to
trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA as the TLS proxy
must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that
enterprise, the entity and the ASA could authenticate each other via a local CA, or by using self-signed
certificates.
trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA as the TLS proxy
must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that
enterprise, the entity and the ASA could authenticate each other via a local CA, or by using self-signed
certificates.
To establish a trusted relationship between the ASA and the remote entity, the ASA can enroll with the
CA on behalf of the local enterprise. In the enrollment request, the local Cisco UCM identity (domain
name) is used.
CA on behalf of the local enterprise. In the enrollment request, the local Cisco UCM identity (domain
name) is used.
To establish the trust relationship, the ASA enrolls with the third party CA by using the Cisco Unified
Communications Manager server FQDN as if the security appliance is the Cisco UCM.
Communications Manager server FQDN as if the security appliance is the Cisco UCM.
Note
If the ASA already has a signed identity certificate, you can skip
in this procedure and proceed
directly to
Step 1
In the ASA’s Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.
For information about specifying additional parameters for the certificate signing request (CSR), see
Information dialog boxes appear indicating that the wizard is delivering the settings to the ASA and
retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.
retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.
For information about saving the CSR that was generated and submitting it to a CA, see
Step 2
In the ASA’s Identity Certificate area, click Install ASA’s Identity Certificate.
Step 3
In the Remote Server’s CA’s Certificate area, click Install Remote Server’s CA’s Certificate. Installing
the root certificates of the CA for the remote servers is necessary so that the ASA can determine that the
remote servers are trusted.
the root certificates of the CA for the remote servers is necessary so that the ASA can determine that the
remote servers are trusted.
The Install Certificate dialog box appears. Install the certificate. See
Note
You must install the root certificates only when the root certificates for the remote servers are
received from a CA other than the one that provided the identity certificate for the ASA
received from a CA other than the one that provided the identity certificate for the ASA
Step 4
Click Next.
The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany
Media Engine.
Media Engine.