Cisco Systems ASA 5580 User Manual

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 17: Configuring the TLS Proxy for Encrypted Voice Inspection
This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection 
feature.
This chapter includes the following sections: 
Information about the TLS Proxy for Encrypted Voice Inspection
End-to-end encryption often leaves network security appliances “blind” to media and signaling traffic, 
which can compromise access control and threat prevention security functions. This lack of visibility can 
result in a lack of interoperability between the firewall functions and the encrypted voice, leaving 
businesses unable to satisfy both of their key security requirements.
The ASA is able to intercept and decrypt encrypted signaling from Cisco encrypted endpoints to the 
Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and 
access control. It can also ensure confidentiality by re-encrypting the traffic onto the Cisco UCM servers. 
Typically, the ASA TLS Proxy functionality is deployed in a campus unified communications network. 
This solution is ideal for deployments that use end-to-end encryption and firewalls to protect Unified 
Communications Manager servers.
Decryption and Inspection of Unified Communications Encrypted Signaling 
With encrypted voice inspection, the security appliance decrypts, inspects and modifies (as needed, for 
example, performing NAT fixup), and re-encrypts voice signaling traffic while all of the existing VoIP 
inspection functions for Skinny and SIP protocols are preserved. Once voice signaling is decrypted, the 
plaintext signaling message is passed to the existing inspection engines.
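
The NAT fixup mentioned above depends on the signaling being in plaintext, because SIP carries endpoint addresses inside its headers and SDP body, and changing them changes the body length. The following Python example is added here for illustration and is not Cisco code or the ASA's implementation; the message, addresses and function names are constructed, and it rewrites only the Via and Contact headers and the SDP o=/c= lines.

```python
import re

def build_invite(phone_ip: str) -> str:
    """Constructed sample: a SIP INVITE as it looks after TLS decryption."""
    body = ("v=0\r\n"
            f"o=- 1 1 IN IP4 {phone_ip}\r\n"
            "s=-\r\n"
            f"c=IN IP4 {phone_ip}\r\n"
            "t=0 0\r\n"
            "m=audio 24680 RTP/AVP 0\r\n")
    head = ("INVITE sip:2001@ucm.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/TLS {phone_ip}:5061;branch=z9hG4bKconstructed\r\n"
            f"Contact: <sip:1001@{phone_ip}:5061;transport=tls>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n")
    return head + "\r\n" + body

def nat_fixup(message: str, real_ip: str, mapped_ip: str) -> str:
    """Rewrite embedded addresses in a plaintext SIP message (hypothetical helper)."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete SIP message: no header/body separator")
    # Match the address only as a whole token, so 10.1.1.2 never hits 10.1.1.20.
    addr = re.compile(r"(?<![\d.])" + re.escape(real_ip) + r"(?![\d.])")
    # SDP origin (o=) and connection (c=) lines tell the peer where to send media.
    body = "\r\n".join(
        addr.sub(mapped_ip, ln) if ln.startswith(("o=", "c=")) else ln
        for ln in body.split("\r\n"))
    out = []
    for ln in head.split("\r\n"):
        name = ln.partition(":")[0].strip().lower()
        if name in ("via", "contact"):
            ln = addr.sub(mapped_ip, ln)
        elif name == "content-length":
            # The body may have changed size, so the header must be recomputed.
            ln = f"Content-Length: {len(body.encode())}"
        out.append(ln)
    return "\r\n".join(out) + sep + body

if __name__ == "__main__":
    # Addresses are constructed: private phone address mapped to a documentation range.
    print(nat_fixup(build_invite("10.1.1.20"), "10.1.1.20", "192.0.2.20"))
```

Without decryption none of these fields are visible to the firewall, which is why the proxy must terminate TLS before the existing inspection engines can apply the rewrite.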