Cisco Systems and the ASA Services Module Manual De Usuario
17-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection
Information about the TLS Proxy for Encrypted Voice Inspection
The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco UCM. The proxy is
transparent for the voice calls between the phone and theCisco UCM. Cisco IP Phones download a
Certificate Trust List from the Cisco UCM before registration which contains identities (certificates) of
the devices that the phone should trust, such as TFTP servers and Cisco UCM servers. To support server
proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs.
To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco
UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority
on the security appliance.
transparent for the voice calls between the phone and theCisco UCM. Cisco IP Phones download a
Certificate Trust List from the Cisco UCM before registration which contains identities (certificates) of
the devices that the phone should trust, such as TFTP servers and Cisco UCM servers. To support server
proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs.
To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco
UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority
on the security appliance.
TLS proxy is supported by the Cisco Unified CallManager Release 5.1 and later. You should be familiar
with the security features of the Cisco UCM. For background and detailed description of Cisco UCM
security, see the Cisco Unified CallManager document:
with the security features of the Cisco UCM. For background and detailed description of Cisco UCM
security, see the Cisco Unified CallManager document:
TLS proxy applies to the encryption layer and must be configured with an application layer protocol
inspection. You should be familiar with the inspection features on the ASA, especially Skinny and SIP
inspection.
inspection. You should be familiar with the inspection features on the ASA, especially Skinny and SIP
inspection.
Supported Cisco UCM and IP Phones for the TLS Proxy
Cisco Unified Communications Manager
The following releases of the Cisco Unified Communications Manager are supported with the TLS
proxy:
proxy:
•
Cisco Unified CallManager Version 4.x
•
Cisco Unified CallManager Version 5.0
•
Cisco Unified CallManager Version 5.1
•
Cisco Unified Communications Manager 6.1
•
Cisco Unified Communications Manager 7.0
•
Cisco Unified Communications Manager 8.0
Cisco Unified IP Phones
The following IP phones in the Cisco Unified IP Phones 7900 Series are supported with the TLS proxy:
•
Cisco Unified IP Phone 7985
•
Cisco Unified IP Phone 7975
•
Cisco Unified IP Phone 7971
•
Cisco Unified IP Phone 7970
•
Cisco Unified IP Phone 7965
•
Cisco Unified IP Phone 7962
•
Cisco Unified IP Phone 7961
•
Cisco Unified IP Phone 7961G-GE
•
Cisco Unified IP Phone 7960
•
Cisco Unified IP Phone 7945
•
Cisco Unified IP Phone 7942
•
Cisco Unified IP Phone 7941