Cisco Cisco TelePresence Video Communication Server Expressway
Update Device Profiles to Encrypt Calls to Unified CM-registered Endpoints
Endpoints registered to Unified CM need to be configured with a "SIP Secure profile" to provide encrypted media and
call negotiation. If such profiles are not available by default, create them at System > Security > Phone Security. On
the secure profiles, you must set Device Security Mode to Encrypted.
call negotiation. If such profiles are not available by default, create them at System > Security > Phone Security. On
the secure profiles, you must set Device Security Mode to Encrypted.
for further information on using the Cisco CTL Client and configuring
Unified CM for secure communications.
Update the VCS Neighbor Zone to Unified CM to Use TLS
Note that VCS will report that the Unified CM zone is active even while it is communicating with Unified CM over TCP.
The changes below are necessary to enable communications over TLS.
The changes below are necessary to enable communications over TLS.
On VCS:
1.
Go to Configuration > Zones > Zones, then select the zone to Unified CM.
2.
Configure the following fields:
SIP section
Port
5061
Transport
TLS
TLS verify mode
On
Authentication trust mode
Off
Leave other parameters as previously configured.
3.
Click Save.
Verify That the TLS Connection is Operational
To verify correct TLS operation, check that the VCS zone reports its status as active and then make some test calls.
1.
Check the VCS zone is active:
a.
Go to Configuration > Zones > Zones.
b.
Check the SIP status of the zone.
If the zone is not active, try resetting or restarting the trunk again on Unified CM.
2.
Make a test call from a VCS registered endpoint to a Unified CM phone.
3.
Make a test call from a Unified CM phone to a VCS registered endpoint.
Choose how to route from other VCSs to Unified CM
If there is a network of VCSs behind this VCS neighbored to Unified CM, then, either:
■
Unified CM must trust the certificates of all the VCSs in the network ('optimal' routing mode), or
■
The VCS neighbor zone to Unified CM must 'always' route the signaling. In effect this sets up this VCS as a
gateway to Unified CM, and is the preferred option. The Cisco Unified Communications Manager and Cisco
Unified Communications Manager (8.6.1 or later) zone profiles are pre-configured to ‘always’ route the
signaling, thus no additional configuration is required providing one of these profiles is used.
gateway to Unified CM, and is the preferred option. The Cisco Unified Communications Manager and Cisco
Unified Communications Manager (8.6.1 or later) zone profiles are pre-configured to ‘always’ route the
signaling, thus no additional configuration is required providing one of these profiles is used.
33
Cisco VCS SIP Trunk to Unified CM Deployment Guide
Connecting VCS to Unified CM Using TLS