Call manager 4.1.3 & Phone Proxy deployment

Nov 5th, 2008

Hey guys,


We have CCM v4.1.3 and ASA 8.0(4) and are looking to implement (or attempt) Phone proxy/TLS proxy. Essentially we'd like to know if anyone has "successfully" deployed TLS proxy/phone proxy through the ASA v8 to CCM v4.1.3 or do we need to upgrade to a later version of CCM?


Any info, gotchas etc. much appreciated.


Pete


p.weighand Fri, 11/07/2008 - 06:53

Ok we have deployed the config on to the ASA 8.0(4) hardware but the certificate install onto CCM4 is problematic. The documentation I am using for the config is using CCM6 and the options for installing the certificate are nowhere to be seen in CCM4.


Anyone configured this with CCM4 or am I wasting my time with this version of CCM?


Any help appreciated guys.


Pete

edip.gumuskaya Fri, 11/14/2008 - 07:27

I'm in the same boat as you. Which documentation are you following?

p.weighand Fri, 11/14/2008 - 07:40

I've been using the following white paper:


http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns165/ns391/white_paper_c11-493584.html


It's not specific to CCM 4 but I don't have much in the way of documentation for this specific setup from what I've searched thus far.


I've configured our test CUCM6 server and now have the issue with the CTL client install asking for a usb secure token, a token we don't actually have and have never created or requested.


I'll let you know if I get any further.


Pete

solokalina Sun, 11/30/2008 - 06:18

Pete

Did you ever get this working on CM 4.1.3 and ASA 8.0(4)?

I have it working on CM 7 but not 4.1.3.


p.weighand Wed, 12/03/2008 - 00:56

I'm afraid not. I got most of the way on CCM6 but nowhere on v4.1.3.


This has taken a back seat at the moment whilst we deploy MPLS with Juniper kit :(


I'll return to this hopefully over the coming weeks.


Pete



solokalina Tue, 12/02/2008 - 10:44

Have this working in CM 4.1 and ver 7.

To make it work on CM ver 4.1.3, used the PEM CA from CUCM ver 7.

redrobish Wed, 12/03/2008 - 18:33

I am in the same situation, hopefully someone has done it on CM4.1(3).


BTW,


My ASA has an existing IPsec VPN; will adding the phone proxy work?


Thanks

solokalina Wed, 12/03/2008 - 19:56

CM 4.1.3 works with ASA 8.0(4). Use this link: http://supportwiki.cisco.com/ViewWiki/index.php/ASA_Phone_Proxy_sample_configuration_via_ASDM


When it says to load files from CM 4.1.3 to create trustpoints, I used the same files from CUCM 7.0.


Rate this post, it works.


Step 7 from the above doc:


It is necessary to load the Cisco Manufacturer CA certificates onto the firewall so that phones that use MIC certificates and the firewall can make a secure connection. Therefore, we'll create a trustpoint for each of the CA certificates CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA. These CA certificates can be downloaded from the Call Manager by doing the following (these steps might be different depending on the Call Manager version):


I used the files that were on CUCM ver 7.





redrobish Wed, 12/03/2008 - 20:15

Hi solokalina,


Nice to hear that! But how can I grab the files from CUCM 7.0 when we don't have that version?


Will a copy from others work?


Thanks

davidstevenscisco Thu, 12/11/2008 - 00:35

Hi, I am trying to get phone proxy working with 4.2. I can find the Cisco_Manufacturing_CA but there is no CAP_RTP_001 and CAP_RTP_02 on our 4.2 CCM server. Are you saying I can use the certificates from another UCM such as Ver 6?


Thanks


David Stevens

redrobish Tue, 01/06/2009 - 23:53

Hi solokalina,


Hope you can give us a workaround on how to get CA certificates from CM ver 7. We only have CM ver 4.1(3).


Will a copy from another ver 7 work on our current ver (4.1)?


thanks

redrobish Tue, 01/20/2009 - 20:37

Hi experts,


I tried the phone proxy on our ASA. The phone already downloaded the CTL but somehow cannot get the config file from the CM.


debug phone-proxy tftp:

PP: opened 0x36c442fa

PP: y.y.y.y/49161 requesting SEP001E7EEEEEEE.cnf.xml.sgn

PP: Client outside:y.y.y.y/49161 retransmitting request for Config file SEP001E7EEEEEEE.cnf.xml.sgn

PP: opened 0x36c442fa

PP: y.y.y.y/49161 requesting SEP001E7EEEEEEE.cnf.xml.sgn

PP: Client outside:y.y.y.y/49161 retransmitting request for Config file SEP001E7EEEEEEE.cnf.xml.sgn

PP: opened 0x36c442fa

PP: y.y.y.y/49161 requesting SEP001E7EEEEEEE.cnf.xml.sgn

PP: Client outside:y.y.y.y/49161 retransmitting request for Config file SEP001E7EEEEEEE.cnf.xml.sgn

PP: opened 0x36c442fa


and the status message on the phone is:

TFTP not authorized


hopefully someone can help me out!


thanks


benharned Mon, 02/23/2009 - 08:46

In same situation with 4.2. Wondering where to get the cert files from 7.0 (or 6) as you mention w/o it loaded anywhere.

redrobish Mon, 02/23/2009 - 15:39

I have mine working with 4.1(3). I only used the CiscoCA, CiscoRootCA2048 and CiscoManufacturingCA from my CM. I didn't get any cert files from 7.0 or 6.0. It'll work, just get it from your CM cert files...


hth

calmichael Tue, 03/03/2009 - 19:07

You can actually use the three certificates from the wiki document as they are manufacturer certificates, meaning that they are not unique per install.


Or you can spelunk your system for the CiscoCA.pem file (CAP-RTP-001), one of the tokenized filenames ending in .0 ext (CAP-RTP-002), and either of the two CiscoManufacturingCA.pem or another of the tokenized filenames ending in the .0 ext is the third.


This works with CCM 4.2(3) fine though I wouldn't mind figuring out how to use http-proxy to beat the directory/services/information button issue.


Cheers
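
An added example (not part of the thread and not Cisco's code) of the file hunt described in the reply above: it reads the subject CN and SHA-256 fingerprint of every `.pem` and hash-named `.0` file in a directory, so the three manufacturer CAs can be picked out before they are loaded as trustpoints. The CN strings in `WANTED` are an assumption taken from the trustpoint names on this page, and the directory argument is whatever folder the files were copied to.

```shell
#!/bin/sh
# Added example: map certificate files copied from a CallManager to the
# trustpoint names used in the thread by reading each file's subject CN.
# Assumption: the subject CNs are "CAP-RTP-001", "CAP-RTP-002" and
# "Cisco Manufacturing CA" (derived from the trustpoint names on this page).
WANTED='CAP-RTP-001|CAP-RTP-002|Cisco Manufacturing CA'

# Print the subject CN of one PEM certificate, or nothing if it does not parse.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n -e 's/^subject= *//' -e 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the SHA-256 fingerprint, for comparison with a copy from another source.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# For every *.pem and *.0 file in DIR print:
#   file <TAB> subject CN <TAB> SHA-256 fingerprint <TAB> note
label_certs() {
  lc_dir=$1
  for lc_f in "$lc_dir"/*.pem "$lc_dir"/*.0; do
    [ -f "$lc_f" ] || continue        # unmatched glob or not a regular file
    lc_cn=$(cert_cn "$lc_f")
    if [ -z "$lc_cn" ]; then
      lc_note='unreadable or no CN'
    elif printf '%s\n' "$lc_cn" | grep -Eqx "$WANTED"; then
      lc_note='manufacturer CA'
    else
      lc_note='other'
    fi
    printf '%s\t%s\t%s\t%s\n' \
      "${lc_f##*/}" "${lc_cn:--}" "$(cert_fp "$lc_f")" "$lc_note"
  done
}

# Usage: label_certs /path/to/copied/certs
```

Because these certificates are not unique per install, a file taken from your own CallManager and the copy from the wiki document should show the same fingerprint for the same CN.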

