Unified Phone Proxy Directory/Services Button not working

Unanswered Question
Jan 28th, 2009

After configuring the ASA Phone Proxy feature the user cannot access the Corp Directory or Services buttons. What do we need to do to allow access from an IP Endpoint utilizing the Phone Proxy feature to the corp directory?

Phone URLS in CCM are ip address not NetBios or DNS names.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
abertram Tue, 02/03/2009 - 17:56

The URL queries from an IP handset are just that, http/https queries like any browser would make, so if your standard URL entries for various services point to the internal non-routable IP of your UCM, then the phone sitting remotely would simply try to query this IP/url from wherever it is and obviously not be able to reach it.

When I sat training for this functionality a while ago, the mention of internal services was brought up and I believe the answer at the time was that these services URLs would need to be statically NAT translated to the outside world and then changed for the phone's individual URLs inside of UCM. A slight security risk and exposure yes.

I'm not sure if this has changed but that would be easy enough to accomplish, and for a little bit of security you could use an abscure port number for the URL and translate it on the ASA to the standard port on the inside.

There is also mention of an http-proxy field:

"Setting the proxy server configuration option for the Phone Proxy allows for an HTTP proxy on the DMZ or external network in which all the IP phone URLs are directed to the proxy server for services on the phones. This setting accommodates nonsecure HTTP traffic, which is not allowed back into the corporate network."

I haven't gotten to test this on my ASA however.

TODD BERGMAN Wed, 02/04/2009 - 05:43

I spoke with TAC. So far no feature enhancements are in the works for the ASA PHone proxy feature.

So far the only way I know to offer a slight increase in security is to setup a reverse proxy in the DMZ that proxies the CM's on the inside. At least no direct connections to the CM's but I do not like the fact that the information is still not encrypted. When can we do SSL on the phones???? Cisco?

Joshua Warcop Fri, 02/05/2010 - 15:25

With the following configuration update as outlined below. The ASA will insert a value for "Proxy Server" on a 7900 series phone. You can check this on the phone pressing Settings | Device Configuration | HTTP Configuration | Proxy server. The ASA will insert the global address for the CUCM server and dynamically update the access-list for a registered phone.

You can correct this issue through ASDM or through CLI.

Open ASDM

Expand Firewall | Advanced | Encrypted Traffic Inspection | Phone Proxy

Click "Configure a http-proxy which would be written into the phone's config file so that phone URLs are directed for services on the phone.

Insert the IP address of your CUCM server, port 8080, interface "Inside" (normally).

CLI:

phone-proxy asdm_phone-proxy

proxy-server address X.X.X.X interface inside      (where X.X.X.X = your CUCM server)

riko.arizona Tue, 06/29/2010 - 21:14

Hi.. I have the same problem.

Now it works. Don't forget to add URL in the enterprise parameter for IP Phone proxy address.

Thanks

sweetfait Wed, 04/20/2011 - 04:46

I have changed the field proxy-server address to my internal IP address of ourcall manager.

Do i now put the external proxy address for the cucm in enterprise parameters or can i do it on a per phone basis...?

Actions

This Discussion