Support for SSL VPN client on 7942, 7945, 7962, 7965, and 7975

Unanswered Question
Feb 23rd, 2010

I have noticed that the SSL VPN client capability was added to the 7942, 7945, 7962, 7965, and 7975G phones in phone load release 9.0(2). This feature is also supported on the SPA525G phones. The release notes for this phone load release can be found at the URL below:

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/firmware/9_0_2/english/release/notes/7900_902SR1.html

The SSL VPN client is currently supported on the SPA525G phones on the UC500 platform. When will a 9.0(2) or later phone load for TNP phones be included in the UC500 software pack?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marcos Hernandez Wed, 02/24/2010 - 05:41

We are looking into this, but there is not a timeframe for implementation. For now, SPA525G is the choice for UC500 integration. The Phone VPN Wizard in the new CCA will be released this Friday. With just a few clicks, you will be able to provision the SSL VPN Client feature.


Thanks,

Marcos

Jesus Sanchez Wed, 09/01/2010 - 23:26

Do you know if a PC is connnected to the PC port of one of those IP Phones, if DHCP is configured, does it take an address of my remote network or does it takes an address from, for example, my ADSL router?

What i mean is, if the PC can use the VPN tunnel that the IP Phone built or not.

Regards!

Jesus Sanchez Thu, 04/07/2011 - 08:48

Hi,

I asked some folk from Cisco and they told me that PC port does not use the VPN tunnel. So, the PC will be assigned with your local IP addressing scheme (if DHCP is enabled) and will be connected directly to internet and not to your coporate network.

e.cormier Tue, 11/02/2010 - 08:45

Any update on SSL VPN Support with the 79X2, 79X5 phones with a UC500? Or maybe it can do the SSL VPN to the ASA but still register to a UC500 behind it? We are a cisco partner and have a customer with many 7965 phones and this will be a great option for them.  Knowing Cisco, it is probably technically feasible but the marketing people will tell us that's why they have the SPA525 phone for the UC500 line.  Any input will be appreciated, thank you.

John Platts Tue, 11/09/2010 - 12:05

The SSL VPN client capability on the 7942G, 7945G, 7962G, 7965G, and 7975G phones is supported in Cisco Unified CME 8.5 and later. There are actually new commands that can be used to enable the SSL Client on the 7942G, 7945G, 7962G, 7965G, and 7975G phones in CME 8.5 and later. However, I do not know when CCA will support the new SSL VPN client commands introduced in CME 8.5.

John Platts Tue, 11/09/2010 - 17:47

The latest available version of the UC500 software pack release is the 8.0.4 software pack release. The 8.1.0 software pack, which will include CME 8.1, is planned for release in the next few weeks. For UC500 platforms, the 8.5.0 software pack (which is still a few months away from final release) will include the updated IOS image that includes CME 8.5.

e.cormier Wed, 12/22/2010 - 15:18

Good news, I followed the doc on configuring SSL VPN on SCCP IP Phones with CME 8.5, and with my ASA5505 and 2811 CME router, my 7975 phone SSL VPN'd into my network and worked.  Now is there a doc that shows how to configure the 2811 so the phone will SSL VPN directly to it?  Meaning, is an ASA required for the SSL VPN client to work with the VPN phones?  It seems it should be possible for an ISR router to act as the SSL VPN server for the phones.  I assume it must be some how since this feature will be possible on the UC500 products.

pquarenghi Thu, 03/10/2011 - 10:36

RE: "Good news, I followed the doc on configuring SSL VPN on SCCP IP Phones with CME 8.5, and with my ASA5505 and 2811 CME router, my 7975 phone SSL VPN'd into my network and worked"

Can you share a pointer to this document?

pquarenghi Thu, 03/10/2011 - 13:16

I'm looking to ensure that I can use a 7942G IP Phone as a SSL VPN client with an 3945E ISR running CME.  I assume I'll need an ASA55xx on the head-end.  What licensing is required?

e.cormier Thu, 03/10/2011 - 13:25

It is part of the CUCME Admin guide, http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevpn.html

My testing was with a 2811 ISR router, CME 8.5 is not available on the UC500 yet.

I will also mention I did get the VPN phone to work with certificate authentication.  At last check, this is still not documented by Cisco anywhere so it took quite a bit of trial and error.  The process is to first get the phones to be authenticated locally following the CME security doc, then establish the trust between the 2811 and the ASA as it described in the link above, then change the ASA VPN group to use certificate authentication.  This makes for a very eloquent end user solution where they simply have to plug in the phone to an internet connection.  I actually used it from a hotel wireless network through my laptop using internet sharing for port 443 only.  It worked fine.

Mohamed Shameer... Wed, 04/04/2012 - 14:01

Hi

Can you please share some ASA and CME side configuration for this remote SSL vpn phone.

I have beed trying to acoomplish this for nearly a week now.

Certificate is properly authenticating between CME and ASA. even web Vpn is working fine.

But cannot get the phones to work from remote broadband home router.

As soon as i entered username/password, i get authentication fail message.

If i use a certificate authentication method do i need to enter user/pass under Vpn configuration menu. or the phones will just register automatically.

Thanks shameer

seandickson Tue, 04/24/2012 - 19:08

Has anyone had any luck with this?  I am running into an issue that seems to be related to the use of an existing self-signed signature that is in use for other SSL VPN users.  Is there a way, on CUCME, to store a certificate and trust it on the IP phones?  I see this functionality on CUCM but I am having trouble finding a way to do this on CUCME.

Sean Dickson

Rick Mancinelli Wed, 04/25/2012 - 04:11

Back to the original question... does anyone know when SSL VPN capabilities for 79xx phones will be supported on the UC540/60?   This is TNP firmware 9.x.

Thanks in advance!

Rick

Paolo Bevilacqua Wed, 04/25/2012 - 05:03

I don't know and don't comment the Cisco offical statement on the matter, but It should work fine especially with latest IOS, 12.4(4)M4.

There is a chapter about it, quite consuing and not so clear, in the Administrator Guide.

Rick Mancinelli Wed, 04/25/2012 - 05:12

Paolo-  the SPA 525 g2 is supported in the current UC5xx release, but my understanding is that the 79xx phones are not.   This support requires CME 8.5 and the UC5xx platform is still stuck on 8.0.x. 

The new release is supposed to be CME 8.6 (if it ever actually releases!) but I would like to hear from Cisco that SSL VPN for 79xx WILL or WILL NOT be supported.   I'm not ready to go on another Cisco led wild goose chase....

Paolo Bevilacqua Wed, 04/25/2012 - 10:50

As mentioned in other threads, 8.6 is released as beta now and shortly to everyone..

I've still have to complete testing with a 7945 on the same identical IOS version, using an ISR router.

Once I have done that, I'll report here.

kevinsoliz Thu, 09/06/2012 - 04:37

Any updates for offical spport for SSL VPN on 79xx phones on the UC500?   We have several situations where this would be extremely helpful.

Paolo Bevilacqua Thu, 09/06/2012 - 07:22

From my understanding, it should work already.

The issue is that one has first to configure the phones as local secure phones, due to that onerous requirement, I haven't completed my testing yet.

gregatatt Thu, 04/25/2013 - 10:33

Any new information/update on this topic?

If it is supported, is there a config doc available?

Thanks!

ripratt Fri, 05/10/2013 - 09:35

Correction:   The Small Business Support Center does NOT support SSL VPN on the UC500 using a 79xx phone.   The only supported SSL VPN phone on the UC500 is a SPA525g(2).    We will NOT be able to assist a customer attempting to use a 79xx phone for a SSL VPN connection either via CCA or CLI.

Thanks....Richard....SBSC supervisor.

gregclarkson Tue, 05/14/2013 - 15:41

As we might not receive the same level of help as you did given it is not officially supported, can you please provide configuration examples for us to follow?

thanks in advance.

fredsson1 Sun, 08/11/2013 - 02:10

i would love to see a sample config, too.

thanks in andvance. This topic is still relevant for me.

Actions

This Discussion

Related Content