CUCM & Phone Proxy

Unanswered Question
Jun 13th, 2011

I'm looking to have a go with the ASA phone proxy.

I've found lots of stuff on the web about configuring the ASA side of things. The thing I can't find, is how you tell the phone the external TFTP IP address.

One person says it's something you have to statically configure into the phone. I don't like the idea of that - doesn't make it very user friendly. Especially when you then have to de-configure this if you bring the phone back into the office.

Another person one time told me that you can put the information "somewhere" into CUCM (I'm on 8.0.3) and it will provision the info down to the phone. (Assuming the phone is in the office before going out)

Can anyone help ? Google just keeps on giving me ASA configuration guides :-(

Ta,

GTG

Rob Huffman Mon, 06/13/2011 - 07:07

Hi Gordon,

Adding or Editing the TFTP Server for a Phone Proxy

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Step 1 Open the Configuration > Firewall > Unified Communications > Phone Proxy pane.

Step 2 Check the Enable Phone Proxy check box to enable the feature.

Step 3 To add or edit the TFTP Server information for the phone proxy, click the Add or Edit button. The Add/Edit TFTP Server dialog box appears.

Use the Add/Edit TFTP Server dialog box to specify the IP address of the TFTP server and the interface on which the TFTP server resides.

The Phone Proxy must have at least one CUCM TFTP server configured. Up to five TFTP servers can be configured for the Phone Proxy.

The TFTP server is assumed to be behind the firewall on the trusted network; therefore, the Phone Proxy intercepts the requests between the IP phones and TFTP server.

Note If NAT is configured for the TFTP server, the NAT configuration must be configured prior to specifying the TFTP server while creating the Phone Proxy instance.

Step 4 In the TFTP Server IP Address field, specify the address of the TFTP server. Create the TFTP server using the actual internal IP address.

Step 5 (Optional) In the Port field, specify the port the TFTP server is listening in on for the TFTP requests. This should be configured if it is not the default TFTP port 69.

Step 6 In the Interface field, specify the interface on which the TFTP server resides. The TFTP server must reside on the same interface as the Cisco Unified Call Manager (CUCM).

Step 7 Click OK to apply the settings.

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/unified_comm_phoneproxy.pdf

Cheers!

Rob

lusandi Wed, 07/13/2011 - 10:57

Gordon,

I would like to let you know that the alternate TFTP server has to be configured on the phone itself by the user:

Phone Configuration and Tasks

  • To perform a soft-restart of the phone, press "* * # * *" from the "Settings" menu

Setting the tftp-server

  • To set the TFTP server on the phone, do the following

  1. Press the "Settings" button
  2. Choose "3 - Network Configuration"
  3. Press "* * #" to unlock the phone. You will see the lock icon in the upper right of the phone change to an unlocked symbol.
  4. Ensure that option "24 Alternate TFTP" (on older phones it might be option 32) is set to "YES"
  5. Set the correct TFTP server address under option "8 TFTP Server 1"

Deleting the CTL file on the phone

  1. Press the "Settings" button
  2. Choose "6 - Security Configuration"
  3. Unlock the phone with "* * #"
  4. Choose "5 - CTL file"
  5. Press the "Erase" button

Viewing the status messages on the phone

  1. Press the "Settings" button
  2. Choose "5 - Status"
  3. Choose "1 - Status Messages"

I hope this will be helpful.

Regards,

Luis Sandi

Joe Martini Wed, 07/13/2011 - 13:08

You have to either manually set the TFTP (alternate TFTP) on the phone or you would have to have control over the user's DHCP server options if they are using DHCP. This would often mean for a home user configuring a TFTP option 150 or option 66 on their home router to pass it to the phone manually. There's no way to set anything on CUCM or the ASA to pass the TFTP address to the phone; the TFTP address is how you point your device to CUCM, or in this case the ASA, to then get its configuration. You could set a manual TFTP on the phone locally in the office and then have the user take the phone home; that way the alternate TFTP would be saved ahead of time.
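
Added example, not part of Joe's reply: a small decoder for the two DHCP options he names, to check from a captured lease which TFTP server a phone would be handed. It assumes the option bytes start right after the DHCP magic cookie; the function names and the sample bytes (built around the documentation address 203.0.113.10) are constructed for illustration.

```python
import ipaddress


def tftp_from_dhcp_options(options: bytes) -> dict:
    """Walk the DHCP option TLVs and return option 66 (TFTP server name,
    a string) and option 150 (a list of IPv4 TFTP server addresses)."""
    found = {"option66": None, "option150": []}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:      # pad option: a single byte with no length
            i += 1
            continue
        if code == 255:    # end option
            break
        if i + 1 >= len(options):
            raise ValueError(f"option {code}: missing length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        if code == 66:
            found["option66"] = value.rstrip(b"\x00").decode("ascii")
        elif code == 150:
            if length == 0 or length % 4:
                raise ValueError("option 150: length must be a multiple of 4")
            found["option150"] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                                  for j in range(0, length, 4)]
        i += 2 + length
    return found


def points_only_at(options: bytes, expected: str) -> bool:
    """True when every TFTP value in the lease equals the expected address."""
    got = tftp_from_dhcp_options(options)
    values = got["option150"] + ([got["option66"]] if got["option66"] else [])
    return bool(values) and all(v == expected for v in values)


# Constructed lease options: subnet mask (1), option 66, option 150, end.
SAMPLE = (bytes([1, 4, 255, 255, 255, 0])
          + bytes([66, 12]) + b"203.0.113.10"
          + bytes([150, 4, 203, 0, 113, 10])
          + bytes([255]))
```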

Haitham Hadad Wed, 07/13/2011 - 13:13

Hi,

It is good to know that phone proxy is working with old CUCM versions.

I was thinking it is only in 8.

Only need to show some security words to understand this topic well.

I now have a CUCM 6.1, IP phones 7945/65/75 and the needed ASA version.

I see that I need to create a trust list, which creates a CTL file to be given to the IP phones via TFTP so that they are trusted when trying to connect.

The phone can have TLS on itself or use the TLS proxy.

I only need to know how to create this trust list, then the CTL file, and how to use it. I think I'll get it from the ASA to import into the CUCM OS page certificates, which will be sent to the IP phones.

And what does CAPF mean?

Finally, what do I need in my network [CUCM and ASA] to try this phone proxy?

Regards

lusandi Wed, 07/13/2011 - 13:26
To configure the CTL file:

ctl-file ctl_phoneproxy_file

record-entry cucm-tftp trustpoint phoneproxy_trustpoint address (Public IP of CUCM)  
record-entry capf trustpoint capf_trustpoint address (Public IP of CUCM)
no shut

With that you create the CTL file that will tell the phones which call managers they can use.

To configure the TLS proxy:

tls-proxy ASA-tls-proxy
server trust-point _internal_PP_ctl_phoneproxy_file

The server trust point needs this format: _internal_PP_(Name of CTL FILE)

CAPF stands for Certificate Authority Proxy Function (This will be used to provision the LSC certificate to old phones like 7960 and 7940)

For your deployment it will not be required which means that you do not need this line on the CTL file:
record-entry capf trustpoint capf_trustpoint address (Public IP of CUCM) 

I hope this will be helpful.

Regards,

Luis Sandi


Haitham Hadad Wed, 07/13/2011 - 15:49

Extremely helpful.

To configure this CTL file:

1. Do I configure these commands above on the ASA, and then the ASA generates the CTL file?

2. How do I send this CTL file to the phone via TFTP?

3. Also, I think I need to enable the IP phone VPN feature on the ASA besides the premium SSL VPN license.

Finally, is there a demo license for my ASA from Cisco to test this feature?

Thanks & Best Regards

lusandi Wed, 07/13/2011 - 16:02

1. Do I configure these commands above on the ASA, then ASA generate the CTL file ?

On the ASA you configure the following:

ctl-file ctl_phoneproxy_file
record-entry cucm-tftp trustpoint phoneproxy_trustpoint address (Public IP of CUCM)  
record-entry capf trustpoint capf_trustpoint address (Public IP of CUCM)
no shut

When you do the no shutdown the ASA will write the CTL file on flash.

2. How to send this CTL file to the phone via tftp ?

You need to point the IP phone to the public IP address you have configured to be the translation of the CUCM.

3. Also I think I need to enable IP phone VPN feature on the ASA beside the premium SSL VPN license

Phone VPN and Phone Proxy are different features, and for the Phone Proxy feature you will have 2 licenses on your ASA that you can use to test up to two remote phones.

Here is the configuration example for ASA on version 8.0

https://supportforums.cisco.com/docs/DOC-5704

I hope this will be helpful.

Regards,

Luis Sandi
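
Added example, not part of the posts above or of Cisco's tooling: a check over an ASA configuration excerpt for the two points Luis makes in his replies, that the tls-proxy server trust-point must be named _internal_PP_ plus the ctl-file name, and that the CTL file is only written once the ctl-file block has its "no shut". It also flags a record-entry address left as a placeholder. The function name and both sample excerpts are constructed for illustration; 203.0.113.10 is a documentation address.

```python
import re

PREFIX = "_internal_PP_"  # trust-point prefix given in the thread

def lint_phone_proxy(config):
    """Return findings for the ctl-file / tls-proxy pairing in a config excerpt."""
    ctl, refs, section = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ctl-file (\S+)", line):
            section = ("ctl", m.group(1))
            ctl[m.group(1)] = {"entries": [], "enabled": False}
        elif m := re.fullmatch(r"tls-proxy (\S+)", line):
            section = ("tls", m.group(1))
        elif section and section[0] == "ctl":
            if m := re.fullmatch(r"record-entry (\S+) trustpoint (\S+) address (.+)", line):
                ctl[section[1]]["entries"].append((m.group(1), m.group(3)))
            elif re.fullmatch(r"no shut(down)?", line):
                ctl[section[1]]["enabled"] = True
        elif section and section[0] == "tls":
            if m := re.fullmatch(r"server trust-point (\S+)", line):
                refs.append((section[1], m.group(1)))
    findings = []
    for name, c in ctl.items():
        if not c["enabled"]:
            findings.append(f"ctl-file {name}: missing 'no shutdown', CTL file is not written")
        for role, addr in c["entries"]:
            if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", addr):
                findings.append(f"ctl-file {name}: {role} address {addr!r} is not a dotted-quad address")
    for proxy, tp in refs:
        if not (tp.startswith(PREFIX) and tp[len(PREFIX):] in ctl):
            findings.append(f"tls-proxy {proxy}: trust-point {tp!r} matches no ctl-file")
    return findings

# Constructed excerpts modelled on the commands quoted in the thread.
GOOD = """\
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 203.0.113.10
 no shut
tls-proxy ASA-tls-proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
"""
BAD = """\
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address (Public IP of CUCM)
tls-proxy ASA-tls-proxy
 server trust-point _internal_PP_ctl_file
"""
```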

Nathan.Hardman Thu, 10/13/2011 - 07:41

Hi All,

Sorry to steal the post.

I'm looking to configure the IP Phone Proxy.

I'm currently using CUCM 8.0.2.3

ASA 5510 running 8.4 - is this compatible with IP Phone Proxy and the CUCM version I am running?

Also, the guides I have been referencing state I may need to configure the IP Phone Proxy Address under Enterprise Parameters on the CUCM. If so, do I put the int or ext address, and do I put anything else in the URL?

Thanks

Nathan

Posted June 13, 2011 at 6:46 AM