06-13-2011 06:46 AM - edited 03-16-2019 05:25 AM
I'm looking to have a go with the ASA phone proxy.
I've found lots of stuff on the web about configuring the ASA side of things. The thing I can't find is how you tell the phone the external TFTP IP address.
One person says it's something you have to statically configure into the phone. I don't like the idea of that - doesn't make it very user friendly. Especially when you then have to de-configure this if you bring the phone back into the office.
Another person one time told me that you can put the information "somewhere" into CUCM (I'm on 8.0.3) and it will provision the info down to the phone. (Assuming the phone is in the office before going out)
Can anyone help? Google just keeps on giving me ASA configuration guides :-(
Ta,
GTG
06-13-2011 07:07 AM
Hi Gordon,
Adding or Editing the TFTP Server for a Phone Proxy
Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Step 1 Open the Configuration > Firewall > Unified Communications > Phone Proxy pane.
Step 2 Check the Enable Phone Proxy check box to enable the feature.
Step 3 To add or edit the TFTP Server information for the phone proxy, click the Add or Edit button. The Add/Edit TFTP Server dialog box appears.
Use the Add/Edit TFTP Server dialog box to specify the IP address of the TFTP server and the interface on which the TFTP server resides.
The Phone Proxy must have at least one CUCM TFTP server configured. Up to five TFTP servers can be configured for the Phone Proxy.
The TFTP server is assumed to be behind the firewall on the trusted network; therefore, the Phone Proxy intercepts the requests between the IP phones and TFTP server.
Note: If NAT is configured for the TFTP server, the NAT configuration must be configured prior to specifying the TFTP server while creating the Phone Proxy instance.
Step 4 In the TFTP Server IP Address field, specify the address of the TFTP server. Create the TFTP server using the actual internal IP address.
Step 5 (Optional) In the Port field, specify the port the TFTP server is listening in on for the TFTP requests. This should be configured if it is not the default TFTP port 69.
Step 6 In the Interface field, specify the interface on which the TFTP server resides. The TFTP server must reside on the same interface as the Cisco Unified Call Manager (CUCM).
Step 7 Click OK to apply the settings.
Cheers!
Rob
06-13-2011 07:40 AM
But that's configuring the ASA - not CUCM or the phone!
07-13-2011 10:57 AM
Gordon,
I would like to let you know that the alternate TFTP server has to be configured on the phone itself by the user:
I hope this will be helpful.
Regards,
Luis Sandi
07-13-2011 01:08 PM
You have to either manually set the TFTP (alternate TFTP) on the phone or you would have to have control over the user's DHCP server options if they are using DHCP. This would often mean for a home user configuring a TFTP option 150 or option 66 on their home router to pass it to the phone manually. There's no way to set anything on CUCM or the ASA to pass the TFTP address to the phone; the TFTP address is how you point your device to CUCM, or in this case the ASA, to then get its configuration. You could set a manual TFTP on the phone locally in the office and then have the user take the phone home; that way the alternate TFTP would be saved ahead of time.
07-13-2011 01:13 PM
Hi,
It is good to know that phone proxy is working with old CUCM versions.
I was thinking it is only in 8.
Only need to show some security words to understand this topic well.
I have now a CUCM 6.1 and IP phones 7945/65/75 and the needed ASA version.
I see that I need to create a trust list which creates a CTL file to be given to the IP phones via TFTP to be trusted when trying to connect.
The phone can have TLS on itself or use the TLS proxy.
I only need to know how to create this trust list, then the CTL file, and how to use it. I think I'll get it from the ASA to import into the CUCM OS page certificates, which will be sent to the IP phones.
And what does CAPF mean?
Finally, what do I need in my network [CUCM and ASA] to try this phone proxy?
Regards
07-13-2011 01:26 PM
To configure the CTL file:
ctl-file ctl_phoneproxy_file
record-entry cucm-tftp trustpoint phoneproxy_trustpoint address (Public IP of CUCM)
record-entry capf trustpoint capf_trustpoint address (Public IP of CUCM)
no shut
With that you create the CTL file that will tell the phones which call managers they can use.
To configure the TLS proxy:
tls-proxy ASA-tls-proxy
server trust-point _internal_PP_ctl_phoneproxy_file
The server trust point needs this format: _internal_PP_(Name of CTL FILE)
CAPF stands for Certificate Authority Proxy Function. (This will be used to provision the LSC certificate to old phones like 7960 and 7940.)
For your deployment it will not be required, which means that you do not need this line on the CTL file: record-entry capf trustpoint capf_trustpoint address (Public IP of CUCM)
I hope this will be helpful.
Regards,
Luis Sandi
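The naming rule in the reply above (the TLS proxy's server trust-point must be `_internal_PP_` plus the CTL file name), as an added example that is not part of the original post: a small Python check that reads ASA configuration text and reports a mismatched trust-point, an address placeholder left unfilled, or a `ctl-file` block never activated with `no shut`. The sample configurations are constructed, and 203.0.113.10 is a documentation address standing in for the public IP.

```python
import re

PREFIX = "_internal_PP_"  # trust-point prefix stated in the reply above

def check_phone_proxy(config: str) -> list[str]:
    """Return findings on ctl-file / tls-proxy consistency (empty list = OK)."""
    ctl_files = {}     # ctl-file name -> {"entries": [...], "active": bool}
    trust_points = []  # (tls-proxy name, server trust-point name)
    block = None       # (kind, name) of the config block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ctl-file (\S+)", line):
            block = ("ctl", m.group(1))
            ctl_files[m.group(1)] = {"entries": [], "active": False}
        elif m := re.fullmatch(r"tls-proxy (\S+)", line):
            block = ("tls", m.group(1))
        elif block and block[0] == "ctl" and line.startswith("record-entry "):
            ctl_files[block[1]]["entries"].append(line)
        elif block and block[0] == "ctl" and line in ("no shut", "no shutdown"):
            ctl_files[block[1]]["active"] = True
        elif block and block[0] == "tls" and (
                m := re.fullmatch(r"server trust-point (\S+)", line)):
            trust_points.append((block[1], m.group(1)))
    findings = []
    for name, ctl in ctl_files.items():
        # "(Public IP of CUCM)" copied verbatim from the thread is not an address.
        if any("(" in entry for entry in ctl["entries"]):
            findings.append(f"ctl-file {name}: address placeholder not replaced")
        if not ctl["active"]:
            findings.append(f"ctl-file {name}: missing 'no shut'")
    expected = {PREFIX + name for name in ctl_files}
    for proxy, tp in trust_points:
        if tp not in expected:
            findings.append(f"tls-proxy {proxy}: trust-point {tp} matches no ctl-file")
    return findings

# Constructed sample configurations (not taken from a real device).
GOOD = """\
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 203.0.113.10
 no shut
tls-proxy ASA-tls-proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
"""
BAD = GOOD.replace("_internal_PP_ctl_phoneproxy_file", "_internal_PP_ctl_file") \
          .replace("203.0.113.10", "(Public IP of CUCM)")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_phone_proxy(cfg) or "consistent")
```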
07-13-2011 03:49 PM
Extremely helpful.
To configure this CTL file:
1. Do I configure these commands above on the ASA, then the ASA generates the CTL file?
2. How to send this CTL file to the phone via TFTP?
3. Also I think I need to enable the IP phone VPN feature on the ASA beside the premium SSL VPN license.
Finally, is there a demo license for my ASA on Cisco to test this feature?
thanks & Best Regards
07-13-2011 04:02 PM
1. Do I configure these commands above on the ASA, then ASA generate the CTL file ?
On the ASA you configure the following:
ctl-file ctl_phoneproxy_file
record-entry cucm-tftp trustpoint phoneproxy_trustpoint address (Public IP of CUCM)
record-entry capf trustpoint capf_trustpoint address (Public IP of CUCM)
no shut
When you do the no shutdown the ASA will write the CTL file on flash.
2. How to send this CTL file to the phone via tftp ?
You need to point the IP phone to the public IP address you have configured to be the translation of the CUCM.
3. Also I think I need to enable IP phone VPN feature on the ASA beside the premium SSL VPN license
Phone VPN and Phone Proxy are different features and for the Phone Proxy feature you will have 2 licenses on your ASA that you can use to test up to two remote phones.
Here is the configuration example for ASA on version 8.0
https://supportforums.cisco.com/docs/DOC-5704
I hope this will be helpful.
Regards,
Luis Sandi
10-13-2011 07:41 AM
Hi All,
Sorry to steal the post.
I'm looking to configure the IP Phone Proxy.
I'm currently using CUCM 8.0.2.3
ASA 5510 running 8.4 - is this compatible with IP Phone Proxy and the CUCM version I am running?
Also, the guides I have been referencing state I may need to configure the IP Phone Proxy Address under Enterprise Parameters on the CUCM. If so, do I put the int or ext address, and do I put anything else in the URL?
Thanks
Nathan