This discussion is locked

Ask the Expert: Cisco Unified CallManager and IP Phone Security

Unanswered Question
Apr 2nd, 2012

With Amit Singh 

Read the bioRead the bio

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to ask questions and learn about Unified CallManager and IP Phone Security with Cisco Experts Amit Singh and Raees Shaikh.

Raees Shaikh
is a customer support engineer at the Cisco Technical Assistance Center in Bangalore. He has over two years of experience, serving Cisco partners and customers in the European time zone. As part of the call control and multiservices modules, he focuses on Cisco Unified Communications Manager, Cisco Unified Border Element, gateways, Cisco Unified SIP Proxy, and other voice over IP (VoIP)-related devices. Prior to joining Cisco he was a network engineer with Microland Ltd, supporting networks for Fortune 500 companies. He holds a bachelor of engineering degree in electronics and telecommunication from Goa University and holds CCNP and CCIE voice certification (number 34220).

Amit Singh
is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has six and half years of experience in his areas of expertise: wireless, Cisco Unified Communications Manager, multiservices, Cisco Unity, and Cisco Unified Contact Center Express. He has been involved in various escalation requests from India, Singapore, and Australia and is currently working as a technical lead for the Voice team in Bangalore, India. He is a computer science graduate.

Amit and Raees might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the forum shortly after the event. This event lasts through April 13th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

This is a continuation of the April 3 Cisco Unified CallManager and IP Phone Security webcast. You can review the slides of the presentation here

Additional Webcast Related Links

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.8 (5 ratings)
Tauqir Malik Mon, 04/02/2012 - 21:28

1. Is there any way I can configure a speen dial on cucm 8.6 not specific to a phone but on system level that  can be used by any one to access a paging server.

2. I have a pilot number (54444) configured on the cucm  to access a paging server connected to 2800 gateway via the T1.

when a user dials 54444, it connects to the paging server and server asks for "pager number to be paged. User enter the pager number 555 6666, hears a tone and dials his call back number and # to end the call.

All the pagers have a prefix of 555. Is there any way I can confugure the CUCM or gateway to dial 555 also once the connection is established after dialing 54444; so the user have to dial only 6666 and call back number.

3. I have also configured a tranlation pattern 54 which dials 54444. So I would like to dial 54 pause 555 and user can enter the last 4 digits of the pager 6666.

Gateway configuration:

dial-peer voice 101 pots

destination-pattern 54444

port 0/2/0:0


dial-peer voice 1 voip

voice-class codec 1

incoming called-number 54444

dtmf-relay h245-alphanumeric

no vad

Thankyou TM

Jason Ewing Tue, 04/03/2012 - 04:55

Thanks for hosting this event. 

With the newest version of CUCM 8.6 and 'security by default' can you reference some must read articles for those of us on the upgrade path to 8.6x who haven't used phone security in the past?

We're currently running CUCM 6.1.2 without security (no CTL, ITL, LSC) and migrating directly to 8.6.2x by building out a new cluster side by side with the old one.  Our plan is to simply point the phones at the new cluster at cutover time.  Are there any 'gotchas' to be aware of in this scenario?



amitsin Tue, 04/03/2012 - 05:21

You should be good to go and upgrade the cluster.Phones will trust the ITL files on CUCM 8.6 without any issue.

++ Please make sure, you have port 2445 open to allow TVS traffic and also TLS not blocked in your network.

++ If you plan to migrate your Cluster from Bare Metal Server to VmWARE, then at first we should upgrade the existing cluster to 8.x ---- > Take DRS Backup ---> Then migrate to vmWare.

You may reference to:

Amit Singh
Jason Ewing Tue, 04/03/2012 - 05:33

Thanks for your reply Amit! Most helpful!

Does Cisco have any plans to offer a tool or utility to remotely delete ITL certs from phones?  After reading some issues in the forums where individuals have had to manually delete ITL files from phones it seems it could be a major issue....I can't imagine having to visit 1000+ phones or asking staff to delete these files.


amitsin Wed, 04/04/2012 - 07:19

Hello Jay,

If the migration is well thought, then you should not run into such situation.

Thats right, we do have it on CUCM roadmap to have the ability to delete ITL files remotely.

I hope this helps to answer your query.

Have a nice extended weekend ahead

Amit Singh

Jason Ewing Wed, 04/04/2012 - 10:49

Hello Amit,

Glad to hear it's on the roadmap.

Thanks for your help and have a great weekend as well!


Jason Ewing Tue, 04/10/2012 - 08:25

Hi again Amit,

Is the phone URL for authentication (found in CUCM Enterprise parameters) used by the TVS or in the certificates any where? The reason I ask is that we use SingleWire's InformaCast product and change the authentication URL to point to our InformaCast server.  If we change this URL in CUCM 8.x do we need to regenerate certficates or do anything in particular before registering phones to the 8.x cluster?

Thanks again!

Stephen Welsh Wed, 04/04/2012 - 13:29


In the interim, if you do need a solution for deleting ITL Files (or any kind of remote phone management) I suggest you have a look into PhoneView from Unified FX (

Have a look at Jonathan Monestel (Cisco TAC) instructions on how to do this:

You can request a trial here:

Here is a short video on how to do this, no need to visit any phones:



tenaro.gusatu.novici Tue, 04/10/2012 - 11:50

Hi guys,

I'm still trying to figure out some basics here and I hope this is valid question for your discussion: what is the purpose of the eToken? I do understand that IP phones will come with certificates installed in a factory and I can accept that CUCM will have preinstalled list of certificate authorities so it can recognize that certificates in the phones are signed by Cisco. What I don't see yet is the role of eToken



John Ventura Tue, 04/10/2012 - 21:48

Hi Guys,

Thanks for providing the webcast video.

I have a question; Do we need to upload the 3rd party certificate in every node in CUCM 8.x?


Raees Shaikh Wed, 04/11/2012 - 04:08

Hi John,

There is no need to upload the 3rd party certificate in every node in the cluster. Once you upload it to the Publisher server, it will be replicated to the other nodes via DB Replication & the change notification will inform the TVS service running on the Subs server of the new addition of certificate it needs to trust.

Hope that helps.

Raees Shaikh 

Stephen Welsh Wed, 04/11/2012 - 04:13

Just to add to Raees's comment on certificate replication, it's my understanding that the replication process can take up to 20 minutes to complete, so keep that delay in mind when testing.



John Ventura Tue, 04/10/2012 - 21:51

Have one more question; Is there anyway we can disable security by default feature if the client does not have security enabled in his cluster?



This Discussion

Related Content