Secure conference
The Secure Conferencing feature provides authentication and encryption to secure a conference. A conference gets considered secure when all participating devices have encrypted signaling and media. The secure conference feature supports SRTP encryption over a secure TLS or IPSec connection.
The system provides a security icon for the overall security status of the conference, which is determined by the lowest security level of the participating devices. For example, a secure conference that includes two encrypted connections and one authenticated connection has a conference security status of authenticated.
To configure secure ad hoc and meet-me conferences, you configure a secure conference bridge.
- If a user initiates a conference call from a phone that is authenticated or encrypted, Cisco Unified Communications Manager allocates the secure conference bridge
- If a user initiates a call from a phone that is nonsecure, Cisco Unified Communications Manager allocates a nonsecure conference bridge.
When you configure conference bridge resources as nonsecure, the conference remains nonsecure, regardless of the security configuration for the phone.
For meet-me conference calls, the phone that initiates the conference must also meet the minimum security requirement that is configured for the meet-me number. If no secure conference bridge is available or if the initiator security level does not meet the minimum, Cisco Unified Communications Manager rejects the conference attempt.
To secure conferences with barge, configure phones to use encrypted mode. After the Barge key is pressed and if the device is authenticated or encrypted, Cisco Unified Communications Manager establishes a secure connection between the barging party and the built-in bridge at the target device. The system provides a conference security status for all connected parties in the barge call.
 Note | Nonsecure or authenticated Cisco Unified IP Phones that are running release 8.3 or later can now barge encrypted calls. |
Conference bridge requirements
A conference bridge can register as a secure media resource when you add a hardware conference bridge to your network and configure a secure conference bridge in Cisco Unified Communications Manager Administration.
Note | Due to the performance impact to Cisco Unified Communications Manager processing, Cisco does not support secure conferencing on software conference bridge. |
A Digital Signal Processor (DSP) farm, which provides conferencing on a H.323 or MGCP gateway, acts as the network resource for IP telephony conferencing. The conference bridge registers to Cisco Unified Communications Manager as a secure SCCP client.
- The conference bridge root certificate must exist in CallManager trust store, and the Cisco Unified Communications Manager certificate must exist in the conference bridge trust store.
- The secure conference bridge security setting must match the security setting in Cisco Unified Communications Manager to register.
For more information about conferencing routers, refer to the IOS router documentation that is provided with your router.
Cisco Unified Communications Manager assigns conference resources to calls on a dynamic basis. The available conference resource and the enabled codec provide the maximum number of concurrent, secure conferences allowed per router. Because transmit and receive streams are individually keyed for each participating endpoint (so no rekeying is necessary when a participant leaves the conference), the total secure conference capacity for a DSP module equals one-half the nonsecure capacity that you can configure.
See "Understanding Conference Devices" in the Cisco Unified Communications Manager System Guide for more information.
Secure conference icons
Cisco Unified IP Phones display a conference security icon for the security level of the entire conference. These icons match the status icons for a secure two-party call, as described in the user documentation for your phone.
The audio and video portions of the call provide the basis for the conference security level. The call gets considered secure only if both the audio and video portions are secure.
For ad hoc and meet-me secure conferences, the security icon for the conference displays next to the conference softkey in the phone window for conference participants. The icon that displays depends on the security level of the conference bridge and all participants:
- A lock icon displays if the conference bridge is secure and all participants in the conference are encrypted.
- A shield icon displays if the conference bridge is secure and all participants in the conference are authenticated. Some phone models do not display the shield icon.
- When the conference bridge or any participant in the conference is nonsecure, the call state icon (active, hold, and so on) displays, or, on some older phone models, no icon displays.
When an encrypted phone connects to a secure conference bridge, the media streaming between the device and the conference bridge gets encrypted; however, the icon for the conference can be encrypted, authenticated, or nonsecure depending on the security levels of the other participants. A nonsecure status indicates that one of the parties is not secure or cannot be verified.
When a user presses Barge, the icon that displays next to the Barge softkey provides the security level for the barge conference. If the barging device and the barged device support encryption, the system encrypts the media between the two devices, but the barge conference status can be nonsecure, authenticated, or encrypted, depending on the security levels of the connected parties.
Secure conference status
Conference status can change as participants enter and leave the conference. An encrypted conference can revert to a security level of authenticated or nonsecure if an authenticated or nonsecure participant connects to the call. Likewise, the status can upgrade if an authenticated or nonsecure participant drops off the call. A nonsecure participant that connects to a conference call renders the conference nonsecure.
Conference status can also change when participants chain conferences together, when the security status for a chained conference changes, when a held conference call is resumed on another device, when a conference call gets barged, or when a transferred conference call completes to another device.
Note | The Advanced Ad Hoc Conference Enabled service parameter determines whether ad hoc conferences can be linked together by using features such as conference, join, direct transfer, and transfer. |
Cisco Unified Communications Manager provides these options to maintain a secure conference:
Related References
