CUCM > Conductor > Telepresence Server integration - does it need TLS or not ?

Sep 10th, 2014

Hi,

I have followed this document to deploy a CUCM with Conductor/Telepresence server integration.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/con...

 

I have :

- CUCM v 10.5 (virtual)

- Conductor XC2.3 (virtual)

- Telepresence server v 4.0 on Multiparty Media 310

 

The doc says that Conductor can use Encrypted SIP (TLS) port 5061 and HTTPS port 443 but is it a prerequisite or not ?


I have configured everything with HTTP 80 and SIP (TCP+UDP) 5060 but I have this error message in the call history of Conductor when I try to do an ad-hoc conference :

B2BUA generated 404 Not Found due to a TLS failure on the Egress

 

adbaker Fri, 09/12/2014 - 03:24

Hi There,

I'm doing the same as you but with v10 of CUCM. I don't get the same error but calls are failing when I dial into a Meetme number mapped to a 'Rendezvous' service on Conductor/TPS.

Did you get things working?

Ade

Matthieu Malyga Tue, 09/16/2014 - 05:27

According to an answer from Cisco support, TLS is mandatory. You cannot make this work if you don't configure SIP TLS and HTTPS between CUCM, Conductor and the Telepresence server.

I made it work (ad-hoc and rendezvous) by configuring TLS (following the configuration guide).

Matthieu Malyga Thu, 09/25/2014 - 05:54

You have to get the CUCM certificate signed by a CA.

Under certificate management, click on CSR Request. Choose Call Manager.

Then download CSR, choose Call Manager.

Go to your CA (either private or public) and give it the CSR so that it can be signed.

Upload the certificate to the CUCM.

Do the exact same process for Conductor.

Then you also have to upload the CA certificate to both CUCM (Call Manager trust) and Conductor.

Everything is explained in the "deploying certificates guide" of Conductor.
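
An added example, not part of any post in this thread: checks you can run with openssl on the downloaded CSR, the certificate the CA returned and the CA certificate before uploading them. It assumes all three files are PEM; the file names, CNs and the throwaway CA built by `build_demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File names and CNs are constructed.

# Succeeds only if the signed certificate carries the same public key as the CSR.
cert_matches_csr() {  # usage: cert_matches_csr cert.pem request.csr
  local c r
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$c" = "$r" ]
}

# Succeeds only if the certificate verifies against the CA file that you
# plan to load into the trust store.
cert_chains_to_ca() {  # usage: cert_chains_to_ca cert.pem ca.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed material: a throwaway CA signs one CSR; a second, self-signed
# certificate stands in for a file that does not belong to that CA.
build_demo() {  # usage: build_demo workdir
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cucm.lab.example" \
    -keyout "$d/cucm.key" -out "$d/cucm.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/cucm.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/cucm.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other.lab.example" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# With three file arguments, check real exports: signed cert, CSR, CA cert.
if [ "$#" -eq 3 ]; then
  if cert_matches_csr "$1" "$2"; then
    echo "OK: certificate public key matches the CSR"
  else
    echo "FAIL: certificate was not issued for this CSR"
  fi
  if cert_chains_to_ca "$1" "$3"; then
    echo "OK: certificate chains to the supplied CA"
  else
    echo "FAIL: certificate does not chain to the supplied CA"
  fi
fi
```

A mismatch on the first check means the CA signed a different request than the one the server generated, so the server will not hold the private key for the certificate.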

Juan carlos Arc... Wed, 10/01/2014 - 21:13

Hi Matthieu Malyga,

Thanks for your information.

But I have a doubt: once the CA has signed my CSR, I obtain my CA-signed CUCM certificate.

First I need to upload the CA root certificate on CUCM (Call Manager trust) and then upload the new CA-signed certificate for CUCM on (Call Manager).

Is that correct?

 

Matthieu Malyga Thu, 10/02/2014 - 01:49

Yes, first the CA certificate, then the CUCM certificate.

When you upload the CUCM certificate, you also have to indicate the name of the "root" certificate, the CN name of the CA certificate.

You can also not use any CA. Just upload the Conductor certificate (which is by default self-signed by a temporary CA, hence it is this default temporary CA that you would upload, not the Conductor certificate itself) on the CUCM and vice versa, upload the CUCM certificate (self-signed by default) to Conductor.

This is what I did lastly and it works fine. This is easier as you don't need any CA involved. OK for a lab, not for a production environment.

tecvictor Mon, 03/02/2015 - 11:39

Matthieu Malyga,

Can you explain this step in more detail, please?

"Just upload the Conductor certificate (which is by default self-signed by a temporary CA, hence it is this default temporary CA that you would upload, not the Conductor certificate itself) on the CUCM" - In this step, do I take the (signed) certificate of the CUCM or of the CA? Do I put it in Trusted CA Certificate or in Server Certificate?

"and vice versa, upload the CUCM certificate (self-signed by default) to Conductor." - Where in the CUCM OS administrator page?

tecvictor Mon, 03/02/2015 - 12:04

How can I export the "default" temporary CA from Conductor?

j.house Mon, 03/02/2015 - 13:42

Does the UCM cluster need to be configured for mixed-mode for this to work?

Jonathan Els Thu, 08/13/2015 - 15:19

Hi Matthieu,

This is not 100% correct.

TLS is required between vTS and the Conductor. You can use TCP and HTTP between the Conductor and CUCM.

kingvoice Tue, 11/17/2015 - 12:34

Hello Matthieu!

Do we need to upload a certificate in TPS to make TLS communicate between conductor?

KV

Acevirgil de Ocampo Tue, 11/17/2015 - 13:54

No need to upload certificate in Telepresence Server. You will need the encryption key to be able to use TLS for encrypted communication (mandatory) between Telepresence Server and Conductor.

For Telepresence Server version 4.1(2.33) or earlier, encryption key is required. Beginning with version 4.2, it is no longer required.


regards,

Acevirgil


kingvoice Tue, 11/17/2015 - 14:01

Thanks. By the way, CUCM can communicate without a certificate, right? By using HTTP?

Acevirgil de Ocampo Tue, 11/17/2015 - 14:54

Correct. You can use HTTP as communication between CUCM and Conductor for XML RPC.

But Cisco always recommends encrypted communication by using TLS and HTTPS, so certificates are required.

You should have no problem using TCP for the SIP trunk and HTTP for XML RPC between CUCM and Conductor. I have tried this in some of my lab testing and it works fine.

Refer to this guide under p.8 for reference.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/con...


Regards,

Acevirgil
