Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Does a TLS connection from an external phone to the CUCM needs an ASA, or can be done directly between the phone and the CUCM

Hi

I'm studying CUCM and testing it. I have question about security:

Does a TLS connection from an external phone to the CUCM needs an ASA, or can be done directly between the phone and the CUCM?>

Best Regards,

Everyone's tags (1)
4 REPLIES
New Member

SIP TLS is used for signaling

SIP TLS is used for signaling on port TCP 5061

If the CUCM is behind a firewall and the phone is connected through the Internet, would be necessary to allow TCP port 5061 and SRTP.

In the following article, there are several scenarios explained in more detail,

http://www.cisco.com/web/about/security/intelligence/IP_Phone_Security_WP.html

New Member

Hi thanks for answer,I read

Hi thanks for answer,

I read this article but I have a doubt because they said that: Cisco IP phones will only work with the Cisco ASA Phone Proxy and will not establish secure connectivity with the Cisco Unified Communications Manager.

Provisioning Cisco IP phones with LSC Certificates

By default, LSC certificates are not installed on Cisco IP phones. Cisco IP phones that are required to use LSC certificates must be provisioned to allow TLS transactions before deployment in the field. LSC certificates can be provisioned to the Cisco IP phones through the Certificate Authority Proxy Function (CAPF) process. This process is completed using TLS and USB tokens coupled with the CTL client. Moreover, the Cisco ASA Phone Proxy feature can serve LSC certificates to the Cisco IP phones. Cisco IP phones will only work with the Cisco ASA Phone Proxy and will not establish secure connectivity with the Cisco Unified Communications Manager.

New Member

Hi,There are two modes

Hi,

There are two modes explained about provisioning ip phones using TLS.

Using Cisco Unified Communications Manager (with USB Tokens)

In this case is necessary to install certificates and follow certain procedure. The phone communication is encrypted to the CUCM.

The second option:

Using Cisco ASA Phone Proxy (without USB tokens)

This is a simplification and quite nice solution to securely connect ip phones from Internet. The encrypted communication goes from the phone to the ASA. Then the ASA relays the communication to the CUCM non encrypted.

In this case, would not be necessary to open ports or expose the CUCM to the Internet.

New Member

Hi Melendres, Thanks a lot

Hi Melendres,

 

Thanks a lot for your help...

Best regards,

88
Views
0
Helpful
4
Replies
CreatePlease to create content