I have done this only in a lab environment with 4.1. Encryption was brought into the CM world for the military. My advice to you is that unless there is a strict requirement for encryption, don't enable the feature.
It works pretty well if you make sure your time is sync'ed properly while generating certificates and all that. Also make sure that you get two USB tokens and safely store them as the first one is your master key.
Downsides include auto-registration being turned off system-wide. Also, conference calls today don't support encryption. For signalling traffic to be encrypted (especially for MGCP) you have to set up IPsec tunnels from the IPsec management console. (CM 5.1 is a lot better from an administrative standpoint for setting up IPsec.)
Deploying remote sites with encryption and SRST can be a pain. There is currently no way other than manual cut-and-paste of certificate information into the router. I was successfully able to lab it in a few hours' time, but I really do hate the procedure involved in setting up Secure SRST.
When deploying remote sites you should also consider the extra bandwidth required for secure calls.
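The bandwidth point above is easy to quantify. The following is an added example, not code from the thread or from Cisco: it estimates per-call bandwidth for plain RTP versus SRTP so the extra cost of encryption at a remote site can be sized. It assumes IPv4/UDP/RTP headers of 20/8/12 bytes with no RTP extensions, that SRTP adds only its authentication tag (RFC 3711 defines an 80-bit default and a 32-bit variant; which one a given phone firmware negotiates is not stated on this page, so the tag length is a parameter), and uses the standard G.711 and G.729 payload rates; the Layer 2 overhead is a constructed parameter.

```python
# Added example: per-call RTP vs SRTP bandwidth estimate (not from the thread).
# Assumptions: IPv4 (20) + UDP (8) + RTP (12) header bytes, no CSRC/extension,
# SRTP overhead = authentication tag only (RFC 3711: 10 bytes default, 4-byte variant),
# codec payload derived from nominal codec bit rate, L2 overhead supplied by caller.

HEADER_BYTES = 20 + 8 + 12  # IPv4 + UDP + RTP per packet

# Codec payload bytes per millisecond of audio (64 kbps -> 8 B/ms, 8 kbps -> 1 B/ms)
CODEC_BYTES_PER_MS = {
    "g711": 8,
    "g729": 1,
}

SRTP_TAG_DEFAULT = 10  # 80-bit HMAC-SHA1 tag (RFC 3711 default)
SRTP_TAG_SHORT = 4     # 32-bit truncated tag variant


def packet_bytes(codec, ptime_ms, srtp_tag_bytes=0, l2_overhead=0):
    """Total bytes on the wire for one voice packet."""
    if codec not in CODEC_BYTES_PER_MS:
        raise ValueError(f"unknown codec {codec!r}")
    payload = CODEC_BYTES_PER_MS[codec] * ptime_ms
    return l2_overhead + HEADER_BYTES + payload + srtp_tag_bytes


def call_kbps(codec, ptime_ms, srtp_tag_bytes=0, l2_overhead=0):
    """One-direction bandwidth in kbps for a single call leg."""
    packets_per_second = 1000 / ptime_ms
    return packet_bytes(codec, ptime_ms, srtp_tag_bytes, l2_overhead) * 8 * packets_per_second / 1000


def srtp_overhead_percent(codec, ptime_ms, srtp_tag_bytes=SRTP_TAG_DEFAULT, l2_overhead=0):
    """Relative bandwidth increase of SRTP over RTP for the same codec/packetization."""
    rtp = call_kbps(codec, ptime_ms, 0, l2_overhead)
    srtp = call_kbps(codec, ptime_ms, srtp_tag_bytes, l2_overhead)
    return (srtp - rtp) / rtp * 100


def site_plan(concurrent_calls, codec, ptime_ms, srtp_tag_bytes=SRTP_TAG_DEFAULT, l2_overhead=0):
    """Bidirectional bandwidth (kbps) needed for N simultaneous secure calls at a site."""
    per_leg = call_kbps(codec, ptime_ms, srtp_tag_bytes, l2_overhead)
    return per_leg * 2 * concurrent_calls


if __name__ == "__main__":
    for codec in ("g711", "g729"):
        print(f"{codec} 20ms: RTP {call_kbps(codec, 20):.1f} kbps, "
              f"SRTP {call_kbps(codec, 20, SRTP_TAG_DEFAULT):.1f} kbps, "
              f"overhead {srtp_overhead_percent(codec, 20):.1f}%")
    # Constructed scenario: 10 concurrent G.729 calls over a WAN link
    print(f"10 x g729 secure calls: {site_plan(10, 'g729', 20):.0f} kbps")
```

The useful takeaway is that the absolute cost is small (a fixed tag per packet) but the relative cost grows as the codec bit rate shrinks: the same 10-byte tag is about 5% on G.711 but about 17% on G.729 at 20 ms, which is exactly the codec you would be running over a thin remote-site link.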
Thank you for the info. We are local LAN only and are doing this to be HIPAA and SOX compliant. So to understand, I will not be able to do this on my 7935 conference phones because they do not support encryption on 4.2?
I meant to say that when three phones are in a conference, even if the phones are capable of encryption on a peer-to-peer call, the conference will be non-encrypted. Limitation of the conference bridge. Also, here are some of the specifics of what calls are encrypted and what is not.
a. When encrypted phones call each other, you get a lock sign indicating that the call is encrypted.
b. When an encrypted phone calls a non-encrypted phone, the call is not encrypted.
c. Non-encrypted phones continue calls without encryption.
d. When three encrypted phones are in a conference, the call is not encrypted (limitation of the conference bridge).
e. When an encrypted phone calls an MGCP or H.323 gateway (which has encryption configured on it), a lock sign is shown on the phone, indicating the call is encrypted.
f. When an encrypted phone calls Unity voicemail that is encryption-enabled, a lock sign is shown on the phone, indicating the call is encrypted.