Cisco Support Community
New Member

CUCM > Conductor > Telepresence Server integration - does it need TLS or not ?

Hi,

 

I have followed this document to deploy a CUCM with Conductor/Telepresence server integration.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/conductor/config_guide/TelePresence-Conductor-Unified-CM-Deployment-Guide-XC2-3.pdf

 

I have :

- CUCM v 10.5 (virtual)

- Conductor XC2.3 (virtual)

- Telepresence server v 4.0 on Multiparty Media 310

 

The doc says that Conductor can use Encrypted SIP (TLS) port 5061 and HTTPS port 443 but is it a prerequisite or not ?


I have configured everything with HTTP 80 and SIP (TCP+UDP) 5060 but I have this error message in the call history of Conductor when I try to do an ad-hoc conference :

B2BUA generated 404 Not Found due to a TLS failure on the Egress

 

15 REPLIES
New Member


Hi There,

I'm doing the same as you but with v10 of CUCM. I don't get the same error but calls are failing when I dial into a Meetme number mapped to a 'Rendezvous' service on Conductor/TPS.

Did you get things working?

Ade

New Member


According to an answer from Cisco support, TLS is mandatory. You cannot make this work if you don't configure SIP TLS and HTTPS between CUCM, Conductor and the Telepresence server.

I made it work (ad-hoc and rendezvous) by configuring TLS (following the configuration guide).


 

Hi Matthieu Malyga

I have the same problems.

 

Please can you say what certificate is downloaded on CUCM to install on Conductor?

New Member


You have to have the CUCM certificate signed by a CA.

Under certificate management, click on CSR Request. Choose Call Manager.

Then download CSR, choose Call Manager.

Go to your CA (either private or public) and give it the CSR so that it can be signed.

Upload the certificate to the CUCM.

Do the exact same process for Conductor.

Then you also have to upload the CA certificate to both CUCM (Call Manager trust) and Conductor.

Everything is explained in the "deploying certificates guide" of Conductor.


Hi Matthieu Malyga,

Thanks for your information.

 

But I have a doubt about what to do once the CA has signed my CSR and I obtain my CA-signed CUCM certificate.

First I need to upload the CA root certificate on CUCM (Call Manager trust) and then upload the new CA-signed certificate for CUCM on (Call Manager).

Is that correct?

 

New Member


Yes, first the CA certificate, then the CUCM certificate.

When you upload the CUCM certificate, you also have to indicate the name of the "root" certificate, the CN name of the CA certificate.

You can also not use any CA. Just upload the Conductor certificate (which is by default self-signed by a temporary CA, hence it is this default temporary CA that you would upload, not the Conductor certificate itself) on the CUCM and vice versa, upload the CUCM certificate (self-signed by default) to Conductor.

This is what I did most recently and it works fine. This is easier as you don't need any CA involved. OK for a lab, not for a production environment.
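The CSR, CA signing and trust-store steps from the answers above, reproduced offline with `openssl` as an added example that is not part of the original thread. The hostnames and the throwaway lab CA are constructed placeholders; on the real systems the CSR is generated and the certificates are uploaded through the CUCM and Conductor web interfaces as described in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway lab CA signs CSRs for two
# peers, then each certificate is checked against a trust store.
# All hostnames are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR CN: self-signed CA certificate; stands in for "your CA".
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue DIR CN: private key + CSR for CN, then the CA in DIR signs the CSR.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# trusts CAFILE CERT: "ok" if CERT chains to CAFILE, otherwise "fail".
trusts() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# issuer_cn CERT: CN of the issuer, i.e. the root name the signed cert refers to.
issuer_cn() {
    openssl x509 -noout -issuer -in "$1" | sed 's/.*CN *= *//'
}

make_ca "$WORK" lab-ca.example.test
issue "$WORK" cucm.example.test
issue "$WORK" conductor.example.test
# A second, unrelated CA models a peer whose trust store lacks the issuing CA.
mkdir "$WORK/other"
make_ca "$WORK/other" other-ca.example.test

for peer in cucm conductor; do
    cert="$WORK/$peer.example.test.pem"
    echo "$peer: issuer=$(issuer_cn "$cert")" \
         "issuing-CA-trusted=$(trusts "$WORK/ca.pem" "$cert")" \
         "other-CA-only=$(trusts "$WORK/other/ca.pem" "$cert")"
done
```

The `other-CA-only` column shows why the CA certificate has to be uploaded to the peer's trust store: a correctly signed certificate still fails verification when the verifier does not hold the issuing CA.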

New Member


Matthieu Malyga,

Can you explain this step in more detail, please?

"Just upload the Conductor certificate (which is by default self-signed by a temporary CA, hence it is this default temporary CA that you would upload, not the Conductor certificate itself) on the CUCM" - In this step, do I take the (signed) certificate of the CUCM or of the CA? Do I put it in Trusted CA Certificate or in Server Certificate?

"and vice versa, upload the CUCM certificate (self-signed by default) to Conductor." - Where in the CUCM OS Administration page?

New Member


How can I export the "default" temporary CA from Conductor?

New Member


Does the UCM cluster need to be configured for mixed-mode for this to work?

New Member


No.

New Member


Hi Matthieu

 

This is not 100% correct.  

 

TLS is required between vTS and the Conductor.  You can use TCP and HTTP between the Conductor and CUCM.

New Member


Hello Matthieu!

Do we need to upload a certificate in TPS to make TLS communicate with Conductor?

KV


No need to upload a certificate in Telepresence Server. You will need the encryption key to be able to use TLS for encrypted communication (mandatory) between Telepresence Server and Conductor.

For Telepresence Server version 4.1(2.33) or earlier, the encryption key is required. Beginning with version 4.2, it is no longer required.

regards,

Acevirgil

New Member


Thanks. By the way, CUCM can communicate without a certificate, right? By using HTTP?


Correct. You can use HTTP as communication between CUCM and Conductor for XML RPC. 

But Cisco always recommends encrypted communication by using TLS and HTTPS, so certificates are required.

You should have no problem using TCP for the SIP trunk and HTTP for XML RPC between CUCM and Conductor. I have tried this in some of my lab testing and it works fine.

Refer to p. 8 of this guide for reference.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/conductor/config_guide/xc4-0_docs/TelePresence-Conductor-Unified-CM-Deployment-Guide-XC4-0.pdf

Regards,

Acevirgil
