CUPC 8 and ASA Proxy?

ssmith
Level 1

Is it possible to use CUPC 8 without having to fire up the Cisco VPN client?

htluo
Level 9

If the PC is outside the office network (where CUPS server resides), you need VPN to use CUPC.

Some customers are comparing this with Microsoft Office Communicator (MOC).  MOC was able to do "VPN-less" connection at the cost of an "Edge Server".

Technically, Cisco could do the same thing.  But Cisco prefers using ASA.  Down the road, the VPN feature will be embedded into CSF (Common Service Framework) on the client side, which provides seamless connection without launching the VPN client.

Michael

http://htluo.blogspot.com

ssmith
Level 1

Thanks for the quick reply.  So I guess there still is not a seamless way for users to use CUPC 8 without launching the VPN client and connecting first?  With this new version I simply do not understand why the same functionality as some of the hardware based phones, or another solution, is not available.

Because the PM has a limited amount of developer resources for each build and has to choose what to spend time on carefully; every hour spent must be cost justified. I assure you, it's not just to make us rap our fingers on the table in restless frustration.

If you were in their position, would you really have prioritized seamless secure access over the transition to XMPP? (rhetorical)

Jonathan, thanks for your reply.  I realize that XMPP will benefit us all down the road and there are some good new features in this version; however, my real frustration is that, IMO, the feature set that I need in this version has gone backwards (e.g. the Outlook toolbar is gone now).  Also, when we purchased our Cisco VoIP system, the Cisco reps told us that SIP proxy on the ASA would allow us to have secure access for the softphone clients without the need for a manually fired VPN.  Once we found out it did not work with the v. 7 client, we were then told version 8 would support SIP proxy.  So as you can see, I am disappointed that one important feature is gone and I still don't have the other.  I have a large and very mobile legal workforce.  These two things are what is most important to them to get real adoption and productivity gains.

Honestly, I could get by without the toolbar as we only had CUPC 7 rolled out to a pilot group so most of our users would not know it ever existed.  My real issue is they don't want to launch and fire the VPN first.  If there is a solution or another option I am certainly open for ideas.

Stuart

Well, since you mentioned SIP proxy on ASA, let me re-phrase my answer. 

Yes, it's technically possible to get CUPC to work from outside the network without launching the VPN client.  But it requires additional configuration on ASA and DNS.

Unfortunately, the CUPC business unit has NOT tested this scenario, thus no configuration template or guideline was provided by Cisco.

If you'd like to try it yourself, here's some information that might be helpful.  Please note, this applies to SIP only.

1) CUPC uses the SOAP protocol to download configuration from CUPS.  Thus if external DNS resolves the logon server's name to the ASA IP address, NAT needs to be configured so CUPC can talk to CUPS on SOAP (8443).

2) Once configuration was downloaded, CUPC needs to determine which server it sends the SIP request to (register server).  CUPC uses two pieces of information to accomplish this:

A) The 'process node', which is configurable from CUPS Admin web GUI.  Depending on the CUPS version, it could be under "System > Server" or "System > Cluster Topology".

B) The 'proxy domain', which is configurable from CUPS Admin web GUI under "System > Service Parameters > Cisco UP SIP Proxy".

CUPC follows some rules:

a) If 'process node' was a hostname, the register server will be 'process node' + 'proxy domain'.  e.g. 'process node' = cup01, 'proxy domain' = mycompany.com, 'register server' = cup01.mycompany.com

b) if 'process node' was a dotted IP address, the register server will be 'process node'.  e.g. 'process node' = 192.168.1.10, 'register server' = 192.168.1.10

c) if 'process node' was a dotted DNS name and can be matched with 'proxy domain', the register server will be 'process node'.  e.g. 'process node' = cup01.mycompany.com, 'proxy domain' = mycompany.com, 'register server' = cup01.mycompany.com

d) if 'process node' was a dotted DNS name but does not match with 'proxy domain', the register server will be 'process node' + 'proxy domain'.  e.g. 'process node' = cup01.mycompany.com, 'proxy domain' = company.com, 'register server' = cup01.mycompany.com.company.com

You want to make sure:

1) The derived 'register server' can be resolved to the ASA IP by external DNS

2) ASA uses NAT or SIP Proxy to forward the SIP requests to CUPS server.

Hope this helps.

Michael

http://htluo.blogspot.com
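
The four 'register server' rules and the external DNS check from the reply above, as an added example that is not part of the original post and not Cisco code. It assumes "matched with 'proxy domain'" means a suffix match on a DNS label boundary; the function names, the ASA address 203.0.113.10 and the DNS records are constructed for illustration.

```python
import ipaddress

def is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def derive_register_server(process_node: str, proxy_domain: str) -> str:
    """Apply rules a-d from the post to get the name CUPC registers to."""
    node = process_node.strip().rstrip(".").lower()
    domain = proxy_domain.strip().strip(".").lower()
    if is_ipv4(node):                      # rule b: dotted IP is used as-is
        return node
    if "." not in node:                    # rule a: bare hostname + domain
        return f"{node}.{domain}"
    if node.endswith("." + domain):        # rule c: already inside proxy domain
        return node
    return f"{node}.{domain}"              # rule d: mismatch, domain is appended

def audit(process_node, proxy_domain, external_dns, asa_ip):
    """Return (register_server, ok, reason) for one CUPS configuration."""
    target = derive_register_server(process_node, proxy_domain)
    if is_ipv4(target):
        ok = target == asa_ip
        return target, ok, "IP literal" if ok else "IP literal is not the ASA address"
    answers = external_dns.get(target, [])
    if not answers:
        return target, False, "no external DNS record"
    if answers != [asa_ip]:
        return target, False, "resolves to something other than the ASA"
    return target, True, "resolves to the ASA"

# Constructed sample data: documentation-range ASA address and external zone.
ASA_IP = "203.0.113.10"
EXTERNAL_DNS = {"cup01.mycompany.com": ["203.0.113.10"]}

if __name__ == "__main__":
    for node, domain in [("cup01", "mycompany.com"),
                         ("192.168.1.10", "mycompany.com"),
                         ("cup01.mycompany.com", "mycompany.com"),
                         ("cup01.mycompany.com", "company.com")]:
        print(node, domain, audit(node, domain, EXTERNAL_DNS, ASA_IP))
```

Rule d is the case to watch: a 'proxy domain' of company.com is not a label-boundary suffix of cup01.mycompany.com, so the client ends up looking for a name that external DNS is unlikely to serve.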

What if the CUPC and CUCM are on public IP addresses but the client is being NAT'd? Any way to get that to work?

Chris Tolley
Level 3

Is there a timeline for the integration of VPN in CSF?

I cannot speak for Cisco development.  This feature will be built in different phases.  The VPN module in the CSF stack will be intelligent enough to tell which application needs VPN and which one does not.  So it can initiate VPN connection on demand and separate different traffic.

Michael

Michael,

What, if any, security concerns are there with the configuration you described? Are credentials passed in clear text?

Thanks,

Harrison

It was encrypted by HTTPS (TLS).

Michael