- Information about the Cisco Unified Communication Wizard
- Licensing Requirements for the Unified Communication Wizard
- Guidelines and Limitations
- Configuring the Phone Proxy by using the Unified Communication Wizard
- Configuring the Mobility Advantage by using the Unified Communication Wizard
- Configuring the Presence Federation Proxy by using the Unified Communication Wizard
- Configuring the UC-IME by using the Unified Communication Wizard
- Configuring the Topology for the Cisco Intercompany Media Engine Proxy
- Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy
- Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy
- Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy
- Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy
- Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy
- Working with Certificates in the Unified Communication Wizard
- Exporting an Identity Certificate
- Installing a Certificate
- Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy
- Saving the Identity Certificate Request
- Installing the ASA Identity Certificate on the Mobility Advantage Server
- Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers
Cisco Unified Communication Wizard
This chapter describes how to configure the ASA for Cisco Unified Communications Proxy features.
This chapter includes the following sections:
- Information about the Cisco Unified Communication Wizard
- Licensing Requirements for the Unified Communication Wizard
- Guidelines and Limitations
- Configuring the Phone Proxy by using the Unified Communication Wizard
- Configuring the Mobility Advantage by using the Unified Communication Wizard
- Configuring the Presence Federation Proxy by using the Unified Communication Wizard
- Configuring the UC-IME by using the Unified Communication Wizard
- Working with Certificates in the Unified Communication Wizard
Information about the Cisco Unified Communication Wizard
Note The Unified Communication Wizard is supported for the ASA version 8.3(1) and later.
The Unified Communication Wizard assists you in configuring the following Unified Communications proxies on the ASA:
See Configuring the Phone Proxy by using the Unified Communication Wizard.
See Configuring the Mobility Advantage by using the Unified Communication Wizard.
See Configuring the Presence Federation Proxy by using the Unified Communication Wizard.
See Configuring the UC-IME by using the Unified Communication Wizard.
The wizard simplifies the configuration of the Unified Communications proxies in the following ways:
- You enter all required data in the wizard steps. You are not required to navigate various ASDM screens to configure the Unified Communications proxies.
- The wizard generates configuration settings for the Unified Communications proxies where possible, automatically, without requiring you to enter data. For example, the wizard configures the required ACLs, IP address translation (NAT and PAT) statements, self-signed certificates, TLS proxies, and application inspection.
- The wizard displays network diagrams to illustrate data collection.
To access the Unified Communication Wizard, choose one of the following paths in the main ASDM application window:
- Wizards > Unified Communication Wizard.
- Configuration > Firewall > Unified Communications, and then click Unified Communication Wizard.
Phone Proxy: Secure remote access for Cisco encrypted endpoints, and VLAN traversal for Cisco softphones
The phone proxy feature enables termination of Cisco SRTP/TLS-encrypted endpoints for secure remote access. The phone proxy allows large scale deployments of secure phones without a large scale VPN remote access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without VPN tunnels or hardware.
The Cisco adaptive security appliance phone proxy is the replacement product for the Cisco Unified Phone Proxy. Additionally, the phone proxy can be deployed for voice/data VLAN traversal for softphone applications. Cisco IP Communicator (CIPC) traffic (both media and signaling) can be proxied through the ASA, thus traversing calls securely between voice and data VLANs.
For information about the differences between the TLS proxy and phone proxy, go to the following URL for Unified Communications content, including TLS Proxy vs. Phone Proxy white paper:
http://www.cisco.com/go/secureuc
Mobility Advantage Proxy: Secure connectivity between Cisco Mobility Advantage server and Cisco Unified Mobile Communicator clients
Cisco Mobility Advantage solutions include the Cisco Unified Mobile Communicator (Cisco UMC), an easy-to-use software application for mobile handsets that extends enterprise communications applications and services to mobile phones and the Cisco Unified Mobility Advantage (Cisco UMA) server. The Cisco Mobility Advantage solution streamlines the communication experience, enabling single number reach and integration of mobile endpoints into the Unified Communications infrastructure.
The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and Cisco/Microsoft Presence servers
Cisco Unified Presence solution collects information about the availability and status of users, such as whether they are using communication devices, such as IP phones at particular times. It also collects information regarding their communications capabilities, such as whether web collaboration or video conferencing is enabled. Using user information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco UCM can improve productivity by helping users connect with colleagues more efficiently through determining the most effective way for collaborative communication.
Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-enterprise communications. The security appliance terminates the TLS connectivity between the servers, and can inspect and apply policies for the SIP communications between the servers.
Cisco Intercompany Media Engine Proxy: Secure connectivity between Cisco UCM servers in different enterprises for IP Phone traffic
As more unified communications are deployed within enterprises, cases where business-to-business calls utilize unified communications on both sides with the Public Switched Network (PSTN) in the middle become increasingly common. All outside calls go over circuits to telephone providers and from there are delivered to all external destinations.
The Cisco Intercompany Media Engine (UC-IME) gradually creates dynamic, encrypted VoIP connections between businesses, so that a collection of enterprises that work together end up looking like one giant business with secure VoIP interconnections between them.
There are three components to a Cisco Intercompany Media Engine deployment within an enterprise: a Cisco Intercompany Media Engine server, a call agent (the Cisco Unified Communications Manager) and an ASA running the Cisco Intercompany Media Engine Proxy.
The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An ASA running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.
Licensing Requirements for the Unified Communication Wizard
To run the Unified Communication Wizard in ASDM, you require the following license:
|
|
---|---|
However, to run each of the Unified Communications proxy features created by the wizard, you must have the appropriate Unified Communications Proxy licenses.
The Cisco Unified Communications proxy features supported by the ASA require a Unified Communications Proxy license:
- Cisco Phone Proxy
- TLS proxy for encrypted voice inspection
- Presence Federation Proxy
- Cisco Intercompany Media Engine Proxy
See Licensing for Cisco Unified Communications Proxy Features for more information.
Note The Cisco Intercompany Media Engine Proxy does not appear as an option in the Unified Communication Wizard unless the license required for this proxy is installed on the ASA.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
Additional Guidelines and Limitations
Using the Unified Communication Wizard to create the Unified Communications proxies has the following limitations and requirements:
- You must configure at least two interfaces on the ASA to use the UC Wizard to configure a Unified Communications proxy.
- For all Unified Communications proxies to function correctly, you must synchronize the clock on the ASA and all servers associated with each proxy, such as the Cisco Unified Communication Manager server, the Cisco Mobility Advantage server, the Cisco Unified Presence server, and the Cisco Intercompany Media Engine server.
- When you configure the Cisco Intercompany Media Engine Proxy for an off-path deployment, you must ensure that the public IP addresses and ports of the Cisco Unified Communications Manager servers and the public IP address for the media termination address are accessible from the Internet. The summary page of the Unified Communication Wizard reminds you of the requirements.
- If the ASA on which you configure the Cisco Mobility Advantage Proxy and the Cisco Presence Federation Proxy is located behind another firewall, you must ensure that the public IP addresses for the Cisco Mobility Advantage server and the Cisco Unified Presence server are accessible from the Internet.
- If you use the Unified Communication Wizard to create to the Presence Federation Proxy and the Cisco Intercompany Media Engine Proxy, you might be required to adjust the configuration of the ACLs created automatically by the wizard for each proxy. See Chapter 18, “ASA and Cisco Unified Presence” and Chapter 19, “ASA and Cisco Intercompany Media Engine Proxy”, respectively, for information about the ACL requirements required by each proxy.
Configuring the Phone Proxy by using the Unified Communication Wizard
To configure the Cisco Unified Presence proxy by using ASDM, choose Wizards > Unified Communications Wizard from the menu. The Unified Communications Wizard opens. From the first page, select the Phone Proxy option under the Remote Access section.
The wizard automatically creates the necessary TLS proxy, then guides you through creating the Phone Proxy instance, importing and installing the required certificates, and finally enables the SIP and SCCP inspection for the Phone Proxy traffic automatically.
Note Any configuration created by the wizard should be maintained through the wizard to ensure proper synchronization. For example, if you create a phone proxy configuration through the UC wizard and then modify the configuration outside of the wizard, the rest of the wizard configuration is not updated, and the wizard configuration is not synchronized.
Therefore, if you choose to change some part of the phone proxy configuration outside of the wizard, it is your responsibility to keep the rest of the configuration in synchronization.
The wizard guides you through four steps to configure the Phone Proxy:
Step 1 Select the Phone Proxy option.
Step 2 Specify settings to define the Cisco Unified Communications Manager (UCM) servers and TFTP servers, such the IP address and the address translation settings of each server, and the Cisco UCM cluster security mode. See Configuring the Private Network for the Phone Proxy and Configuring Servers for the Phone Proxy.
Step 3 If required, enable Certificate Authority Proxy Function (CAPF). See Enabling Certificate Authority Proxy Function (CAPF) for IP Phones.
Step 4 Configure the public IP phone network, such as address translation settings for remote IP phones, whether to enable service setting for IP phones, and the HTTP proxy used by the IP phones. Configuring the Public IP Phone Network
Step 5 Specify the media termination address settings of the Cisco UCM. Configuring the Media Termination Address for Unified Communication Proxies.
The wizard completes by displaying a summary of the configuration created for Phone Proxy.
Configuring the Private Network for the Phone Proxy
The values that you specify in this page configure the connection from the ASA to the Cisco UCMs and TFTP servers by creating the necessary address translation settings and access control list entries.
Additionally, you specify the security mode for the Cisco UCM cluster. In a nonsecure cluster mode or a mixed mode where the phones are configured as nonsecure, the phone proxy behaves in the following ways:
- The TLS connections from the phones are terminated on the ASA and a TCP connection is initiated to the Cisco UCM.
- SRTP sent from external IP phones to the internal network IP phone via the ASA is converted to RTP.
In a mixed mode cluster where the internal IP phones are configured as authenticated, the TLS connection is not converted to TCP to the Cisco UCM but the SRTP is converted to RTP.
In a mixed mode cluster where the internal IP phone is configured as encrypted, the TLS connection remains a TLS connection to the Cisco UCM and the SRTP from the remote phone remains SRTP to the internal IP phone.
Step 1 From the Interface drop-down list, choose the interface on which the ASA listens for the Cisco UCM servers and TFTP servers. The Cisco UCM servers and TFTP servers must reside on the same interface.
Step 2 Specify each entity in the network (all Cisco UCM and TFTP servers) that the IP phones must trust. Click Add to add the servers. See Configuring Servers for the Phone Proxy.
To modify the configuration of a server already added to the configuration, select the server in the table and click Edit. The Edit Server dialog appears. See Configuring Servers for the Phone Proxy. At least one Cisco UCM and at least one TFTP server must be configured for the phone proxy.
Step 3 Specify the security mode of the Cisco UCM cluster by clicking one of the following options in the Unified CM Cluster Mode field:
- Non-secure—Specifies the cluster to be in nonsecure mode when configuring the Phone Proxy feature.
- Mixed—Specifies the cluster to be in mixed mode when configuring the Phone Proxy feature.
If you selected the Mixed security mode, the Generate and Export LDC Certificate button becomes available.
Step 4 For a Mixed security mode only, configure local dynamic certificates (LDC) for the IP phones by performing the following steps:
a. Click the Generate and Export LDC Certificate button.
A dialog box appears stating “Enrollment succeeded,” which indicates that the LDC was generated.
b. Click OK to close the Enrollment Status dialog box. The Export certificate dialog box appears.
c. In the Export to File field, enter the file name and path for the LDC or click browse to locate and select an existing file.
d. Click the Export Certificate button. A dialog box appears indicating that the file was exported successfully.
e. Click OK to close the dialog box. A dialog box appears reminding you to install the LDC on the Cisco UCMs.
f. Click OK to close the dialog box.
Once configured, the ASA presents this unique, dynamically-created certificate to the Cisco UCM on behalf of the IP phones.
Configuring Servers for the Phone Proxy
The values that you specify in this page generate address translation settings, access list entries, trustpoints, and the corresponding CTL file entries for each server.
You must add a server for each entity in the network that the IP phones must trust. These servers include all Cisco UCM servers in the cluster and all the TFTP servers.
You must add at least one TFTP server and at least one Cisco UCM server for the phone proxy. You can configure up to five TFTP servers for the phone proxy. The TFTP server is assumed to be behind the firewall on the trusted network; therefore, the phone proxy intercepts the requests between the IP phones and TFTP server.
Note When you delete a TFTP server from the Server list in Step 2 of the wizard, ASDM deletes only the TFTP server IP address from the configuration and does not remove from the configuration all the ACLs, NAT statements, object groups, etc. attached to the TFTP server. To remove those attached configuration statements, you must delete them manually by using the appropriate area of ASDM or rerun the Unified Communications wizard without making any changes and apply the configuration to to remove these statements.
The servers that the IP phones must trust can be deployed on the network in one of the following ways:
- All the services required by the Cisco UCM server, namely the Cisco UCM, TFTP, and CAPF services, are running on one server. In this deployment, only one instance of each service exists. For this deployment, you can select Unified CM+ TFTP as the server type. You can either use Address only or Address and ports for address translation. Cisco recommends that you specify Address and ports for increased security.
- Deployments for larger enterprises might have redundant Cisco UCMs and dedicated servers for TFTP and CAPF services. In that type of deployment, use Address only for voice address translation and Address only or Address and ports for TFTP.
Table 14-1 lists the ports that are configured for Address and port translation by default:
|
|
|
---|---|---|
Step 1 In the Server Type field, select the server from the drop-down list: Unified CM, TFTP, or Unified CM + TFTP. Select Unified CM + TFTP when the Cisco UCM and TFTP server reside on the same device.
Note Depending on which type of server you select (Unified CM or TFTP), only the necessary fields in this dialog box become available. Specifically, if the server type is Unified CM, the TFTP section in the dialog is unavailable. If the server type is TFTP, the Voice section is unavailable.
Step 2 In the Private Address field, specify the actual internal IP address of the server.
Step 3 In the FQDN field, enter the fully-qualified domain name of the server, which includes the hostname and domain name; for example, ucm.cisco.com
(where ucm
is the hostname and cisco.com
is the domain name).
If you are configuring a Unified CM server, enter the fully-qualified domain name configured on the Cisco UCM.
If you are configuring a TFTP server, only specify the TFTP server fully-qualified domain name when that server is configured with FQDN. If the TFTP server is not configured with FQDN, you can leave the field blank.
Note Entering the fully-qualified domain name allows the ASA to perform hostname resolution when DNS lookup is not configured on the ASA or the configured DNS servers are unavailable.See the command reference for information about the dns domain-lookup command.
Step 4 In the Address Translation section, select whether to use the interface IP address or to enter a different IP address.
Selecting the Use interface IP radio button configures the server to use the IP address of the public interface. You select the public interface in step 4 of the wizard when you configure the public network for the phone proxy.
If the Use interface IP radio button is selected, you must specify port translation settings in the Voice and TFTP sections. Address-only translation is available only when you specify an IP address other than the IP address of the public interface.
When you select the Address only radio button, the ASA performs address translation on all traffic between the server and the IP phones. Selecting the Address and ports radio button limits address translation to the specified ports.
Step 5 (Unified CM or Unified CM + TFTP servers only) In the Voice section, configure inspection of SIP or SCCP protocol traffic, or both SIP and SCCP protocol traffic by completing the following fields:
a. In the Translation Type field, specify whether to use the Address only or the Address and ports.
When the deployment has redundant Cisco UCM servers and dedicated servers for TFTP and CAPF services, select Address only for voice address translation.
Select the Address and ports option when you want to limit address translation to the specified ports.
b. In the Voice Protocols field, select the inspection protocols supported by the IP phones deployed in the enterprise. Depending on which inspection protocols you select—SCCP, SIP, or SCCP and SIP—only the ports fields for the selected voice protocols are available.
c. In the Port Translation section, enter the private and public ports for the voice protocols.
The default values for the voice ports appear in the text fields. If necessary, change the private ports to match the settings on the Cisco UCM. The values you set for the public ports are used by the IP phones to traverse the ASA and communicate with the Cisco UCM.
The secure SCCP private port and public port are automatically configured. These port numbers are automatically set to the value of the non-secure port number plus 443.
Step 6 (TFTP or Unified CM + TFTP servers only) In the TFTP section, you can select either Address only or Address and port for address translation. Cisco recommends that you specify Address and port for increased security. Specifying Address and port configures the TFTP server to listen on port 69 for TFTP requests.
When the server type is Unified CM + TFTP, the wizard configures the same type of address translation for Voice and TFTP; for example, when the server type is Unified CM + TFTP and the Address only option is selected, the wizard creates a global address translation rule for all traffic to and from the server. In this case, configuring port translation for the TFTP server would be redundant.
Step 7 Click OK to add the server to the phone proxy configuration and return to step 2 of the wizard.
Enabling Certificate Authority Proxy Function (CAPF) for IP Phones
As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via locally significant certificate (LSC) provisioning. With LSC provisioning, you create a password for each remote IP phone user and each user enters the password on the remote IP phones to retrieve the LSC.
Because using LSC provisioning to authenticate remote IP phones requires the IP phones first register in nonsecure mode, Cisco recommends LSC provisioning be done inside the corporate network before giving the IP phones to end-users. Otherwise, having the IP phones register in nonsecure mode requires the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA.
See also the Cisco Unified Communications Manager Security Guide for information on Using the Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC).
If your network includes Cisco IP Communicators (CIPC) or you have LSC enabled IP phones, you must import the CAPF certificate from the Cisco UCM. The certificate will be used to generate the LSC on the IP phones.
If the Cisco UCM has more than one CAPF certificate, you must import all of them to the ASA. However, the wizard supports configuring only one CAPF certificate, which is the default. To import more than one CAPF certificate, go to Configuration > Device Management > Certificate Management > Identity Certificates.
You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified Communications Manager configuration guide for information.
Step 1 Check the Enable Certificate Authority Proxy Function check box. The remaining fields in the page become available.
Step 2 Enter the private IP address of the LSC provider.
Step 3 In the Public Address field, specify whether to use the IP address of the ASA public interface or enter an IP address.
Specifying the private and public IP addresses for the LSC provider, creates an access list entry that allows the IP phones to contact the Cisco UCM by opening the CAPF port for LSC provisioning.
Step 4 In the Translation Type field, select the Address only or Address and ports radio button.
The IP phones must contact the CAPF service on the Cisco UCM. The address translation type (Address only versus Address and ports) you select for CAPF must match the address translation type of the Cisco UCM on which the CAPF service is running. You set the address translation type for that Cisco UCM server in the previous step of this wizard (see Configuring Servers for the Phone Proxy),
By default, the CAPF Service uses port 3804. Modify this default value only when it is modified on the Cisco UCM.
Step 5 If you selected the Address and ports radio button, enter the private and public ports for the CAPF service.
Step 6 Click the Install CAPF Certificate button. The Install Certificate dialog box appears. See Installing a Certificate.
Configuring the Public IP Phone Network
The values that you specify in this page generate the address translation rules used for the IP phones and configure how the ASA handles IP phone settings.
Step 1 From the Interface drop-down list, choose the interface on which the ASA listens for connections from IP phones.
Step 2 To preserve Call Manager configuration on the IP phones, check the Preserve the Unified CM’s configuration on the phone’s service check box. When this check box is uncheck, the following service settings are disabled on the IP phones:
Step 3 To configure address translation for IP phones, check the Enable address translation for IP phones check box. Select whether to use the IP address of the ASA private interface (which you selected in step 2 of the wizard) or enter an IP address.
Configuring address translation for IP phone configures the address used by the IP phones. All traffic from the outside network converges into one source IP address so that, if there is another corporate firewall in the network, a pinhole needs to be opened only for that IP address rather than for all traffic.
Step 4 To configure an HTTP proxy for the Phone Proxy feature that is written into the IP phone's configuration file under the <proxyServerURL> tag, do the following:
a. Check the Configure an HTTP proxy to redirect phone URLs... check box.
b. In the IP Address field, type the IP address of the HTTP proxy
c. In the Port field, enter the listening port of the HTTP proxy.
The IP address you enter should be the global IP address based on where the IP phone and HTTP proxy server is located. You can enter a hostname in the IP Address field when that hostname can be resolved to an IP address by the adaptive security appliance (for example, DNS lookup is configured) because the adaptive security appliance will resolve the hostname to an IP address. If a port is not specified, the default will be 8080.
d. In the Interface field, select the interface on which the HTTP proxy resides on the adaptive security appliance.
Setting the proxy server configuration option for the Phone Proxy allows for an HTTP proxy on the DMZ or external network in which all the IP phone URLs are directed to the proxy server for services on the phones. This setting accommodates nonsecure HTTP traffic, which is not allowed back into the corporate network.
Configuring the Media Termination Address for Unified Communication Proxies
The data from this step generates the MTA instance to be added to the Phone Proxy and the UC-IME proxy.
The phone proxy and the UC-IME proxy use the media termination address for Secure RTP (SRTP) and RTP traffic. SRTP traffic sent from external IP phones to the internal network IP phone via the ASA is converted to RTP traffic. The traffic is terminated on the adaptive security appliance. SRTP provides message authentication and replay protection to Internet media traffic such as audio and video. RTP defines a standardized packet format for delivering audio and video over the Internet.
For the UC-IME proxy and the Phone Proxy to be fully functional, you must ensure that the public IP address for the media termination address (MTA) is accessible from the Internet. The summary page of the Unified Communication Wizard reminds you of this requirement.
The MTA IP addresses that you specify must meet specific requirements. See Media Termination Instance Prerequisites for information.
Step 1 In the field for the private IP address, enter the IP address on which private media traffic terminates. The IP address must be within the same subnet as the private interface IP address. The correct subnet range is provided to the right of the field for the private IP address.
Step 2 In the field for the public IP address, enter the IP address on which public media traffic terminates. The IP address must be within the same subnet as the public interface IP address. The correct subnet range is provided to the right of the field for the public IP address.
Step 3 Specify the minimum and maximum values for the RTP port range for the media termination instance.
Port values must be within the range of 1024 to 65535.
The wizard completes by displaying a summary of the configuration created for proxy.
Configuring the Mobility Advantage by using the Unified Communication Wizard
Note The Unified Communication Wizard is supported for the ASA version 8.3(1) and later.
The Unified Communication wizard guides you through the steps to configure the Mobility Advantage proxy. Choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. Click the Cisco Mobility Advantage Proxy radio button under the Remote Access section.
When using the wizard to create the Mobility Advantage proxy, ASDM automatically creates the necessary TLS proxies, enables MMP inspection for the Mobility Advantage traffic, generates address translation (NAT) statements, and creates the access rules that are necessary to allow traffic between the Cisco Mobility Advantage server and the mobility clients.
The following steps provide the high-level overview for configuring the Mobility Advantage proxy:
Step 1 Specify settings to define the private and public network topology, such the public and private network interfaces, and the IP addresses of the Cisco Mobility Advantage server. See Configuring the Topology for the Cisco Mobility Advantage Proxy.
Step 2 Configure the certificates that are exchanged between the Cisco Mobility Advantage server and the ASA. See Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy.
Step 3 Configure the client-side certificate management, namely the certificates that are exchanged between the Unified Mobile Communicator clients and the ASA. See Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy.
The wizard completes by displaying a summary of the configuration created for Mobility Advantage Proxy.
Configuring the Topology for the Cisco Mobility Advantage Proxy
When configuring the Mobility Advantage Proxy, you specify settings to define the private and public network topology, such the private and public network interfaces, and the private and public IP addresses of the Cisco Mobility Advantage server.
The values that you specify in this page generate the following configuration settings for the Mobility Advantage Proxy:
- Static PAT for the Cisco Mobility Advantage server
- Static NAT for Cisco Unified Mobile Communicator clients if the Enable address translation for Mobility clients check box is checked.
- ACLs to allow Cisco Unified Mobile Communicator clients to access the Cisco Mobility Advantage server
Step 1 In the Private Network area, choose the interface from the drop-down list.
Step 2 In the Unified MA Server area, enter the private and public IP address for the Cisco Mobility Advantage server. Entering ports for these IP addresses is optional. By default port number 5443 is entered, which is the default TCP port for MMP inspection.
Step 3 In the FQDN field, enter the domain name for the Cisco Mobility Advantage server. This domain name is included in the certificate signing request that you generate later in this wizard.
Step 4 In the Public Network area, choose an interface from the drop-down list.
The proxy uses this interface for configuring static PAT for the Cisco Mobility Advantage server and the ACLs to allow Cisco Unified Mobile Communicator clients to access the Cisco Mobility Advantage server.
Step 5 To configure whether address translation (NAT) is used by Cisco Unified Mobile Communicator clients, check the Enable address translation for Mobility clients check box and choose whether to use the IP address of the public interface or whether to enter an IP address.
Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy
A trusted relationship between the ASA and the Cisco UMA server can be established with self-signed certificates. The ASA's identity certificate is exported, and then uploaded on the Cisco UMA server truststore. The Cisco UMA server certificate is downloaded, and then uploaded on the ASA truststore.
The supports using self-signed certificates only at this step.
Step 1 In the ASA’s Identity Certificate area, click Generate and Export ASA’s Identity Certificate.
An information dialog boxes appear indicating that the enrollment seceded. In the Enrollment Status dialog box, click OK. The Export certificate dialog box appears.
Note ● If an identity certificate for the ASA has already been created, the button in this area appears as Export ASA’s Identity Certificate and the Export certificate dialog box immediately appears.
- When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates.
Step 2 Export the identity certificate generated by the wizard for the ASA. See Exporting an Identity Certificate.
Step 3 In the Unified MA Server’s Certificate area, click Install Unified MA Server’s Certificate. The Install Certificate dialog appears.
Step 4 Locate the file containing the Cisco Mobility Advantage server certificate or paste the certificate details in the dialog box. See Installing a Certificate.
Note See the Cisco Mobility Advantage server documentation for information on how to export the certificate for this server.
Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy
To establish a trust relationship between the Cisco Unified Mobile Communicator (UMC) clients and the ASA, the ASA uses a CA-signed certificate that is configured with the Cisco Mobility Advantage server’s FQDN (also referred to as certificate impersonation).
In the Client-Side Certificate Management page, you enter both the intermediate CA certificate (if applicable, as in the cases of Verisign) and the signed ASA identity certificate.
Note If the ASA already has a signed identity certificate, you can skip Step 1 in this procedure and proceed directly to Step 2.
Step 1 In the ASA’s Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.
For information about specifying additional parameters for the certificate signing request (CSR), see Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy.
Information dialog boxes appear indicating that the wizard is delivering the settings to the ASA and retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.
For information about saving the CSR that was generated and submitting it to a CA, see Saving the Identity Certificate Request.
Step 2 Click Install ASA’s Identity Certificate. Install the certificate. See Installing the ASA Identity Certificate on the Mobility Advantage Server.
Step 3 Click Install Root CA’s Certificate. The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate.
The wizard completes by displaying a summary of the configuration created for Mobility Advantage Proxy.
Configuring the Presence Federation Proxy by using the Unified Communication Wizard
Note The Unified Communication Wizard is supported for the ASA version 8.3(1) and later.
To configure the Cisco Unified Presence proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. From the first page, select the Cisco Unified Presence Proxy option under the Business-to-Business section.
When using the wizard to create the Cisco Presence Federation proxy, ASDM automatically creates the necessary TLS proxies, enables SIP inspection for the Presence Federation traffic, generates address translation (static PAT) statements for the local Cisco Unified Presence server, and creates ACLs to allow traffic between the local Cisco Unified Presence server and remote servers.
The following steps provide the high-level overview for configuring the Presence Federation Proxy:
Step 1 Specify settings to define the private and public network topology, such the private and public IP address of the Presence Federation server. See Configuring the Topology for the Cisco Presence Federation Proxy.
Step 2 Configure the local-side certificate management, namely the certificates that are exchanged between the local Unified Presence Federation server and the ASA. See Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy.
Step 3 Configure the remote-side certificate management, namely the certificates that are exchanged between the remote server and the ASA. See Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy.
The wizard completes by displaying a summary of the configuration created for the Presence Federation proxy.
Configuring the Topology for the Cisco Presence Federation Proxy
When configuring the Presence Federation Proxy, you specify settings to define the private and public network topology, such the private and public network interfaces, and the private and public IP addresses of the Cisco Unified Presence server.
The values that you specify in this page generate the following configuration settings for the Presence Federation Proxy:
- Static PAT for the local Cisco Unified Presence server
- ACLs for traffic between the local Cisco Unified Presence server and remote servers
Step 1 In the Private Network area, choose the interface from the drop-down list.
Step 2 In the Unified Presence Server area, enter the private and public IP address for the Unified Presence server. Entering ports for these IP addresses is optional. By default port number 5061 is entered, which is the default TCP port for SIP inspection.
Step 3 In the FQDN field, enter the domain name for the Unified Presence server. This domain name is included in the certificate signing request that you generate later in this wizard.
Step 4 In the Public Network area, choose the interface of the public network from the drop-down list. The proxy uses this interface for configuring static PAT for the local Cisco Unified Presence server and for configuring ACLs to allow remote servers to access the Cisco Unified Presence server.
Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy
Within an enterprise, setting up a trust relationship is achievable by using self-signed certificates. The supports using self-signed certificates only at this step.
Step 1 In the ASA’s Identity Certificate area, click Generate and Export ASA’s Identity Certificate.
An information dialog box appears indicating that enrollment succeeded. In the Enrollment Status dialog box, click OK. The Export certificate dialog box appears.
Note ● If an identity certificate for the ASA has already been created, the button in this area appears as Export ASA’s Identity Certificate and the Export certificate dialog box immediately appears.
- When using the wizard to configure the Cisco Presence Federation proxy, the wizard only supports installing self-signed certificates.
Step 2 Export the identity certificate generated by the wizard for the ASA. See Exporting an Identity Certificate.
Step 3 Local Unified Presence Server’s Certificate area, click Install Server’s Certificate. The Install Certificate dialog appears.
Step 4 Locate the file containing the Cisco Unified Presence server certificate or paste the certificate details in the dialog box. See Installing a Certificate.
Note See the Cisco Unified Presence server documentation for information on how to export the certificate for this server.
Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy
Establishing a trust relationship across enterprises or across administrative domains is key for federation. Across enterprises you must use a trusted third-party CA (such as, VeriSign). The security appliance obtains a certificate with the FQDN of the Cisco Unified Presence server (certificate impersonation).
For the TLS handshake, the two entities, namely the local entity and a remote entity, could validate the peer certificate via a certificate chain to trusted third-party certificate authorities. The local entity and the remote entity enroll with the CAs. The ASA as the TLS proxy must be trusted by both the local and remote entities. The security appliance is always associated with one of the enterprises. Within that enterprise, the entity and the security appliance authenticate each other by using a self-signed certificate.
To establish a trusted relationship between the security appliance and the remote entity, the security appliance can enroll with the CA on behalf of the Cisco Unified Presence server for the local entity. In the enrollment request, the local entity identity (domain name) is used.
To establish the trust relationship, the security appliance enrolls with the third party CA by using the Cisco Unified Presence server FQDN as if the security appliance is the Cisco Unified Presence server.
Note If the ASA already has a signed identity certificate, you can skip Step 1 in this procedure and proceed directly to Step 2.
Step 1 In the ASA’s Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.
For information about specifying additional parameters for the certificate signing request (CSR), see Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy.
Information dialog boxes appear indicating that the wizard is delivering the settings to the ASA and retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.
For information about saving the CSR that was generated and submitting it to a CA, see Saving the Identity Certificate Request.
Step 2 Click Install ASA’s Identity Certificate. See Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers.
Step 3 Click Remote Server’s CA’s Certificate. The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate.
Note You must install a root CA certificate for each remote entity that communicates with the ASA because different organizations might be using different CAs.
The wizard completes by displaying a summary of the configuration created for the Presence Federation proxy.
Configuring the UC-IME by using the Unified Communication Wizard
Note The Unified Communication Wizard is supported for the ASA version 8.3(1) and later.
To configure the Cisco Intercompany Media Engine Proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. From the first page, select the Cisco Intercompany Media Engine Proxy option under the Business-to-Business section and click Next.
Note The Cisco Intercompany Media Engine Proxy does not appear as an option in the Unified Communication Wizard unless the license required for this proxy is installed on the ASA.
When using the wizard to create the Cisco Intercompany Media Engine Proxy, ASDM automatically creates the necessary TLS proxies, enables SIP inspection for Cisco Intercompany Media Engine traffic, generates address translation (static PAT) statements for local Cisco Unified Communications Manager servers, and creates ACLs to allow traffic between the local Cisco Unified Communications Manager servers and the remote servers.
The following steps provide the high-level overview for configuring the Cisco Intercompany Media Engine Proxy:
Step 1 Select the topology of the Cisco Intercompany Media Engine Proxy, namely whether the security appliance is an edge firewall with all Internet traffic flowing through it or whether the security appliance is off the path of the main Internet traffic (referred to as an off-path deployment). See Configuring the Topology for the Cisco Intercompany Media Engine Proxy.
Step 2 Specify private network settings such as the Cisco UCM IP addresses and the ticket settings. See Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy.
Step 3 Specify the public network settings. See Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy.
Step 4 Specify the media termination address settings of the Cisco UMC. See Configuring the Media Termination Address for Unified Communication Proxies.
Step 5 Configure the local-side certificate management, namely the certificates that are exchanged between the local Cisco Unified Communications Manager servers and the security appliance. See Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy.
Step 6 Configure the remote-side certificate management, namely the certificates that are exchanged between the remote server and the ASA. This certificate is presented to remote servers so that they can authenticate the ASA as a trusted server. See Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy.
The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany Media Engine.
Configuring the Topology for the Cisco Intercompany Media Engine Proxy
Step 1 Select the topology of your ICME deployment by clicking one of the following options:
In a basic deployment, the Cisco Intercompany Media Engine Proxy sits in-line with the Internet firewall such that all Internet traffic traverses the ASA. In this deployment, a single Cisco UCM or a Cisco UCM cluster is centrally deployed within the enterprise, along with a Cisco Intercompany Media Engine server (and perhaps a backup). A single Internet connection traverses the ASA, which is enabled with the Cisco Intercompany Media Engine Proxy.
The ASA sits on the edge of the enterprise and inspects SIP signaling by creating dynamic SIP trunks between enterprises.
In an off path deployment, inbound and outbound Cisco Intercompany Media Engine calls pass through an ASA enabled with the Cisco Intercompany Media Engine Proxy. The ASA is located in the DMZ and configured to support primarily Cisco Intercompany Media Engine. Normal Internet facing traffic does not flow through this ASA.
For all inbound calls, the signaling is directed to the ASA because destined Cisco UCMs are configured with the global IP address on the ASA. For outbound calls, the called party could be any IP address on the Internet; therefore, the ASA is configured with a mapping service that dynamically provides an internal IP address on the ASA for each global IP address of the called party on the Internet.
Cisco UCM sends all outbound calls directly to the mapped internal IP address on the ASA instead of the global IP address of the called party on the Internet. The ASA then forwards the calls to the global IP address of the called party.
Note When you configure the Cisco Intercompany Media Engine for an off-path deployment, you must ensure that the public IP addresses and ports of the Cisco Unified Communications Manager servers and the public IP address for the media termination address are accessible from the Internet. The summary page of the Unified Communication Wizard reminds you of the requirements.
Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy
When configuring the Cisco Intercompany Media Engine Proxy, you specify settings to define the private network topology, such the private network interface, the IP addresses of the Cisco Unified Communications servers, and ticket verification. Additionally, when the Cisco Unified Communications servers are operating in secure mode, you specify the X.509 subject name for the Cisco Intercompany Media Engine Proxy,
The values that you specify in this page generate the following configuration settings for the Cisco Intercompany Media Engine Proxy:
- The list of Cisco Unified Communications servers
- The ticket epoch and password used by the Cisco Intercompany Media Engine Proxy
- For an off-path deployment only, the mapping service on the same interface as the Cisco Unified Communications server
Step 1 To configure the Cisco Intercompany Media Engine Proxy as part of a basic deployment, select the interface that connects to the local Cisco Unified Communications servers.
To configure the Cisco Intercompany Media Engine Proxy as part of an off-path deployment, complete the following steps:
a. From the Listening Interface drop-down list, choose the interface on which the ASA listens for the mapping requests.
b. In the Port field, enter a number between 1024 and 65535 as the TCP port on which the ASA listens for the mapping requests. The port number must be 1024 or higher to avoid conflicts with other services on the device, such as Telnet or SSH. By default, the port number is TCP 8060.
c. From the UC-IME Interface drop-down list, choose the interface that the ASA uses to connect to the remote ASA that is enabled with the Cisco Intercompany Media Engine Proxy.
Note In a basic and an off-path deployment, all Cisco Unified Communications servers must be on the same interface.
Step 2 In the Unified CM Servers area, the wizard displays the private IP address, public IP address, and security mode of any Cisco Unified Communications server configured on the ASA. If necessary, click Add to add a Cisco Unified Communications server. You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine that has a SIP trunk enabled.
Step 3 In the Ticket Epoch field, enter a integer from 1-255.
The epoch indicates the number of times that password has changed. When the proxy is configured the first time and a password entered for the first time, enter 1 for the epoch integer. Each time you change the password, increment the epoch to indicate the new password. You must increment the epoch value each time your change the password. Typically, you increment the epoch sequentially; however, the security appliance allows you to choose any value when you update the epoch.
If you change the epoch value, the current password is invalidated and you must enter a new password.
Step 4 In the Ticket Password field, enter a minimum of 10 and a maximum of 64 printable character from the US-ASCII character set. The allowed characters include 0x21 to 0x73 inclusive, and exclude the space character. The ticket password is stored onto flash.
Note We recommend a password of at least 20 characters. Only one password can be configured at a time.
The epoch and password that you configure on the ASA must match the epoch and password configured on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media Engine server documentation for information.
Step 5 In the Confirm Password field, reenter the password.
Step 6 In the X.509 Subject Name field, enter the distinguished name (DN) of the local enterprise. The name that you enter must match the name configured for the Cisco Unified Communications servers in the cluster. See the Cisco Unified Communications server documentation for information.
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy
You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine Proxy that has a SIP trunk enabled.
Step 1 Enter the private IP address and port number (in the range 5000-6000) for the Cisco UCM server.
Step 2 In the Address Translation area, enter the public IP address for the Cisco UCM server.
Step 3 If necessary, enter the port number for the public IP address by clicking the Translate address and port radio button and entering a number (in the range 5000-6000) in the Port field.
Step 4 In the Security Mode area, click the Secure or Non-secure radio button. Specifying secure for Cisco UCM or Cisco UCM cluster indicates that Cisco UCM or Cisco UCM cluster is initiating TLS.
If you specify that some of the Cisco UCM servers are operating in secure mode, the Unified Communications Wizard includes a step in the proxy configuration to generate certificates for the local-side communication between the ASA and that Cisco UCM server. See Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy.
Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy
The public network configuration depends on the deployment scenario you selected in the topology step of this wizard. Specifically, when you are configuring the UC-IME proxy as part of an off-path deployment, this step of the wizard displays fields for address translation, requiring that you specify the private IP address for the UC-IME proxy. Specifying this private IP address, translates IP addresses for inbound traffic.
In an off-path deployment, any existing ASA that you have deployed in your environment are not capable of transmitting Cisco Intercompany Media Engine traffic. Therefore, off-path signaling requires that outside addresses translate to an inside (private) IP address. The inside interface address can be used for this mapping service configuration. For the Cisco Intercompany Media Engine Proxy, the ASA creates dynamic mappings for external addresses to the internal IP address.
The values that you specify in this page generate the following configuration settings for the Cisco Intercompany Media Engine Proxy:
- Static PAT for the Cisco Unified Communications servers
- ACLs for traffic between the local and the remote servers
Step 1 In the Configure public network area, choose an interface from the Interface drop-down list.
Step 2 When configuring an off-path deployment, in the Address Translation area, specify whether to use the private IP address for the public network.
Click the Specify IP address radio button and enter an IP address in the field.
Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy
Completing this step of the wizard generates a self-signed certificate for the ASA. The server proxy certificate is automatically generated using the subject name provided in an earlier step of this wizard.
The wizard supports using self-signed certificates only.
A trusted relationship between the ASA and the Cisco UMA server can be established with self-signed certificates. The certificates are used by the security appliance and the Cisco UCMs to authenticate each other, respectively, during TLS handshakes.
The ASA's identity certificate is exported, and then needs to be installed on each Cisco Unified Communications Manager (UCM) server in the cluster with the proxy and each identity certificate from the Cisco UCMs need to be installed on the security appliance.
This step in the Unified Communications Wizard only appears when the UC-IME proxy that you are creating has at least one secure Cisco Unified Communications Manager server defined. See Configuring the Topology for the Cisco Intercompany Media Engine Proxy for information.
Step 1 In the ASA’s Identity Certificate area, click Generate and Export ASA’s Identity Certificate.
An information dialog boxes appear indicating that the enrollment seceded. In the Enrollment Status dialog box, click OK. The Export certificate dialog box appears.
Note ● If an identity certificate for the ASA has already been created, the button in this area appears as Export ASA’s Identity Certificate and the Export certificate dialog box immediately appears.
- When using the wizard to configure the Cisco Intercompany Media Engine Proxy, the wizard only supports installing self-signed certificates.
Step 2 Export the identity certificate generated by the wizard for the ASA. See Exporting an Identity Certificate.
Step 3 In the Local Unified CM’s Certificate area, click Install Local Unified CM’s Certificate. The Install Certificate dialog appears.
Step 4 Locate the file containing the certificate from the Cisco Unified Communications Manager server or paste the certificate details in the dialog box. See Installing a Certificate. You must install the certificate from each Cisco Unified Communications Manager server in the cluster.
Note See the Cisco Intercompany Media Engine server documentation for information on how to export the certificate for this server.
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy
Establishing a trust relationship cross enterprises or across administrative domains is key. Cross enterprises you must use a trusted third-party CA (such as, VeriSign). The ASA obtains a certificate with the FQDN of the Cisco Unified Communications Manager server (certificate impersonation).
For the TLS handshake, the two entities could validate the peer certificate via a certificate chain to trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA as the TLS proxy must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that enterprise, the entity and the ASA could authenticate each other via a local CA, or by using self-signed certificates.
To establish a trusted relationship between the ASA and the remote entity, the ASA can enroll with the CA on behalf of the local enterprise. In the enrollment request, the local Cisco UCM identity (domain name) is used.
To establish the trust relationship, the ASA enrolls with the third party CA by using the Cisco Unified Communications Manager server FQDN as if the security appliance is the Cisco UCM.
Note If the ASA already has a signed identity certificate, you can skip Step 1 in this procedure and proceed directly to Step 3.
Step 1 In the ASA’s Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.
For information about specifying additional parameters for the certificate signing request (CSR), see Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy.
Information dialog boxes appear indicating that the wizard is delivering the settings to the ASA and retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.
For information about saving the CSR that was generated and submitting it to a CA, see Saving the Identity Certificate Request.
Step 2 In the ASA’s Identity Certificate area, click Install ASA’s Identity Certificate. Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers.
Step 3 In the Remote Server’s CA’s Certificate area, click Install Remote Server’s CA’s Certificate. Installing the root certificates of the CA for the remote servers is necessary so that the ASA can determine that the remote servers are trusted.
The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate.
Note You must install the root certificates only when the root certificates for the remote servers are received from a CA other than the one that provided the identity certificate for the ASA
The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany Media Engine.
Working with Certificates in the Unified Communication Wizard
This section includes the following topics:
- Exporting an Identity Certificate
- Installing a Certificate
- Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy
- Saving the Identity Certificate Request
- Installing the ASA Identity Certificate on the Mobility Advantage Server
- Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers
Exporting an Identity Certificate
The Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, or Cisco Intercompany Media Engine Proxy require that you export the ASA identity certificate to install on the Cisco Mobility Advantage server, Cisco Presence Federation server, and Cisco Unified Communications server, respectfully.
You use the wizard to export a self-signed identity certificate. The identity certificate has all associated keys and is in PKCS12 format, which is the public key cryptography standard. When configuring a Unified Communications proxy by using the wizard, you click the Generate and Export ASA’s Identify Certificate button while in the local-side or server-side certificate management step of the wizard. The Export certificate dialog box appears.
From the Export certificate dialog box, perform these steps:
Step 1 Enter the name of the PKCS12 format file to use in exporting the certificate configuration. Alternatively, click Browse to display the Export ID Certificate File dialog box to find the file to which you want to export the certificate configuration.
Step 2 Click Export Certificate to export the certificate configuration.
An information dialog box appears informing you that the certificate configuration file has been successfully exported to the location that you specified.
You complete the configuration of the Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, or Cisco Intercompany Media Engine Proxy, you must import the generated ASA identify certificate in to the Cisco Mobility Advantage server, Cisco Presence Federation server, and Cisco Unified Communications server, respectfully, depending on which proxy you are configuring.
See the documentation for the for each of these products for information about importing an identity certificate into each.
Installing a Certificate
When configuring certificates for the Phone Proxy, Cisco Mobility Advantage Proxy, the Cisco Presence Federation Proxy, and Cisco Intercompany Media Engine Proxy, you must install the certificates from the Cisco Unified Communications Manager servers, the Cisco Mobility Advantage server, the Cisco Presence Federation server, and the Cisco Unified Communications Manager servers, respectively, on the ASA. See the documentation for each of these products for information about obtaining the identity certificates from each.
When configuring the Cisco Phone Proxy, if LSC provisioning is required or you have LSC enabled IP phones, you must install the CAPF certificate from the Cisco UCM on the ASA. If the Cisco UCM has more than one CAPF certificate, you must import all of them to the ASA. See Enabling Certificate Authority Proxy Function (CAPF) for IP Phones.
Additionally, when configuring the Cisco Mobility Advantage Proxy, you use the Install Certificate dialog box to install the root certificate received from the certificate authority. The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the ASA to authenticate your signed identity certificate received from the certificate authority.
Note When using the wizard to configure the Unified Communications proxies, the wizard only supports installing self-signed certificates.
From the Install Certificate dialog box, perform these steps:
Step 1 Perform one of the following actions:
- To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
- To enroll manually, click the Paste certificate in PEM format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.
Step 2 Click Install Certificate.
An information dialog box appears informing you that the certificate was installed on the ASA successfully.
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy
When configuring certificates for the Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, or Cisco Intercompany Media Engine Proxy, you must generate and identity certificate request for the ASA.
Note If the ASA already has a signed identity certificate, you do not need to generate a CSR and can proceed directly to installing this certificate on the ASA. See Installing the ASA Identity Certificate on the Mobility Advantage Server and Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers for the steps to install the identity certificate.
The identify certificate that you receive is presented to the following entities for each of the Unified Communication Proxies:
- Unified Mobile Communicator clients for the Cisco Mobility Advantage Proxy
- Remote Presence Federation servers for the Cisco Presence Federation Proxy
- The remote ASAfor the Cisco Intercompany Media Engine Proxy
Before generating the CSR, you can enter additional parameters.
When configuring a Unified Communications proxy by using the wizard, you click the Generate CSR button while in the client-side or remote-side certificate management step of the wizard. The CSR Parameters dialog box appears.
In the CSR Parameters dialog box, perform the following steps:
Step 1 From the Key Pair Size drop-down list, choose the size required for you certificate.
The key size that you select depends on the level of security that you want to configure and on any limitations imposed by the CA from which you are obtaining the certificate. The larger the number that you select, the higher the security level will be for the certificate. Most CAs recommend 2048 for the key modulus size; however, GoDaddy requires a key modulus size of 2048.
Step 2 (Cisco Intercompany Media Engine Proxy only) In the CN field, enter the domain name used by your enterprise or network. The subject DN you configure for the Cisco Intercompany Media Engine Proxy must match the domain name that set in the local Cisco Unified Communications Manager server.
Note For the Cisco Mobility Advantage Proxy and Cisco Presence Federation Proxy, the wizard provides the common name (CN), which is the FQDN of the Cisco Mobility Advantage server or Cisco Unified Presence server, respectively.
Step 3 In the Additional DN Attributes field, enter an attribute.
C lick Select to display the Additional DN Attributes dialog box.
a. In the Additional DN Attributes dialog box, choose an attribute from the drop-down list.
b. Enter a value for the attribute.
c. Click Add. The attribute appears in the list.
d. Click OK to return to the CSR Parameters dialog box.
The value you added appears in the Additional DN Attributes field in the CSR Parameters dialog box.
Saving the Identity Certificate Request
After successfully generating the identity certificate request for one of the Unified Communications proxies, the Identity Certificate Request dialog box appears and prompts you to save the request.
Step 1 In the Save CSR to File field, enter the CSR file name and path; for example, c:\asa-csr.txt.
Step 2 Click OK. An information dialog box appears indicating the CSR was saved successfully.
Step 3 Click OK to close the dialog and return to the wizard.
Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website.
When the CA returns the signed identity certificate, rerun the Unified Communications Wizard. From the client-side or remote-side certificate management step of the wizard, click Install ASA’s Identity Certificate. See Installing the ASA Identity Certificate on the Mobility Advantage Server and Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers for the steps to install the identity certificate.
Installing the ASA Identity Certificate on the Mobility Advantage Server
When configuring certificates for the Cisco Mobility Advantage Proxy, you must install the ASA identity certificate on the Cisco Mobility Advantage server.
Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority’s certificate (referred to as the root certificate). However, some certificate authorities (for example, VeriSign) might also send you an intermediate certificate.
The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the ASA to authenticate your signed identity certificate received from the certificate authority.
If the certificate authority provided an intermediate certificate, you must enter the certificate text in the Intermediate Certificate (If Applicable) area of the Install ASA’s Identity Certificate dialog box.
For the Cisco Mobility Advantage Proxy, you install the root certificate in another dialog box. See Installing a Certificate for the steps to install the root certificate.
Step 1 In the Intermediate Certificate (If Applicable) area, perform on of the following actions:
- To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
- To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.
Step 2 In the ASA’s Identity Certificate area, perform on of the following actions:
- To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
- To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.
Step 3 Click Install Certificate.
Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers
When configuring certificates for the Cisco Presence Federation Proxy and Cisco Intercompany Media Engine Proxy, you must install the ASA identity certificate and the root certificate on the Cisco Presence Federation server and Cisco Intercompany Media Engine server, respectively.
Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority’s certificate (referred to as the root certificate). The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the ASA to authenticate your signed identity certificate received from the certificate authority.
Step 1 In the Root CA’s Certificate area, perform on of the following actions:
- To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
- To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.
Step 2 In the ASA’s Identity Certificate area, perform on of the following actions:
- To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
- To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.
Step 3 Click Install Certificate.