Name
|
Enter a name for the security profile. When you save the new profile, the name displays in the SIP Trunk Security Profile drop-down list in the Trunk Configuration window.
|
Description
|
Enter a description for the security profile. The description
can include up to 50 characters in any language, but it cannot include
double-quotes ("), percentage sign (%), ampersand (&), back-slash (\), or
angle brackets (<>).
|
Device Security Mode
|
From the drop-down list, choose one of the following options:
- Non Secure—No security features except image authentication apply. A TCP or UDP connection opens to Unified Communications Manager.
- Authenticated—Unified Communications Manager provides integrity and authentication for the trunk. A TLS connection that uses NULL/SHA opens.
- Encrypted—Unified Communications Manager provides integrity, authentication, and signaling encryption for the trunk. A TLS connection that uses AES128/SHA opens for signaling.
Note
|
If the trunks are configured with the Device Security Profile option set to Authenticated, Unified Communications Manager starts a TLS connection that uses the NULL_SHA cipher (no data encryption).
These trunks do not register or make calls if the destination devices do not support the NULL_SHA cipher.
For destination devices that do not support the NULL_SHA cipher, configure the trunks with the Device Security Profile
option set to Encrypted. With this device security profile, the trunks offer additional TLS ciphers that enable data encryption.
|
|
Incoming Transport Type
|
When Device Security Mode is Non Secure, TCP+UDP specifies the transport type.
When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.
Note
|
The Transport Layer Security (TLS) protocol secures the connection between Unified Communications Manager and the trunk.
|
|
Outgoing Transport Type
|
From the drop-down list, choose the outgoing transport mode.
When Device Security Mode is Non Secure, choose TCP or UDP.
When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.
Note
|
TLS ensures signaling integrity, device authentication, and signaling encryption for SIP trunks.
|
Note
|
Use UDP as the outgoing transport type only when connecting SIP trunks between Unified Communications Manager systems and other applications that do not support TCP. Otherwise, use TCP as the default option.
|
|
Enable Digest Authentication
|
Check this check box to enable digest authentication. If you check this check box, Unified Communications Manager challenges all SIP requests from the trunk.
Digest authentication does not provide device authentication, integrity, or confidentiality. Choose a security mode of Authenticated
or Encrypted to use these features.
Tip
|
Use digest authentication to authenticate SIP trunk users on trunks that are using TCP or UDP transport.
|
|
Nonce Validity Time
|
Enter the number of seconds that the nonce value is valid. The default value is 600 seconds (10 minutes). When the
time expires, Unified Communications Manager generates a new value.
Note
|
A nonce value, a random number that supports digest authentication, is used in calculating the MD5 hash of the digest authentication
password.
|
|
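The following Python program is an added illustration of the Enable Digest Authentication and Nonce Validity Time settings; it is not Cisco code and is not part of the original page. It computes the RFC 2617 digest response that SIP inherits from HTTP and models a server that issues nonces, rejects responses once the nonce has outlived the validity window, and re-challenges with a fresh nonce. The realm, user names, passwords and the `DigestChallenger` class are constructed for the example; the 600-second default comes from the field description.

```python
"""Digest authentication with a nonce validity window (added example, not Cisco code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Callable

NONCE_VALIDITY_SECONDS = 600   # the page's default (10 minutes)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop, the scheme SIP inherits from HTTP (RFC 3261).
    The password only enters through HA1; the nonce binds the response to one
    challenge, so a captured response is useless once that nonce expires."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestChallenger:
    """Toy server side of the exchange: issue nonces, expire them, verify responses.
    `clock` is injectable so the expiry logic can be exercised deterministically."""

    def __init__(self, realm: str, credentials: dict[str, str],
                 validity: int = NONCE_VALIDITY_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.realm = realm
        self.credentials = credentials        # username -> password (constructed)
        self.validity = validity
        self.clock = clock
        self.issued: dict[str, float] = {}    # nonce -> time it was issued

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)          # unpredictable, so it cannot be pre-computed
        self.issued[nonce] = self.clock()
        return nonce

    def verify(self, username: str, method: str, uri: str,
               nonce: str, response: str) -> str:
        """Return 'ok', or the reason the request is rejected / re-challenged."""
        issued_at = self.issued.get(nonce)
        if issued_at is None:
            return "unknown-nonce"
        if self.clock() - issued_at > self.validity:
            del self.issued[nonce]             # expired: the server issues a fresh nonce
            return "stale-nonce"
        password = self.credentials.get(username)
        if password is None:
            return "unknown-user"
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return "ok" if hmac.compare_digest(expected, response) else "bad-credentials"


if __name__ == "__main__":
    # Constructed walk-through: one good response, then the same response after expiry.
    now = [1000.0]
    server = DigestChallenger("cucm.example", {"trunkuser": "s3cret"}, clock=lambda: now[0])
    nonce = server.new_nonce()
    resp = digest_response("trunkuser", "cucm.example", "s3cret", "INVITE",
                           "sip:1000@cucm.example", nonce)
    print(server.verify("trunkuser", "INVITE", "sip:1000@cucm.example", nonce, resp))
    now[0] += NONCE_VALIDITY_SECONDS + 1
    print(server.verify("trunkuser", "INVITE", "sip:1000@cucm.example", nonce, resp))
```

The verification order matters: the nonce is checked before any credential is touched, so an expired or never-issued nonce is rejected without revealing whether the user exists, and a constant-time comparison is used for the digest itself.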
Secure Certificate Subject or Subject Alternate Name
|
This field applies if you configured TLS for the incoming and outgoing transport type.
For device authentication, enter the Secure Certificate Subject or Subject Alternate Name from the certificate of the
SIP trunk device. If you have a Unified Communications Manager cluster, or if you use SRV lookup for the TLS peer, a single trunk may resolve to multiple hosts, which results in multiple
Secure Certificate Subject or Subject Alternate Names for the trunk. If multiple Secure Certificate Subject or Subject Alternate
Names exist, separate them with one of the following characters: space, comma, semicolon, or colon.
You can enter up to 4096 characters in this field.
Tip
|
The subject name corresponds to the source connection TLS certificate. Ensure that each combination of subject name and incoming
port is unique: you cannot assign the same subject name and incoming port combination to different SIP trunks. Example: SIP
TLS trunk1 on port 5061 has Secure Certificate Subject or Subject Alternate Name my_cm1, my_cm2. SIP TLS trunk2 on port 5071
has Secure Certificate Subject or Subject Alternate Name my_cm2, my_cm3. SIP TLS trunk3 on port 5061 can have Secure Certificate
Subject or Subject Alternate Name my_ccm4 but cannot have Secure Certificate Subject or Subject Alternate Name my_cm1.
|
|
Incoming Port
|
Choose the incoming port. Enter a unique port
number from 0-65535. The default port for incoming TCP and UDP SIP
messages is 5060. The default SIP secured port for incoming TLS messages
is 5061. The value that you enter applies to all SIP trunks that use the
profile.
Tip
|
All SIP trunks that use TLS can share the same incoming port; all SIP trunks that use TCP + UDP can share the same incoming
port. You cannot mix SIP TLS transport trunks with SIP non-TLS transport trunk types on the same port.
|
|
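As an added example (not Cisco code and not part of the original page), the Python validator below checks the two rules from the tips above: each subject name and incoming port combination belongs to only one TLS trunk, and TLS trunks never share an incoming port with TCP or UDP trunks. It also splits the Secure Certificate Subject or Subject Alternate Name field on the separators the field accepts and enforces its 4096-character limit and the 0-65535 port range. The `Trunk` class, the function names and the trunk objects are constructed for illustration; the sample data is the page's own trunk1/trunk2/trunk3 example.

```python
"""Validator for subject-name and incoming-port rules (added example, not Cisco code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

MAX_SUBJECT_FIELD_LEN = 4096          # field limit stated on the page
SEPARATORS = re.compile(r"[ ,;:]+")   # space, comma, semicolon or colon


def parse_subject_names(raw: str) -> list[str]:
    """Split the field value into individual subject names."""
    if len(raw) > MAX_SUBJECT_FIELD_LEN:
        raise ValueError(f"field longer than {MAX_SUBJECT_FIELD_LEN} characters")
    return [n for n in SEPARATORS.split(raw.strip()) if n]


@dataclass
class Trunk:
    """Hypothetical model of one SIP trunk and its security profile settings."""
    name: str
    transport: str                 # "TLS", "TCP", "UDP" or "TCP+UDP"
    incoming_port: int
    subject_names: list[str] = field(default_factory=list)


def find_conflicts(trunks: list[Trunk]) -> list[str]:
    """Return a human-readable description of every rule violation found."""
    problems: list[str] = []

    for t in trunks:
        if not 0 <= t.incoming_port <= 65535:
            problems.append(f"{t.name}: incoming port {t.incoming_port} outside 0-65535")

    # Rule 1: a (subject name, incoming port) pair belongs to at most one TLS trunk.
    owner: dict[tuple[str, int], str] = {}
    for t in trunks:
        if t.transport != "TLS":
            continue
        for n in t.subject_names:
            key = (n, t.incoming_port)
            if key in owner and owner[key] != t.name:
                problems.append(
                    f"{t.name}: subject {n!r} on port {t.incoming_port} already used by {owner[key]}")
            owner.setdefault(key, t.name)

    # Rule 2: TLS trunks and non-TLS (TCP/UDP) trunks must not share an incoming port.
    kinds_by_port: dict[int, set[str]] = {}
    for t in trunks:
        kind = "TLS" if t.transport == "TLS" else "non-TLS"
        kinds_by_port.setdefault(t.incoming_port, set()).add(kind)
    for port, kinds in sorted(kinds_by_port.items()):
        if len(kinds) > 1:
            problems.append(f"port {port}: TLS and non-TLS trunks share the same incoming port")

    return problems


if __name__ == "__main__":
    # The page's example, with trunk3 configured the way the tip says is not allowed.
    trunks = [
        Trunk("trunk1", "TLS", 5061, parse_subject_names("my_cm1, my_cm2")),
        Trunk("trunk2", "TLS", 5071, parse_subject_names("my_cm2; my_cm3")),
        Trunk("trunk3", "TLS", 5061, parse_subject_names("my_cm1")),
    ]
    for problem in find_conflicts(trunks):
        print(problem)
```

Note that my_cm2 appearing on both trunk1 (port 5061) and trunk2 (port 5071) is accepted, because the rule is on the pair of subject name and port, not on the subject name alone.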
Enable Application Level Authorization
|
Application-level authorization applies to applications that are connected through the SIP trunk.
If you check this check box, you must also check the Enable Digest Authentication check box and configure digest authentication for the trunk. Unified Communications Manager authenticates a SIP application user before checking the allowed application methods.
When application-level authorization is enabled, trunk-level authorization occurs first and application-level authorization
then occurs, which means that Unified Communications Manager checks the methods that are authorized for the trunk (in this security profile) before the methods that are authorized for
the SIP application user in the Application User Configuration window.
Tip
|
Consider using application-level authorization if you do not trust the identity of the application or if the application is
not trusted on a particular trunk; that is, application requests may come from a different trunk than you expect.
|
|
Accept Presence Subscription
|
If you want Unified Communications Manager to accept presence subscription requests that come via the SIP trunk, check this check box.
If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Presence Subscription check box for any application users that are authorized for this feature.
When application-level authorization is enabled, if you check the Accept Presence Subscription check box for the application user but not for the trunk, a 403 error message gets sent to the SIP user agent that is connected
to the trunk.
|
Accept Out-of-Dialog Refer
|
If you want Unified Communications Manager to accept incoming non-INVITE, Out-of-Dialog REFER requests that come via the SIP trunk, check this check box.
If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Out-of-Dialog Refer check box for any application users that are authorized for this method.
|
Accept Unsolicited Notification
|
If you want Unified Communications Manager to accept incoming non-INVITE, unsolicited notification messages that come via the SIP trunk, check this check box.
If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Unsolicited Notification check box for any application users that are authorized for this method.
|
Accept Replaces Header
|
If you want Unified Communications Manager to accept new SIP dialogs that replace existing SIP dialogs, check this check box.
If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Header Replacement check box for any application users that are authorized for this method.
|
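The Python model below is an added example, not Cisco code and not part of the original page, of the two-stage authorization described for Enable Application Level Authorization and the four Accept check boxes above: the trunk's own profile is consulted first, then, only when application-level authorization is on, the SIP application user. The `Profile`, `AppUser` and `Request` classes and the function names are constructed for illustration. The page states a 403 response only for the presence-subscription case; this example assumes the same response for the other gated methods. Classifying a REFER or NOTIFY as out-of-dialog by the absence of a tag on the To header is a standard SIP rule and is the one simplification made here.

```python
"""Two-stage (trunk, then application user) authorization model (added example, not Cisco code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    """Hypothetical model of the SIP trunk security profile check boxes."""
    enable_digest_authentication: bool = False
    enable_application_level_authorization: bool = False
    accept_presence_subscription: bool = False
    accept_out_of_dialog_refer: bool = False
    accept_unsolicited_notification: bool = False
    accept_replaces_header: bool = False


@dataclass(frozen=True)
class AppUser:
    """Hypothetical model of the matching check boxes on the application user."""
    name: str
    accept_presence_subscription: bool = False
    accept_out_of_dialog_refer: bool = False
    accept_unsolicited_notification: bool = False
    accept_replaces_header: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    headers: dict   # header name (lower-case) -> value


def validate_profile(p: Profile) -> None:
    """Application-level authorization requires digest authentication (as the page states)."""
    if p.enable_application_level_authorization and not p.enable_digest_authentication:
        raise ValueError("Enable Application Level Authorization requires Enable Digest Authentication")


def gated_feature(req: Request) -> Optional[str]:
    """Map a request to the check box that gates it, or None if this profile does not gate it.
    A request outside any dialog carries no tag on its To header."""
    in_dialog = "tag=" in req.headers.get("to", "")
    if req.method == "SUBSCRIBE" and req.headers.get("event", "").split(";")[0] == "presence":
        return "accept_presence_subscription"
    if req.method == "REFER" and not in_dialog:
        return "accept_out_of_dialog_refer"
    if req.method == "NOTIFY" and not in_dialog:
        return "accept_unsolicited_notification"
    if req.method == "INVITE" and "replaces" in req.headers:
        return "accept_replaces_header"
    return None


def authorize(profile: Profile, user: Optional[AppUser], req: Request) -> tuple[int, str]:
    """Return (SIP status code, reason). 403 is assumed for every rejected gated method."""
    validate_profile(profile)
    feature = gated_feature(req)
    if feature is None:
        return 200, "not gated by this profile"
    # Stage 1: the trunk's security profile is checked first.
    if not getattr(profile, feature):
        return 403, f"trunk profile does not allow {feature}"
    # Stage 2: with application-level authorization, the application user is checked next.
    if profile.enable_application_level_authorization:
        if user is None:
            return 403, "no authenticated application user"
        if not getattr(user, feature):
            return 403, f"application user {user.name} not authorized for {feature}"
    return 200, "authorized"


if __name__ == "__main__":
    # Constructed case from the page: user allows presence, trunk does not -> 403.
    trunk = Profile(enable_digest_authentication=True, enable_application_level_authorization=True)
    app = AppUser("presence-app", accept_presence_subscription=True)
    sub = Request("SUBSCRIBE", {"to": "<sip:1000@cucm.example>", "event": "presence"})
    print(authorize(trunk, app, sub))
```

The order is the point: a permission granted on the application user never widens what the trunk profile allows, so the profile is the outer boundary and the application user can only narrow it further.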
Transmit Security Status
|
If you want Unified Communications Manager to transmit the security icon status of a call from the associated SIP trunk to the SIP peer, check this check box.
Default: This box is not checked.
|
SIP V.150 Outbound SDP Offer Filtering
|
From the drop-down list, select one of the following filter options:
- Use Default Filter—The SIP trunk uses the default filter that is indicated in the SIP V.150 Outbound SDP Offer Filtering service parameter. To locate the service parameter, go to in Cisco Unified Communications Manager Administration.
- No Filtering—The SIP trunk performs no filtering of V.150 SDP lines in outbound offers.
- Remove MER V.150—The SIP trunk removes V.150 MER SDP lines in outbound offers. Select this option to reduce ambiguity when the trunk is connected to a pre-MER V.150 Unified Communications Manager.
- Remove Pre-MER V.150—The SIP trunk removes any non-MER compliant V.150 lines in outbound offers. Select this option to reduce ambiguity when your cluster is contained in a network of MER-compliant devices that are incapable of processing offers with pre-MER lines.
|