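Introduction
This document describes how to secure Session Initiation Protocol (SIP) signaling in the Contact Center Enterprise (CCE) comprehensive call flow.
Prerequisites
Certificate generation and import are outside the scope of this document, so the certificates for Cisco Unified Communications Manager (CUCM), the Customer Voice Portal (CVP) call server, Cisco Virtualized Voice Browser (CVVB), and Cisco Unified Border Element (CUBE) must already be created and imported into the respective components. If you use self-signed certificates, the certificates must be exchanged between the different components.
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on Package Contact Center Enterprise (PCCE), CVP, CVVB, and CUCM version 12.6, but it also applies to earlier versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
The next diagram shows the components that take part in SIP signaling in the contact center comprehensive call flow. When a voice call comes into the system, it first passes through the ingress gateway or CUBE, so the secure SIP configuration starts on CUBE. Next, configure CVP, CVVB, and CUCM.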
![Inbound SIP Call Flow](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-00.png)
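Task 1. CUBE Secure Configuration
In this task, configure CUBE to secure the SIP protocol messages.
Required configurations:
- Configure a default trustpoint for the SIP User Agent (UA)
- Modify the dial-peers to use Transport Layer Security (TLS)
Steps:
- Open a Secure Shell (SSH) session to CUBE.
- Run these commands so that the SIP stack uses the Certificate Authority (CA) certificate of the CUBE. CUBE establishes SIP TLS connections with CUCM (198.18.133.3) and CVP (198.18.133.13).
```
conf t
sip-ua
transport tcp tls v1.2
crypto signaling remote-addr 198.18.133.3 255.255.255.255 trustpoint ms-ca-name
crypto signaling remote-addr 198.18.133.13 255.255.255.255 trustpoint ms-ca-name
exit
```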
![CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-01.png)
- Run these commands to enable TLS on the outgoing dial-peer to CVP. In this example, dial-peer tag 6000 is used to route calls to CVP.
```
conf t
dial-peer voice 6000 voip
session target ipv4:198.18.133.13:5061
session transport tcp tls
exit
```
![CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-02.png)
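An added example (not part of the original Cisco document): a Python check over a saved CUBE running-config that confirms the Task 1 settings are in place, that is, TLS 1.2 under sip-ua, a crypto signaling trustpoint for each TLS peer, and `session transport tcp tls` on every dial-peer that targets port 5061. The sample configuration is constructed from the commands above, dial-peer 6001 is hypothetical, and the check assumes TLS transport is set per dial-peer as on this page rather than globally.

```python
import re
# Constructed sample: the CUBE commands from this page, plus a hypothetical
# dial-peer 6001 that targets port 5061 but was left on plain TCP.
SAMPLE_CONFIG = """\
sip-ua
 transport tcp tls v1.2
 crypto signaling remote-addr 198.18.133.3 255.255.255.255 trustpoint ms-ca-name
 crypto signaling remote-addr 198.18.133.13 255.255.255.255 trustpoint ms-ca-name
!
dial-peer voice 6000 voip
 session target ipv4:198.18.133.13:5061
 session transport tcp tls
!
dial-peer voice 6001 voip
 session target ipv4:198.18.133.3:5061
 session transport tcp
!
"""

def audit_cube_sip_tls(config):
    """Return a list of findings; an empty list means every check passed."""
    trusted, peers = set(), {}   # trustpoint peers; dial-peer tag -> settings
    section, tls12 = None, False
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not raw.startswith(" "):              # unindented line opens a section
            m = re.match(r"dial-peer voice (\d+) voip", line)
            section = "sip-ua" if line == "sip-ua" else (m.group(1) if m else None)
            if m:
                peers[section] = {"ip": None, "port": None, "transport": None}
        elif section == "sip-ua":
            tls12 = tls12 or line == "transport tcp tls v1.2"
            m = re.match(r"crypto signaling remote-addr (\S+) \S+ trustpoint \S+", line)
            if m:
                trusted.add(m.group(1))
        elif section in peers:
            m = re.match(r"session target ipv4:([\d.]+)(?::(\d+))?", line)
            if m:
                peers[section]["ip"], peers[section]["port"] = m.groups()
            elif line.startswith("session transport "):
                peers[section]["transport"] = line.split(None, 2)[2]
    findings = [] if tls12 else ["sip-ua: 'transport tcp tls v1.2' is missing"]
    # Audit only the dial-peers aimed at the secure SIP port.
    for tag, p in sorted((t, p) for t, p in peers.items() if p["port"] == "5061"):
        if p["transport"] != "tcp tls":
            findings.append(f"dial-peer {tag}: target {p['ip']}:5061 without 'session transport tcp tls'")
        if p["ip"] not in trusted:
            findings.append(f"dial-peer {tag}: no 'crypto signaling remote-addr {p['ip']}' trustpoint")
    return findings
```

Calling `audit_cube_sip_tls(SAMPLE_CONFIG)` reports only the hypothetical dial-peer 6001; the configuration taken from this page produces no findings.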
Task 2. CVP Secure Configuration
In this task, configure the CVP call server to secure the SIP protocol messages (SIP TLS).
Steps:
- Log in to UCCE Web Administration.
- Navigate to Call Settings > Route Settings > SIP Server Group.
![SIP Server Group Configuration on CCE Admin Portal](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-03.png)
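Based on your configuration, you have SIP Server Groups configured for CUCM, CVVB, and CUBE. You need to set the secure SIP port to 5061 for all of them. In this example, these SIP server groups are used:
- cucm1.dcloud.cisco.com for CUCM
- vvb1.dcloud.cisco.com for CVVB
- cube1.dcloud.cisco.com for CUBE
- Click cucm1.dcloud.cisco.com, and then open the Members tab, which shows the details of the SIP Server Group configuration. Set SecurePort to 5061 and click Save.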
![Setting Secure SIP Port for CUCM Server Group](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-04.png)
- Click vvb1.dcloud.cisco.com, and then open the Members tab. Set SecurePort to 5061 and click Save.
![Setting Secure SIP Port for VVB Server Group](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-05.png)
Task 3. CVVB Secure Configuration
In this task, configure CVVB to secure the SIP protocol messages (SIP TLS).
Steps:
- Log in to the Cisco VVB Administration page.
- Navigate to System > System Parameters.
![VVB System Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-06.png)
- In the Security Parameters section, choose Enable for TLS(SIP). Keep Supported TLS(SIP) version as TLSv1.2.
![VVB Security Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-07.png)
- Click Update. Click Ok when prompted to restart the CVVB engine.
![Update Security Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-08.png)
- These changes require a restart of the Cisco VVB engine. To restart the VVB engine, navigate to Cisco VVB Serviceability and click Go.
![Cisco VVB Serviceability](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-09.png)
- Navigate to Tools > Control Center – Network Services.
![Control Center - Network Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-10.png)
- Choose Engine and click Restart.
![Control Center - Network Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-11.png)
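Task 4. CUCM Secure Configuration
To secure SIP messages on CUCM, perform these configurations:
- Set the CUCM security mode to mixed mode
- Configure SIP trunk security profiles for CUBE and CVP
- Associate the SIP trunk security profiles with the respective SIP trunks
- Secure agents' device communication with CUCM
Set CUCM Security Mode to Mixed Mode
CUCM supports two security modes:
Steps:
- To set the security mode to mixed mode, log in to the Cisco Unified CM Administration interface.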
![CUCM Administration Interface](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-12.png)
- After you successfully log in to CUCM, navigate to System > Enterprise Parameters.
![CUCM Enterprise Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-13.png)
- Under the Security Parameters section, check whether Cluster Security Mode is set to 0.
![CUCM Security Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-14.png)
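- If Cluster Security Mode is set to 0, the cluster security mode is set to non-secure. You need to enable mixed mode from the CLI.
- Open an SSH session to CUCM.
- After you successfully log in to CUCM via SSH, run this command:
```
utils ctl set-cluster mixed-mode
```
- Type y and press Enter when prompted. This command sets the cluster security mode to mixed mode.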
![CUCM SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-15.png)
- For the changes to take effect, restart the Cisco CallManager and Cisco CTIManager services.
- To restart the services, navigate to and log in to Cisco Unified Serviceability.
![Cisco Unified Serviceability](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-16.png)
- After you successfully log in, navigate to Tools > Control Center – Feature Services.
![Control Center - Feature Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-17.png)
- Choose the server and click Go.
![Select Server](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-18.png)
- Under CM Services, choose Cisco CallManager and click the Restart button.
![Restarting Cisco Call Manager Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-19.png)
- Confirm the pop-up message and click OK. Wait for the service to restart successfully.
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-20.png)
- After Cisco CallManager restarts successfully, choose Cisco CTIManager and click the Restart button to restart the Cisco CTIManager service.
![Restarting Cisco CTI Manager Service](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-21.png)
- Confirm the pop-up message and click OK. Wait for the service to restart successfully.
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-22.png)
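- After the services restart successfully, verify that the cluster security mode is set to mixed mode: navigate to CUCM administration as explained in step 5, and then check Cluster Security Mode. It must now be set to 1.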
![Cluster Security Mode is to the Value of '1'](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-23.png)
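Configure SIP Trunk Security Profiles for CUBE and CVP
Steps:
- Log in to the CUCM administration interface.
- After you successfully log in to CUCM, navigate to System > Security > SIP Trunk Security Profile in order to create a device security profile for CUBE.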
![CUCM SIP Trunk Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-24.png)
- At the top left, click Add New in order to add a new profile.
![Add New CUCM SIP Trunk Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-25.png)
- Configure SIP Trunk Security Profile as shown in this image, and then click Save at the bottom left of the page to save it.
![Add CUCM SIP Trunk Security Profile for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-26.png)
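5. Ensure that Secure Certificate Subject or Subject Alternate Name is set to the Common Name (CN) of the CUBE certificate, because it must match.
6. Click the Copy button and change Name to SecureSipTLSforCVP and Secure Certificate Subject to the CN of the CVP call server certificate, because it must match. Click the Save button.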
![Add CUCM SIP Trunk Security Profile for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-27.png)
Associate SIP Trunk Security Profiles with the Respective SIP Trunks
Steps:
- On the CUCM administration page, navigate to Device > Trunk.
![CUCM Trunk Configuration for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-28.png)
- Search for the CUBE trunk. In this example, the CUBE trunk name is vCube. Click Find.
![Find SIP Trunks on CUCM for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-29.png)
- Click vCUBE to open the vCUBE trunk configuration page.
- Scroll down to the SIP Information section and change Destination Port to 5061.
- Change SIP Trunk Security Profile to SecureSIPTLSForCube.
![SIP Trunk Configuration for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-30.png)
- Click Save and then Reset in order to save and apply the changes.
![Save Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-31.png)
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-32.png)
- Navigate to Device > Trunk and search for the CVP trunk. In this example, the CVP trunk name is cvp-SIP-Trunk. Click Find.
![CUCM Trunk Configuration for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-33.png)
- Click CVP-SIP-Trunk to open the CVP trunk configuration page.
- Scroll down to the SIP Information section and change Destination Port to 5061.
- Change SIP Trunk Security Profile to SecureSIPTLSForCvp.
![Find SIP Trunks on CUCM for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-34.png)
- Click Save and then Reset in order to save and apply the changes.
![SIP Trunk Configuration for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-35.png)
![Save Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-36.png)
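Secure Agents' Device Communication with CUCM
To enable security features for a device, you must install a Locally Significant Certificate (LSC) and assign a security profile to that device. The LSC holds the public key of the endpoint, which is signed by the Certificate Authority Proxy Function (CAPF) private key. It is not installed on phones by default.
Steps:
- Log in to the Cisco Unified Serviceability Interface.
- Navigate to Tools > Service Activation.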
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-37.png)
- Choose the CUCM server and click Go.
![CUCM Service Activation](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-38.png)
- Check Cisco Certificate Authority Proxy Function and click Save to activate the service. Click Ok to confirm.
![Select Server](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-39.png)
- Ensure that the service is activated, and then navigate to Cisco Unified CM Administration.
![Activate Cisco Certificate Authority Proxy Function Service](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-40.png)
- After you successfully log in to CUCM administration, navigate to System > Security > Phone Security Profile in order to create a device security profile for the agent device.
![CUCM Administration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-41.png)
- Find the security profile that corresponds to your agent device type. In this example, a softphone is used, so choose Cisco Unified Client Services Framework - Standard SIP Non-Secure Profile. Click Copy in order to copy this profile.
![Copy Existing Phone Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-43.png)
- Rename the profile to Cisco Unified Client Services Framework - Secure Profile, change the parameters as shown in this image, and then click Save at the top left of the page.
![Add New Phone Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-44.png)
- After the phone device profile is created successfully, navigate to Device > Phone.
![Phone Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-45.png)
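- Click Find to list all available phones, and then click the agent phone.
- The agent phone configuration page opens. Find the Certification Authority Proxy Function (CAPF) Information section. To install the LSC, set Certificate Operation to Install/Upgrade and Operation Completes by to any future date.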
![Setting CAPF Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-46.png)
- Find the Protocol Specific Information section. Change Device Security Profile to Cisco Unified Client Services Framework – Secure Profile.
![Assigning Device Security Profile to IP Phone](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-47.png)
- Click Save at the top left of the page. Ensure that the changes are saved successfully, and then click Reset.
![Save Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-48.png)
- A pop-up window opens; click Reset to confirm the action.
![Phone Reset](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-49.png)
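- After the agent device registers with CUCM again, refresh the current page and verify that the LSC is installed successfully. Check the Certification Authority Proxy Function (CAPF) Information section: Certificate Operation must be set to No Pending Operation, and Certificate Operation Status must be set to Upgrade Success.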
![CAPF Information is Updated](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-50.png)
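- Refer to steps 7-13 to secure the other agent devices that you want to use secure SIP with CUCM.
Verify
To verify that SIP signaling is properly secured, perform these steps:
- Open an SSH session to vCUBE, run the command show sip-ua connections tcp tls detail, and confirm that no TLS connection is currently established with CVP (198.18.133.13).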
![show sip-ua connections tcp tls detail Output on CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-51.png)
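Note: At this point, there is only one active TLS session, with CUCM (198.18.133.3), for the SIP options enabled on CUCM. If SIP options are not enabled, no SIP TLS connection exists.
- Log in to CVP and start Wireshark.
- Make a test call to the contact center number.
- Navigate to the CVP session; in Wireshark, run this filter to check the SIP signaling with CUBE:
```
ip.addr == 198.18.133.226 && tls && tcp.port==5061
```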
![Packet Capture Filtering CVP Secure SIP Signals Between CVP and CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-52.png)
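Check: Is a SIP over TLS connection established? If yes, the output confirms that SIP signaling between CVP and CUBE is secured.
5. Check the SIP TLS connection between CVP and CVVB. In the same Wireshark session, run this filter:
```
ip.addr == 198.18.133.143 && tls && tcp.port==5061
```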
![Packet Capture Filtering CVP Secure SIP Signals Between CVP and VVB](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-53.png)
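Check: Is a SIP over TLS connection established? If yes, the output confirms that SIP signaling between CVP and CVVB is secured.
6. You can also verify the SIP TLS connection with CVP from CUBE. Navigate to the vCUBE SSH session and run this command to check the secure SIP signaling:
```
show sip-ua connections tcp tls detail
```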
![SIP TLS Connection Between CVP and CUBE from CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-54.png)
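Check: Is a SIP over TLS connection established with CVP? If yes, the output confirms that SIP signaling between CVP and CUBE is secured.
7. At this moment, the call is active and you hear Music on Hold (MOH), because no agent is available to answer the call.
8. Make the agent available to answer the call.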
![Make Agent Ready on Finesse Agent Desktop](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-55.png)
9. The agent is reserved and the call is routed to him/her. Click Answer to answer the call.
![Answer Incoming Call on Finesse Desktop](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-56.png)
10. The call connects to the agent.
11. To verify the SIP signaling between CVP and CUCM, navigate to the CVP session and run this filter in Wireshark:
```
ip.addr == 198.18.133.3 && tls && tcp.port==5061
```
![Packet Capture Filtering Secure SIP Signals between CVP and CUCM](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-57.png)
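Check: Is all SIP communication with CUCM (198.18.133.3) over TLS? If yes, the output confirms that SIP signaling between CVP and CUCM is secured.
Troubleshoot
If TLS is not established, run these commands on CUBE to enable TLS debugging for troubleshooting:
```
debug ssl openssl errors
debug ssl openssl msg
debug ssl openssl states
```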