Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Using the Cisco Unified Communication Wizard


Table Of Contents

Using the Cisco Unified Communication Wizard

Information about the Cisco Unified Communication Wizard

Licensing Requirements for the Unified Communication Wizard

Guidelines and Limitations

Configuring the Mobility Advantage by using the Unified Communication Wizard

Configuring the Topology for the Cisco Mobility Advantage Proxy

Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy

Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy

Configuring the Presence Federation Proxy by using the Unified Communication Wizard

Configuring the Topology for the Cisco Presence Federation Proxy

Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy

Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy

Configuring the UC-IME by using the Unified Communication Wizard

Configuring the Topology for the Cisco Intercompany Media Engine Proxy

Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy

Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy

Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy

Configuring the Media Termination Address for the Cisco Intercompany Media Engine Proxy

Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy

Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy

Working with Certificates in the Unified Communication Wizard

Exporting an Identity Certificate

Installing a Certificate

Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy

Saving the Identity Certificate Request

Installing the ASA Identity Certificate on the Mobility Advantage Server

Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers


Using the Cisco Unified Communication Wizard


This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.

This chapter includes the following sections:

Information about the Cisco Unified Communication Wizard

Licensing Requirements for the Unified Communication Wizard

Guidelines and Limitations

Configuring the Mobility Advantage by using the Unified Communication Wizard

Configuring the Presence Federation Proxy by using the Unified Communication Wizard

Configuring the UC-IME by using the Unified Communication Wizard

Working with Certificates in the Unified Communication Wizard

Information about the Cisco Unified Communication Wizard


Note The Unified Communication Wizard is supported for the adaptive security appliance version 8.3(1) and later.


The Unified Communication Wizard assists you in configuring the following Unified Communications proxies on the adaptive security appliance:

Cisco Mobility Advantage Proxy

See Configuring the Mobility Advantage by using the Unified Communication Wizard.

Cisco Presence Federation Proxy

See Configuring the Presence Federation Proxy by using the Unified Communication Wizard.

Cisco Intercompany Media Engine Proxy

See Configuring the UC-IME by using the Unified Communication Wizard.

The wizard simplifies the configuration of the Unified Communications proxies in the following ways:

You enter all required data in the wizard steps. You are not required to navigate various ASDM screens to configure the Unified Communications proxies.

The wizard generates configuration settings for the Unified Communications proxies automatically where possible, without requiring you to enter data. For example, the wizard configures the required access lists, IP address translation (NAT and PAT) statements, self-signed certificates, TLS proxies, and application inspection.

The wizard displays network diagrams to illustrate data collection.

To access the Unified Communication Wizard, choose one of the following paths in the main ASDM application window:

Wizards > Unified Communication Wizard.

Configuration > Firewall > Unified Communications, and then click Unified Communication Wizard.

Mobility Advantage Proxy: Secure connectivity between Cisco Mobility Advantage server and Cisco Unified Mobile Communicator clients

Cisco Mobility Advantage solutions include the Cisco Unified Mobile Communicator (Cisco UMC), an easy-to-use software application for mobile handsets that extends enterprise communications applications and services to mobile phones and the Cisco Unified Mobility Advantage (Cisco UMA) server. The Cisco Mobility Advantage solution streamlines the communication experience, enabling single number reach and integration of mobile endpoints into the Unified Communications infrastructure.

The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.

Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and Cisco/Microsoft Presence servers

The Cisco Unified Presence solution collects information about the availability and status of users, such as whether they are using communication devices (for example, IP phones) at particular times. It also collects information about their communications capabilities, such as whether web collaboration or video conferencing is enabled. Using the user information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco UCM can improve productivity by helping users connect with colleagues more efficiently, determining the most effective way to communicate and collaborate.

Using the adaptive security appliance as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-enterprise communications. The security appliance terminates the TLS connectivity between the servers, and can inspect and apply policies for the SIP communications between the servers.

Cisco Intercompany Media Engine Proxy: Secure connectivity between Cisco UCM servers in different enterprises for IP Phone traffic

As more unified communications are deployed within enterprises, cases where business-to-business calls use unified communications on both sides with the Public Switched Telephone Network (PSTN) in the middle become increasingly common. All outside calls go over circuits to telephone providers and from there are delivered to all external destinations.

The Cisco Intercompany Media Engine (UC-IME) gradually creates dynamic, encrypted VoIP connections between businesses, so that a collection of enterprises that work together end up looking like one giant business with secure VoIP interconnections between them.

There are three components to a Cisco Intercompany Media Engine deployment within an enterprise: a Cisco Intercompany Media Engine server, a call agent (the Cisco Unified Communications Manager) and an adaptive security appliance running the Cisco Intercompany Media Engine Proxy.

The adaptive security appliance provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An adaptive security appliance running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.

Licensing Requirements for the Unified Communication Wizard

To run the Unified Communication Wizard in ASDM, you require the following license:

Model           License Requirement
All models      Base License


However, to run each of the Unified Communications proxy features created by the wizard, you must have the appropriate Unified Communications Proxy licenses.

The Cisco Unified Communications proxy features supported by the adaptive security appliance require a Unified Communications Proxy license:

TLS proxy for encrypted voice inspection

Presence Federation Proxy

Cisco Intercompany Media Engine Proxy

See Licensing for Cisco Unified Communications Proxy Features for more information.


Note The Cisco Intercompany Media Engine Proxy does not appear as an option in the Unified Communication Wizard unless the license required for this proxy is installed on the adaptive security appliance.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in all modes (single context, multicontext, and transparent mode).

Firewall Mode Guidelines

Supported in routed firewall mode only.

IPv6 Guidelines

Supports IPv6 addresses.

Additional Guidelines and Limitations

Using the Unified Communication Wizard to create the Unified Communications proxies has the following limitations and requirements:

You must configure at least two interfaces on the adaptive security appliance to use the UC Wizard to configure a Unified Communications proxy.

For all Unified Communications proxies to function correctly, you must synchronize the clock on the adaptive security appliance and all servers associated with each proxy, such as the Cisco Unified Communication Manager server, the Cisco Mobility Advantage server, the Cisco Unified Presence server, and the Cisco Intercompany Media Engine server.

When you configure the Cisco Intercompany Media Engine Proxy for an off-path deployment, you must ensure that the public IP addresses and ports of the Cisco Unified Communications Manager servers and the public IP address for the media termination address are accessible from the Internet. The summary page of the Unified Communication Wizard reminds you of the requirements.

If the adaptive security appliance on which you configure the Cisco Mobility Advantage Proxy and the Cisco Presence Federation Proxy is located behind another firewall, you must ensure that the public IP addresses for the Cisco Mobility Advantage server and the Cisco Unified Presence server are accessible from the Internet.

If you use the Unified Communication Wizard to create the Presence Federation Proxy and the Cisco Intercompany Media Engine Proxy, you might be required to adjust the configuration of the access lists created automatically by the wizard for each proxy. See Chapter 47, "Configuring Cisco Unified Presence," and Chapter 48, "Configuring Cisco Intercompany Media Engine Proxy," respectively, for information about the access list requirements of each proxy.

Configuring the Mobility Advantage by using the Unified Communication Wizard


Note The Unified Communication Wizard is supported for the adaptive security appliance version 8.3(1) and later.


The Unified Communication wizard guides you through the steps to configure the Mobility Advantage proxy. Choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. Click the Cisco Mobility Advantage Proxy radio button under the Remote Access section.

When using the wizard to create the Mobility Advantage proxy, ASDM automatically creates the necessary TLS proxies, enables MMP inspection for the Mobility Advantage traffic, generates address translation (NAT) statements, and creates the access rules that are necessary to allow traffic between the Cisco Mobility Advantage server and the mobility clients.

The following steps provide the high-level overview for configuring the Mobility Advantage proxy:


Step 1 Specify settings to define the private and public network topology, such as the public and private network interfaces, and the IP addresses of the Cisco Mobility Advantage server. See Configuring the Topology for the Cisco Mobility Advantage Proxy.

Step 2 Configure the certificates that are exchanged between the Cisco Mobility Advantage server and the adaptive security appliance. See Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy.

Step 3 Configure the client-side certificate management, namely the certificates that are exchanged between the Unified Mobile Communicator clients and the adaptive security appliance. See Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy.


The wizard completes by displaying a summary of the configuration created for Mobility Advantage Proxy.

Configuring the Topology for the Cisco Mobility Advantage Proxy

When configuring the Mobility Advantage Proxy, you specify settings to define the private and public network topology, such as the private and public network interfaces, and the private and public IP addresses of the Cisco Mobility Advantage server.

The values that you specify in this page generate the following configuration settings for the Mobility Advantage Proxy:

Static PAT for the Cisco Mobility Advantage server

Static NAT for Cisco Unified Mobile Communicator clients if the Enable address translation for Mobility clients check box is checked.

Access lists to allow Cisco Unified Mobile Communicator clients to access the Cisco Mobility Advantage server


Step 1 In the Private Network area, choose the interface from the drop-down list.

Step 2 In the Unified MA Server area, enter the private and public IP address for the Cisco Mobility Advantage server. Entering ports for these IP addresses is optional. By default port number 5443 is entered, which is the default TCP port for MMP inspection.

Step 3 In the Public Network area, choose an interface from the drop-down list.

The proxy uses this interface for configuring static PAT for the Cisco Mobility Advantage server and the access lists to allow Cisco Unified Mobile Communicator clients to access the Cisco Mobility Advantage server.

Step 4 To configure whether address translation (NAT) is used by Cisco Unified Mobile Communicator clients, check the Enable address translation for Mobility clients check box and choose whether to use the IP address of the public interface or whether to enter an IP address.

Step 5 Click Next.


Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy

A trusted relationship between the adaptive security appliance and the Cisco UMA server can be established with self-signed certificates. The adaptive security appliance's identity certificate is exported, and then uploaded on the Cisco UMA server truststore. The Cisco UMA server certificate is downloaded, and then uploaded on the adaptive security appliance truststore.

The wizard supports using self-signed certificates only at this step.


Step 1 In the ASA's Identity Certificate area, click Generate and Export ASA's Identity Certificate.

An information dialog box appears indicating that the enrollment succeeded. In the Enrollment Status dialog box, click OK. The Export certificate dialog box appears.


Note If an identity certificate for the adaptive security appliance has already been created, the button in this area appears as Export ASA's Identity Certificate and the Export certificate dialog box immediately appears.

When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates.


Step 2 Export the identity certificate generated by the wizard for the adaptive security appliance. See Exporting an Identity Certificate.

Step 3 In the Unified MA Server's Certificate area, click Install Unified MA Server's Certificate. The Install Certificate dialog appears.

Step 4 Locate the file containing the Cisco Mobility Advantage server certificate or paste the certificate details in the dialog box. See Installing a Certificate.

Step 5 Click Next.



Note See the Cisco Mobility Advantage server documentation for information on how to export the certificate for this server.


Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy

To establish a trust relationship between the Cisco Unified Mobile Communicator (UMC) clients and the adaptive security appliance, the adaptive security appliance uses a CA-signed certificate that is configured with the Cisco Mobility Advantage server's FQDN (also referred to as certificate impersonation).

In the Client-Side Certificate Management page, you enter both the intermediate CA certificate (if applicable, as in the cases of Verisign) and the signed adaptive security appliance identity certificate.


Note If the adaptive security appliance already has a signed identity certificate, you can skip Step 1 in this procedure and proceed directly to Step 2.



Step 1 In the ASA's Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.

For information about specifying additional parameters for the certificate signing request (CSR), see Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy.

Information dialog boxes appear indicating that the wizard is delivering the settings to the adaptive security appliance and retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.

For information about saving the CSR that was generated and submitting it to a CA, see Saving the Identity Certificate Request.

Step 2 Click Install ASA's Identity Certificate. Install the certificate. See Installing the ASA Identity Certificate on the Mobility Advantage Server.

Step 3 Click Install Root CA's Certificate. The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate.

Step 4 Click Next.


The wizard completes by displaying a summary of the configuration created for Mobility Advantage Proxy.

Configuring the Presence Federation Proxy by using the Unified Communication Wizard


Note The Unified Communication Wizard is supported for the adaptive security appliance version 8.3(1) and later.


To configure the Cisco Unified Presence proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. From the first page, select the Cisco Unified Presence Proxy option under the Business-to-Business section.

When using the wizard to create the Cisco Presence Federation proxy, ASDM automatically creates the necessary TLS proxies, enables SIP inspection for the Presence Federation traffic, generates address translation (static PAT) statements for the local Cisco Unified Presence server, and creates access lists to allow traffic between the local Cisco Unified Presence server and remote servers.

The following steps provide the high-level overview for configuring the Presence Federation Proxy:


Step 1 Specify settings to define the private and public network topology, such as the private and public IP address of the Presence Federation server. See Configuring the Topology for the Cisco Presence Federation Proxy.

Step 2 Configure the local-side certificate management, namely the certificates that are exchanged between the local Unified Presence Federation server and the adaptive security appliance. See Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy.

Step 3 Configure the remote-side certificate management, namely the certificates that are exchanged between the remote server and the adaptive security appliance. See Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy.


The wizard completes by displaying a summary of the configuration created for the Presence Federation proxy.

Configuring the Topology for the Cisco Presence Federation Proxy

When configuring the Presence Federation Proxy, you specify settings to define the private and public network topology, such as the private and public network interfaces, and the private and public IP addresses of the Cisco Unified Presence server.

The values that you specify in this page generate the following configuration settings for the Presence Federation Proxy:

Static PAT for the local Cisco Unified Presence server

Access lists for traffic between the local Cisco Unified Presence server and remote servers


Step 1 In the Private Network area, choose the interface from the drop-down list.

Step 2 In the Unified Presence Server area, enter the private and public IP address for the Unified Presence server. Entering ports for these IP addresses is optional. By default port number 5061 is entered, which is the default TCP port for SIP inspection.

Step 3 In the Public Network area, choose the interface of the public network from the drop-down list. The proxy uses this interface for configuring static PAT for the local Cisco Unified Presence server and for configuring access lists to allow remote servers to access the Cisco Unified Presence server.

Step 4 Click Next.


Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy

Within an enterprise, setting up a trust relationship is achievable by using self-signed certificates. The wizard supports using self-signed certificates only at this step.


Step 1 In the ASA's Identity Certificate area, click Generate and Export ASA's Identity Certificate.

An information dialog box appears indicating that enrollment succeeded. In the Enrollment Status dialog box, click OK. The Export certificate dialog box appears.


Note If an identity certificate for the adaptive security appliance has already been created, the button in this area appears as Export ASA's Identity Certificate and the Export certificate dialog box immediately appears.

When using the wizard to configure the Cisco Presence Federation proxy, the wizard only supports installing self-signed certificates.


Step 2 Export the identity certificate generated by the wizard for the adaptive security appliance. See Exporting an Identity Certificate.

Step 3 In the Local Unified Presence Server's Certificate area, click Install Server's Certificate. The Install Certificate dialog appears.

Step 4 Locate the file containing the Cisco Unified Presence server certificate or paste the certificate details in the dialog box. See Installing a Certificate.

Step 5 Click Next.



Note See the Cisco Unified Presence server documentation for information on how to export the certificate for this server.


Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy

Establishing a trust relationship across enterprises or across administrative domains is key for federation. Across enterprises you must use a trusted third-party CA (such as VeriSign). The security appliance obtains a certificate with the FQDN of the Cisco Unified Presence server (certificate impersonation).

For the TLS handshake, the two entities, namely the local entity and a remote entity, could validate the peer certificate via a certificate chain to trusted third-party certificate authorities. The local entity and the remote entity enroll with the CAs. The adaptive security appliance as the TLS proxy must be trusted by both the local and remote entities. The security appliance is always associated with one of the enterprises. Within that enterprise, the entity and the security appliance authenticate each other by using a self-signed certificate.

To establish a trusted relationship between the security appliance and the remote entity, the security appliance can enroll with the CA on behalf of the Cisco Unified Presence server for the local entity. In the enrollment request, the local entity identity (domain name) is used.

To establish the trust relationship, the security appliance enrolls with the third party CA by using the Cisco Unified Presence server FQDN as if the security appliance is the Cisco Unified Presence server.


Note If the adaptive security appliance already has a signed identity certificate, you can skip Step 1 in this procedure and proceed directly to Step 2.



Step 1 In the ASA's Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.

For information about specifying additional parameters for the certificate signing request (CSR), see Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy.

Information dialog boxes appear indicating that the wizard is delivering the settings to the adaptive security appliance and retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.

For information about saving the CSR that was generated and submitting it to a CA, see Saving the Identity Certificate Request.

Step 2 Click Install ASA's Identity Certificate. See Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers.

Step 3 Click Remote Server's CA's Certificate. The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate.


Note You must install a root CA certificate for each remote entity that communicates with the adaptive security appliance because different organizations might be using different CAs.


Step 4 Click Next.


The wizard completes by displaying a summary of the configuration created for the Presence Federation proxy.

Configuring the UC-IME by using the Unified Communication Wizard


Note The Unified Communication Wizard is supported for the adaptive security appliance version 8.3(1) and later.


To configure the Cisco Intercompany Media Engine Proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. From the first page, select the Cisco Intercompany Media Engine Proxy option under the Business-to-Business section and click Next.


Note The Cisco Intercompany Media Engine Proxy does not appear as an option in the Unified Communication Wizard unless the license required for this proxy is installed on the adaptive security appliance.


When using the wizard to create the Cisco Intercompany Media Engine Proxy, ASDM automatically creates the necessary TLS proxies, enables SIP inspection for Cisco Intercompany Media Engine traffic, generates address translation (static PAT) statements for local Cisco Unified Communications Manager servers, and creates access lists to allow traffic between the local Cisco Unified Communications Manager servers and the remote servers.

The following steps provide the high-level overview for configuring the Cisco Intercompany Media Engine Proxy:


Step 1 Select the topology of the Cisco Intercompany Media Engine Proxy, namely whether the security appliance is an edge firewall with all Internet traffic flowing through it or whether the security appliance is off the path of the main Internet traffic (referred to as an off-path deployment). See Configuring the Topology for the Cisco Intercompany Media Engine Proxy.

Step 2 Specify private network settings such as the Cisco UCM IP addresses and the ticket settings. See Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy.

Step 3 Specify the public network settings. See Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy.

Step 4 Specify the media termination address settings of the Cisco UMC. See Configuring the Media Termination Address for the Cisco Intercompany Media Engine Proxy.

Step 5 Configure the local-side certificate management, namely the certificates that are exchanged between the local Cisco Unified Communications Manager servers and the security appliance. See Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy.

Step 6 Configure the remote-side certificate management, namely the certificates that are exchanged between the remote server and the adaptive security appliance. This certificate is presented to remote servers so that they can authenticate the adaptive security appliance as a trusted server. See Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy.


The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany Media Engine.

Configuring the Topology for the Cisco Intercompany Media Engine Proxy


Step 1 Select the topology of your ICME deployment by clicking one of the following radio buttons:

All Internet traffic flows through the ASA. This option is also referred to as a basic deployment.

This ASA is off the path of the regular Internet traffic. This option is also referred to as an off-path deployment.

Step 2 Click Next.


Basic Deployment

In a basic deployment, the Cisco Intercompany Media Engine Proxy sits in-line with the Internet firewall such that all Internet traffic traverses the adaptive security appliance. In this deployment, a single Cisco UCM or a Cisco UCM cluster is centrally deployed within the enterprise, along with a Cisco Intercompany Media Engine server (and perhaps a backup). A single Internet connection traverses the adaptive security appliance, which is enabled with the Cisco Intercompany Media Engine Proxy.

The adaptive security appliance sits on the edge of the enterprise and inspects SIP signaling by creating dynamic SIP trunks between enterprises.

Off-path Deployment

In an off-path deployment, inbound and outbound Cisco Intercompany Media Engine calls pass through an adaptive security appliance enabled with the Cisco Intercompany Media Engine Proxy. The adaptive security appliance is located in the DMZ and configured to support primarily Cisco Intercompany Media Engine. Normal Internet-facing traffic does not flow through this adaptive security appliance.

For all inbound calls, the signaling is directed to the adaptive security appliance because the destination Cisco UCMs are configured with the global IP address on the adaptive security appliance. For outbound calls, the called party could be any IP address on the Internet; therefore, the adaptive security appliance is configured with a mapping service that dynamically provides an internal IP address on the adaptive security appliance for each global IP address of the called party on the Internet.

Cisco UCM sends all outbound calls directly to the mapped internal IP address on the adaptive security appliance instead of the global IP address of the called party on the Internet. The adaptive security appliance then forwards the calls to the global IP address of the called party.


Note When you configure the Cisco Intercompany Media Engine for an off-path deployment, you must ensure that the public IP addresses and ports of the Cisco Unified Communications Manager servers and the public IP address for the media termination address are accessible from the Internet. The summary page of the Unified Communication Wizard reminds you of the requirements.
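The following is an added conceptual model of the off-path mapping service described above; it is an illustration written for this page, not Cisco's implementation or the appliance's configuration. It models the one-to-one relationship between a called party's global IP address and the internal address that Cisco UCM is given to dial, the reverse lookup the appliance needs to forward the call, and the listening-port rule stated in step 1b of the private network settings (TCP 1024 to 65535, default 8060). The address pool, addresses and port in the sample are constructed values.

```python
"""Conceptual model of the off-path mapping service (added illustration, not Cisco code)."""
import ipaddress

# Listening-port rule from the guide: 1024-65535, default TCP 8060.
MAPPING_PORT_DEFAULT = 8060
MAPPING_PORT_MIN, MAPPING_PORT_MAX = 1024, 65535


def validate_listening_port(port):
    """Return port if it is an acceptable mapping-service listening port, else raise."""
    if isinstance(port, bool) or not isinstance(port, int):
        raise ValueError(f"listening port must be an integer, got {port!r}")
    if not MAPPING_PORT_MIN <= port <= MAPPING_PORT_MAX:
        raise ValueError(
            f"listening port must be {MAPPING_PORT_MIN}-{MAPPING_PORT_MAX} "
            f"(ports below {MAPPING_PORT_MIN} are reserved for device services), got {port}"
        )
    return port


class MappingService:
    """Hands out one internal address per global called-party address.

    The same global address always maps back to the same internal address, so
    Cisco UCM gets a stable dial target for a given remote party, and the
    appliance can resolve that internal address to the real called party.
    """

    def __init__(self, internal_pool, listening_port=MAPPING_PORT_DEFAULT):
        self.listening_port = validate_listening_port(listening_port)
        # Hypothetical pool of internal addresses on the appliance (constructed).
        self._free = list(ipaddress.ip_network(internal_pool).hosts())
        self._global_to_internal = {}
        self._internal_to_global = {}

    def map_called_party(self, global_ip):
        """Outbound call: return the internal address UCM should dial for global_ip."""
        g = ipaddress.ip_address(global_ip)
        if g in self._global_to_internal:          # idempotent: reuse existing mapping
            return str(self._global_to_internal[g])
        if not self._free:
            raise RuntimeError("internal address pool exhausted")
        internal = self._free.pop(0)
        self._global_to_internal[g] = internal
        self._internal_to_global[internal] = g
        return str(internal)

    def forward_target(self, internal_ip):
        """Appliance side: resolve the internal address UCM dialled to the real called party."""
        i = ipaddress.ip_address(internal_ip)
        try:
            return str(self._internal_to_global[i])
        except KeyError:
            raise LookupError(f"no mapping exists for {i}") from None

    def release(self, global_ip):
        """Return a mapping's internal address to the pool once it is no longer needed."""
        g = ipaddress.ip_address(global_ip)
        internal = self._global_to_internal.pop(g)
        del self._internal_to_global[internal]
        self._free.append(internal)


if __name__ == "__main__":
    svc = MappingService("192.168.100.0/30")      # constructed two-host pool
    dial = svc.map_called_party("203.0.113.10")   # constructed remote party
    print("UCM dials", dial, "-> appliance forwards to", svc.forward_target(dial))
```

The pool size bounds how many distinct remote parties can have an active mapping at once; the `release` method shows why a mapping lifetime matters in such a design, since an exhausted pool means outbound calls to new parties cannot be placed.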


Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy

When configuring the Cisco Intercompany Media Engine Proxy, you specify settings to define the private network topology, such as the private network interface, the IP addresses of the Cisco Unified Communications servers, and ticket verification. Additionally, when the Cisco Unified Communications servers are operating in secure mode, you specify the X.509 subject name for the Cisco Intercompany Media Engine Proxy.

The values that you specify in this page generate the following configuration settings for the Cisco Intercompany Media Engine Proxy:

The list of Cisco Unified Communications servers

The ticket epoch and password used by the Cisco Intercompany Media Engine Proxy

For an off-path deployment only, the mapping service on the same interface as the Cisco Unified Communications server


Step 1 To configure the Cisco Intercompany Media Engine Proxy as part of a basic deployment, select the interface that connects to the local Cisco Unified Communications servers.

Or

To configure the Cisco Intercompany Media Engine Proxy as part of an off-path deployment, complete the following steps:

a. From the Listening Interface drop-down list, choose the interface on which the adaptive security appliance listens for the mapping requests.

b. In the Port field, enter a number between 1024 and 65535 as the TCP port on which the adaptive security appliance listens for the mapping requests. The port number must be 1024 or higher to avoid conflicts with other services on the device, such as Telnet or SSH. By default, the port number is TCP 8060.

c. From the UC-IME Interface drop-down list, choose the interface that the adaptive security appliance uses to connect to the remote adaptive security appliance that is enabled with the Cisco Intercompany Media Engine Proxy.


Note In a basic and an off-path deployment, all Cisco Unified Communications servers must be on the same interface.


Step 2 In the Unified CM Servers area, the wizard displays the private IP address, public IP address, and security mode of any Cisco Unified Communications server configured on the adaptive security appliance. If necessary, click Add to add a Cisco Unified Communications server. You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine that has a SIP trunk enabled.

Step 3 In the Ticket Epoch field, enter an integer from 1 to 255.

The epoch indicates the number of times that the password has changed. When you configure the proxy and enter a password for the first time, enter 1 for the epoch. You must increment the epoch each time you change the password, so that the new epoch value indicates the new password. Typically, you increment the epoch sequentially; however, the security appliance allows you to choose any value when you update the epoch.

If you change the epoch value, the current password is invalidated and you must enter a new password.

Step 4 In the Ticket Password field, enter a minimum of 10 and a maximum of 64 printable characters from the US-ASCII character set. The allowed characters are 0x21 to 0x73 inclusive; the space character is not allowed. The ticket password is stored in flash.


Note We recommend a password of at least 20 characters. Only one password can be configured at a time.


The epoch and password that you configure on the adaptive security appliance must match the epoch and password configured on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media Engine server documentation for information.

Step 5 In the Confirm Password field, reenter the password.

Step 6 In the X.509 Subject Name field, enter the distinguished name (DN) of the local enterprise. The name that you enter must match the name configured for the Cisco Unified Communications servers in the cluster. See the Cisco Unified Communications server documentation for information.

Step 7 Click Next.


Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy

You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine Proxy that has a SIP trunk enabled.


Step 1 Enter the private IP address and port number (in the range 5000-6000) for the Cisco UCM server.

Step 2 In the Address Translation area, enter the public IP address for the Cisco UCM server.

Step 3 If necessary, enter the port number for the public IP address by clicking the Translate address and port radio button and entering a number (in the range 5000-6000) in the Port field.

Step 4 In the Security Mode area, click the Secure or Non-secure radio button. Specifying Secure for a Cisco UCM or Cisco UCM cluster indicates that the Cisco UCM or Cisco UCM cluster initiates TLS.

If you specify that some of the Cisco UCM servers are operating in secure mode, the Unified Communications Wizard includes a step in the proxy configuration to generate certificates for the local-side communication between the adaptive security appliance and that Cisco UCM server. See Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy.

Step 5 Click OK.


Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy

The public network configuration depends on the deployment scenario you selected in the topology step of this wizard. Specifically, when you are configuring the UC-IME proxy as part of an off-path deployment, this step of the wizard displays fields for address translation, requiring that you specify the private IP address for the UC-IME proxy. Specifying this private IP address translates IP addresses for inbound traffic.

In an off-path deployment, any existing adaptive security appliance that you have deployed in your environment is not capable of transmitting Cisco Intercompany Media Engine traffic. Therefore, off-path signaling requires that outside addresses translate to an inside (private) IP address. The inside interface address can be used for this mapping service configuration. For the Cisco Intercompany Media Engine Proxy, the adaptive security appliance creates dynamic mappings for external addresses to the internal IP address.

The values that you specify in this page generate the following configuration settings for the Cisco Intercompany Media Engine Proxy:

Static PAT for the Cisco Unified Communications servers

Access lists for traffic between the local and the remote servers


Step 1 In the Configure public network area, choose an interface from the Interface drop-down list.

Step 2 When configuring an off-path deployment, in the Address Translation area, specify whether to use the private IP address for the public network.

Or

Click the Specify IP address radio button and enter an IP address in the field.

Step 3 Click Next.


Configuring the Media Termination Address for the Cisco Intercompany Media Engine Proxy

The data from this step generates the MTA instance to be added to the UC-IME proxy.

For the UC-IME proxy to be fully functional, you must ensure that the public IP address for the media termination address (MTA) is accessible from the Internet. The summary page of the Unified Communication Wizard reminds you of this requirement.

The MTA IP addresses that you specify must meet specific requirements. See Media Termination Instance Prerequisites for information.


Step 1 In the field for the private IP address, enter the private IP address for the MTA. The IP address of the MTA must be within the same subnet as the private interface IP address. The correct subnet range is provided to the right of the field for the private IP address.

Step 2 In the field for the public IP address, enter the public IP address for the MTA. The IP address of the MTA must be within the same subnet as the public interface IP address. The correct subnet range is provided to the right of the field for the public IP address.

Step 3 Click Next.


Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy

Completing this step of the wizard generates a self-signed certificate for the adaptive security appliance. The server proxy certificate is automatically generated using the subject name provided in an earlier step of this wizard.

The wizard supports using self-signed certificates only.

A trusted relationship between the adaptive security appliance and the Cisco UMA server can be established with self-signed certificates. The security appliance and the Cisco UCMs use these certificates to authenticate each other during TLS handshakes.

The adaptive security appliance's identity certificate is exported and then needs to be installed on each Cisco Unified Communications Manager (UCM) server in the cluster with the proxy, and each identity certificate from the Cisco UCMs needs to be installed on the security appliance.

This step in the Unified Communications Wizard only appears when the UC-IME proxy that you are creating has at least one secure Cisco Unified Communications Manager server defined. See Configuring the Topology for the Cisco Intercompany Media Engine Proxy for information.


Step 1 In the ASA's Identity Certificate area, click Generate and Export ASA's Identity Certificate.

Information dialog boxes appear indicating that the enrollment succeeded. In the Enrollment Status dialog box, click OK. The Export certificate dialog box appears.


Note If an identity certificate for the adaptive security appliance has already been created, the button in this area appears as Export ASA's Identity Certificate and the Export certificate dialog box immediately appears.

When using the wizard to configure the Cisco Intercompany Media Engine Proxy, the wizard only supports installing self-signed certificates.


Step 2 Export the identity certificate generated by the wizard for the adaptive security appliance. See Exporting an Identity Certificate.

Step 3 In the Local Unified CM's Certificate area, click Install Local Unified CM's Certificate. The Install Certificate dialog appears.

Step 4 Locate the file containing the certificate from the Cisco Unified Communications Manager server or paste the certificate details in the dialog box. See Installing a Certificate. You must install the certificate from each Cisco Unified Communications Manager server in the cluster.

Step 5 Click Next.



Note See the Cisco Intercompany Media Engine server documentation for information on how to export the certificate for this server.


Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy

Establishing a trust relationship across enterprises or across administrative domains is key. Across enterprises, you must use a trusted third-party CA (such as VeriSign). The adaptive security appliance obtains a certificate with the FQDN of the Cisco Unified Communications Manager server (certificate impersonation).

For the TLS handshake, the two entities could validate the peer certificate via a certificate chain to trusted third-party certificate authorities. Both entities enroll with the CAs. The adaptive security appliance as the TLS proxy must be trusted by both entities. The adaptive security appliance is always associated with one of the enterprises. Within that enterprise, the entity and the adaptive security appliance could authenticate each other via a local CA, or by using self-signed certificates.

To establish a trusted relationship between the adaptive security appliance and the remote entity, the adaptive security appliance can enroll with the CA on behalf of the local enterprise. In the enrollment request, the local Cisco UCM identity (domain name) is used.

To establish the trust relationship, the adaptive security appliance enrolls with the third party CA by using the Cisco Unified Communications Manager server FQDN as if the security appliance is the Cisco UCM.


Note If the adaptive security appliance already has a signed identity certificate, you can skip Step 1 in this procedure and proceed directly to Step 3.



Step 1 In the ASA's Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.

For information about specifying additional parameters for the certificate signing request (CSR), see Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy.

Information dialog boxes appear indicating that the wizard is delivering the settings to the adaptive security appliance and retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.

For information about saving the CSR that was generated and submitting it to a CA, see Saving the Identity Certificate Request.

Step 2 In the ASA's Identity Certificate area, click Install ASA's Identity Certificate. See Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers.

Step 3 In the Remote Server's CA's Certificate area, click Install Remote Server's CA's Certificate. Installing the root certificates of the CA for the remote servers is necessary so that the adaptive security appliance can determine that the remote servers are trusted.

The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate.


Note You must install the root certificates only when the root certificates for the remote servers are received from a CA other than the one that provided the identity certificate for the adaptive security appliance.


Step 4 Click Next.


The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany Media Engine.

Working with Certificates in the Unified Communication Wizard

This section includes the following topics:

Exporting an Identity Certificate

Installing a Certificate

Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy

Saving the Identity Certificate Request

Installing the ASA Identity Certificate on the Mobility Advantage Server

Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers

Exporting an Identity Certificate

The Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, and Cisco Intercompany Media Engine Proxy require that you export the adaptive security appliance identity certificate and install it on the Cisco Mobility Advantage server, Cisco Presence Federation server, or Cisco Unified Communications server, respectively.

You use the wizard to export a self-signed identity certificate. The identity certificate has all associated keys and is in PKCS12 format, which is the public key cryptography standard. When configuring a Unified Communications proxy by using the wizard, you click the Generate and Export ASA's Identity Certificate button while in the local-side or server-side certificate management step of the wizard. The Export certificate dialog box appears.

From the Export certificate dialog box, perform these steps:


Step 1 Enter the name of the PKCS12 format file to use in exporting the certificate configuration. Alternatively, click Browse to display the Export ID Certificate File dialog box to find the file to which you want to export the certificate configuration.

Step 2 Click Export Certificate to export the certificate configuration.


An information dialog box appears informing you that the certificate configuration file has been successfully exported to the location that you specified.

After you complete the configuration of the Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, or Cisco Intercompany Media Engine Proxy, you must import the generated adaptive security appliance identity certificate into the Cisco Mobility Advantage server, Cisco Presence Federation server, or Cisco Unified Communications server, respectively, depending on which proxy you are configuring.

See the documentation for each of these products for information about importing an identity certificate.

Installing a Certificate

When configuring certificates for the Cisco Mobility Advantage Proxy, the Cisco Presence Federation Proxy, and Cisco Intercompany Media Engine Proxy, you must install the certificates from the Cisco Mobility Advantage server, Cisco Presence Federation server, and Cisco Unified Communications Manager servers, respectively, on the adaptive security appliance. See the documentation for each of these products for information about obtaining the identity certificates from each.

Additionally, when configuring the Cisco Mobility Advantage Proxy, you use the Install Certificate dialog box to install the root certificate received from the certificate authority. The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the adaptive security appliance to authenticate your signed identity certificate received from the certificate authority.


Note When using the wizard to configure the Unified Communications proxies, the wizard only supports installing self-signed certificates.


From the Install Certificate dialog box, perform these steps:


Step 1 Perform one of the following actions:

To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.

To enroll manually, click the Paste certificate in PEM format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 2 Click Install Certificate.


An information dialog box appears informing you that the certificate was installed on the adaptive security appliance successfully.

Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy

When configuring certificates for the Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, or Cisco Intercompany Media Engine Proxy, you must generate an identity certificate request for the adaptive security appliance.


Note If the adaptive security appliance already has a signed identity certificate, you do not need to generate a CSR and can proceed directly to installing this certificate on the adaptive security appliance. See Installing the ASA Identity Certificate on the Mobility Advantage Server and Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers for the steps to install the identity certificate.


The identity certificate that you receive is presented to the following entities for each of the Unified Communication Proxies:

Unified Mobile Communicator clients for the Cisco Mobility Advantage Proxy

Remote Presence Federation servers for the Cisco Presence Federation Proxy

The remote adaptive security appliance for the Cisco Intercompany Media Engine Proxy

Before generating the CSR, you can enter additional parameters.

When configuring a Unified Communications proxy by using the wizard, you click the Generate CSR button while in the client-side or remote-side certificate management step of the wizard. The CSR Parameters dialog box appears.

In the CSR Parameters dialog box, perform the following steps:


Step 1 From the Key Pair Size drop-down list, choose the size required for your certificate.

The key size that you select depends on the level of security that you want to configure and on any limitations imposed by the CA from which you are obtaining the certificate. The larger the number that you select, the higher the security level will be for the certificate. Most CAs recommend a key modulus size of 2048; GoDaddy requires a key modulus size of 2048.

Step 2 In the first field of the Certificate Subject DN section, enter the domain name used by your enterprise or network.


Note The domain name that you configure for the Cisco Intercompany Media Engine Proxy must match the domain name that is set in the local Cisco Unified Communications Manager server; for example, cisco.com. The fully qualified domain name (FQDN) that you configure for the Cisco Mobility Advantage Proxy and Cisco Presence Federation Proxy must match the FQDN set in the Cisco Mobility Advantage server and Cisco Unified Presence server, respectively; for example, myhost.cisco.com.


Step 3 In the Additional DN Attributes field, enter an attribute.

Or

Click Select to display the Additional DN Attributes dialog box.

a. In the Additional DN Attributes dialog box, choose an attribute from the drop-down list.

b. Enter a value for the attribute.

c. Click Add. The attribute appears in the list.

d. Click OK to return to the CSR Parameters dialog box.

The value you added appears in the Additional DN Attributes field in the CSR Parameters dialog box.

Step 4 Click OK.


Saving the Identity Certificate Request

After successfully generating the identity certificate request for one of the Unified Communications proxies, the Identity Certificate Request dialog box appears and prompts you to save the request.


Step 1 In the Save CSR to File field, enter the CSR file name and path; for example, c:\asa-csr.txt.

Step 2 Click OK. An information dialog box appears indicating the CSR was saved successfully.

Step 3 Click OK to close the dialog and return to the wizard.


Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website.

When the CA returns the signed identity certificate, rerun the Unified Communications Wizard. From the client-side or remote-side certificate management step of the wizard, click Install ASA's Identity Certificate. See Installing the ASA Identity Certificate on the Mobility Advantage Server and Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers for the steps to install the identity certificate.

Installing the ASA Identity Certificate on the Mobility Advantage Server

When configuring certificates for the Cisco Mobility Advantage Proxy, you must install the adaptive security appliance identity certificate on the Cisco Mobility Advantage server.

Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority's certificate (referred to as the root certificate). However, some certificate authorities (for example, VeriSign) might also send you an intermediate certificate.

The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the adaptive security appliance to authenticate your signed identity certificate received from the certificate authority.

If the certificate authority provided an intermediate certificate, you must enter the certificate text in the Intermediate Certificate (If Applicable) area of the Install ASA's Identity Certificate dialog box.

For the Cisco Mobility Advantage Proxy, you install the root certificate in another dialog box. See Installing a Certificate for the steps to install the root certificate.


Step 1 In the Intermediate Certificate (If Applicable) area, perform one of the following actions:

To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.

To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 2 In the ASA's Identity Certificate area, perform one of the following actions:

To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.

To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 3 Click Install Certificate.


Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers

When configuring certificates for the Cisco Presence Federation Proxy and Cisco Intercompany Media Engine Proxy, you must install the adaptive security appliance identity certificate and the root certificate on the Cisco Presence Federation server and Cisco Intercompany Media Engine server, respectively.

Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority's certificate (referred to as the root certificate). The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the adaptive security appliance to authenticate your signed identity certificate received from the certificate authority.


Step 1 In the Root CA's Certificate area, perform one of the following actions:

To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.

To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 2 In the ASA's Identity Certificate area, perform one of the following actions:

To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.

To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 3 Click Install Certificate.