ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide, 7.1
Configuring the TLS Proxy for Encrypted Voice Inspection
Downloads: This chapterpdf (PDF - 211.0KB) The complete bookPDF (PDF - 14.7MB) | The complete bookePub (ePub - 7.44MB) | The complete bookMobi (Mobi - 7.36MB) | Feedback

Table of Contents

Configuring the TLS Proxy for Encrypted Voice Inspection

Information about the TLS Proxy for Encrypted Voice Inspection

Decryption and Inspection of Unified Communications Encrypted Signaling

Supported Cisco UCM and IP Phones for the TLS Proxy

Licensing for the TLS Proxy

Prerequisites for the TLS Proxy for Encrypted Voice Inspection

Configuring the TLS Proxy for Encrypted Voice Inspection

CTL Provider

Add/Edit CTL Provider

Configure TLS Proxy Pane

Adding a TLS Proxy Instance

Add TLS Proxy Instance Wizard – Server Configuration

Add TLS Proxy Instance Wizard – Client Configuration

Add TLS Proxy Instance Wizard – Other Steps

Edit TLS Proxy Instance – Server Configuration

Edit TLS Proxy Instance – Client Configuration

TLS Proxy

Add/Edit TLS Proxy

Feature History for the TLS Proxy for Encrypted Voice Inspection

Configuring the T LS Proxy for Encrypted Voice Inspection

This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection feature.

This chapter includes the following sections:

Information about the TLS Proxy for Encrypted Voice Inspection

End-to-end encryption often leaves network security appliances “blind” to media and signaling traffic, which can compromise access control and threat prevention security functions. This lack of visibility can result in a lack of interoperability between the firewall functions and the encrypted voice, leaving businesses unable to satisfy both of their key security requirements.

The ASA is able to intercept and decrypt encrypted signaling from Cisco encrypted endpoints to the Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and access control. It can also ensure confidentiality by re-encrypting the traffic onto the Cisco UCM servers.

Typically, the ASA TLS Proxy functionality is deployed in campus unified communications network. This solution is ideal for deployments that utilize end to end encryption and firewalls to protect Unified Communications Manager servers.

The security appliance in Figure 18-1 serves as a proxy for both client and server, with Cisco IP Phone and Cisco UCM interaction.

Figure 18-1 TLS Proxy Flow

 

Decryption and Inspection of Unified Communications Encrypted Signaling

With encrypted voice inspection, the security appliance decrypts, inspects and modifies (as needed, for example, performing NAT fixup), and re-encrypts voice signaling traffic while all of the existing VoIP inspection functions for Skinny and SIP protocols are preserved. Once voice signaling is decrypted, the plaintext signaling message is passed to the existing inspection engines.

The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco UCM. The proxy is transparent for the voice calls between the phone and theCisco UCM. Cisco IP Phones download a Certificate Trust List from the Cisco UCM before registration which contains identities (certificates) of the devices that the phone should trust, such as TFTP servers and Cisco UCM servers. To support server proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs. To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority on the security appliance.

TLS proxy is supported by the Cisco Unified CallManager Release 5.1 and later. You should be familiar with the security features of the Cisco UCM. For background and detailed description of Cisco UCM security, see the Cisco Unified CallManager document:

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_0/sec_vir/ae/sec504/index.htm

TLS proxy applies to the encryption layer and must be configured with an application layer protocol inspection. You should be familiar with the inspection features on the ASA, especially Skinny and SIP inspection.

Supported Cisco UCM and IP Phones for the TLS Proxy

Cisco Unified Communications Manager

The following releases of the Cisco Unified Communications Manager are supported with the TLS proxy:

  • Cisco Unified CallManager Version 4. x
  • Cisco Unified CallManager Version 5.0
  • Cisco Unified CallManager Version 5.1
  • Cisco Unified Communications Manager 6.1
  • Cisco Unified Communications Manager 7.0
  • Cisco Unified Communications Manager 8.0

Cisco Unified IP Phones

The following IP phones in the Cisco Unified IP Phones 7900 Series are supported with the TLS proxy:

  • Cisco Unified IP Phone 7985
  • Cisco Unified IP Phone 7975
  • Cisco Unified IP Phone 7971
  • Cisco Unified IP Phone 7970
  • Cisco Unified IP Phone 7965
  • Cisco Unified IP Phone 7962
  • Cisco Unified IP Phone 7961
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7960
  • Cisco Unified IP Phone 7945
  • Cisco Unified IP Phone 7942
  • Cisco Unified IP Phone 7941
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7940
  • Cisco Unified Wireless IP Phone 7921
  • Cisco Unified Wireless IP Phone 7925
  • Cisco IP Communicator (CIPC) for softphones

Licensing for the TLS Proxy

The TLS proxy for encrypted voice inspection feature supported by the ASA require a Unified Communications Proxy license.

The following table shows the Unified Communications Proxy license details by platform:


NoteThis feature is not available on No Payload Encryption models.


 

Model
License Requirement 1

ASA 5505

Base License and Security Plus License: 2 sessions.

Optional license: 24 sessions.

ASA 5510

Base License and Security Plus License: 2 sessions.

Optional licenses: 24, 50, or 100 sessions.

ASA 5520

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.

ASA 5540

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.

ASA 5550

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.

ASA 5580

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions.2

ASA 5512-X

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, or 500 sessions.

ASA 5515-X

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, or 500 sessions.

ASA 5525-X

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.

ASA 5545-X

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.

ASA 5555-X

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.

ASA 5585-X with SSP-10

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.

ASA 5585-X with SSP-20, -40, or -60

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. 2

ASASM

Base License: 2 sessions.

Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. 2

1.The following applications use TLS proxy sessions for their connections. Each TLS proxy session used by these applications (and only these applications) is counted against the UC license limit:
- Phone Proxy
- Presence Federation Proxy
- Encrypted Voice Inspection

Other applications that use TLS proxy sessions do not count towards the UC limit, for example, Mobility Advantage Proxy (which does not require a license) and IME (which requires a separate IME license).

Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.

You independently set the TLS proxy limit using the Configuration > Firewall > Unified Communications > TLS Proxy pane. When you apply a UC license that is higher than the default TLS proxy limit, the ASA automatically sets the TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license limit; if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the sessions in your UC license.

Note: For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are limited to 1000. For license part numbers ending in “K9” (for example, licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.

Note: If you clear the configuration, then the TLS proxy limit is set to the default for your model; if this default is lower than the UC license limit, then you see an error message to use the to raise the limit again (in ASDM, use the TLS Proxy pane). If you use failover and use File > Save Running Configuration to Standby Unit on the primary unit to force a configuration synchronization, the clear configure all command is generated on the secondary unit automatically, so you may see the warning message on the secondary unit. Because the configuration synchronization restores the TLS proxy limit set on the primary unit, you can ignore the warning.

You might also use SRTP encryption sessions for your connections:
- For K8 licenses, SRTP sessions are limited to 250.
- For K9 licenses, there is not limit.

Note: Only calls that require encryption/decryption for media are counted towards the SRTP limit; if passthrough is set for the call, even if both legs are SRTP, they do not count towards the limit.

2.With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Table 18-1 shows the default and maximum TLS session details by platform.

 

Table 18-1 Default and Maximum TLS Sessions on the Security Appliance

Security Appliance Platform
Default TLS Sessions
Maximum TLS Sessions

ASA 5505

10

80

ASA 5510

100

200

ASA 5520

300

1200

ASA 5540

1000

4500

ASA 5550

2000

4500

ASA 5580

4000

13,000

For more information about licensing, see “Managing Feature Licenses,” in the general operations configuration guide.

Prerequisites for the TLS Proxy for Encrypted Voice Inspection

Before configuring TLS proxy, the following prerequisites are required:

  • You must set clock on the security appliance before configuring TLS proxy. To set the clock manually and display clock, use the clock set and show clock commands. We recommend that the security appliance use the same NTP server as the Cisco Unified CallManager cluster. TLS handshake may fail due to certificate validation failure if clock is out of sync between the security appliance and the Cisco Unified CallManager server.
  • 3DES-AES license is needed to interoperate with the Cisco Unified CallManager. AES is the default cipher used by the Cisco Unified CallManager and Cisco IP Phone.
  • Import the following certificates which are stored on the Cisco UCM. These certificates are required by the ASA for the phone proxy.

Cisco_Manufacturing_CA

CAP-RTP-001

CAP-RTP-002

CAPF certificate (Optional)

If LSC provisioning is required or you have LSC enabled IP phones, you must import the CAPF certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you must import all of them to the ASA.

See Chapter17, “Configuring the Cisco Phone Proxy”For example, the CA Manufacturer certificate is required by the phone proxy to validate the IP phone certificate.

CTL Provider

Use the CTL Provider option to configure Certificate Trust List provider service.

The CTL Provider pane lets you define and configure Certificate Trust List provider service to enable inspection of encrypted traffic.

Fields

  • CTL Provider Name—Lists the CTL Provider name.
  • Client Details—Lists the name and IP address of the client.

Interface Name—Lists the defined interface name.

IP Address—Lists the defined interface IP address.

  • Certificate Name—Lists the certificate to be exported.
  • Add—Adds a CTL Provider.
  • Edit—Edits a CTL Provider.
  • Delete—Deletes a CTL Provider.

Add/Edit CTL Provider

The Add/Edit CTL Provider dialog box lets you define the parameters for the CTL Provider.

Fields

  • CTL Provider Name—Specifies the CTL Provider name.
  • Certificate to be Exported—Specifies the certificate to be exported to the client.

Certificate Name—Specifies the name of the certificate to be exported to the client.

Manage—Manages identity certificates.

  • Client Details—Specifies the clients allowed to connect.

Client to be Added—Specifies the client interface and IP address to add to the client list.

Interface—Specifies client interface.

IP Address—Specifies the client IP address.

Add—Adds the new client to the client list.

Delete—Deletes the selected client from the client list.

  • More Options—Specifies the available and active algorithms to be announced or matched during the TLS handshake.

Parse the CTL file provided by the CTL Client and install trustpoints—Trustpoints installed by this option have names prefixed with “_internal_CTL_.” If disabled, each Call Manager server and CAPF certificate must be manually imported and installed.

Port Number—Specifies the port to which the CTL provider listens. The port must be the same as the one listened to by the CallManager servers in the cluster (as configured under Enterprise Parameters on the CallManager administration page). The default is 2444.

Authentication—Specifies the username and password that the client authenticates with the provider.

Username—Client username.

Password—Client password.

Confirm Password—Client password.

 

Configure TLS Proxy Pane


NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.


You can configure the TLS Proxy from the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Configuring a TLS Proxy lets you use the TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and enable the ASA for the Cisco Unified Communications features:

  • TLS Proxy for the Cisco Unified Presence Server (CUPS), part of Presence Federation
  • TLS Proxy for the Cisco Unified Mobility Advantage (CUMA) server, part of Mobile Advantage
  • Phone Proxy

Fields

  • TLS Proxy Name—Lists the TLS Proxy name.
  • Server Proxy Certificate—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.
  • Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server dynamic certificates.
  • Client Proxy Certificate—Lists the proxy certificate for the TLS client. The ASA uses the client proxy certificate to authenticate the TLS client during the handshake between the proxy and the TLS client. The certificate can be either self-signed, enrolled with a certificate authority, or issued by the third party.
  • Add—Adds a TLS Proxy by launching the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance for the steps to create a TLS Proxy instance.
  • Edit—Edits a TLS Proxy. The fields in the Edit panel area identical to the fields displayed when you add a TLS Proxy instance. See Edit TLS Proxy Instance – Server Configuration and Edit TLS Proxy Instance – Client Configuration.
  • Delete—Deletes a TLS Proxy.
  • Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.

Specify the maximum number of TLS Proxy sessions that the ASA needs to support.

Maximum number of sessions—The minimum is 1. The maximum is dependent on the platform:

Cisco ASA 5505 security appliance: 10

Cisco ASA 5510 security appliance: 100

Cisco ASA 5520 security appliance: 300

Cisco ASA 5540 security appliance: 1000

Cisco ASA 5550 security appliance: 2000

Cisco ASA 5580 security appliance: 4000


Note The maximum number of sessions is global to all TLS proxy sessions.


Adding a TLS Proxy Instance


NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.


Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.

This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.


Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 2 To add a new TLS Proxy Instance, click Add .

The Add TLS Proxy Instance Wizard opens.

Step 3 In the TLS Proxy Name field, type the TLS Proxy name.

Step 4 Click Next .

The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens. In this step of the wizard, configure the server proxy parameters for original TLS Server—the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage (CUMA) server. See Add TLS Proxy Instance Wizard – Server Configuration.

After configuring the server proxy parameters, the wizard guides you through configuring client proxy parameters (see Add TLS Proxy Instance Wizard – Client Configuration) and provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps).


 

Add TLS Proxy Instance Wizard – Server Configuration


NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.


Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.

The Add TLS Proxy Instance Wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.


Step 1 Complete the first step of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance.

The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens.

Step 2 Specify the server proxy certificate by doing one of the following:

    • To add a new certificate, click Manage . The Manage Identify Certificates dialog box opens.

When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identify Certificates dialog box. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.

    • To select an existing certificate, select one from the drop-down list.

When you are configuring the TLS Proxy for the Phone Proxy, select the certificate that has a filename beginning with _internal_PP_ . When you create the CTL file for the Phone Proxy, the ASA, creates an internal trustpoint used by the Phone Proxy to sign the TFTP files. The trustpoint is named _internal_PP_ ctl-instance_filename .

The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example, for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with the IP phones.

Step 3 To install the TLS server certificate in the ASA trust store, so that the ASA can authenticate the TLS server during TLS handshake between the proxy and the TLS server, click Install TLS Server’s Certificate .

The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section in the general operations configuration guide. Click Add to open the Install Certificate dialog box. See the “Adding or Installing a CA Certificate” section in the general operations configuration guide.

When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP phones on behalf of the CUCM server.

Step 4 To require the ASA to present a certificate and authenticate the TLS client during TLS handshake, check the Enable client authentication during TLS Proxy handshake check box.

When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), disable the check box when the client is incapable of sending a client certificate.

Step 5 Click Next .

The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens. In this step of the wizard, configure the client proxy parameters for original TLS Client—the CUMC client for Mobile Advantage, CUP or MS LCS/OCS client for Presence Federation, or the IP phone for the Phone Proxy. See Add TLS Proxy Instance Wizard – Client Configuration.

After configuring the client proxy parameters, the wizard provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps).


 

Add TLS Proxy Instance Wizard – Client Configuration


NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.


Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.

This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.


Step 1 Complete the first two steps of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance and Add TLS Proxy Instance Wizard – Client Configuration.

The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.

Step 2 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option when the client proxy certificate is being used between two servers; for example, when configuring the TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS client and TLS server are both servers.

a. Check the Specify the proxy certificate for the TLS Client... check box.

b. Select a certificate from the drop-down list.

Or

To create a new client proxy certificate, click Manage . The Manage Identify Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.


NoteWhen you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate authority to issue client or server dynamic certificates.


Step 3 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS clients.

a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.

b. Click the Certificates radio button and select a self-signed certificate from the drop-down list or click Manage to create a new LDC Issuer. The Manage Identify Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.

Or

Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA server, click Manage . The Edit CA Server Settings dialog box opens. See the “Authenticating Using the Local CA” section in the general operations configuration guide.


Note To make configuration changes after the local certificate authority has been configured for the first time, disable the local certificate authority.


c. In the Key-Pair Name field, select a key pair from the drop-list. The list contains the already defined RSA key pair used by client dynamic certificates. To see the key pair details, including generation time, usage, modulus size, and key data, click Show .

Or

To create a new key pair, click New . The Add Key Pair dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide for details about the Key Pair fields.

Step 4 In the Security Algorithms area, specify the available and active algorithms to be announced or matched during the TLS handshake.

  • Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.

Add—Adds the selected algorithm to the active list.

Remove—Removes the selected algorithm from the active list.

  • Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting as a TLS client to the server), the user-defined algorithms replace the original ones from the hello message for asymmetric encryption method between the two TLS legs. For example, the leg between the proxy and Call Manager may be NULL cipher to offload the Call Manager.

Move Up—Moves an algorithm up in the list.

Move Down—Moves an algorithm down in the list.

Step 5 Click Next .

The Add TLS Proxy Instance Wizard – Other Steps dialog box opens. The Other Steps dialog box provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps).


 

Add TLS Proxy Instance Wizard – Other Steps


NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.


The last dialog box of the Add TLS Proxy Instance Wizard specifies the additional steps required to make TLS Proxy fully functional. In particular, you need to perform the following tasks to complete the TLS Proxy configuration:

  • Export the local CA certificate or LDC Issuer and install them on the original TLS server.

To export the LDC Issuer, go to Configuration > Firewall > Advanced > Certificate Management > Identity Certificates > Export. See the “Exporting an Identity Certificate” section in the general operations configuration guide.

  • For the TLS Proxy, enable Skinny and SIP inspection between the TLS server and TLS clients. See SIP Inspection and Skinny (SCCP) Inspection. When you are configuring the TLS Proxy for Presence Federation (which uses CUP), you only enable SIP inspection because the feature supports only the SIP protocol.
  • For the TLS Proxy for CUMA, enable MMP inspection.
  • When using the internal Certificate Authority of the ASA to sign the LDC Issuer for TLS clients, perform the following:

Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL file on the ASA.

For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in Cisco Unified CallManager Security Guide .

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/5_0_4/secuauth.html

To install the CTL file on the ASA, go to Configuration > Firewall > Unified Communications > CTL Provider > Add. The Add CTL Provider dialog box opens. For information on using this dialog box to install the CTL file, see Add/Edit CTL Provider.

Create a CTL provider instance for connections from the CTL clients. See Add/Edit CTL Provider.

Edit TLS Proxy Instance – Server Configuration


NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.


The TLS Proxy enables inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.

Use the Edit TLS Proxy – Server Configuration tab to edit the server proxy parameters for the original TLS Server—the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage (CUMA) server.


Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 2 To edit a TLS Proxy Instance, click Edit .

The Edit TLS Proxy Instance dialog box opens.

Step 3 If necessary, click the Server Configuration tab.

Step 4 Specify the server proxy certificate by doing one of the following:

    • To add a new certificate, click Manage . The Manage Identify Certificates dialog box opens.

When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identify Certificates dialog box. See the “Configuring CA Certificate Authentication” section in the general operations configuration guide.

    • To select an existing certificate, select one from the drop-down list.

When you are configuring the TLS Proxy for the Phone Proxy, select the certificate that has a filename beginning with _internal_PP_ . When you create the CTL file for the Phone Proxy, the ASA, creates an internal trustpoint used by the Phone Proxy to sign the TFTP files. The trustpoint is named _internal_PP_ ctl-instance_filename .

The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example, for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with the IP phones.

Step 5 To install the TLS server certificate in the ASA trust store, so that the ASA can authenticate the TLS server during TLS handshake between the proxy and the TLS server, click Install TLS Server’s Certificate .

The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section in the general operations configuration guide. Click Add to open the Install Certificate dialog box. See the “Configuring CA Certificate Authentication” section in the general operations configuration guide.

When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP phones on behalf of the CUCM server.

Step 6 To require the ASA to present a certificate and authenticate the TLS client during TLS handshake, check the Enable client authentication during TLS Proxy handshake check box.

When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), disable the check box when the client is incapable of sending a client certificate.

Step 7 Click Apply to save the changes.


 

Edit TLS Proxy Instance – Client Configuration


NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.


The TLS Proxy enables inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.

The fields in the Edit TLS Proxy dialog box are identical to the fields displayed when you add a TLS Proxy instance. Use the Edit TLS Proxy – Client Configuration tab to edit the client proxy parameters for the original TLS Client, such as IP phones, CUMA clients, the Cisco Unified Presence Server (CUPS), or the Microsoft OCS server.


Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 2 To edit a TLS Proxy Instance, click Edit .

The Edit TLS Proxy Instance dialog box opens.

Step 3 If necessary, click the Client Configuration tab.

Step 4 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option when the client proxy certificate is being used between two servers; for example, when configuring the TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS client and TLS server are both servers.

a. Check the Specify the proxy certificate for the TLS Client... check box.

b. Select a certificate from the drop-down list.

Or

To create a new client proxy certificate, click Manage . The Manage Identify Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.


NoteWhen you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate authority to issue client or server dynamic certificates.


Step 5 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS clients.

a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.

b. Click the Certificates radio button and select a self-signed certificate from the drop-down list or click Manage to create a new LDC Issuer. The Manage Identify Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.

Or

Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA server, click Manage . The Edit CA Server Settings dialog box opens. See the “Authenticating Using the Local CA” section in the general operations configuration guide.


Note To make configuration changes after the local certificate authority has been configured for the first time, disable the local certificate authority.


c. In the Key-Pair Name field, select a key pair from the drop-list. The list contains the already defined RSA key pair used by client dynamic certificates. To see the key pair details, including generation time, usage, modulus size, and key data, click Show .

Or

To create a new key pair, click New . The Add Key Pair dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide for details about the Key Pair fields.

Step 6 In the Security Algorithms area, specify the available and active algorithms to be announced or matched during the TLS handshake.

  • Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.

Add—Adds the selected algorithm to the active list.

Remove—Removes the selected algorithm from the active list.

  • Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting as a TLS client to the server), the user-defined algorithms replace the original ones from the hello message for asymmetric encryption method between the two TLS legs. For example, the leg between the proxy and Call Manager may be NULL cipher to offload the Call Manager.

Move Up—Moves an algorithm up in the list.

Move Down—Moves an algorithm down in the list.

Step 7 Click Apply to save the changes.


 

TLS Proxy

This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1.


NoteThis feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version 8.1.2.


Use the TLS Proxy option to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco CallManager.

The TLS Proxy pane lets you define and configure Transaction Layer Security Proxy to enable inspection of encrypted traffic.

Fields

  • TLS Proxy Name—Lists the TLS Proxy name.
  • Server—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.
  • Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server dynamic certificates.
  • Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client or server dynamic certificates.
  • Add—Adds a TLS Proxy.
  • Edit—Edits a TLS Proxy.
  • Delete—Deletes a TLS Proxy.
  • Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.

Specify the maximum number of TLS Proxy sessions that the ASA needs to support. By default, ASA supports 300 sessions.—Enables maximum number of sessions option.

Maximum number of sessions:—The minimum is 1. The maximum is dependent on the platform. The default is 300.

Add/Edit TLS Proxy


NoteThis feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version 8.1.2.


The Add/Edit TLS Proxy dialog box lets you define the parameters for the TLS Proxy.

Fields

  • TLS Proxy Name—Specifies the TLS Proxy name.
  • Server Configuration—Specifies the proxy certificate name.

Server—Specifies the trustpoint to be presented during the TLS handshake. The trustpoint could be self-signed or enrolled locally with the certificate service on the proxy.

  • Client Configuration—Specifies the local dynamic certificate issuer and key pair.

Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server dynamic certificates.

Certificate Authority Server—Specifies the certificate authority server.

Certificate—Specifies a certificate.

Manage—Configures the local certificate authority. To make configuration changes after it has been configured for the first time, disable the local certificate authority.

Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client dynamic certificates.

Key-Pair Name—Specifies a defined key pair.

Show—Shows the key pair details, including generation time, usage, modulus size, and key data.

New—Lets you define a new key pair.

  • More Options—Specifies the available and active algorithms to be announced or matched during the TLS handshake.

Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.

Add—Adds the selected algorithm to the active list.

Remove—Removes the selected algorithm from the active list.

Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting as a TLS client to the server), the user-defined algorithms replace the original ones from the hello message for asymmetric encryption method between the two TLS legs. For example, the leg between the proxy and CallManager may be NULL cipher to offload the CallManager.

Move Up—Moves an algorithm up in the list.

Move Down—Moves an algorithm down in the list.

 

Feature History for the TLS Proxy for Encrypted Voice Inspection

Table 18-2 lists the release history for this feature.

 

Table 18-2 Feature History for Cisco Phone Proxy

Feature Name
Releases
Feature Information

TLS Proxy

8.0(2)

The TLS proxy feature was introduced.