This document describes two different security features available on Cisco TelePresence infrastructure devices, the Cisco TelePresence Multipoint Switch (CTMS), Cisco TelePresence Recording Server (CTRS), and Cisco TelePresence Manager (CTS-Manager).
Inter-device security provides secure communication between devices on your Cisco TelePresence network. In the case of the CTMS, this security feature also enables you to determine the default security policy (secure or best effort) for mulitpoint meetings.
Browser security secures communication between a web browser and your infrastructure device administrative interface.
Note You can configure either inter-device security or browser security on an infrastructure device. You cannot configure both security features on one device.
Inter-Device Security Overview
Cisco TelePresence devices support secure communication between devices using Certificate Authority Proxy Function (CAPF). Cisco TelePresence is part of Cisco Unified Communications and shares security architecture using CAPF. This functionality is similar to Cisco Unified IP phone security architecture. Other key architectural elements that are used include the Certificate Trust List (CTL), Locally Significant Certificate (LSC), and Computer Telephony Integration (CTI).
The following is an overview of how CAPF is configured on Cisco TelePresence components:
1. CAPF service is started in Cisco Unified CM so that the Cisco Unified CM becomes the CAPF server.
2. The Cisco TelePresence Multipoint Switch (CTMS), Cisco TelePresence Recording Server (CTRS), and Cisco TelePresence Manager (CTS-Manager) are configured as CAPF clients.
3. A common application user ID is configured for each CAPF client, and separate instance IDs are created for the CTMS, CTRS, and Cisco TelePresence Manager.
4. CAPF authenticates information between the Cisco TelePresence devices using a Locally Significant Certificate (LSC).
The LCS can be downloaded from the CAPF Server (same as the Cisco Unified CM host in most cases) using CTI secured connections over TLS. As part of the Cisco Unified Communications architecture, Cisco TelePresence endpoints follow the configuration on the Cisco Unified CM to automatically download their LSC during initial setup. CTMS, CRTS, and CTS-Manager, on the other hand, do not register to the Cisco Unified CM and therefore require manual steps to obtain the LCS from the CAPF server.
To create secure services, you must activate and start CAPF service, create application users, create Cisco Unified CM root certificates for every Cisco Unified CM server associated with a Cisco TelePresence service, and create a CAPF root certificate. Then in the administration interface for each Cisco TelePresence device, you must upload the applicable Cisco Unified CM and CAPF root certificates and download the appropriate LSCs. When all certificates are in place and the LSC is downloaded, the Cisco TelePresence device reboots so that the security settings take effect.
You can set up an encrypted link between the web server of a Cisco TelePresence infrastructure device (a CTMS, CTRS, or CTS-Manager), and the browser through which you access the Administrative UI. If multiple infrastructure devices exist in your Cisco TelePresence topology, you can optionally set up browser security for each one.
Setting up browser security is comprised of these steps, which can be performed over one or more days:
5. Request a Secure Sockets Layer (SSL) certificate from a certificate authority (CA), which is comprised of these substeps:
a. Generate a Certificate Signing Request (CSR).
b. Apply for the SSL certificate from a CA.
c. Wait for the SSL certificate from the CA, which can take a few seconds to a few days.
6. Install the certificate on the device.
Ensuring Secure CTS Integration with the Cisco TelePresence Server
To secure media on calls to a Cisco TelePresence Server, you will need to do the following:
1. Make the endpoint secure by using the configuration steps in this guide.
2. Add the encryption release key to the Cisco TelePresence Server. To obtain your encryption key, contact the Cisco Technical Assistance Center (TAC). See the “Technical Assistance Center” section to choose a contact option.
See the following Cisco TelePresence Server support documentation on Cisco.com:
When the recommended action of a sysop log message advises that you contact Cisco technical support, open a case with the Cisco Technical Assistance Center (TAC). Read the following methods to obtain additional information.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:
P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation , which also lists all new and revised Cisco technical documentation, at the following URL:
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.