Create Software Phone Devices
Software phones let users send and receive audio and video through their computers.
Create CSF Devices
Complete the steps in this task to create CSF devices.
Procedure
Step 1: Open the Cisco Unified CM Administration interface.
Step 2: Select . The Find and List Phones window opens.
Step 3: Select Add New.
Step 4: Select Cisco Unified Client Services Framework from the Phone Type drop-down list and then select Next. The Phone Configuration window opens.
Step 5: Specify a name for the CSF device in the Device Name field. You should use the CSFusername format for CSF device names. For example, you create a CSF device for a user named Tanya Adams, whose username is tadams. In this case, you should specify CSFtadams as the device name.
Step 6: Set the Owner User ID field to the appropriate user.
Step 7: Specify configuration settings on the Phone Configuration window as appropriate. See the Phone Setup topic in the Cisco Unified Communications Manager documentation for more information about the configuration settings on the Phone Configuration window. See Set Up Secure Phone Capabilities for instructions on configuring secure CSF devices.
Step 8: Select Save. A message displays to inform you if the device is added successfully. The Association Information section becomes available on the Phone Configuration window.
What to do next
Add a directory number to the device and apply the configuration.
Video Desktop Sharing
Binary Floor Control Protocol (BFCP) provides video desktop sharing capabilities for software phone devices, also known as CSF devices. Cisco Unified Communications Manager handles the BFCP packets that users transmit when using video desktop sharing capabilities. On Cisco Unified Communications Manager version 9.0(1) and later, BFCP presentation sharing is automatically enabled. For this reason, you do not need to perform any steps to enable video desktop sharing on CSF devices.
- You can enable video desktop sharing only on software phone devices. You cannot enable video desktop sharing on desk phone devices.
- Users must be on active calls to use video desktop sharing capabilities. You can only initiate video desktop sharing sessions from active calls.
Set Up Secure Phone Capabilities
You can optionally set up secure phone capabilities for CSF devices. Secure phone capabilities provide secure SIP signaling, secure media streams, and encrypted device configuration files.
Before you begin
What to do next
Configure the Security Mode
To use secure phone capabilities, configure the Cisco Unified Communications Manager security mode using the Cisco CTL Client. You cannot use secure phone capabilities with the nonsecure security mode. At a minimum, you must use mixed mode security.
- Allows authenticated, encrypted, and nonsecure phones to register with Cisco Unified Communications Manager.
- Cisco Unified Communications Manager supports both RTP and SRTP media.
- Authenticated and encrypted devices use secure port 5061 to connect to Cisco Unified Communications Manager.
See the Cisco Unified Communications Manager Security Guide for instructions on configuring mixed mode with the Cisco CTL Client.
Create a Phone Security Profile
The first step to setting up secure phone capabilities is to create a phone security profile that you can apply to the device.
Before you begin
Configure the Cisco Unified Communications Manager security to use mixed mode.
Procedure
Step 1: Select .
Step 2: Select Add New.
Step 3: Select the appropriate phone security profile from the Phone Security Profile type drop-down list and select Next. The Phone Security Profile Configuration window opens.
Configure the Phone Security Profile
After you add a phone security profile, you must configure it to suit your requirements.
Procedure
Step 1: Specify a name for the phone security profile in the Name field on the Phone Security Profile Configuration window.
Step 2: Specify values for the phone security profile as follows:
Step 3: Select Save.
Configure CSF Devices
Add the phone security profile to the devices and complete other configuration tasks for secure phone capabilities.
Procedure
Step 1: Open the CSF device configuration window.
Step 2: Select Allow Control of Device from CTI in the Device Information section.
Step 3: Select Save.
Step 4: Locate the Protocol Specific Information section.
Step 5: Select the phone security profile from the Device Security Profile drop-down list.
Step 6: Select Save.
At this point in the secure phone setup, existing users can no longer use their CSF devices. You must complete the secure phone setup before users can access their CSF devices again.
What to do next
Specify the certificate settings and generate the authentication string for users.
Specify Certificate Settings
Specify certificate settings in the CSF device configuration and generate the authentication strings that you provide to users.
Procedure
Step 1: Locate the Certification Authority Proxy Function (CAPF) Information section on the Phone Configuration window.
Step 2: Specify values as follows:
Step 3: Select Save.
Step 4: To create the authentication string, you can do one of the following:
What to do next
Provide users with the authentication string.
Provide Users with Authentication Strings
If you are using CAPF enrollment to configure secure phones, then you must provide users with authentication strings. Users must specify the authentication string in the client interface to access their devices and securely register with Cisco Unified Communications Manager.
Note: The time it takes for the enrollment process to complete can vary depending on the user's computer or mobile device and the current load for Cisco Unified Communications Manager. It can take up to one minute for the client to complete the CAPF enrollment process.
- Users enter an incorrect authentication string.
  Users can attempt to enter authentication strings again to complete the CAPF enrollment. However, if a user continually enters an incorrect authentication string, the client might reject any string the user enters, even if the string is correct. In this case, you must generate a new authentication string on the user's device and then provide it to the user.
- Users do not enter the authentication string before the expiration time you set in the Operation Completes By field.
  In this case, you must generate a new authentication string on the user's device. The user must then enter that authentication string before the expiration time.
Important: Users must not belong to the Standard CTI Secure Connection user group.
Secure Phone Details
Secure Connections
- SIP connections between CSF devices and Cisco Unified Communications Manager are over TLS.
- If you select Authenticated as the value for the Device Security Mode field on the phone security profile, the SIP connection is over TLS using the NULL-SHA cipher suite, which authenticates and integrity-protects the signaling but does not encrypt it.
- If you select Encrypted as the value for the Device Security Mode field on the phone security profile, the SIP connection is over TLS using AES 128/SHA encryption.
- Mutual TLS ensures that only CSF devices with the correct certificates can register to Cisco Unified Communications Manager. Likewise, CSF devices can register only to Cisco Unified Communications Manager instances that provide the correct certificate.
If you enable secure phone capabilities for users, their CSF device connections to Cisco Unified Communications Manager are secure. If the other endpoint also has a secure connection to Cisco Unified Communications Manager, then the call can be secure. However, if the other endpoint does not have a secure connection to Cisco Unified Communications Manager, then the call is not secure.
Encrypted Media
Media Stream | Encryption
---|---
Main video stream | Can be encrypted
Main audio stream | Can be encrypted
Presentation video stream (video desktop sharing using BFCP) | Not encrypted
BFCP application stream (BFCP flow control) | Not encrypted
- You enable media encryption for user A and user B. In other words, Device Security Mode is set to Encrypted on the phone security profile for the users' CSF devices.
- You do not enable media encryption for user C. In other words, Device Security Mode is set to Authenticated on the phone security profile for the user's CSF device.
- User A calls user B. The client encrypts the main video stream and audio stream.
- User A calls user C. The client does not encrypt the main video stream and audio stream.
- User A, user B, and user C start a conference call. The client does not encrypt the main video stream or audio stream for any user.
Note: The client displays a lock icon when it can use SRTP for encrypted media streams to other secured clients or conference bridges. However, not all versions of Cisco Unified Communications Manager provide the ability to display the lock icon. If the version of Cisco Unified Communications Manager you are using does not provide this ability, the client cannot display a lock icon even when it sends encrypted media.
Using Expressway for Mobile and Remote Access
- You configure a user's CSF device for secure phone capabilities.
- That user connects to the internal corporate network through Expressway for Mobile and Remote Access.
- The client notifies the user that it cannot use secure phone capabilities instead of prompting the user to enter an authentication string.
- Media is encrypted on the call path between the Cisco Expressway-C and devices that are registered to Cisco Unified Communications Manager using Expressway for Mobile and Remote Access.
- Media is not encrypted on the call path between the Cisco Expressway-C and devices that are registered locally to Cisco Unified Communications Manager.
Note: If you change the phone security profile while the client is connected through Expressway for Mobile and Remote Access, you must restart the client for that change to take effect.
Stored Files
- Certificate trust list (.tlv)
- Locally significant certificate (.lsc)
- Private key for the CSF device (.key)
The client downloads and stores certificate trust lists whenever you configure Cisco Unified Communications Manager security as mixed mode. Certificate trust lists enable the client to verify the identity of Cisco Unified Communications Manager servers.
Note: The client encrypts the private key before saving it to the file system.
The client stores these files in the following folder: %User_Profile%\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Security
Because the client stores the files in the user's Roaming folder, users can log in to any Microsoft Windows account on the Windows domain to register their CSF devices.
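As an added troubleshooting example (not part of the Cisco guide), the following PowerShell function reports whether the three stored files are present in the folder above for the current Windows user, which is a quick way to confirm that the CTL download and CAPF enrollment completed. It assumes the default path, where %User_Profile%\AppData\Roaming corresponds to $env:APPDATA.

```powershell
# Added example, not from the Cisco guide: check the CSF security artefacts the
# Jabber client stores for the logged-in Windows user.
function Test-JabberCsfSecurityFiles {
    [CmdletBinding()]
    param(
        # Default path from the guide; %User_Profile%\AppData\Roaming is $env:APPDATA.
        [string]$SecurityPath = (Join-Path $env:APPDATA 'Cisco\Unified Communications\Jabber\CSF\Security')
    )

    if (-not (Test-Path -LiteralPath $SecurityPath)) {
        Write-Warning "Folder not found: $SecurityPath. No secure CSF device has registered from this Windows account, or CUCM is not in mixed mode."
        return
    }

    # What each extension means according to the guide.
    $expected = [ordered]@{
        '.tlv' = 'Certificate trust list; downloaded when CUCM security is mixed mode'
        '.lsc' = 'Locally significant certificate; written when CAPF enrollment completes'
        '.key' = 'Private key for the CSF device; stored encrypted by the client'
    }

    $files = Get-ChildItem -LiteralPath $SecurityPath -File
    foreach ($ext in $expected.Keys) {
        $found = @($files | Where-Object { $_.Extension -ieq $ext })
        $newest = $found | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Extension   = $ext
            Present     = ($found.Count -gt 0)
            Count       = $found.Count
            LastWritten = if ($newest) { $newest.LastWriteTime } else { $null }
            Meaning     = $expected[$ext]
        }
    }

    # An LSC without its private key (or the reverse) points to an interrupted enrollment.
    $hasLsc = @($files | Where-Object { $_.Extension -ieq '.lsc' }).Count -gt 0
    $hasKey = @($files | Where-Object { $_.Extension -ieq '.key' }).Count -gt 0
    if ($hasLsc -ne $hasKey) {
        Write-Warning 'LSC and private key are not both present; re-run CAPF enrollment with a new authentication string.'
    }
}

Test-JabberCsfSecurityFiles | Format-Table -AutoSize
```

Because the folder is under the Roaming profile, running the check from a different domain-joined machine as the same user should show the same files.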
Conference Calls
On conference, or multi-party, calls, the conferencing bridge must support secure phone capabilities. If the conferencing bridge does not support secure phone capabilities, calls to that bridge are not secure. Likewise, all parties must support a common encryption algorithm for the client to encrypt media on conference calls.
CSF device security reverts to the lowest level available on multi-party calls. For example, user A, user B, and user C join a conference call. User A and user B have CSF devices with secure phone capabilities. User C has a CSF device without secure phone capabilities. In this case, the call is not secure for all users.
Sharing Secure CSF Devices between Clients
Clients that do not support secure phone capabilities cannot register to secure CSF devices.
Multiple Users on a Shared Microsoft Windows Account
Multiple users can have unique credentials for the client and share the same Windows account. However, the secure CSF devices are restricted to the Windows account that the users share. Users who share the same Windows account cannot make calls with their secure CSF devices from different Windows accounts.
You should ensure that multiple users who share the same Windows account have CSF devices with unique names. Users cannot register their CSF devices if they share the same Windows account and have CSF devices with identical names, but connect to different Cisco Unified Communications Manager clusters.
For example, user A has a CSF device named CSFcompanyname and connects to cluster 1. User B has a CSF device named CSFcompanyname and connects to cluster 2. In this case, a conflict occurs for both CSF devices. Neither user A nor user B can register their CSF devices after both users log in to the same Windows account.
Multiple Users on a Shared Computer
The client caches the certificates for each user's secure CSF device in a location that is unique to each Windows user. When a user logs in to their Windows account on the shared computer, that user can access only the secure CSF device that you provision to them. That user cannot access the cached certificates for other Windows users.
Add Directory Number to the Device for Desktop Applications
You must add directory numbers to devices in Cisco Unified Communications Manager. This topic provides instructions on adding directory numbers using the menu option after you create your device. Under this menu option, only the configuration settings that apply to the phone model or CTI route point display. See the Cisco Unified Communications Manager documentation for more information about different options to configure directory numbers.
Procedure
Step 1: Locate the Association Information section on the Phone Configuration window.
Step 2: Select Add a new DN.
Step 3: Specify a directory number in the Directory Number field.
Step 4: Specify all other required configuration settings as appropriate.
Step 5: Associate end users with the directory number as follows:
Step 6: Select Save.
Step 7: Select Apply Config.
Step 8: Follow the prompts on the Apply Configuration window to apply the configuration.