Cisco Unified CallManager Security Guide, Release 4.2(1)
Configuring Voice Mail Ports for Security


This chapter contains information on the following topics:

Voice Mail Security Overview

Configuring the Device Security Mode

Configuring the Security Device System Default

Configuring the Device Security Mode for a Single Device

Configuring the Device Security Mode in the Voice Mail Port Wizard

Finding Voice Mail Ports for Authentication or Encryption

Device Security Mode Configuration Settings

Secure Voice Mail Port Configuration Checklist

Voice Mail Security Overview

When you configure security for Cisco CallManager voice mail ports and Cisco Unity SCCP devices, a TLS connection (handshake) opens for authenticated devices after each device accepts the certificate of the other device. Likewise, if you configure the devices for encryption, the system sends SRTP streams between the devices.

When the device security mode equals authenticated or encrypted, the Cisco Unity TSP connects to Cisco CallManager through the Cisco CallManager TLS port. When the security mode equals nonsecure, the Cisco Unity TSP connects to Cisco CallManager through the Cisco CallManager SCCP port.

Consider the following information before you configure security:

In this document, the use of the term, server, refers to a server in the Cisco CallManager cluster. The use of the phrase, voice-mail server, refers to a Cisco Unity server.

You must run Cisco Unity 4.0(5) or later with this version of Cisco CallManager.

You must perform security tasks for Cisco Unity by using the Cisco Unity Telephony Integration Manager; for information on how to perform these tasks, refer to the Cisco CallManager Integration Guide for Cisco Unity 4.0.

In addition to the procedures described in this chapter, you must copy the Cisco Unity certificate to C:\Program Files\Cisco\Certificates on each server in the cluster. For more information on this task, refer to the Cisco CallManager Integration Guide for Cisco Unity 4.0.

After you copy the certificate, you must restart the Cisco CallManager service on each server in the cluster.

If Cisco Unity certificates expire or change for any reason, ensure that the new certificates exist on each server in the cluster. The TLS authentication fails when certificates do not match, and voice mail will not work because it cannot register to Cisco CallManager.

The setting that you specify in the Cisco Unity Telephony Integration Manager must match the voice-mail device security mode that is configured in Cisco CallManager Administration.


Tip: If the device security settings do not match for Cisco CallManager and Cisco Unity, the Cisco Unity ports fail to register with Cisco CallManager, and Cisco Unity cannot accept calls on those ports.


Changing the device security mode requires a reset of Cisco CallManager devices and a restart of the Cisco Unity Integration Manager. If you change the setting in Cisco CallManager Administration, you must change the setting in Cisco Unity.

Configuring the Device Security Mode

To configure the devices for authentication or encryption, perform one of the following tasks:

Configure the system default device security mode for voice mail ports and supported phone models.

Configure the device security mode for a single device in the Voice Mail Port Configuration window in Cisco CallManager Administration.

Configure the device security mode for a supported voice mail port by using the Cisco Bulk Administration Tool.

Related Topics

Voice Mail Security Overview

Interactions and Restrictions, page 1-5

Configuring the Security Device System Default

Configuring the Device Security Mode for a Single Device

Configuring the Device Security Mode in the Voice Mail Port Wizard

Device Security Mode Configuration Settings

Secure Voice Mail Port Configuration Checklist

Configuring the Security Device System Default


Note: This procedure requires that you reset the devices and restart the Cisco CallManager service for the changes to take effect.


The Device Security Mode enterprise parameter applies for both phones and voice-mail ports; when you configure the enterprise parameter, the setting applies to all voice-mail ports and Cisco IP Phone models 7940, 7960, and 7970 in the cluster.

If this setting displayed as Authenticated or Encrypted prior to the 4.1(3) upgrade, be aware that the voice-mail port is configured as nonsecure until you update the Device Security Mode in the Voice Mail Port window.

To set the security device system default to Authenticated or Encrypted, perform the following procedure:

Procedure


Step 1 From Cisco CallManager Administration, choose System > Enterprise Parameters.

Step 2 In the Security Parameters section, locate Device Security Mode.

Step 3 From the drop-down list box, choose Authenticated or Encrypted. For more information on these options, see Table 6-1.

Step 4 At the top of the Enterprise Parameters window, click Update.

Step 5 Reset all devices in the cluster; see the "Resetting the Devices, Restarting Services, or Rebooting the Server/Cluster" section on page 1-10.

Step 6 Restart the Cisco CallManager service for the changes to take effect.


Related Topics

Voice Mail Security Overview

Interactions and Restrictions, page 1-5

Device Security Mode Configuration Settings

Secure Voice Mail Port Configuration Checklist

Configuring the Device Security Mode for a Single Device

To configure the device security mode for a single device, perform the following procedure. This procedure assumes that you added the device to the database and installed a certificate in the phone, if a certificate does not already exist.

After you configure the device security mode for the first time or if you change the device security mode, you must reset the device.

The default setting for the Device Security Mode equals nonsecure.

Procedure


Step 1 In Cisco CallManager Administration, choose Feature > Voice Mail > Voice Mail Port.

Step 2 Specify the criteria to find the device and click Find; or, to display a list of all voice mail ports, click Find.

If you have not added the voice mail port to the database, the port does not display in the list. For information on adding a voice-mail port, refer to the Cisco CallManager Administration Guide.

Step 3 To open the configuration window for the port, click the device name.

Step 4 Locate the Device Security Mode drop-down list box.

Step 5 From the Device Security Mode drop-down list box, choose the option that you want to configure. See Table 6-1 for information on the options.

Step 6 Click Update.

Step 7 Click Reset Port.


Related Topics

Voice Mail Security Overview

Interactions and Restrictions, page 1-5

Device Security Mode Configuration Settings

Secure Voice Mail Port Configuration Checklist

Configuring the Device Security Mode in the Voice Mail Port Wizard

You cannot change the Device Security Mode for existing voice mail servers through the Voice Mail Port Wizard. If you add ports to an existing voice-mail server, the device security mode that is currently configured automatically applies to the new ports.

To change the security setting for an existing voice-mail server, see the "Configuring the Device Security Mode for a Single Device" section.

To configure the Device Security Mode setting in the Voice Mail Port Wizard for a new voice-mail server, perform the following procedure:

Procedure


Step 1 In Cisco CallManager Administration, choose Feature > Voice Mail > Voice Mail Port Wizard.

Step 2 To add ports to a new voice-mail server, click the radio button that applies; click Next.

Step 3 Enter the name of the voice-mail server; click Next.

Step 4 Choose the number of ports that you want to add.

Step 5 In the Device Information window, choose Authenticated or Encrypted from the Device Security Mode drop-down list box. Configure the other device settings, as described in the Cisco CallManager Administration Guide. Click Next.

Step 6 Continue the configuration process, as described in the Cisco CallManager Administration Guide. When the Summary window displays, click Finish.


Finding Voice Mail Ports for Authentication or Encryption

To find a voice mail port that is associated with the security features, you can choose the Device Security Mode in the Voice-Mail Port Find/List window in Cisco CallManager Administration.

Choosing this option returns a list of voice mail ports that support authentication or encryption. If you choose this option, you can also specify whether the device is Authenticated or Encrypted.

For information on how to find and list voice mail ports, refer to the Cisco CallManager Administration Guide.

Related Topics

Cisco CallManager Administration Guide

Device Security Mode Configuration Settings

The options in Table 6-1 exist for the device security mode.

Table 6-1 Device Security Modes

| Option | Description |
|---|---|
| Use System Default | The voice mail port uses the value that you specified for the enterprise parameter, Device Security Mode. |
| Non-secure | The voice mail port does not use any security features. A TCP connection opens to Cisco CallManager. |
| Authenticated | Cisco CallManager provides integrity and authentication for the voice mail port. A TLS connection that uses NULL/SHA opens between the voice mail port and Cisco CallManager. |
| Encrypted | Cisco CallManager provides integrity, authentication, and encryption for the voice mail port. A TLS connection that uses AES128/SHA opens between the voice mail port and Cisco CallManager. |
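
The matching rules in this chapter (Cisco Unity setting equals the effective CallManager mode, and the same Cisco Unity certificate on every server in the cluster) can be checked offline before devices are reset. The following Python audit is an added example, not Cisco code: it runs on a constructed inventory, and the function names, port and server names, and the assumption that Cisco Unity reports the same mode labels as Table 6-1 are hypothetical.

```python
import hashlib

# Transport that Table 6-1 associates with each device security mode.
TRANSPORT = {
    "Non-secure": "TCP",
    "Authenticated": "TLS NULL/SHA",
    "Encrypted": "TLS AES128/SHA",
}

def effective_mode(port_mode, enterprise_default):
    """Resolve 'Use System Default' to the enterprise parameter value."""
    return enterprise_default if port_mode == "Use System Default" else port_mode

def audit(ports, enterprise_default, unity_cert, cluster_certs):
    """List conditions that keep voice mail ports from registering.

    ports: {port: (CallManager mode, Cisco Unity mode)}
    unity_cert: bytes of the certificate Cisco Unity currently presents
    cluster_certs: {server: bytes of its copy of that certificate, or None}
    """
    findings, tls_in_use = [], False
    for name, (ccm_mode, unity_mode) in sorted(ports.items()):
        mode = effective_mode(ccm_mode, enterprise_default)
        tls_in_use |= mode != "Non-secure"
        if mode != unity_mode:
            findings.append(f"{name}: CallManager={mode} ({TRANSPORT[mode]}), "
                            f"Unity={unity_mode}; port fails to register")
    if tls_in_use:  # certificates matter only when a port negotiates TLS
        want = hashlib.sha256(unity_cert).hexdigest()
        for server, cert in sorted(cluster_certs.items()):
            if cert is None:
                findings.append(f"{server}: Cisco Unity certificate missing")
            elif hashlib.sha256(cert).hexdigest() != want:
                findings.append(f"{server}: certificate does not match; TLS authentication fails")
    return findings

# Constructed sample inventory: names and certificate bytes are placeholders.
SAMPLE_PORTS = {
    "vmport-1": ("Use System Default", "Encrypted"),
    "vmport-2": ("Non-secure", "Encrypted"),
    "vmport-3": ("Authenticated", "Authenticated"),
}
CURRENT_CERT = b"constructed-unity-cert-v2"
SAMPLE_CLUSTER = {"ccm-pub": CURRENT_CERT, "ccm-sub1": b"constructed-unity-cert-v1", "ccm-sub2": None}

if __name__ == "__main__":
    for line in audit(SAMPLE_PORTS, "Encrypted", CURRENT_CERT, SAMPLE_CLUSTER):
        print(line)
```
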


Related Topics

Voice Mail Security Overview

Interactions and Restrictions, page 1-5

Secure Voice Mail Port Configuration Checklist

Secure Voice Mail Port Configuration Checklist

Use Table 6-2 as a reference when you configure security for voice mail ports.

Table 6-2 Configuration Checklist for Securing Voice Mail Ports

| Configuration Steps | Related Procedures and Topics |
|---|---|
| Step 1 Verify that you installed and configured the Cisco CTL Client for mixed mode. | Configuring the Cisco CTL Client |
| Step 2 Verify that you configured the phones for authentication or encryption. | Configuring the Phones for Security |
| Step 3 Copy the Cisco Unity certificate to each server in the cluster; then, restart the Cisco CallManager service on each server. | Voice Mail Security Overview; Cisco CallManager Serviceability Administration Guide |
| Step 4 In Cisco CallManager Administration, configure the device security mode for the voice mail ports. Tip: If you configured the Device Security Mode enterprise parameter prior to the 4.1(3) upgrade, you can skip this step. The voice-mail ports automatically use the enterprise parameter configuration. | Configuring the Security Device System Default; Configuring the Device Security Mode for a Single Device; Configuring the Device Security Mode in the Voice Mail Port Wizard; Device Security Mode Configuration Settings |
| Step 5 Perform security-related configuration tasks for Cisco Unity voice mail ports; for example, configure Cisco Unity to point to the Cisco TFTP server. | Cisco CallManager 4.1 Integration Guide for Cisco Unity 4.0 |
| Step 6 Reset the devices in Cisco CallManager Administration and restart the Cisco Unity Integration Manager. | Cisco CallManager 4.1 Integration Guide for Cisco Unity 4.0; Resetting the Devices, Restarting Services, or Rebooting the Server/Cluster, page 1-10 |