Cisco Unified CallManager Security Guide, Release 4.2(3)

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

This chapter contains information on the following topics:

Overview for Securing the SRST

Secure SRST Configuration Checklist

Configuring Secure SRST References

Security Configuration Settings for SRST References

Overview for Securing the SRST

An SRST-enabled gateway provides limited call-processing tasks if the Cisco Unified CallManager cannot complete the call. Secure SRST-enabled gateways contain a self-signed or certificate-authority-issued certificate. After you perform SRST configuration tasks in Cisco Unified CallManager Administration, Cisco Unified CallManager uses a TLS connection to authenticate with the Certificate Provider service in the SRST-enabled gateway. Cisco Unified CallManager then retrieves the certificate from the SRST-enabled gateway and adds the certificate to the Cisco Unified CallManager database.

After you reset the dependent devices in Cisco Unified CallManager Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled gateway.


Tip Cisco Unified CallManager only supports depth-1 chaining for the SRST certificates; that is, the phone configuration file only contains a certificate from a single issuer. In this case, the system does not support HSRP.


Ensure that the following criteria are met, so the TLS handshake occurs between the secure phone and the SRST-enabled gateway:

The SRST reference contains a self-signed or certificate-authority-issued certificate.

You configured the cluster for mixed mode through the Cisco CTL client.

You configured the phone for authentication or encryption.

You configured the SRST reference in Cisco Unified CallManager Administration.

You reset the SRST-enabled gateway and the dependent phones after the SRST configuration.

When the cluster security mode equals nonsecure, the device security mode is nonsecure in the phone configuration file, even though Cisco Unified CallManager Administration may indicate that the device security mode is authenticated or encrypted. Under these circumstances, the phone attempts nonsecure connections with the SRST-enabled gateway and the Cisco Unified CallManager servers in the cluster.

When the cluster security mode equals nonsecure, the security-related configuration in Cisco Unified CallManager Administration is ignored; for example, the device security mode, the Is SRST Secure? check box, and so on. The configuration is not deleted in Cisco Unified CallManager Administration, but security is not provided.

The phone attempts a secure connection to the SRST-enabled gateway only when the cluster security mode equals Mixed Mode, the device security mode in the phone configuration file is set to authenticated or encrypted, the Is SRST Secure? check box is checked in the SRST Configuration window, and a valid SRST certificate exists in the phone configuration file.
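The conditions listed above are easy to misjudge in a live deployment because the device security mode shown in Administration is not necessarily the mode that reaches the phone. The following Python script is an added example, not Cisco code or part of this guide: it models the documented preconditions (Mixed Mode cluster, authenticated or encrypted device mode in the configuration file, Is SRST Secure? checked, and a single-issuer certificate per the depth-1 chaining tip), counts the certificates in a PEM bundle so a chain deeper than depth 1 is flagged, and offers a helper that retrieves the certificate a gateway presents on the Certificate Provider port (default 2445, as given in the settings table later in this chapter) so you can inspect it before checking the box. The function names, the mode strings and the sample PEM body are this example's own assumptions; the PEM body is a constructed placeholder, not a real certificate.

```python
"""Secure SRST precondition check (added example, not Cisco's code).

Mirrors the chapter's conditions for a phone to attempt a TLS connection
to an SRST-enabled gateway and helps inspect the gateway certificate.
"""
import base64
import re
import ssl

# Default Cisco SRST Certificate Provider port, from this chapter.
SRST_CERT_PROVIDER_DEFAULT_PORT = 2445

# Device security modes that allow a secure connection (chapter wording).
SECURE_DEVICE_MODES = {"authenticated", "encrypted"}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def count_certificates(pem_bundle: str) -> int:
    """Return the number of well-formed certificate blocks in a PEM bundle.

    Each body is base64-validated so a truncated copy/paste raises
    ValueError instead of being counted as a certificate.
    """
    bodies = _PEM_RE.findall(pem_bundle)
    for body in bodies:
        try:
            base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError("malformed PEM certificate body") from exc
    return len(bodies)


def effective_device_security_mode(cluster_mode: str,
                                   admin_device_mode: str) -> str:
    """Mode that actually lands in the phone configuration file.

    When the cluster security mode is nonsecure, the file carries
    nonsecure regardless of what Administration displays for the device.
    """
    if cluster_mode.strip().lower() != "mixed mode":
        return "nonsecure"
    return admin_device_mode.strip().lower()


def phone_attempts_secure_srst(cluster_mode: str, admin_device_mode: str,
                               is_srst_secure: bool,
                               srst_cert_pem: str) -> bool:
    """True only when every documented condition holds.

    Exactly one certificate is required: the chapter states that only
    depth-1 chaining (a single issuer) is supported, so a bundle with
    more than one certificate is treated as unsupported.
    """
    mode = effective_device_security_mode(cluster_mode, admin_device_mode)
    if mode not in SECURE_DEVICE_MODES:
        return False
    if not is_srst_secure:
        return False
    try:
        cert_count = count_certificates(srst_cert_pem or "")
    except ValueError:
        return False  # malformed certificate data is never "valid"
    return cert_count == 1


def fetch_srst_certificate(host: str,
                           port: int = SRST_CERT_PROVIDER_DEFAULT_PORT) -> str:
    """Retrieve the PEM leaf certificate presented by the gateway's
    Certificate Provider service (stdlib ssl; requires network access)."""
    return ssl.get_server_certificate((host, port))


# Constructed placeholder PEM block (valid base64, not a real certificate).
SAMPLE_SRST_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVwCAQAwDQYJKoZIhvcNAQEFBQAwMA==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Administration shows Encrypted, but the cluster is nonsecure:
    # the phone will try a nonsecure connection to the SRST gateway.
    print(effective_device_security_mode("Nonsecure", "Encrypted"))
    print(phone_attempts_secure_srst("Mixed Mode", "Encrypted", True,
                                     SAMPLE_SRST_CERT_PEM))
    # Two certificates exceed depth-1 chaining and are rejected.
    print(phone_attempts_secure_srst("Mixed Mode", "Encrypted", True,
                                     SAMPLE_SRST_CERT_PEM * 2))
```

Run fetch_srst_certificate("gateway-host") against your own gateway to see the certificate Cisco Unified CallManager will retrieve; if you changed the Certificate Provider port on the gateway, pass the same port here.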

Related Topics

Secure SRST Configuration Checklist

Configuring Secure SRST References

Security Configuration Settings for SRST References

Troubleshooting, page 9-1

Secure SRST Configuration Checklist

Use Table 7-1 to guide you through the SRST configuration process for security.

Table 7-1 Configuration Checklist for Securing the SRST

Step 1: Verify that you performed all necessary tasks on the SRST-enabled gateway, so the device supports Cisco Unified CallManager and security.
Related procedures and topics: Cisco IOS SRST Version 3.3 System Administrator Guide that supports this version of Cisco Unified CallManager, which you can obtain at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/voice/srst/srst33/srst33ad/index.htm

Step 2: Verify that you performed all necessary tasks to install and configure the Cisco CTL client.
Related procedures and topics: Configuring the Cisco CTL Client

Step 3: Verify that a certificate exists in the phone.
Related procedures and topics: Verifying That a Locally Significant Certificate Exists on the Phone, page 9-39; Verifying That a Manufacture-Installed Certificate (MIC) Exists in the Phone, page 9-40

Step 4: Verify that you configured the phones for authentication or encryption.
Related procedures and topics: Configuring the Device Security Mode

Step 5: In Cisco Unified CallManager Administration, configure the SRST reference for security, including enabling the SRST reference in the Device Pool Configuration window.
Related procedures and topics: Configuring Secure SRST References

Step 6: Reset the SRST-enabled gateway and phones.
Related procedures and topics: Configuring Secure SRST References

Configuring Secure SRST References

Consider the following information before you add, update, or delete the SRST reference in Cisco Unified CallManager Administration:

Adding a Secure SRST Reference—The first time that you configure the SRST reference for security, you must configure all settings that are described in Table 7-2.

Updating a Secure SRST Reference—Performing SRST updates in Cisco Unified CallManager Administration does not automatically update the SRST certificate. To update the certificate, you must click the Update SRST Certificate button; after you click the button, the contents of the certificate display, and you must accept or reject the certificate. If you accept the certificate, Cisco Unified CallManager replaces the SRST certificate in the trust folder on each server in the cluster.

Deleting a Secure SRST Reference—Deleting a secure SRST reference removes the SRST certificate from the Cisco Unified CallManager database and the cnf.xml file in the phone.

To configure a secure SRST reference, perform the following procedure:

Procedure


Step 1 In Cisco Unified CallManager Administration, choose System > SRST.

Step 2 Perform one of the following tasks:

Add an SRST reference for the first time. For information on how to perform this task, refer to the Cisco CallManager Administration Guide.

Find the SRST reference that you want to configure for security. For information on finding SRST references, refer to the Cisco CallManager Administration Guide. Use Table 7-2 to update an existing SRST reference for security.

Step 3 Click Insert or Update, depending on whether you added or updated the SRST reference.

Step 4 To update the SRST certificate in the database, click the Update SRST Certificate button.


Tip This button displays only when you update an existing SRST reference.


Step 5 Click Reset Devices.

Step 6 Verify that you enabled the SRST reference in the Device Pool Configuration window.


Related Topics

Overview for Securing the SRST

Secure SRST Configuration Checklist

Security Configuration Settings for SRST References

Troubleshooting, page 9-1

Security Configuration Settings for SRST References

Use Table 7-2 to configure secure SRST references.

Table 7-2 Configuration Settings for Secure SRST References 

Setting: Is SRST Secure?

Description: After you verify that the SRST-enabled gateway contains a self-signed or certificate-authority-issued certificate, check this check box.

After you configure the SRST and reset the gateway and dependent phones, the Cisco CTL Provider service authenticates to the Certificate Provider service on the SRST-enabled gateway. The Cisco CTL client retrieves the certificate from the SRST-enabled gateway and stores the certificate in the Cisco Unified CallManager database.

Tip To remove the SRST certificate from the database and phone, uncheck this check box, click Update, and reset the dependent phones.

Setting: SRST Certificate Provider Port

Description: This port monitors requests for the Certificate Provider service on the SRST-enabled gateway. Cisco Unified CallManager uses this port to retrieve the certificate from the SRST-enabled gateway. The Cisco SRST Certificate Provider default port equals 2445.

After you configure this port on the SRST-enabled gateway, enter the port number in this field.

Tip You may need to configure a different port number if the port is currently used or if you use a firewall and you cannot use the port within the firewall.

Setting: Update SRST Certificate

Tip This button displays only for existing secure SRST references.

Description: After you click this button, the Cisco CTL client replaces the existing SRST certificate that is stored in the Cisco Unified CallManager database. After you reset the dependent phones, the TFTP server sends the cnf.xml file (with the new SRST certificate) to the phones.


Related Topics

Overview for Securing the SRST

Secure SRST Configuration Checklist

Troubleshooting, page 9-1