Cisco Unified CallManager Security Guide, Release 5.0(2)
Configuring Voice Messaging Ports for Security
Downloads: This chapterpdf (PDF - 184.0KB) The complete bookPDF (PDF - 4.67MB) | Feedback

Configuring Voice Messaging Ports for Security

Table Of Contents

Configuring Voice Messaging Ports for Security

Voice Messaging Security Overview

Secure Voice Messaging Port Configuration Checklist

Applying a Security Profile to a Single Voice Messaging Port

Applying the Security Profile in the Voice Messaging Port Wizard

Where to Find More Information


Configuring Voice Messaging Ports for Security


This chapter contains information on the following topics:

Voice Messaging Security Overview

Secure Voice Messaging Port Configuration Checklist

Applying a Security Profile to a Single Voice Messaging Port

Applying the Security Profile in the Voice Messaging Port Wizard

Where to Find More Information

Voice Messaging Security Overview

When you configure security for Cisco Unified CallManager voice messaging ports and Cisco Unity SCCP devices, a TLS connection (handshake) opens for authenticated devices after each device accepts the certificate of the other device; likewise, the system sends SRTP streams between devices; that is, if you configure the devices for encryption.

When the device security mode equals authenticated or encrypted, the Cisco Unity-CM TSP connects to Cisco Unified CallManager through the Cisco Unified CallManager TLS port. When the device security mode equals nonsecure, the Cisco Unity TSP connects to Cisco Unified CallManager through the Cisco Unified CallManager SCCP port.

Consider the following information before you configure security:

In this document, the use of the term, server, refers to a server in the Cisco Unified CallManager cluster. The use of the phrase, voice-mail server, refers to a Cisco Unity server.

You must run Cisco Unity 4.0(5) or later with this version of Cisco Unified CallManager.

You must perform security tasks for Cisco Unity by using the Cisco Unity Telephony Integration Manager; for information on how to perform these tasks, refer to the Cisco Unified CallManager 5.0 Integration Guide for Cisco Unity 4.x.

In addition to the procedures described in this chapter, you must use the certificate management feature in the Cisco Unified Communications Operating System Administration to the Cisco Unity certificate to the trusted store. For more information on this task, refer to the Cisco Unified Communications Operating System Administration Guide.

After you copy the certificate, you must restart the Cisco CallManager service on each server in cluster.

If Cisco Unity certificates expire or change for any reason, use the certificate management feature in the Cisco Unified Communications Operating System Administration to update the certificates in the trusted store. The TLS authentication fails when certificates do not match, and voice messaging does not work because it cannot register to Cisco Unified CallManager.

The setting that you specify in the Cisco Unity Telephony Integration Manager must match the voice messaging port device security mode that is configured in Cisco Unified CallManager Administration. In Cisco Unified CallManager Administration, you apply the device security mode to the voice messaging port when you apply a SCCP phone security profile to the port.


Tip If the device security mode settings do not match for Cisco Unified CallManager and Cisco Unity, the Cisco Unity ports fail to register with Cisco Unified CallManager, and Cisco Unity cannot accept calls on those ports.


Changing the security profile for the port requires a reset of Cisco Unified CallManager devices and a restart of the Cisco Unity software. If you apply a security profile in Cisco Unified CallManager Administration that uses a different device security mode than the previous profile, you must change the setting in Cisco Unity.

When you apply a security profile to the port, Cisco Unified CallManager ignores the Certificate Authority Proxy Function (CAPF) settings that exist for the profile because voice messaging ports do not support these settings. Choose a profile based on the device security mode, not the CAPF settings.

For information on settings that you configure in the SCCP phone security profile, see the "Configuring a Phone Security Profile" section.

Secure Voice Messaging Port Configuration Checklist

Use Table 10-1 as a reference when you configure security for voice messaging ports.

Table 10-1 Configuration Checklist for Securing Voice Messaging Ports 

Configuration Steps
Related Procedures and Topics

Step 1 

Verify that you installed and configured the Cisco CTL Client for secure mode.

Configuring the Cisco CTL Client

Step 2 

Verify that you configured the phones for authentication or encryption.

Phone Security Overview

Step 3 

Use the certificate management feature in the Cisco Unified Communications Operating System Administration to copy the Cisco Unity certificate to the trusted store on each server in the cluster; then, restart the Cisco CallManager service on each server.

Voice Messaging Security Overview

Cisco Unified Communications Operating System Administration Guide

Cisco Unified CallManager Serviceability Administration Guide

Step 4 

In Cisco Unified CallManager Administration, configure the security profile for the voice messaging ports; apply the profile to the port.

Applying a Security Profile to a Single Voice Messaging Port

Applying the Security Profile in the Voice Messaging Port Wizard

Step 5 

Perform security-related configuration tasks for Cisco Unity voice messaging ports; for example, configure Cisco Unity to point to the Cisco TFTP server.

Cisco Unified CallManager 5.0 Integration Guide for Cisco Unity 4.x

Step 6 

Reset the devices in Cisco Unified CallManager Administration and restart the Cisco Unity software.

Cisco Unified CallManager 5.0 Integration Guide for Cisco Unity 4.x

Applying a Security Profile to a Single Voice Messaging Port

Applying a Security Profile to a Single Voice Messaging Port

To apply a security profile to a single voice messaging port, perform the following procedure. This procedure assumes that you added the device to the database and installed a certificate in the phone, if a certificate does not already exist. After you apply a security profile for the first time or if you change the security profile, you must reset the device.

Before you apply a security profile, review the following sections:

Voice Messaging Security Overview

Secure Voice Messaging Port Configuration Checklist

Procedure


Step 1 Find the voice messaging port, as described in the Cisco Unified CallManager Administration Guide.

Step 2 After the configuration window for the port displays, locate the SCCP Phone Security Profile setting. From the drop-down list box, choose the profile that you want to apply to the port.

Step 3 Click Save.

Step 4 Click Reset.


Additional Information

See the "Related Topics" section.

Applying the Security Profile in the Voice Messaging Port Wizard

You cannot change the SCCP Phone Security Profile for existing voice messaging servers through the Voice Messaging Port Wizard. If you add ports to an existing voice-mail server, the device security mode that is currently configured for the profile automatically applies to the new ports.

To change the security setting for an existing voice-mail server, see the "Applying a Security Profile to a Single Voice Messaging Port" section.

Before you apply a security profile, review the following sections:

Voice Messaging Security Overview

Secure Voice Messaging Port Configuration Checklist

To apply the SCCP Phone Security Profile setting in the Voice Messaging Port Wizard for a new voice-mail server, perform the following procedure:

Procedure


Step 1 In Cisco Unified CallManager Administration, choose Voice Messaging > Voice Messaging Port Wizard.

Step 2 To add ports to a new voice-mail server, click the radio button that applies; click Next.

Step 3 Enter the name of the voice-mail server; click Next.

Step 4 Choose the number of ports that you want to add; click Next.

Step 5 In the Device Information window, choose the profile that you want to apply from the SCCP Phone Security Profile drop-down list box. Configure the other device settings, as described in the Cisco Unified CallManager Administration Guide. Click Next.

Step 6 Continue the configuration process, as described in the Cisco Unified CallManager Administration Guide. When the Summary window displays, click Finish.


Additional Information

See the "Related Topics" section.

Where to Find More Information

Related Topics

System Requirements

Interactions and Restrictions

Certificate Types

Configuration Checklist Overview

Voice Messaging Security Overview

Applying a Security Profile to a Single Voice Messaging Port

Applying the Security Profile in the Voice Messaging Port Wizard

Related Cisco Documentation

Cisco Unified CallManager 5.0 Integration Guide for Cisco Unity 4.x

Cisco Unified Communications Operating System Administration Guide