Cisco Unified Communications Manager Security Guide, Release 6.1(1)
Configuring a SIP Trunk Security Profile
Downloads: This chapterpdf (PDF - 401.0KB) The complete bookPDF (PDF - 4.76MB) | Feedback

Configuring the SIP Trunk Security Profile

Table Of Contents

Configuring the SIP Trunk Security Profile

SIP Trunk Security Profile Overview

Configuration Tips for SIP Trunk Security Profile

Finding a SIP Trunk Security Profile

Configuring the SIP Trunk Security Profile

SIP Trunk Security Profile Configuration Settings

Applying a SIP Trunk Security Profile

Deleting a SIP Trunk Security Profile

Where to Find More Information


Configuring the SIP Trunk Security Profile


This chapter contains information on the following topics:

SIP Trunk Security Profile Overview

Configuration Tips for SIP Trunk Security Profile

Finding a SIP Trunk Security Profile

Configuring the SIP Trunk Security Profile

SIP Trunk Security Profile Configuration Settings

Applying a SIP Trunk Security Profile

Deleting a SIP Trunk Security Profile

Where to Find More Information

SIP Trunk Security Profile Overview

Cisco Unified Communications Manager Administration groups security-related settings for the SIP trunk to allow you to assign a single security profile to multiple SIP trunks. Security-related settings include device security mode, digest authentication, and incoming/outgoing transport type settings. You apply the configured settings to the SIP trunk when you choose the security profile in the Trunk Configuration window.

Installing Cisco Unified Communications Manager provides a predefined, nonsecure SIP trunk security profile for autoregistration. To enable security features for a SIP trunk, configure a new security profile and apply it to the SIP trunk. If the trunk does not support security, choose a nonsecure profile.

Only security features that the SIP trunk supports display in the security profile settings window.

Configuration Tips for SIP Trunk Security Profile

Consider the following information when you configure SIP trunk security profiles in Cisco Unified Communications Manager Administration:

When you are configuring a SIP trunk, you must select a security profile in the Trunk Configuration window. If the device does not support security, apply a nonsecure profile.

You cannot delete a security profile that is currently assigned to a device.

If you change the settings in a security profile that is already assigned to a SIP trunk, the reconfigured settings apply to all SIP trunks that are assigned that profile.

You can rename security files that are assigned to devices. The SIP trunks that are assigned the old profile name and settings assume the new profile name and settings.

If you configured the device security mode prior to a Cisco Unified Communications Manager 5.0 or later upgrade, Cisco Unified Communications Manager creates a profile for the SIP trunk and applies the profile to the device.

Finding a SIP Trunk Security Profile

To find a SIP trunk security profile, perform the following procedure:

Procedure


Step 1 Choose System > Security Profile > SIP Trunk Security Profile.

The Find and List window displays. Records from an active (prior) query may also display in the window.

Step 2 To find all records in the database, ensure the dialog box is empty; go to Step 3.

To filter or search records

From the drop-down list box, choose a search parameter.

From the drop-down list box, choose a search pattern.

Specify the appropriate search text, if applicable.


Note To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the - button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.


Step 3 Click Find.

All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

Step 4 From the list of records that display, click the link for the record that you want to view.


Note To reverse the sort order, click the up or down arrow, if available, in the list header.


The window displays the item that you choose.


Additional Information

See the "Related Topics" section.

Configuring the SIP Trunk Security Profile

To add, update, or copy a SIP trunk security profile, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose System > Security Profile > SIP Trunk Security Profile.

Step 2 Perform one of the following tasks:

To add a new profile, click Add New in the Find window. (You can also display a profile and then click Add New.) The configuration window displays with the default settings for each field.

To copy an existing security profile, locate the appropriate profile as described in "Finding a SIP Trunk Security Profile" section and click the Copy icon for that record in the Copy column. (You can also display a profile and then click Copy.) The configuration window displays with the configured settings.

To update an existing profile, locate and display the appropriate security profile as described in "Finding a SIP Trunk Security Profile" section. The configuration window displays with the current settings.

Step 3 Enter the appropriate settings as described in Table 15-1.

Step 4 Click Save.


Next Steps

After you create the security profile, apply it to the trunk, as described in the "Applying a SIP Trunk Security Profile" section.

If you configured digest authentication for SIP trunks, you must configure the digest credentials in the SIP Realm window for the trunk and Application User window for applications that are connected through the SIP trunk, if you have not already done so.

If you enabled application-level authorization for applications that are connected through the SIP trunk, you must configure the methods that are allowed for the application in the Application User window, if you have not already done so.

Additional Information

See the "Related Topics" section.

SIP Trunk Security Profile Configuration Settings

Table 15-1 describes the settings for the SIP Trunk Security Profile.

For configuration tips, refer to the "Configuration Tips for SIP Trunk Security Profile" section.

For related information and procedures, see the "Related Topics" section.

Table 15-1 SIP Trunk Security Profile Configuration Settings 

Setting
Description

Name

Enter a name for the security profile. When you save the new profile, the name displays in the SIP Trunk Security Profile drop-down list box in the Trunk Configuration window.

Description

Enter a description for the security profile.

Device Security Mode

From the drop-down list box, choose one of the following options:

Non Secure—No security features except image authentication apply. A TCP or UDP connection opens to Cisco Unified Communications Manager.

Authenticated—Cisco Unified Communications Manager provides integrity and authentication for the trunk. A TLS connection that uses NULL/SHA opens.

Encrypted—Cisco Unified Communications Manager provides integrity, authentication, and signaling encryption for the trunk. A TLS connection that uses AES128/SHA opens for signaling.

Note SIP trunks support signaling encryption (not SRTP).

Incoming Transport Type

When Device Security Mode is Non Secure, TCP+UDP specifies the transport type.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note The Transport Layer Security (TLS) protocol secures the connection between Cisco Unified Communications Manager and the trunk.

Outgoing Transport Type

From the drop-down list box, choose the outgoing transport mode.

When Device Security Mode is Non Secure, choose TCP or UDP.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note TLS ensures signaling integrity, device authentication, and signaling encryption for SIP trunks.

Tip You must use UDP as the outgoing transport type when connecting SIP trunks between Cisco Unified Communications Manager systems and IOS gateways that do not support TCP connection reuse. See "Understanding Session Initiation Protocol (SIP)" in the Cisco Unified Communications Manager System Guide for more information.

Enable Digest Authentication

Check this check box to enable digest authentication. If you check this check box, Cisco Unified Communications Manager challenges all SIP requests from the trunk.

Digest authentication does not provide device authentication, integrity or confidentiality. Choose a security mode of authenticated or encrypted to use these features.

For more information on digest authentication, see Digest Authentication, page 1-19 and Configuring Digest Authentication for the SIP Trunk, page 16-1.

Tip Use digest authentication to authenticate SIP trunk users on trunks that are using TCP or UDP transport.

Nonce Validity Time

Enter the number of minutes (in seconds) that the nonce value is valid. The default value equals 600 (10 minutes). When the time expires, Cisco Unified Communications Manager generates a new value.

Note A nonce value, a random number that supports digest authentication, gets used to calculate the MD5 hash of the digest authentication password.

X.509 Subject Name

This field applies if you configured TLS for the incoming and outgoing transport type.

For device authentication, enter the subject name of the X.509 certificate for the SIP trunk device. If you have a Cisco Unified Communications Manager cluster or if you use SRV lookup for the TLS peer, a single trunk may resolve to multiple hosts, which results in multiple X.509 subject names for the trunk. If multiple X.509 subject names exist, enter one of the following characters to separate the names: space, comma, semicolon, or a colon.

You can enter up to 4096 characters in this field.

Tip The subject name corresponds to the source connection TLS certificate. Ensure subject names are unique for each subject name and port. You cannot assign the same subject name and incoming port combination to different SIP trunks.

Example: SIP TLS trunk1 on port 5061 has X.509 Subject Names my_cm1, my_cm2. SIP TLS trunk2 on port 5071 has X.509 Subject Names my_cm2, my_cm3. SIP TLS trunk3 on port 5061 can have X.509 Subject Name my_ccm4 but cannot have X.509 Subject Name my_cm1.

Incoming Port

Choose the incoming port. Enter a value that is a unique port number from 1024-65535. The default port value for incoming TCP and UDP SIP messages specifies 5060. The default SIP secured port for incoming TLS messages specifies 5061. The value that you enter applies to all SIP trunks that use the profile.

Tip All SIP trunks that use TLS can share the same incoming port; all SIP trunks that use TCP + UDP can share the same incoming port. You cannot mix SIP TLS transport trunks with SIP non-TLS transport trunk types on the same port.
Tip If the incoming packet rate on a SIP trunk UDP port from a single IP address exceeds the configured SIP Trunk UDP Port Throttle Threshold during normal traffic, reconfigure the threshold. When a SIP trunk and SIP station share the same incoming UDP port, Cisco Unified Communications Manager throttles packets based on the higher of the two service parameter values. You must restart the Cisco CallManager service for changes to this parameter to take effect.

Enable Application Level Authorization

Application-level authorization applies to applications that are connected through the SIP trunk.

If you check this check box, you must also check the Enable Digest Authentication check box and configure digest authentication for the trunk. Cisco Unified Communications Manager authenticates a SIP application user before checking the allowed application methods.

When application level authorization is enabled, trunk-level authorization occurs first, and application-level authorization then occurs, meaning Cisco Unified Communications Manager checks the methods that are authorized for the trunk (in this security profile) before the methods that are authorized for the SIP application user in the Application User Configuration window.

Tip Consider using application-level authorization if you do not trust the identity of the application or if the application is not trusted on a particular trunk; that is, application requests may come from a different trunk than you expect.

For information on configuring digest authentication for the trunk, see the Configuring Digest Authentication for the SIP Trunk, page 16-1. For more information about authorization, refer to Authorization, page 1-21, and Interactions, page 1-7. For more information about configuring application level authorization at the Application User Configuration window, see the Cisco Unified Communications Manager Administration Guide.

Accept Presence Subscription

If you want Cisco Unified Communications Manager to accept presence subscription requests that come via the SIP trunk, check this check box.

If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Presence Subscription check box for any application users that are authorized for this feature.

When application-level authorization is enabled, if you check the Accept Presence Subscription check box for the application user but not for the trunk, a 403 error message gets sent to the SIP user agent that is connected to the trunk.

Accept Out-of-Dialog Refer

If you want Cisco Unified Communications Manager to accept incoming non-INVITE, Out-of-Dialog REFER requests that come via the SIP trunk, check this check box.

If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Out-of-Dialog Refer check box for any application users that are authorized for this method.

Accept Unsolicited Notification

If you want Cisco Unified Communications Manager to accept incoming non-INVITE, unsolicited notification messages that come via the SIP trunk, check this check box.

If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Unsolicited Notification check box for any application users that are authorized for this method.

Accept Header Replacement

If you want Cisco Unified Communications Manager to accept new SIP dialogs, which have replaced existing SIP dialogs, check this check box.

If you checked the Enable Application Level Authorization check box, go to the Application User Configuration window and check the Accept Header Replacement check box for any application users that are authorized for this method.


Applying a SIP Trunk Security Profile

You apply a SIP trunk security profile to the trunk in the Trunk Configuration window. To apply a security profile to a device, perform the following procedure:

Procedure


Step 1 Find the trunk, as described in the Cisco Unified Communications Manager Administration Guide.

Step 2 After the Trunk Configuration window displays, locate the SIP Trunk Security Profile setting.

Step 3 From the security profile drop-down list box, choose the security profile that applies to the device.

Step 4 Click Save.

Step 5 To reset the trunk, click Reset.


Next Steps

If you applied a profile enabling digest authentication for SIP trunks, you must configure the digest credentials in the SIP Realm window for the trunk. See "Configuring a SIP Realm" section on page 16-4.

If you applied a profile enabling application-level authorization, you must configure the digest credentials and allowed authorization methods in the Application User window, if you have not already done so.

Additional Information

See the "Related Topics" section.

Deleting a SIP Trunk Security Profile

This section describes how to delete a SIP trunk security profile from the Cisco Unified Communications Manager database.

Before You Begin

Before you can delete a security profile from Cisco Unified Communications Manager Administration, you must apply a different profile to the devices or delete all devices that use the profile. To find out which devices use the profile, choose Dependency Records from the Related Links drop-down list box in the SIP Trunk Security Profile Configuration window and click Go.

If the dependency records feature is not enabled for the system, the dependency records summary window displays a message that shows the action that you can take to enable the dependency records; the message also displays information about high CPU consumption that is related to the dependency records feature. For more information about dependency records, refer to the Cisco Unified Communications Manager System Guide.

Procedure


Step 1 Find the security profile by using the procedure in the "Finding a SIP Trunk Security Profile" section.

Step 2 Perform one of the following tasks:

To delete multiple security profiles, perform one of these tasks in the Find and List window:

Check the check boxes next to the security profiles that you want to delete; then, click Delete Selected.

You can delete all configurable records for this selection by clicking Select All and then clicking Delete Selected.

To delete a single security profile, perform one of these tasks in the Find and List window:

Check the check box next to the security profile that you want to delete; then, click Delete Selected.

Click the Name link for the security profile. After the specific Security Profile Configuration window displays, click Delete Selected.

Step 3 When prompted to confirm the delete operation, click OK to delete or Cancel to cancel the delete operation.


Additional Information

See the "Related Topics" section.

Where to Find More Information

Related Topics

SIP Trunk Security Profile Overview

Configuration Tips for SIP Trunk Security Profile

Finding a SIP Trunk Security Profile

Configuring the SIP Trunk Security Profile

SIP Trunk Security Profile Configuration Settings

Applying a SIP Trunk Security Profile

Deleting a SIP Trunk Security Profile

Authorization, page 1-21

Interactions, page 1-7

Digest Authentication, page 1-19

Related Cisco Documentation

Cisco Unified Communications Manager Administration Guide

Cisco Unified Communications Manager System Guide