Cisco Unified Communications Manager Security Guide, Release 8.5(1)
Configuring Secure and Nonsecure Indication Tone
Downloads: This chapterpdf (PDF - 359.0KB) The complete bookPDF (PDF - 6.01MB) | Feedback

Configuring Secure and Nonsecure Indication Tones

Table Of Contents

Configuring Secure and Nonsecure Indication Tones

Overview

Protected Devices

Supported Devices

Important Information About Secure and Nonsecure Indication Tones

Configuration Requirements


Configuring Secure and Nonsecure Indication Tones


The system plays secure and nonsecure indication tones on a protected phone to indicate whether a call is encrypted.

This chapter contains information on the following topics:

Overview

Supported Devices

Important Information About Secure and Nonsecure Indication Tones

Configuration Requirements

Overview

The secure indication tone plays on a protected phone when the overall status of the call specifies protected; that is, when the system determines that the call is encrypted. The tone denotes that the call is protected and that confidential information may be exchanged. The tone comprises three long beeps. If the overall status of the call specifies protected, the tone begins to play on a protected phone as soon as the called party answers.

When the overall status of the call is not protected, the system plays nonsecure indication tone, which comprises six short beeps, on a protected phone.


Note Only callers on protected phones can hear secure and nonsecure indication tones. Callers on phones that are not protected never hear these tones.


Protected Devices

Configuration designates a protected device in Cisco Unified Communications Manager. You can configure only supported Cisco Unified IP Phones and MGCP E1 PRI gateways as protected devices in Cisco Unified Communications Manager.

Cisco Unified Communications Manager can also direct an MGCP IOS gateway to play secure and nonsecure indication tones when the system determines the protected status of a call.

You can make the following types of calls that can use the secure and nonsecure indication tones:

Intracluster IP-to-IP calls

Intercluster calls that the system determines are protected

IP-to-Time-Division-Multiplexing (TDM) calls through a protected MGCP E1 PRI gateway

To determine which Cisco Unified IP Phone models can be configured as protected devices, see the "Supported Devices" section.

Supported Devices

You can use Cisco Unified Reporting to determine which Cisco Unified IP Phone models support secure and nonsecure indication tones. From Cisco Unified Reporting, click Unified CM Phone Feature List. For the Feature pull-down menu, choose Secure Tone. The system displays a list of products that support the feature.

For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Important Information About Secure and Nonsecure Indication Tones

This section provides information that pertains to the impact of using the secure indication tone feature:

Facts about protected devices

You can configure phones that are running SCCP or SIP as protected devices.

Protected devices can call nonprotected devices that are either encrypted or nonencrypted. In such cases, the call specifies nonprotected and the nonsecure indication tone will play.

When a protected phone calls another protected phone, but the media is not encrypted, the call does not drop. In this case, the system plays nonsecure indication tone to the phones on the call.

For video calls, the system plays secure and nonsecure indication tones on protected devices.


Note For video calls, the user may first hear secure indication tone for the audio portion of the call and then nonsecure indication tone for overall nonsecure media.


A lock icon that displays on a Cisco Unified IP Phone indicates that the media is encrypted, but does not necessarily mean that the phone has been configured as a protected device. However, the lock icon must be present for a protected call to occur.

The following services and features are impacted:

Multiline supplementary services (such as call transfer, conference, and call waiting) are supported on protected phones. When the user invokes a supplementary service on a protected phone, the system plays secure or nonsecure indication tone to reflect the updated status of the call.

Cisco Extension Mobility and Join Across Line services are disabled on protected phones.

Shared-line configuration is not available on protected phones.

Hold/Resume and Call Forward All are supported for protected calls.

Facts about MGCP E1 PRI gateways

You must configure the MGCP gateway for SRTP encryption. Configure the gateway with this command: mgcp package-capability srtp-package.

The MGCP gateway must specify an Advanced IP Services or Advanced Enterprise Services image (for example, c3745-adventerprisek9-mz.124-6.T.bin).

Protected status gets exchanged with the MGCP E1 PRI gateway by using proprietary FacilityIE in the MGCP PRI Setup, Alert, and Connect messages.

Cisco Unified Communications Manager plays the secure indication tone only to the Cisco Unified IP Phone. A PBX in the network plays the tone to the gateway end of the call.

If the media between the Cisco Unified IP Phone and the MGCP E1 PRI gateway is not encrypted, the call drops.


Note For more information about encryption for MGCP gateways, refer to Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways for the version of Cisco IOS software that you are using.


Configuration Requirements

You must configure the following items for the secure tone to play:

In the Phone Configuration window, which you can navigate to by choosing Device > Phone in Cisco Unified Communications Manager Administration, configure the following items:

From the Softkey Template drop-down list in the Device Information portion of the window, choose Standard Protected Phone.


Note You must use a new softkey template without supplementary service softkeys for a protected phone.


For the Join Across Lines option (also in the Device Information portion of the window), choose Off.

Check the Protected Device check box (also in the Device Information portion of the window).

From the Device Security Profile drop-down list (in the Protocol Specific Information portion of the window), choose a secure phone profile that is already configured in the Phone Security Profile Configuration window (System > Security Profile > Phone Security Profile).

Go to the Directory Number Configuration window that displays when you add a directory number from the Phone Configuration window. In the Multiple Call/Call Waiting Settings on Device DeviceName area of the Directory Number Configuration window, set the following options to a value of 1:

Maximum Number of Calls

Busy Trigger

In Cisco Unified Communications Manager Administration, choose System > Service Parameters. In the first Service Parameter Configuration window, choose your server and choose the Cisco CallManager service. In the second Service Parameter Configuration window, locate the Clusterwide Parameters (Feature - Secure Tone) area, and set the Play Secure Indication Tone option to True. (The default value specifies False.)

If you are configuring a protected MGCP E1 PRI gateway, choose Device > Gateway > Add New in Cisco Unified Communications Manager Administration and choose a supported gateway. Choose MCGP as the protocol. When the Gateway Configuration window displays, specify the following configuration choices:

Set Global ISDN Switch Type to Euro.

After you complete the rest of the MGCP Gateway configuration, click Save; then, click the endpoint icon that appears to the right of subunit 0 in the window. The Enable Protected Facility IE check box displays. Check this check box.

This configuration allows the system to pass protected status of the call between Cisco Unified IP Phone endpoints and the protected PBX phones that connect to the MGCP gateway.