Cisco Unified Communications Manager Security Guide, Release 9.1(1)
Secure and nonsecure indication tone setup
Downloads: This chapterpdf (PDF - 303.0KB) The complete bookPDF (PDF - 3.54MB) | Feedback

Secure and nonsecure indication tone setup

Secure and nonsecure indication tone setup

This chapter provides information about secure and nonsecure indication tone setup. The system plays secure and nonsecure indication tones on a protected phone to indicate whether a call is encrypted.

Secure and nonsecure indication tones

The secure indication tone plays on a protected phone when the overall status of the call specifies protected; that is, when the system determines that the call is encrypted. The tone denotes that the call is protected and that confidential information may be exchanged. The tone comprises three long beeps. If the overall status of the call specifies protected, the tone begins to play on a protected phone as soon as the called party answers.

When the overall status of the call is not protected, the system plays nonsecure indication tone, which comprises six short beeps, on a protected phone.


Note


Only callers on protected phones can hear secure and nonsecure indication tones. Callers on phones that are not protected never hear these tones.


Protected devices

Configuration designates a protected device in Cisco Unified Communications Manager. You can configure only supported Cisco Unified IP Phones and MGCP E1 PRI gateways as protected devices in Cisco Unified Communications Manager.

Cisco Unified Communications Manager can also direct an MGCP IOS gateway to play secure and nonsecure indication tones when the system determines the protected status of a call.

You can make the following types of calls that can use the secure and nonsecure indication tones:

  • Intracluster IP-to-IP calls
  • Intercluster calls that the system determines are protected
  • IP-to-Time-Division-Multiplexing (TDM) calls through a protected MGCP E1 PRI gateway

Supported devices

You can use Cisco Unified Reporting to determine which Cisco Unified IP Phone models support secure and nonsecure indication tones. From Cisco Unified Reporting, click Unified CM Phone Feature List. For the Feature pull-down menu, choose Secure Tone. The system displays a list of products that support the feature.

For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Secure and nonsecure indication tones important information

This section provides information that pertains to the impact of using the secure indication tone feature:

  • Facts about protected devices
    • You can configure phones that are running SCCP or SIP as protected devices.
    • Protected devices can call nonprotected devices that are either encrypted or nonencrypted. In such cases, the call specifies nonprotected and the nonsecure indication tone will play.
    • When a protected phone calls another protected phone, but the media is not encrypted, the call does not drop. In this case, the system plays nonsecure indication tone to the phones on the call.
  • For video calls, the system plays secure and nonsecure indication tones on protected devices.

    Note


    For video calls, the user may first hear secure indication tone for the audio portion of the call and then nonsecure indication tone for overall nonsecure media.


  • A lock icon that displays on a Cisco Unified IP Phone indicates that the media is encrypted, but does not necessarily mean that the phone has been configured as a protected device. However, the lock icon must be present for a protected call to occur.
  • The following services and features are impacted:
    • Multiline supplementary services (such as call transfer, conference, and call waiting) are supported on protected phones. When the user invokes a supplementary service on a protected phone, the system plays secure or nonsecure indication tone to reflect the updated status of the call.
    • Cisco Extension Mobility and Join Across Line services are disabled on protected phones.
    • Shared-line configuration is not available on protected phones.
    • Hold/Resume and Call Forward All are supported for protected calls.
  • Facts about MGCP E1 PRI gateways
    • You must configure the MGCP gateway for SRTP encryption. Configure the gateway with this command: mgcp package-capability srtp-package.
    • The MGCP gateway must specify an Advanced IP Services or Advanced Enterprise Services image (for example, c3745-adventerprisek9-mz.124-6.T.bin).
    • Protected status gets exchanged with the MGCP E1 PRI gateway by using proprietary FacilityIE in the MGCP PRI Setup, Alert, and Connect messages.
    • Cisco Unified Communications Manager plays the secure indication tone only to the Cisco Unified IP Phone. A PBX in the network plays the tone to the gateway end of the call.
    • If the media between the Cisco Unified IP Phone and the MGCP E1 PRI gateway is not encrypted, the call drops.

      Note


      For more information about encryption for MGCP gateways, refer to Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways for the version of Cisco IOS software that you are using.


Secure tone setup requirements

You must configure the following items for the secure tone to play:

  • In the Phone Configuration window, which you can navigate to by choosing Device > Phone in Cisco Unified Communications Manager Administration, configure the following items:
    • From the Softkey Template drop-down list in the Device Information portion of the window, choose Standard Protected Phone.

      Note


      You must use a new softkey template without supplementary service softkeys for a protected phone.


    • For the Join Across Lines option (also in the Device Information portion of the window), choose Off.
    • Check the Protected Device check box (also in the Device Information portion of the window).
    • From the Device Security Profile drop-down list (in the Protocol Specific Information portion of the window), choose a secure phone profile that is already configured in the Phone Security Profile Configuration window (System > Security Profile > Phone Security Profile).
  • Go to the Directory Number Configuration window that displays when you add a directory number from the Phone Configuration window. In the Multiple Call/Call Waiting Settings on Device DeviceName area of the Directory Number Configuration window, set the following options to a value of 1:
    • Maximum Number of Calls
    • Busy Trigger
  • In Cisco Unified Communications Manager Administration, choose System > Service Parameters. In the first Service Parameter Configuration window, choose your server and choose the Cisco CallManager service. In the second Service Parameter Configuration window, locate the Clusterwide Parameters (Feature - Secure Tone) area, and set the Play Secure Indication Tone option to True. (The default value specifies False.)
  • If you are configuring a protected MGCP E1 PRI gateway, choose Device > Gateway > Add New in Cisco Unified Communications Manager Administration and choose a supported gateway. Choose MCGP as the protocol. When the Gateway Configuration window displays, specify the following configuration choices:
    • Set Global ISDN Switch Type to Euro.
    • After you complete the rest of the MGCP Gateway configuration, click Save; then, click the endpoint icon that appears to the right of subunit 0 in the window. The Enable Protected Facility IE check box displays. Check this check box. This configuration allows the system to pass protected status of the call between Cisco Unified IP Phone endpoints and the protected PBX phones that connect to the MGCP gateway.