Cisco Unified Communications Manager Security Guide, Release 9.1(1)
VPN gateway setup

This chapter provides information about VPN gateway setup. To configure a VPN gateway, you must first upload the VPN concentrator certificates and then configure the VPN gateway.


Note   The VPN menu and its options are not available in the U.S. export unrestricted version of Cisco Unified Communications Manager.


Upload VPN concentrator certificates

Cisco recommends that you generate a certificate on the ASA when you set it up to support the VPN feature. Download the generated certificate to your PC or workstation and then upload it to Cisco Unified Communications Manager using the procedure in this section. Cisco Unified Communications Manager saves the certificate in the Phone-VPN-trust list.

The ASA will send this certificate during the SSL handshake and the Cisco Unified IP Phone compares it against the values stored in the Phone-VPN-trust list.

The Cisco Unified IP Phone sends its Manufacturer Installed Certificate (MIC) by default, or if you configure the CAPF service, the Cisco Unified IP Phone sends its Locally Significant Certificate (LSC).

If you want to use device-level certificate authentication, you need to install the root MIC or CAPF certificate in the ASA so that the Cisco Unified IP Phones are trusted.

You upload certificates to Cisco Unified Communications Manager using the Cisco Unified Communications Operating System. Follow this procedure to upload VPN concentrator certificates:

Procedure
    Step 1   From Cisco Unified Communications Operating System Administration, choose Security > Certificate Management.

    The Certificate List window displays.

    Step 2   Click Upload Certificate.

    The Upload Certificate popup window displays.

    Step 3   From the Certificate Name pull-down menu, choose Phone-VPN-trust.
    Step 4   Click Browse to choose the file you want to upload.
    Step 5   Click Upload File.
    Step 6   Choose another file to upload or click Close.

    For more information about certificate management, see Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.


    VPN gateway setup

    Find VPN gateway

    To find a VPN gateway, perform the following procedure:

    Procedure
      Step 1   In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Gateway.

      The Find and List VPN Gateways window displays. Records from an active (prior) query may also display in the window.

      Step 2   To find all records in the database, ensure the dialog box is empty; go to Step 3.

      To filter or search records

      1. From the first drop-down list box, choose a search parameter.
      2. From the second drop-down list box, choose a search pattern.
      3. Specify the appropriate search text, if applicable.
        Note   To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.

      Step 3   Click Find.

      All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

      Step 4   From the list of records that display, click the link for the record that you want to view.
      Note   To reverse the sort order, click the up or down arrow, if available, in the list header.

      The window displays the item that you choose.


      Set up VPN gateway

      To add, update, or copy a VPN Gateway, perform the following procedure:

      Procedure
        Step 1   In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Gateway.
        Step 2   Perform one of the following tasks:
        1. To add a new profile, click Add New in the Find window and continue with VPN gateway setup.
        2. To copy an existing VPN gateway, locate the appropriate profile, click the Copy button next to the VPN gateway that you want to copy, and continue with VPN gateway setup.
        3. To update an existing profile, locate the appropriate VPN gateway and continue with VPN gateway setup.

          When you click Add New, the configuration window displays with the default settings for each field. When you click Copy, the configuration window displays with the copied settings.

        Step 3   Enter the appropriate settings.

        See Table 1 for field descriptions.

        Step 4   Click Save.

        Related Tasks

        VPN gateway settings

        The following table provides field descriptions for VPN gateway configuration settings.

        Table 1 VPN Gateway Configuration Settings

        Field
            Description

        VPN Gateway Name
            Enter the name of the VPN gateway.

        VPN Gateway Description
            Enter a description of the VPN gateway.

        VPN Gateway URL
            Enter the URL for the main VPN concentrator in the gateway.

            Note   You must configure the VPN concentrator with a group-URL and use this URL as the gateway URL.

            For configuration information, refer to the documentation for the VPN concentrator, such as the following:

            • SSL VPN Client (SVC) on ASA with ASDM Configuration Example

        VPN Certificates in this Gateway
            Use the up and down arrow keys to assign certificates to the gateway. If you do not assign a certificate for the gateway, the VPN client will fail to connect to that concentrator.

            Note   You can assign up to 10 certificates to a VPN Gateway, and you must assign at least one certificate to each gateway. Only certificates that are associated with the Phone-VPN-trust role display in the available VPN certificates list.
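
The following Python sketch is an added example, not Cisco code. It checks a planned gateway entry against the rules described in "Upload VPN concentrator certificates" and in Table 1: between 1 and 10 certificates are assigned, and the certificate the concentrator presents in the SSL handshake is one of them. It assumes that a match means an identical SHA-256 fingerprint and that the gateway URL uses https; the host name, function names and sample certificates are constructed for illustration.

```python
import hashlib
import ssl
from urllib.parse import urlparse

MAX_GATEWAY_CERTS = 10  # Table 1: at least 1, at most 10 certificates per gateway


def fingerprint(pem):
    """SHA-256 hex digest over the DER bytes of one PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def fetch_presented_cert(gateway_url):
    """Fetch the PEM certificate the concentrator sends in the SSL handshake.
    No chain validation is done here; the result is only compared by fingerprint."""
    u = urlparse(gateway_url)
    return ssl.get_server_certificate((u.hostname, u.port or 443))


def preflight(gateway_url, assigned_pems, presented_pem):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    u = urlparse(gateway_url)
    if u.scheme != "https" or not u.hostname:  # assumption: SSL VPN URL is https
        problems.append("gateway URL is not an https URL with a host")
    if not 1 <= len(assigned_pems) <= MAX_GATEWAY_CERTS:
        problems.append("%d certificates assigned; must be 1 to %d"
                        % (len(assigned_pems), MAX_GATEWAY_CERTS))
    # Assumption: a match means identical certificate bytes (same fingerprint).
    trusted = {fingerprint(p) for p in assigned_pems}
    if fingerprint(presented_pem) not in trusted:
        problems.append("presented certificate matches none of the assigned certificates")
    return problems


# Constructed stand-ins: placeholder bytes in PEM framing, not real certificates.
ASA_CERT = ssl.DER_cert_to_PEM_cert(b"constructed ASA identity certificate")
OLD_CERT = ssl.DER_cert_to_PEM_cert(b"constructed certificate from before a re-key")
GATEWAY_URL = "https://asa.example.com/phonevpn"  # hypothetical group-URL

if __name__ == "__main__":
    print(preflight(GATEWAY_URL, [ASA_CERT], ASA_CERT))  # consistent entry
    print(preflight(GATEWAY_URL, [OLD_CERT], ASA_CERT))  # stale trust entry
    # Against a live concentrator (needs network access):
    # print(preflight(GATEWAY_URL, [open("asa.pem").read()],
    #                 fetch_presented_cert(GATEWAY_URL)))
```

A stale entry, such as a certificate left in Phone-VPN-trust after the ASA certificate was regenerated, shows up as the "matches none" problem before any phone attempts to connect.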