Integration Guide for Configuring Cisco Unified Presence Release 8.6 for Interdomain Federation
Configuring the TLS Proxy on Cisco Adaptive Security Appliance

Table Of Contents

Configuring the TLS Proxy on Cisco Adaptive Security Appliance

TLS Proxy

Access List Configuration Requirements

Configuring the TLS Proxy Instances

Associating an Access List with a TLS Proxy Instance Using Class Maps

Enabling the TLS Proxy

Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment



June 18, 2013

Note For up to date release information on configuring the TLS proxy, please refer to the Cisco Adaptive Security Appliance Configuration Guide at the following URL: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_configure.html



Note Only Cisco Unified Presence Release 8.5(2) or later supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or later, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.


TLS Proxy

Cisco Adaptive Security Appliance acts as a TLS proxy between Cisco Unified Presence and the foreign server. This allows Cisco Adaptive Security Appliance to proxy TLS messages on behalf of the server (that initiates the TLS connection) and route the TLS messages from the proxy to the client. The TLS proxy decrypts, inspects, and modifies the TLS messages as required on the incoming leg, and then re-encrypts the traffic on the return leg.


Note Before configuring the TLS proxy, you must configure the Cisco Adaptive Security Appliance security certificates between Cisco Adaptive Security Appliance and Cisco Unified Presence, and Cisco Adaptive Security Appliance and the foreign server. Complete the procedures in the following sections to accomplish this:

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA


Related Topics

Common Cisco Adaptive Security Appliance Problems and Recommended Actions.

Access List Configuration Requirements

This section lists the access list configuration requirements for a single Cisco Unified Presence deployment.


Note For each access list, you must configure a corresponding class-map, and configure an entry in the policy-map global policy.

You can check the peer auth listener port on Cisco Unified Presence by selecting Cisco Unified Presence Administration > System > Application Listeners.


Deployment Scenario:

A Cisco Unified Presence server federating with one or more foreign domains

Configuration Requirement:

Configure the following two access lists for each foreign domain that Cisco Unified Presence federates with:

Configure an access list to allow Cisco Unified Presence to send messages to the foreign domain on port 5061.

Configure an access list to allow Cisco Unified Presence to receive messages from the foreign domain on port 5061, or if you use Cisco Adaptive Security Appliance Release 8.3, the actual port that Cisco Unified Presence listens on for SIP federation (check the peer auth listener port on Cisco Unified Presence).

Configuration Example:

access-list ent_cup_to_foreign_server extended permit tcp host <routing cup private address> host <foreign public address> eq 5061

Cisco Adaptive Security Appliance Release 8.2:

access-list ent_foreign_server_to_cup extended permit tcp host <foreign public address> host <CUP public address> eq 5061

Cisco Adaptive Security Appliance Release 8.3:

access-list ent_foreign_server_to_cup extended permit tcp host <foreign public address> host <CUP private address> eq 5061

Note In the access list above 5061 is the port that Cisco Unified Presence listens on for SIP messaging. If Cisco Unified Presence listens on port 5062, specify 5062 in the access list.


Deployment Scenario:

Intercluster deployment

(This also applies to a multi-node deployment)

Configuration Requirement:

Configure the following two access lists for each intercluster Cisco Unified Presence server.

Configure an access list to allow Cisco Unified Presence to send messages to the foreign domain on port 5061.

Configure an access list to allow Cisco Unified Presence to receive messages from the foreign domain on the arbitrary port 5061, or if you use Cisco Adaptive Security Appliance Release 8.3, the actual port that Cisco Unified Presence listens on for SIP federation (check the peer auth listener port on Cisco Unified Presence).

Configuration Example:

access-list ent_intercluster_cup_to_foreign_server extended permit tcp host <intercluster cup private address> host <foreign public address> eq 5061

Cisco Adaptive Security Appliance Release 8.2:

access-list ent_foreign_server_to_intercluster_cup extended permit tcp host <foreign public address> host <cup public address> eq <arbitrary port>

Cisco Adaptive Security Appliance Release 8.3:

access-list ent_foreign_server_to_intercluster_cup extended permit tcp host <foreign public address> host <cup private address> eq 5061

Note In the access list above 5061 is the port that Cisco Unified Presence listens on for SIP messaging. If Cisco Unified Presence listens on port 5062, specify 5062 in the access list.
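The following Python script is an added example, not part of the Cisco guide or of the Cisco Adaptive Security Appliance: it writes the access-list pairs described above for one or more Cisco Unified Presence nodes and foreign domains, choosing the inbound destination address and port by ASA release as the examples do (before 8.3: the CUP public address on 5061; 8.3 and later: the CUP private address on the node's actual peer auth listener port). The CupNode class, the function names and the sample addresses are constructed for this example, and it uses 5061 for the pre-8.3 inbound entry where the intercluster example above leaves the port arbitrary.

```python
from dataclasses import dataclass

@dataclass
class CupNode:
    name: str            # short tag used in the access-list names
    private_ip: str      # routing (inside) address of the Cisco Unified Presence node
    public_ip: str       # address the foreign domain sees after NAT
    listener_port: int   # peer auth listener port (System > Application Listeners)

def release_at_least(release, major, minor):
    """True if an ASA release string such as "8.3(1)" is at least major.minor."""
    first, second = release.split("(")[0].split(".")[:2]
    return (int(first), int(second)) >= (major, minor)

def federation_access_lists(nodes, foreign_domains, asa_release):
    """Return the outbound and inbound access-list lines for every
    (Cisco Unified Presence node, foreign domain) pair.

    foreign_domains is a list of (label, public_ip) tuples; the label only
    names the access list."""
    new_nat_model = release_at_least(asa_release, 8, 3)
    lines = []
    for node in nodes:
        for label, foreign_ip in foreign_domains:
            # Outbound: the node's routing address to the foreign edge on 5061.
            lines.append(f"access-list ent_{node.name}_to_{label} extended permit tcp "
                         f"host {node.private_ip} host {foreign_ip} eq 5061")
            # Inbound: 8.2 matches the pre-NAT public address on 5061; 8.3 and later
            # match the real (private) address and the port the node really listens on.
            if new_nat_model:
                dst, port = node.private_ip, node.listener_port
            else:
                dst, port = node.public_ip, 5061
            lines.append(f"access-list ent_{label}_to_{node.name} extended permit tcp "
                         f"host {foreign_ip} host {dst} eq {port}")
    return lines

# Constructed sample values (RFC 5737 documentation ranges and private addresses).
NODES = [CupNode("cup", "10.10.10.5", "203.0.113.5", 5062),
         CupNode("cup2", "10.10.10.6", "203.0.113.6", 5062)]
FOREIGN = [("lync", "192.0.2.10")]

if __name__ == "__main__":
    for rel in ("8.2(5)", "8.3(1)"):
        print(f"! ASA {rel}")
        print("\n".join(federation_access_lists(NODES, FOREIGN, rel)))
```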

Related Topics

Sample Cisco Adaptive Security Appliance Configuration

Configuring the TLS Proxy Instances

Associating an Access List with a TLS Proxy Instance Using Class Maps

Enabling the TLS Proxy

Configuring the TLS Proxy Instances

For this integration, you need to create two TLS proxy instances. The first TLS proxy handles the TLS connections initiated by Cisco Unified Presence, where Cisco Unified Presence is the client and the foreign domain is the server. In this case, the Cisco Adaptive Security Appliance acts as the TLS server facing the "client" which is Cisco Unified Presence. The second TLS Proxy handles the TLS connections initiated by the foreign domain, where the foreign domain is the client and Cisco Unified Presence is the server.

The TLS proxy instance defines "trustpoints" for both the server and the client. The direction from which the TLS handshake is initiated determines the trustpoint defined in the server and client commands:

If the TLS handshake initiates from Cisco Unified Presence to the foreign domain, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate. The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate that is used in the TLS handshake between Cisco Adaptive Security Appliance and the foreign domain.

If the handshake initiates from the foreign domain to Cisco Unified Presence, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate the TLS handshake uses between Cisco Adaptive Security Appliance and the foreign domain. The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate.

Before You Begin

Complete the steps in Access List Configuration Requirements.

Procedure


Step 1 Enter config mode:

>Enable
>password
>config t

Step 2 Create a TLS proxy instance for TLS connections initiated by Cisco Unified Presence. This example creates a TLS proxy instance called ent_cup_to_foreign:

tls-proxy ent_cup_to_foreign
server trust-point cup_proxy
client trust-point <trustpoint_name>
client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Step 3 Create a TLS proxy instance for TLS connections initiated by a foreign domain. This example creates a TLS proxy instance called ent_foreign_to_cup:

tls-proxy ent_foreign_to_cup
server trust-point <trustpoint_name>
client trust-point cup_proxy
client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

What To Do Next

Associating an Access List with a TLS Proxy Instance Using Class Maps

Associating an Access List with a TLS Proxy Instance Using Class Maps

Using the class map command, you need to associate a TLS proxy instance with each of the foreign domain access lists you defined previously.

Before You Begin

Complete the steps in Configuring the TLS Proxy Instances

Procedure


Step 1 Enter config mode:

>Enable
>password
>config t

Step 2 Associate each of your access lists with the TLS proxy instance that the class map uses. The TLS proxy you select depends on whether the class-map is for messages from Cisco Unified Presence to a foreign domain, or from a foreign domain to Cisco Unified Presence.

In the example below, the access list for messages sent from Cisco Unified Presence to a foreign domain is associated with the TLS proxy instance for TLS connections initiated by Cisco Unified Presence called "ent_cup_to_foreign":

class-map ent_cup_to_foreign
match access-list ent_cup_to_foreign

In the example below, the access list for messages sent from a foreign domain to Cisco Unified Presence is associated with the TLS proxy instance for TLS connections initiated by the foreign server called "ent_foreign_to_cup":

class-map ent_foreign_to_cup
match access-list ent_foreign_to_cup

Step 3 If you have an intercluster Cisco Unified Presence deployment, configure a class map for each Cisco Unified Presence server, and associate it with the appropriate access-list for that server that you defined previously, for example:

class-map ent_second_cup_to_foreign
match access-list ent_second_cup_to_foreign
class-map ent_foreign_to_second_cup
match access-list ent_foreign_to_second_cup

What To Do Next

Enabling the TLS Proxy

Enabling the TLS Proxy

Using the policy map command, you need to enable the TLS proxy for each class map you created in the previous section.


Note You cannot use a High security sip-inspect policy map on Cisco Adaptive Security Appliance for a federated deployment because the configuration will fail. You must use a Low/Medium security policy map.


Before You Begin

Complete the steps in Associating an Access List with a TLS Proxy Instance Using Class Maps

Procedure


Step 1 Enter config mode:

>Enable
>password
>config t

Step 2 Define the sip-inspect policy map, for example:

policy-map type inspect sip sip_inspect
 parameters
  ! SIP inspection parameters

Step 3 Define the global policy map, with one class entry per class map you created, for example:

policy-map global_policy
class ent_cup_to_foreign
inspect sip sip_inspect tls-proxy ent_cup_to_foreign
class ent_foreign_to_cup
inspect sip sip_inspect tls-proxy ent_foreign_to_cup
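As an added check (not from the guide or from Cisco), the following Python function reads an ASA configuration excerpt and confirms the chain that the preceding sections build: every federation access list is matched by a class-map, every class-map has an inspect sip entry in policy-map global_policy, and that entry names a tls-proxy that is actually defined. The sample configuration, its addresses and the function name are constructed for this example, and the parser understands only the command forms shown in this chapter.

```python
# Constructed sample ASA config, not from the guide: the second node's inbound access
# list has no class-map, and one global_policy entry names a misspelled tls-proxy.
SAMPLE_CONFIG = """\
access-list ent_cup_to_foreign extended permit tcp host 10.10.10.5 host 192.0.2.10 eq 5061
access-list ent_foreign_to_cup extended permit tcp host 192.0.2.10 host 10.10.10.5 eq 5061
access-list ent_foreign_to_second_cup extended permit tcp host 192.0.2.10 host 10.10.10.6 eq 5061
tls-proxy ent_cup_to_foreign
tls-proxy ent_foreign_to_cup
class-map ent_cup_to_foreign
 match access-list ent_cup_to_foreign
class-map ent_foreign_to_cup
 match access-list ent_foreign_to_cup
policy-map type inspect sip sip_inspect
policy-map global_policy
 class ent_cup_to_foreign
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_foreign_to_cup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup_typo
"""

def check_federation_policy(config):
    # Returns findings; empty means every access list reaches a global_policy entry via a class-map.
    acls, proxies, class_to_acl, class_to_proxy = set(), set(), {}, {}
    block = name = None
    for line in config.splitlines():
        w = line.split()
        if not w: continue
        if not line[0].isspace():          # unindented command opens a new block
            block = "global" if w[:2] == ["policy-map", "global_policy"] else w[0]
            name = w[1] if len(w) > 1 else None
            if block == "access-list":
                acls.add(name)
            elif block == "tls-proxy":
                proxies.add(name)
        elif block == "class-map" and w[:2] == ["match", "access-list"]:
            class_to_acl[name] = w[2]
        elif block == "global" and w[0] == "class":
            name = w[1]
        elif block == "global" and w[:2] == ["inspect", "sip"]:
            class_to_proxy[name] = w[4] if w[3:4] == ["tls-proxy"] and len(w) > 4 else None
    findings = [f"access-list {a} has no class-map" for a in sorted(acls - set(class_to_acl.values()))]
    for cm in class_to_acl:
        if cm not in class_to_proxy:
            findings.append(f"class-map {cm} has no inspect sip entry in global_policy")
        elif class_to_proxy[cm] is None:
            findings.append(f"class {cm}: inspect sip without tls-proxy, TLS is neither decrypted nor inspected")
        elif class_to_proxy[cm] not in proxies:
            findings.append(f"class {cm}: tls-proxy {class_to_proxy[cm]} is not defined")
    return findings
```

Run it against the output of show running-config after completing the three procedures; an empty result means each access list is wired through to a TLS proxy, which is the condition the Note in Access List Configuration Requirements states.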

Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment

For an intercluster Cisco Unified Presence deployment, you must perform the following configuration on the Cisco Adaptive Security Appliance for each additional Cisco Unified Presence server.

Procedure


Step 1 Create an additional access list for the Cisco Unified Presence server.

Step 2 Generate and import the Cisco Adaptive Security Appliance security certificate onto the Cisco Unified Presence server.

Step 3 Generate and import the Cisco Unified Presence security certificate onto Cisco Adaptive Security Appliance.

Step 4 Configure a class map for each foreign domain.

Step 5 Include the class maps in the global policy map.


Related Topics

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance

Associating an Access List with a TLS Proxy Instance Using Class Maps

Enabling the TLS Proxy

About Intercluster and Multi-node Deployments