Security Guide for Cisco Unity Release 5.x (With Microsoft Exchange)
Using SSL to Secure Client/Server Connections

Table Of Contents

Using SSL to Secure Client/Server Connections

Determining Whether to Set Up Cisco Unity Applications to Use SSL

Manually Setting Up the System to Use SSL

Installing the Microsoft Certificate Services Component

Creating and Submitting a Certificate Request

Issuing and Installing the Certificate

Setting Up Cisco Unity Web Applications to Use SSL

Distributing the Root Certificate to the Trusted Root Store

Distributing the Root Certificate to the Trusted Root Store for All Users in the Domain

Adding the Cisco Unity Certificate to the Trusted Root Store on Subscriber Workstations

Setting Up SSL Redirection

Managing Security Alerts When Using SSL Connections with BlackBerry Servers


Using SSL to Secure Client/Server Connections


In this chapter, you will find descriptions of potential security issues related to the Secure Sockets Layer (SSL) protocol; information on any actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and in many cases, best practices.

SSL can be used as a method of providing security for transmission of Cisco Unity data across the network through the use of public/private key encryption. SSL protects the security of Cisco Unity subscriber credentials when they are passed across the network. SSL also protects the security of all data entered in Cisco Unity web applications.

You can set up SSL during a new Cisco Unity installation or upgrade, or at any time after the Cisco Unity installation or upgrade is complete. (The Cisco Unity installation guide and the Reconfiguration and Upgrade Guide for Cisco Unity contain the procedures that an installer uses to set up Cisco Unity, the Cisco Personal Communications Assistant (PCA), and the Status Monitor to use SSL during a new installation or upgrade.)

This chapter describes the manual process that an administrator uses to set up Cisco Unity to use SSL at any time after the successful completion of a Cisco Unity installation or upgrade. This chapter also includes procedures that a network administrator or subscriber uses to set up subscriber workstations to access Cisco Unity web applications by using SSL.

See the following sections for more information:

Determining Whether to Set Up Cisco Unity Applications to Use SSL

Manually Setting Up the System to Use SSL

Determining Whether to Set Up Cisco Unity Applications to Use SSL

When subscribers log on to the Cisco Personal Communications Assistant (PCA), their credentials are sent across the network to Cisco Unity in clear text. The same is true when the Cisco Unity Administrator and the Status Monitor are configured to use the Anonymous authentication method. In addition, the information that subscribers enter on the pages of the Cisco PCA and of the Cisco Unity Administrator (regardless of which authentication method it uses) is not encrypted.

For increased security, we recommend that you set up Cisco Unity to use the Secure Sockets Layer (SSL) protocol. SSL uses public/private key encryption to provide a secure connection between servers and clients, and uses digital certificates to authenticate servers or servers and clients. (A digital certificate is a file that contains encrypted data that attests to the identity of an organization or entity, such as a computer.)

Using the SSL protocol ensures that all Cisco Unity subscriber credentials—as well as the information that a subscriber enters on any page of the Cisco Unity Administrator and the Cisco PCA—are encrypted as the data is sent across the network. In addition, when you set up Cisco Unity to use SSL, each time that a subscriber tries to access any Cisco Unity web application, the browser will confirm that it is connected with the real Cisco Unity server—and not an entity falsely posing as such—before allowing the subscriber to log on.

In addition, if you plan to offer Mobile Message Access for BlackBerry to subscribers, we recommend that you set up Cisco Unity to use SSL for its communications with the BlackBerry server. By default, data—including subscriber phone passwords—is sent between the Cisco Unity server and the BlackBerry server in clear text.

To set up a web server such as Cisco Unity to use SSL, you can either obtain a digital certificate from a certificate authority (CA) or use Microsoft Certificate Services available with Windows to issue your own certificate. (A CA is a trusted organization or entity that issues and manages certificates at the request of another organization or entity.) Cost, certificate features, ease of setup and maintenance, and the security policies practiced by the organization are some of the issues to consider when determining whether you should purchase a certificate from a CA or issue your own.

Information on third-party CAs, Microsoft Certificate Services, and SSL is widely available on the Internet, as well as in the Windows and IIS online documentation. Such sources can help you determine whether to use SSL and how to set up a web server to use it.

Manually Setting Up the System to Use SSL

The following task list guides you through the process of manually setting up Cisco Unity to use SSL with Microsoft Certificate Services. Do the procedures in each section, in the order listed. If a procedure does not apply to your situation, skip it.


Note This section provides information on setting up Cisco Unity to use SSL with Microsoft Certificate Services. If you decide to set up SSL, but do not want to use Microsoft Certificate Services, refer to the third-party Certificate Authority documentation.


1. Designate a server to act as your certificate authority and install the Microsoft Certificate Services component. See the "Installing the Microsoft Certificate Services Component" section.

2. Create and submit a certificate request using Microsoft Certificate Services. See the "Creating and Submitting a Certificate Request" section.

3. Issue the certificate and install it on the Cisco Unity server. See the "Issuing and Installing the Certificate" section.

4. Set up the Cisco Unity Administrator, Status Monitor, and Cisco PCA to use SSL. Optionally, if you are planning to offer Mobile Message Access for BlackBerry to subscribers, set up Cisco Unity to use SSL when it communicates with the BlackBerry server. See the "Setting Up Cisco Unity Web Applications to Use SSL" section.

5. Set up subscriber workstations to use SSL when subscribers access the Cisco Unity Administrator, Status Monitor, and Cisco PCA. See the "Distributing the Root Certificate to the Trusted Root Store" section, and the "Setting Up SSL Redirection" section.

6. As applicable, prevent BlackBerry devices from displaying the resulting security alert. See the "Managing Security Alerts When Using SSL Connections with BlackBerry Servers" section.

Installing the Microsoft Certificate Services Component

Do the procedure in this section to install the Microsoft Certificate Services component (available with Windows) on the Cisco Unity server or on another server.

To Install the Microsoft Certificate Services Component


Step 1 On the server that will act as your certificate authority (CA) and issue certificates, on the Windows Start menu, click Settings > Control Panel > Add/Remove Programs.

Step 2 Click Add/Remove Windows Components.

Step 3 In the Windows Components dialog box, check the Certificate Services check box. Do not change any other items. When the warning appears about not being able to rename the computer, or to join or be removed from a domain, click Yes.

Step 4 Click Next.

Step 5 Click Stand-alone Root CA, and click Next. (A stand-alone CA is a CA that does not require Active Directory.)

Step 6 Follow the on-screen prompts to complete the installation. For information, refer to the Windows documentation.

If a message appears that Internet Information Services is running on the computer and must be stopped before proceeding, click OK to stop the services.

Step 7 In the Completing the Windows Components Wizard dialog box, click Finish.

Step 8 Close the Add/Remove Programs dialog box and Control Panel.


Creating and Submitting a Certificate Request

Do the two procedures in this section to create and submit a certificate request on the Cisco Unity server.

To Create a Certificate Request by Using Microsoft Certificate Services


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 Expand the name of the Cisco Unity server.

Step 3 If the Cisco Unity server is running Windows Server 2003, expand Web Sites.

Otherwise, skip to Step 4.

Step 4 Right-click Default Web Site, and click Properties.

Step 5 In the Default Web Site Properties dialog box, click the Directory Security tab.

Step 6 Under Secure Communications, click Server Certificate.

Step 7 On the Web Server Certificate wizard Welcome page, click Next.

Step 8 Click Create a New Certificate, and click Next.

Step 9 Click Prepare the Request Now, But Send It Later, and click Next.

Step 10 Enter a name and a bit length for the certificate.

We recommend that you choose a bit length of 512. Greater bit lengths may decrease performance.

Step 11 Click Next.

Step 12 Enter the organization information, and click Next.

Step 13 For the common name of the site, enter either the system name of the Cisco Unity server or the fully qualified domain name.


Caution The name must exactly match the host portion of any URL that will access the system by using a secure connection.

Step 14 Click Next.

Step 15 Enter the geographical information, and click Next.

Step 16 Specify the certificate request file name and location, and write down the file name and location because you will need the information for the next procedure.

Save the file to a disk or to a directory that the certificate authority (CA) server can access.

Step 17 Click Next.

Step 18 Verify the request file information, and click Next.

Step 19 Click Finish to exit the Web Server Certificate wizard.

Step 20 Click OK to close the Default Web Site Properties dialog box.

Step 21 Close the Internet Services Manager window.


To Submit the Certificate Request


Step 1 On the CA server, on the Windows Start menu, click Run, then run certreq.

Step 2 Browse to the directory where you saved the certificate request file in Step 16 of the "To Create a Certificate Request by Using Microsoft Certificate Services" procedure, and double-click it.

Step 3 Click the CA to use, and click OK.


Issuing and Installing the Certificate

By default, when the CA processes the certificate request, it assigns the request a pending status for added security. This means that you must verify the authenticity of the request and manually issue the certificate before you can install it on the Cisco Unity server whose virtual directories will use it.

To Issue the Certificate


Step 1 On the server that is acting as the CA, on the Windows Start menu, click Programs > Administrative Tools > Certification Authority.

Step 2 In the left pane of the Certification Authority window, expand Certification Authority.

Step 3 Expand <Certification Authority name>.

Step 4 Click Pending Requests.

Step 5 In the right pane, right-click the request, and click All Tasks > Issue.

Step 6 In the left pane, click Issued Certificates.

Step 7 In the right pane, double-click the certificate to open it.

Step 8 Click the Details tab.

Step 9 In the Show list, choose <All>, and click Copy to File.

Step 10 On the Certificate Export wizard Welcome page, click Next.

Step 11 Accept the default export file format DER encoded binary X.509 (.CER), and click Next.

Step 12 Specify a file name and a location that the Cisco Unity server can access, and click Next.

Step 13 Verify the settings, and click Finish.

Step 14 Click OK to close the Certificate Details dialog box.

Step 15 Close the Certification Authority window.


To Install the Certificate


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 Expand the name of the Cisco Unity server.

Step 3 If the Cisco Unity server is running Windows Server 2003, expand Web Sites.

Otherwise, skip to Step 4.

Step 4 Right-click Default Web Site, and click Properties.

Step 5 In the Properties dialog box, click the Directory Security tab.

Step 6 Under Secure Communications, click Server Certificate.

Step 7 On the Web Server Certificate wizard welcome screen, click Next.

Step 8 Click Process the Pending Request and Install the Certificate, and click Next.

Step 9 Browse to the directory of the certificate (.cer) file, and double-click it.

Step 10 Verify the certificate information, and click Next.

Step 11 Click Finish to close the Web Server Certificate wizard window.

Step 12 Click OK to close the Default Web Site Properties dialog box.

Step 13 Close the Internet Services Manager window.

Step 14 Repeat Step 1 through Step 13 on each Cisco Unity server in your network, including, if applicable, both servers in a failover pair.


Setting Up Cisco Unity Web Applications to Use SSL

After the certificate has been installed, do the following procedure to set up the Cisco Unity Administrator, Status Monitor, and Cisco Personal Communications Assistant to use SSL. If you plan to offer Mobile Message Access for BlackBerry to subscribers, do the "To Set Up the Cisco Unity Server and the BlackBerry Server to Use SSL" procedure to set up Cisco Unity to use SSL when communicating with the BlackBerry server.

To Set Up the Cisco Unity Administrator, the Status Monitor, and the Cisco PCA to Use SSL


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 Expand the name of the Cisco Unity server.

Step 3 If the Cisco Unity server is running Windows Server 2003, expand Web Sites.

Otherwise, skip to Step 4.

Step 4 Expand Default Web Site.

Step 5 Under Default Web Site, right-click Web, and click Properties.

Step 6 In the Properties dialog box, set the Web directory to use SSL:

a. Click the Directory Security tab.

b. Under Secure Communications, click Edit.

c. Check the Require Secure Channel (SSL) check box.

d. Click OK to close the Secure Communications dialog box.

e. Click OK to close the Properties dialog box.

Step 7 Under Default Web Site, right-click SAWeb, and click Properties.

Step 8 Repeat Step 6 to set the SAWeb directory to use SSL.

Step 9 Under Default Web Site, right-click Status, and click Properties.

Step 10 Repeat Step 6 to set the Status directory to use SSL.

Step 11 Under Default Web Site, right-click Jakarta, and click Properties.

Step 12 Repeat Step 6 to set the Cisco PCA to use SSL.

Step 13 Under Default Web Site, double-click AvXml.

Step 14 In the right pane, right-click AvXml.dll, and click Properties.

Step 15 In the Properties dialog box, click the File Security tab.

Step 16 Under Secure Communications, click Edit.

Step 17 Check the Require Secure Channel (SSL) check box.

Step 18 Click OK to close the Secure Communications dialog box.

Step 19 Click OK to close the AvXml.dll Properties dialog box.

Step 20 Close the Internet Services Manager window.

Step 21 If the Cisco Unity server is running Windows Server 2003, restart the Cisco Unity server.


To Set Up the Cisco Unity Server and the BlackBerry Server to Use SSL

When setting up Mobile Message Access for BlackBerry, it is necessary to set up Cisco Unity to use the SSL protocol before installing the Mobile Message Access for BlackBerry plug-in on the BlackBerry server. If you have already installed this plug-in on the BlackBerry server without first setting up SSL, you will need to re-install the plug-in after you complete this procedure.

See the "Task List for Setting Up Mobile Message Access for BlackBerry" section in the "Setting Up Subscriber Workstations" chapter of the System Administration Guide for Cisco Unity for a task list of steps for setting up Mobile Message Access for BlackBerry. The System Administration Guide for Cisco Unity is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 Expand the name of the Cisco Unity server.

Step 3 If the Cisco Unity server is running Windows Server 2003, expand Web Sites.

Otherwise, skip to Step 4.

Step 4 Expand Default Web Site.

Step 5 Under Default Web Site, right-click Web, and click Properties.

Step 6 In the Properties dialog box, set the Web directory to use SSL:

a. Click the Directory Security tab.

b. Under Secure Communications, click Edit.

c. Check the Require Secure Channel (SSL) check box.

d. Click OK to close the Secure Communications dialog box.

e. Click OK to close the Properties dialog box.

Step 7 Under Default Web Site, right-click BAP, and click Properties.

Step 8 Repeat Step 6 to set the BAP directory to use SSL.

Step 9 Close the Internet Services Manager window.

Step 10 If the Cisco Unity server is running Windows Server 2003, restart the Cisco Unity server.


Distributing the Root Certificate to the Trusted Root Store

When Cisco Unity is set up to use SSL, it offers the digital certificate that you issued in the "Manually Setting Up the System to Use SSL" section as proof of its identity each time a subscriber tries to access the Cisco Unity Administrator, the Status Monitor, or the Cisco PCA. If the certificate is not also added to the trusted root store on subscriber workstations, the browser will display a message to alert subscribers that the authenticity of the site cannot be verified and, therefore, its content cannot be trusted. Note that the appearance of the browser message does not prevent SSL from functioning correctly. However, the message may be a source of confusion for subscribers and could result in calls to the help desk.

To add the certificate to the trusted root store on subscriber workstations, do one or both of the following, as applicable:

Distribute the certificate to all subscribers in the domain by adding it to the Group Policy. See the "Distributing the Root Certificate to the Trusted Root Store for All Users in the Domain" section.

Add the certificate to the trusted root store on individual subscriber workstations. See the "Adding the Cisco Unity Certificate to the Trusted Root Store on Subscriber Workstations" section.

To manage security alerts that subscribers see when they use their BlackBerry devices to access Cisco Unity voice messages, see the "Managing Security Alerts When Using SSL Connections with BlackBerry Servers" section.
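The two browser checks that this section and the Caution in the "To Create a Certificate Request by Using Microsoft Certificate Services" procedure describe (is the issuing root in the trust store, and does the host portion of the URL match the name in the certificate) can be reproduced and inspected outside of IIS. The following shell script is an added example; it is not part of the Cisco guide or of Cisco Unity, and it uses openssl (assumed to be installed, version 1.1.0 or later) in place of Microsoft Certificate Services. The organization name Example Corp, the CA name Example Stand-alone Root CA, and the server names unity1.example.com and unity1 are constructed placeholders. The script creates a stand-alone root CA, builds a request whose common name is the server FQDN, issues the certificate, and then validates it against a trust store with and without the root, and against a URL that uses the FQDN and one that uses only the short system name.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: the certificate life cycle that the
# chapter walks through in IIS and Certification Authority dialogs, reproduced
# with openssl so the effect of each step can be inspected offline.
# Assumptions: openssl (1.1.0 or later) is on the PATH; all names below are
# constructed placeholders standing in for the Cisco Unity server and the CA.
set -eu

WORK="$(mktemp -d)"
UNITY_FQDN="unity1.example.com"   # constructed; the Cisco Unity server FQDN
UNITY_HOST="unity1"               # constructed; the short system name

# Task 1: a stand-alone root CA with its own self-signed certificate.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/O=Example Corp/CN=Example Stand-alone Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
}

# Task 2: the request created on the Cisco Unity server.
# $1 = key length in bits, $2 = common name (the host portion of the HTTPS URL).
make_request() {
    openssl req -new -newkey "rsa:$1" -nodes -sha256 \
        -subj "/O=Example Corp/CN=$2" \
        -keyout "$WORK/unity.key" -out "$WORK/unity.req" 2>/dev/null
}

# Task 3: the CA signs the pending request (All Tasks > Issue in the guide).
# $1 = host name for the subjectAltName extension, which current browsers check
# instead of the common name.
issue_certificate() {
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/unity.req" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/san.ext" \
        -out "$WORK/unity.cer" 2>/dev/null
}

# What a browser does before allowing a logon: validate the chain against its
# trust store and compare the host in the URL with the name in the certificate.
# $1 = CA file to trust, or "none" for a trust store that lacks our root
# $2 = host portion of the URL the subscriber typed
# Prints "ok" or "fail".
verify_against_store() {
    if [ "$1" = none ]; then
        trust="-no-CAfile -no-CApath"
    else
        trust="-CAfile $1"
    fi
    # $trust is deliberately unquoted so it expands to separate options.
    out="$(openssl verify $trust -verify_hostname "$2" "$WORK/unity.cer" 2>&1)" || true
    case "$out" in
        *": OK") echo ok ;;
        *)       echo fail ;;
    esac
}

# Key length recorded in an issued certificate, so a weak request can be caught
# before the certificate is installed on the web server.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Run the whole flow once so the script is useful stand-alone.
make_root_ca
make_request 2048 "$UNITY_FQDN"
issue_certificate "$UNITY_FQDN"
printf 'root in trust store, URL uses FQDN:       %s\n' "$(verify_against_store "$WORK/ca.cer" "$UNITY_FQDN")"
printf 'root not in trust store, URL uses FQDN:   %s\n' "$(verify_against_store none "$UNITY_FQDN")"
printf 'root in trust store, URL uses short name: %s\n' "$(verify_against_store "$WORK/ca.cer" "$UNITY_HOST")"
printf 'issued key length:                        %s bits\n' "$(key_bits "$WORK/unity.cer")"
```

The first check succeeds only when the root certificate is present in the trust store, which is exactly what distributing the root to subscriber workstations achieves; without it the connection still encrypts, but the browser reports that the site cannot be verified. The third check fails because the URL uses the short system name while the certificate carries the fully qualified domain name; the reverse mismatch fails the same way, which is the situation the Caution warns about, so choose the common name to match the URL form subscribers will actually type. Two points of current practice are worth noting alongside the guide: browsers now match the host name against the subjectAltName extension and ignore the common name, which is why the script issues the certificate with a DNS subjectAltName equal to the common name; and the 512-bit key length that the request procedure recommends reflects the guide's era, since current OpenSSL security levels, browsers and public CAs reject RSA keys below 2048 bits, so treat 2048 as the floor for any new request.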

Distributing the Root Certificate to the Trusted Root Store for All Users in the Domain

To distribute the certificate to the trusted root store for all users in the domain, do the following two procedures.

To Export the CA Root Certificate


Step 1 On the CA server, on the Windows Start menu, click Programs > Administrative Tools > Certification Authority.

Step 2 In the left pane of the Certification Authority window, right-click the <Root Certification Authority name>, and click Properties.

Step 3 Click View Certificate.

Step 4 Click the Details tab.

Step 5 In the Show list, choose All, and click Copy to File.

Step 6 On the Certificate Export wizard welcome screen, click Next.

Step 7 Accept the default export file format DER Encoded Binary X.509 (.CER), and click Next.

Step 8 Specify a file name and a location, and click Next.

The location must be accessible to the Domain Admin account that will modify the group policy.

Step 9 Verify the settings, and click Finish.

Step 10 Click OK to close the Certificate Details dialog box.

Step 11 Click OK to close the Properties dialog box for the Root Certification Authority.

Step 12 Close the Certification Authority window.


To Add the Root Certificate to the Domain Group Policy for Trusted Root Certificate Authorities


Step 1 On the CA server, log on to Windows by using an account that is a member of the Domain Admins group.

Step 2 On the Windows Start menu, click Run, then run mmc.

Step 3 On the top menu, click Console.

Step 4 Click Add/Remove Snap-in.

Step 5 On the Standalone tab, click Add.

Step 6 In the Add Standalone Snap-in dialog box, click Group Policy, and click Add.

Step 7 Click Browse.

Step 8 In the Browse for a Group Policy Object dialog box, click the Domains/OUs tab.

Step 9 In the Look In list, select the domain to which the Cisco Unity server belongs.

Step 10 In the Domains, OUs, and Linked Group Policy Objects list, click Default Domain Policy, and click OK.

Step 11 Click Finish.

Step 12 Close the Add Standalone Snap-in dialog box.

Step 13 Click OK to close the Add/Remove Snap-in dialog box.

Step 14 In the left pane of the console window, expand Default Domain Policy for the Cisco Unity server domain.

Step 15 Click Computer Configuration > Windows Settings > Security Settings > Public Key Policies.

Step 16 Right-click Trusted Root Certification Authorities, and click All Tasks > Import.

Step 17 On the Certificate Import wizard welcome screen, click Next.

Step 18 Browse to the location of the saved Root Certification Authority certificate, and double-click it.

Step 19 Click Next.

Step 20 Accept the default for the certificate store, and click Next.

Step 21 Verify the settings, and click Finish.

Step 22 Save the console settings.

Step 23 Close the console window.


Adding the Cisco Unity Certificate to the Trusted Root Store on Subscriber Workstations

The Cisco Unity certificate can be added to the trusted root store on subscriber workstations in the following circumstances:

If you choose not to distribute the certificate to the trusted root store for all users in the domain.

If subscribers can access Cisco Unity web applications from workstations that do not belong to a trusted domain, for example, from a computer at home. Tell subscribers how to add the certificate to the trusted root store on their own computers.

You can do the following procedure on all applicable workstations, or distribute the procedure to subscribers to do themselves, as needed. Keep in mind that you will need to do the procedure again each time a new subscriber workstation is installed after the initial setup of SSL.

To Add the Cisco Unity Certificate to the Trusted Root Store on Each Subscriber Workstation


Step 1 On each subscriber workstation, start Internet Explorer.

Step 2 Go to http://<The Certificate Authority server>/Certsrv.

Step 3 On the Microsoft Certificate Services page, under Select a Task, click Retrieve the CA Certificate or Certificate Revocation List.

Step 4 Click Next.

Step 5 Click the Install This CA Certification Path link.

Step 6 When prompted, click Yes to add the certificate to the Root Store.


Setting Up SSL Redirection

If the Cisco Unity server is running Windows Server 2003, SSL redirection from an http URL to an https URL may fail. If this happens, change the Windows shortcut that starts the Cisco Unity web application to point to the https URL instead of the http URL on each subscriber workstation, as applicable.

Managing Security Alerts When Using SSL Connections with BlackBerry Servers

When you configure Cisco Unity to use SSL in its communications with a BlackBerry server, the associated BlackBerry devices display a message to alert subscribers that the authenticity of the site cannot be verified and, therefore, its content cannot be trusted. Note that the appearance of the message does not prevent SSL from functioning correctly.

The message may be a source of confusion for subscribers and could result in calls to the help desk. To prevent the message from appearing, you can:

Add the certificate to the trusted root store on the BlackBerry server. Refer to the BlackBerry Enterprise Server documentation for details.

If applicable, tell subscribers to add Cisco Unity as a trusted server when prompted by their BlackBerry device. Depending on the device that subscribers use, the security alert may not offer subscribers the option of adding Cisco Unity as a trusted server.