Security Guide for Cisco Unity Release 8.x (With Microsoft Exchange)
Securing Subscriber Messages in Cisco Unity 8.x

Table Of Contents

Securing Subscriber Messages in Cisco Unity 8.x

How Cisco Unity 8.x Handles Messages That Are Marked Private

Secure Messaging in Cisco Unity 8.x

Understanding How Cisco Unity Handles Secure Messages

Automatic Message Aging for Secure Messaging

Secure Messaging with Networking Features in Cisco Unity

Backward Compatibility with Cisco Unity 4.x Servers

Limitations of Secure Messaging

Installing and Configuring Secure Messaging

Enabling MAPI Rich Text Format for All Contacts in the Active Directory

Enabling Secure Messaging for Messages from Unidentified Callers

Enabling Message Aging for Secure Messages

Configuring Cisco Unity Bridge, AMIS, VPIM, Connection Networking, or Trusted Internet Delivery Locations for Secure Messaging

Disabling or Changing the Time Period for Message Aging on the Voice Connector Server

Configuring Cisco Unity ViewMail for Microsoft Outlook for Secure Messaging

Customizing the TCP Port That ViewMail for Outlook Uses For Encrypting and Decrypting Messages

Disabling Backward Compatibility with Cisco Unity 4.x Servers

Enabling Secure Messaging for Messages From Subscribers

Maintenance Considerations When Secure Messaging Is in Use

Monitoring the Unaddressed Messages Distribution List for Messages with Encryption Errors

Performance Monitoring When Using Secure Messaging

Limiting Access to the Cisco Unity Server

Backing Up and Restoring Public and Private Keys

Secure Messaging and Legal Discoverability

Technical Details of Secure Messaging

Best Practices for Using Text to Speech (Unified Messaging) in Cisco Unity 8.x

Disabling the Copy to File Option in the Media Master for the 8.x Cisco Unity Inbox


Securing Subscriber Messages in Cisco Unity 8.x


Cisco Unity offers the following message security options:

All subscribers have the ability to mark messages private. Messages that are marked private cannot be forwarded by phone, from Cisco Unity ViewMail for Microsoft Outlook, or from the Cisco Unity Inbox.

Secure Messaging is an optional feature that you can enable for subscribers. When enabled, messages sent by that subscriber will be encrypted. You can also enable message aging for secure messages, which forces encrypted messages to expire after a specified period of time.

If you are using the Cisco Unity Inbox with Cisco Unity, you can disable the Copy to File option so that subscribers cannot save any message—regardless of its sensitivity—on their hard disks.

In addition, there are security issues you should consider before enabling the Text to Speech (TTS) feature for subscribers.

In this chapter, you will find descriptions of potential security issues related to securing messages; information on any actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and in many cases, best practices.

See the following sections for details:

How Cisco Unity 8.x Handles Messages That Are Marked Private

Secure Messaging in Cisco Unity 8.x

Best Practices for Using Text to Speech (Unified Messaging) in Cisco Unity 8.x

Disabling the Copy to File Option in the Media Master for the 8.x Cisco Unity Inbox

How Cisco Unity 8.x Handles Messages That Are Marked Private

Messages that are marked private cannot be forwarded by phone, from Cisco Unity ViewMail for Microsoft Outlook, or from the Cisco Unity Inbox. This includes any voice message that a Cisco Unity subscriber marked private, and as applicable, any email message that a subscriber or another sender marked private in Outlook. In addition, when a message is marked private, the Copy and Copy To options are disabled on the Options menu on the Media Master in ViewMail for Outlook and the Cisco Unity Inbox.

For subscribers who require more secure messaging, consider the following:

You can set up secure messaging and enable subscribers to use it. Secure messaging provides security through the use of public/private key encryption for voice messages. Secure messages cannot be heard by anyone other than a Cisco Unity subscriber who is authenticated with their Cisco Unity server. For information on how to set up secure messaging, see the "Secure Messaging in Cisco Unity 8.x" section.

You can prevent subscribers from saving any voice message—regardless of its sensitivity—to their hard disks by disabling the Copy to File option on the Options menu of the Media Master control bar in the Cisco Unity Inbox. To learn more, see the "Disabling the Copy to File Option in the Media Master for the 8.x Cisco Unity Inbox" section.

Secure Messaging in Cisco Unity 8.x

The secure messaging feature provides security through the use of public and private key encryption for voice messages. Secure messaging is available for systems running on Microsoft Exchange, including the partner Exchange server, if applicable.

A Cisco Unity service, the Secure Messaging Service, installs and maintains public and private key encryption certificates on each Cisco Unity server.

See the following sections for information on how secure messaging works, how to set it up, and how to maintain systems that have the feature enabled:

Understanding How Cisco Unity Handles Secure Messages—Describes how and when secure messages can be sent and played.

Limitations of Secure Messaging—Lists limitations of secure messaging that subscribers should understand before using the feature.

Installing and Configuring Secure Messaging—Includes instructions for installing secure messaging, configuring the feature, and enabling subscribers to use it.

Maintenance Considerations When Secure Messaging Is in Use—Discusses maintenance issues you should consider when using the secure messaging feature.

Secure Messaging and Legal Discoverability—Discusses how you can respond to requests for legal discoverability of encrypted voice messages.

Technical Details of Secure Messaging—Provides in-depth detail of how secure messaging works.

For information on troubleshooting secure messaging, see the "Troubleshooting Secure Voice Messages in Cisco Unity 8.x" section in the "Troubleshooting Messages in Cisco Unity 8.x" chapter of the Troubleshooting Guide for Cisco Unity Release 8.x. The guide is available at http://www.cisco.com/en/US/docs/voice_ip_comm/unity/8x/troubleshooting/guide/8xcutsgx.html.

Understanding How Cisco Unity Handles Secure Messages

When a secure message is recorded, Cisco Unity encrypts the WAV file before submitting the message to Exchange. When a recipient attempts to listen to the message, Cisco Unity attempts to decrypt it by using session keys that are stored in the message and encryption keys that are stored on the server. If the attempt fails, the recipient hears an error message explaining that the message cannot be decrypted. If the certificate has expired due to message aging, the recipient is informed that the message has expired.

Subscribers can play and send secure messages by using the phone interface, the Cisco Unity Inbox, or Cisco Unity ViewMail for Microsoft Outlook as long as the interfaces can authenticate the subscriber with the Cisco Unity server. When subscribers view a secure message by using Microsoft Outlook or any other SMTP email client, the following text message is displayed along with the message:

"This message and any files transmitted with it are intended solely for the individual or entity to which they are addressed. If you received this message in error, delete it immediately and notify the sender."

Cisco Unity plays the following decoy message when anyone attempts to play a secure message by using media player software other than the Cisco Unity Inbox or ViewMail:

"This voice message is secure and can be played only by using a Cisco Unity supported client. If you received this message in error, delete it immediately and notify the sender."

When forwarding secure messages, the original message always remains encrypted. The introduction, if any, may be encrypted based on the security settings of the subscriber who forwarded the message. If message aging is enabled, the original secure message keeps its original expiration time and any introductions are aged, based on the date that the message was forwarded. Depending on your aging interval and when the message was forwarded, it is possible that the original message has expired and cannot be played, but the introduction can be. If this condition occurs and the subscriber is listening to messages by phone, the subscriber will hear a prompt saying that some portions of the message have expired. The subscriber can then listen to the unexpired portions. If this condition occurs and the subscriber is using the Cisco Unity Inbox or ViewMail for Outlook, an error message will explain that some parts of the message have expired and that only the portions of the message that have not expired can be played.

Automatic Message Aging for Secure Messaging

Message aging can be enabled for secure messages. After a specified period of time, the certificate used to encrypt a message will expire and Cisco Unity will no longer be able to decrypt the message. Message aging applies to all encrypted messages regardless of whether the message recipient has listened to the message.

When message aging is enabled, a new security certificate is created each day, and certificates that are older than the message expiration period are deleted. This prevents any messages that were encrypted by using the older certificates from being decrypted, and thus renders the messages inaccessible.

Expired secure messages remain in the recipient mailbox. If the recipient attempts to play an expired message, the recipient is informed that the message has expired and cannot be played.

Message aging of secure messages works in tandem with the Message Store Manager utility, by making secure messages that are older than the configured time period inaccessible until such time as the Message Store Manager and Exchange can delete them.

When messages expire, they expire at 12:00 a.m. coordinated universal time (UTC). We recommend that you set the time frame to 30 days or more. A short expiration period could result in undesired behavior. For example, if message aging is configured for a time frame of one day, and an encrypted message is recorded at 11:50 p.m. UTC, the recipient of that message has only ten minutes to listen to it before Cisco Unity will no longer be able to decrypt the message.
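The following PowerShell is an added example, not part of the Cisco guide, that models the aging window described above so you can see why a short setting is risky. It assumes, as the one-day / 11:50 p.m. example in the text implies, that a message expires at 00:00 UTC on the day that is the configured number of days after the UTC date on which it was recorded; the dates used are constructed samples.

```powershell
# Added example (not Cisco's code): model the secure-message aging window.
# Assumption: expiry is midnight UTC, $AgingDays days after the recording date.

function Get-SecureMessageExpiry {
    param(
        [Parameter(Mandatory)][datetime]$RecordedUtc,
        [Parameter(Mandatory)][int]$AgingDays
    )
    $recorded = [datetime]::SpecifyKind($RecordedUtc, [System.DateTimeKind]::Utc)
    # .Date drops the time of day, so expiry always lands on a midnight boundary.
    $expires = $recorded.Date.AddDays($AgingDays)
    [pscustomobject]@{
        RecordedUtc = $recorded
        ExpiresUtc  = $expires
        Window      = $expires - $recorded   # time the recipient has to play the message
    }
}

function Test-SecureMessageAgingSetting {
    param(
        [Parameter(Mandatory)][int]$AgingDays,
        [int]$RecommendedMinimumDays = 30      # the minimum the guide recommends
    )
    # Best case: recorded at 00:00:00 UTC. Worst case: recorded at 23:59:59 UTC,
    # which loses almost a full day of the configured period.
    $dayStart = [datetime]::new(2024, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)  # constructed sample date
    $dayEnd   = $dayStart.AddDays(1).AddSeconds(-1)
    $best  = (Get-SecureMessageExpiry -RecordedUtc $dayStart -AgingDays $AgingDays).Window
    $worst = (Get-SecureMessageExpiry -RecordedUtc $dayEnd   -AgingDays $AgingDays).Window
    [pscustomobject]@{
        AgingDays        = $AgingDays
        BestCaseWindow   = $best
        WorstCaseWindow  = $worst
        MeetsRecommended = ($AgingDays -ge $RecommendedMinimumDays)
    }
}

# Reproduce the guide's example: one-day aging, message recorded at 11:50 p.m. UTC.
$sample = [datetime]::new(2024, 1, 1, 23, 50, 0, [System.DateTimeKind]::Utc)  # constructed sample
$r = Get-SecureMessageExpiry -RecordedUtc $sample -AgingDays 1
"Recorded {0:u}, expires {1:u}, window {2}" -f $r.RecordedUtc, $r.ExpiresUtc, $r.Window
# Window is 00:10:00: ten minutes, as the text states.

# Compare candidate settings against the 30-day recommendation.
1, 7, 30 | ForEach-Object { Test-SecureMessageAgingSetting -AgingDays $_ } | Format-Table -AutoSize
```

The worst-case column is the number to compare against your retention policy: with an aging setting of N days, a message recorded just before midnight UTC is playable for only a fraction over N-1 days, so the setting should be chosen with that lower bound in mind rather than the nominal N.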

Secure Messaging with Networking Features in Cisco Unity

If you are using networking features in Cisco Unity, VPIM, Bridge, and Connection Networking locations can be configured to encrypt incoming messages before they are delivered to the recipients. The locations can be configured to encrypt:

All incoming messages

Only messages that are flagged as private

(Connection Networking only) Only messages that were originally flagged secure by Cisco Unity Connection.

By default, VPIM, Bridge, and Connection Networking locations are configured not to encrypt incoming messages.

In addition, VPIM, Bridge, Connection Networking, AMIS, and Trusted Internet locations can be configured to decrypt outgoing secure messages. The locations can be configured to decrypt:

All outgoing secure messages; or

Only secure messages that are not flagged as private

By default, all locations are configured not to decrypt outgoing secure messages, in which case all secure messages that are sent to the location are undeliverable and will generate an NDR to the sender. Similarly, if a location is configured to decrypt only secure messages that are flagged as non-private, private secure messages that are sent to the location will generate an NDR to the sender.

Secure messages to Internet subscribers are sent directly by the Exchange server and cannot be decrypted and therefore cannot be played by the recipient. If you want to use secure messaging and also be able to send messages to Internet subscribers, configure trusted Internet subscribers instead. Trusted Internet subscribers are Internet subscribers that are trusted with decrypted secure messages. Trusted Internet subscribers must be associated with a Trusted Internet location. Based on the security settings of the Trusted Internet location, secure messages to Trusted Internet subscribers are decrypted by the Cisco Unity Voice Connector for Microsoft Exchange or the Interoperability Gateway for Microsoft Exchange before they are sent by the Exchange server.

Backward Compatibility with Cisco Unity 4.x Servers

In Cisco Unity version 5.x, improvements were made to the encryption and decryption of secure messages. Messages encrypted by using the new format cannot be played on earlier versions of Cisco Unity. To address this issue, Cisco Unity version 5.x and later encrypts messages by using both the old and new formats, thus allowing secure messages to be played on both a Cisco Unity version 5.x and later or version 4.x server.

If a subscriber is using Cisco Unity version 4.x, secure messages can only be recorded and played by using the phone interface. If a subscriber is using Cisco Unity 5.x and later, secure messages that are sent from either a Cisco Unity version 4.x or Cisco Unity 5.x and later server can be played from within ViewMail for Outlook, the Cisco Unity Inbox, or by phone.

When all of the Cisco Unity servers in your Active Directory (AD) forest are installed with Cisco Unity version 5.x or later, you can disable the backward compatibility with Cisco Unity version 4.x servers. See the "Disabling Backward Compatibility with Cisco Unity 4.x Servers" section.

Limitations of Secure Messaging

Consider the following limitations of the secure messaging feature, and make sure that subscribers, administrators, and support desk personnel are aware of them.

Broadcast messages are not encrypted.

If your subscribers access secure messages by using clients such as Cisco Unified Personal Communicator, Cisco Unified Mobile Communicator (through Cisco Unified Mobility Advantage), and Cisco Unified Messaging with IBM Lotus Sametime, the Cisco Unity Voicemail Web Service (VMWS) must be running on the Cisco Unity server.

If your subscribers use Cisco Unity ViewMail for Microsoft Outlook and you are using Secure Messaging, you must use ViewMail for Outlook version 5.0(1) or later. Earlier versions of ViewMail will not encrypt messages and subscribers could unknowingly send unsecured messages. Before deploying ViewMail for Outlook version 5.0(1) or later, you must customize the ViewMail installation program to configure subscriber workstations for secure messaging.

When a subscriber plays a secure message in the Cisco Unity Inbox or ViewMail for Outlook, the Copy and Copy To options on the Options menu on the Media Master control bar will not be available.

If a subscriber attempts to play a secure message by using ViewMail for Outlook while using Outlook in an off-line mode—or if ViewMail for Outlook cannot communicate with the Cisco Unity server for any other reason—the subscriber will be warned that the secure message cannot be decrypted or played at that time.

If a subscriber attempts to send a secure message by using ViewMail for Outlook while using Outlook in an off-line mode—or if ViewMail for Outlook cannot communicate with the Cisco Unity server for any other reason—the subscriber may not be able to send unencrypted messages (depending on how you have configured ViewMail for Outlook). See the "Configuring Cisco Unity ViewMail for Microsoft Outlook for Secure Messaging" section.

Subscribers who use an IMAP4 compatible email client to access their voice messages will not be able to play secure messages from the email client unless they are using Microsoft Outlook and they have installed ViewMail for Outlook.

Recipients who are associated with servers outside of the Active Directory forest cannot listen to a secure message, because the key required to decrypt the message is not available.

The private keys that are required to decrypt secure messages are not specific to individual subscribers or workstations. Thus, if a secure message is sent to an unintended recipient—perhaps because of an addressing mistake made by the sender or due to a system problem—Cisco Unity will play the message for any recipient who receives the message as long as the recipient is authenticated with a Cisco Unity server or is a valid recipient on a networked voice mail system.

If a subscriber is out of the office and not listening to messages for a period of time that is longer than the message aging period, then some messages will have expired before the subscriber has an opportunity to listen to them.

If your deployment uses integrated messaging—where voice messages and email are stored in separate mail stores, but subscribers use the IMAP protocol to view their voice messages in the same Outlook profile as their email—encrypted voice messages that are sent or forwarded from Outlook must be sent to voice mail addresses. If encrypted voice messages are sent to email addresses, they will become emails with WAV file attachments rather than native Cisco Unity voice messages, and the recipient will hear the decoy WAV file. To avoid this issue, you can add an LDAP address book with voice mail addresses to be used with the IMAP account for sending or forwarding voice messages.

If subscribers configure the email program to download voice messages off of the email server by using POP3 or another protocol, they will not be able to listen to encrypted voice messages. They must configure their email program to leave copies of the voice messages on the server so that they can play secure messages by using an alternative interface such as the phone interface or Cisco Unity Inbox.

Secure messages that are sent to AMIS, Bridge, Connection Networking, VPIM, or Trusted Internet subscribers are either decrypted by the Voice Connector or Interoperability Gateway before being sent, or are undeliverable and will generate an NDR to the sender. See the "Configuring Cisco Unity Bridge, AMIS, VPIM, Connection Networking, or Trusted Internet Delivery Locations for Secure Messaging" section for details.

When Cisco Unity is configured for networking with other voice mail systems by using either the Cisco Unity Bridge or VPIM, messages that are sent from users on the other voice mail system to Cisco Unity subscribers can be encrypted, but only at the point at which they reach the Voice Connector or Interoperability Gateway, if the delivery location is configured for this functionality. See the "Configuring Cisco Unity Bridge, AMIS, VPIM, Connection Networking, or Trusted Internet Delivery Locations for Secure Messaging" section for details.

When Cisco Unity is configured for networking with other voice mail systems by using the AMIS protocol, messages that are sent from users on the other voice mail system to Cisco Unity subscribers cannot be encrypted and therefore are not affected by the message aging functionality of Secure Messaging.

Subscribers cannot use blind addressing to send messages to users at Trusted Internet locations.

If Cisco Unity is unable to encrypt messages, the unencrypted message will be sent to the Unaddressed Messages distribution list with information about who the message is from and who it was addressed to.

Installing and Configuring Secure Messaging

During installation or upgrade, a secure messaging certificate is installed automatically on each Cisco Unity server and on any Exchange server on which the Voice Connector is installed, if applicable.

Secure Messaging is disabled by default. The following task list leads you through configuring and enabling the secure messaging feature. Do the procedures in the following sections, as applicable. If a section or procedure does not apply to your situation, skip it.

1. If you are configuring secure messaging on a Cisco Unity system that had previously been running Cisco Unity version 4.0(4)SR1 or earlier, enable MAPI Rich Text Format for all subscribers who are listed as contacts in Active Directory. See the "Enabling MAPI Rich Text Format for All Contacts in the Active Directory" section.

2. Enable secure messaging for messages from unidentified callers. See the "Enabling Secure Messaging for Messages from Unidentified Callers" section.

3. If you want secure messages to automatically expire after a specified period of time, enable message aging for secure messages. See the "Enabling Message Aging for Secure Messages" section.

4. If you are using networking features in Cisco Unity and want the secure messaging functionality available for messages to and from remote subscribers:

a. Set up outgoing and incoming secure message handling for each delivery location. See the "Configuring Cisco Unity Bridge, AMIS, VPIM, Connection Networking, or Trusted Internet Delivery Locations for Secure Messaging" section.

b. If your networking features use the Cisco Unity Voice Connector for Microsoft Exchange but the Voice Connector is not installed on the Cisco Unity server, you must install the Secure Messaging Service on the Voice Connector server. Follow the installation instructions in the release notes for the applicable Voice Connector version. Release notes can be found at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_release_notes_list.html.

c. If you have configured message aging on the Voice Connector server and want to either disable or change the time period for message aging, see the "Disabling or Changing the Time Period for Message Aging on the Voice Connector Server" section.

5. If your subscribers use ViewMail for Outlook, you must alter the installation files for ViewMail for Outlook before deploying it on client workstations. See the "Configuring Cisco Unity ViewMail for Microsoft Outlook for Secure Messaging" section.

6. Optionally, if your subscribers use ViewMail for Outlook, you can change the TCP port that ViewMail for Outlook uses to connect to the Cisco Unity server for encrypting and decrypting secure messages. See the "Customizing the TCP Port That ViewMail for Outlook Uses For Encrypting and Decrypting Messages" section.

7. Enable secure messaging for individual subscribers or all subscribers. See the "Enabling Secure Messaging for Messages From Subscribers" section.

8. If you do not have multiple Cisco Unity servers networked together or if all of your Cisco Unity servers have been upgraded to Cisco Unity 5.x or later, disable backward compatibility with Cisco Unity 4.x servers. See the "Disabling Backward Compatibility with Cisco Unity 4.x Servers" section.

Enabling MAPI Rich Text Format for All Contacts in the Active Directory

If you are installing secure messaging on an existing Cisco Unity system that had previously been running Cisco Unity version 4.0(4)SR1 or earlier, do the following procedure to enable MAPI Rich Text Format for all subscribers who are listed as contacts in Active Directory. Otherwise, skip to the "Enabling Secure Messaging for Messages from Unidentified Callers" section.

Depending on the number of contact records to be updated, the Active Directory synchronization process can take several hours or more to complete. The synchronization process may also use a considerable percentage of available computer and network resources. Therefore, we recommend that you run the Enable Rich Text Format utility at a time when demand on Cisco Unity system resources is low, for example, on a weekend evening.

To Enable MAPI Rich Text Format


Step 1 Log on to the Cisco Unity server by using an account that is a member of the Domain Admins group.

Step 2 On the Cisco Unity server, double-click the Cisco Unity Tools Depot icon.

Step 3 In the left pane, under Administration Tools, double-click EnableRichTextFormat. The Enable Rich Text Format window appears and displays all Contact records that do not have MAPI Rich Text Format enabled.

Step 4 Click Process Contacts. A status bar shows the progress of the Active Directory update.

Step 5 When the Active Directory update is complete, click OK.

Step 6 If desired, click Save Report to view and save a record of the updates that were made to the Active Directory.

Step 7 Click Exit.


Enabling Secure Messaging for Messages from Unidentified Callers

To Enable Secure Messaging for Messages from Unidentified Callers


Step 1 In the Cisco Unity Administrator, go to the System > Configuration > Message Security Settings page.

Step 2 Indicate whether messages from unidentified callers are encrypted:

Do Not Encrypt Messages—Messages are not encrypted.

Encrypt All Messages—All messages are encrypted.


Enabling Message Aging for Secure Messages

To Enable Message Aging for Secure Messages


Step 1 In the Cisco Unity Administrator, go to the System > Configuration > Message Security Settings page.

Step 2 Check the Enable check box to enable message aging for secure messages.

Step 3 In the Days Before Encrypted Messages Become Unavailable field, enter a time frame that is consistent with the message retention policy of your organization.

Step 4 Repeat Step 1 through Step 3 on all Cisco Unity servers in your organization.


Note If you are using networking features in Cisco Unity, you must also configure message aging when installing the Secure Messaging Service on the Voice Connector server.



Configuring Cisco Unity Bridge, AMIS, VPIM, Connection Networking, or Trusted Internet Delivery Locations for Secure Messaging

If you are using networking features in Cisco Unity and want secure messaging to be available for messages to and from remote subscribers, you need to configure how outgoing secure and incoming voice messages will be handled for each delivery location.

To Configure Bridge, Connection Networking, or VPIM Delivery Locations to Encrypt Incoming Messages


Step 1 In the Cisco Unity Administrator, go to the Delivery Locations page for each VPIM or Bridge location in your system. For Connection Networking, go to the Profile page.

Step 2 In the Incoming Messages From This Location field, select the applicable option:

Do Not Encrypt Messages—The Voice Connector or Interoperability Gateway will not encrypt any messages.

Encrypt Only Private Messages—The Voice Connector or Interoperability Gateway will encrypt only messages that are flagged private.

Encrypt All Messages—The Voice Connector or Interoperability Gateway will encrypt all messages.

(Connection Networking only) Respect Message X-Header—The Interoperability Gateway will encrypt only messages that were originally flagged secure by Connection.


To Configure Bridge, VPIM, AMIS, Connection Networking, or Trusted Internet Delivery Locations to Decrypt Outgoing Messages


Step 1 In the Cisco Unity Administrator, go to the Delivery Locations page for each location in your system. (For Connection Networking, go to the Profile page.)

Step 2 In the Outgoing Messages to This Location field, select the applicable option:

Do Not Decrypt Messages—The Voice Connector or Interoperability Gateway will not decrypt or send secure messages, and will send an NDR back to the sender.

Decrypt Non-Private Messages—The Voice Connector or Interoperability Gateway will not decrypt or send secure messages that are flagged private. An NDR will be sent back to the sender. All other messages will be decrypted before sending them to the remote location.

Decrypt All Messages—The Voice Connector or Interoperability Gateway will decrypt all secure messages before sending them to the remote location. Depending on the configuration at the remote location, the message may or may not be re-encrypted before being delivered to the recipient.


Disabling or Changing the Time Period for Message Aging on the Voice Connector Server

To Disable or Change the Time Period for Message Aging on the Voice Connector Server


Step 1 Log on to the Exchange server on which the Voice Connector and Cisco Secure Messaging Service is installed.

Step 2 Open Control Panel > Add or Remove Programs.

Step 3 Click Cisco Unity Voice Gateway Secure Message Setup Wizard.

Step 4 Click Change. The Cisco Unity Secure Messaging Service Setup wizard launches.

Step 5 Click Modify, and then click Next.

Step 6 On the Message Security Settings page, enable or disable message aging, and specify the number of days, as applicable.

Step 7 Click Next, and then click Finish.

Step 8 Close Add or Remove Programs.


Configuring Cisco Unity ViewMail for Microsoft Outlook for Secure Messaging

Because the encryption certificates and keys are stored on the Cisco Unity server, Cisco Unity ViewMail for Microsoft Outlook can play and send secure messages only when a connection can be made to the Cisco Unity server. ViewMail installs the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems\Cisco Unity\VMO\Force Messages Secure on the subscriber workstations. If a subscriber attempts to send a secure message by using ViewMail while using Outlook in an off-line mode—or if ViewMail for Outlook cannot communicate with the Cisco Unity server for any other reason—ViewMail will do one of the following, depending on the value of the registry key:

0—Send the message without encrypting it and without attempting to connect to the Cisco Unity server.

1—Warn the subscriber that a connection with Cisco Unity could not be made. (The subscriber will have to save the message and resend it at a later time.)

2—Warn the subscriber that the message will not be encrypted and offer the option to send it without encryption.

The registry key is set to zero by default—to send messages unencrypted without attempting to connect to the Cisco Unity server. If you want encrypted messages to be sent from ViewMail, administrators must customize the ViewMail.msi file to change the value of the registry key before installing ViewMail for Outlook on subscriber workstations.

Note that once ViewMail version 5.0(1) or later is installed on a subscriber workstation, the registry setting cannot be changed by running the ViewMail installation program again. Administrators must use a configuration management tool (for example, Microsoft Systems Management Server) to change the registry setting, or must uninstall ViewMail, customize the ViewMail.msi file to change the setting, and install ViewMail again.

To Customize the ViewMail.msi File to Change the "Force Messages Secure" Registry Key


Step 1 Browse to the ViewMail directory on the network drive to which you downloaded the ViewMail files. If you do not have permission to write to the directory, move the files to a directory on which you have write privileges.

Step 2 In the ViewMail directory, browse to the ENU language directory (or to the language applicable to your installation).

Step 3 Open VMOInit.vbs in a text editor.

Step 4 Delete the rem text in front of the Session.Property("ForceMessagesSecure") = "1" line.

For example:

Function VMOInitFn()
rem Session.Property("EXTENSION") = ""
rem Session.Property("UNITYSERVER") = ""
rem To enable NoTextToVM, set property NOTEXTTOVM to 1
rem Session.Property("NOTEXTTOVM") = "1"
rem To enable g729a recording, set property DefaultWaveFormat to 5
rem Session.Property("DefaultWaveFormat") = "5"
rem To enable secure messaging, set property ForceMessagesSecure to 1 (Always Force Messages Secure) or 2 (Allow User To Choose).
rem By default, it is set to 0 (Always Send Messages Unsecure).
Session.Property("ForceMessagesSecure") = "1"
rem To change RPC Port Number for Encryption and Decryption, set property RpcPortNumberForEncryptionAndDecryption to a new port number.
rem By default, it is set to 5050.
rem Session.Property("RpcPortNumberForEncryptionAndDecryption") = "5050"
End Function

Step 5 If you want subscribers to be able to choose to send unencrypted messages when ViewMail for Outlook is in an offline mode, change the "1" to "2".

Step 6 Save the script file and close the text editor.

Step 7 Open a Command Prompt window. (On the Windows Start menu, click Programs > Accessories > Command Prompt.)

Step 8 Change to the ViewMail > ENU directory (or to the language applicable to your installation).

Step 9 Enter vmaddbin ViewMail.msi VMOInit.vbs, and press Enter. When the script completes, your cursor returns to the command line.

Step 10 Run the file ViewMail.msi on a test machine to confirm that the installation completes successfully.

Step 11 Close the Command Prompt window.


Customizing the TCP Port That ViewMail for Outlook Uses For Encrypting and Decrypting Messages

By default, Cisco Unity uses TCP port number 5050 for incoming RPC connection requests from ViewMail for Outlook clients to encrypt and decrypt secure messages. In most cases, the default configuration is fine. However, you may want to change the port to accommodate a firewall configuration; any available TCP port can be used. If you need to change the port that is used, you must make the change on both the Cisco Unity server and on the ViewMail client workstations. Do the following procedures:

To Change the TCP Port for RPC Connections on the Cisco Unity Server

To Customize the ViewMail.msi File to Change the TCP Port on the Subscriber Workstations

ViewMail installs a registry key HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems\Cisco Unity\VMO\RPC Port Number for Encryption and Decryption on the subscriber workstations.

Note that when ViewMail version 5.0(1) or later is installed on a subscriber workstation, the registry setting cannot be changed by running the ViewMail installation program again. Administrators must use a configuration management tool (for example, Microsoft Systems Management Server) to change the registry setting, or must uninstall ViewMail, customize the ViewMail.msi file to change the setting, and install ViewMail again.

To Change the TCP Port for RPC Connections on the Cisco Unity Server


Step 1 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.

Step 2 In the left pane, under Administrative Tools, double-click Advanced Settings Tool.

Step 3 In the Unity Settings pane, click Security - Configure TCP Port Number for Incoming RPC Connections for Encryption/Decryption.

Step 4 In the New Value list, enter the TCP port number and click Set.

Step 5 When prompted, click OK.

Step 6 Click Exit.

Step 7 Stop and restart the AvMMProxySvr service.


To Customize the ViewMail.msi File to Change the TCP Port on the Subscriber Workstations


Step 1 Browse to the ViewMail directory on the network drive on which you downloaded the ViewMail files. If you do not have permission to write to the directory, move the files to a directory on which you have write privileges.

Step 2 In the ViewMail directory, browse to the ENU language directory (or to the language applicable to your installation).

Step 3 Open the file VMOInit.vbs in a text editor.

Step 4 Delete the rem text in front of the Session.Property("RpcPortNumberForEncryptionAndDecryption") = "5050" line.

For example:

Function VMOInitFn()
rem Session.Property("EXTENSION") = ""
rem Session.Property("UNITYSERVER") = ""
rem To enable NoTextToVM, set property NOTEXTTOVM to 1
rem Session.Property("NOTEXTTOVM") = "1"
rem To enable g729a recording, set property DefaultWaveFormat to 5
rem Session.Property("DefaultWaveFormat") = "5"
rem To enable secure messaging, set property ForceMessagesSecure to 1 (Always Force Messages Secure) or 2 (Allow User To Choose).
rem By default, it is set to 0 (Always Send Messages Unsecure).
rem Session.Property("ForceMessagesSecure") = "1"
rem To change RPC Port Number for Encryption and Decryption, set property RpcPortNumberForEncryptionAndDecryption to a new port number.
rem By default, it is set to 5050.
Session.Property("RpcPortNumberForEncryptionAndDecryption") = "5050"
End Function

Step 5 Change the "5050" part of the line to the TCP port number that you entered on your Cisco Unity server(s) in Step 4 of the "To Change the TCP Port for RPC Connections on the Cisco Unity Server" procedure.

Step 6 Save the script file and close the text editor.

Step 7 Open a Command Prompt window. (On the Windows Start menu, click Programs > Accessories > Command Prompt.)

Step 8 Change to the ViewMail > ENU directory (or to the language applicable to your installation).

Step 9 Enter vmaddbin ViewMail.msi VMOInit.vbs, and press Enter. When the script completes, your cursor returns to the command line.

Step 10 Run the file ViewMail.msi on a test machine to confirm that the installation completes successfully.

Step 11 Close the Command Prompt window.


Disabling Backward Compatibility with Cisco Unity 4.x Servers

If all of the Cisco Unity servers in your Active Directory forest are installed with Cisco Unity version 5.0(1) or later, you can disable the backward compatibility with Cisco Unity version 4.x servers. There is a small CPU overhead when using secure messaging with backward compatibility enabled, so if you do not need it, you should disable it.

To Disable Backward Compatibility with Cisco Unity 4.x Servers

Note that you must change the setting on each Cisco Unity server in the AD forest. The change does not automatically replicate to other Cisco Unity servers.


Step 1 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.

Step 2 In the left pane, under Administrative Tools, double-click Advanced Settings Tool.

Step 3 In the Unity Settings pane, click Security - Configure Recording Format for Backward Compatibility with Cisco Unity 4.x Servers.

Step 4 In the New Value list, click 1, and then click Set.

Step 5 When prompted, click OK.

You do not need to restart Cisco Unity to enable the registry changes.

Step 6 Click Exit.


If you are using networking features with Cisco Unity and the Cisco Unity Voice Connector for Microsoft Exchange is not installed on the Cisco Unity server, you must also disable backward compatibility with Cisco Unity 4.x on the Exchange server on which the Voice Connector is installed.

To Disable Cisco Unity 4.x Backward Compatibility on the Voice Connector Server


Step 1 On the Exchange server on which the Voice Connector is installed, on the Windows Start menu, click Run.

Step 2 In the Open field, enter Regedit and press Enter. The Registry Editor appears.


Caution Changing the wrong registry key or entering an incorrect value can cause the server to malfunction. Before you edit the registry, confirm that you know how to restore it if a problem occurs. (See the "Restoring" topics in Registry Editor Help.) If you have any questions about changing registry key settings, contact Cisco TAC.

Step 3 If you do not have a current backup of the registry, click Registry > Export Registry File, and save the registry settings to a file.

Step 4 Go to HKEY_LOCAL_MACHINE\SOFTWARE\Active Voice\AvIvc.

Step 5 Double-click the SecureMsgInterOpMode value. The Edit DWORD Value dialog box appears.

Step 6 In the Value Data field, enter 0 and click OK.

Step 7 Close Regedit.


Enabling Secure Messaging for Messages From Subscribers

In order to allow subscribers to send secure messages, you must enable it for them.


Note All subscribers are able to receive and listen to secure messages after you complete the installation and basic configuration, as instructed in the previous sections. You must enable secure messaging for subscribers in order for them to also be able to send secure messages.


You enable secure messaging for individual existing subscribers on the Subscribers > Subscribers > Features page. You can also enable secure messaging for future new subscribers by changing a setting on the Subscribers > Subscriber Templates > Features page. Do the following "To Enable Secure Messaging for Subscribers" procedure.

Enabling secure messaging only for certain subscribers may make system administration, troubleshooting, and training more labor-intensive than when the feature is enabled for all subscribers.

To enable secure messaging for multiple (or all) existing subscribers, use the Bulk Edit utility, available in Tools Depot.

To Enable Secure Messaging for Subscribers


Step 1 In the Cisco Unity Administrator, go to the applicable page:

Subscribers > Subscribers > Features for an individual subscriber.

Subscribers > Subscriber Templates > Features to make the change on a subscriber template (note that the change you make here will not be applied to currently existing subscriber accounts that were created by using this template; the setting applies only to subscriber accounts that are created by using this template after the change has been made).

Step 2 Indicate whether messages will be encrypted when subscribers send messages to other subscribers:

Do Not Encrypt Messages—Messages are not encrypted.

Encrypt Only Private Messages—Only messages that are flagged private are encrypted.

Encrypt All Messages—All messages are encrypted.

Step 3 Click the Save icon.

Step 4 Repeat Step 1 through Step 3 for additional subscribers or subscriber templates, as applicable.


Maintenance Considerations When Secure Messaging Is in Use

Incorporate the information from the following sections into your Cisco Unity system maintenance plan:

Monitoring the Unaddressed Messages Distribution List for Messages with Encryption Errors

Performance Monitoring When Using Secure Messaging

Limiting Access to the Cisco Unity Server

Backing Up and Restoring Public and Private Keys

Monitoring the Unaddressed Messages Distribution List for Messages with Encryption Errors

If Cisco Unity is unable to encrypt a message (from a subscriber, from an unidentified caller, or an incoming message from a Bridge or VPIM location), the unencrypted message is sent to the Unaddressed Messages distribution list with text in the body of the message that states who the message was from (if available) and who it was addressed to. To route these messages properly, ensure that the Unaddressed Messages distribution list has at least one member who will monitor the mailbox and handle messages that could not be encrypted.

Performance Monitoring When Using Secure Messaging

Enabling secure messaging for all subscribers should not adversely affect Cisco Unity performance. However, if a Cisco Unity performance problem occurs when subscribers are using secure messaging, include the following performance counters in the performance testing and analysis:

AvCSMgr Private MBytes

AvCSMgr Virtual MBytes

AvCSMgr % Processor Time

Total % Processor Time

Current Incoming Calls - Avg

Current Incoming Calls - Max

For more information on collecting and analyzing Cisco Unity performance data, see the "Performance Monitoring" chapter of the Maintenance Guide for Cisco Unity. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

Limiting Access to the Cisco Unity Server

Sites need to protect their private keys from unauthorized internal or external access. Anyone who can log on to the Cisco Unity server as a user in the local administrator group can copy the private keys, and install them on any other server. Note that secure messaging public and private keys should be present only on the Cisco Unity servers and on the Exchange servers on which the Voice Connector is installed. The keys are never created on subscriber workstations, and should never be copied to another server or workstation.

Backing Up and Restoring Public and Private Keys

Exportable certificates are installed on a Cisco Unity server, and the public and private keys that are created from these certificates can be backed up and restored by using the Cisco Unity Disaster Recovery tool (DiRT).

For more information on backing up Cisco Unity data, see the "About Backing Up a Cisco Unity System" chapter of the Maintenance Guide for Cisco Unity. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

Secure Messaging and Legal Discoverability

Companies and other entities involved in federal litigation may need to produce electronically stored information as part of the discovery process when evidence is shared by both sides before a trial. Your lawyers may request that you produce copies of the existing and all future voice messages for one or more subscribers. They may also request the date and timestamp of each message and its subject, which contains either the sender name or caller ID.

The following task list provides an overview for responding to requests for legal discoverability:

1. Run a report from within Exchange to identify the list of voice messages by subject, date, and time stamp.

2. Create a trusted Internet subscriber account that has the destination email address of the mailbox that will be used to collect these messages. We recommend that you create a trusted Internet subscriber for each subscriber whose records are being requested. These trusted Internet subscriber accounts must be associated with a trusted Internet location that will decrypt outgoing secure messages.

3. Configure an Exchange forwarding rule to forward all of the applicable subscriber messages to the associated trusted Internet subscriber accounts.


Note It is not possible to create a rule that will selectively forward only voice messages. However, when the Cisco Unity Voice Connector for Microsoft Exchange processes the messages to forward to the trusted Internet subscriber account, it will not forward email messages, but will generate a non-delivery receipt (NDR) back to the Cisco Unity account of the subscriber. (This is a consideration only if your Cisco Unity is configured for Unified Messaging.)


4. Depending on the number of subscriber mailboxes and messages, you may want to consider installing and configuring a Voice Connector on a dedicated Exchange server just for processing these decryption requests.

5. Your lawyers can use the report created in task 1 to manually match up each decrypted message to determine the date and time stamp of the original voice message.

6. Turn off secure messaging for the subscriber so that future voice messages are no longer encrypted.

7. Modify the Exchange server forwarding rule to point to the mailbox that is collecting messages instead of the trusted Internet subscriber, thus bypassing the Voice Connector. Because the messages are no longer encrypted, they do not need to be decrypted.

Technical Details of Secure Messaging

Messages are secured by using public/private key encryption. When using digital networking, each Cisco Unity server in the organization generates its own public/private key pairs, and it publishes the public keys to the other Cisco Unity servers through Active Directory. When a secure message is recorded, a new session key is created for the message. The session key is used to encrypt the audio data, and this encrypted audio data is stored in the message. The public key from each Cisco Unity server is used to encrypt the session key, generating a list of encrypted session keys. This list of encrypted session keys is stored in the message.

When a secure message is played, the Cisco Unity server extracts the list of encrypted session keys and tries to decrypt one of them by using its private key. If it succeeds, the Cisco Unity server decrypts the audio data with that session key. If it cannot decrypt any of the session keys, the Cisco Unity server can differentiate between a message that has expired and a message that cannot be decrypted because of an error condition, and gives the subscriber the appropriate response.

If message aging is enabled, each Cisco Unity server creates a new public/private key pair once a day at midnight UTC, and publishes the new public key to the other Cisco Unity servers via Active Directory. At the same time, Cisco Unity deletes the oldest private key from the operating system key store. This deletion of the private key is what causes a message to expire as soon as it is older than the configured message aging period. Once the Cisco Unity server has deleted the private key that corresponds to the public key that encrypted the session key, the session key cannot be decrypted, which in turn prevents decryption and playback of the audio data.

If subscribers are using ViewMail for Outlook or the Cisco Unity Inbox to record and play back secure messages, both the client PC and Cisco Unity server are involved in the operation. When a secure message is recorded on a client, the client PC generates the session key and encrypts the audio data. It then uses an encrypted channel to ask the Cisco Unity server to encrypt the session key. When that is complete, the client PC stores the list of encrypted session keys in the message and submits it to Microsoft Exchange. When a secure message is played back on a client, the client PC extracts the list of encrypted session keys from the message and uses an encrypted channel to ask the Cisco Unity server to decrypt the session key. If that succeeds, the client PC uses it to decrypt the audio data and play it back. If it fails, the client PC will inform the subscriber that the message has expired or is not decryptable due to an error condition, as appropriate.
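The following is an added example, not Cisco code, that models the scheme described in this section: a fresh session key per message, that key wrapped under every server's newest published public key, a daily rotation that deletes aged private keys, and playback that distinguishes an expired message from one that was never encrypted for this server. Textbook RSA with tiny keys and an HMAC counter-mode keystream stand in for the real primitives (neither is fit for production use), and the names UnityServer, record_secure_message and play_secure_message, the key-id format and the expired-versus-error bookkeeping are assumptions of this model, since the page does not state how Cisco Unity makes that distinction internally.

```python
# Added example (not Cisco code): toy model of the scheme above; textbook RSA with tiny keys stands in for real key pairs.
import hashlib, hmac, secrets
from datetime import date, timedelta

def _is_probable_prime(n, rounds=20):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=256):
    """Return ((e, n), (d, n)): stand-in for one server's public/private key pair."""
    def prime(k):
        while True:
            p = secrets.randbits(k) | (1 << (k - 1)) | 1
            if _is_probable_prime(p):
                return p
    while True:
        p, q, e = prime(bits // 2), prime(bits // 2), 65537
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _xor_stream(key, data):  # HMAC-SHA256 counter-mode keystream; the same call decrypts
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

class UnityServer:
    def __init__(self, name, aging_days, today):  # today: ISO date string, e.g. "2024-01-01"
        self.name, self.aging_days = name, aging_days
        self.public, self.private, self.retired = {}, {}, set()
        self.rotate(today)

    def rotate(self, today):  # the midnight-UTC job: new pair, publish it, delete aged keys
        kid = f"{self.name}:{today}"                   # key id carries its creation date
        self.public[kid], self.private[kid] = generate_keypair()
        cutoff = date.fromisoformat(today) - timedelta(days=self.aging_days)
        for old in list(self.private):
            if date.fromisoformat(old.rsplit(":", 1)[1]) <= cutoff:
                del self.private[old]                  # this deletion is what expires messages
                self.retired.add(old)

def record_secure_message(audio, servers):
    """Fresh session key, encrypt the audio, wrap the key for every server's newest public key."""
    sk = secrets.token_bytes(16)
    wrapped = {max(s.public): pow(int.from_bytes(sk, "big"), *s.public[max(s.public)])
               for s in servers}
    return {"audio": _xor_stream(sk, audio), "keys": wrapped}

def play_secure_message(msg, server):
    """Return ("ok", audio), ("expired", None) or ("error", None) for this server."""
    for kid, c in msg["keys"].items():
        if kid in server.private:
            sk = pow(c, *server.private[kid]).to_bytes(16, "big")
            return "ok", _xor_stream(sk, msg["audio"])
    return ("expired" if server.retired.intersection(msg["keys"]) else "error"), None
```

With an aging period of 2 days, a message recorded on 2024-01-01 still plays after the 2024-01-02 rotation and reports "expired" after the 2024-01-03 rotation, while a server that was never a recipient reports "error".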

Best Practices for Using Text to Speech (Unified Messaging) in Cisco Unity 8.x

The Text to Speech (TTS) feature allows Unified Messaging subscribers to listen to their email messages over the phone. Cisco Unity reads the text portion of email messages and provides additional information such as the name of the sender (if the sender is a subscriber), and the time and date that the message was sent. No attachments are read over the phone.

TTS is a class of service offering. Before you enable subscribers to use TTS, consider the following best practices:

Best Practice: Use Enhanced Phone Security

Because a phone password is inherently less secure than a password that subscribers would typically use to log on to a workstation and/or their email inboxes, offering TTS to subscribers can be considered a security risk. To provide a more secure way to authenticate subscribers when they access Cisco Unity by phone, and thereby increase the security of all subscriber messages, set up enhanced phone security. (See the "Determining Whether to Offer Enhanced Phone Security in Cisco Unity 8.x" section on page 8-10.)

Best Practice: Do Not Offer TTS If Email Content Is Sensitive

Offering TTS can also be considered a security risk because subscribers can access Cisco Unity from any phone—inside or outside your organization. If the email content in your organization contains classified information that you do not want played over unsecured connections, do not offer TTS to subscribers.

Disabling the Copy to File Option in the Media Master for the 8.x Cisco Unity Inbox

By default, subscribers can save their messages, except for secure messages and private messages, as WAV files on their hard disks by using the Copy to File option available on the Options menu on the Media Master control bar in the Cisco Unity Inbox. As an added security measure for Cisco Unity, you can disable the Copy to File option so that subscribers cannot save any message—regardless of its sensitivity—on their hard disks.

You can specify whether the Copy to File option is available in the Cisco Unity Inbox by using the Advanced Settings tool to change the registry. The registry change is applied system-wide to all subscribers who are associated with the Cisco Unity server. You cannot make the change for an individual subscriber or for a specific group of subscribers. Consider that when you prevent subscribers from archiving messages, they may choose to retain messages in their Inboxes and Deleted Items folders (if applicable) longer.


Note For Cisco Unity failover, registry changes on one Cisco Unity server must be made manually on the other Cisco Unity server, because registry changes are not replicated.


Do the following procedure to disable the Copy to File option in the Media Master for the Cisco Unity Inbox.

To Disable the Copy to File Option in the Media Master for the Cisco Unity Inbox


Step 1 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.

Step 2 In the left pane, under Administrative Tools, double-click Advanced Settings Tool.

Step 3 In the Unity Settings pane, click Unity Inbox—Disable Copy to File Option in Media Master.

Step 4 In the New Value list, click 1, and click Set.

Step 5 When prompted, click OK.

Step 6 Click Exit.

You do not need to restart the Cisco Unity server for the change to take effect.