Information About Cisco Unified Communications Proxy Features
This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
This chapter includes the following sections:
• Information About the Adaptive Security Appliance in Cisco Unified Communications
• TLS Proxy Applications in Cisco Unified Communications
• Licensing for Cisco Unified Communications Proxy Features
Information About the Adaptive Security Appliance in Cisco Unified Communications
This section describes the Cisco UC Proxy features on the Cisco ASA 5500 series appliances. The purpose of a proxy is to terminate and reoriginate connections between a client and server. The proxy delivers a range of security functions such as traffic inspection, protocol conformance, and policy control to ensure security for the internal network. An increasingly popular function of a proxy is to terminate encrypted connections in order to apply security policies while maintaining confidentiality of connections. The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified communications deployments.
The Cisco UC Proxy includes the following solutions:
Phone Proxy: Secure remote access for Cisco encrypted endpoints, and VLAN traversal for Cisco softphones
The phone proxy feature enables termination of Cisco SRTP/TLS-encrypted endpoints for secure remote access. The phone proxy allows large scale deployments of secure phones without a large scale VPN remote access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without VPN tunnels or hardware.
The Cisco adaptive security appliance phone proxy is the replacement product for the Cisco Unified Phone Proxy. Additionally, the phone proxy can be deployed for voice/data VLAN traversal for softphone applications. Cisco IP Communicator (CIPC) traffic (both media and signaling) can be proxied through the adaptive security appliance, thus traversing calls securely between voice and data VLANs.
For information about the differences between the TLS proxy and the phone proxy, go to the following URL for Unified Communications content, including the TLS Proxy vs. Phone Proxy white paper:
http://www.cisco.com/go/secureuc
TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling
End-to-end encryption often leaves network security appliances "blind" to media and signaling traffic, which can compromise access control and threat prevention security functions. Without visibility into the encrypted voice traffic, the firewall cannot inspect it, leaving businesses unable to satisfy both of their key security requirements at once: confidentiality of the calls and policy enforcement on them.
The adaptive security appliance is able to intercept and decrypt encrypted signaling from Cisco encrypted endpoints to the Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and access control. It can also ensure confidentiality by re-encrypting the traffic onto the Cisco UCM servers.
Typically, the adaptive security appliance TLS Proxy functionality is deployed in a campus unified communications network. This solution is ideal for deployments that use end-to-end encryption and firewalls to protect Unified Communications Manager servers.
Mobility Proxy: Secure connectivity between Cisco Unified Mobility Advantage server and Cisco Unified Mobile Communicator clients
Cisco Unified Mobility solutions include the Cisco Unified Mobile Communicator (Cisco UMC), an easy-to-use software application for mobile handsets that extends enterprise communications applications and services to mobile phones and the Cisco Unified Mobility Advantage (Cisco UMA) server. The Cisco Unified Mobility solution streamlines the communication experience, enabling single number reach and integration of mobile endpoints into the Unified Communications infrastructure.
The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and Cisco/Microsoft Presence servers
The Cisco Unified Presence solution collects information about the availability and status of users, such as whether they are using communication devices (for example, IP phones) at particular times. It also collects information about their communications capabilities, such as whether web collaboration or video conferencing is enabled. Using the user information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco UCM can improve productivity by helping users connect with colleagues more efficiently, by determining the most effective way to reach them.
Using the adaptive security appliance as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-enterprise communications. The security appliance terminates the TLS connectivity between the servers, and can inspect and apply policies for the SIP communications between the servers.
TLS Proxy Applications in Cisco Unified Communications
Table 45-1 shows the Cisco Unified Communications applications that utilize the TLS proxy on the adaptive security appliance.
Table 45-1 TLS Proxy Applications and the Security Appliance
Application | TLS Client | TLS Server | Client Authentication | Security Appliance Server Role | Security Appliance Client Role
Phone Proxy and TLS Proxy | IP phone | Cisco UCM | Yes | Proxy certificate, self-signed or by internal CA | Local dynamic certificate signed by the adaptive security appliance CA (might not need certificate for phone proxy application)
Mobility Proxy | Cisco UMC | Cisco UMA | No | Using the Cisco UMA private key or certificate impersonation | Any static configured certificate
Presence Federation Proxy | Cisco UP or MS LCS/OCS | Cisco UP or MS LCS/OCS | Yes | Proxy certificate, self-signed or by internal CA | Using the Cisco UP private key or certificate impersonation
The adaptive security appliance supports TLS proxy for various voice applications. For the phone proxy, the TLS proxy running on the adaptive security appliance has the following key features:
• The adaptive security appliance forces remote IP phones connecting to the phone proxy through the Internet to be in secured mode even when the Cisco UCM cluster is in non-secure mode.
• The TLS proxy is implemented on the adaptive security appliance to intercept the TLS signaling from IP phones.
• The TLS proxy decrypts the packets, sends them to the inspection engine for NAT rewrite and protocol conformance, and then either re-encrypts them and sends them to the Cisco UCM, or sends them in clear text if the IP phone is configured to be in nonsecure mode on the Cisco UCM.
• The adaptive security appliance acts as a media terminator as needed and translates between SRTP and RTP media streams.
• The TLS proxy is a transparent proxy that works by establishing a trusted relationship between the TLS client, the proxy (the adaptive security appliance), and the TLS server.
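The trust relationships that Table 45-1 and the list above describe for the phone proxy (the phone trusts only the proxy certificate, the proxy presents a local dynamic certificate signed by the appliance CA toward the Cisco UCM, and the UCM requires client authentication against that CA) can be exercised end to end on a single host. The following Go program is an added example written for this page; it is not code from the adaptive security appliance or from Cisco, and the appliance implements none of this in Go. It runs a stand-in UCM, a minimal TLS proxy and a stand-in phone on the loopback interface: the proxy terminates the phone's TLS session, applies a stand-in inspection step (anything that is not a SIP REGISTER is dropped, and the phone's private address in the Contact header is rewritten, the NAT rewrite), and re-originates TLS to the UCM. The certificate names (asa-ca.example.com, asa.example.com, ucm.example.com, phone-1001.example.com), the addresses 192.168.1.20 and 203.0.113.10, the one-request/one-response exchange and the SIP message are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Constructed addresses: the phone's private address and the proxy's outside address that replaces it (NAT rewrite).
const phonePrivAddr, proxyOutAddr = "192.168.1.20:5061", "203.0.113.10:5061"
// issue makes an ECDSA certificate for name: self-signed (a trust anchor) when
// parent is nil, otherwise signed by parent, as the ASA CA signs the dynamic certificate.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

func pool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// serveOne handles one TLS connection on loopback in the background and returns the address to dial.
func serveOne(cfg *tls.Config, handle func(io.ReadWriter)) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil { panic(err) }
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil { defer c.Close(); handle(c) }
	}()
	return ln.Addr().String()
}

// exchange dials addr with cfg, sends msg, half-closes and returns the reply.
func exchange(addr string, cfg *tls.Config, msg []byte) ([]byte, error) {
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil { return nil, err }
	defer c.Close()
	c.Write(msg)
	c.CloseWrite()
	return io.ReadAll(c)
}

// inspect stands in for the ASA inspection engine: protocol conformance, then the NAT rewrite.
func inspect(msg []byte) ([]byte, error) {
	if !bytes.HasPrefix(msg, []byte("REGISTER sip:")) { return nil, fmt.Errorf("inspect: not a SIP REGISTER, dropped") }
	return bytes.ReplaceAll(msg, []byte(phonePrivAddr), []byte(proxyOutAddr)), nil
}

// RunPhoneProxyDemo builds the PKI, starts a UCM and the proxy, sends msg from the phone, and returns what the UCM saw and what the phone received.
func RunPhoneProxyDemo(msg string) (ucmSaw, phoneGot string, err error) {
	asaCA, asaCAcert := issue("asa-ca.example.com", nil, nil)
	ldc, _ := issue("phone-1001.example.com", asaCAcert, asaCA.PrivateKey.(*ecdsa.PrivateKey))
	proxyCert, proxyLeaf := issue("asa.example.com", nil, nil)
	ucmCert, ucmLeaf := issue("ucm.example.com", nil, nil)
	saw := make(chan string, 1)
	// UCM: admits only a client certificate signed by the ASA local CA.
	ucmAddr := serveOne(&tls.Config{Certificates: []tls.Certificate{ucmCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(asaCAcert)}, func(c io.ReadWriter) {
		req, _ := io.ReadAll(c) // returns once the proxy half-closes
		saw <- string(req)
		io.WriteString(c, "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n")
	})
	// ASA: TLS server to the phone with the proxy certificate, TLS client to the
	// UCM with the dynamic certificate. Cleartext exists only inside this handler.
	toUCM := &tls.Config{Certificates: []tls.Certificate{ldc}, RootCAs: pool(ucmLeaf), ServerName: "ucm.example.com"}
	proxyAddr := serveOne(&tls.Config{Certificates: []tls.Certificate{proxyCert}}, func(ph io.ReadWriter) {
		req, _ := io.ReadAll(ph) // decrypted signaling from the phone
		clean, err := inspect(req)
		if err != nil { io.WriteString(ph, "SIP/2.0 403 Forbidden\r\n\r\n"); saw <- ""; return } // dropped: the UCM never sees it
		if resp, err := exchange(ucmAddr, toUCM, clean); err == nil { ph.Write(resp) } // re-encrypted toward the UCM
	})
	// Phone: trusts only the proxy certificate (its CTL entry), never the UCM's.
	resp, err := exchange(proxyAddr, &tls.Config{RootCAs: pool(proxyLeaf), ServerName: "asa.example.com"}, []byte(msg))
	return <-saw, string(resp), err
}

func main() { fmt.Println(RunPhoneProxyDemo("REGISTER sip:ucm.example.com SIP/2.0\r\nContact: <sip:1001@" + phonePrivAddr + ">\r\n\r\n")) }
```

With the REGISTER message, the UCM sees the Contact header carrying the proxy's outside address and the phone receives 200 OK; an OPTIONS request is answered with 403 by the proxy and never reaches the UCM. Replacing the proxy's client certificate with one not signed by asa-ca.example.com makes the UCM's handshake fail, which is the client-authentication column of Table 45-1 enforced in code; the mobility proxy row differs only in that the server side does not require a client certificate.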
For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The adaptive security appliance is between a Cisco UMA client and a Cisco UMA server. The mobility proxy (implemented as a TLS proxy) for Cisco Unified Mobility allows the use of an imported PKCS-12 certificate for server proxy during the handshake with the client. Cisco UMA clients are not required to present a certificate (no client authentication) during the handshake.
For the Cisco Unified Presence solution, the adaptive security appliance acts as a TLS proxy between the Cisco UP server and the foreign server. This allows the adaptive security appliance to proxy TLS messages on behalf of the server that initiates the TLS connection, and route the proxied TLS messages to the client. The adaptive security appliance stores certificate trustpoints for the server and the client, and presents these certificates on establishment of the TLS session.
Licensing for Cisco Unified Communications Proxy Features
The Cisco Unified Communications proxy features supported by the adaptive security appliance require a Unified Communications Proxy license:
• Phone proxy
• TLS proxy for encrypted voice inspection
• Mobility proxy
• Presence federation proxy
The Unified Communications proxy features are licensed by TLS session. For the phone proxy or TLS proxy, each IP phone may have a single connection to the Cisco UCM server or two connections, one to the primary Cisco UCM and one to the backup Cisco UCM. In the second scenario, the phone proxy uses two Unified Communications Proxy sessions because two TLS sessions are set up. For the mobility proxy and presence federation proxy, each endpoint utilizes one Unified Communications Proxy session.
Table 45-2 shows the Unified Communications Proxy license details by platform.
Table 45-2 License Requirements for the Security Appliance
Security Appliance Platform | Max UC Proxy Licenses | Tiers for UC Proxy Licenses
ASA 5505 | 24 | 24
ASA 5510 | 100 | 24, 50, 100
ASA 5520 | 1,000 | 24, 50, 100, 250, 500, 750, 1000
ASA 5540 | 2,000 | 24, 50, 100, 250, 500, 750, 1000, 2000
ASA 5550 | 3,000 | 24, 50, 100, 250, 500, 750, 1000, 2000, 3000
A Unified Communications Proxy license is applied the same way as other licensed features (such as SSL VPN), with the activation-key command. To check the license on the adaptive security appliance, use the show version or show activation-key command:
hostname# show activation-key
Serial Number: P3000000179
Running Activation Key: 0xa700d24c 0x98caab35 0x88038550 0xaf383078 0x02382080
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Enabled
This platform has an ASA 5520 VPN Plus license.
The flash activation key is the SAME as the running key.
See the following links for additional information on licensing. If you are a registered user of Cisco.com and would like to obtain a Unified Communications Proxy license, go to the following website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, go to the following website:
https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet
Provide your name, e-mail address, and the serial number for the adaptive security appliance as it appears in the show version command output.