Guest

Cisco Unity Connection

Cisco Unified CallManager 5.1 SCCP Integration Guide for Cisco Unity Connection 1.2

 Feedback

Table Of Contents

Cisco Unified CallManager 5.1 SCCP Integration Guide for Cisco Unity Connection 1.2

Integration Tasks

Task List to Create the Integration by SCCP

Task List to Change the Number of Voice Messaging Ports

Task List to Add a Cisco Unified CallManager Express Server to a Cisco Unified CallManager Cluster

Requirements

Integration Description

Call Information

Integration Functionality

Integrations with Multiple Phone Systems

Planning How the Voice Messaging Ports Will Be Used by Cisco Unity Connection

Programming the Cisco Unified CallManager Phone System

Setting Up the Gateways That Service Cisco Unity Connection

Creating a New Integration with the Cisco Unified CallManager Phone System

Setting Up Cisco Unified CallManager Authentication and Encryption with Cisco Unity Connection

Testing the Integration

(Multiple Integrations Only) Adding New User Templates

Changing the Number of Voice Messaging Ports

Adding a Cisco Unified CallManager Express Server to a Cisco Unified CallManager Phone System Integration


Appendix: Cisco Unified CallManager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports

Cisco Unified CallManager Security Features

Functional Overview

Security Mode Settings in Cisco Unity Connection


Appendix: Documentation and Technical Assistance

Conventions

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Product Alerts and Field Notices

Obtaining Technical Assistance

Cisco Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Cisco Unified CallManager 5.1 SCCP Integration Guide for Cisco Unity Connection 1.2


Published December 20, 2006

This document provides instructions for integrating the Cisco Unified CallManager phone system with Cisco Unity Connection by Skinny Call Control Protocol (SCCP).

Cisco Unity Connection supports an SCCP integration with the Cisco Unified CallManager phone system under either of the following conditions:

Cisco Unified CallManager phone system has only IP phones.

Cisco Unified CallManager phone system has both IP phones and SIP phones but does not have a media termination point (MTP).

Cisco Unified CallManager phone system has both IP phones and SIP phones and has a media termination point (MTP).


Note If you are configuring MWI relay across trunks in a distributed phone system, you must refer to the Cisco Unified CallManager documentation for requirements and instructions. Configuring MWI relay across trunks does not involve Cisco Unity Connection settings.


Integration Tasks

Before doing the following tasks to integrate Cisco Unity Connection with the Cisco Unified CallManager phone system, confirm that the Cisco Unity Connection server is ready for the integration by completing the applicable tasks in the Cisco Unity Connection Installation Guide.

The following task lists describe the process for creating and changing integrations.

Task List to Create the Integration by SCCP

Use the following task list to set up a new integration with the Cisco Unified CallManager phone system. If you are installing a new Cisco Unity Connection server by using the Cisco Unity Connection Installation Guide, you may have already completed some of the following tasks.

1. Review the system and equipment requirements to confirm that all phone system and Cisco Unity Connection server requirements have been met. See the "Requirements" section.

2. Plan how the voice messaging ports will be used by Cisco Unity Connection. See the "Planning How the Voice Messaging Ports Will Be Used by Cisco Unity Connection" section.

3. Program Cisco Unified CallManager. See the "Programming the Cisco Unified CallManager Phone System" section.

4. Set up the gateways that service Cisco Unity Connection. See the "Setting Up the Gateways That Service Cisco Unity Connection" section.

5. Create the integration. See the "Creating a New Integration with the Cisco Unified CallManager Phone System" section.


Note An additional Cisco Unified CallManager cluster can be added by creating a new phone system integration through the Phone System Integration Wizard. Each Cisco Unified CallManager cluster is a separate phone system integration.


6. Test the integration. See the "Testing the Integration" section.

7. If this integration is a second or subsequent integration, add the applicable new user templates for the new phone system. See the (Multiple Integrations Only) Adding New User Templates.

Task List to Change the Number of Voice Messaging Ports

Use the following task list to change the number of voice messaging ports for an integration after it has been created.

1. Change the number of voice messaging ports in Cisco Unified CallManager Administration and in Cisco Unity Connection Administration. See the "Changing the Number of Voice Messaging Ports" section.

Task List to Add a Cisco Unified CallManager Express Server to a Cisco Unified CallManager Cluster

Use the following task list to add a Cisco Unified CallManager Express server to a Cisco Unified CallManager cluster.

1. Confirm that the Cisco Unified CallManager Express server meets the requirements for integrating with Cisco Unity Connection. Refer to the applicable Cisco Unified CallManager Express integration guide at http://www.cisco.com/en/US/products/ps6509/products_installation_and_configuration_guides_list.html.

2. Add the Cisco Unified CallManager Express server to the port group for the Cisco Unified CallManager phone system integration. See "Adding a Cisco Unified CallManager Express Server to a Cisco Unified CallManager Phone System Integration" section.

3. If needed, add voice messaging ports. See the "Changing the Number of Voice Messaging Ports" section.

Requirements

The Cisco Unified CallManager integration supports configurations of the following components:

Phone System

A Cisco IP telephony applications server consisting of Cisco Unified CallManager 5.1(x), running on a Cisco Media Convergence Server (MCS) or customer-provided server meeting approved Cisco configuration standards.

The following phones or combinations of phones for the Cisco Unified CallManager extensions:

Only IP phones for the Cisco Unified CallManager extensions.

Both IP phones and SIP phones for the Cisco Unified CallManager extensions without a media termination point (MTP) on the Cisco Unified CallManager server.

Both IP phones and SIP phones for the Cisco Unified CallManager extensions with a media termination point (MTP) on the Cisco Unified CallManager server.

A LAN connection in each location where you will plug the applicable phone into the network.

For multiple Cisco Unified CallManager clusters, the capability for users to dial an extension on another Cisco Unified CallManager cluster without having to dial a trunk access code or prefix.

Cisco Unity Connection Server

The applicable version of Cisco Unity Connection. For details on compatible versions of Cisco Unity Connection, refer to the Compatibility Matrix: Cisco Unity Connection, the Cisco Unity-CM TSP, Cisco Unified CallManager, and Cisco Unified CallManager Express at http://www.cisco.com/en/US/products/ps6509/products_device_support_tables_list.html.

Cisco Unity Connection installed and ready for the integration, as described in the Cisco Unity Connection Installation Guide at http://www.cisco.com/en/US/products/ps6509/prod_installation_guides_list.html.

The applicable Cisco Unity-CM TSP, installed. For details on compatible versions of the TSP, refer to the Compatibility Matrix: Cisco Unity Connection, the Cisco Unity-CM TSP, Cisco Unified CallManager, and Cisco Unified CallManager Express at http://www.cisco.com/en/US/products/ps6509/products_device_support_tables_list.html.

A license that enables the appropriate number of voice messaging ports.

Integration Description

The Cisco Unified CallManager integration uses the LAN to connect Cisco Unity Connection and the phone system. The gateway provides connections to the PSTN. Figure 1 shows the connections.

Figure 1 Connections Between the Phone System and Cisco Unity Connection

Call Information

The phone system sends the following information with forwarded calls:

The extension of the called party

The extension of the calling party (for internal calls) or the phone number of the calling party (if it is an external call and the system uses caller ID)

The reason for the forward (the extension is busy, does not answer, or is set to forward all calls)

Cisco Unity Connection uses this information to answer the call appropriately. For example, a call forwarded to Cisco Unity Connection is answered with the personal greeting of the user. If the phone system routes the call to Cisco Unity Connection without this information, Cisco Unity Connection answers with the opening greeting.

Integration Functionality

The Cisco Unified CallManager integration with Cisco Unity Connection provides the following features:

Call forward to personal greeting

Call forward to busy greeting

Caller ID

Easy message access (a user can retrieve messages without entering an ID; Cisco Unity Connection identifies a user based on the extension from which the call originated; a password may be required)

Identified subscriber messaging (Cisco Unity Connection automatically identifies a user who leaves a message during a forwarded internal call, based on the extension from which the call originated)

Message waiting indication (MWI)

The functionality of this integration may be affected by the issues described below.

Use of Cisco Unified Survivable Remote Site Telephony (SRST) Router

When a Cisco Unified Survivable Remote Site Telephony (SRST) router is part of the network and the Cisco Unified SRST router takes over call processing functions from Cisco Unified CallManager (for example, because the WAN link is down), phones at a branch office can continue to function. In this situation, however, the integration features have the following limitations:

Call forward to busy greeting—When the Cisco Unified SRST router uses FXO/FXS connections to the PSTN and a call is forwarded from a branch office to Cisco Unity Connection, the busy greeting cannot play.

Call forward to internal greeting—When the Cisco Unified SRST router uses FXO/FXS connections to the PSTN and a call is forwarded from a branch office to Cisco Unity Connection, the internal greeting cannot play. Because the PSTN provides the calling number of the FXO line, the caller is not identified as a user.

Call transfers—Because an access code is needed to reach the PSTN, call transfers from Cisco Unity Connection to a branch office will fail.

Identified user messaging—When the Cisco Unified SRST router uses FXO/FXS connections to the PSTN and a user at a branch office leaves a message or forwards a call, the user is not identified. The caller appears as an unidentified caller.

Message waiting indication—MWIs are not updated on branch office phones, so MWIs will not correctly reflect when new messages arrive or when all messages have been listened to. We recommend resynchronizing MWIs after the WAN link is reestablished.

Message notification—Because an access code is needed to reach the PSTN, message notifications from Cisco Unity Connection to a branch office will fail.

Routing rules—When the Cisco Unified SRST router uses FXO/FXS connections to the PSTN and a call arrives from a branch office to Cisco Unity Connection (either a direct or forwarded call), routing rules will fail.

When the Cisco Unified SRST router uses PRI/BRI connections, the caller ID for calls from a branch office to Cisco Unity Connection may be the full number (exchange plus extension) provided by the PSTN and therefore may not match the extension of the Cisco Unity Connection user. If this is the case, you can let Cisco Unity Connection recognize the caller ID by using alternate extensions (for instructions, see the "Appendix: Using Alternate Extensions and MWIs" section).

Redirected Dialed Number Information Service (RDNIS) needs to be supported when using SRST.

For information on setting up Cisco Unified SRST routers, refer to the "Integrating Voice Mail with Cisco Unified SRST" section of the Cisco Unified SRST System Administrator Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122z/122zj15/index.htm.

Impact of Non-Delivery of RDNIS on Voice Mail Calls Routed via AAR

RDNIS needs to be supported when using Automated Alternate Routing (AAR).

AAR can route calls over the PSTN when the WAN is oversubscribed. However, when calls are rerouted over the PSTN, RDNIS can be affected. Incorrect RDNIS information can affect voice mail calls that are rerouted over the PSTN by AAR when Cisco Unity Connection is remote from its messaging clients. If the RDNIS information is not correct, the call will not reach the voice mail box of the dialed user but will instead receive the automated attendant prompt, and the caller might be asked to reenter the extension number of the party they wish to reach. This behavior is primarily an issue when the telephone carrier is unable to ensure RDNIS across the network. There are numerous reasons why the carrier might not be able to ensure that RDNIS is properly sent. Check with your carrier to determine whether it provides guaranteed RDNIS delivery end-to-end for your circuits. The alternative to using AAR for oversubscribed WANs is simply to let callers hear reorder tone in an oversubscribed condition.

Integrations with Multiple Phone Systems

Cisco Unity Connection can be integrated with multiple phone systems at one time. For information on and instructions for integrating Cisco Unity Connection with multiple phone systems, refer to the Multiple Phone System Integration Guide at http://www.cisco.com/en/US/products/ps6509/products_installation_and_configuration_guides_list.html.

Planning How the Voice Messaging Ports Will Be Used by Cisco Unity Connection

Before programming the phone system, you need to plan how the voice messaging ports will be used by Cisco Unity Connection. The following considerations will affect the programming for the phone system (for example, setting up the hunt group or call forwarding for the voice messaging ports):

The number of voice messaging ports installed.

The number of voice messaging ports that will answer calls.

The number of voice messaging ports that will only dial out, for example, to send message notification, to set message waiting indicators (MWIs), and to make telephone record and playback (TRAP) connections.

The following table describes the voice messaging port settings in Cisco Unity Connection that can be set on Telephony Integrations > Port of Cisco Unity Connection Administration.

Table 1 Settings for the Voice Ports 

Field
Considerations

Enabled

Check this check box to enable the port. The port is enabled during normal operation.

Uncheck this check box to disable the port. When the port is disabled, calls to the port get a ringing tone but are not answered. Typically, the port is disabled only by the installer during testing.

Extension

Enter the extension for the port as assigned on the phone system.

Answer Calls

Check this check box to designate the port for answering calls. These calls can be incoming calls from unidentified callers or from users.

Perform Message Notification

Check this check box to designate the port for notifying users of messages. Assign Perform Message Notification to the least busy ports.

Send MWI Requests

Check this check box to designate the port for turning MWIs on and off. Assign Send MWI Requests to the least busy ports.

Allow TRAP Connections

Check this check box so that users can use the port for recording and playback through the phone in Cisco Unity Connection web applications. Assign Allow TRAP Connections to the least busy ports.

Outgoing Hunt Order

Enter the priority order in which Cisco Unity Connection will use the ports when dialing out (for example, if the Perform Message Notification, Send MWI Requests, or Allow TRAP Connections check box is checked). The highest numbers are used first. However, when multiple ports have the same Outgoing Hunt Order number, Cisco Unity Connection will use the port that has been idle the longest.

Security Mode

Click the applicable security mode:

Non-secure—The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CallManager through a non-authenticated port rather than an authenticated TLS port. In addition, the media stream will not be encrypted.

Authenticated—The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CallManager through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text. In addition, the media stream will not be encrypted.

Encrypted—The integrity and privacy of call-signaling messages will be ensured on this port because they will be connected to Cisco Unified CallManager through an authenticated TLS port, and the call-signaling messages will be encrypted. In addition, the media stream will be encrypted.


The Number of Voice Messaging Ports to Install

The number of voice messaging ports to install depends on numerous factors, including:

The number of calls Cisco Unity Connection will answer when call traffic is at its peak.

The expected length of each message that callers will record and that users will listen to.

The number of users.

The number of ports that will be set to dial out only.

The number of calls made for message notification.

The number of MWIs that will be activated when call traffic is at its peak.

The number of TRAP connections needed when call traffic is at its peak. (TRAP connections are used by Cisco Unity Connection web applications to play back and record over the phone.)

The number of calls that will use the automated attendant and call handlers when call traffic is at its peak.

It is best to install only the number of voice messaging ports that are needed so that system resources are not allocated to unused ports.

The Number of Voice Messaging Ports That Will Answer Calls

The calls that the voice messaging ports answer can be incoming calls from unidentified callers or from users. Typically, the voice messaging ports that answer calls are the busiest.

You can set voice messaging ports to both answer calls and to dial out (for example, to send message notifications). However, when the voice messaging ports perform more than one function and are very active (for example, answering many calls), the other functions may be delayed until the voice messaging port is free (for example, message notifications cannot be sent until there are fewer calls to answer). For best performance, dedicate certain voice messaging ports for only answering incoming calls, and dedicate other ports for only dialing out. Separating these port functions eliminates the possibility of a collision, in which an incoming call arrives on a port at the same time that Cisco Unity Connection takes the port off-hook to dial out.

The Number of Voice Messaging Ports That Will Only Dial Out, and Not Answer Calls

Ports that will only dial out and will not answer calls can do one or more of the following:

Notify users by phone, pager, or e-mail of messages that have arrived.

Turn MWIs on and off for user extensions.

Make a TRAP connection so that users can use the phone as a recording and playback device in Cisco Unity Connection web applications.

Typically, these voice messaging ports are the least busy ports.


Caution In programming the phone system, do not send calls to voice messaging ports in Cisco Unity Connection that cannot answer calls (voice messaging ports that are not set to Answer Calls). For example, if a voice messaging port is set only to Send MWI Requests, do not send calls to it.

Preparing for Programming the Phone System

Record your decisions about the voice messaging ports to guide you in programming the phone system.

Programming the Cisco Unified CallManager Phone System

After Cisco Unified CallManager software is installed, do the following procedures in the order given.

To Add Partitions and a Calling Search Space to Contain the Voice Mail Ports


Step 1 In the Cisco Unified CallManager Administration, click Call Routing > Class of Control > Partition.

Step 2 On the Find and List Partitions page, click Add New.

Step 3 On the Partition Configuration page, enter the name and description you want for the partition that will contain all voice mail port directory numbers. For example, enter "VMRestrictedPT, Partition for voice mail port directory numbers."

Step 4 Click Save.

Step 5 Click Add New.

Step 6 Enter the name and description you want for the partition that will contain the hunt pilot, which will be the voice mail pilot number. For example, enter "VMPilotNumberPT, Partition for the voice mail pilot number."

Step 7 Click Save.

Step 8 Click Call Routing > Class of Control > Calling Search Space.

Step 9 On the Find and List Calling Search Spaces page, click Add New.

Step 10 On the Calling Search Space Configuration page, in the Name field, enter a name for the calling search space that will include the partition created in Step 2 through Step 4. For example, enter "VMRestrictedCSS."

Step 11 Optionally, in the Description field, enter a description of the calling search space. For example, enter "Voice mail port directory numbers."

Step 12 In the Available Partitions list, click the name of the partition created in Step 2 through Step 4. For example, click "VMRestrictedPT."

Step 13 Click the down arrow below the Available Partitions list.

The name of the partition appears in the Selected Partitions list.

Step 14 Click Save.

Step 15 On the Find and List Calling Search Spaces page, click Find.

Step 16 Click the name of the calling search space that is used by user phones.

Step 17 On the Calling Search Space Configuration page, in the Available Partitions list, click the name of the partition created in Step 5 through Step 7. For example, click "VMPilotNumberPT."


Caution If the partition that contains the hunt pilot (which will be the voice mail pilot number) is not in the calling search space that is used by user phones, the phones will not be able to dial the Cisco Unity Connection server.

Step 18 Click the down arrow below the Available Partition list.

The name of the partition appears in the Selected Partitions list.

Step 19 Click Save.

Step 20 Repeat Step 16 through Step 19 for each remaining calling search space that needs to access Cisco Unity Connection.


To Add a Device Pool for the Voice Mail Ports


Step 1 In the Cisco Unified CallManager Administration, click System > Device Pool.

Step 2 On the Find and List Device Pools page, click Add New.

Step 3 On the Device Pool Configuration page, enter the following device pool settings.

Table 2 Settings for the Device Pool Configuration Page 

Field
Setting

Device Pool Name

Enter Cisco Unity Connection Voice Mail Ports or other description for this device pool.

Cisco Unified CallManager Group

Click the Cisco Unified CallManager group to assign to the voice mail ports in this device pool.

Date/Time Group

Click the date/time group to assign to the voice mail ports in this device pool.

Region

Click the Cisco Unified CallManager region to assign to the voice mail ports in this device pool.

Softkey Template

Click the softkey template to assign to the voice mail ports in this device pool.

SRST Reference

If applicable, click the survivable remote site telephony (SRST) reference to assign to the voice mail ports in this device pool.

Network Hold MOH Source

Click None.

User Hold MOH Audio Source

Click None.


Step 4 Click Save.


In the following procedure, add a voice mail port to Cisco Unified CallManager for each voice mail port that you will connect to Cisco Unity Connection.

To Add Voice Mail Ports to Cisco Unified CallManager


Step 1 In the Cisco Unified CallManager Administration, click Voice Mail > Cisco Voice Mail Port Wizard.

Step 2 On the What Would You Like to Do page, click Create a New Cisco Voice Mail Server and Add Ports to It, and click Next.

Step 3 On the Cisco Voice Mail Server page, the name of the voice mail server appears. We recommend that you accept the default name for the voice mail server. If you must use a different name, however, the name must have no more than nine characters.

The voice mail server name must match the Device Name Prefix field in Cisco Unity Connection on the Port Group Basics page for the voice messaging ports.

Step 4 Click Next.

Step 5 On the Cisco Voice Mail Ports page, click the number of voice mail ports that you want to add (which must not be more voice mail ports than the Cisco Unity Connection license enables), then click Next.

If you will integrate Cisco Unity Connection with multiple clusters of Cisco Unified CallManager, the number you enter here cannot bring the total number of ports on all clusters integrated with Cisco Unity Connection to more than the number of ports enabled by the Cisco Unity Connection license.

Step 6 On the Cisco Voice Mail Device Information page, enter the following voice mail device settings.

Table 3 Settings for the Voice Mail Device Information Page 

Field
Setting

Description

Enter Cisco Voice Mail Port or another description for the voice mail device.

Device Pool

Click the name of the device pool you created for the voice mail ports. For example, click Cisco Unity Connection Voice Mail Ports.

Calling Search Space

Click the name of a calling search space that allows calls to the user phones and any required network devices.

This calling search space must include partitions that contain all devices Cisco Unity Connection needs to access (for example, during call transfers, message notifications, and MWI activations).

AAR Calling Search Space

Accept the default of None.

Location

Accept the default of None.


Step 7 Click Next.

Step 8 On the Cisco Voice Mail Directory Numbers page, enter the following voice mail directory number settings.

Table 4 Settings for the Voice Mail Directory Numbers Page 

Field
Setting

Beginning Directory Number

Enter the extension number of the first voice mail port.

Partition

Click the name of the partition that you set up for all voice mail port directory numbers. For example, click "VMRestrictedPT."

Calling Search Space

Click the name of a calling search space that you set up to contain the partition with all voice mail port directory numbers, as set in Step 9 of the "To Add Partitions and a Calling Search Space to Contain the Voice Mail Ports" procedure. For example, click "VMRestrictedCSS."

Because this calling search space is not used by user phones, users are not able to dial the voice mail ports. However, users can dial the voice mail pilot number.

AAR Group

Click the automated alternate routing (AAR) group for the voice mail ports. The AAR group provides the prefix digits that are used to route calls that are otherwise blocked due to insufficient bandwidth. If you click None, no rerouting of blocked calls will be attempted.

Internal Caller ID Display

Accept the default of Voicemail.

This text appears on the phone when the pilot number is dialed.

Internal Caller ID Display (ASCII Format)

Accept the default of Voicemail.

This text appears on the phone when the pilot number is dialed.

External Number Mask

Leave this field blank, or specify the mask used to format caller ID information for external (outbound) calls. The mask can contain up to 50 characters. Enter the literal digits that you want to appear in the caller ID information, and enter X for each digit in the directory number of the device.

Device Security Mode

Click the security mode that you want to use for the voice mail ports. For details on the settings for Cisco Unified CallManager authentication and encryption of the voice mail ports, see the "Appendix: Cisco Unified CallManager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports" section.


Step 9 Click Next.

Step 10 On the Do You Want to Add These Directory Numbers to a Line Group page, click No, I Will Add Them Later, and click Next.

Step 11 On the Ready to Add Cisco Voice Mail Ports page, confirm that the settings for the voice mail ports are correct, and click Finish.

If the settings are not correct, click Back and enter the correct settings.


To Add Voice Mail Ports to Line Groups


Step 1 In the Cisco Unified CallManager Administration, click Call Routing > Route/Hunt > Line Group.

Step 2 On the Find and List Line Groups page, click Add New.

This line group will contain directory numbers for voice mail ports that will answer calls. Directory numbers for voice mail ports that will only dial out (for example, to set MWIs) must not be included in this line group.

Step 3 On the Line Group Configuration page, enter the following settings.

Table 5 Settings for the Line Group Configuration Page for Answering Ports 

Field
Setting

Line Group Name

Enter Cisco Unity Connection Answering Ports or another unique name for line groups.

RNA Reversion Timeout

Accept the default of 10.

Distribution Algorithm

Accept the default of Top Down.

No Answer

Accept the default of Try Next Member; Then, Try Next Group in Hunt List.

Busy

Accept the default of Try Next Member; Then, Try Next Group in Hunt List.

Not Available

Accept the default of Try Next Member; Then, Try Next Group in Hunt List.


Step 4 Under Line Group Member Information, in the Partition list, click the name of the partition that you set up for all voice mail port directory numbers. For example, click "VMRestrictedPT."

Step 5 Click Find.

Step 6 In the Available DN/Route Partition list, click the first directory number of a voice mail port that will answer calls, and click Add to Line Group.


Caution The directory numbers in the Selected DN/Route Partition list must appear in numerical sequence with the lowest number on top.

Step 7 Repeat Step 6 for all remaining directory numbers of voice mail ports that will answer calls.


Caution Do not include directory numbers of voice mail ports that will only dial out (for example, to set MWIs).

Step 8 Click Save.

Step 9 If you will have voice mail ports that will only dial out (will not answer calls), do Step 10 through Step 16.

Otherwise, skip the remaining steps in this procedure and continue on to the "To Add the Line Group to a Hunt List" procedure.

Step 10 Click Add New.

This line group will contain directory numbers for voice mail ports that will only dial out. Directory numbers for voice mail ports that answer calls must not be included in this line group.

Step 11 On the Line Group Configuration page, enter the following settings.

Table 6 Settings for the Line Group Configuration Page for Dial-Out Ports 

Field
Setting

Line Group Name

Enter Cisco Unity Connection Dial-Out Ports or another unique name.

RNA Reversion Timeout

Accept the default of 10.

Distribution Algorithm

Accept the default of Top Down.

No Answer

Click Stop Hunting.

Busy

Click Stop Hunting.

Not Available

Click Stop Hunting.


Step 12 Under Line Group Member Information, in the Partition list, click the name of the partition that you set up for all voice mail port directory numbers. For example, click "VMRestrictedPT."

Step 13 Click Find.

Step 14 In the Available DN/Route Partition list, click the first directory number of a voice mail port that will only dial out, and click Add to Line Group.


Caution The directory numbers in the Selected DN/Route Partition list must appear in numerical sequence with the lowest number on top.

Step 15 Repeat Step 14 for all remaining voice mail ports that will only dial out.


Caution Do not include directory numbers of voice mail ports that will answer calls.

Step 16 Click Save.


To Add the Line Group to a Hunt List


Step 1 In the Cisco Unified CallManager Administration, click Call Routing > Route/Hunt > Hunt List.

Step 2 On the Find and List Hunt Lists page, click Add New.

Step 3 On the Hunt List Configuration page, enter the following settings for the hunt list.

Table 7 Settings for the Hunt List Configuration Page for Answering Ports 

Field
Setting

Name

Enter Cisco Unity Connection Answering Ports or another unique name for the hunt list.

Description

Enter Cisco Unity Connection ports that answer calls or another description.

Cisco Unified CallManager Group

Click Default or the name of the Cisco Unified CallManager group you are using.


Step 4 Click Save.

Step 5 Under Hunt List Member Information, click Add Line Group.

Step 6 On the Hunt List Detail Configuration page, in the Line Group list, click the line group you created for the directory numbers of voice mail ports that will answer calls, then click Save.


Caution In the hunt list, do not include line groups with voice mail ports that Cisco Unity Connection will use to dial out. Otherwise, the integration will not function correctly.

Step 7 When alerted that the line group has been inserted, click OK.

Step 8 On the Hunt List Configuration page, click Reset.

Step 9 When asked to confirm resetting the hunt list, click OK.

Step 10 When alerted that the hunt list has been reset, click OK.


To Add the Hunt List to a Hunt Pilot Number


Step 1 In the Cisco Unified CallManager Administration, click Call Routing > Route/Hunt > Hunt Pilot.

Step 2 On the Find and List Hunt Pilots page, click Add New.

Step 3 On the Hunt Pilot Configuration page, enter the following settings for the hunt pilot.

Table 8 Settings for Hunt Pilot Configuration Page 

Field
Setting

Hunt Pilot

Enter the hunt pilot number for the voice mail ports. The hunt pilot number must be different from the extension numbers of the voice mail ports.

The hunt pilot number is the extension number that users enter to listen to their voice messages.

Partition

Click the name of the partition that you set up for the voice mail pilot number. For example, click "VMPilotNumberPT."

Description

Enter Connection Hunt Pilot or another description.

Numbering Plan

Accept the default setting, or click the numbering plan that you have set up for your system.

Route Filter

Click None, or click the name of the route filter that you set up for your system.

MLPP Precedence

Accept the default setting, or click another setting.

Hunt List

Click the hunt list of voice mail ports that answer calls, which you set up in the "To Add the Line Group to a Hunt List" procedure.

Route Option

Click Route This Pattern.

Provide Outside Dial Tone

Uncheck the check box.


Step 4 Click Save.


To Specify MWI Directory Numbers


Step 1 In the Cisco Unified CallManager Administration, click Voice Mail > Message Waiting.

Step 2 On the Find and List Message Waiting Numbers page, click Add New.

Step 3 On the Message Waiting Configuration page, enter the following settings for turning MWIs on.

Table 9 Settings for Turning MWIs On 

Field
Setting

Message Waiting Number

Enter the unique extension that turns MWIs on.

Partition

Click the name of the partition that you set up for the voice mail pilot number. For example, click "VMPilotNumberPT."

Description

Enter DN to turn MWIs on or another description.

Message Waiting Indicator

Click On.

Calling Search Space

Click a calling search space that is used by user phones.


Step 4 Click Save.

Step 5 Click Add New.

Step 6 Enter the following settings for turning MWIs off.

Table 10 Settings for Turning MWIs Off 

Field
Setting

Directory Number

Enter the unique extension that turns MWIs off.

Partition

Click the name of the partition that you set up for the voice mail pilot number. For example, click "VMPilotNumberPT."

Description

Enter DN to turn MWIs off or another description.

Message Waiting Indicator

Click Off.

Calling Search Space

Click a calling search space that is used by user phones.


Step 7 Click Save.


In the following procedure, you will add the voice mail pilot number, which is the extension that you dial to listen to your voice messages. Your Cisco IP phone automatically dials the voice mail pilot number when you press the Messages button.

To Add a Voice Mail Pilot Number for the Voice Mail Ports


Step 1 In the Cisco Unified CallManager Administration, click Voice Mail > Voice Mail Pilot.

Step 2 On the Find and List Voice Mail Pilots page, click Add New.

Step 3 On the Voice Mail Pilot Configuration page, enter the following voice mail pilot number settings.

Table 11 Settings for the Voice Mail Pilot Configuration Page 

Field
Setting

Voice Mail Pilot Number

Enter the voice mail pilot number that users will dial to listen to their voice messages. This number must be the same as the hunt pilot number that you entered when adding voice mail ports earlier.

Calling Search Space

Click the calling search space that includes partitions containing the user phones and the partition you set up for the voice mail pilot number.

Description

Enter Cisco Unity Connection Pilot or another description.

Make This the Default Voice Mail Pilot for the System

Check this check box. When this check box is checked, this voice mail pilot number replaces the current default pilot number.


Step 4 Click Save.


To Set Up the Voice Mail Profile


Step 1 In the Cisco Unified CallManager Administration, click Voice Mail > Voice Mail Profile.

Step 2 On the Find and List Voice Mail Profiles page, click Add New.

Step 3 On the Voice Mail Profile Configuration page, enter the following voice mail profile settings.

Table 12 Settings for the Voice Mail Profile Configuration Page 

Field
Setting

Voice Mail Profile Name

Enter a name to identify the voice mail profile.

Description

Enter Cisco Unity Connection Profile or another description.

Voice Mail Pilot

Click one of the following:

The applicable voice mail pilot number that you defined on the Voice Mail Pilot Configuration page

Use Default

Voice Mail Box Mask

When multitenant services are not enabled on Cisco Unified CallManager, leave this field blank.

When multitenant services are enabled, each tenant uses its own voice mail profile and must create a mask to identify the extensions (directory numbers) in each partition that is shared with other tenants. For example, one tenant can use a mask 972813XXXX, while another tenant can use the mask 214333XXXX. Each tenant also uses its own translation patterns for MWIs.

Make This the Default Voice Mail Profile for the System

Check this check box to make this voice mail profile the default.

When this check box is checked, this voice mail profile replaces the current default voice mail profile.


Step 4 Click Save.


To Set Up the Voice Mail Server Service Parameters


Step 1 In the Cisco Unified CallManager Administration, click System > Service Parameters.

Step 2 On the Service Parameters Configuration page, in the Server field, click the name of the Cisco Unified CallManager server.

Step 3 In the Service list, click Cisco Unified CallManager. The list of parameters appears.

Step 4 Under Clusterwide Parameters (Feature - General), locate the Multiple Tenant MWI Modes parameter.

Step 5 If you use multiple tenant MWI notification, click True.

When this parameter is set to True, Cisco Unified CallManager uses any configured translation patterns to convert voice mail extensions into directory numbers when turning on or off an MWI.

Step 6 If you changed any settings, click Save. Then shut down and restart the Cisco Unified CallManager server.


Setting Up the Gateways That Service Cisco Unity Connection

In certain situations, DTMF digits are not recognized when processed through VoIP dial-peer gateways. To avoid this problem, certain gateways must be configured to enable DTMF relay. The DTMF relay feature is available in Cisco IOS software version 12.0(5) and later.

Cisco IOS software-based gateways that use H.245 out-of-band signaling must be configured to enable DTMF relay.

The Catalyst 6000 T1/PRI and FXS gateways enable DTMF relay by default and do not need additional configuration to enable this feature.

To Enable DTMF Relay


Step 1 On a VoIP dial-peer servicing Cisco Unity Connection, use the following command:

dtmf-relay h245-alphanumeric

Step 2 Create a destination pattern that matches the Cisco Unified CallManager voice mail port numbers. For example, if the system has voice mail ports 1001 through 1016, enter the dial-peer destination pattern 10xx.

Step 3 Repeat Step 1 and Step 2 for all remaining VoIP dial-peers servicing Cisco Unity Connection.


Creating a New Integration with the Cisco Unified CallManager Phone System

After ensuring that the Cisco Unified CallManager phone system and Cisco Unity Connection are ready for the integration, do the following procedures to set up the integration and to enter the port settings.

To Create an Integration


Step 1 Log on to Cisco Unity Connection Administration.

Step 2 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Phone System.

Step 3 On the Search Phone Systems page, on the Phone System menu, click New Phone System. The Phone System Integration Wizard appears.

Step 4 On the Select Phone System Manufacturer page, in the Manufacturer field, click Cisco Systems and click Next.

Step 5 On the Select Phone System Model page, in the Model field, click CallManager and click Next.

Step 6 On the Set Up Phone System page, in the Phone System Name field, accept the default name or enter the descriptive name that you want, and click Next.

Step 7 On the Select Port Group Template page, in the Port Group Template field, click SCCP - Skinny Client Control Protocol and click Next.

Step 8 On the Set Up Port Group page, enter the following settings and click Next.

Table 13 Settings for the Set Up Port Group Page 

Field
Setting

Port Group Name

<the display name for the port group; accept the default name, which is composed of the phone system display name followed by an incrementing number, or enter another descriptive name>

Device Name Prefix

<the prefix that Cisco Unified CallManager adds to the device name for voice ports; this prefix must match the prefix used by Cisco Unified CallManager>

MWI On Extension

<the extension that you specified in Cisco Unified CallManager Administration for turning MWIs on>

MWI Off Extension

<the extension that you specified in Cisco Unified CallManager Administration for turning MWIs off>

Security Mode

<the Cisco Unified CallManager security mode that you want to use for the voice messaging ports in this port group>

Number of Ports

<the number of voice messaging ports that you want to create in this port group>

IP Address or Host Name

<the IP address (or host name) of the primary Cisco Unified CallManager server that you are integrating with Cisco Unity Connection>

Test Address

Click this button to test the IP address that you entered. The results of the test appear in the field to the right of the button.

Port

<the TCP port of the primary Cisco Unified CallManager server that you are integrating with Cisco Unity Connection; we recommend that you use the default setting>

TLS Port

<the TLS port of the primary Cisco Unified CallManager server that you are integrating with Cisco Unity Connection; we recommend that you use the default setting>

Server Type

Cisco Unified CallManager


Step 9 On the Confirm Phone System Settings page, confirm the settings that you have entered and click Finish.

Step 10 On the Phone System Creation Summary page, click Close.

Step 11 If Cisco Unity Connection does not connect to an AXL server, skip to Step 17. Otherwise, on the Search Phone Systems page, click the display name of the phone system that you created in Step 9.

Step 12 On the Phone System Basics page, in the Edit menu, click Cisco Unified CallManager AXL Servers.

Connecting to an AXL server is needed when Cisco Unity Connection must have access to the Cisco Unified CallManager database for importing Cisco Unified CallManager users and for changing certain phone settings for users of Cisco Unity Connection personal call transfer rules.


Caution If you plan to import Cisco Unified CallManager users, confirm that the Primary Extension field on the End User Configuration page for each user is filled in. Otherwise, the search will not find any users to select for importing.

Step 13 Under AXL Servers, click Add New.

Step 14 Enter the following settings for the AXL server and click Save.

Table 14 Settings for the AXL Servers 

Field
Setting

Order

<the order of priority for the AXL server; the lowest number is the primary AXL server, the higher numbers are the secondary servers>

IP Address or Host Name

<the IP address (or host name) of the AXL server>

Port

<the AXL server port that Cisco Unity Connection connects to; this setting must match the port that the AXL server will use>

The port number is typically 8443.


Step 15 Repeat Step 13 and Step 14 for all remaining AXL servers.

Step 16 Under AXL Server Settings, enter the following settings and click Save.

Table 15 Settings for the AXL Settings 

Field
Setting

User Name

<the user name that Cisco Unity Connection will use to log on to the AXL server>

Password

<the password that Cisco Unity Connection will use to log on to the AXL server>

Cisco Unified CallManager Version

5.0 or Greater (SSL)

The AXL port must be an SSL-enabled port (typically port 8443).



Note After the changes to this page are saved, you can click Test (next to the AXL server port number) to verify the connection to the AXL server.


Step 17 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port Group.

Step 18 On the Search Port Groups page, click the display name of the port group that you created with the phone system integration in Step 9.


Note By default, the display name for a port group is composed of the phone system display name followed by an incrementing number.


Step 19 On the Port Group Basics page, on the Edit menu, click Servers.

Step 20 On the Edit Servers page, do the following substeps if the Cisco Unified CallManager cluster has secondary servers. Otherwise, skip to Step 21.

a. Under Cisco Unified CallManager Servers, click Add.

b. Enter the following settings for the secondary Cisco Unified CallManager server and click Save.

Table 16 Settings for the Cisco Unified CallManager Server 

Field
Setting

Order

<the order of priority for the Cisco Unified CallManager server; the lowest number is the primary Cisco Unified CallManager server, the higher numbers are the secondary servers>

IP Address or Host Name

<the IP address (or host name) of the secondary Cisco Unified CallManager server>

Port

<the TCP port of the Cisco Unified CallManager server that you are integrating with Cisco Unity Connection; we recommend that you use the default setting>

TLS Port

<the TLS port of the Cisco Unified CallManager server that you are integrating with Cisco Unity Connection; we recommend that you use the default setting>

Server Type

Cisco Unified CallManager



Note You can click Ping to verify the IP address (or host name) of the Cisco Unified CallManager server.


c. Repeat Step 20a. and Step 20b. for all remaining Cisco Unified CallManager servers in the cluster.

Step 21 Do the following substeps if the Cisco Unified CallManager cluster uses authentication or encryption for the voice messaging ports. Otherwise, skip to Step 22.

a. Under TFTP Servers, click Add.

b. Enter the following settings for the TFTP server and click Save.

Table 17 Settings for the TFTP Server 

Field
Setting

Order

<the order of priority for the TFTP server; the lowest number is the primary TFTP server, the higher numbers are the secondary servers>

IP Address or Host Name

<the IP address (or host name) of the TFTP server>



Note You can click Ping to verify the IP address (or host name) of the TFTP server.


c. Repeat Step 21a. and Step 21b. for all remaining TFTP servers in the cluster.

Step 22 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port.

Step 23 On the Search Ports page, click the display name of the first voice messaging port that you created for this phone system integration.


Note By default, the display names for the voice messaging ports are composed of the port group display name followed by incrementing numbers.


Step 24 On the Port Basics page, set the voice messaging port settings as applicable. The fields in the following table are the ones that you can change.

Table 18 Settings for the Voice Ports 

Field
Considerations

Enabled

Check this check box to enable the port. The port is enabled during normal operation.

Uncheck this check box to disable the port. When the port is disabled, calls to the port get a ringing tone but are not answered. Typically, the port is disabled only by the installer during testing.

Extension

Enter the extension for the port as assigned on the phone system.

Answer Calls

Check this check box to designate the port for answering calls. These calls can be incoming calls from unidentified callers or from users.

Perform Message Notification

Check this check box to designate the port for notifying users of messages. Assign Perform Message Notification to the least busy ports.

Send MWI Requests

Check this check box to designate the port for turning MWIs on and off. Assign Send MWI Requests to the least busy ports.

Allow TRAP Connections

Check this check box so that users can use the port for recording and playback through the phone in Cisco Unity Connection web applications. Assign Allow TRAP Connections to the least busy ports.

Outgoing Hunt Order

Enter the priority order in which Cisco Unity Connection will use the ports when dialing out (for example, if the Perform Message Notification, Send MWI Requests, or Allow TRAP Connections check box is checked). The highest numbers are used first. However, when multiple ports have the same Outgoing Hunt Order number, Cisco Unity Connection will use the port that has been idle the longest.

Security Mode

Click the applicable security mode:

Non-secure—The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CallManager through a non-authenticated port rather than an authenticated TLS port. In addition, the media stream will not be encrypted.

Authenticated—The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CallManager through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text. In addition, the media stream will not be encrypted.

Encrypted—The integrity and privacy of call-signaling messages will be ensured on this port because they will be connected to Cisco Unified CallManager through an authenticated TLS port, and the call-signaling messages will be encrypted. In addition, the media stream will be encrypted.


Step 25 Click Save.

Step 26 Click Next.

Step 27 Repeat Step 24 through Step 26 for all remaining voice messaging ports for the phone system.

Step 28 If another phone system integration exists, In Cisco Unity Connection Administration, expand Telephony Integrations, then click Trunk. Otherwise, skip to Step 32.

Step 29 On the Search Phone System Trunks page, on the Phone System Trunk menu, click New Phone System Trunk.

Step 30 On the New Phone System Trunk page, enter the following settings for the phone system trunk and click Save.

Table 19 Settings for the Phone System Trunk 

Field
Setting

From Phone System

<the display name of the phone system that you are creating a trunk for>

To Phone System

<the display name of the previously existing phone system that the trunk will connect to>

Trunk Access Code

<the extra digits that Cisco Unity Connection must dial to transfer calls through the gateway to extensions on the previously existing phone system>


Step 31 Repeat Step 29 and Step 30 for all remaining phone system trunks that you want to create.

Step 32 If prompted to restart Cisco Unity Connection, in the Windows task bar, right-click the Cisco Unity Connection icon and click Restart > Voice Processing Server Role.

Step 33 When prompted to confirm stopping the Voice Processing server role, click Yes.

Step 34 In Cisco Unity Connection Administration, in the Related Links drop-down list, click Check Telephony Configuration and click Go to confirm the phone system integration settings.

If the test is not successful, the Task Execution Results displays one or more messages with troubleshooting steps. After correcting the problems, test the connection again.

Step 35 In the Task Execution Results window, click Close.

Step 36 If you do not want to set up for Cisco Unified CallManager authentication and encryption, log off Cisco Unity Connection Administration, skip the remaining procedures, and continue with the "Testing the Integration" section.

If you want to set up for Cisco Unified CallManager authentication and encryption, continue with the "Setting Up Cisco Unified CallManager Authentication and Encryption with Cisco Unity Connection" below.


Setting Up Cisco Unified CallManager Authentication and Encryption with Cisco Unity Connection

If you are not setting up Cisco Unified CallManager authentication and encryption, skip to the "Testing the Integration" section.

If you are setting up Cisco Unified CallManager authentication and encryption, do the following two procedures.

For additional information about authentication and encryption with Cisco Unified CallManager and Cisco Unity Connection, see the "Appendix: Cisco CallManager Authentication and Encryption of Voice Messaging Ports" section.


Caution The Cisco Unity Connection system clock must be synchronized with the Cisco Unified CallManager system clock for Cisco Unified CallManager authentication to function immediately. Otherwise, Cisco Unified CallManager will reject the Cisco Unity Connection voice messaging ports until the Cisco Unified CallManager system clock has passed the time stamp in the Cisco Unity Connection device certificates.

To Ensure That the Tftp.exe File Is Present on Cisco Unity Connection Server


Step 1 On the Cisco Unity Connection server, determine whether the computer is one of the following models:

MCS-7825H-2.2-ECS1

MCS-7825H-3.0-ECS1

MCS-7835H-2.4-ECS1

MCS-7835H-3.4-ECS1

MCS-7845H-2.4-ECS1

MCS-7845H-3.0-ECS1

MCS-7815I-3.0-ECS1

MCS-7815-I1-ECS1

MCS-7815-I1-UC1

MCS-7825-I1-ECS1

MCS-7825-I1-UC1

MCS-7835-I1-ECS1

MCS-7835-I1-UC1

MCS-7845-I1-ECS1

MCS-7845-I1-UC1

Step 2 If the computer is not one of the computer models listed above, skip the remaining steps in this procedure and continue to the "To Enable Cisco Unified CallManager Authentication and Encryption for Cisco Unity Connection Voice Messaging Ports" procedure.

Otherwise, on the Start menu, click Run.

Step 3 In the Run field, enter cmd and click OK.

Step 4 In the command prompt window, enter c: and press Enter.

Step 5 Enter cd i386 and press Enter.

Step 6 Enter expand.exe tftp.ex_ c:\windows\system32\tftp.exe and press Enter.

Step 7 Close the compand prompt window.


To Enable Cisco Unified CallManager Authentication and Encryption for Cisco Unity Connection Voice Messaging Ports


Step 1 If Cisco Unity Connection Administration is not already open, log on to Cisco Unity Connection Administration.

Step 2 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port.

Step 3 On the Search Ports page, click the display name of the first voice messaging port for the Cisco Unified CallManager phone system integration.


Note By default, the display names for the voice messaging ports are composed of the port group display name followed by incrementing numbers.


Step 4 On the Port Basics page, confirm that the Security Mode field is set to the applicable setting.


Caution The Security Mode setting for Cisco Unity Connection voice messaging ports must match the security mode setting for the Cisco Unified CallManager ports. Otherwise, Cisco Unified CallManager authentication and encryption will fail.

Table 20 Security Mode Settings 

Setting
Effect

Non-secure

The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CallManager through a non-authenticated port rather than an authenticated TLS port.

In addition, the media stream will not be encrypted.

Authenticated

The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CallManager through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text.

In addition, the media stream will not be encrypted.

Encrypted

The integrity and privacy of call-signaling messages will be ensured because they will be connected to Cisco Unified CallManager through an authenticated TLS port, and the call-signaling messages will be encrypted.

In addition, the media stream can be encrypted.


Step 5 If you changed the setting, click Save and click Next.

Step 6 Repeat Step 4 and Step 5 for all remaining voice messaging ports for the Cisco Unified CallManager phone system integration.

Step 7 Restart the Cisco Unity Connection software.

Cisco Unity Connection generates the voice messaging port device certificates and the Cisco Unity Connection root certificate.

Step 8 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Phone System.

Step 9 On the Search Phone Systems page, click the name of the Cisco Unified CallManager phone system for which you want to enable authentication and encryption of the Cisco Unity Connection voice messaging ports.

Step 10 On the Phone System Basics page, on the Edit menu, click Root Certificate.

Step 11 On the View Root Certificate page, right-click the Right-click to Save the Certificate as a File link, and click Save Target As.

Step 12 In the Save As dialog box, browse to the location on the Cisco Unity Connection server where you want to save the Cisco Unity Connection root certificate as a file.

Step 13 In the File Name field, confirm that the extension is .pem (rather than .htm), and click Save.


Caution The certificate must be saved as a file with the extension .pem (rather than .htm) or Cisco Unified CallManager will not recognize the certificate.

When Cisco Unity Connection is integrated with both Cisco Unified CallManager 4.x and Cisco Unified CallManager 5.x servers, you must copy the .pem file to the Cisco Unified CallManager 5.x server and the .0 file to the Cisco Unified CallManager 4.x server. Otherwise, authentication and encryption will not function correctly.

Step 14 In the Download Complete dialog box, click Close.

Step 15 Copy the Cisco Unity Connection root certificate to all Cisco Unified CallManager servers in this Cisco Unified CallManager phone system integration by doing the following substeps.


Caution The Cisco Unity Connection system clock must be synchronized with the Cisco Unified CallManager system clock for Cisco Unified CallManager authentication to function immediately. Otherwise, Cisco Unified CallManager will not let the Cisco Unity Connection voice messaging ports register until the Cisco Unified CallManager system clock has passed the time stamp in the Cisco Unity Connection device certificates.

a. On the Cisco Unified CallManager server, in Cisco Unified CallManager Platform Administration, on the Security menu, click Certificate Management > Upload Certificate/CTL.

b. On the Cisco IPT Platform Administration page, click Upload Trust Certificate and CallManager - Trust, then click OK.

c. Browse to the Cisco Unity Connection root certificate that you saved in Step 13.

d. Follow the on-screen instructions.

e. Repeat Step 15a. through Step 15d. on all remaining Cisco Unified CallManager servers in the cluster.

f. In Cisco Unity Connection Administration, in the Related Links drop-down list, click Check Telephony Configuration and click Go to confirm the connection to the Cisco Unified CallManager servers.

If the test is not successful, the Task Results list displays one or more messages with troubleshooting steps. After correcting the problems, test the connection again.

g. In the Task Results window, click Close.

Step 16 If prompted, restart the Cisco Unity Connection software.

Step 17 Log off Cisco Unity Connection Administration.


Testing the Integration

To test whether Cisco Unity Connection and the phone system are integrated correctly, do the following procedures in the order listed.

If any of the steps indicate a failure, refer to the following documentation as applicable:

The installation guide for the phone system.

The setup information earlier in this guide.

To Set Up the Test Configuration


Step 1 Set up two test extensions (Phone 1 and Phone 2) on the same phone system that Cisco Unity Connection is connected to.

Step 2 Set Phone 1 to forward calls to the Cisco Unity Connection pilot number when calls are not answered.


Caution The phone system must forward calls to the Cisco Unity Connection pilot number in no fewer than four rings. Otherwise, the test may fail.

Step 3 To create a test user for testing, in Cisco Unity Connection Administration, expand Users, then click Users.

Step 4 On the Search Users page, on the User menu, click New User.

Step 5 On the New User page, enter the following settings.

Table 21 Settings for the New User Page 

Field
Setting

User Type

User with Voice Mailbox

Based on Template

<the applicable user template>

Alias

testuser

First Name

Test

Last Name

User

Display Name

Test User

Extension

<the extension of Phone 1>


Step 6 Click Save.

Step 7 On the Edit User Basics page, in the Voice Name field, record a voice name for the test user.

Step 8 In the Phone System field, confirm that the phone system selected is the phone system that Phone 1 is connected to.

Step 9 Uncheck the Set for Self-enrollment at Next Login check box.

Step 10 Click Save.

Step 11 On the Edit menu, click Message Waiting Indicators.

Step 12 On the Message Waiting Indicators page, click the message waiting indicator. If no message waiting indication is in the table, click Add New.

Step 13 On the Edit Message Waiting Indicator page, enter the following settings.

Table 22 Settings for the Edit MWI Page 

Field
Setting

Enabled

Check this check box to enable MWIs for the test user.

Display Name

Accept the default or enter a different name.

Inherit User's Extension

Check this check box to enable MWIs on Phone 1.


Step 14 Click Save.

Step 15 On the Edit menu, click Transfer Options.

Step 16 On the Transfer Options page, click the active option.

Step 17 On the Edit Transfer Option page, under Transfer Action, click the Extension option and enter the extension of Phone 1.

Step 18 In the Transfer Type field, click Release to Switch.

Step 19 Click Save.

Step 20 Minimize the Cisco Unity Connection Administration window.

Do not close the Cisco Unity Connection Administration window because you will use it again in a later procedure.

Step 21 On the Cisco Unity Connection desktop, double-click the Tools Depot icon.

Step 22 In the left pane of the Tools Depot window, expand Switch Integration Tools, then double-click Port Status Monitor. The Port Status Monitor window appears.

Step 23 On the Ports menu, click Start All, and arrange the port monitors so that you can notice which port will handle the calls that you will make.


To Test an External Call with Release Transfer


Step 1 From Phone 2, enter the access code necessary to get an outside line, then enter the number outside callers use to dial directly to Cisco Unity Connection.

Step 2 In the Port Status Monitor, note which port handles this call.

Step 3 When you hear the opening greeting, enter the extension for Phone 1. Hearing the opening greeting means that the port is configured correctly.

Step 4 Confirm that Phone 1 rings and that you hear a ringback tone on Phone 2. Hearing a ringback tone means that Cisco Unity Connection correctly released the call and transferred it to Phone 1.

Step 5 Leaving Phone 1 unanswered, confirm that the state of the port handling the call changes to "Idle." This state means that release transfer is successful.

Step 6 Confirm that, after the number of rings that the phone system is set to wait, the call is forwarded to Cisco Unity Connection and that you hear the greeting for the test user. Hearing the greeting means that the phone system forwarded the unanswered call and the call-forward information to Cisco Unity Connection, which correctly interpreted the information.

Step 7 On the Port Status Monitor, note which port handles this call.

Step 8 Leave a message for the test user and hang up Phone 2.

Step 9 In the Port Status Monitor, confirm that the state of the port handling the call changes to "Idle." This state means that the port was successfully released when the call ended.

Step 10 Confirm that the MWI on Phone 1 is activated. The activated MWI means that the phone system and Cisco Unity Connection are successfully integrated for turning on MWIs.


To Test Listening to Messages


Step 1 From Phone 1, enter the internal pilot number for Cisco Unity Connection.

Step 2 When asked for your password, enter the password for the test user. Hearing the request for your password means that the phone system sent the necessary call information to Cisco Unity Connection, which correctly interpreted the information.

Step 3 Confirm that you hear the recorded voice name for the test user (if you did not record a voice name for the test user, you will hear the extension number for Phone 1). Hearing the voice name means that Cisco Unity Connection correctly identified the user by the extension.

Step 4 Listen to the message.

Step 5 After listening to the message, delete the message.

Step 6 Confirm that the MWI on Phone 1 is deactivated. The deactivated MWI means that the phone system and Cisco Unity Connection are successfully integrated for turning off MWIs.

Step 7 Hang up Phone 1.

Step 8 On the Port Status Monitor, confirm that the state of the port handling the call changes to "Idle." This state means that the port was successfully released when the call ended.


To Set Up Supervised Transfer on Cisco Unity Connection


Step 1 In Cisco Unity Connection Administration, on the Edit Transfer Option page for the test user, in the Transfer Type field, click Supervise Transfer.

Step 2 In the Rings to Wait For field, enter 3.

Step 3 Click Save.

Step 4 Minimize the Cisco Unity Connection Administration window.

Do not close the Cisco Unity Connection Administration window because you will use it again in a later procedure.


To Test Supervised Transfer


Step 1 From Phone 2, enter the access code necessary to get an outside line, then enter the number outside callers use to dial directly to Cisco Unity Connection.

Step 2 On the Port Status Monitor, note which port handles this call.

Step 3 When you hear the opening greeting, enter the extension for Phone 1. Hearing the opening greeting means that the port is configured correctly.

Step 4 Confirm that Phone 1 rings and that you do not hear a ringback tone on Phone 2. Instead, you should hear the indication your phone system uses to mean that the call is on hold (for example, music).

Step 5 Leaving Phone 1 unanswered, confirm that the state of the port handling the call remains "Busy." This state and hearing an indication that you are on hold mean that Cisco Unity Connection is supervising the transfer.

Step 6 Confirm that, after three rings, you hear the greeting for the test user. Hearing the greeting means that Cisco Unity Connection successfully recalled the supervised-transfer call.

Step 7 During the greeting, hang up Phone 2.

Step 8 On the Port Status Monitor, confirm that the state of the port handling the call changes to "Idle." This state means that the port was successfully released when the call ended.

Step 9 Exit the Port Status Monitor.


To Delete the Test User


Step 1 In Cisco Unity Connection Administration, expand Users, then click Users.

Step 2 On the Search Users page, check the check box to the left of the test user.

Step 3 Click Delete Selected.


If Cisco Unity Connection is set up for Cisco Unified CallManager authentication or encryption, do the following procedure.

To Test Cisco Unified CallManager Authentication and Encryption


Step 1 From Phone 1, dial the internal pilot number for Cisco Unity Connection.

Step 2 Confirm that the authentication icon and/or the encryption icon appear on the LCD of the phone.

Step 3 Hang up Phone 1.


(Multiple Integrations Only) Adding New User Templates

When you create the first phone system integration, this phone system is automatically selected in the default user template. The users that you add after creating this phone system integration will be assigned to this phone system by default.

However, for each additional phone system integration that you create, you must add the applicable new user templates that will assign users to the new phone system. You must add the new templates before you add new users who will be assigned to the new phone system.

For details on adding new user templates, refer to the "Adding, Changing, or Deleting an Account Template" chapter in the Cisco Unity Connection User Moves, Adds, and Changes Guide at http://www.cisco.com/en/US/products/ps6509/prod_maintenance_guides_list.html.

For details on selecting a user template when adding a new user, refer to the applicable chapter for adding user accounts in the Cisco Unity Connection User Moves, Adds, and Changes Guide at http://www.cisco.com/en/US/products/ps6509/prod_maintenance_guides_list.html.

Changing the Number of Voice Messaging Ports

To change the number of voice messaging ports in Cisco Unified CallManager and in Cisco Unity Connection for an existing integration, do the following procedures.

To Change the Number of Voice Mail Ports in Cisco Unified CallManager Administration


Step 1 On the Cisco Unified CallManager server, use Cisco Voice Mail Port Wizard to change the number of voice mail ports. Refer to the following:

To add voice mail ports in Cisco Unified CallManager Administration by using the Cisco Voice Mail Port Wizard, see the "To Add Voice Mail Ports to Cisco Unified CallManager" procedure.

To remove voice mail ports in Cisco Unified CallManager Administration by using the Cisco Voice Mail Port Wizard, refer to the Cisco Unified CallManager Administration Help.


If you are adding voice messaging ports, do the "To Add Voice Messaging Ports in Cisco Unity Connection Administration" procedure.

If you are deleting voice messaging ports, do the "To Delete Voice Messaging Ports in Cisco Unity Connection Administration" procedure.

To Add Voice Messaging Ports in Cisco Unity Connection Administration


Step 1 If the Cisco Unity Connection license does not enable the additional voice messaging ports you added, see your sales representative to request the applicable license.

Step 2 When you have the license, log on to Cisco Unity Connection Administration.

Step 3 In Cisco Unity Connection Administration, expand System Settings, then click Licenses.

Step 4 On the License page, on the License menu, click Add New License.

Step 5 On the Add New License page, click Browse.

Step 6 In the Choose File dialog box, browse to license file and click Open.

Step 7 On the Add New License page, click Add.

Step 8 On the Licenses page, check the check box for the license file that you added in Step 7 and click Install Selected.

Step 9 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port.

Step 10 On the Search Ports page, under Port Search Results, click Add New.

Step 11 On the New Port page, enter the applicable settings and click Save.


Caution Make sure that there are an appropriate number of ports set to answer calls and an appropriate number of ports set to dial out. Otherwise, the integration will not function correctly. For details, see to the "Planning How the Voice Messaging Ports Will be Used by Cisco Unity Connection" section.

Step 12 If prompted to restart Cisco Unity Connection, in the Windows task bar, right-click the Cisco Unity Connection icon and click Restart > Voice Processing Server Role.

Step 13 When prompted to confirm stopping the Voice Processing server role, click Yes.

Step 14 If you are not using Cisco Unified CallManager authentication and encryption, skip to Step 22.

If you are using Cisco Unified CallManager authentication and encryption, in Cisco Unity Connection Administration, expand Telephony Integrations, then click Phone System.


Caution Confirm that you have set up the TFTP server on the Edit Servers page for the port group that the voice messaging ports belong to. Otherwise, the integration will not function correctly with Cisco Unified CallManager authentication and encryption.

Step 15 On the Search Phone Systems page, click the name of the Cisco Unified CallManager phone system for which you want to enable authentication and encryption of the Cisco Unity Connection voice messaging ports.

Step 16 On the Phone System Basics page, on the Edit menu, click Root Certificate.

Step 17 On the View Root Certificate page, right-click the Right-click to Save the Certificate as a File link, and click Save Target As.

Step 18 In the Save As dialog box, browse to the location on the Cisco Unity Connection server where you want to save the Cisco Unity Connection root certificate as a file.

Step 19 In the File Name field, confirm that the extension is .pem (rather than .htm), and click Save.


Caution The certificate must be saved as a file with the extension .pem (rather than .htm) or Cisco Unified CallManager will not recognize the certificate.

When Cisco Unity Connection is integrated with both Cisco Unified CallManager 4.x and Cisco Unified CallManager 5.x servers, you must copy the .pem file to the Cisco Unified CallManager 5.x server and the .0 file to the Cisco Unified CallManager 4.x server. Otherwise, authentication and encryption will not function correctly.

Step 20 In the Download Complete dialog box, click Close.

Step 21 Upload the Cisco Unity Connection root certificate to all Cisco Unified CallManager servers in this Cisco Unified CallManager phone system integration by doing the following substeps.


Caution The Cisco Unity Connection system clock must be synchronized with the Cisco Unified CallManager system clock for Cisco Unified CallManager authentication to function immediately. Otherwise, Cisco Unified CallManager will not let the Cisco Unity Connection voice messaging ports register until the Cisco Unified CallManager system clock has passed the time stamp in the Cisco Unity Connection device certificates.

a. On the Cisco Unified CallManager server, in Cisco Unified CallManager Platform Administration, on the Security menu, click Certificate Management > Upload Certificate/CTL.

b. On the Cisco IPT Platform Administration page, click Upload Trust Certificate and CallManager - Trust, then click OK.

c. Browse to the Cisco Unity Connection root certificate that you saved in Step 19.

d. Follow the on-screen instructions.

e. Repeat Step 15a. through Step 15d. on all remaining Cisco Unified CallManager servers in the cluster.

f. In Cisco Unity Connection Administration, in the Related Links drop-down list, click Check Telephony Configuration and click Go to confirm the connection to the Cisco Unified CallManager servers.

If the test is not successful, the Task Results list displays one or more messages with troubleshooting steps. After correcting the problems, test the connection again.

g. In the Task Results window, click Close.

Step 22 If prompted, restart the Cisco Unity Connection software.

Step 23 Log off Cisco Unity Connection Administration.


To Delete Voice Messaging Ports in Cisco Unity Connection Administration


Step 1 Log on to the Cisco Unity Connection Administration.

Step 2 Go to the Telephony Integrations > Port page.

Step 3 Under Port Search Results, check the check boxes next to the voice messaging ports that you want to delete.

Step 4 Click Delete Selected.

Step 5 For the remaining voice messaging ports in the port group, change the settings as necessary so that there are an appropriate number of voice messaging ports set to answer calls and an appropriate number of voice messaging ports set to dial out.

Step 6 In the Windows task bar, right-click the Cisco Unity Connection icon and click Restart > Voice Processing Server Role.

Step 7 When prompted to confirm stopping the Voice Processing server role, click Yes.

Step 8 In Cisco Unity Connection Administration, in the Related Links drop-down list, click Check Telephony Configuration and click Go to confirm the phone system integration settings.

If the test is not successful, the Task Execution Results displays one or more messages with troubleshooting steps. After correcting the problems, test the connection again.

Step 9 In the Task Execution Results window, click Close.

Step 10 Log off the Cisco Unity Connection Administration.


Adding a Cisco Unified CallManager Express Server to a Cisco Unified CallManager Phone System Integration

Cisco Unity Connection can integrate a Cisco Unified CallManager phone system integration that has a port group of Cisco Unified CallManager servers and a port group of a Cisco Unified CallManager Express server. This configuration is typically used to ensure call processing functionality at a branch office when the WAN link is down.

There are, however, the following considerations:

The version of Cisco Unified CallManager Express and the version of the Cisco Unity-CM TSP must be a supported combination in the Compatibility Matrix: Cisco Unity, the Cisco Unity-CM TSP, Cisco Unified CM, and Cisco Unified CM Express at http://www.cisco.com/en/US/docs/voice_ip_comm/unity/compatibility/matrix/cutspmtx.html

The Cisco Unified CallManager phone system integration is typically already created before adding the Cisco Unified CallManager Express server.

The Cisco Unified CallManager Express server is in its own port group, which is separate from the port group for the Cisco Unified CallManager servers.

The Cisco Unified CallManager Express port group has its own voice messaging ports that connect only to the Cisco Unified CallManager Express server.

To add a Cisco Unified CallManager Express server to a Cisco Unified CallManager phone system integration, do the following procedure.

To Add a Cisco Unified CallManager Express Server to a Cisco Unified CallManager Phone System Integration


Step 1 Log on to Cisco Unity Connection Administration.

Step 2 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port Group.

Step 3 On the Search Port Groups page, under Port Group Search Results, click Add New.

Step 4 On the New Port Group page, enter the following settings.

Table 23 Settings for the Cisco Unified CallManager Express Server 

Field
Setting

Display Name

Enter the display name for the port group. Accept the default name, which is composed of the phone system display name followed by an incrementing number, or enter another descriptive name.

Phone System

Click the name of the Cisco Unified CallManager phone system.

Create From

Click Port Group Template and, in the drop-down box, click SCCP - Skinny Client Control Protocol.

Device Name Prefix

Enter the prefix that was added in Cisco Unified CallManager Express to the device name for voice messaging ports; this prefix must match the prefix used by Cisco Unified CallManager Express.

MWI On Extension

Enter the extension that you specified in Cisco Unified CallManager Express for turning MWIs on.

MWI Off Extension

Enter the extension that you specified in Cisco Unified CallManager Express for turning MWIs off.

IP Address or Host Name

Enter the IP address (or host name) of the Cisco Unified CallManager Express server that you are adding to the Cisco Unified CallManager phone system integration.

Port

Enter the TCP port of the Cisco Unified CallManager Express server that you are adding to the Cisco Unified CallManager phone system integration. We recommend that you use the default setting.

TLS Port

Enter the TLS port of the Cisco Unified CallManager Express server that you are adding to the Cisco Unified CallManager phone system integration. We recommend that you use the default setting.


Step 5 Click Save.

Step 6 On the Port Group Basics page, on the Edit menu, click Servers.

Step 7 On the Edit Servers page, in the Server Type field, click Cisco Unified CallManager Express.


Note You can click Ping to verify the IP address of the Cisco Unified CallManager Express server.


Step 8 Click Save.

Step 9 On the Edit menu, click Advanced Settings.

Step 10 On the Edit Advanced Settings page, in the Delay Before Opening Greeting field, enter 1000 and click Save.

Step 11 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port.

Step 12 On the Search Ports page, under Port Search Results, click Add New.

Step 13 On the New Port page, enter the following settings.

Table 24 Settings for the New Port Page 

Field
Setting

Number of Ports

Enter the number of voice messaging ports that you want to create on Cisco Unity Connection for connecting to the Cisco Unified CallManager Express server.

Phone System

Click the display name of the Cisco Unified CallManager phone system integration.

Port Group

Click the display name of the port group that you created for the Cisco Unified CallManager Express server in Step 5.


Step 14 Click Save.

Step 15 On the Search Ports page, click the display name of the first voice messaging port that you created for the Cisco Unified CallManager Express port group.


Note By default, the display names for the voice messaging ports are composed of the port group display name followed by incrementing numbers.


Step 16 On the Port Basics page, set the voice messaging port settings as applicable. The fields in the following table are the ones that you can change.

Table 25 Settings for the Voice Ports 

Field
Considerations

Enabled

Check this check box to enable the port. The port is enabled during normal operation.

Uncheck this check box to disable the port. When the port is disabled, calls to the port get a ringing tone but are not answered. Typically, the port is disabled only by the installer during testing.

Extension

Enter the extension for the port as assigned on the phone system.

Answer Calls

Check this check box to designate the port for answering calls. These calls can be incoming calls from unidentified callers or from users.

Perform Message Notification

Check this check box to designate the port for notifying users of messages. Assign Perform Message Notification to the least busy ports.

Send MWI Requests

Check this check box to designate the port for turning MWIs on and off. Assign Send MWI Requests to the least busy ports.

Allow TRAP Connections

Check this check box so that users can use the port for recording and playback through the phone in Cisco Unity Connection web applications. Assign Allow TRAP Connections to the least busy ports.

Outgoing Hunt Order

Enter the priority order in which Cisco Unity Connection will use the ports when dialing out (for example, if the Perform Message Notification, Send MWI Requests, or Allow TRAP Connections check box is checked). The highest numbers are used first. However, when multiple ports have the same Outgoing Hunt Order number, Cisco Unity Connection will use the port that has been idle the longest.

Security Mode

Click Non-secure.

(Cisco Unified CallManager authentication and encryption are not available.)


Step 17 Click Save.

Step 18 Click Next.

Step 19 Repeat Step 16 through Step 18 for all remaining voice messaging ports in the Cisco Unified CallManager Express port group.

Step 20 In the Windows task bar, right-click the Cisco Unity Connection icon and click Restart > Voice Processing Server Role.

Step 21 When prompted to confirm stopping the Voice Processing server role, click Yes.

Step 22 In Cisco Unity Connection Administration, in the Related Links drop-down list, click Test Port Group and click Go to confirm the Cisco Unified CallManager port group settings.

Step 23 When prompted that the test will terminate call in progress, click OK.

If the test is not successful, the Task Execution Results displays one or more messages with troubleshooting steps. After correcting the problems, test the connection again.

Step 24 In the Task Execution Results window, click Close.

Step 25 Log off Cisco Unity Connection Administration.



Appendix: Cisco Unified CallManager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports


A potential point of vulnerability for a Cisco Unity Connection system is the connection between Cisco Unity Connection and Cisco Unified CallManager. Possible threats include:

Man-in-the-middle attacks (a process in which an attacker observes and modifies the information flow between Cisco Unified CallManager and the Cisco Unity Connection voice messaging ports)

Network traffic sniffing (a process in which an attacker uses software to capture phone conversations and signaling information that flow between Cisco Unified CallManager, the Cisco Unity Connection voice messaging ports, and IP phones that are managed by Cisco Unified CallManager)

Modification of call signaling between the Cisco Unity Connection voice messaging ports and Cisco Unified CallManager

Modification of the media stream between the Cisco Unity Connection voice messaging ports and the endpoint (for example, a phone or gateway)

Identity theft of the Cisco Unity Connection voice messaging port (a process in which a non-Cisco Unity Connection device presents itself to Cisco Unified CallManager as a Cisco Unity Connection voice messaging port)

Identity theft of the Cisco Unified CallManager server (a process in which a non-Cisco Unified CallManager server presents itself to Cisco Unity Connection voice messaging ports as a Cisco Unified CallManager server)

Cisco Unified CallManager Security Features

Cisco Unified CallManager 4.1(3) or later can secure the connection with Cisco Unity Connection against these threats. The Cisco Unified CallManager security features that Cisco Unity Connection can take advantage of are described in Table 26.

Table 26 Cisco Unified CallManager Security Features That Are Used by Cisco Unity Connection 

Security Feature
Description

Signaling authentication

The process that uses the Transport Layer Security (TLS) protocol to validate that no tampering has occurred to signaling packets during transmission. Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that modify the information flow between Cisco Unified CallManager and the Cisco Unity Connection voice messaging ports.

Modification of the call signalling.

Identity theft of the Cisco Unity Connection voice messaging port.

Identity theft of the Cisco Unified CallManager server.

Device authentication

The process that validates the identity of the device and ensures that the entity is what it claims to be. This process occurs between Cisco Unified CallManager and Cisco Unity Connection voice messaging ports when each device accepts the certificate of the other device. When the certificates are accepted, a secure connection between the devices is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that modify the information flow between Cisco Unified CallManager and the Cisco Unity Connection voice messaging ports.

Modification of the media stream.

Identity theft of the Cisco Unity Connection voice messaging port.

Identity theft of the Cisco Unified CallManager server.

Signaling encryption

The process that uses cryptographic methods to protect (through encryption) the confidentiality of all SCCP signaling messages that are sent between the Cisco Unity Connection voice messaging ports and Cisco Unified CallManager. Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and so on are protected against unintended or unauthorized access.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that observe the information flow between Cisco Unified CallManager and the Cisco Unity Connection voice messaging ports.

Network traffic sniffing that observes the signaling information flow between Cisco Unified CallManager and the Cisco Unity Connection voice messaging ports.

Media encryption

The process whereby the confidentiality of the media occurs through the use of cryptographic procedures. This process uses Secure Real Time Protocol (SRTP) as defined in IETF RFC 3711, and ensures that only the intended recipient can interpret the media streams between Cisco Unity Connection voice messaging ports and the endpoint (for example, a phone or gateway). Support includes audio streams only. Media encryption includes creating a media master key pair for the devices, delivering the keys to Cisco Unity Connection and the endpoint, and securing the delivery of the keys while the keys are in transport. Cisco Unity Connection and the endpoint use the keys to encrypt and decrypt the media stream.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that listen to the media stream between Cisco Unified CallManager and the Cisco Unity Connection voice messaging ports.

Network traffic sniffing that eavesdrops on phone conversations that flow between Cisco Unified CallManager, the Cisco Unity Connection voice messaging ports, and IP phones that are managed by Cisco Unified CallManager.


Authentication and signaling encryption serve as the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur.


Note Cisco Unified CallManager authentication and encryption protects only calls to Cisco Unity Connection. Messages recorded on the message store are not protected by the Cisco Unified CallManager authentication and encryption features but can be protected by the Cisco Unity Connection private secure messaging feature.


Functional Overview

The security features (authentication and encryption) between Cisco Unity Connection and Cisco Unified CallManager require the following:

A Cisco Unified CallManager CTL file that lists all Cisco Unified CallManager servers that are entered in Cisco Unity Connection Administration for secure clusters.

A Cisco Unity Connection server root certificate for each Cisco Unity Connection server that uses authentication and/or encryption. A root certificate is valid for 20 years from the time it was created.

Cisco Unity Connection voice messaging port device certificates that are rooted in the Cisco Unity Connection server root certificate and that the voice messaging ports present when registering with the Cisco Unified CallManager server.

The process of authentication and encryption of Cisco Unity Connection voice messaging ports is as follows:

1. Each Cisco Unity Connection voice messaging port connects to the TFTP server, downloads the CTL file, and extracts the certificates for all Cisco Unified CallManager servers.

2. Each Cisco Unity Connection voice messaging port establishes a network connection to the Cisco Unified CallManager TLS port through Winsock. By default, the TLS port is 2443, though the port number is configurable.

3. Each Cisco Unity Connection voice messaging port establishes a TLS connection to the Cisco Unified CallManager server, at which time the device certificate is verified and the voice messaging port is authenticated.

4. Each Cisco Unity Connection voice messaging port registers with the Cisco Unified CallManager server, specifying whether the voice messaging port will also use media encryption.

Behavior for Calls

When a call is made between Cisco Unity Connection and Cisco Unified CallManager, the call-signaling messages and the media stream are handled in the following manner:

If both end points are set for encrypted mode, the call-signaling messages and the media stream are encrypted.

If one end point is set for authenticated mode and the other end point is set for encrypted mode, the call-signaling messages are authenticated. But neither the call-signaling messages nor the media stream are encrypted.

If one end point is set for non-secure mode and the other end point is set for encrypted mode, neither the call-signaling messages nor the media stream are encrypted.

Security Mode Settings in Cisco Unity Connection

The Security Mode settings in Cisco Unity Connection Administration determine how the ports handle call-signaling messages and whether encryption of the media stream is possible. Table 27 describes the effect of the Security Mode settings on the Telephony Integrations > Port > Port Basics page for each port.

Table 27 Security Mode Settings for Voice Messaging Ports 

Setting
Effect

Non-secure

The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CallManager through a non-authenticated port rather than an authenticated TLS port.

In addition, the media stream cannot be encrypted.

Authenticated

The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CallManager through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text.

In addition, the media stream will not be encrypted.

Encrypted

The integrity and privacy of call-signaling messages will be ensured because they will be connected to Cisco Unified CallManager through an authenticated TLS port, and the call-signaling messages will be encrypted.

In addition, the media stream can be encrypted.


Caution Both end points must be registered in encrypted mode for the media stream to be encrypted. However, when one end point is set for non-secure or authenticated mode and the other end point is set for encrypted mode, the media stream will not be encrypted. Also, if an intervening device (such as a transcoder or gateway) is not enabled for encryption, the media stream will not be encrypted.

Disabling and Re-Enabling Security

The authentication and encryption features between Cisco Unity Connection and Cisco Unified CallManager can be enabled and disabled by changing the Security Mode for all Cisco Unified CallManager clusters to Non-Secure, and by changing the applicable settings in the Cisco Unified CallManager Administration.

Authentication and encryption can be re-enabled by changing the Security Mode to Authenticated or Encrypted.


Note After disabling or re-enabling authentication and encryption, it is not necessary to export the Cisco Unity Connection server root certificate and copy it to all Cisco Unified CallManager server.


Multiple Clusters Can Have Multiple Settings

When Cisco Unity Connection has multiple Cisco Unified CallManager phone system integrations, each Cisco Unified CallManager phone system integration can have different Security Mode settings. For example, one Cisco Unified CallManager phone system integration can be set to Encrypted, and a second Cisco Unified CallManager phone system integration can be set to Non-Secure.

Settings for Individual Voice Messaging Ports

For troubleshooting purposes, authentication and encryption for Cisco Unity Connection voice messaging ports can be individually enabled and disabled. At all other times, we recommend that the Security Mode setting for all individual voice messaging ports in a Cisco Unified CallManager port group be the same.


Appendix: Documentation and Technical Assistance


Conventions

The Cisco Unified CallManager 5.1 SCCP Integration Guide for Cisco Unity Connection 1.2 uses the following conventions.

Table 28 Cisco Unified CallManager 5.1 SCCP Integration Guide for Cisco Unity Connection 1.2 Conventions 

Convention
Description

boldfaced text

Boldfaced text is used for:

Key and button names. (Example: Click OK.)

Information that you enter. (Example: Enter Administrator in the User Name box.)

< >

(angle brackets)

Angle brackets are used around parameters for which you supply a value. (Example: In the Command Prompt window, enter ping <IP address>.)

-

(hyphen)

Hyphens separate keys that must be pressed simultaneously. (Example: Press Ctrl-Alt-Delete.)

>

(right angle
bracket)

A right angle bracket is used to separate selections that you make:

On menus. (Example: On the Windows Start menu, click Settings > Control Panel > Phone and Modem Options.)

In the navigation bar of Cisco Unity Connection Administration. (Example: In Cisco Unity Connection Administration, expand System Settings > Advanced.)

[x]

(square brackets)

Square brackets enclose an optional element (keyword or argument). (Example: [reg-e164])

[x | y]

(vertical line)

Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice. (Example: [transport tcp | transport udp])

{x | y}

(braces)

Braces enclosing keywords or arguments separated by a vertical line indicate a required choice. (Example: {tcp | udp})


The Cisco Unified CallManager 5.1 SCCP Integration Guide for Cisco Unity Connection 1.2 also uses the following conventions:


Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the document.



Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

For descriptions and URLs of Cisco Unity Connection documentation on Cisco.com, see the About Cisco Unity Connection Documentation. The document is shipped with Cisco Unity Connection and is available at http://www.cisco.com/en/US/products/ps6509/products_documentation_roadmaps_list.html.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL:

http://www.cisco.com/go/marketplace/docstore

If you do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Documentation Feedback

You can provide feedback about Cisco technical documentation on the Cisco Support site area by entering your comments in the feedback form available in every online document.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to do the following:

Report security vulnerabilities in Cisco products

Obtain assistance with security incidents that involve Cisco products

Register to receive security information from Cisco

A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:

For emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

For nonemergencies — psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532


Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.

Never use a revoked encryption key or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending any sensitive material.


Product Alerts and Field Notices

Modifications to or updates about Cisco products are announced in the Product Field Notice Summary. Registered users can sign up to receive email notifications. Alternately, you can subscribe to the Field Notice RSS Feed. For more information, visit:

http://www.cisco.com/en/US/support/tsd_products_field_notice_summary.html

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Support website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Support Website

The Cisco Support website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:

http://www.cisco.com/en/US/support/index.html

Access to all tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note Before you submit a request for service online or by phone, use the Cisco Product Identification Tool to locate your product serial number. You can access this tool from the Cisco Support website by clicking the Get Tools & Resources link, clicking the All Tools (A-Z) tab, and then choosing Cisco Product Identification Tool from the alphabetical list. This tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.



Tip Displaying and Searching on Cisco.com

If you suspect that the browser is not refreshing a web page, force the browser to update the web page by holding down the Ctrl key while pressing F5.

To find technical information, narrow your search to look in technical documentation, not the entire Cisco.com website. After using the Search box on the Cisco.com home page, click the Advanced Search link next to the Search box on the resulting page and then click the Technical Support & Documentation radio button.

To provide feedback about the Cisco.com website or a particular technical document, click Contacts & Feedback at the top of any Cisco.com web page.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—An existing network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco e-mail newsletters and other communications. Create a profile and then select the subscriptions that you would like to receive. To visit the Cisco Online Subscription Center, go to this URL:

http://www.cisco.com/offer/subscribe

The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:

http://www.cisco.com/go/guide

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Internet Protocol Journal is a quarterly journal published by Cisco for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

Networking products offered by Cisco, as well as customer support services, can be obtained at this URL:

http://www.cisco.com/en/US/products/index.html

Networking Professionals Connection is an interactive website where networking professionals share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

"What's New in Cisco Documentation" is an online publication that provides information about the latest documentation releases for Cisco products. Updated monthly, this online publication is organized by product category to direct you quickly to the documentation for your products. You can view the latest release of "What's New in Cisco Documentation" at this URL:

http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html