
Cisco Business Edition 5000

Cisco Unified Communications Manager SCCP Integration Guide for Cisco Unity Connection in Cisco Unified CMBE 6.x


Table Of Contents

Cisco Unified Communications Manager SCCP Integration Guide for Cisco Unity Connection in Cisco Unified CMBE 6.x

Integration Tasks

Task List to Create the Integration

Requirements

Integration Description

Call Information

Integration Functionality

Integrations with Multiple Phone Systems

Planning How the Voice Messaging Ports Will Be Used by Cisco Unity Connection

Programming the Cisco Unified Communications Manager Phone System

Creating a New Integration with Cisco Unified Communications Manager

Setting Up Cisco Unified CM Authentication and Encryption with Cisco Unity Connection

Testing the Integration


Appendix: Cisco Unified Communications Manager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports

Cisco Unified CM Security Features

Functional Overview

Requirements

Security Mode Settings in Cisco Unity Connection


Appendix: Documentation and Technical Assistance

Conventions

Obtaining Documentation, Obtaining Support, and Security Guidelines


Cisco Unified Communications Manager SCCP Integration Guide for Cisco Unity Connection in Cisco Unified CMBE 6.x


Revised May 28, 2008

This document provides instructions for integrating Cisco Unified Communications Manager (CM) (formerly known as Cisco Unified CallManager) with Cisco Unity Connection by Skinny Call Control Protocol (SCCP) in a Cisco Unified CMBE installation.

This document applies only when Cisco Unity Connection is installed as Cisco Unified Communications Manager Business Edition (CMBE)—on the same server with Cisco Unified Communications Manager. This document does not apply to the configuration in which Cisco Unity Connection is installed on a separate server from Cisco Unified Communications Manager.

Cisco Unity Connection supports an SCCP integration when Cisco Unified CM has only SCCP phones or has both SCCP and SIP phones.

Integration Tasks

Before doing the following tasks to integrate Cisco Unity Connection with the Cisco Unified Communications Manager phone system, confirm that the Cisco Unity Connection server is ready for the integration by completing the applicable tasks in the Installation Guide for Cisco Unity Connection.

The following task lists describe the process for creating the integration.

Task List to Create the Integration

Use the following task list to set up a new integration with the Cisco Unified Communications Manager SCCP phone system when it is installed as Cisco Unified CMBE.

1. Review the system and equipment requirements to confirm that all phone system and Cisco Unity Connection server requirements have been met. See the "Requirements" section.

2. Plan how the voice messaging ports will be used by Cisco Unity Connection. See the "Planning How the Voice Messaging Ports Will Be Used by Cisco Unity Connection" section.

3. Program Cisco Unified Communications Manager. See the "Programming the Cisco Unified Communications Manager Phone System" section.

4. Create the integration. See the "Creating a New Integration with Cisco Unified Communications Manager" section.

5. Test the integration. See the "Testing the Integration" section.

Requirements

The Cisco Unified Communications Manager integration supports configurations of the following components:

Phone System

A Cisco IP telephony applications server consisting of Cisco Unified Communications Manager Business Edition (CMBE) 6.x.

The following phones or combinations of phones for the Cisco Unified CM extensions:

Only IP phones for the Cisco Unified CM extensions.

Both IP phones and SIP phones for the Cisco Unified CM extensions without a media termination point (MTP) on the Cisco Unified CM server.

Both IP phones and SIP phones for the Cisco Unified CM extensions with a media termination point (MTP) on the Cisco Unified CM server.

A LAN connection in each location where you will plug the applicable phone into the network.

Cisco Unity Connection Server

Cisco Unity Connection installed as Cisco Unified CMBE.


Caution: Cisco Unity Connection cannot be installed on a separate computer from Cisco Unified CM. Otherwise, the integration for the Cisco Unified CMBE installation may not function correctly.

A license that enables the appropriate number of voice messaging ports.

Integration Description

The Cisco Unified Communications Manager integration makes connections through a LAN or WAN. A gateway provides connections to the PSTN.

Call Information

The phone system sends the following information with forwarded calls:

The extension of the called party

The extension of the calling party (for internal calls) or the phone number of the calling party (if it is an external call and the system uses caller ID)

The reason for the forward (the extension is busy, does not answer, or is set to forward all calls)

Cisco Unity Connection uses this information to answer the call appropriately. For example, a call forwarded to Cisco Unity Connection is answered with the personal greeting of the user. If the phone system routes the call to Cisco Unity Connection without this information, Cisco Unity Connection answers with the opening greeting.

Integration Functionality

The Cisco Unified Communications Manager integration with Cisco Unity Connection provides the following features:

Call forward to personal greeting

Call forward to busy greeting

Caller ID

Easy message access (a user can retrieve messages without entering an ID because Cisco Unity Connection identifies the user based on the extension from which the call originated; a password may be required)

Identified user messaging (Cisco Unity Connection identifies the user who leaves a message during a forwarded internal call, based on the extension from which the call originated)

Message waiting indication (MWI)

Integrations with Multiple Phone Systems

When Cisco Unity Connection is installed as Cisco Unified Communications Manager Business Edition (CMBE)—on the same server with Cisco Unified CM—Cisco Unity Connection cannot be integrated with multiple phone systems at one time. In the Cisco Unified CMBE configuration, Cisco Unity Connection can integrate only with Cisco Unified CM by Skinny Call Control Protocol (SCCP). No other phone system integrations are supported.

Planning How the Voice Messaging Ports Will Be Used by Cisco Unity Connection

Before programming the phone system, you need to plan how the voice messaging ports will be used by Cisco Unity Connection. The following considerations will affect the programming for the phone system (for example, setting up the hunt group or call forwarding for the voice messaging ports):

The number of voice messaging ports installed.

The number of voice messaging ports that will answer calls.

The number of voice messaging ports that will only dial out, for example, to send message notification, to set message waiting indicators (MWI), and to make telephone record and playback (TRAP) connections.

The following table describes the voice messaging port settings in Cisco Unity Connection that can be set on Telephony Integrations > Port page of Cisco Unity Connection Administration.

Table 1 Settings for the Voice Messaging Ports 

Field
Considerations

Enabled

Check this check box to enable the port. The port is enabled during normal operation.

Uncheck this check box to disable the port. When the port is disabled, calls to the port get a ringing tone but are not answered. Typically, the port is disabled only by the installer during testing.

Extension

Enter the extension for the port as assigned on the phone system.

Answer Calls

Check this check box to designate the port for answering calls. These calls can be incoming calls from unidentified callers or from users.

Perform Message Notification

Check this check box to designate the port for notifying users of messages. Assign Perform Message Notification to the least busy ports.

Send MWI Requests

Check this check box to designate the port for turning MWIs on and off. Assign Send MWI Requests to the least busy ports.

Allow TRAP Connections

Check this check box so that users can use the port for recording and playback through the phone in Cisco Unity Connection web applications. Assign Allow TRAP Connections to the least busy ports.

Outgoing Hunt Order

Enter the priority order in which Cisco Unity Connection will use the ports when dialing out (for example, if the Perform Message Notification, Send MWI Requests, or Allow TRAP Connections check box is checked). The highest numbers are used first. However, when multiple ports have the same Outgoing Hunt Order number, Cisco Unity Connection will use the port that has been idle the longest.

Security Mode

Click the applicable security mode:

Non-secure—The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CM through a non-authenticated port rather than an authenticated TLS port. In addition, the media stream will not be encrypted.

Authenticated—The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CM through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text. In addition, the media stream will not be encrypted.

Encrypted—The integrity and privacy of call-signaling messages will be ensured on this port because they will be connected to Cisco Unified CM through an authenticated TLS port, and the call-signaling messages will be encrypted. In addition, the media stream will be encrypted.


The Number of Voice Messaging Ports to Install

The number of voice messaging ports to install depends on numerous factors, including:

The number of calls Cisco Unity Connection will answer when call traffic is at its peak.

The expected length of each message that callers will record and that users will listen to.

The number of users.

The number of ports that will be set to dial out only.

The number of calls made for message notification.

The number of MWIs that will be activated when call traffic is at its peak.

The number of TRAP connections needed when call traffic is at its peak. (TRAP connections are used by Cisco Unity Connection web applications to play back and record over the phone.)

The number of calls that will use the automated attendant and call handlers when call traffic is at its peak.

It is best to install only the number of voice messaging ports that are needed so that system resources are not allocated to unused ports.

The Number of Voice Messaging Ports That Will Answer Calls

The calls that the voice messaging ports answer can be incoming calls from unidentified callers or from users. Typically, the voice messaging ports that answer calls are the busiest.

You can set voice messaging ports to both answer calls and to dial out (for example, to send message notifications). However, when the voice messaging ports perform more than one function and are very active (for example, answering many calls), the other functions may be delayed until the voice messaging port is free (for example, message notifications cannot be sent until there are fewer calls to answer). For best performance, dedicate certain voice messaging ports for only answering incoming calls, and dedicate other ports for only dialing out. Separating these port functions eliminates the possibility of a collision, in which an incoming call arrives on a port at the same time that Cisco Unity Connection takes the port off-hook to dial out.

The Number of Voice Messaging Ports That Will Only Dial Out, and Not Answer Calls

Ports that will only dial out and will not answer calls can do one or more of the following:

Notify users by phone, pager, or e-mail of messages that have arrived.

Turn MWIs on and off for user extensions.

Make a TRAP connection so that users can use the phone as a recording and playback device in Cisco Unity Connection web applications.

Typically, these voice messaging ports are the least busy ports.


Caution: In programming the phone system, do not send calls to voice messaging ports in Cisco Unity Connection that cannot answer calls (voice messaging ports that are not set to Answer Calls). For example, if a voice messaging port is set only to Send MWI Requests, do not send calls to it.

Preparing for Programming the Phone System

Record your decisions about the voice messaging ports to guide you in programming the phone system.
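
The port-planning rules above, as an added example that is not part of the original Cisco guide: a small Python model of Table 1 that picks a dial-out port the way the Outgoing Hunt Order field describes and lists what each port's Security Mode leaves unprotected. The Port class, its field names, the finding labels, and the busy/idle_seconds runtime values are assumptions made for illustration.

```python
from dataclasses import dataclass

# What each Security Mode guarantees, as described in Table 1:
# (signaling integrity, signaling privacy, media stream encrypted)
SECURITY_MODES = {
    "Non-secure": (False, False, False),
    "Authenticated": (True, False, False),
    "Encrypted": (True, True, True),
}
DIAL_OUT_ROLES = ("notify", "mwi", "trap")


@dataclass
class Port:
    """One voice messaging port (hypothetical model of the Table 1 fields)."""
    extension: str
    answer_calls: bool = False   # Answer Calls
    notify: bool = False         # Perform Message Notification
    mwi: bool = False            # Send MWI Requests
    trap: bool = False           # Allow TRAP Connections
    hunt_order: int = 0          # Outgoing Hunt Order
    security_mode: str = "Non-secure"
    enabled: bool = True
    busy: bool = False           # assumed runtime state, not a setting
    idle_seconds: int = 0        # assumed runtime state, not a setting


def pick_dial_out_port(ports, role):
    """Return the extension used for a dial-out of `role`, or None.

    Highest Outgoing Hunt Order wins; on a tie, the port that has been
    idle the longest is used.
    """
    candidates = [p for p in ports
                  if p.enabled and not p.busy and getattr(p, role)]
    if not candidates:
        return None
    best = max(candidates, key=lambda p: (p.hunt_order, p.idle_seconds))
    return best.extension


def review_plan(ports, licensed_ports):
    """Return (extension, finding) pairs for a planned set of ports."""
    findings = []
    if len(ports) > licensed_ports:
        findings.append(("*", "exceeds-license"))
    for p in ports:
        dials_out = any(getattr(p, r) for r in DIAL_OUT_ROLES)
        if p.answer_calls and dials_out:
            # Allowed, but dial-out work waits while the port answers calls
            # and an incoming call can collide with an off-hook dial-out.
            findings.append((p.extension, "mixed-role"))
        if not p.answer_calls and not dials_out:
            findings.append((p.extension, "no-function-assigned"))
        integrity, privacy, media = SECURITY_MODES[p.security_mode]
        if not integrity:
            findings.append((p.extension, "unauthenticated-signaling"))
        if not privacy:
            findings.append((p.extension, "cleartext-signaling"))
        if not media:
            findings.append((p.extension, "media-not-encrypted"))
    return findings


# Constructed sample plan: two answering ports, two dial-out ports.
SAMPLE_PORTS = [
    Port("1001", answer_calls=True, security_mode="Encrypted"),
    Port("1002", answer_calls=True, notify=True, hunt_order=1,
         security_mode="Encrypted", idle_seconds=30),
    Port("1003", notify=True, mwi=True, hunt_order=5,
         security_mode="Authenticated", idle_seconds=10),
    Port("1004", mwi=True, trap=True, hunt_order=5,
         security_mode="Encrypted", idle_seconds=90),
]

if __name__ == "__main__":
    for role in DIAL_OUT_ROLES:
        print(role, "->", pick_dial_out_port(SAMPLE_PORTS, role))
    for extension, finding in review_plan(SAMPLE_PORTS, licensed_ports=4):
        print(extension, finding)
```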

Programming the Cisco Unified Communications Manager Phone System

After Cisco Unified Communications Manager software is installed, do the following procedures in the order given.

To Add Partitions and a Calling Search Space to Contain the Voice Mail Ports


Step 1 In Cisco Unified CM Administration, click Call Routing > Class of Control > Partition.

Step 2 On the Find and List Partitions page, click Add New.

Step 3 On the Partition Configuration page, enter the name and description you want for the partition that will contain all voice mail port directory numbers. For example, enter "VMRestrictedPT, Partition for voice mail port directory numbers."

Step 4 Click Save.

Step 5 Click Add New.

Step 6 Enter the name and description you want for the partition that will contain the hunt pilot, which will be the voice mail pilot number. For example, enter "VMPilotNumberPT, Partition for the voice mail pilot number."

Step 7 Click Save.

Step 8 Click Call Routing > Class of Control > Calling Search Space.

Step 9 On the Find and List Calling Search Spaces page, click Add New.

Step 10 On the Calling Search Space Configuration page, in the Name field, enter a name for the calling search space that will include the partition created in Step 2 through Step 4. For example, enter "VMRestrictedCSS."

Step 11 Optionally, in the Description field, enter a description of the calling search space. For example, enter "Voice mail port directory numbers."

Step 12 In the Available Partitions list, click the name of the partition created in Step 2 through Step 4. For example, click "VMRestrictedPT."

Step 13 Click the down arrow below the Available Partitions list.

The name of the partition appears in the Selected Partitions list.

Step 14 Click Save.

Step 15 In the Related Links field, click Back to Find/List and click Go.

Step 16 On the Find and List Calling Search Spaces page, click Find.

Step 17 Click the name of the calling search space that is used by user phones.

Step 18 On the Calling Search Space Configuration page, in the Available Partitions list, click the name of the partition created in Step 5 through Step 7. For example, click "VMPilotNumberPT."


Caution: If the partition that contains the hunt pilot (which will be the voice mail pilot number) is not in the calling search space that is used by user phones, the phones will not be able to dial the Cisco Unity Connection server.

Step 19 Click the down arrow below the Available Partitions list.

The name of the partition appears in the Selected Partitions list.

Step 20 Click Save.

Step 21 Repeat Step 17 through Step 20 for each remaining calling search space that needs to access Cisco Unity Connection.


To Add a Device Pool for the Voice Mail Ports


Step 1 In Cisco Unified CM Administration, click System > Device Pool.

Step 2 On the Find and List Device Pools page, click Add New.

Step 3 On the Device Pool Configuration page, enter the following device pool settings.

Table 2 Settings for the Device Pool Configuration Page 

Field
Setting

Device Pool Name

Enter Cisco Unity Connection Voice Mail Ports or other description for this device pool.

Cisco Unified Communications Manager Group

Click the Cisco Unified Communications Manager group to assign to the voice mail ports in this device pool.

Date/Time Group

Click the date/time group to assign to the voice mail ports in this device pool.

Region

Click the Cisco Unified CM region to assign to the voice mail ports in this device pool.

SRST Reference

If applicable, click the survivable remote site telephony (SRST) reference to assign to the voice mail ports in this device pool.


Step 4 Click Save.


In the following procedure, add a voice mail port to Cisco Unified CM for each voice mail port that you will connect to Cisco Unity Connection.

To Add Voice Mail Ports to Cisco Unified CM


Step 1 In Cisco Unified CM Administration, click Voice Mail > Cisco Voice Mail Port Wizard.

Step 2 On the Cisco Voice Mail Server page, the name of the voice mail server appears. We recommend that you accept the default name for the voice mail server. If you must use a different name, however, the name must have no more than nine characters.

The voice mail server name must match the Device Name Prefix field in Cisco Unity Connection on the Port Group Basics page for the voice messaging ports.

Step 3 Click Next.

Step 4 On the Cisco Voice Mail Ports page, click the number of voice mail ports that you want to add (which must not be more voice mail ports than the Cisco Unity Connection license enables), then click Next.

If you will integrate Cisco Unity Connection with multiple clusters of Cisco Unified CM, the number you enter here cannot bring the total number of ports on all clusters integrated with Cisco Unity Connection to more than the number of ports enabled by the Cisco Unity Connection license.

Step 5 On the Cisco Voice Mail Device Information page, enter the following voice mail device settings.

Table 3 Settings for the Cisco Voice Mail Device Information Page 

Field
Setting

Description

Enter Cisco Voice Mail Port or another description for the voice mail device.

Device Pool

Click the name of the device pool you created for the voice mail ports. For example, click Cisco Unity Connection Voice Mail Ports.

Calling Search Space

Click the name of a calling search space that allows calls to the user phones and any required network devices.

This calling search space must include partitions that contain all devices Cisco Unity Connection needs to access (for example, during call transfers, message notifications, and MWI activations).

AAR Calling Search Space

Accept the default of None.

Location

Click Hub_None.

Device Security Mode

Click the security mode that you want to use for the voice mail ports. For details on the settings for Cisco Unified CM authentication and encryption of the voice mail ports, see the "Appendix: Cisco Unified Communications Manager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports" section.


Step 6 Click Next.

Step 7 On the Cisco Voice Mail Directory Numbers page, enter the following voice mail directory number settings.

Table 4 Settings for the Cisco Voice Mail Directory Numbers Page 

Field
Setting

Beginning Directory Number

Enter the extension number of the first voice mail port.

Partition

Click the name of the partition that you set up for all voice mail port directory numbers. For example, click "VMRestrictedPT."

Calling Search Space

Click the name of a calling search space that you set up to contain the partition with all voice mail port directory numbers, as set in Step 9 of the "To Add Partitions and a Calling Search Space to Contain the Voice Mail Ports" procedure. For example, click "VMRestrictedCSS."

Because this calling search space is not used by user phones, users are not able to dial the voice mail ports. However, users can dial the voice mail pilot number.

AAR Group

Click the automated alternate routing (AAR) group for the voice mail ports. The AAR group provides the prefix digits that are used to route calls that are otherwise blocked due to insufficient bandwidth. If you click None, no rerouting of blocked calls will be attempted.

Internal Caller ID Display

Accept the default of VoiceMail.

This text appears on the phone when the pilot number is dialed.

Internal Caller ID Display (ASCII Format)

Accept the default of VoiceMail.

This text appears on the phone when the pilot number is dialed.

External Number Mask

Leave this field blank, or specify the mask used to format caller ID information for external (outbound) calls. The mask can contain up to 50 characters. Enter the literal digits that you want to appear in the caller ID information, and enter X for each digit in the directory number of the device.


Step 8 Click Next.

Step 9 On the Do You Want to Add These Directory Numbers to a Line Group page, click No, I Will Add Them Later, and click Next.

Step 10 On the Ready to Add Cisco Voice Mail Ports page, confirm that the settings for the voice mail ports are correct, and click Finish.

If the settings are not correct, click Back and enter the correct settings.


To Add Voice Mail Ports to Line Groups


Step 1 In Cisco Unified CM Administration, click Call Routing > Route/Hunt > Line Group.

Step 2 On the Find and List Line Groups page, click Add New.

This line group will contain directory numbers for voice mail ports that will answer calls. Directory numbers for voice mail ports that will only dial out (for example, to set MWIs) must not be included in this line group.

Step 3 On the Line Group Configuration page, enter the following settings.

Table 5 Settings for the Line Group Configuration Page for Answering Ports 

Field
Setting

Line Group Name

Enter Cisco Unity Connection Answering Ports or another unique name for line groups.

RNA Reversion Timeout

Accept the default of 10.

Distribution Algorithm

Click Top Down.

No Answer

Accept the default of Try Next Member; Then, Try Next Group in Hunt List.

Busy

Accept the default of Try Next Member; Then, Try Next Group in Hunt List.

Not Available

Accept the default of Try Next Member; Then, Try Next Group in Hunt List.


Step 4 Under Line Group Member Information, in the Partition list, click the name of the partition that you set up for all voice mail port directory numbers. For example, click "VMRestrictedPT."

Step 5 Click Find.

Step 6 In the Available DN/Route Partition list, click the first directory number of a voice mail port that will answer calls, and click Add to Line Group.


Caution: The directory numbers in the Selected DN/Route Partition list must appear in numerical sequence with the lowest number on top. Otherwise, the integration will not function correctly.

Step 7 Repeat Step 6 for all remaining directory numbers of voice mail ports that will answer calls.


Caution: Do not include directory numbers of voice mail ports that will only dial out (for example, to set MWIs). Otherwise, the integration will not function correctly.

Step 8 Click Save.

Step 9 If you will have voice mail ports that will only dial out (will not answer calls), do Step 10 through Step 16.

Otherwise, skip the remaining steps in this procedure and continue on to the "To Add the Line Group to a Hunt List" procedure.

Step 10 Click Add New.

This line group will contain directory numbers for voice mail ports that will only dial out. Directory numbers for voice mail ports that answer calls must not be included in this line group.

Step 11 On the Line Group Configuration page, enter the following settings.

Table 6 Settings for the Line Group Configuration Page for Dial-Out Ports 

Field
Setting

Line Group Name

Enter Cisco Unity Connection Dial-Out Ports or another unique name.

RNA Reversion Timeout

Accept the default of 10.

Distribution Algorithm

Click Top Down.

No Answer

Click Stop Hunting.

Busy

Click Stop Hunting.

Not Available

Click Stop Hunting.


Step 12 Under Line Group Member Information, in the Partition list, click the name of the partition that you set up for all voice mail port directory numbers. For example, click "VMRestrictedPT."

Step 13 Click Find.

Step 14 In the Available DN/Route Partition list, click the first directory number of a voice mail port that will only dial out, and click Add to Line Group.


Caution: The directory numbers in the Selected DN/Route Partition list must appear in numerical sequence with the lowest number on top. Otherwise, the integration will not function correctly.

Step 15 Repeat Step 14 for all remaining voice mail ports that will only dial out.


Caution: Do not include directory numbers of voice mail ports that will answer calls. Otherwise, the integration will not function correctly.

Step 16 Click Save.


To Add the Line Group to a Hunt List


Step 1 In Cisco Unified CM Administration, click Call Routing > Route/Hunt > Hunt List.

Step 2 On the Find and List Hunt Lists page, click Add New.

Step 3 On the Hunt List Configuration page, enter the following settings for the hunt list.

Table 7 Settings for the Hunt List Configuration Page for Answering Ports 

Field
Setting

Name

Enter Cisco Unity Connection Answering Ports or another unique name for the hunt list.

Description

Enter Cisco Unity Connection ports that answer calls or another description.

Cisco Unified Communications Manager Group

Click Default or the name of the Cisco Unified Communications Manager group that you are using.

Enable This Hunt List

Check this check box.

For Voice Mail Usage

Check this check box.


Step 4 Click Save.

Step 5 Under Hunt List Member Information, click Add Line Group.

Step 6 On the Hunt List Detail Configuration page, in the Line Group list, click the line group you created for the directory numbers of voice mail ports that will answer calls, then click Save.


Caution: In the hunt list, do not include line groups with voice mail ports that Cisco Unity Connection will use to dial out. Otherwise, the integration will not function correctly.

Step 7 When alerted that the line group has been inserted, click OK.

Step 8 On the Hunt List Configuration page, click Reset.

Step 9 When asked to confirm resetting the hunt list, click Reset.

Step 10 When alerted that the hunt list has been reset, click Close.


To Add the Hunt List to a Hunt Pilot Number


Step 1 In Cisco Unified CM Administration, click Call Routing > Route/Hunt > Hunt Pilot.

Step 2 On the Find and List Hunt Pilots page, click Add New.

Step 3 On the Hunt Pilot Configuration page, enter the following settings for the hunt pilot.

Table 8 Settings for Hunt Pilot Configuration Page 

Field
Setting

Hunt Pilot

Enter the hunt pilot number for the voice mail ports. The hunt pilot number must be different from the extension numbers of the voice mail ports.

The hunt pilot number is the extension number that users enter to listen to their voice messages.

Partition

Click the name of the partition that you set up for the voice mail pilot number. For example, click "VMPilotNumberPT."

Description

Enter Connection Hunt Pilot or another description.

Numbering Plan

Accept the default setting, or click the numbering plan that you have set up for your system.

Route Filter

Click None, or click the name of the route filter that you set up for your system.

MLPP Precedence

Accept the default setting, or click another setting.

Hunt List

Click the hunt list of voice mail ports that answer calls, which you set up in the "To Add the Line Group to a Hunt List" procedure.

Route Option

Click Route This Pattern.

Provide Outside Dial Tone

Uncheck the check box.


Step 4 Click Save.


To Specify MWI Directory Numbers


Step 1 In Cisco Unified CM Administration, click Voice Mail > Message Waiting.

Step 2 On the Find and List Message Waiting Numbers page, click Add New.

Step 3 On the Message Waiting Configuration page, enter the following settings for turning MWIs on.

Table 9 Settings for Turning MWIs On 

Field
Setting

Message Waiting Number

Enter the unique extension that turns MWIs on.

Partition

Click the name of the partition that you set up for the voice mail pilot number. For example, click "VMPilotNumberPT."

Description

Enter DN to turn MWIs on or another description.

Message Waiting Indicator

Click On.

Calling Search Space

Click a calling search space that is used by user phones.


Step 4 Click Save.

Step 5 Click Add New.

Step 6 Enter the following settings for turning MWIs off.

Table 10 Settings for Turning MWIs Off 

Field
Setting

Message Waiting Number

Enter the unique extension that turns MWIs off.

Partition

Click the name of the partition that you set up for the voice mail pilot number. For example, click "VMPilotNumberPT."

Description

Enter DN to turn MWIs off or another description.

Message Waiting Indicator

Click Off.

Calling Search Space

Click a calling search space that is used by user phones.


Step 7 Click Save.


In the following procedure, you will add the voice mail pilot number, which is the extension that you dial to listen to your voice messages. Your Cisco IP phone automatically dials the voice mail pilot number when you press the Messages button.

To Add a Voice Mail Pilot Number for the Voice Mail Ports


Step 1 In Cisco Unified CM Administration, click Voice Mail > Voice Mail Pilot.

Step 2 On the Find and List Voice Mail Pilots page, click Add New.

Step 3 On the Voice Mail Pilot Configuration page, enter the following voice mail pilot number settings.

Table 11 Settings for the Voice Mail Pilot Configuration Page 

Field
Setting

Voice Mail Pilot Number

Enter the voice mail pilot number that users will dial to listen to their voice messages. This number must be the same as the hunt pilot number that you entered when adding voice mail ports earlier.

Calling Search Space

Click the calling search space that includes partitions containing the user phones and the partition you set up for the voice mail pilot number.

Description

Enter Cisco Unity Connection Pilot or another description.

Make This the Default Voice Mail Pilot for the System

Check this check box. When this check box is checked, this voice mail pilot number replaces the current default pilot number.


Step 4 Click Save.


To Set Up the Voice Mail Profile


Step 1 In Cisco Unified CM Administration, click Voice Mail > Voice Mail Profile.

Step 2 On the Find and List Voice Mail Profiles page, click Add New.

Step 3 On the Voice Mail Profile Configuration page, enter the following voice mail profile settings.

Table 12 Settings for the Voice Mail Profile Configuration Page 

Field
Setting

Voice Mail Profile Name

Enter a name to identify the voice mail profile.

Description

Enter Cisco Unity Connection Profile or another description.

Voice Mail Pilot

Click one of the following:

The applicable voice mail pilot number that you defined on the Voice Mail Pilot Configuration page

Use Default

Voice Mail Box Mask

When multitenant services are not enabled on Cisco Unified CM, leave this field blank.

When multitenant services are enabled, each tenant uses its own voice mail profile and must create a mask to identify the extensions (directory numbers) in each partition that is shared with other tenants. For example, one tenant can use a mask 972813XXXX, while another tenant can use the mask 214333XXXX. Each tenant also uses its own translation patterns for MWIs.

Make This the Default Voice Mail Profile for the System

Check this check box to make this voice mail profile the default.

When this check box is checked, this voice mail profile replaces the current default voice mail profile.


Step 4 Click Save.


To Set Up the Voice Mail Server Service Parameters


Step 1 In Cisco Unified CM Administration, click System > Service Parameters.

Step 2 On the Service Parameters Configuration page, in the Server field, click the name of the Cisco Unified CM server.

Step 3 In the Service list, click Cisco CallManager. The list of parameters appears.

Step 4 Under Clusterwide Parameters (Feature - General), locate the Multiple Tenant MWI Modes parameter.

Step 5 If you use multiple tenant MWI notification, click True.

When this parameter is set to True, Cisco Unified CM uses any configured translation patterns to convert voice mail extensions into directory numbers when turning on or off an MWI.

Step 6 If you changed any settings, click Save. Then shut down and restart the Cisco Unified CM server.


Creating a New Integration with Cisco Unified Communications Manager

After ensuring that Cisco Unified Communications Manager and Cisco Unity Connection are ready for the integration, do the following procedure to set up the integration and to enter the port settings.

To Create an Integration


Step 1 Log on to Cisco Unity Connection Administration.

Step 2 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port Group.

Step 3 On the Search Port Groups page, click Add New.

Step 4 On the New Port Group page, enter the following settings and click Save.

Table 13 Settings for the New Port Group Page 

Field
Setting

Display Name

Accept the default name, which is composed of the phone system display name followed by an incrementing number, or enter another descriptive name.

Phone System

Confirm that the Cisco Unified CM phone system is selected.

Create From

Click the Port Group Template radio button, and click SCCP - Skinny Client Control Protocol in the drop-down list box.

Device Name Prefix

Click the prefix that Cisco Unified CM adds to the device name for voice ports. This prefix must match the prefix used by Cisco Unified CM for the voice ports that the port group will have.

Create MWI On Extension From

Do one of the following:

Click the Co-Resident Cisco Unified Communications Manager radio button, and click the extension that you specified in Cisco Unified CM Administration for turning MWIs on.

Click Custom, and enter the custom extension that you want to use for turning MWIs on.

MWI Off Extension

Do one of the following:

Click the Co-Resident Cisco Unified Communications Manager radio button, and click the extension that you specified in Cisco Unified CM Administration for turning MWIs off.

Click Custom, and enter the custom extension that you want to use for turning MWIs off.

IP Address or Host Name

Confirm that the IP address (or host name) of the Cisco Unified CM server appears.

Port

Enter the TCP port of the Cisco Unified CM server. We recommend that you use the default setting.

TLS Port

Enter the TLS port of the Cisco Unified CM server. We recommend that you use the default setting.


Step 5 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port.

Step 6 On the Search Ports page, click Add New.

Step 7 On the New Port page, enter the following settings and click Save.

Table 14 Voice Messaging Port Settings 

Field
Considerations

Enabled

Check this check box to enable the port. The port is enabled during normal operation.

Uncheck this check box to disable the port. When the port is disabled, calls to the port get a ringing tone but are not answered. Typically, the port is disabled only by the installer during testing.

Number of Ports

Enter the number of voice messaging ports that you want to add to the port group.

Note that you cannot add more voice messaging ports than you created in Cisco Unified CM Administration.

Phone System

Confirm that the Cisco Unified CM phone system is selected.

Port Group

Confirm that the port group that you created in Step 4 is selected.

Security Mode

Click the applicable security mode:

Non-secure—The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CM through a non-authenticated port rather than an authenticated TLS port. In addition, the media stream will not be encrypted.

Authenticated—The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CM through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text. In addition, the media stream will not be encrypted.

Encrypted—The integrity and privacy of call-signaling messages will be ensured on this port because they will be connected to Cisco Unified CM through an authenticated TLS port, and the call-signaling messages will be encrypted. In addition, the media stream will be encrypted.


Step 8 On the Search Ports page, click the display name of the first voice messaging port that you created for this phone system integration.

Step 9 On the Port Basics page, set the voice messaging port settings as applicable. The fields in the following table are the ones that you can change.

Table 15 Settings for the Voice Messaging Ports 

Field
Considerations

Enabled

Check this check box to enable the port. The port is enabled during normal operation.

Uncheck this check box to disable the port. When the port is disabled, calls to the port get a ringing tone but are not answered. Typically, the port is disabled only by the installer during testing.

Extension

Enter the extension for the port as assigned on the phone system.

Answer Calls

Check this check box to designate the port for answering calls. These calls can be incoming calls from unidentified callers or from users.

Perform Message Notification

Check this check box to designate the port for notifying users of messages. Assign Perform Message Notification to the least busy ports.

Send MWI Requests

Check this check box to designate the port for turning MWIs on and off. Assign Send MWI Requests to the least busy ports.

Allow TRAP Connections

Check this check box so that users can use the port for recording and playback through the phone in Cisco Unity Connection web applications. Assign Allow TRAP Connections to the least busy ports.

Outgoing Hunt Order

Enter the priority order in which Cisco Unity Connection will use the ports when dialing out (for example, if the Perform Message Notification, Send MWI Requests, or Allow TRAP Connections check box is checked). The highest numbers are used first. However, when multiple ports have the same Outgoing Hunt Order number, Cisco Unity Connection will use the port that has been idle the longest.

Security Mode

Click the applicable security mode:

Non-secure—The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CM through a non-authenticated port rather than an authenticated TLS port. In addition, the media stream will not be encrypted.

Authenticated—The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CM through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text. In addition, the media stream will not be encrypted.

Encrypted—The integrity and privacy of call-signaling messages will be ensured on this port because they will be connected to Cisco Unified CM through an authenticated TLS port, and the call-signaling messages will be encrypted. In addition, the media stream will be encrypted.


Step 10 Click Save.

Step 11 Click Next.

Step 12 Repeat Step 9 through Step 11 for all remaining voice messaging ports for the phone system.

Step 13 If prompted to restart the Connection Conversation Manager service, do the following substeps. Otherwise, continue to Step 14.

a. In the Navigation drop-down list, click Cisco Unity Connection Serviceability and click Go.

b. On the Cisco Unity Connection Serviceability page, on the Tools menu, click Control Center - Feature Services.

c. On the Control Center - Feature Services page, in the Server drop-down list, click the name of the Cisco Unity Connection server and click Go.

d. Under Cisco Unity Connection Services, click Connection Conversation Manager.

e. At the top of the page, click Restart.

f. When prompted to confirm restarting the service, click Yes.

g. In the Navigation drop-down list, click Cisco Unity Connection Administration and click Go.

h. In Cisco Unity Connection Administration, expand Telephony Integrations, then click Phone System.

Step 14 In the Related Links drop-down list, click Check Telephony Configuration and click Go to confirm the phone system integration settings.

If the test is not successful, the Task Execution Results window displays one or more messages with troubleshooting steps. After correcting the problems, test the connection again.

Step 15 In the Task Execution Results window, click Close.

Step 16 If you do not want to set up for Cisco Unified CM authentication and encryption, log off Cisco Unity Connection Administration, skip the remaining procedures in this chapter, and continue on to the "Testing the Integration" section.

If you want to set up for Cisco Unified CM authentication and encryption, continue with the "Setting Up Cisco Unified CM Authentication and Encryption with Cisco Unity Connection" section below.


Setting Up Cisco Unified CM Authentication and Encryption with Cisco Unity Connection

If you are not setting up Cisco Unified CM authentication and encryption, skip to the "Testing the Integration" section.

If you are setting up Cisco Unified CM authentication and encryption, do the following procedure.

For additional information about authentication and encryption with Cisco Unified CM and Cisco Unity Connection, see the "Appendix: Cisco Unified Communications Manager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports" section.


Caution The Cisco Unity Connection system clock must be synchronized with the Cisco Unified CM system clock for Cisco Unified CM authentication to function immediately. Otherwise, Cisco Unified CM will reject the Cisco Unity Connection voice messaging ports until the Cisco Unified CM system clock has passed the time stamp in the Cisco Unity Connection device certificates.

To Enable Cisco Unified CM Authentication and Encryption for Cisco Unity Connection Voice Messaging Ports


Step 1 If Cisco Unity Connection Administration is not already open, log on to Cisco Unity Connection Administration.

Step 2 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Port.

Step 3 On the Search Ports page, click the display name of the first voice messaging port for the Cisco Unified CM phone system integration.


Note By default, the display names for the voice messaging ports are composed of the port group display name followed by incrementing numbers.


Step 4 On the Port Basics page, confirm that the Security Mode field is set to the applicable setting.


Caution The Security Mode setting for Cisco Unity Connection voice messaging ports must match the security mode setting for the Cisco Unified CM ports. Otherwise, Cisco Unified CM authentication and encryption will fail.

Table 16 Security Mode Settings 

Setting
Effect

Non-secure

The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CM through a non-authenticated port rather than an authenticated TLS port.

In addition, the media stream will not be encrypted.

Authenticated

The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CM through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text.

In addition, the media stream will not be encrypted.

Encrypted

The integrity and privacy of call-signaling messages will be ensured because they will be connected to Cisco Unified CM through an authenticated TLS port, and the call-signaling messages will be encrypted.

In addition, the media stream can be encrypted.


Step 5 If you changed the setting, click Save and click Next.

Step 6 Repeat Step 4 and Step 5 for all remaining voice messaging ports for the Cisco Unified CM phone system integration.

Step 7 If prompted to restart the Connection Conversation Manager service, do the following substeps. Otherwise, continue to Step 8.

a. In the Navigation drop-down list, click Cisco Unity Connection Serviceability and click Go.

b. On the Cisco Unity Connection Serviceability page, on the Tools menu, click Control Center - Feature Services.

c. On the Control Center - Feature Services page, in the Server drop-down list, click the name of the Cisco Unity Connection server and click Go.

d. Under Cisco Unity Connection Services, click Connection Conversation Manager.

e. At the top of the page, click Restart.

f. When prompted to confirm restarting the service, click Yes.

Cisco Unity Connection generates the voice messaging port device certificates and the Cisco Unity Connection root certificate.

g. In the Navigation drop-down list, click Cisco Unity Connection Administration and click Go.

Step 8 In Cisco Unity Connection Administration, expand Telephony Integrations, then click Phone System.

Step 9 On the Search Phone Systems page, click the name of the Cisco Unified CM phone system for which you want to enable authentication and encryption of the Cisco Unity Connection voice messaging ports.

Step 10 On the Phone System Basics page, on the Edit menu, click Root Certificate.

Step 11 On the View Root Certificate page, right-click the Right-click to Save the Certificate as a File link, and click Save Target As.

Step 12 In the Save As dialog box, browse to the location where you want to save the Cisco Unity Connection root certificate as a file.

Step 13 In the File Name field, confirm that the extension is .pem (rather than .htm), and click Save.


Caution The certificate must be saved as a file with the extension .pem (rather than .htm) or Cisco Unified CM will not recognize the certificate.

Step 14 In the Download Complete dialog box, click Close.

Step 15 Copy the Cisco Unity Connection root certificate to all Cisco Unified CM servers in this Cisco Unified CM phone system integration by doing the following substeps.


Caution The Cisco Unity Connection system clock must be synchronized with the Cisco Unified CM system clock for Cisco Unified CM authentication to function immediately. Otherwise, Cisco Unified CM will not let the Cisco Unity Connection voice messaging ports register until the Cisco Unified CM system clock has passed the time stamp in the Cisco Unity Connection device certificates.

a. Log on to Cisco Unified Operating System Administration.

b. In Cisco Unified Operating System Administration, on the Security menu, click Certificate Management.

c. On the Certificate List page, click Upload Certificate.

d. On the Upload Certificate page, in the Certificate Name drop-down box, click CallManager-trust.

e. In the Root Certificate field, enter Cisco Unity Root Certificate.

f. To the right of the Upload File field, click Browse.

g. In the Choose File dialog box, browse to the Cisco Unity Connection root certificate that you saved in Step 13.

h. Click Open.

i. On the Upload Certificate page, click Upload File.

j. Click Close.

k. Restart the Cisco Unified CM server.

l. Repeat Step 15a. through Step 15k. on all remaining Cisco Unified CM servers in the cluster.

m. Repeat Step 15a. through Step 15l. to copy the Cisco Unity Connection root certificate to all Cisco Unified CM servers in all remaining Cisco Unified CM clusters.

Step 16 If prompted to restart the Connection Conversation Manager service, do the following substeps. Otherwise, continue to Step 17.

a. In the Navigation drop-down list, click Cisco Unity Connection Serviceability and click Go.

b. On the Cisco Unity Connection Serviceability page, on the Tools menu, click Control Center - Feature Services.

c. On the Control Center - Feature Services page, in the Server drop-down list, click the name of the Cisco Unity Connection server and click Go.

d. Under Cisco Unity Connection Services, click Connection Conversation Manager.

e. At the top of the page, click Restart.

f. When prompted to confirm restarting the service, click Yes.

Step 17 Log off Cisco Unity Connection Administration.
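A pre-upload check for the file saved in Step 13, as an added example that is not part of the Cisco guide or of any Cisco tool: it confirms the .pem extension and PEM content, then reads notBefore and notAfter with a minimal DER walker and compares them with a Cisco Unified CM clock reading that you supply. The function names and the sample certificate are constructed for illustration, and the check assumes that the device certificates, which are generated at the same service restart but are not in this file, carry a similar start time.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:  # long-form length: low bits give the byte count
        count = first & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length


def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # two-digit year, RFC 5280 pivot: 50-99 means 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("validity field is not a time value")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_from_der(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, off, _ = _tlv(der, cert_start)      # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:                        # optional explicit [0] version
        off = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, off = _tlv(der, off)
    tag, start, _ = _tlv(der, off)         # Validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, a, b = _tlv(der, start)
    t2, c, d = _tlv(der, b)
    return _time(t1, der[a:b]), _time(t2, der[c:d])


def check_export(filename, data, cm_clock):
    """Return findings for the saved file; an empty list means ready to upload."""
    findings = []
    if not filename.lower().endswith(".pem"):
        findings.append("file extension is not .pem")
    text = data.decode("ascii", errors="replace")
    match = PEM_RE.search(text)
    if match is None:
        kind = "an HTML page" if "<html" in text.lower() else "not PEM text"
        return findings + [f"content is {kind}, no CERTIFICATE block found"]
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        not_before, not_after = validity_from_der(der)
    except (ValueError, IndexError) as exc:
        return findings + [f"certificate does not parse: {exc}"]
    if cm_clock < not_before:
        findings.append(f"CM clock is {not_before - cm_clock} behind notBefore")
    if cm_clock > not_after:
        findings.append("certificate is past notAfter")
    return findings


def _der(tag, body):
    """Encode one DER element (bodies shorter than 256 bytes)."""
    head = bytes([tag, len(body)]) if len(body) < 0x80 else bytes([tag, 0x81, len(body)])
    return head + body


def constructed_sample(not_before, not_after):
    """Build an unsigned, certificate-shaped PEM for the demo (not a real certificate)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                      + _der(0x0C, b"constructed-root"))))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    times = b"".join(_der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
                     for t in (not_before, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + _der(0x30, times) + name)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n".encode()


if __name__ == "__main__":
    issued = datetime(2008, 5, 28, 12, 0, tzinfo=timezone.utc)
    pem = constructed_sample(issued, issued.replace(year=2028))
    print(check_export("root.pem", pem, issued + timedelta(hours=1)))     # clock in sync
    print(check_export("root.htm", pem, issued - timedelta(minutes=10)))  # both problems
```

Run the check against the bytes of the saved file and the time shown on each Cisco Unified CM server before doing Step 15; any finding means the ports would not register straight away.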


Testing the Integration

To test whether Cisco Unity Connection and the phone system are integrated correctly, do the following procedures in the order listed.

If any of the steps indicate a failure, see the following documentation as applicable:

The installation guide for the phone system.

The setup information earlier in this guide.

To Set Up the Test Configuration


Step 1 Set up two test extensions (Phone 1 and Phone 2) on the same phone system that Cisco Unity Connection is connected to.

Step 2 Set Phone 1 to forward calls to the Cisco Unity Connection pilot number when calls are not answered.


Caution The phone system must forward calls to the Cisco Unity Connection pilot number in no fewer than four rings. Otherwise, the test may fail.

Step 3 In Cisco Unity Connection Administration, expand Users, then click Users.

Step 4 On the Search Users page, click the display name of a user to use for testing. The extension for this user must be the extension for Phone 1.

Step 5 On the Edit User Basics page, uncheck the Set for Self-enrollment at Next Login check box.

Step 6 In the Voice Name field, record a voice name for the test user.

Step 7 Click Save.

Step 8 On the Edit menu, click Message Waiting Indicators.

Step 9 On the Message Waiting Indicators page, click the message waiting indicator. If no message waiting indicator is in the table, click Add New.

Step 10 On the Edit Message Waiting Indicator page, enter the following settings.

Table 17 Settings for the Edit MWI Page 

Field
Setting

Enabled

Check this check box to enable MWIs for the test user.

Display Name

Accept the default or enter a different name.

Inherit User's Extension

Check this check box to enable MWIs on Phone 1.


Step 11 Click Save.

Step 12 On the Edit menu, click Transfer Options.

Step 13 On the Transfer Options page, click the active option.

Step 14 On the Edit Transfer Option page, under Transfer Action, click the Extension option and enter the extension of Phone 1.

Step 15 In the Transfer Type field, click Release to Switch.

Step 16 Click Save.

Step 17 Minimize the Cisco Unity Connection Administration window.

Do not close the Cisco Unity Connection Administration window because you will use it again in a later procedure.

Step 18 Log on to the Real-Time Monitoring Tool (RTMT).

Step 19 On the Unity Connection menu, click Port Monitor. The Port Monitor tool appears in the right pane.

Step 20 In the right pane, click Start Polling. The Port Monitor will display which port is handling the calls that you will make.


To Test an External Call with Release Transfer


Step 1 From Phone 2, enter the access code necessary to get an outside line, then enter the number outside callers use to dial directly to Cisco Unity Connection.

Step 2 In the Port Monitor, note which port handles this call.

Step 3 When you hear the opening greeting, enter the extension for Phone 1. Hearing the opening greeting means that the port is configured correctly.

Step 4 Confirm that Phone 1 rings and that you hear a ringback tone on Phone 2. Hearing a ringback tone means that Cisco Unity Connection correctly released the call and transferred it to Phone 1.

Step 5 Leaving Phone 1 unanswered, confirm that the state of the port handling the call changes to "Idle." This state means that release transfer is successful.

Step 6 Confirm that, after the number of rings that the phone system is set to wait, the call is forwarded to Cisco Unity Connection and that you hear the greeting for the test user. Hearing the greeting means that the phone system forwarded the unanswered call and the call-forward information to Cisco Unity Connection, which correctly interpreted the information.

Step 7 On the Port Monitor, note which port handles this call.

Step 8 Leave a message for the test user and hang up Phone 2.

Step 9 In the Port Monitor, confirm that the state of the port handling the call changes to "Idle." This state means that the port was successfully released when the call ended.

Step 10 Confirm that the MWI on Phone 1 is activated. The activated MWI means that the phone system and Cisco Unity Connection are successfully integrated for turning on MWIs.


To Test Listening to Messages


Step 1 From Phone 1, enter the internal pilot number for Cisco Unity Connection.

Step 2 When asked for your password, enter the password for the test user. Hearing the request for your password means that the phone system sent the necessary call information to Cisco Unity Connection, which correctly interpreted the information.

Step 3 Confirm that you hear the recorded voice name for the test user (if you did not record a voice name for the test user, you will hear the extension number for Phone 1). Hearing the voice name means that Cisco Unity Connection correctly identified the user by the extension.

Step 4 Listen to the message.

Step 5 After listening to the message, delete the message.

Step 6 Confirm that the MWI on Phone 1 is deactivated. The deactivated MWI means that the phone system and Cisco Unity Connection are successfully integrated for turning off MWIs.

Step 7 Hang up Phone 1.

Step 8 On the Port Monitor, confirm that the state of the port handling the call changes to "Idle." This state means that the port was successfully released when the call ended.


To Set Up Supervised Transfer on Cisco Unity Connection


Step 1 In Cisco Unity Connection Administration, on the Edit Transfer Option page for the test user, in the Transfer Type field, click Supervise Transfer.

Step 2 In the Rings to Wait For field, enter 3.

Step 3 Click Save.

Step 4 Minimize the Cisco Unity Connection Administration window.

Do not close the Cisco Unity Connection Administration window because you will use it again in a later procedure.


To Test Supervised Transfer


Step 1 From Phone 2, enter the access code necessary to get an outside line, then enter the number outside callers use to dial directly to Cisco Unity Connection.

Step 2 On the Port Monitor, note which port handles this call.

Step 3 When you hear the opening greeting, enter the extension for Phone 1. Hearing the opening greeting means that the port is configured correctly.

Step 4 Confirm that Phone 1 rings and that you do not hear a ringback tone on Phone 2. Instead, you should hear the indication your phone system uses to mean that the call is on hold (for example, music).

Step 5 Leaving Phone 1 unanswered, confirm that the state of the port handling the call remains "Busy." This state and hearing an indication that you are on hold mean that Cisco Unity Connection is supervising the transfer.

Step 6 Confirm that, after three rings, you hear the greeting for the test user. Hearing the greeting means that Cisco Unity Connection successfully recalled the supervised-transfer call.

Step 7 During the greeting, hang up Phone 2.

Step 8 On the Port Monitor, confirm that the state of the port handling the call changes to "Idle." This state means that the port was successfully released when the call ended.

Step 9 Click Stop Polling.

Step 10 Exit RTMT.


If Cisco Unity Connection is set up for Cisco Unified CM authentication or encryption, do the following procedure.

To Test Cisco Unified CM Authentication and Encryption


Step 1 From Phone 1, dial the internal pilot number for Cisco Unity Connection.

Step 2 Confirm that the authentication icon and/or the encryption icon appear on the LCD of the phone.

Step 3 Hang up Phone 1.



Appendix: Cisco Unified Communications Manager Authentication and Encryption of Cisco Unity Connection Voice Messaging Ports


A potential point of vulnerability for a Cisco Unity Connection system is the connection between Cisco Unity Connection and Cisco Unified Communications Manager. Possible threats include:

Man-in-the-middle attacks (a process in which an attacker observes and modifies the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports)

Network traffic sniffing (a process in which an attacker uses software to capture phone conversations and signaling information that flow between Cisco Unified CM, the Cisco Unity Connection voice messaging ports, and IP phones that are managed by Cisco Unified CM)

Modification of call signaling between the Cisco Unity Connection voice messaging ports and Cisco Unified CM

Modification of the media stream between the Cisco Unity Connection voice messaging ports and the endpoint (for example, a phone or gateway)

Identity theft of the Cisco Unity Connection voice messaging port (a process in which a non-Cisco Unity Connection device presents itself to Cisco Unified CM as a Cisco Unity Connection voice messaging port)

Identity theft of the Cisco Unified CM server (a process in which a non-Cisco Unified CM server presents itself to Cisco Unity Connection voice messaging ports as a Cisco Unified CM server)

Cisco Unified CM Security Features

Cisco Unified CM can secure the connection with Cisco Unity Connection against these threats. The Cisco Unified CM security features that Cisco Unity Connection can take advantage of are described in Table 18.

Table 18 Cisco Unified CM Security Features That Are Used by Cisco Unity Connection 

Security Feature
Description

Signaling authentication

The process that uses the Transport Layer Security (TLS) protocol to validate that no tampering has occurred to signaling packets during transmission. Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.

Modification of the call signaling.

Identity theft of the Cisco Unity Connection voice messaging port.

Identity theft of the Cisco Unified CM server.

Device authentication

The process that validates the identity of the device and ensures that the entity is what it claims to be. This process occurs between Cisco Unified CM and Cisco Unity Connection voice messaging ports when each device accepts the certificate of the other device. When the certificates are accepted, a secure connection between the devices is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.

Modification of the media stream.

Identity theft of the Cisco Unity Connection voice messaging port.

Identity theft of the Cisco Unified CM server.

Signaling encryption

The process that uses cryptographic methods to protect (through encryption) the confidentiality of all SCCP signaling messages that are sent between the Cisco Unity Connection voice messaging ports and Cisco Unified CM. Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and so on are protected against unintended or unauthorized access.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that observe the information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.

Network traffic sniffing that observes the signaling information flow between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.

Media encryption

The process that protects the confidentiality of the media through cryptographic procedures. This process uses Secure Real-Time Transport Protocol (SRTP) as defined in IETF RFC 3711, and ensures that only the intended recipient can interpret the media streams between Cisco Unity Connection voice messaging ports and the endpoint (for example, a phone or gateway). Support includes audio streams only. Media encryption includes creating a media master key pair for the devices, delivering the keys to Cisco Unity Connection and the endpoint, and securing the delivery of the keys while the keys are in transport. Cisco Unity Connection and the endpoint use the keys to encrypt and decrypt the media stream.

Impact on Threats: This feature protects against:

Man-in-the-middle attacks that listen to the media stream between Cisco Unified CM and the Cisco Unity Connection voice messaging ports.

Network traffic sniffing that eavesdrops on phone conversations that flow between Cisco Unified CM, the Cisco Unity Connection voice messaging ports, and IP phones that are managed by Cisco Unified CM.


Authentication and signaling encryption serve as the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur.


Note Cisco Unified CM authentication and encryption protect only calls to Cisco Unity Connection. Messages recorded on the message store are not protected by the Cisco Unified CM authentication and encryption features.


Functional Overview

The security features (authentication and encryption) between Cisco Unity Connection and Cisco Unified CM require the following:

A Cisco Unified CM CTL file that lists all Cisco Unified CM servers that are entered in Cisco Unity Connection Administration for secure clusters.

A Cisco Unity Connection server root certificate for each Cisco Unity Connection server that uses authentication and/or encryption. A root certificate is valid for 20 years from the time it was created.

Cisco Unity Connection voice messaging port device certificates that are rooted in the Cisco Unity Connection server root certificate and that the voice messaging ports present when registering with the Cisco Unified CM server.

The process of authentication and encryption of Cisco Unity Connection voice messaging ports is as follows:

1. Each Cisco Unity Connection voice messaging port connects to the TFTP server, downloads the CTL file, and extracts the certificates for all Cisco Unified CM servers.

2. Each Cisco Unity Connection voice messaging port establishes a network connection to the Cisco Unified CM TLS port. By default, the TLS port is 2443, though the port number is configurable.

3. Each Cisco Unity Connection voice messaging port establishes a TLS connection to the Cisco Unified CM server, at which time the device certificate is verified and the voice messaging port is authenticated.

4. Each Cisco Unity Connection voice messaging port registers with the Cisco Unified CM server, specifying whether the voice messaging port will also use media encryption.

Behavior for Calls

When a call is made between Cisco Unity Connection and Cisco Unified CM, the call-signaling messages and the media stream are handled in the following manner:

If both end points are set for encrypted mode, the call-signaling messages and the media stream are encrypted.

If one end point is set for authenticated mode and the other end point is set for encrypted mode, the call-signaling messages are authenticated, but neither the call-signaling messages nor the media stream is encrypted.

If one end point is set for non-secure mode and the other end point is set for encrypted mode, neither the call-signaling messages nor the media stream is encrypted.

Requirements

Cisco Unified CM security features for voice messaging ports have the following requirements:

Cisco Unified Communications Manager Server

A license that enables the applicable number of voice messaging ports.

Two secure tokens, installed.

In Cisco Unified CM Administration, on the System > Enterprise Parameters Configuration page, under Security Parameters, the Cluster Security Mode parameter set to 1 (enabled).

For instructions, refer to the "Configuring the Cisco CTL Client" chapter of the Cisco Unified Communications Manager Security Guide at http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html.

In Cisco Unified Serviceability, on the Tools > Control Center - Feature Services page, under CM Services, the Cisco CallManager and Cisco Tftp services restarted.

A phone security profile with the device security mode set to the same security mode as the Cisco Unified CM ports and the Cisco Unity Connection ports.

On the Device > Phone > Phone Configuration page for the applicable phones:

Under Protocol Specific Information, the Device Security Profile field set to the applicable phone security profile.

Under Certification Authority Proxy Function (CAPF) Information, the Certification Operation field set to Install/Upgrade.

The Cisco Unified CM ports set to the same security mode as the applicable phones and the Cisco Unity Connection ports.

The Cisco Unity Connection root certificate uploaded to all Cisco Unified CM servers in all clusters.

Cisco IP Phones

The individual (physical) phones with the following settings on the Settings > Security Configuration screen:

Security Mode set to the same security mode as the Cisco Unified CM ports and the Cisco Unity Connection ports.

MIC set to Installed.

LCS set to Installed.

Cisco Unity Connection Server

A license that enables the applicable number of voice messaging ports.

The Cisco Unity Connection ports set to the same security mode as the Cisco Unified CM ports and the applicable phones.

For instructions, see the applicable chapter in this guide.

Security Mode Settings in Cisco Unity Connection

The Security Mode settings in Cisco Unity Connection Administration determine how the ports handle call-signaling messages and whether encryption of the media stream is possible. Table 19 describes the effect of the Security Mode settings on the Telephony Integrations > Port > Port Basics page for each port.

Table 19 Security Mode Settings for Voice Messaging Ports

Setting: Non-secure
Effect: The integrity and privacy of call-signaling messages will not be ensured because call-signaling messages will be sent as clear (unencrypted) text and will be connected to Cisco Unified CM through a non-authenticated port rather than an authenticated TLS port. In addition, the media stream cannot be encrypted.

Setting: Authenticated
Effect: The integrity of call-signaling messages will be ensured because they will be connected to Cisco Unified CM through an authenticated TLS port. However, the privacy of call-signaling messages will not be ensured because they will be sent as clear (unencrypted) text. In addition, the media stream will not be encrypted.

Setting: Encrypted
Effect: The integrity and privacy of call-signaling messages will be ensured because they will be connected to Cisco Unified CM through an authenticated TLS port, and the call-signaling messages will be encrypted. In addition, the media stream can be encrypted.


Caution: Both end points must be registered in encrypted mode for the media stream to be encrypted. When one end point is set for non-secure or authenticated mode and the other end point is set for encrypted mode, the media stream will not be encrypted. Also, if an intervening device (such as a transcoder or gateway) is not enabled for encryption, the media stream will not be encrypted.

Disabling and Re-Enabling Security

The authentication and encryption features between Cisco Unity Connection and Cisco Unified CM can be disabled by changing the Security Mode for Cisco Unified CM to Non Secure, and by changing the applicable settings in Cisco Unified CM Administration.

Authentication and encryption can be re-enabled by changing the Security Mode to Authenticated or Encrypted.


Note: After disabling or re-enabling authentication and encryption, it is not necessary to export the Cisco Unity Connection server root certificate and copy it to Cisco Unified CM.


Settings for Individual Voice Messaging Ports

For troubleshooting purposes, authentication and encryption for Cisco Unity Connection voice messaging ports can be individually enabled and disabled. At all other times, we recommend that the Security Mode setting for all individual voice messaging ports in a Cisco Unified CM port group be the same.
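The outcomes described under Behavior for Calls and in Table 19, and the recommendation that all ports in a port group share one Security Mode, can be checked against a port inventory. The following Python is an added example, not Cisco code: the port names, the inventory format and the function names are hypothetical, and it assumes that the weaker of the two end-point modes decides the outcome, which reproduces the three combinations this guide lists and extends the rule to the combinations it does not list.

```python
from enum import IntEnum
from typing import NamedTuple

class Mode(IntEnum):
    # Ordered weakest to strongest; names follow Table 19.
    NON_SECURE = 0
    AUTHENTICATED = 1
    ENCRYPTED = 2

class CallSecurity(NamedTuple):
    signaling_authenticated: bool
    signaling_encrypted: bool
    media_encrypted: bool

def call_security(a, b, intervening_encrypt=()):
    """Outcome for a call between end points set to modes a and b.

    intervening_encrypt holds one bool per transcoder or gateway in the
    media path: True if that device is enabled for encryption.
    Assumption: the weaker mode decides the outcome.
    """
    weakest = min(a, b)
    encrypted = weakest == Mode.ENCRYPTED
    return CallSecurity(
        signaling_authenticated=weakest >= Mode.AUTHENTICATED,
        signaling_encrypted=encrypted,
        media_encrypted=encrypted and all(intervening_encrypt),
    )

def audit_port_group(ports, peer_mode):
    """Map each port whose mode differs from peer_mode (the mode set on the
    Cisco Unified CM ports and phones) to the call outcome it would get."""
    return {name: call_security(mode, peer_mode)
            for name, mode in sorted(ports.items()) if mode != peer_mode}

# Constructed inventory (hypothetical port names): two ports were left in
# weaker modes after troubleshooting.
SAMPLE_PORTS = {
    "vm-port-1": Mode.ENCRYPTED,
    "vm-port-2": Mode.ENCRYPTED,
    "vm-port-3": Mode.AUTHENTICATED,
    "vm-port-4": Mode.NON_SECURE,
}

if __name__ == "__main__":
    for name, outcome in audit_port_group(SAMPLE_PORTS, Mode.ENCRYPTED).items():
        print(name, outcome)
```

Any port the audit returns would carry calls with an unencrypted media stream even though the rest of the group is set to Encrypted.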


Appendix: Documentation and Technical Assistance


Conventions

The Cisco Unified Communications Manager SCCP Integration Guide for Cisco Unity Connection in Cisco Unified CMBE 6.x uses the following conventions.

Table 20 Cisco Unified Communications Manager SCCP Integration Guide for Cisco Unity Connection in Cisco Unified CMBE 6.x Conventions

Convention: boldfaced text
Description: Boldfaced text is used for:

Key and button names. (Example: Click OK.)

Information that you enter. (Example: Enter Administrator in the User Name box.)

Convention: < > (angle brackets)
Description: Angle brackets are used around parameters for which you supply a value. (Example: In the Command Prompt window, enter ping <IP address>.)

Convention: - (hyphen)
Description: Hyphens separate keys that must be pressed simultaneously. (Example: Press Ctrl-Alt-Delete.)

Convention: > (right angle bracket)
Description: A right angle bracket is used to separate selections that you make:

On menus. (Example: On the Windows Start menu, click Programs > Cisco Unified Serviceability > Real-Time Monitoring Tool.)

In the navigation bar of Cisco Unity Connection Administration. (Example: In Cisco Unity Connection Administration, expand System Settings > Advanced.)

Convention: [x] (square brackets)
Description: Square brackets enclose an optional element (keyword or argument). (Example: [reg-e164])

Convention: [x | y] (vertical line)
Description: Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice. (Example: [transport tcp | transport udp])

Convention: {x | y} (braces)
Description: Braces enclosing keywords or arguments separated by a vertical line indicate a required choice. (Example: {tcp | udp})


The Cisco Unified Communications Manager SCCP Integration Guide for Cisco Unity Connection in Cisco Unified CMBE 6.x also uses the following conventions:


Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the document.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

For descriptions and URLs of Cisco Unity Connection documentation on Cisco.com, see the Documentation Guide for Cisco Unity Connection. The document is shipped with Cisco Unity Connection and is available at http://www.cisco.com/en/US/products/ps6509/products_documentation_roadmaps_list.html.

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

