-
Cisco Unified CallManager Security Guide, Release 5.1(3)
-
Index
-
Preface
-
Security Overview
-
Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
-
Configuring the Cisco CTL Client
-
Phone Security Overview
-
Configuring a Phone Security Profile
-
Using the Certificate Authority Proxy Function
-
Configuring Encrypted Phone Configuration Files
-
Configuring Digest Authentication for the SIP Phone
-
Phone Hardening
-
Configuring Voice-Messaging Ports for Security
-
Configuring Authentication and Encryption for CTI, JTAPI, and TAPI
-
Configuring a Secure Survivable Remote Site Telephony (SRST) Reference
-
Configuring Encryption for Gateways and Trunks
-
Configuring a SIP Trunk Security Profile
-
Configuring Digest Authentication for the SIP Trunk
-
Feedback
Table Of Contents
Understanding How Security Works for Phones
Viewing Security Settings on the Phone
Phone Security Configuration Checklist
Where to Find More Information
Phone Security Overview
This chapter contains information on the following topics:
•
Understanding How Security Works for Phones
•
•
•
Understanding How Security Works for Phones
At installation of Cisco Unified CallManager, the Cisco Unified CallManager cluster boots up in nonsecure mode. When the phones boot up after the Cisco Unified CallManager installation, all devices register as nonsecure with Cisco Unified CallManager.
After you upgrade from Cisco Unified CallManager 4.0(1) or a later release, the phones boot up in the device security mode that you enabled prior to the upgrade; all devices register by using the chosen security mode.
The Cisco Unified CallManager 5.1 installation creates a self-signed certificate on Cisco Unified CallManager and TFTP servers. You may also choose to use a third-party, CA-signed certificate for Cisco Unified CallManager instead of the self-signed certificate. After you configure authentication, Cisco Unified CallManager uses the certificate to authenticate with supported Cisco Unified IP Phones. After a certificate exists on the Cisco Unified CallManager and TFTP servers, Cisco Unified CallManager does not reissue the certificates during each Cisco Unified CallManager upgrade. You must create a new CTL file with the new certificate entries.
Tip
Cisco Unified CallManager maintains the authentication and encryption status at the device level. If all devices that are involved in the call register as secure, the call status registers as secure. If one device registers as nonsecure, the call registers as nonsecure, even if the phone of the caller or recipient registers as secure.
Cisco Unified CallManager retains the authentication and encryption status of the device when a user uses Cisco Extension Mobility. Cisco Unified CallManager also retains the authentication and encryption status of the device when shared lines are configured.
Tip
Supported Phone Models
This security document does not list the security features that are supported on your Cisco Unified IP Phone. For a list of security features that are supported on your phone, refer to the phone administration and user documentation that supports this Cisco Unified CallManager release or the firmware documentation that supports your firmware load.
Although you may be able to configure the security features in Cisco Unified CallManager Administration, the features may not work until you install a compatible firmware load on the Cisco TFTP server.
Viewing Security Settings on the Phone
You can configure and view certain security-related settings on phones that support security; for example, you can view whether a phone has a locally significant certificate or manufacture-installed certificate installed. For additional information on the security menu and icons, refer to the Cisco Unified IP Phone administration and user documentation that supports your phone model and this version of Cisco Unified CallManager.
When Cisco Unified CallManager classifies a call as authenticated or encrypted, an icon displays on the phone to indicate the call state. To determine when Cisco Unified CallManager classifies the call as authenticated or encrypted, refer to the "Security Icons" section and the"Interactions and Restrictions" section.
Phone Security Configuration Checklist
Table 4-1 describes the tasks to configure security for supported phones.
Table 4-1 Phone Security Configuration Checklist
Step 1
If you have not already done so, configure the Cisco CTL Client and ensure that the cluster security mode equals Mixed Mode.
Step 2
If the phone does not contain a locally significant certificate (LSC) or manufacture-installed certificate (MIC), install a LSC by using the Certificate Authority Proxy Function (CAPF).
Step 3
Configure phone security profiles.
Step 4
Apply a phone security profile to the phone.
Step 5
If a SIP phone supports digest authentication, configure the digest credentials in the End User window in Cisco Unified CallManager Administration.
•
Step 6
After you configure digest credentials, choose the Digest User from the Phone Configuration window in Cisco Unified CallManager Administration.
Configuring the Digest User in the Phone Configuration Window
Step 7
On Cisco Unified IP Phone 7960 or 7940 (SIP only), enter the digest authentication username and password (digest credentials) that you configured in the End User Configuration window.
The Cisco Unified CallManager Security Guide does not provide procedures on how to enter the digest authentication credentials on the phone. For information on how to perform this task, refer to the Cisco Unified IP Phone administration guide that supports your phone model and this version of Cisco Unified CallManager.
Step 8
Encrypt the phone configuration file, if the phone supports this functionality.
Step 9
To harden the phone, disable phone settings in Cisco Unified CallManager Administration.
Where to Find More Information
Related Topics
•
•
•
•
•
•
•
Related Cisco Documentation
•
•
