Configuring Secure SCCP Analog Endpoints over TLS with Cisco Unified Communications Manager
First Published: November 19, 2010
This module describes how Secure Skinny Client Control Protocol (SCCP) enhances the security of SCCP telephony control application (STCAPP) Foreign Exchange Station (FXS) analog endpoints through secure signaling and media encryption using Transport Layer Security (TLS). This feature is supported only for analog SCCP endpoints that are controlled by Cisco Unified Communications Manager (Cisco Unified CM).
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the “Feature Information for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM” section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
- Prerequisites for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
- Restrictions for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
- Benefits of Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
- Information About Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
- How to Configure Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
- Configuration Examples for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
- Additional References
- Feature Information for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
Prerequisites for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
Secure SCCP Analog Endpoints over TLS with Cisco Unified CM requires the following:
- Cisco IOS Release 15.1(3)T or a later version
- Cisco voice gateway is set up and configured for operation. For information, see the appropriate Cisco configuration documentation.
- Analog FXS voice ports are set up and configured for operation. For information, see Cisco IOS Voice Port Configuration Guide.
- SCCP and the STCAPP are enabled on the Cisco voice gateway. For configuration information, see Configuring FXS Ports for Basic Calls.
Restrictions for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
- Cisco ISR 1861/2801/2811/2821/2851/3825/3845
Benefits of Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
Secure SCCP enhances STCAPP FXS analog endpoints with signaling integrity and media encryption, using TLS and Secure Real-time Transport Protocol (SRTP) with Cisco Unified CM.
This feature provides parity with incumbent time-division multiplexing systems.
Information About Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
To enable SCCP supplementary features on analog phones connected to FXS ports on a Cisco voice gateway, you should understand the following concept:
Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
In a nonsecure Cisco Unified CM-gateway environment, the SCCP connection between the Cisco Unified CM and the Cisco IOS Voice Gateway is established over a TCP connection on port 2000, and media between the gateway and the Cisco Unified CM is carried as plain RTP. Because neither connection is encrypted, an attacker can disrupt call signaling or eavesdrop on the media stream.
The Secure SCCP over TLS feature enhances the security of STCAPP endpoints by using the existing Cisco IOS Public Key Infrastructure (PKI) to manage security certificates on Cisco IOS Voice Gateways and to connect securely to the Cisco Unified CM.
This feature aims to provide call signaling integrity and media encryption in the IP telephony environment through the following:
- SCCP signaling authentication, integrity, and encryption using TLS
- Dynamic, secure SCCP signaling per media channel, which complements the secure media provided by SRTP and avoids the complexity of setting up static IPsec tunnels (securing signaling through an IPsec tunnel is complex to configure in large-scale deployments)
Signaling can be secured by implementing a secure TLS connection between multiple IOS SCCP Analog Voice Gateways and the Cisco Unified CM through the following steps:
- Establish an identity for the STCAPP by getting a digital security certificate (that contains public keys used for encryption and digital signatures) from a root Certificate Authority (CA) server used by both the Cisco Unified CM and the STCAPP.
Note Since the gateway runs Cisco IOS with a PKI subsystem, there is no need for the Certificate Authority Proxy Function (CAPF) proxy to issue certificates. For Cisco Unified CM, any third-party CA that supports standards based on the Simple Certificate Enrollment Protocol (SCEP), or a dedicated Cisco IOS router, can act as the CA server. The Cisco Unified CM can also obtain a certificate from the Cisco IOS CA server using its built-in support for manually requesting and importing certificates from external CAs. Each Cisco IOS Voice Gateway receives its own security certificate from the Cisco IOS CA server through PKI autoprovisioning, which allows large-scale deployments.
- Establish an identity for the gateway and Cisco Unified CM by getting a certificate from the same root CA. The TLS uses a standard handshake with mutual authentication. The gateway and the Cisco Unified CM authenticate each other by exchanging and validating the certificates during the TLS handshake. In addition to the standard TLS handshake, the Cisco Unified CM also examines the device name or MAC address from the gateway’s certificate Subject field.
Note Registration is rejected and an error message indicating a mismatch in the configuration is received when a secure gateway attempts to register with a nonsecure Cisco Unified CM or a nonsecure gateway attempts to register with a secure Cisco Unified CM.
Theoretically, up to 24 certificates could be issued, one for each of the 24 analog phones on the Cisco VG224 Voice Gateway. However, only one certificate is issued to a single VG224 box, and all the analog phones share this certificate when establishing the TLS connection to the Cisco Unified CM. The reasons for this are:
Media protection by SRTP
SRTP is used to encrypt the media streams from one end to the other for IP endpoints. For media encryption, the two analog endpoints controlled by the Cisco Unified CM exchange keys used to encrypt and decrypt the media packets. The transmitting end has a key (tx key) used to encrypt the packets, and the receiving end has a corresponding key (rx key) required to decrypt them. To decrypt the packets properly, the receiving end’s rx key must match the transmitter’s tx key.
Security keys generation and the distribution
The security keys are generated at the Cisco Unified CM and distributed to the SCCP analog endpoints as part of the SCCP signaling messages over the TLS protocol.
Media security through digital signal processor (DSP) programming using security keys
The SCCP FXS analog endpoints using the PVDM2 and PVDM3 packet voice DSP modules are supported.
To achieve media security through SRTP between secure-capable endpoints, the SRTP keys are exchanged before the media actually starts and before the commands are sent to the endpoints.
The DSP is programmed by the Cisco IOS to use SRTP after the DSP is put in voice mode. A DSP channel (associated with a call leg) toggles from secure to nonsecure modes and vice versa when supplementary services are used. The DSP is reprogrammed based on the instructions from the application. The reprogramming of the DSP occurs after the DSP is reset and put in voice mode.
How to Configure Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
Note This document does not contain details about configuring Cisco Unified CM or an IOS CA server. See the documentation for these products for installation and configuration instructions.
To enable dynamic, secure SCCP signaling to complement secure media through SRTP on a Cisco voice gateway connected to a Cisco Unified CM, perform the following tasks:
- Creating a Trustpoint on a Cisco IOS Voice Gateway
- Configuring Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
Creating a Trustpoint on a Cisco IOS Voice Gateway
To create a security trustpoint on a Cisco IOS gateway, perform the following steps:
Note When using the Cisco VG 3xx Series voice gateways (VG 310, VG 320, VG 350), activate the securityK9 license to enable secure SRTP calls.
SUMMARY STEPS
3. crypto pki trustpoint label
DETAILED STEPS
Configuring Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
Note This document does not contain details about configuring STCAPP. For more information, see the “Enabling SCCP on the Voice Gateway” section.
To configure secure SCCP analog endpoints, perform the following steps on the Cisco IOS voice gateway:
SUMMARY STEPS
3. stcapp security trustpoint line
4. stcapp security mode { authenticated | encrypted | none }
DETAILED STEPS
Configuration Examples for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
This section provides the following configuration examples:
Example: Configuring a Cisco IOS CA Server
The following example shows how to configure a Cisco IOS CA server, where the IP address of the CA server is entered as the enrollment url:
Example: Configuring a Cisco IOS VG224 Voice Gateway
The following example shows how to configure a Cisco IOS VG224 Voice Gateway, where the IP address of the CA server is entered as the enrollment url:
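The following is an added configuration example, not one of the document's own, showing a Cisco IOS CA server and a VG224 gateway configured according to the trustpoint and stcapp security steps above. The hostnames, the 192.0.2.10 CA address, the trustpoint and key labels, and the certificate CN are constructed assumptions.

```cisco
! ===== Cisco IOS CA server (constructed; hostname and address are assumptions) =====
hostname IOS-CA
! SCEP enrollment requests from the gateways arrive over HTTP
ip http server
crypto pki server SCCP-CA
 database level complete
 issuer-name CN=SCCP-CA
 lifetime ca-certificate 1095
 lifetime certificate 365
 ! grant auto signs every enrollment request without operator review;
 ! suitable for a controlled lab, not for a production CA
 grant auto
 no shutdown
!
! ===== Cisco VG224 voice gateway (constructed; assumes the SCCP and STCAPP basics
! from the prerequisites are already configured) =====
hostname VG224-1
ip domain name example.com
! RSA key pair that backs the gateway certificate
crypto key generate rsa general-keys label SCCP-KEYS modulus 2048
! Trustpoint: the CA server's IP address is the enrollment url (step 3 above)
crypto pki trustpoint SCCP-TP
 enrollment url http://192.0.2.10:80
 ! Cisco Unified CM checks the device name or MAC address in the Subject field,
 ! so the CN must be the device name the CM expects for this gateway (assumed here)
 subject-name CN=VG224-1
 ! the lab CA above publishes no CRL; in production point this at a reachable CRL
 revocation-check none
 rsakeypair SCCP-KEYS
!
! Fetch and verify the CA certificate, then enroll for the gateway certificate
! (both commands prompt interactively to confirm the CA fingerprint / request)
crypto pki authenticate SCCP-TP
crypto pki enroll SCCP-TP
!
! Bind STCAPP to the trustpoint and require TLS signaling with SRTP media
stcapp security trustpoint SCCP-TP
stcapp security mode encrypted
!
! Verification (exec mode): certificate chain present, endpoints registered
! show crypto pki certificates SCCP-TP
! show stcapp device summary
```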
Feature Information for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 15.1(3)T or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the “Supplementary Services Features Roadmap” section.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Secure SCCP Analog Endpoints over TLS with Cisco Unified CM