CTL Provider
Use the CTL Provider option to configure the Certificate Trust List provider service.
The CTL Provider pane lets you define and configure the Certificate Trust List provider service to enable inspection of encrypted traffic.
Fields
- CTL Provider Name—Lists the CTL Provider name.
- Client Details—Lists the name and IP address of the client.
  – Interface Name—Lists the defined interface name.
  – IP Address—Lists the defined interface IP address.
- Certificate Name—Lists the certificate to be exported.
- Add—Adds a CTL Provider.
- Edit—Edits a CTL Provider.
- Delete—Deletes a CTL Provider.
Add/Edit CTL Provider
The Add/Edit CTL Provider dialog box lets you define the parameters for the CTL Provider.
Fields
- CTL Provider Name—Specifies the CTL Provider name.
- Certificate to be Exported—Specifies the certificate to be exported to the client.
  – Certificate Name—Specifies the name of the certificate to be exported to the client.
  – Manage—Manages identity certificates.
- Client Details—Specifies the clients allowed to connect.
  – Client to be Added—Specifies the client interface and IP address to add to the client list.
    Interface—Specifies the client interface.
    IP Address—Specifies the client IP address.
    Add—Adds the new client to the client list.
    Delete—Deletes the selected client from the client list.
- More Options—Specifies the available and active algorithms to be announced or matched during the TLS handshake.
  – Parse the CTL file provided by the CTL Client and install trustpoints—Trustpoints installed by this option have names prefixed with “_internal_CTL_”. If this option is disabled, each Call Manager server certificate and CAPF certificate must be imported and installed manually.
  – Port Number—Specifies the port on which the CTL provider listens. The port must be the same as the one the CallManager servers in the cluster listen on (as configured under Enterprise Parameters on the CallManager administration page). The default is 2444.
  – Authentication—Specifies the username and password with which the client authenticates to the provider.
    Username—Client username.
    Password—Client password.
    Confirm Password—Client password, entered again for confirmation.
Configure TLS Proxy Pane
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
You can configure the TLS Proxy from the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Configuring a TLS Proxy lets you use the TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and enable the ASA for the Cisco Unified Communications features:
- TLS Proxy for the Cisco Unified Presence Server (CUPS), part of Presence Federation
- TLS Proxy for the Cisco Unified Mobility Advantage (CUMA) server, part of Mobile Advantage
- Phone Proxy
Fields
- TLS Proxy Name—Lists the TLS Proxy name.
- Server Proxy Certificate—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.
- Local Dynamic Certificate Issuer—Lists the local certificate authority that issues client or server dynamic certificates.
- Client Proxy Certificate—Lists the proxy certificate for the TLS client. The ASA uses the client proxy certificate to authenticate the TLS client during the handshake between the proxy and the TLS client. The certificate can be self-signed, enrolled with a certificate authority, or issued by a third party.
- Add—Adds a TLS Proxy by launching the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance for the steps to create a TLS Proxy instance.
- Edit—Edits a TLS Proxy. The fields in the Edit panel are identical to the fields displayed when you add a TLS Proxy instance. See Edit TLS Proxy Instance – Server Configuration and Edit TLS Proxy Instance – Client Configuration.
- Delete—Deletes a TLS Proxy.
- Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.
  – Specify the maximum number of TLS Proxy sessions that the ASA needs to support.
  – Maximum number of sessions—The minimum is 1. The maximum depends on the platform:
    Cisco ASA 5505 security appliance: 10
    Cisco ASA 5510 security appliance: 100
    Cisco ASA 5520 security appliance: 300
    Cisco ASA 5540 security appliance: 1000
    Cisco ASA 5550 security appliance: 2000
    Cisco ASA 5580 security appliance: 4000
Note The maximum number of sessions is global to all TLS proxy sessions.
Adding a TLS Proxy Instance
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.
This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 2 To add a new TLS Proxy Instance, click Add.
The Add TLS Proxy Instance Wizard opens.
Step 3 In the TLS Proxy Name field, type the TLS Proxy name.
Step 4 Click Next.
The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens. In this step of the wizard, configure the server proxy parameters for original TLS Server—the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage (CUMA) server. See Add TLS Proxy Instance Wizard – Server Configuration.
After configuring the server proxy parameters, the wizard guides you through configuring client proxy parameters (see Add TLS Proxy Instance Wizard – Client Configuration) and provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps).
Add TLS Proxy Instance Wizard – Server Configuration
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.
The Add TLS Proxy Instance Wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 1 Complete the first step of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance.
The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens.
Step 2 Specify the server proxy certificate by doing one of the following:
- To add a new certificate, click Manage. The Manage Identity Certificates dialog box opens.
  When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identity Certificates dialog box. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.
- To select an existing certificate, select one from the drop-down list.
  When you are configuring the TLS Proxy for the Phone Proxy, select the certificate whose name begins with _internal_PP_. When you create the CTL file for the Phone Proxy, the ASA creates an internal trustpoint that the Phone Proxy uses to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.
The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example, for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with the IP phones.
Step 3 To install the TLS server certificate in the ASA trust store, so that the ASA can authenticate the TLS server during the TLS handshake between the proxy and the TLS server, click Install TLS Server’s Certificate.
The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section in the general operations configuration guide. Click Add to open the Install Certificate dialog box. See the “Adding or Installing a CA Certificate” section in the general operations configuration guide.
When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP phones on behalf of the CUCM server.
Step 4 To require the ASA to present a certificate and authenticate the TLS client during TLS handshake, check the Enable client authentication during TLS Proxy handshake check box.
When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), disable the check box when the client is incapable of sending a client certificate.
Step 5 Click Next.
The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens. In this step of the wizard, configure the client proxy parameters for original TLS Client—the CUMC client for Mobile Advantage, CUP or MS LCS/OCS client for Presence Federation, or the IP phone for the Phone Proxy. See Add TLS Proxy Instance Wizard – Client Configuration.
After configuring the client proxy parameters, the wizard provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps).
Add TLS Proxy Instance Wizard – Client Configuration
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.
This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 1 Complete the first two steps of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance and Add TLS Proxy Instance Wizard – Server Configuration.
The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.
Step 2 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option when the client proxy certificate is used between two servers; for example, when configuring the TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), the TLS client and the TLS server are both servers.
a. Check the Specify the proxy certificate for the TLS Client... check box.
b. Select a certificate from the drop-down list.
Or
To create a new client proxy certificate, click Manage. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.
Note When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate authority to issue client or server dynamic certificates.
Step 3 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS clients.
a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.
b. Click the Certificates radio button and select a self-signed certificate from the drop-down list, or click Manage to create a new LDC Issuer. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.
Or
Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using the Local CA” section in the general operations configuration guide.
Note To make configuration changes after the local certificate authority has been configured for the first time, disable the local certificate authority.
c. In the Key-Pair Name field, select a key pair from the drop-down list. The list contains the already defined RSA key pairs used by client dynamic certificates. To see the key pair details, including generation time, usage, modulus size, and key data, click Show.
Or
To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide for details about the Key Pair fields.
Step 4 In the Security Algorithms area, specify the available and active algorithms to be announced or matched during the TLS handshake.
- Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
  Add—Adds the selected algorithm to the active list.
  Remove—Removes the selected algorithm from the active list.
- Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For the client proxy (acting as a TLS client to the server), the user-defined algorithms replace the original ones from the hello message, so the two TLS legs can use different cipher suites. For example, the leg between the proxy and Call Manager may use the NULL cipher to offload the Call Manager.
  Move Up—Moves an algorithm up in the list.
  Move Down—Moves an algorithm down in the list.
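As an added example that is not part of this guide and not Cisco's code, the following Python script audits a constructed ASA-style configuration against three settings described above: the per-platform Maximum Sessions ceilings, the weak entries (null-sha1 and des-sha1) in the Security Algorithms list, and the CTL Provider port and CTL-parsing option. The command forms in the sample (tls-proxy NAME / client cipher-suite, tls-proxy maximum-session N, ctl-provider NAME / service port N / ctl install) are an assumed rendering of the ASDM fields as CLI lines, and every value in the sample is constructed, not taken from a real device.

```python
"""Audit ASA TLS Proxy / CTL Provider settings against the limits on this page.

Added example, not Cisco's code. The sample config below is constructed, and
the command forms it uses are an assumed rendering of the ASDM fields
described on this page as ASA CLI lines.
"""
import re

# Per-platform ceilings from the Maximum Sessions table on this page.
PLATFORM_MAX_SESSIONS = {
    "ASA5505": 10, "ASA5510": 100, "ASA5520": 300,
    "ASA5540": 1000, "ASA5550": 2000, "ASA5580": 4000,
}
# The five suites the Security Algorithms list offers; null-sha1 gives no
# confidentiality and des-sha1 is single DES, so both are flagged.
KNOWN_SUITES = {"des-sha1", "3des-sha1", "aes128-sha1", "aes256-sha1", "null-sha1"}
WEAK_SUITES = {"null-sha1", "des-sha1"}
DEFAULT_CTL_PORT = 2444  # default CTL provider port stated on this page

# Constructed sample; names, addresses and values are illustrative only.
SAMPLE_CONFIG = """\
tls-proxy maximum-session 500
tls-proxy cucm_proxy
 server trust-point cucm_proxy_cert
 client ldc issuer ldc_server
 client cipher-suite aes128-sha1 aes256-sha1
tls-proxy offload_proxy
 server trust-point cucm_proxy_cert
 client cipher-suite null-sha1 aes128-sha1
ctl-provider my_ctl
 client interface inside address 192.0.2.10
 export certificate cucm_proxy_cert
 service port 2445
ctl-provider legacy_ctl
 client interface inside address 192.0.2.11
 export certificate cucm_proxy_cert
 ctl install
"""


def parse_config(text):
    """Return (max_sessions, tls_proxies, ctl_providers) from config text.

    Sub-commands are the indented lines that follow a 'tls-proxy NAME' or
    'ctl-provider NAME' header line (assumed layout).
    """
    max_sessions = None
    proxies, ctls = {}, {}
    current = None  # dict for the stanza currently being filled
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.fullmatch(r"tls-proxy maximum-session (\d+)", line)
        if m:
            max_sessions = int(m.group(1))
            current = None
            continue
        m = re.fullmatch(r"(tls-proxy|ctl-provider) (\S+)", line)
        if m:
            kind, name = m.groups()
            current = {"ciphers": [], "ctl_install": False, "port": DEFAULT_CTL_PORT}
            (proxies if kind == "tls-proxy" else ctls)[name] = current
            continue
        if current is None or not line.startswith(" "):
            continue
        sub = line.strip()
        if sub.startswith("client cipher-suite "):
            current["ciphers"] = sub.split()[2:]
        elif sub == "ctl install":
            current["ctl_install"] = True
        elif sub.startswith("service port "):
            current["port"] = int(sub.split()[2])
    return max_sessions, proxies, ctls


def audit(text, platform):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    max_sessions, proxies, ctls = parse_config(text)
    ceiling = PLATFORM_MAX_SESSIONS[platform]
    if max_sessions is not None and not 1 <= max_sessions <= ceiling:
        findings.append(
            f"maximum-session {max_sessions} is outside 1..{ceiling} for {platform}")
    for name, cfg in proxies.items():
        for suite in cfg["ciphers"]:
            if suite not in KNOWN_SUITES:
                findings.append(f"{name}: unknown cipher suite {suite}")
            elif suite in WEAK_SUITES:
                findings.append(f"{name}: weak cipher suite {suite} on the client leg")
    for name, cfg in ctls.items():
        if cfg["port"] != DEFAULT_CTL_PORT:
            findings.append(
                f"{name}: service port {cfg['port']} is not the default "
                f"{DEFAULT_CTL_PORT}; confirm it matches the CallManager cluster")
        if not cfg["ctl_install"]:
            findings.append(
                f"{name}: CTL parsing disabled; CallManager and CAPF certificates "
                "must be imported manually")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "ASA5520"):
        print(finding)
```

Run against the sample on an ASA 5520 (ceiling 300) the audit reports four findings: the session limit above the platform ceiling, the NULL cipher on offload_proxy, and the non-default port and disabled CTL parsing on my_ctl. A non-default port is reported for confirmation rather than as an error, because the page only requires it to match the cluster's Enterprise Parameters setting.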
Step 5 Click Next.
The Add TLS Proxy Instance Wizard – Other Steps dialog box opens. The Other Steps dialog box provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps).
Add TLS Proxy Instance Wizard – Other Steps
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
The last dialog box of the Add TLS Proxy Instance Wizard specifies the additional steps required to make TLS Proxy fully functional. In particular, you need to perform the following tasks to complete the TLS Proxy configuration:
- Export the local CA certificate or LDC Issuer and install them on the original TLS server.
  To export the LDC Issuer, go to Configuration > Firewall > Advanced > Certificate Management > Identity Certificates > Export. See the “Exporting an Identity Certificate” section in the general operations configuration guide.
- For the TLS Proxy, enable Skinny and SIP inspection between the TLS server and TLS clients. See SIP Inspection and Skinny (SCCP) Inspection. When you are configuring the TLS Proxy for Presence Federation (which uses CUP), you only enable SIP inspection because the feature supports only the SIP protocol.
- For the TLS Proxy for CUMA, enable MMP inspection.
- When using the internal Certificate Authority of the ASA to sign the LDC Issuer for TLS clients, perform the following:
  – Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL file on the ASA.
    For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in the Cisco Unified CallManager Security Guide: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/5_0_4/secuauth.html
    To install the CTL file on the ASA, go to Configuration > Firewall > Unified Communications > CTL Provider > Add. The Add CTL Provider dialog box opens. For information on using this dialog box to install the CTL file, see Add/Edit CTL Provider.
  – Create a CTL provider instance for connections from the CTL clients. See Add/Edit CTL Provider.
Edit TLS Proxy Instance – Server Configuration
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
The TLS Proxy enables inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager, and supports the Cisco Unified Communications features on the ASA.
Use the Edit TLS Proxy – Server Configuration tab to edit the server proxy parameters for the original TLS Server—the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage (CUMA) server.
Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 2 To edit a TLS Proxy Instance, click Edit.
The Edit TLS Proxy Instance dialog box opens.
Step 3 If necessary, click the Server Configuration tab.
Step 4 Specify the server proxy certificate by doing one of the following:
- To add a new certificate, click Manage. The Manage Identity Certificates dialog box opens.
  When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identity Certificates dialog box. See the “Configuring CA Certificate Authentication” section in the general operations configuration guide.
- To select an existing certificate, select one from the drop-down list.
  When you are configuring the TLS Proxy for the Phone Proxy, select the certificate whose name begins with _internal_PP_. When you create the CTL file for the Phone Proxy, the ASA creates an internal trustpoint that the Phone Proxy uses to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.
The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example, for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with the IP phones.
Step 5 To install the TLS server certificate in the ASA trust store, so that the ASA can authenticate the TLS server during the TLS handshake between the proxy and the TLS server, click Install TLS Server’s Certificate.
The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section in the general operations configuration guide. Click Add to open the Install Certificate dialog box. See the “Configuring CA Certificate Authentication” section in the general operations configuration guide.
When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP phones on behalf of the CUCM server.
Step 6 To require the ASA to present a certificate and authenticate the TLS client during TLS handshake, check the Enable client authentication during TLS Proxy handshake check box.
When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), disable the check box when the client is incapable of sending a client certificate.
Step 7 Click Apply to save the changes.
Edit TLS Proxy Instance – Client Configuration
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
The TLS Proxy enables inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager, and supports the Cisco Unified Communications features on the ASA.
The fields in the Edit TLS Proxy dialog box are identical to the fields displayed when you add a TLS Proxy instance. Use the Edit TLS Proxy – Client Configuration tab to edit the client proxy parameters for the original TLS Client, such as IP phones, CUMA clients, the Cisco Unified Presence Server (CUPS), or the Microsoft OCS server.
Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 2 To edit a TLS Proxy Instance, click Edit.
The Edit TLS Proxy Instance dialog box opens.
Step 3 If necessary, click the Client Configuration tab.
Step 4 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option when the client proxy certificate is used between two servers; for example, when configuring the TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), the TLS client and the TLS server are both servers.
a. Check the Specify the proxy certificate for the TLS Client... check box.
b. Select a certificate from the drop-down list.
Or
To create a new client proxy certificate, click Manage. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.
Note When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate authority to issue client or server dynamic certificates.
Step 5 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS clients.
a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.
b. Click the Certificates radio button and select a self-signed certificate from the drop-down list, or click Manage to create a new LDC Issuer. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide.
Or
Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using the Local CA” section in the general operations configuration guide.
Note To make configuration changes after the local certificate authority has been configured for the first time, disable the local certificate authority.
c. In the Key-Pair Name field, select a key pair from the drop-down list. The list contains the already defined RSA key pairs used by client dynamic certificates. To see the key pair details, including generation time, usage, modulus size, and key data, click Show.
Or
To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring Identity Certificates Authentication” section in the general operations configuration guide for details about the Key Pair fields.
Step 6 In the Security Algorithms area, specify the available and active algorithms to be announced or matched during the TLS handshake.
- Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
  Add—Adds the selected algorithm to the active list.
  Remove—Removes the selected algorithm from the active list.
- Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For the client proxy (acting as a TLS client to the server), the user-defined algorithms replace the original ones from the hello message, so the two TLS legs can use different cipher suites. For example, the leg between the proxy and Call Manager may use the NULL cipher to offload the Call Manager.
  Move Up—Moves an algorithm up in the list.
  Move Down—Moves an algorithm down in the list.
Step 7 Click Apply to save the changes.
TLS Proxy
This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1.
Note This feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version 8.1.2.
Use the TLS Proxy option to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco CallManager.
The TLS Proxy pane lets you define and configure a Transport Layer Security (TLS) Proxy to enable inspection of encrypted traffic.
Fields
- TLS Proxy Name—Lists the TLS Proxy name.
- Server—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.
- Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server dynamic certificates.
- Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client or server dynamic certificates.
- Add—Adds a TLS Proxy.
- Edit—Edits a TLS Proxy.
- Delete—Deletes a TLS Proxy.
- Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.
  – Specify the maximum number of TLS Proxy sessions that the ASA needs to support. By default, ASA supports 300 sessions.—Enables the maximum number of sessions option.
  – Maximum number of sessions:—The minimum is 1. The maximum is dependent on the platform. The default is 300.
Add/Edit TLS Proxy
Note This feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version 8.1.2.
The Add/Edit TLS Proxy dialog box lets you define the parameters for the TLS Proxy.
Fields
- TLS Proxy Name—Specifies the TLS Proxy name.
- Server Configuration—Specifies the proxy certificate name.
  – Server—Specifies the trustpoint to be presented during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy.
- Client Configuration—Specifies the local dynamic certificate issuer and key pair.
  – Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server dynamic certificates.
    Certificate Authority Server—Specifies the certificate authority server.
    Certificate—Specifies a certificate.
    Manage—Configures the local certificate authority. To make configuration changes after it has been configured for the first time, disable the local certificate authority.
  – Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client dynamic certificates.
    Key-Pair Name—Specifies a defined key pair.
    Show—Shows the key pair details, including generation time, usage, modulus size, and key data.
    New—Lets you define a new key pair.
- More Options—Specifies the available and active algorithms to be announced or matched during the TLS handshake.
  – Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
    Add—Adds the selected algorithm to the active list.
    Remove—Removes the selected algorithm from the active list.
  – Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For the client proxy (acting as a TLS client to the server), the user-defined algorithms replace the original ones from the hello message, so the two TLS legs can use different cipher suites. For example, the leg between the proxy and CallManager may use the NULL cipher to offload the CallManager.
    Move Up—Moves an algorithm up in the list.
    Move Down—Moves an algorithm down in the list.