The mixed mode or secure mode supports secure and non-secure endpoints. When you install Unified Communications Manager fresh on a cluster or server, by default it's in non-secure mode. However, you can convert the security mode from non-secure
to secure or mixed mode.
To change a cluster from a non-secure mode to a mixed mode (secure mode), perform the following:
When a Call Manager certificate is self-signed, the CTL file contains a server certificate, public key, serial number, signature,
issuer name, subject name, server function, DNS name, and IP address for each server.
In the case of a Multi-SAN Call Manager certificate, the CTL file contains the Publisher's Call Manager certificate.
The next time that the phone initializes, it downloads the CTL file from the TFTP server. If the CTL file contains a TFTP
server entry that has a self-signed certificate, the phone requests a signed configuration file in.sgn format. If no TFTP
server contains a certificate, the phone requests an unsigned file.
You can update the CTL file running the following commands:
utils ctl set-cluster mixed-mode
Updates the CTL file and sets the cluster to mixed mode.
utils ctl set-cluster non-secure-mode
Updates the CTL file and sets the cluster to non-secure mode.
utils ctl update CTLFile
Updates the CTL file on each node in the cluster.
For endpoint security, Transport Layer Security (TLS) is used for signaling and Secure RTP (SRTP) is used for media.
To enable mixed mode, log in to the Command Line Interface on the publisher node and Run the CLI command
utils ctl set-cluster mixed-mode.
Make sure that Unified Communications Manager is registered with the Cisco Smart Software Manager or Cisco Smart Software Manager satellite. The Registration Token received
from the Smart account or Virtual account has Allow Export-Controlled functionality enabled while registering with this cluster.
For the tokenless CTL file, administrators must ensure that the endpoints download the uploaded CTL file generated using USB
tokens on Unified Communications Manager Release 12.0(1) or later. After the download, they can switch to tokenless CTL file.
Then, they can run the util ctl update CLI command.
You can verify the security mode, if you have changed it from non-secure to secure or mixed mode. To verify the mode, navigate
to the Enterprise Parameters Configuration page to verify if your cluster or server is in mixed mode or not. See Verify Security Mode topic for more information.