Cisco Unity Security Guide (With Microsoft Exchange), Release 4.x
Securing Subscriber Messages

Table Of Contents

Securing Subscriber Messages

How Cisco Unity Handles Messages That Are Marked Private

Private Secure Messaging (Cisco Unity Version 4.0(5) and Later)

Understanding How Cisco Unity Handles Messages Marked Private Secure

Limitations of Private Secure Messaging

Installing and Configuring Private Secure Messaging

Running Permissions Wizard to Set the Active Directory Permissions Required to Install a Certificate for Private Secure Messaging

Installing Private Secure Messaging Certificates on Cisco Unity Servers

Enabling MAPI Rich Text Format for All Contacts in the Active Directory

Configuring Cisco Unity Bridge or VPIM Delivery Locations for a Cisco Unity System When Private Secure Messaging Is In Use

Enabling Private Secure Messaging for All Subscribers or for Individual Subscribers

Maintenance Considerations When Private Secure Messaging Is in Use

Managing Private Secure Messaging Certificates

Performance Monitoring When Using Private Secure Messaging

Limiting Access to the Cisco Unity Server

Backing Up and Restoring Public and Private Keys

Upgrading Cisco Unity When Private Secure Messaging Certificates Are in Use

Best Practices for Using Text to Speech (Unified Messaging)

Disabling the Copy to File Option in the Media Master for the Cisco Unity Inbox (Cisco Unity Version 4.0(5) and Later)


Securing Subscriber Messages


Cisco Unity offers the following message security options:

All subscribers have the ability to mark messages private. Messages that are marked private cannot be forwarded by phone or from the Cisco Unity Inbox.

Private Secure Messaging is an optional feature that you can enable for subscribers if you are using Cisco Unity version 4.0(5) and later. Voice messages that are marked private and secure are encrypted and cannot be heard by anyone other than a Cisco Unity subscriber who is homed on a Cisco Unity server.

If you are using the Cisco Unity Inbox with Cisco Unity version 4.0(5) and later, you can disable the Copy to File option so that subscribers cannot save any message—regardless of its sensitivity—on their hard disks.

In addition, there are security issues you should consider before enabling the Text to Speech (TTS) feature for subscribers.

In this chapter, you will find descriptions of potential security issues related to securing messages; information on any actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and in many cases, best practices. See the following sections for details:

How Cisco Unity Handles Messages That Are Marked Private

Private Secure Messaging (Cisco Unity Version 4.0(5) and Later)

Best Practices for Using Text to Speech (Unified Messaging)

Disabling the Copy to File Option in the Media Master for the Cisco Unity Inbox (Cisco Unity Version 4.0(5) and Later)

How Cisco Unity Handles Messages That Are Marked Private

Messages marked private cannot be forwarded by phone or from the Cisco Unity Inbox. This includes any voice message that a Cisco Unity subscriber marked private, and as applicable, any e-mail message that a subscriber or another sender marked private in Outlook. In addition, when a message is marked private, the Copy and Copy To options are disabled on the Options menu on the Media Master control bar in the Cisco Unity Inbox.

For subscribers who require more secure messaging, consider the following (if you are using Cisco Unity version 4.0(5) and later):

You can set up private secure messaging and enable subscribers to use it. Private secure messaging provides security through the use of public/private key encryption for voice messages that subscribers record when they log on to Cisco Unity by phone. Voice messages that are marked private secure cannot be heard by anyone other than a Cisco Unity subscriber who is homed on the Cisco Unity server. For information on how to set up private and secure messaging, see the "Private Secure Messaging (Cisco Unity Version 4.0(5) and Later)" section.

You can prevent subscribers from saving any voice message—regardless of its sensitivity—to their hard disks by disabling the Copy to File option on the Options menu of the Media Master control bar in the Cisco Unity Inbox. To learn more, see the "Disabling the Copy to File Option in the Media Master for the Cisco Unity Inbox (Cisco Unity Version 4.0(5) and Later)" section.

Private Secure Messaging (Cisco Unity Version 4.0(5) and Later)

The private secure messaging feature provides security, through the use of public/private key encryption, for voice messages that subscribers send when they are logged on to Cisco Unity by phone. Private secure messaging is available in Cisco Unity version 4.0(5) and later, for systems running on Microsoft Exchange 2000 or Exchange 2003, including the partner Exchange server, if applicable.

Note that if you have multiple Cisco Unity servers in your network, private secure messaging is available only to subscribers who are homed on Cisco Unity servers that are running Cisco Unity version 4.0(5) or later. A Cisco Unity utility is used to install a public/private key encryption certificate on each Cisco Unity server in a network.

See the following sections for information on how private secure messaging works, how to set it up, and how to maintain systems that have the feature enabled:

Understanding How Cisco Unity Handles Messages Marked Private Secure—Describes how and when private secure messages can be sent and played.

Limitations of Private Secure Messaging—Lists limitations of private secure messaging that subscribers should understand before using the feature.

Installing and Configuring Private Secure Messaging—Includes instructions for installing private secure messaging, configuring the feature, and enabling subscribers to use it.

Maintenance Considerations When Private Secure Messaging Is in Use—Discusses maintenance issues you should consider when using the private secure messaging feature.

For information on troubleshooting private secure messaging, refer to the "Troubleshooting Private Secure Voice Messages" section in the "Messages" chapter of the Cisco Unity Troubleshooting Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_troubleshooting_guides_list.html.

Understanding How Cisco Unity Handles Messages Marked Private Secure

In addition to preventing subscribers from using the Cisco Unity conversation and Cisco Unity Inbox to forward messages that are marked private secure, the private secure messaging feature provides enhanced privacy and security through the use of public/private key encryption for voice messages. When a subscriber records a voice message and marks it private secure, Cisco Unity encrypts the WAV file by using the public key of each Cisco Unity server in Active Directory. The public key for each Cisco Unity server is stored in the Cisco Unity database and is also shared across the network through the Active Directory. To send a private secure message, subscribers must log on to Cisco Unity by phone. As with other voice messages, subscribers can use any phone—inside or outside the organization—to record a private secure message.

In order to play a private secure message, Cisco Unity decrypts the message by using a private key stored on the server. Cisco Unity can play a private secure message only for the recipients who are homed on the same Cisco Unity server as the sender, and those who are homed on a Cisco Unity server in the same network as the sender. To hear the message, the recipients must log on to Cisco Unity by phone. They can use any phone—inside or outside the organization—to do so. Recipients who are associated with servers outside of the Cisco Unity Active Directory forest cannot listen to a private secure message, because no public key for those servers was available in Active Directory when the message was encrypted. Instead, Cisco Unity plays a decoy WAV file that says:

"This voice message is private and secure and can only be played if you log on to the voice mail system and check your messages by phone. If you received this message in error, notify the sender and delete it immediately."

Cisco Unity also plays the decoy message when anyone attempts to play a private secure message by using media player software, and subscribers hear the decoy message when they use Cisco Unity ViewMail for Microsoft Outlook or the Cisco Unity Inbox to play a private secure message—even when they specify the phone as the playback device for the Media Master.

If recipients instead attempt to play a private secure message by using Microsoft Outlook or any other SMTP e-mail program, the following text message is displayed:

"This message and any files transmitted with it are confidential and intended solely for the individual or entity to which they are addressed. If you received this message in error, notify the sender and delete it immediately."

Limitations of Private Secure Messaging

Consider the following limitations of the private secure messaging feature, and make sure that subscribers, administrators, and support desk personnel are aware of them.

When private secure messaging is enabled for subscribers, the following statements are true:

When subscribers log on to Cisco Unity by phone to send ("Press 2 to send") or reply to a message, the Cisco Unity conversation no longer offers them the option of marking a message private. The only privacy option offered is private secure.

When subscribers leave a voice message after calling another subscriber and being transferred to voice mail, they cannot mark the message private secure.

When subscribers reply to an ordinary private message or to a private secure message, the reply is automatically marked private secure.

When subscribers forward messages (with or without recording an introduction), they do not have the option of marking the message private secure, though they can still mark it private.

Subscribers cannot use Cisco Unity ViewMail for Microsoft Outlook or the Cisco Unity Inbox to send a private secure message or to play one—even when they specify the phone as the recording and playback device for the Media Master.

Outside callers cannot leave or play private secure messages.

The private keys that are required to decrypt private secure messages are not specific to individual subscribers or workstations. Thus, if a private secure message is sent to an unintended recipient—perhaps because of an addressing mistake made by the sender or due to a system problem—Cisco Unity will play the message for any recipient who receives the message as long as the recipient is homed on the same Cisco Unity server as the sender or is homed on a Cisco Unity server in the same network as the sender.

When subscribers send private secure messages to Cisco Unity Bridge, AMIS, or VPIM subscribers, the following statements are true:

Messages sent to Bridge or VPIM subscribers are either decrypted and sent as private messages, or are undeliverable and will generate an NDR. The Cisco Unity conversation does not inform subscribers that their private secure message will be decrypted during the message delivery process. See the "Configuring Cisco Unity Bridge or VPIM Delivery Locations for a Cisco Unity System When Private Secure Messaging Is In Use" section for details.

Messages sent to AMIS subscribers are undeliverable and will generate an NDR in all cases.

Private messages from Bridge and VPIM subscribers that are sent to Cisco Unity subscribers can be encrypted, but only at the point at which they reach the Voice Connector, if the delivery location is configured for this functionality. See the "Configuring Cisco Unity Bridge or VPIM Delivery Locations for a Cisco Unity System When Private Secure Messaging Is In Use" section for details.

Installing and Configuring Private Secure Messaging

The following task list leads you through installation and configuration of the private secure messaging feature. Do the procedures in the following sections, as applicable. If a section or procedure does not apply to your situation, skip it.

1. If you are upgrading to Cisco Unity version 4.0(5) or later, run Permissions wizard so that the required permissions for installing a certificate are set. See the "Running Permissions Wizard to Set the Active Directory Permissions Required to Install a Certificate for Private Secure Messaging" section.

2. Install a private secure messaging certificate on each Cisco Unity server in your network. Beginning with Cisco Unity version 4.0(5), during installation or upgrade, an exportable certificate is installed automatically on each Cisco Unity server that is running version 4.0(5) or later. However, you may want to install a different type of certificate, based on the needs of your site. See the "Installing Private Secure Messaging Certificates on Cisco Unity Servers" section.

3. If you are upgrading to Cisco Unity version 4.0(5) or later, enable MAPI Rich Text Format for all subscribers who are listed as Contacts in the Cisco Unity Active Directory. See the "Enabling MAPI Rich Text Format for All Contacts in the Active Directory" section.

4. If you have a Cisco Unity Bridge or VPIM system, and want the limited private secure messaging functionality available for these subscribers, set up outgoing and incoming private secure message handling for each delivery location. See the "Configuring Cisco Unity Bridge or VPIM Delivery Locations for a Cisco Unity System When Private Secure Messaging Is In Use" section.

5. Enable private secure messaging for individual subscribers or all subscribers. See the "Enabling Private Secure Messaging for All Subscribers or for Individual Subscribers" section.

Running Permissions Wizard to Set the Active Directory Permissions Required to Install a Certificate for Private Secure Messaging

Cisco Unity Permissions wizard sets the Active Directory permissions that are required to install a certificate for private secure messaging. If you installed a new Cisco Unity system or if you ran Cisco Unity Permissions wizard when you upgraded from Cisco Unity 3.x to version 4.0(5) or later, the correct permissions have already been set in Active Directory. If you upgraded from Cisco Unity 4.0(x) to version 4.0(5) or later, you were not required to re-run Permissions wizard, so the required permissions have not been set.

To set the permissions that private secure messaging requires, you usually need to run Permissions wizard only once, even if there are multiple Cisco Unity servers in the Active Directory forest. However, if not all Cisco Unity servers use the same directory services account, you need to run Permissions wizard once for each directory services account.

If you are installing Cisco Unity in a Voice Messaging configuration, the Permissions wizard will complete in under an hour, and possibly in just a few minutes. If you are installing Cisco Unity in a Unified Messaging configuration, note that the Permissions wizard has, in a few rare cases, taken considerably longer than an hour to complete. If the wizard takes longer than four hours, we ask that you contact Cisco TAC, and send them the Permissions wizard log file (PWDiag.Log) from the temp directory. To access the temp directory, start Windows Explorer and enter %temp% in the Address field.

Do the following procedure by using Permissions wizard version 4.0(5) or later to set the permissions required for private secure messaging.

To Run Cisco Unity Permissions Wizard to Set Permissions Required for Private Secure Messaging


Step 1 If a domain security policy is in effect, confirm that the domain security policy does not deny the installation and services accounts the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job.

Step 2 Log on to the Cisco Unity server by using an account that meets the following conditions:

Is a member of the Domain Admins group in the domain in which the Cisco Unity server is being installed.

Is either an Exchange Full Administrator or a member of the Domain Admins group in the domain that contains all of the subdomains in which Cisco Unity subscribers are homed.


Caution If you try to run the Permissions wizard by using an account that has less than the default permissions for a Domain Admin, the wizard may not be able to set all of the permissions required.

Step 3 On Cisco Unity DVD 1 or CD 1, or from the location to which you saved the downloaded Cisco Unity CD 1 image files, browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.

Step 4 On the Welcome to the Unity Permissions Wizard page, click the version of Exchange installed on the partner Exchange server.

Step 5 Click Next on every dialog box of Permissions wizard to accept all default values.

Permissions wizard retains all of the values you selected the last time you ran it. If Cisco Unity is functioning properly, these settings are still correct.

Step 6 If the Permissions wizard failed to grant one or more permissions, an error message appears that lists the number of permissions it was not able to grant. Click OK.

Step 7 To display a report listing the operations that succeeded and those that failed, if any, click View Detailed Results.

Step 8 If one or more permissions could not be granted, fix the problems, and run the Permissions wizard again.

Step 9 Click Finish.


Installing Private Secure Messaging Certificates on Cisco Unity Servers

A private secure messaging certificate must be installed individually on the following servers:

Every Cisco Unity server in your network, including both servers in a failover pair, if applicable

Any Exchange server on which the Voice Connector is installed, if applicable

Beginning with Cisco Unity version 4.0(5), during installation or upgrade, an exportable certificate is installed automatically on each Cisco Unity server running version 4.0(5) or later. However, you may want to install a different type of certificate, based on the needs of your site. Once installed, the certificate generates the public and private keys required to encrypt and to play private secure messages.

Certificates are created to be exportable or unexportable:

Exportable—Exportable certificates pose a security risk because the keys created from these certificates can be copied to another server by anyone who can log on to the Cisco Unity server by using an account with local admin privileges.

Unexportable—Keys created from unexportable certificates cannot be copied to another server.

Certificates can be installed and used for an unlimited period of time, or they can be installed and deleted as often as necessary:

Unlimited—Certificates are used for an unlimited period of time and are never deleted. Retaining certificates allows subscribers to play their saved private secure messages at any time, regardless of the age of the message.

Limited—Certificates are installed and deleted on a defined schedule. Deleting existing certificates and creating new certificates in effect limits the age of private secure messages that can be played by subscribers. Though private secure messages that require a private key from a deleted certificate are not automatically deleted, they cannot be played when the deleted certificate is no longer available.

To implement the most secure method of certificate management, delete existing certificates and install new unexportable certificates on each Cisco Unity server in your network as a regularly scheduled task in your server maintenance plan.
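The following Python model is an added example and is not Cisco code; it illustrates the envelope described in the "Understanding How Cisco Unity Handles Messages Marked Private Secure" section and the effect of the limited-duration certificate policy described above. A single content key encrypts the WAV once, that key is wrapped to the public key of every Cisco Unity server published in the directory, and a recipient's home server unwraps it with a private key it still holds; a server outside the forest, or one whose matching certificate has been deleted, gets the decoy WAV. Everything here is an assumption for illustration: the toy RSA keys built from six-digit primes, the SHA-256 keystream standing in for the real WAV cipher, the `UnityServer`, `record_private_secure` and `play_by_phone` names, and the sample message bytes (the real product uses certificate-backed keys and does not expose this interface).

```python
"""Model of the per-server public-key envelope behind Private Secure Messaging.

Added example, not Cisco code. Toy RSA (six-digit primes, labelled as
constructed) and a SHA-256 keystream stand in for real certificate keys and
WAV encryption; the structure is what the Cisco Unity guide describes.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# Decoy played when no usable private key exists (wording from the guide).
DECOY_WAV = (b"This voice message is private and secure and can only be played if you "
             b"log on to the voice mail system and check your messages by phone.")


def _keystream_xor(key: int, data: bytes) -> bytes:
    """Symmetric stand-in for the WAV cipher: XOR with SHA-256(key || block index).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(8, "big") + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass
class Certificate:
    """One private secure messaging certificate installed on a server."""
    n: int
    e: int
    d: int  # private key: stays on the server that created it

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()[:16]


def make_certificate(p: int, q: int, e: int = 65537) -> Certificate:
    """Toy RSA key pair from two constructed primes (real keys are far larger)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return Certificate(n=n, e=e, d=pow(e, -1, phi))


@dataclass
class UnityServer:
    name: str
    certs: list = field(default_factory=list)  # oldest first, newest last

    def install_certificate(self, p: int, q: int, delete_existing: bool = False) -> None:
        """Models assignconfcert -c (install) with or without -d<days> (delete old)."""
        if delete_existing:
            self.certs.clear()
        self.certs.append(make_certificate(p, q))

    def public_key(self) -> tuple:
        """What the directory publishes for this server: newest cert, public part only."""
        cert = self.certs[-1]
        return cert.fingerprint, cert.n, cert.e


@dataclass
class SecureMessage:
    ciphertext: bytes
    wrapped_keys: dict  # certificate fingerprint -> content key wrapped to that public key


def record_private_secure(wav: bytes, directory: list) -> SecureMessage:
    """Sender's server encrypts the WAV once and wraps the content key to every
    Cisco Unity server whose public key is published in the directory."""
    content_key = secrets.randbelow(2 ** 31)  # smaller than every toy modulus
    wrapped = {}
    for server in directory:
        fp, n, e = server.public_key()
        wrapped[fp] = pow(content_key, e, n)  # textbook RSA wrap: model only
    return SecureMessage(_keystream_xor(content_key, wav), wrapped)


def play_by_phone(msg: SecureMessage, home_server: UnityServer) -> bytes:
    """The recipient's home server tries each private key it still holds.
    Note the key is per server, not per subscriber: any subscriber homed here
    who receives the message can play it, exactly as the guide's limitation says."""
    for cert in home_server.certs:
        if cert.fingerprint in msg.wrapped_keys:
            content_key = pow(msg.wrapped_keys[cert.fingerprint], cert.d, cert.n)
            return _keystream_xor(content_key, msg.ciphertext)
    return DECOY_WAV


def demo() -> dict:
    """Constructed scenario: two servers in the forest, one outside it."""
    unity1, unity2, outside = UnityServer("UNITY1"), UnityServer("UNITY2"), UnityServer("OTHER")
    unity1.install_certificate(1000003, 999983)
    unity2.install_certificate(999979, 1000033)
    outside.install_certificate(1000037, 999961)  # never published in this forest
    wav = b"RIFF....constructed sample voice message bytes, not a real WAV"
    msg = record_private_secure(wav, directory=[unity1, unity2])
    result = {
        "same_server": play_by_phone(msg, unity1) == wav,
        "other_server_in_forest": play_by_phone(msg, unity2) == wav,
        "outside_forest": play_by_phone(msg, outside) == DECOY_WAV,
    }
    # Limited-duration policy: new cert, old ones deleted -> old messages unplayable.
    unity1.install_certificate(1000039, 999959, delete_existing=True)
    result["after_certificate_deleted"] = play_by_phone(msg, unity1) == DECOY_WAV
    # Retaining the old cert alongside a new one keeps old messages playable.
    unity2.install_certificate(1000081, 999953, delete_existing=False)
    result["after_certificate_retained"] = play_by_phone(msg, unity2) == wav
    return result


if __name__ == "__main__":
    print(demo())
```

The dictionary returned by `demo()` is all `True`: the message plays on the sender's server and on the second server in the forest, the outside server and the server that deleted its certificate get the decoy, and the server that retained its old certificate can still play the message after installing a new one.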

There are two methods you can use to install and delete private secure messaging certificates:

To install a new exportable certificate and retain existing certificates, use the Cisco Unity Private Secure Messaging Certificate wizard. Do the "To Install an Exportable Private Secure Messaging Certificate on a Cisco Unity Server" procedure, on each Cisco Unity server in your network.

To install new unexportable or exportable certificates, and to delete or retain existing certificates as needed, run the Assignconfcert utility from a command prompt. Do the "To Install a Private Secure Messaging Certificate on a Cisco Unity Server, and Delete or Retain Existing Certificates" procedure, on each Cisco Unity server in your network.


Caution Do not create new certificates on a regular basis without deleting existing certificates. Creating multiple new certificates on a server without deleting existing certificates can adversely affect performance.

To Install an Exportable Private Secure Messaging Certificate on a Cisco Unity Server


Step 1 Log on to the Cisco Unity server by using an account with Domain Admin privileges.

Step 2 In Windows Explorer, browse to the CommServer\Utilities\CiscoUnitySrvrCertmgr directory.

Step 3 Double-click Assignconfcert.exe. The Cisco Unity Private Secure Messaging Certificate wizard appears.

Step 4 Click Next.

Step 5 Follow the on-screen instructions.

Step 6 When the certificate has been installed successfully, click Finish.

Step 7 Repeat Step 1 through Step 6 on each Cisco Unity server in your network, including if applicable both servers in a failover pair and any Exchange server on which the Voice Connector is installed. (Note that on the Exchange server on which the Voice Connector is installed, Assignconfcert.exe is located in the Voice Connector directory.)


Note Existing certificates are not deleted by the Cisco Unity Private Secure Messaging Certificate wizard.



To Install a Private Secure Messaging Certificate on a Cisco Unity Server, and Delete or Retain Existing Certificates


Step 1 Log on to the Cisco Unity server by using an account with Domain Admin privileges.

Step 2 On the Windows Start menu, click Programs > Accessories > Command Prompt.

Step 3 In the command prompt window, change to the CommServer\Utilities\CiscoUnitySrvrCertmgr directory.

Step 4 Do one of the following, as applicable:

To install a new unexportable certificate and delete the existing certificate(s), enter

assignconfcert -c -e -d<days>
and press Enter

A new unexportable certificate is created and certificates older than <days> are deleted. A valid value for <days> is a number from 1 to 999. (You do not need to enter leading zeros if the number of days entered is one or two digits.)

To install a new unexportable certificate and retain the existing certificate(s), enter

assignconfcert -c -e
and press Enter

A new unexportable certificate is created. The existing certificate(s) are not deleted and are still available for use.

To install a new exportable certificate and delete the existing certificate(s), enter

assignconfcert -c -d<days>
and press Enter

A new exportable certificate is created and certificates older than <days> are deleted. A valid value for <days> is a number from 1 to 999. (You do not need to enter leading zeros if the number of days entered is one or two digits.)

To install a new exportable certificate and retain the existing certificate(s), enter

assignconfcert -c
and press Enter

A new exportable certificate is created. The existing certificate(s) are not deleted and are still available for use.

To delete the existing certificate(s), enter

assignconfcert -d<days>
and press Enter

Certificates older than <days> are deleted. A new certificate is not installed. A valid value for <days> is a number from 1 to 999. (You do not need to enter leading zeros if the number of days entered is one or two digits.)

Step 5 Close the Command Prompt window.

Step 6 Repeat Step 1 through Step 5 on each Cisco Unity server in your network, including if applicable both servers in a failover pair and any Exchange server on which the Voice Connector is installed. (Note that on the Exchange server on which the Voice Connector is installed, Assignconfcert.exe is located in the Voice Connector directory.)


Enabling MAPI Rich Text Format for All Contacts in the Active Directory

If you are installing private secure messaging on an existing Cisco Unity system that has been upgraded to Cisco Unity version 4.0(5) and later, do the following procedure to enable MAPI Rich Text Format for all subscribers who are listed as Contacts in the Cisco Unity Active Directory.

Depending on the number of Contact records to be updated, the Active Directory synchronization process can take several hours or more to complete. The synchronization process may also use a considerable percentage of available computer and network resources. Therefore, we recommend that you run the Enable Rich Text Format utility at a time when demand on Cisco Unity system resources is low, for example, on a weekend evening.

To Enable MAPI Rich Text Format


Step 1 Log on to the Cisco Unity server by using an account with Domain Admin privileges.

Step 2 On the Cisco Unity server, double-click the Cisco Unity Tools Depot icon.

Step 3 In the left pane, under Administration Tools, double-click EnableRichTextFormat. The Enable Rich Text Format window appears and displays all Contact records that do not have MAPI Rich Text Format enabled.

Step 4 Click Process Contacts. A status bar shows the progress of the Active Directory update.

Step 5 When the Active Directory update is complete, click OK.

Step 6 If desired, click Save Report to view and save a record of the updates that were made to the Active Directory.

Step 7 Click Exit.


Configuring Cisco Unity Bridge or VPIM Delivery Locations for a Cisco Unity System When Private Secure Messaging Is In Use

If you have a Cisco Unity Bridge or VPIM system, and want the limited private secure messaging functionality available for these subscribers, you need to decide how outgoing private secure and incoming private voice messages will be handled for each delivery location. By default, Cisco Unity Bridge and VPIM delivery locations are not set to encrypt incoming private voice messages or to decrypt outgoing private secure messages. Thus, the default configuration does not allow private secure messages sent by Cisco Unity subscribers to be decrypted and received by Bridge or VPIM subscribers. (In the default configuration these messages will generate an NDR.) The default configuration also does not allow private messages sent by Bridge or VPIM subscribers to Cisco Unity subscribers to be encrypted.

Bridge and VPIM subscribers have only limited private secure messaging functionality available to them because both the public keys required for encryption of private secure messages and the private keys required for decryption of private secure messages exist only on Cisco Unity servers, and on the Exchange servers on which the Voice Connector is installed.

Each delivery location has two configuration settings:

Encrypt Incoming Private Messages—Check this check box to encrypt incoming private voice messages that are sent by subscribers at this delivery location. Private voice messages are not encrypted until they reach the Exchange server on which the Voice Connector is installed. If the check box for encrypting incoming private messages is not checked, private messages can still be sent by subscribers at this location, but these messages will not be encrypted and will simply be marked and treated as private messages.

Decrypt Outgoing Private Messages—Check this check box to decrypt outgoing private secure messages that are sent to subscribers at this delivery location. Enabling the decryption of outgoing private secure messages for a delivery location allows voice messages marked private and secure to be decrypted and then delivered to subscribers at this location. These voice messages are decrypted when they leave the Voice Connector, and therefore are no longer secure after that point. When a subscriber receives a decrypted private secure message, the message is marked and played as a private message. Note that if the check box for decrypting outgoing private secure messages is not checked, private secure messages sent to subscribers at this location will be undeliverable and will generate an NDR.

For more information on private messages, see the "How Cisco Unity Handles Messages That Are Marked Private" section.

To Configure Bridge or VPIM Delivery Locations for a Cisco Unity System When Private Secure Messaging Is In Use


Step 1 In the Cisco Unity Administrator, go to the Delivery Locations page for each location in your system.

Step 2 Check the Encrypt Incoming Private Messages check box, as applicable.

Step 3 Check the Decrypt Outgoing Private Messages check box, as applicable.


Enabling Private Secure Messaging for All Subscribers or for Individual Subscribers

In order to allow subscribers to send private secure messages by using the Cisco Unity conversation, you must enable it for them. You can enable private secure messaging for all subscribers systemwide, or for a limited number of subscribers.

Note that subscribers are able to receive and listen to private secure messages after you complete the installation and basic configuration, as instructed in the previous sections. However, the feature is not fully implemented until subscribers are set up to send as well as receive private secure messages.

Choose one of the following methods, according to the needs of your subscribers:

Enabling Private Secure Messaging for All Subscribers

Enabling Private Secure Messaging for Individual Subscribers

Enabling Private Secure Messaging for All Subscribers

To make system administration easy, Cisco Unity offers a registry setting that enables private secure messaging for every subscriber account that is homed on a specific Cisco Unity server. If you have multiple Cisco Unity servers in a network configuration, repeat the procedure to enable the feature for subscribers on each Cisco Unity server, including both servers in a failover pair, if applicable.

To Enable Private Secure Messaging for All Subscribers That Are Homed on a Cisco Unity Server


Step 1 On the Cisco Unity desktop, double-click the Cisco Unity Tools Depot icon.

Step 2 In the left pane of the Tools Depot window, under Administration Tools, double-click Advanced Settings Tool.

Step 3 In the Unity Settings list, click Security—Enable All Subscribers to Encrypt All Messages Marked Private via the TUI.

Step 4 In the New Value field, enter 1.

Step 5 Click Set.

Step 6 If you have multiple Cisco Unity servers, repeat Step 1 through Step 5 on all other Cisco Unity servers in your network, including both servers in a failover pair, if applicable.


Enabling Private Secure Messaging for Individual Subscribers

You enable private secure messaging for individual existing subscribers on the Subscribers > Subscribers > Features page. Do the "To Enable Private Secure Messaging for an Individual Subscriber or Subscribers" procedure. To enable private secure messaging for multiple (but not all) existing subscribers, use the Bulk Edit utility, available in Tools Depot.

You can also enable private secure messaging for future new subscribers by changing a setting on the Subscribers > Subscriber Templates > Features page. Do the "To Enable Private Secure Messaging for Future New Subscribers" procedure.

Private secure messaging cannot be enabled by class of service.

Enabling private secure messaging only for certain subscribers may make system administration, troubleshooting, and training more labor-intensive than when the feature is enabled systemwide for all subscribers. For example, a subscriber who receives a private secure message may try to send a private secure message even if not enabled to do so, and may then believe that Cisco Unity is not behaving as expected.

To Enable Private Secure Messaging for an Individual Subscriber or Subscribers


Step 1 In the Cisco Unity Administrator, go to the applicable Subscribers > Subscribers > Features page.

Step 2 Check the Encrypt All Messages Marked Private check box.

Step 3 Click the Save icon.

Step 4 Repeat Step 1 through Step 3 for each additional subscriber, as applicable.


To Enable Private Secure Messaging for Future New Subscribers


Step 1 In the Cisco Unity Administrator, go to the applicable Subscribers > Templates > Features page.

Step 2 Check the Encrypt All Messages Marked Private check box.


Note The change you make here will not be applied to currently existing subscriber accounts that were created by using this template; the setting applies only to subscriber accounts that are created by using this template after the change has been made.


Step 3 Click the Save icon.


Maintenance Considerations When Private Secure Messaging Is in Use

Incorporate the information from the following sections into your Cisco Unity system maintenance plan:

Managing Private Secure Messaging Certificates

Performance Monitoring When Using Private Secure Messaging

Limiting Access to the Cisco Unity Server

Backing Up and Restoring Public and Private Keys

Upgrading Cisco Unity When Private Secure Messaging Certificates Are in Use

Managing Private Secure Messaging Certificates

Private secure messaging certificates are stored in a certificate directory created on each server. Information about each certificate, including a certificate history, is also stored in the registry. You can use the Microsoft Certificate Manager tool (Certmgr.exe), available with Internet Explorer, to view the private secure messaging certificates on your servers.

Add maintenance of limited-duration private secure messaging certificates to the scheduled maintenance tasks for your Cisco Unity system. We recommend that on a regular basis, you install new certificates on each Cisco Unity server in your network, including, if applicable, both servers in a failover pair and any Exchange server on which the Voice Connector is installed. (You install new certificates by doing the "To Install a Private Secure Messaging Certificate on a Cisco Unity Server, and Delete or Retain Existing Certificates" procedure.) When you install new certificates, you also decide whether to retain or delete existing certificates, a decision that will depend on your security policies and the needs of your organization.


Caution Do not create new certificates on a regular basis without deleting existing certificates. Creating multiple new certificates on a server without deleting existing certificates may adversely affect performance.

Performance Monitoring When Using Private Secure Messaging

Enabling private secure messaging systemwide for all subscribers should not adversely affect Cisco Unity performance. However, if a Cisco Unity performance problem occurs when subscribers are using private secure messaging, include the performance counters % Processor Time and AvCsMgr Process Private Bytes in the performance testing and analysis. For more information on collecting and analyzing Cisco Unity performance data, refer to the "Performance Monitoring" chapter of the Cisco Unity Maintenance Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

Limiting Access to the Cisco Unity Server

Sites need to protect their private keys from unauthorized internal or external access. When an exportable certificate is installed on a server, anyone who can log on to that server as a user in the local administrator group can copy the private keys and install them on any other server. Note that private secure messaging public and private keys should be present only on the Cisco Unity servers and on the Exchange servers on which the Voice Connector is installed. The keys are never created on subscriber workstations, and should never be copied to another server or workstation.
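The two maintenance points above (certificates that expire and must be replaced, and exportable private keys that any local administrator can copy) can be audited from the server itself. The following script is an added example, not code from the Cisco Unity guide; it assumes the private secure messaging certificates were installed into the LocalMachine\My store (the guide only says they live in a per-server certificate directory, so adjust $StorePath if yours differ), that the keys are CSP-backed RSA keys, and that it is run from an elevated PowerShell session.

```powershell
# Added example (not Cisco's code). Assumptions: certificates live in
# Cert:\LocalMachine\My and use CSP-backed RSA keys; run as administrator.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [int]   $WarnDays  = 30   # flag certificates expiring within this window
)

function Get-PrivateKeyReport {
    param([string]$Path, [int]$Days)
    Get-ChildItem -Path $Path | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $exportable = 'unknown'   # default when the key cannot be inspected
        try {
            # RSACryptoServiceProvider keys expose whether they may leave this box.
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info) { $exportable = $info.Exportable }
        } catch { }               # access denied or non-CSP key: leave 'unknown'
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Exportable  = $exportable
            ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays($Days))
        }
    }
}

function Get-LocalAdministrators {
    # Everyone listed here can copy an exportable key off this server.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$report = Get-PrivateKeyReport -Path $StorePath -Days $WarnDays
Write-Host "Certificates with private keys in $StorePath"
$report | Format-Table Subject, Thumbprint, NotAfter, Exportable, ExpiresSoon -AutoSize

$exportableKeys = @($report | Where-Object { $_.Exportable -eq $true })
if ($exportableKeys.Count -gt 0) {
    Write-Warning "$($exportableKeys.Count) exportable private key(s) present; review local Administrators:"
    Get-LocalAdministrators | ForEach-Object { Write-Host "  $_" }
}
$report | Where-Object { $_.ExpiresSoon } | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) expires $($_.NotAfter); schedule a replacement."
}
```

Run it on each Cisco Unity server and on any Exchange server that hosts the Voice Connector, and compare the Administrators list against the accounts you actually intend to trust with key material.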

Backing Up and Restoring Public and Private Keys

When exportable certificates are installed on a Cisco Unity server, the public and private keys that are created from these certificates can be backed up and restored by using the Cisco Unity Disaster Recovery tool (DiRT).

For more information on backing up Cisco Unity data, refer to the "About Backing Up a Cisco Unity System" chapter of the Cisco Unity Maintenance Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

Upgrading Cisco Unity When Private Secure Messaging Certificates Are in Use

When exportable or unexportable certificates are installed on a Cisco Unity server, the keys that are created from these certificates are preserved during a Cisco Unity upgrade.

Best Practices for Using Text to Speech (Unified Messaging)

The Text to Speech (TTS) feature allows Unified Messaging subscribers to listen to their e-mail messages over the phone. Cisco Unity reads the text portion of e-mail messages and provides additional information such as the name of the sender (if the sender is a subscriber), and the time and date that the message was sent. No attachments are read over the phone.

TTS is a class of service offering. Before you enable subscribers to use TTS, consider the following best practices.

Best Practice: Use Enhanced Phone Security

Because a phone password is inherently less secure than a password that subscribers would typically use to log on to a workstation and/or their e-mail inboxes, offering TTS to subscribers can be considered a security risk. To provide a more secure way to authenticate subscribers when they access Cisco Unity by phone, and thereby increase the security of all subscriber messages, set up enhanced phone security. (See the "Determining Whether to Offer Enhanced Phone Security" section on page 7-12.)

Best Practice: Do Not Offer TTS if E-Mail Content Is Sensitive

Offering TTS can also be considered a security risk because subscribers can access Cisco Unity from any phone—inside or outside your organization. If the e-mail content in your organization contains classified information that you do not want played over unsecured connections, do not offer TTS to subscribers.

Disabling the Copy to File Option in the Media Master for the Cisco Unity Inbox (Cisco Unity Version 4.0(5) and Later)

By default, subscribers can save their messages, except for private messages, as WAV files on their hard disks by using the Copy to File option available on the Options menu on the Media Master control bar in the Cisco Unity Inbox. As an added security measure for Cisco Unity version 4.0(5) and later, you can disable the Copy to File option so that subscribers cannot save any message—regardless of its sensitivity—on their hard disks.

You can specify whether the Copy to File option is available in the Cisco Unity Inbox by using the Advanced Settings tool to change the registry. The registry change is applied systemwide to all subscribers who are associated with the Cisco Unity server. You cannot make the change for an individual subscriber or for a specific group of subscribers. Consider that when you prevent subscribers from archiving messages, they may choose to retain messages in their Inboxes and Deleted Items folders (if applicable) longer.


Note For Cisco Unity failover, registry changes on one Cisco Unity server must be made manually on the other Cisco Unity server, because registry changes are not replicated.


Do the following procedure to disable the Copy to File option in the Media Master for the Cisco Unity Inbox.

To Disable the Copy to File Option in the Media Master for the Cisco Unity Inbox


Step 1 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.

Step 2 In the left pane, under Administrative Tools, double-click Advanced Settings Tool.

Step 3 In the Unity Settings pane, click Unity Inbox—Disable Copy to File Option in Media Master.

Step 4 In the New Value list, click 1, and click Set.

Step 5 When prompted, click OK.

Step 6 Click Exit.

You do not need to restart the Cisco Unity server for the change to take effect.