Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 25-83
Chapter 25 Configuring Application Layer Protocol Inspection
TLS Proxy for Encrypted Voice Inspection
• A 3DES-AES license is needed to interoperate with the Cisco Unified CallManager. AES is the default cipher used by the Cisco Unified CallManager and Cisco IP Phone.
To configure the security appliance for TLS proxy, perform the following steps:
Step 1 (Optional) Set the maximum number of TLS proxy sessions to be supported by the security appliance using the following command, for example:
hostname(config)# tls-proxy maximum-sessions 1200
Note: The tls-proxy maximum-sessions command controls the memory size reserved for cryptographic applications such as TLS proxy. Crypto memory is reserved at system boot, so you may need to reboot the security appliance for the configuration to take effect if the configured maximum is greater than the number of sessions currently reserved.
Step 2 Create the necessary RSA key pairs using the following commands, for example:
hostname(config)# crypto key generate rsa label ccm_proxy_key modulus 1024
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024
hostname(config)# crypto key generate rsa label phone_common modulus 1024
We recommend using a different key pair for each role.
Step 3 Create the proxy certificate for the Cisco Unified CallManager cluster using the following commands, for example:
hostname(config)# ! for self-signed CCM proxy certificate
hostname(config)# crypto ca trustpoint ccm_proxy
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# fqdn none
hostname(config-ca-trustpoint)# subject-name cn=EJW-SV-1-Proxy
hostname(config-ca-trustpoint)# keypair ccm_proxy_key
hostname(config)# crypto ca enroll ccm_proxy
The Cisco Unified CallManager proxy certificate can be self-signed or issued by a third-party CA. The certificate is exported to the CTL client.
Note: Cisco IP Phones require certain fields of the X.509v3 certificate to be present in order to validate the certificate by consulting the CTL file. Consequently, the subject-name entry must be configured for a proxy certificate trustpoint. The subject name must be composed of the ordered concatenation of the CN, OU and O fields. The CN field is mandatory; the others are optional. Each concatenated field (when present) is separated from the next by a semicolon, yielding one of the following forms:
CN=xxx;OU=yyy;O=zzz
CN=xxx;OU=yyy
CN=xxx;O=zzz
CN=xxx
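Because a subject name that does not match one of the four forms above produces a certificate the phones will not accept, it is worth checking the value before it goes into the trustpoint. The following Python is an added example and is not code from the Cisco guide: it validates a candidate subject-name against the CN/OU/O ordering rule (field names are compared case-insensitively, matching the guide's own use of cn= in Step 3), and renders the Step 3 trustpoint commands from a validated value. Function names, the trustpoint and key-pair names, and the sample strings in the block are assumptions constructed for illustration.

```python
"""Validate a TLS proxy certificate subject-name and render the trustpoint
configuration for it. Added example; not part of the Cisco guide."""

# The only fields the phones consult via the CTL file, in the required order.
FIELD_ORDER = ("CN", "OU", "O")


def parse_subject_name(subject):
    """Parse a subject-name of the form CN=xxx;OU=yyy;O=zzz.

    Returns a dict of the fields present. Raises ValueError when the string
    is not one of the four accepted forms (CN missing, fields out of order,
    unknown or duplicated fields, empty values). Values may not contain a
    semicolon, because the semicolon is the field separator.
    """
    if not subject or not subject.strip():
        raise ValueError("empty subject-name")
    fields = {}
    order = []
    for component in subject.split(";"):
        if "=" not in component:
            raise ValueError(f"malformed component {component!r}")
        key, _, value = component.partition("=")
        key = key.strip().upper()       # accept cn=, CN=, etc.
        value = value.strip()
        if key not in FIELD_ORDER:
            raise ValueError(f"unsupported field {key!r}; only CN, OU, O are consulted")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        if not value:
            raise ValueError(f"empty value for {key}")
        fields[key] = value
        order.append(key)
    if "CN" not in fields:
        raise ValueError("CN is mandatory")
    expected = [f for f in FIELD_ORDER if f in fields]
    if order != expected:
        raise ValueError(f"fields must be ordered CN, OU, O; got {';'.join(order)}")
    return fields


def check_subject_name(subject):
    """Non-raising wrapper: returns (ok, reason) for batch checks."""
    try:
        parse_subject_name(subject)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


def proxy_trustpoint_config(trustpoint, subject, keypair):
    """Render the self-signed proxy trustpoint commands from Step 3 with a
    validated, canonically ordered subject-name."""
    fields = parse_subject_name(subject)
    canonical = ";".join(f"{k}={fields[k]}" for k in FIELD_ORDER if k in fields)
    return "\n".join([
        f"crypto ca trustpoint {trustpoint}",
        " enrollment self",
        " fqdn none",
        f" subject-name {canonical}",
        f" keypair {keypair}",
        "exit",
        f"crypto ca enroll {trustpoint}",
    ])


# Constructed sample inputs: the four accepted forms plus common mistakes.
SAMPLES = [
    "CN=xxx;OU=yyy;O=zzz",
    "CN=xxx;OU=yyy",
    "CN=xxx;O=zzz",
    "cn=EJW-SV-1-Proxy",
    "OU=yyy;O=zzz",            # CN missing
    "O=zzz;CN=xxx",            # wrong order
    "CN=xxx;L=somewhere",      # field the phones do not consult
    "CN=xxx;CN=again",         # duplicate
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_subject_name(sample)
        print(f"{'OK  ' if ok else 'FAIL'} {sample!r}: {reason}")
    print(proxy_trustpoint_config("ccm_proxy", "cn=EJW-SV-1-Proxy", "ccm_proxy_key"))
```

The renderer emits the canonical upper-case, CN-first form regardless of how the operator typed the fields, so what reaches the trustpoint is exactly one of the four shapes the phones expect.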
Step 4 Create an internal local CA to sign the LDC for Cisco IP Phones using the following commands, for example:
hostname(config)# ! for the internal local LDC issuer
hostname(config)# crypto ca trustpoint ldc_server
hostname(config-ca-trustpoint)# enrollment self