
Cisco Asdm 7 User Guide

Cisco ASA Series Firewall ASDM Configuration Guide, page 15-5
Chapter 15      Information About Cisco Unified Communications Proxy Features
Licensing for Cisco Unified Communications Proxy Features
Model | License Requirement (see note 1)
ASA 5512-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5555-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-10 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-20, -40, or -60 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (see note 2)
ASA SM | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (see note 2)
1. The following applications use TLS proxy sessions for their connections. Each TLS proxy session used by these applications (and only these applications) is counted against the UC license limit:
- Phone Proxy
- Presence Federation Proxy
- Encrypted Voice Inspection
Other applications that use TLS proxy sessions do not count towards the UC limit, for example, Mobility Advantage Proxy (which does not require a license) and IME (which requires a separate IME license).
Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
You independently set the TLS proxy limit using the Configuration > Firewall > Unified Communications > TLS Proxy pane. When you apply a UC license that is higher than the default TLS proxy limit, the security appliance automatically sets the TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license limit; if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the sessions in your UC license.
Note: For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are limited to 1000. For license part numbers ending in “K9” (for example, licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.
Note: If you clear the configuration, then the TLS proxy limit is set to the default for your model; if this default is lower than the UC license limit, then you see an error message telling you to raise the limit again (in ASDM, use the TLS Proxy pane). If you use failover and use File > Save Running Configuration to Standby Unit on the primary unit to force a configuration synchronization, the clear configure all command is generated on the secondary unit automatically, so you may see the warning message on the secondary unit. Because the configuration synchronization restores the TLS proxy limit set on the primary unit, you can ignore the warning.
You might also use SRTP encryption sessions for your connections:
- For K8 licenses, SRTP sessions are limited to 250.
- For K9 licenses, there is no limit.
Note: Only calls that require encryption/decryption for media are counted towards the SRTP limit; if passthrough is set for the call, even if both legs are SRTP, they do not count towards the limit.
2. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
    						
    							 
Table 15-2 shows the default and maximum TLS session details by platform.
Table 15-2 Default and Maximum TLS Sessions on the Security Appliance
Security Appliance Platform | Default TLS Sessions | Maximum TLS Sessions
ASA 5505 | 10 | 80
ASA 5510 | 100 | 200
ASA 5520 | 300 | 1200
ASA 5540 | 1000 | 4500
ASA 5550 | 2000 | 4500
ASA 5580 | 4000 | 13,000
The following table shows the Unified Communications Proxy license details by platform for intercompany media engine proxy:
Model | License Requirement
All models | Intercompany Media Engine license.
Note: This feature is not available on No Payload Encryption models.
For more information about licensing, see Chapter 5, “Managing Feature Licenses for Cisco ASA Version 7.1,” in the general operations configuration guide.
    When you enable the Intercompany Media Engine (IME) license, you can use TLS proxy sessions up 
    to the configured TLS proxy limit. If you also have a Unified Communications (UC) license installed 
    that is higher than the default TLS proxy limit, then the ASA sets the limit to be the UC license limit 
    plus an additional number of sessions depending on your model. You can manually configure the TLS 
    proxy limit using the Configuration > Firewall > Unified Communications > TLS Proxy pane. If 
    you also install the UC license, then the TLS proxy sessions available for UC are also available for 
    IME sessions. For example, if the configured limit is 1000 TLS proxy sessions, and you purchase a 
    750-session UC license, then the first 250 IME sessions do not affect the sessions available for UC. If 
    you need more than 250 sessions for IME, then the remaining 750 sessions of the platform limit are 
    used on a first-come, first-served basis by UC and IME.
- For a license part number ending in “K8”, TLS proxy sessions are limited to 1000.
- For a license part number ending in “K9”, the TLS proxy limit depends on your configuration and the platform model.
Note: K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.
You might also use SRTP encryption sessions for your connections:
- For a K8 license, SRTP sessions are limited to 250.
- For a K9 license, there is no limit.
Note: Only calls that require encryption/decryption for media are counted toward the SRTP limit; if passthrough is set for the call, even if both legs are SRTP, they do not count toward the limit.
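As an added capacity-planning example (written for this page, not Cisco code), the following models the session accounting rules stated above: the TLS proxy limit bounds every proxy session and is raised automatically to match a higher UC license (capped at 1000 for K8 part numbers), only Phone Proxy, Presence Federation and Encrypted Voice sessions count against the UC license, and IME sessions share the TLS proxy pool first-come, first-served once the headroom above the UC license is used up. Platform defaults are taken from Table 15-2; the extra per-model IME sessions the text mentions are not modelled because the page does not give their values, so the TLS limit is taken as configured.

```python
"""Model of ASA Unified Communications (UC) proxy session accounting.

Constructed example for capacity planning; not Cisco code. It encodes the
licensing rules on this page: the TLS proxy limit caps all proxy sessions,
the UC license caps Phone Proxy / Presence Federation / Encrypted Voice
sessions, and IME sessions only consume the shared TLS proxy pool.
"""
from dataclasses import dataclass, field

# (default, maximum) TLS proxy sessions per platform, from Table 15-2.
TLS_DEFAULTS = {
    "ASA 5505": (10, 80), "ASA 5510": (100, 200), "ASA 5520": (300, 1200),
    "ASA 5540": (1000, 4500), "ASA 5550": (2000, 4500), "ASA 5580": (4000, 13000),
}
# Applications whose TLS proxy sessions are counted against the UC license.
UC_APPS = {"phone-proxy", "presence-federation", "encrypted-voice"}
K8_TLS_CAP = 1000  # K8 (export-unrestricted) part numbers: at most 1000 TLS proxy sessions


def effective_tls_limit(model, uc_license, configured=None, k8=False):
    """Return the TLS proxy limit the ASA actually enforces.

    With no explicit setting, applying a UC license above the model default
    raises the TLS proxy limit to match the UC limit. An explicit setting
    takes precedence even when it is lower than the UC license, and a K8
    license caps the result at 1000 regardless.
    """
    default, maximum = TLS_DEFAULTS[model]
    limit = configured if configured is not None else max(default, uc_license)
    limit = min(limit, maximum)
    if k8:
        limit = min(limit, K8_TLS_CAP)
    return limit


def usable_uc_sessions(model, uc_license, configured=None, k8=False):
    """Sessions the UC license can really deliver: min(UC license, TLS proxy limit)."""
    return min(uc_license, effective_tls_limit(model, uc_license, configured, k8))


@dataclass
class SessionPool:
    """Admission control over one ASA's TLS proxy pool."""
    tls_limit: int
    uc_license: int
    ime_enabled: bool = False      # IME needs its own license
    uc_used: int = 0
    total_used: int = 0
    rejected: list = field(default_factory=list)

    def admit(self, app, sessions=1):
        """Try to admit `sessions` TLS proxy sessions for `app`; True if admitted.

        A phone with a primary and a backup UCM needs sessions=2. Apps outside
        UC_APPS (for example Mobility Advantage) use the TLS pool but are not
        counted against the UC license.
        """
        if app == "ime" and not self.ime_enabled:
            self.rejected.append((app, "no IME license"))
            return False
        if self.total_used + sessions > self.tls_limit:
            self.rejected.append((app, "TLS proxy limit"))
            return False
        if app in UC_APPS and self.uc_used + sessions > self.uc_license:
            self.rejected.append((app, "UC license limit"))
            return False
        if app in UC_APPS:
            self.uc_used += sessions
        self.total_used += sessions
        return True


def ime_headroom(pool):
    """IME sessions that can run before IME starts competing with UC for the pool."""
    return max(pool.tls_limit - pool.uc_license, 0)


if __name__ == "__main__":
    # The page's own scenario: 1000 configured TLS proxy sessions, 750-session UC license.
    pool = SessionPool(tls_limit=1000, uc_license=750, ime_enabled=True)
    print("IME sessions before UC is affected:", ime_headroom(pool))
    for _ in range(300):
        pool.admit("ime")
    print("UC sessions still admitted after 300 IME sessions:",
          sum(pool.admit("phone-proxy") for _ in range(750)))
```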
    						
Chapter 16      Using the Cisco Unified Communication Wizard
Cisco ASA Series Firewall ASDM Configuration Guide, page 16-1
    This chapter describes how to configure the adaptive security appliance for Cisco Unified 
    Communications Proxy features. 
    This chapter includes the following sections:
    Information about the Cisco Unified Communication Wizard, page 16-1
    Licensing Requirements for the Unified Communication Wizard, page 16-3
    Guidelines and Limitations, page 16-4
    Configuring the Phone Proxy by using the Unified Communication Wizard, page 16-4
    Configuring the Mobility Advantage by using the Unified Communication Wizard, page 16-11
    Configuring the Presence Federation Proxy by using the Unified Communication Wizard, 
    page 16-14
    Configuring the UC-IME by using the Unified Communication Wizard, page 16-16
    Working with Certificates in the Unified Communication Wizard, page 16-23
    Information about the Cisco Unified Communication Wizard
Note: The Unified Communication Wizard is supported for the ASA version 8.3(1) and later.
The Unified Communication Wizard assists you in configuring the following Unified Communications proxies on the ASA:
- Cisco Phone Proxy. See Configuring the Phone Proxy by using the Unified Communication Wizard, page 16-4.
- Cisco Mobility Advantage Proxy. See Configuring the Mobility Advantage by using the Unified Communication Wizard, page 16-11.
- Cisco Presence Federation Proxy. See Configuring the Presence Federation Proxy by using the Unified Communication Wizard, page 16-14.
- Cisco Intercompany Media Engine Proxy. See Configuring the UC-IME by using the Unified Communication Wizard, page 16-16.
    						
    							 
The wizard simplifies the configuration of the Unified Communications proxies in the following ways:
- You enter all required data in the wizard steps. You are not required to navigate various ASDM screens to configure the Unified Communications proxies.
- The wizard generates configuration settings for the Unified Communications proxies where possible, automatically, without requiring you to enter data. For example, the wizard configures the required ACLs, IP address translation (NAT and PAT) statements, self-signed certificates, TLS proxies, and application inspection.
- The wizard displays network diagrams to illustrate data collection.
To access the Unified Communication Wizard, choose one of the following paths in the main ASDM application window:
- Wizards > Unified Communication Wizard.
- Configuration > Firewall > Unified Communications, and then click Unified Communication Wizard.
    Phone Proxy: Secure remote access for Cisco encrypted endpoints, and VLAN traversal for Cisco softphones 
    The phone proxy feature enables termination of Cisco SRTP/TLS-encrypted endpoints for secure remote 
    access. The phone proxy allows large scale deployments of secure phones without a large scale VPN 
    remote access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without 
    VPN tunnels or hardware. 
    The Cisco adaptive security appliance phone proxy is the replacement product for the Cisco Unified 
    Phone Proxy. Additionally, the phone proxy can be deployed for voice/data VLAN traversal for 
    softphone applications. Cisco IP Communicator (CIPC) traffic (both media and signaling) can be 
    proxied through the ASA, thus traversing calls securely between voice and data VLANs.
    For information about the differences between the TLS proxy and phone proxy, go to the following URL 
    for Unified Communications content, including TLS Proxy vs. Phone Proxy white paper:
    http://www.cisco.com/go/secureuc
    Mobility Advantage Proxy: Secure connectivity between Cisco Mobility Advantage server and Cisco Unified 
    Mobile Communicator clients
    Cisco Mobility Advantage solutions include the Cisco Unified Mobile Communicator (Cisco UMC), an 
    easy-to-use software application for mobile handsets that extends enterprise communications 
    applications and services to mobile phones and the Cisco Unified Mobility Advantage (Cisco UMA) 
    server. The Cisco Mobility Advantage solution streamlines the communication experience, enabling 
    single number reach and integration of mobile endpoints into the Unified Communications 
    infrastructure. 
    The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the 
    Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the 
    Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
    Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and Cisco/Microsoft 
    Presence servers
    Cisco Unified Presence solution collects information about the availability and status of users, such as 
    whether they are using communication devices, such as IP phones at particular times. It also collects 
    information regarding their communications capabilities, such as whether web collaboration or video 
    conferencing is enabled. Using user information captured by Cisco Unified Presence, applications such 
    as Cisco Unified Personal Communicator and Cisco UCM can improve productivity by helping users 
    connect with colleagues more efficiently through determining the most effective way for collaborative 
    communication. 
    						
    							 
    Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco 
    Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling 
    intra-enterprise communications. The security appliance terminates the TLS connectivity between the 
    servers, and can inspect and apply policies for the SIP communications between the servers. 
    Cisco Intercompany Media Engine Proxy: Secure connectivity between Cisco UCM servers in different enterprises 
    for IP Phone traffic
As more unified communications are deployed within enterprises, cases where business-to-business calls use unified communications on both sides with the Public Switched Telephone Network (PSTN) in the middle become increasingly common. All outside calls go over circuits to telephone providers and from there are delivered to all external destinations.
    The Cisco Intercompany Media Engine (UC-IME) gradually creates dynamic, encrypted VoIP 
    connections between businesses, so that a collection of enterprises that work together end up looking 
    like one giant business with secure VoIP interconnections between them. 
    There are three components to a Cisco Intercompany Media Engine deployment within an enterprise: a 
    Cisco Intercompany Media Engine server, a call agent (the Cisco Unified Communications Manager) 
    and an ASA running the Cisco Intercompany Media Engine Proxy. 
    The ASA provides perimeter security by encrypting signaling connections between enterprises and 
    preventing unauthorized calls. An ASA running the Cisco Intercompany Media Engine Proxy can either 
    be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and 
    placed in the DMZ, off the path of the regular Internet traffic.
Licensing Requirements for the Unified Communication Wizard
To run the Unified Communication Wizard in ASDM, you require the following license:
Model | License Requirement
All models | Base License
However, to run each of the Unified Communications proxy features created by the wizard, you must have the appropriate Unified Communications Proxy licenses.
The Cisco Unified Communications proxy features supported by the ASA require a Unified Communications Proxy license:
- Cisco Phone Proxy
- TLS proxy for encrypted voice inspection
- Presence Federation Proxy
- Cisco Intercompany Media Engine Proxy
See Licensing for Cisco Unified Communications Proxy Features, page 15-4 for more information.
Note: The Cisco Intercompany Media Engine Proxy does not appear as an option in the Unified Communication Wizard unless the license required for this proxy is installed on the ASA.
    						
    							 
    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature.
    Context Mode Guidelines
    Supported in single and multiple context mode.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    IPv6 Guidelines
    Supports IPv6 addresses.
    Additional Guidelines and Limitations 
Using the Unified Communication Wizard to create the Unified Communications proxies has the following limitations and requirements:
- You must configure at least two interfaces on the ASA to use the UC Wizard to configure a Unified Communications proxy.
- For all Unified Communications proxies to function correctly, you must synchronize the clock on the ASA and all servers associated with each proxy, such as the Cisco Unified Communication Manager server, the Cisco Mobility Advantage server, the Cisco Unified Presence server, and the Cisco Intercompany Media Engine server.
- When you configure the Cisco Intercompany Media Engine Proxy for an off-path deployment, you must ensure that the public IP addresses and ports of the Cisco Unified Communications Manager servers and the public IP address for the media termination address are accessible from the Internet. The summary page of the Unified Communication Wizard reminds you of the requirements.
- If the ASA on which you configure the Cisco Mobility Advantage Proxy and the Cisco Presence Federation Proxy is located behind another firewall, you must ensure that the public IP addresses for the Cisco Mobility Advantage server and the Cisco Unified Presence server are accessible from the Internet.
- If you use the Unified Communication Wizard to create the Presence Federation Proxy and the Cisco Intercompany Media Engine Proxy, you might be required to adjust the configuration of the ACLs created automatically by the wizard for each proxy. See Chapter 20, “Configuring Cisco Unified Presence” and Chapter 21, “Configuring Cisco Intercompany Media Engine Proxy”, respectively, for information about the ACL requirements of each proxy.
    Configuring the Phone Proxy by using the Unified 
    Communication Wizard
    To configure the Cisco Unified Presence proxy by using ASDM, choose Wizards > Unified 
    Communications Wizard from the menu. The Unified Communications Wizard opens. From the first 
    page, select the Phone Proxy option under the Remote Access section. 
    The wizard automatically creates the necessary TLS proxy, then guides you through creating the Phone 
    Proxy instance, importing and installing the required certificates, and finally enables the SIP and SCCP 
    inspection for the Phone Proxy traffic automatically.  
    						
    							 
Note: Any configuration created by the wizard should be maintained through the wizard to ensure proper synchronization. For example, if you create a phone proxy configuration through the UC wizard and then modify the configuration outside of the wizard, the rest of the wizard configuration is not updated, and the wizard configuration is not synchronized. Therefore, if you choose to change some part of the phone proxy configuration outside of the wizard, it is your responsibility to keep the rest of the configuration in synchronization.
The wizard guides you through the following steps to configure the Phone Proxy:
Step 1: Select the Phone Proxy option.
Step 2: Specify settings to define the Cisco Unified Communications Manager (UCM) servers and TFTP servers, such as the IP address and the address translation settings of each server, and the Cisco UCM cluster security mode. See Configuring the Private Network for the Phone Proxy, page 16-5 and Configuring Servers for the Phone Proxy, page 16-6.
Step 3: If required, enable Certificate Authority Proxy Function (CAPF). See Enabling Certificate Authority Proxy Function (CAPF) for IP Phones, page 16-8.
Step 4: Configure the public IP phone network, such as address translation settings for remote IP phones, whether to enable service setting for IP phones, and the HTTP proxy used by the IP phones. See Configuring the Public IP Phone Network, page 16-9.
Step 5: Specify the media termination address settings of the Cisco UCM. See Configuring the Media Termination Address for Unified Communication Proxies, page 16-10.
    The wizard completes by displaying a summary of the configuration created for Phone Proxy. 
    Configuring the Private Network for the Phone Proxy
    The values that you specify in this page configure the connection from the ASA to the Cisco UCMs and 
    TFTP servers by creating the necessary address translation settings and access control list entries. 
    Additionally, you specify the security mode for the Cisco UCM cluster. In a nonsecure cluster mode or 
    a mixed mode where the phones are configured as nonsecure, the phone proxy behaves in the following 
    ways:
- The TLS connections from the phones are terminated on the ASA and a TCP connection is initiated to the Cisco UCM.
- SRTP sent from external IP phones to the internal network IP phone via the ASA is converted to RTP.
In a mixed mode cluster where the internal IP phones are configured as authenticated, the TLS connection is not converted to TCP to the Cisco UCM but the SRTP is converted to RTP.
In a mixed mode cluster where the internal IP phone is configured as encrypted, the TLS connection remains a TLS connection to the Cisco UCM and the SRTP from the remote phone remains SRTP to the internal IP phone.
Step 1: From the Interface drop-down list, choose the interface on which the ASA listens for the Cisco UCM servers and TFTP servers. The Cisco UCM servers and TFTP servers must reside on the same interface.
    						
    							 
Step 2: Specify each entity in the network (all Cisco UCM and TFTP servers) that the IP phones must trust. Click Add to add the servers. See Configuring Servers for the Phone Proxy, page 16-6.
To modify the configuration of a server already added to the configuration, select the server in the table and click Edit. The Edit Server dialog appears. See Configuring Servers for the Phone Proxy, page 16-6.
At least one Cisco UCM and at least one TFTP server must be configured for the phone proxy.
Step 3: Specify the security mode of the Cisco UCM cluster by clicking one of the following options in the Unified CM Cluster Mode field:
- Non-secure—Specifies the cluster to be in nonsecure mode when configuring the Phone Proxy feature.
- Mixed—Specifies the cluster to be in mixed mode when configuring the Phone Proxy feature.
If you selected the Mixed security mode, the Generate and Export LDC Certificate button becomes available.
Step 4: For a Mixed security mode only, configure local dynamic certificates (LDC) for the IP phones by performing the following steps:
a. Click the Generate and Export LDC Certificate button. A dialog box appears stating “Enrollment succeeded,” which indicates that the LDC was generated.
b. Click OK to close the Enrollment Status dialog box. The Export certificate dialog box appears.
c. In the Export to File field, enter the file name and path for the LDC or click Browse to locate and select an existing file.
d. Click the Export Certificate button. A dialog box appears indicating that the file was exported successfully.
e. Click OK to close the dialog box. A dialog box appears reminding you to install the LDC on the Cisco UCMs.
f. Click OK to close the dialog box.
Once configured, the ASA presents this unique, dynamically-created certificate to the Cisco UCM on behalf of the IP phones.
Step 5: Click Next.
    Configuring Servers for the Phone Proxy
    The values that you specify in this page generate address translation settings, access list entries, 
    trustpoints, and the corresponding CTL file entries for each server. 
    You must add a server for each entity in the network that the IP phones must trust. These servers include 
    all Cisco UCM servers in the cluster and all the TFTP servers. 
    You must add at least one TFTP server and at least one Cisco UCM server for the phone proxy. You can 
    configure up to five TFTP servers for the phone proxy. The TFTP server is assumed to be behind the 
    firewall on the trusted network; therefore, the phone proxy intercepts the requests between the IP phones 
    and TFTP server.
Note: When you delete a TFTP server from the Server list in Step 2 of the wizard, ASDM deletes only the TFTP server IP address from the configuration and does not remove from the configuration all the ACLs, NAT statements, object groups, etc. attached to the TFTP server. To remove those attached configuration
    						
    							 
statements, you must delete them manually by using the appropriate area of ASDM, or rerun the Unified Communications wizard without making any changes and apply the configuration to remove these statements.
The servers that the IP phones must trust can be deployed on the network in one of the following ways:
- All the services required by the Cisco UCM server, namely the Cisco UCM, TFTP, and CAPF services, are running on one server. In this deployment, only one instance of each service exists. For this deployment, you can select Unified CM + TFTP as the server type. You can either use Address only or Address and ports for address translation. Cisco recommends that you specify Address and ports for increased security.
- Deployments for larger enterprises might have redundant Cisco UCMs and dedicated servers for TFTP and CAPF services. In that type of deployment, use Address only for voice address translation and Address only or Address and ports for TFTP.
Table 16-1 lists the ports that are configured for Address and port translation by default:
Step 1: In the Server Type field, select the server from the drop-down list: Unified CM, TFTP, or Unified CM + TFTP. Select Unified CM + TFTP when the Cisco UCM and TFTP server reside on the same device.
Note: Depending on which type of server you select (Unified CM or TFTP), only the necessary fields in this dialog box become available. Specifically, if the server type is Unified CM, the TFTP section in the dialog is unavailable. If the server type is TFTP, the Voice section is unavailable.
Step 2: In the Private Address field, specify the actual internal IP address of the server.
Step 3: In the FQDN field, enter the fully-qualified domain name of the server, which includes the hostname and domain name; for example, ucm.cisco.com (where ucm is the hostname and cisco.com is the domain name).
If you are configuring a Unified CM server, enter the fully-qualified domain name configured on the Cisco UCM.
If you are configuring a TFTP server, only specify the TFTP server fully-qualified domain name when that server is configured with an FQDN. If the TFTP server is not configured with an FQDN, you can leave the field blank.
Note: Entering the fully-qualified domain name allows the ASA to perform hostname resolution when DNS lookup is not configured on the ASA or the configured DNS servers are unavailable. See the command reference for information about the dns domain-lookup command.
Step 4: In the Address Translation section, select whether to use the interface IP address or to enter a different IP address.
Table 16-1 Port Configuration
Address | Default Port | Description
TFTP Server | 69 | Allows incoming TFTP
Cisco UCM | 2000 | Allows incoming non-secure SCCP
Cisco UCM | 2443 | Allows incoming secure SCCP
Cisco UCM | 5061 | Allows incoming secure SIP
    						
    							 
Selecting the Use interface IP radio button configures the server to use the IP address of the public interface. You select the public interface in step 4 of the wizard when you configure the public network for the phone proxy.
If the Use interface IP radio button is selected, you must specify port translation settings in the Voice and TFTP sections. Address-only translation is available only when you specify an IP address other than the IP address of the public interface.
When you select the Address only radio button, the ASA performs address translation on all traffic between the server and the IP phones. Selecting the Address and ports radio button limits address translation to the specified ports.
Step 5: (Unified CM or Unified CM + TFTP servers only) In the Voice section, configure inspection of SIP or SCCP protocol traffic, or both SIP and SCCP protocol traffic by completing the following fields:
a. In the Translation Type field, specify whether to use the Address only or the Address and ports. When the deployment has redundant Cisco UCM servers and dedicated servers for TFTP and CAPF services, select Address only for voice address translation. Select the Address and ports option when you want to limit address translation to the specified ports.
b. In the Voice Protocols field, select the inspection protocols supported by the IP phones deployed in the enterprise. Depending on which inspection protocols you select—SCCP, SIP, or SCCP and SIP—only the ports fields for the selected voice protocols are available.
c. In the Port Translation section, enter the private and public ports for the voice protocols. The default values for the voice ports appear in the text fields. If necessary, change the private ports to match the settings on the Cisco UCM. The values you set for the public ports are used by the IP phones to traverse the ASA and communicate with the Cisco UCM. The secure SCCP private port and public port are automatically configured. These port numbers are automatically set to the value of the non-secure port number plus 443.
Step 6: (TFTP or Unified CM + TFTP servers only) In the TFTP section, you can select either Address only or Address and port for address translation. Cisco recommends that you specify Address and port for increased security. Specifying Address and port configures the TFTP server to listen on port 69 for TFTP requests.
When the server type is Unified CM + TFTP, the wizard configures the same type of address translation for Voice and TFTP; for example, when the server type is Unified CM + TFTP and the Address only option is selected, the wizard creates a global address translation rule for all traffic to and from the server. In this case, configuring port translation for the TFTP server would be redundant.
Step 7: Click OK to add the server to the phone proxy configuration and return to step 2 of the wizard.
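As an added example (not Cisco or ASDM code), the following lints a planned Phone Proxy server list against the rules the server steps above impose (at least one Unified CM and one TFTP server, at most five TFTP servers, all on the same interface, Address only not allowed with the public interface IP, an FQDN for Unified CM servers) and derives the Address and ports translation each server needs, including the secure SCCP port at non-secure port plus 443 from Table 16-1. The dict layout, field names and sample addresses are assumptions constructed for this illustration.

```python
"""Lint a planned Phone Proxy server list and derive its port translation.

Constructed helper for this page, not Cisco or ASDM code. The server dict
layout, field names and sample addresses are assumptions for the example.
"""
DEFAULT_PORTS = {"tftp": 69, "sccp": 2000, "sip": 5061}   # Table 16-1 defaults
SECURE_SCCP_OFFSET = 443    # secure SCCP port is the non-secure SCCP port plus 443
MAX_TFTP_SERVERS = 5        # the phone proxy supports up to five TFTP servers
UCM_TYPES = ("ucm", "ucm+tftp")
TFTP_TYPES = ("tftp", "ucm+tftp")


def port_plan(server):
    """Return {service: (private_port, public_port)} for one server entry.

    Address-only translation covers all traffic, so it yields no port list.
    Secure SCCP is derived from the non-secure SCCP ports, as the wizard does.
    """
    plan = {}
    if server["translation"] == "address":
        return plan
    protocols = server.get("protocols", set())
    if server["type"] in UCM_TYPES:
        if "sccp" in protocols:
            priv = server.get("sccp_private", DEFAULT_PORTS["sccp"])
            pub = server.get("sccp_public", DEFAULT_PORTS["sccp"])
            plan["sccp"] = (priv, pub)
            plan["secure-sccp"] = (priv + SECURE_SCCP_OFFSET, pub + SECURE_SCCP_OFFSET)
        if "sip" in protocols:
            plan["secure-sip"] = (server.get("sip_private", DEFAULT_PORTS["sip"]),
                                  server.get("sip_public", DEFAULT_PORTS["sip"]))
    if server["type"] in TFTP_TYPES:
        # Address and port mode makes the TFTP server listen on port 69.
        plan["tftp"] = (DEFAULT_PORTS["tftp"], server.get("tftp_public", DEFAULT_PORTS["tftp"]))
    return plan


def lint_servers(servers, public_interface_ip):
    """Return the rule violations in a server list; an empty list means it passes."""
    problems = []
    if not any(s["type"] in UCM_TYPES for s in servers):
        problems.append("at least one Unified CM server is required")
    tftp_count = sum(s["type"] in TFTP_TYPES for s in servers)
    if tftp_count == 0:
        problems.append("at least one TFTP server is required")
    if tftp_count > MAX_TFTP_SERVERS:
        problems.append(f"at most {MAX_TFTP_SERVERS} TFTP servers are supported")
    if len({s["interface"] for s in servers}) > 1:
        problems.append("Cisco UCM and TFTP servers must reside on the same interface")
    for s in servers:
        name = s.get("fqdn") or s["private_address"]
        # With no explicit public address the server uses the public interface IP,
        # which the wizard allows only together with port translation.
        uses_interface_ip = s.get("public_address", public_interface_ip) == public_interface_ip
        if uses_interface_ip and s["translation"] == "address":
            problems.append(f"{name}: Address only requires a public IP other than the interface IP")
        if s["type"] in UCM_TYPES and not s.get("protocols"):
            problems.append(f"{name}: select SCCP, SIP, or both for voice inspection")
        if s["type"] in UCM_TYPES and not s.get("fqdn"):   # treated as required here
            problems.append(f"{name}: enter the FQDN configured on the Cisco UCM")
    return problems


# Constructed sample plan (RFC 5737 documentation addresses, not real hosts).
PUBLIC_INTERFACE_IP = "203.0.113.1"
PLANNED_SERVERS = [
    {"type": "ucm", "interface": "inside", "private_address": "10.0.0.5",
     "fqdn": "ucm.example.com", "translation": "address+ports",
     "protocols": {"sccp", "sip"}, "sccp_private": 2100},   # non-default private SCCP port
    {"type": "tftp", "interface": "inside", "private_address": "10.0.0.6",
     "public_address": "203.0.113.6", "translation": "address"},
]

if __name__ == "__main__":
    for problem in lint_servers(PLANNED_SERVERS, PUBLIC_INTERFACE_IP) or ["plan passes"]:
        print(problem)
    for srv in PLANNED_SERVERS:
        print(srv["private_address"], port_plan(srv))
```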
    Enabling Certificate Authority Proxy Function (CAPF) for IP Phones
    As an alternative to authenticating remote IP phones through the TLS handshake, you can configure 
    authentication via locally significant certificate (LSC) provisioning. With LSC provisioning, you create 
    a password for each remote IP phone user and each user enters the password on the remote IP phones to 
    retrieve the LSC. 
    Because using LSC provisioning to authenticate remote IP phones requires the IP phones first register 
    in nonsecure mode, Cisco recommends LSC provisioning be done inside the corporate network before 
    giving the IP phones to end-users. Otherwise, having the IP phones register in nonsecure mode requires 
    the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA.  
    						