Cisco Asdm 7 User Guide
17-11 Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 17 Configuring the Cisco Phone Proxy
Prerequisites for the Phone Proxy

Rate Limiting Configuration Example

The following example describes how you configure rate limiting for TFTP requests by using the police command and the Modular Policy Framework. Begin by determining the conformance rate that is required for the phone proxy. To determine the conformance rate, use the following formula:

X * Y * 8

Where
X = requests per second
Y = size of each packet, which includes the L2, L3, and L4 plus the payload

Therefore, if a rate of 300 TFTP requests/second is required, then the conformance rate would be calculated as follows:

300 requests/second * 80 bytes * 8 = 192000

To control which hosts can ping the media termination address, create an ICMP rule. Go to Configuration > Device Management > Management Access > ICMP and click the Add button.

End-User Phone Provisioning

The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is not configured for the Cisco UCM TFTP server, then the IP phones need to be configured with the Cisco UCM cluster TFTP server address. If NAT is configured for the Cisco UCM TFTP server, then the Cisco UCM TFTP server global address is configured as the TFTP server address on the IP phones.

Ways to Deploy IP Phones to End Users

In both options, deploying a remote IP phone behind a commercial Cable/DSL router with NAT capabilities is supported.

Option 1 (Recommended)

Stage the IP phones at corporate headquarters before sending them to the end users:
- The phones register inside the network. IT ensures there are no issues with the phone configurations, image downloads, and registration.
- If Cisco UCM cluster was in mixed mode, the CTL file should be erased before sending the phone to the end user.

Advantages of this option are:
- Easier to troubleshoot and isolate problems with the network or phone proxy because you know whether the phone is registered and working with the Cisco UCM.
- Better user experience because the phone does not have to download firmware from over a broadband connection, which can be slow and require the user to wait for a longer time.

Option 2

Send the IP phone to the end user. When using option 2, the user must be provided instructions to change the settings on phones with the appropriate Cisco UCM and TFTP server IP address.

Note: As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP phone user and each user enters the password on the remote IP phones to retrieve the LSC. Because using LSC provisioning to authenticate remote IP phones requires the IP phones to first register in nonsecure mode, Cisco recommends LSC provisioning be done inside the corporate network before giving the IP phones to end-users. Otherwise, having the IP phones register in nonsecure mode requires the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA. See also the Cisco Unified Communications Manager Security Guide for information on Using the Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC).

Phone Proxy Guidelines and Limitations

This section includes the following topics:
- General Guidelines and Limitations, page 17-12
- Media Termination Address Guidelines and Limitations, page 17-13

General Guidelines and Limitations

The phone proxy has the following general limitations:
- Only one phone proxy instance can be configured on the ASA by using the phone-proxy command. See the command reference for information about the phone-proxy command. See also Creating the Phone Proxy Instance, page 17-18.
- The phone proxy only supports one Cisco UCM cluster. See Creating the CTL File, page 17-15 for the steps to configure the Cisco UCM cluster for the phone proxy.
- The phone proxy is not supported when the ASA is running in transparent mode or multiple context mode.
- When a remote IP phone calls an invalid internal or external extension, the phone proxy does not support playing the annunciator message from the Cisco UCM. Instead, the remote IP phone plays a fast busy signal rather than the annunciator message "Your call cannot be completed ..." However, when an internal IP phone dials an invalid extension, the annunciator message plays "Your call cannot be completed ..."
- Packets from phones connecting to the phone proxy over a VPN tunnel are not inspected by the ASA inspection engines.
- The phone proxy does not support IP phones sending Real-Time Control Protocol (RTCP) packets through the ASA. Disable RTCP packets in the Cisco Unified CM Administration console from the Phone Configuration page. See your Cisco Unified Communications Manager (CallManager) documentation for information about setting this configuration option.
- When used with CIPC, the phone proxy does not support end-users resetting their device name in CIPC (Preferences > Network tab > Use this Device Name field) or Administrators resetting the device name in Cisco Unified CM Administration console (Device menu > Phone Configuration > Device Name field). To function with the phone proxy, the CIPC configuration file must be in the format: SEP.cnf.xml. If the device name does not follow this format (SEP), CIPC cannot retrieve its configuration file from Cisco UCM via the phone proxy and CIPC will not function.
- The phone proxy does not support IP phones sending SCCP video messages using Cisco VT Advantage because SCCP video messages do not support SRTP keys.
- For mixed-mode clusters, the phone proxy does not support the Cisco Unified Call Manager using TFTP to send encrypted configuration files to IP phones through the ASA.
- Multiple IP phones behind one NAT device must be configured to use the same security mode. When the phone proxy is configured for a mixed-mode cluster and multiple IP phones are behind one NAT device and registering through the phone proxy, all the SIP and SCCP IP phones must be configured as authenticated or encrypted, or all as non-secure on the Unified Call Manager. For example, if there are four IP phones behind one NAT device where two IP phones are configured using SIP and two IP phones are configured using SCCP, the following configurations on the Unified Call Manager are acceptable:
  – Two SIP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, or both in encrypted mode
    Two SCCP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, or both in encrypted mode
  – Two SIP IP phones: both in non-secure mode
    Two SCCP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, or both in encrypted mode
  – Two SIP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in authenticated mode, or both in encrypted mode
    Two SCCP IP phones: both in non-secure mode
  This limitation results from the way the application-redirect rules (rules that convert TLS to TCP) are created for the IP phones.
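
The NAT-device limitation above can be checked against a phone inventory before rollout. The following Python sketch is an added example, not part of the Cisco guide: the CSV layout, device names and addresses are constructed, and it assumes, from the three acceptable combinations listed, that the rule applies per signaling protocol (authenticated and encrypted phones may share a NAT device, secure and non-secure phones of the same protocol may not).

```python
import csv
import io
from collections import defaultdict

SECURE_MODES = {"authenticated", "encrypted"}
ALL_MODES = SECURE_MODES | {"non-secure"}

# Constructed inventory export: made-up device names, documentation addresses.
SAMPLE_INVENTORY = """\
device,nat_ip,protocol,mode
phone-01,203.0.113.10,SIP,authenticated
phone-02,203.0.113.10,SIP,encrypted
phone-03,203.0.113.10,SCCP,non-secure
phone-04,203.0.113.10,SCCP,non-secure
phone-05,203.0.113.20,SIP,encrypted
phone-06,203.0.113.20,SIP,non-secure
phone-07,198.51.100.7,SCCP,authenticated
phone-08,198.51.100.7,SCCP,non-secure
phone-09,198.51.100.7,SIP,non-secure
"""


def find_mixed_mode_groups(inventory_csv):
    """Return {(nat_ip, protocol): {"secure": [...], "non-secure": [...]}}
    for every NAT device where phones of one protocol mix both classes."""
    groups = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        protocol = row["protocol"].strip().upper()
        mode = row["mode"].strip().lower()
        if protocol not in ("SIP", "SCCP") or mode not in ALL_MODES:
            raise ValueError(f"unrecognised inventory row: {row}")
        # Authenticated and encrypted both count as secure (assumption above).
        kind = "secure" if mode in SECURE_MODES else "non-secure"
        key = (row["nat_ip"].strip(), protocol)
        groups[key][kind].append(row["device"].strip())
    # A group is a problem only when both classes are present.
    return {
        key: {kind: sorted(devices) for kind, devices in kinds.items()}
        for key, kinds in sorted(groups.items())
        if len(kinds) == 2
    }


if __name__ == "__main__":
    for (nat_ip, protocol), kinds in find_mixed_mode_groups(SAMPLE_INVENTORY).items():
        print(f"{nat_ip} {protocol}: secure={kinds['secure']} "
              f"non-secure={kinds['non-secure']}")
```
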

Media Termination Address Guidelines and Limitations

The phone proxy has the following limitations relating to configuring the media-termination address:
- When configuring the media-termination address, the phone proxy does not support having internal IP phones (IP phones on the inside network) being on a different network interface from the Cisco UCM unless the IP phones are forced to use the non-secure Security mode. When internal IP phones are on a different network interface than the Cisco UCM, the IP phones' signalling sessions still go through ASA; however, the IP phone traffic does not go through the phone proxy. Therefore, Cisco recommends that you deploy internal IP phones on the same network interface as the Cisco UCM. If the Cisco UCM and the internal IP phones must be on different network interfaces, you must add routes for the internal IP phones to access the network interface of the media-termination address where Cisco UCM resides.
- When the phone proxy is configured to use a global media-termination address, all IP phones see the same global address, which is a public routable address.
- If you decide to configure a media-termination address on interfaces (rather than using a global interface), you must configure a media-termination address on at least two interfaces (the inside and an outside interface) before applying the phone-proxy service policy. Otherwise, you will receive an error message when enabling the Phone Proxy with SIP and Skinny Inspection.
- The phone proxy can use only one type of media termination instance at a time; for example, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces. However, you cannot use a global media-termination address and media-termination addresses configured for each interface at the same time.

Configuring the Phone Proxy

This section includes the following topics:
- Task Flow for Configuring the Phone Proxy, page 17-14
- Creating the CTL File, page 17-15
- Adding or Editing a Record Entry in a CTL File, page 17-16
- Creating the Media Termination Instance, page 17-17
- Creating the Phone Proxy Instance, page 17-18
- Adding or Editing the TFTP Server for a Phone Proxy, page 17-20
- Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy, page 17-21

Task Flow for Configuring the Phone Proxy

Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Configuring the Phone Proxy requires the following steps:

Step 1: Create the CTL file. See Creating the CTL File, page 17-15.
Step 2: Create the TLS Proxy instance to handle the encrypted signaling. See Adding a TLS Proxy Instance, page 18-9.
Step 3: Create the Phone Proxy instance. See the “Creating the Phone Proxy Instance” section on page 17-18.
Step 4: Configure the media termination address for the Phone Proxy. See Creating the Media Termination Instance, page 17-17.

Note: Before you enable SIP and Skinny inspection for the Phone Proxy (which is done by applying the Phone Proxy to a service policy rule), the Phone Proxy must have an MTA instance, TLS Proxy, and CTL file assigned to it before the Phone Proxy can be applied to a service policy. Additionally, once a Phone Proxy is applied to a service policy rule, the Phone Proxy cannot be changed or removed.

Step 5: Enable the Phone Proxy with SIP and Skinny inspection. See SIP Inspection, page 12-20 and Skinny (SCCP) Inspection, page 12-32.

Creating the CTL File

Create a Certificate Trust List (CTL) file that is required by the Phone Proxy. Specify the certificates needed by creating a new CTL file or by specifying the path of an existing CTL file to parse from Flash memory.

Create trustpoints and generate certificates for each entity in the network (CUCM, CUCM and TFTP, TFTP server, CAPF) that the IP phones must trust. The certificates are used in creating the CTL file. You need to create trustpoints for each CUCM (primary and secondary if a secondary CUCM is used) and TFTP server in the network. The trustpoints need to be in the CTL file for the phones to trust the CUCM.

Create the CTL File that will be presented to the IP phones during the TFTP. The address must be the translated or global address of the TFTP server or CUCM if NAT is configured. When the file is created, it creates an internal trustpoint used by the Phone Proxy to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.

Note: When a CTL file instance is assigned to the Phone Proxy, you cannot modify it in the CTL File pane and the pane is disabled. To modify a CTL File that is assigned to the Phone Proxy, go to the Phone Proxy pane (Configuration > Firewall > Unified Communications > Phone Proxy), and deselect the Use the Certificate Trust List File generated by the CTL instance check box.

Use the Create a Certificate Trust List (CTL) File pane to create a CTL file for the Phone Proxy. This pane creates the CTL file that is presented to the IP phones during the TFTP handshake with the ASA. For a detailed overview of the CTL file used by the Phone Proxy, see the “Creating the CTL File” section on page 17-15.

The Create a Certificate Trust List (CTL) File pane is used to configure the attributes for generating the CTL file. The name of the CTL file instance is generated by the ASDM. When the user tries to edit the CTL file instance configuration, the ASDM automatically generates the shutdown CLI command first and the no shutdown CLI command as the last command.

This pane is available from the Configuration > Firewall > Unified Communications > CTL File pane.

Step 1: Open the Configuration > Firewall > Unified Communications > CTL File pane.
Step 2: Check the Enable Certificate Trust List File check box to enable the feature.
Step 3: To specify the CTL file to use for the Phone Proxy, perform one of the following:
- If there is an existing CTL file available, download the CTL file to Flash memory by using the File Management Tool in the ASDM Tools menu. Select the Use certificates present in the CTL stored in flash radio button and specify the CTL file name and path in the text box. Use an existing CTL file to install the trustpoints for each entity in the network (CUCM, CUCM and TFTP, TFTP server, CAPF) that the IP phones must trust. If you have an existing CTL file that contains the correct IP addresses of the entities (namely, the IP address that the IP phones use for the CUCM or TFTP servers), you can use it to create a new CTL file. Store a copy of the existing CTL file to Flash memory and rename it something other than CTLFile.tlv.
- If there is no existing CTL file available, select Create new CTL file radio button. Add Record entries for each entity in the network such as CUCM, TFTP, and CUCM-TFTP option by clicking Add. The Add Record Entry dialog box opens. See Adding or Editing a Record Entry in a CTL File, page 17-16.
Step 4: Specify the number of SAST certificate tokens required. The default is 2; the maximum allowed is 5.

Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security Token (SAST) key to sign the CTL file itself. This key can be generated on the ASA. A SAST is created as a self-signed certificate. Typically, a CTL file contains more than one SAST. In case a SAST is not recoverable, the other one can be used to sign the file later.

Step 5: Click Apply to save the CTL file configuration settings.

Adding or Editing a Record Entry in a CTL File

Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Use the Add/Edit Record Entry dialog box to specify the trustpoints to be used for the creation of the CTL file.

Note: You can edit an entry in the CTL file by using the Edit Record Entry dialog box; however, changing a setting in this dialog box does not change related settings for the phone proxy. For example, editing the IP address for the CUCM or TFTP servers in this dialog changes the setting only in the CTL file and does not change the actual addresses of those servers or update the address translations required by the phone proxy. To modify CTL file settings, we strongly recommend you re-run the Unified Communications Wizard to edit CTL file settings and ensure proper synchronization with all phone proxy settings.

Add additional record-entry configurations for each entity that is required in the CTL file.

Step 1: Open the Configuration > Firewall > Unified Communications > CTL File pane.
Step 2: Check the Enable Certificate Trust List File check box to enable the feature.
Step 3: In the Type field, specify the type of trustpoint to create:
- cucm: Specifies the role of this trustpoint to be CCM. Multiple CCM trustpoints can be configured.
- cucm-tftp: Specifies the role of this trustpoint to be CCM+TFTP. Multiple CCM+TFTP trustpoints can be configured.
- tftp: Specifies the role of this trustpoint to be TFTP. Multiple TFTP trustpoints can be configured.
- capf: Specifies the role of this trustpoint to be CAPF. Only one CAPF trustpoint can be configured.
Step 4: In the Host field, specify the IP address of the trustpoint. The IP address you specify must be the global address of the TFTP server or CUCM if NAT is configured. The global IP address is the IP address as seen by the IP phones because it will be the IP address used for the CTL record for the trustpoint.
Step 5: In the Certificate field, specify the Identity Certificate for the record entry in the CTL file. You can create a new Identity Certificate by clicking Manage. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide. You can add an Identity Certificate by generating a self-signed certificate, obtaining the certificate through SCEP enrollment, or by importing a certificate in PKCS-12 format. Choose the best option based on the requirements for configuring the CTL file.
Step 6: (Optional) In the Domain Name field, specify the domain name of the trustpoint used to create the DNS field for the trustpoint. This is appended to the Common Name field of the Subject DN to create the DNS Name. The domain name should be configured when the FQDN is not configured for the trustpoint. Only one domain-name can be specified.

Note: If you are using domain names for your CUCM and TFTP server, you must configure DNS lookup on the ASA. Add an entry for each of the outside interfaces on the ASA into your DNS server, if such entries are not already present. Each ASA outside IP address should have a DNS entry associated with it for lookups. These DNS entries must also be enabled for Reverse Lookup. Additionally, define your DNS server IP address on the ASA; for example: dns name-server 10.2.3.4 (IP address of your DNS server).

Creating the Media Termination Instance

Create the media termination instance that you will use in the phone proxy. The media termination address you configure must meet the requirements as described in Media Termination Instance Prerequisites, page 17-6.

Note: In versions before 8.2(1), you configured one media-termination address (MTA) on the outside interface of the adaptive security appliance where the remote Cisco IP phones were located. In Version 8.2(1) and later, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces. As a result of this enhancement, the old configuration has been deprecated. You can continue to use the old configuration if desired. However, if you need to change the configuration at all, only the new configuration method is accepted; you cannot later restore the old configuration. If you need to maintain downgrade compatibility, you should keep the old configuration as is.

Step 1: Open the Configuration > Firewall > Unified Communications > Media Termination Address pane.
Step 2: Check the Enable Media Termination Address check box to enable the feature.
Step 3: In the Media Termination Address Settings area, specify whether to configure a media-termination address (MTA) per interface or to configure a global MTA. You can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces.
- To configure an MTA per interface, click the Configure MTA per Interface radio button and click the Add button. In the dialog box that appears, specify the interface name and enter an IP address or hostname. If you configure a media termination address for multiple interfaces, you must configure an address on each interface that the ASA uses when communicating with IP phones. The IP addresses are publicly routable addresses that are unused IP addresses within the address range on that interface. See Media Termination Instance Prerequisites, page 17-6 for the complete list of requirements that you must follow when creating the media termination instance and configuring the media termination addresses.
- To configure a global MTA, click the Configure global MTA on interface radio button and enter the IP address in the text box. See Media Termination Instance Prerequisites, page 17-6 for the complete list of requirements that you must follow when configuring a global media termination address.
Step 4: Specify the minimum and maximum values for the RTP port range for the media termination instance. The minimum port and the maximum port can be a value from 1024 to 65535.
Step 5: Click Apply to save the media termination address configuration settings.

Creating the Phone Proxy Instance

Create the phone proxy instance. To have a fully functional phone proxy, you must also complete additional tasks, such as creating the MTA and enabling SIP and SCCP (Skinny) inspection. See Task Flow for Configuring the Phone Proxy, page 17-14 for the complete list of tasks.

Prerequisites

You must have already created the CTL file and TLS proxy instance for the phone proxy. See Creating the CTL File, page 17-15 and Adding a TLS Proxy Instance, page 18-9.

Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Use the Configure Phone Proxy pane to add a Phone Proxy. This pane is available from the Configuration > Firewall > Unified Communications > Phone Proxy pane.

Step 1: Open the Configuration > Firewall > Unified Communications > Phone Proxy pane.
Step 2: Check the Enable Phone Proxy check box to enable the feature.
Step 3: Check the Apply MTA instance to Phone Proxy check box to add the media termination address to the Phone Proxy instance. You must have a media termination address instance configured. The configured address is added to the Phone Proxy instance.

Note: To configure the media termination address, click the Configure MTA button. The Media Termination Address dialog box appears. Once you click the Add MTA instance to Phone Proxy check box, the media termination address instance cannot be modified and the button changes to View MTA Configuration. To change the media termination address, uncheck the Add MTA instance to Phone Proxy check box.

Step 4: If necessary, add a TFTP server for the Phone Proxy. To add a new TFTP server for the Phone Proxy, click Add. The Add TFTP Server dialog box opens. See Adding or Editing the TFTP Server for a Phone Proxy, page 17-20.

Note: The TFTP server must reside on the same interface as the Cisco Unified Call Manager. Additionally, if NAT is configured for the TFTP server, the NAT configuration must be configured prior to specifying the TFTP server while creating the Phone Proxy instance.

Step 5: Specify the CTL File to use for the Phone Proxy by doing one of the following:
- To use an existing CTL File, check the Use the Certificate Trust List File generated by the CTL instance check box.
- To create a new CTL file for the Phone Proxy, click the link Generate Certificate Trust List File. The Create a Certificate Trust List (CTL) File pane opens. See “Creating the CTL File” section on page 17-15.
Step 6: To specify the security mode of the CUCM cluster, click one of the following options in the CUCM Cluster Mode field:
- Non-secure—Specifies the cluster mode to be in nonsecure mode when configuring the Phone Proxy feature.
- Mixed—Specifies the cluster mode to be in mixed mode when configuring the Phone Proxy feature.
Step 7: To configure the idle timeout after which the secure-phone entry is removed from the Phone Proxy database (the default is 5 minutes), enter a value in the format hh:mm:ss. Since secure phones always request a CTL file upon bootup, the Phone Proxy creates a database that marks the phone as secure. The entries in the secure phone database are removed after a specified configured timeout. The entry timestamp is updated for each registration refresh the Phone Proxy receives for SIP phones and KeepAlives for SCCP phones. Specify a value that is greater than the maximum timeout value for SCCP KeepAlives and SIP Register refresh. For example, if the SCCP KeepAlives are configured for 1 minute intervals and the SIP Register Refresh is configured for 3 minutes, configure this timeout value greater than 3 minutes.
Step 8: To preserve Call Manager configuration on the IP phones, check the Preserve the Call Manager’s configuration on the phone... check box. When this check box is unchecked, the following service settings are disabled on the IP phones:
- PC Port
- Gratuitous ARP
- Voice VLAN access
- Web Access
- Span to PC Port
Step 9: To force Cisco IP Communicator (CIPC) softphones to operate in authenticated mode when CIPC softphones are deployed in a voice and data VLAN scenario, check the Enable CIPC security mode authentication check box. Because CIPC requires an LSC to perform the TLS handshake, CIPC needs to register with the CUCM in nonsecure mode using cleartext signaling. To allow the CIPC to register, create an ACL that allows the CIPC to connect to the CUCM on the nonsecure SIP/SCCP signalling ports (5060/2000). CIPC uses a different cipher when doing the TLS handshake and requires the null-sha1 cipher and SSL encryption be configured. To add the null-sha1 cipher, go to Configuration > Device Management > Advanced > SSL Settings > Encryption section. Select the null-sha1 SSL encryption type and add it to the Available Algorithms. Current versions of Cisco IP Communicator (CIPC) support authenticated mode and perform TLS signaling but not voice encryption.
Step 10: To configure an HTTP proxy for the Phone Proxy feature that is written into the IP phones configuration file under the tag, do the following:
a. Check the Configure a http-proxy which would be written into the phone’s config file... check box.
b. In the IP Address field, type the IP address of the HTTP proxy and the listening port of the HTTP proxy.
   The IP address you enter should be the global IP address based on where the IP phone and HTTP proxy server is located. You can enter a hostname in the IP Address field when that hostname can be resolved to an IP address by the ASA (for example, DNS lookup is configured) because the ASA will resolve the hostname to an IP address. If a port is not specified, the default will be 8080.
c. In the Interface field, select the interface on which the HTTP proxy resides on the ASA.

Setting the proxy server configuration option for the Phone Proxy allows for an HTTP proxy on the DMZ or external network in which all the IP phone URLs are directed to the proxy server for services on the phones. This setting accommodates nonsecure HTTP traffic, which is not allowed back into the corporate network.

Step 11: Click Apply to save the Phone Proxy configuration settings.

Note: After creating the Phone Proxy instance, you enable it with SIP and Skinny inspection. See SIP Inspection, page 12-20 and Skinny (SCCP) Inspection, page 12-32. However, before you enable SIP and Skinny inspection for the Phone Proxy (which is done by applying the Phone Proxy to a service policy rule), the Phone Proxy must have an MTA instance, TLS Proxy, and CTL file assigned to it before the Phone Proxy can be applied to a service policy. Additionally, once a Phone Proxy is applied to a service policy rule, the Phone Proxy cannot be changed or removed.

Adding or Editing the TFTP Server for a Phone Proxy

Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Note: You can edit the TFTP server setting by using the Edit TFTP Server dialog box; however, changing a setting in this dialog box does not change related settings for the phone proxy. For example, editing the IP address for the TFTP server in this dialog does not change the setting in the CTL file and does not update the address translations required by the phone proxy. To modify TFTP server settings, we strongly recommend you re-run the Unified Communications Wizard to ensure proper synchronization with all phone proxy settings.

Step 1: Open the Configuration > Firewall > Unified Communications > Phone Proxy pane.
Step 2: Check the Enable Phone Proxy check box to enable the feature.
Step 3: To add or edit the TFTP Server information for the phone proxy, click the Add or Edit button. The Add/Edit TFTP Server dialog box appears.

Use the Add/Edit TFTP Server dialog box to specify the IP address of the TFTP server and the interface on which the TFTP server resides. The Phone Proxy must have at least one CUCM TFTP server configured. Up to five TFTP servers can be configured for the Phone Proxy. The TFTP server is assumed to be behind the firewall on the trusted network; therefore, the Phone Proxy intercepts the requests between the IP phones and TFTP server.
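
Because a Phone Proxy cannot be changed or removed once it is applied to a service policy rule, it helps to check a planned configuration against the limits stated in the CTL file, media termination, idle timeout and TFTP server sections before applying it. The following Python sketch is an added example, not Cisco code: the plan dictionary layout, its key names and the sample values are assumptions made for illustration, and only limits stated in this chapter are checked.

```python
CTL_TYPES = {"cucm", "cucm-tftp", "tftp", "capf"}  # record types listed in the guide


def hms_to_seconds(text):
    """Convert the hh:mm:ss format used for the idle timeout into seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    if hours < 0 or not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError(f"not a valid hh:mm:ss value: {text!r}")
    return hours * 3600 + minutes * 60 + seconds


def lint_phone_proxy_plan(plan):
    """Return a list of findings; an empty list means no documented limit is broken."""
    findings = []

    # CTL file: known record types, one CAPF trustpoint at most, 5 SASTs at most.
    types = [record["type"] for record in plan["ctl_records"]]
    for record_type in types:
        if record_type not in CTL_TYPES:
            findings.append(f"ctl: unknown record type {record_type!r}")
    if types.count("capf") > 1:
        findings.append("ctl: only one capf trustpoint can be configured")
    if plan["sast_tokens"] > 5:
        findings.append("ctl: at most 5 SAST certificate tokens are allowed")

    # Media termination: global or per-interface, never both; per-interface
    # mode needs at least two interfaces (the inside and an outside interface).
    mta = plan["mta"]
    per_interface = mta.get("interfaces", {})
    if mta.get("global") and per_interface:
        findings.append("mta: global and per-interface addresses cannot be combined")
    elif not mta.get("global") and len(per_interface) < 2:
        findings.append("mta: per-interface mode needs at least two interfaces")

    # RTP port range: both bounds from 1024 to 65535 (ordering check is an assumption).
    low, high = plan["rtp_ports"]
    if not (1024 <= low <= 65535 and 1024 <= high <= 65535):
        findings.append("rtp: ports must be between 1024 and 65535")
    elif low > high:
        findings.append("rtp: minimum port is above maximum port")

    # Secure-phone idle timeout must exceed the longest refresh interval.
    longest = max(plan["sccp_keepalive_s"], plan["sip_register_refresh_s"])
    if hms_to_seconds(plan["idle_timeout"]) <= longest:
        findings.append(f"timeout: idle timeout must be greater than {longest} s")

    # TFTP servers: at least one, up to five.
    if not 1 <= len(plan["tftp_servers"]) <= 5:
        findings.append("tftp: between 1 and 5 TFTP servers are required")
    return findings


# Constructed sample plans (documentation addresses, hypothetical key names).
GOOD_PLAN = {
    "ctl_records": [{"type": "cucm-tftp", "host": "203.0.113.30"},
                    {"type": "capf", "host": "203.0.113.31"}],
    "sast_tokens": 2,
    "mta": {"interfaces": {"inside": "192.0.2.5", "outside": "203.0.113.5"}},
    "rtp_ports": (16384, 32767),
    "sccp_keepalive_s": 60,
    "sip_register_refresh_s": 180,
    "idle_timeout": "00:05:00",
    "tftp_servers": ["192.0.2.10"],
}
BAD_PLAN = {
    "ctl_records": [{"type": "cucm"}, {"type": "capf"}, {"type": "capf"}],
    "sast_tokens": 6,
    "mta": {"global": "203.0.113.5", "interfaces": {"inside": "192.0.2.5"}},
    "rtp_ports": (1000, 2000),
    "sccp_keepalive_s": 60,
    "sip_register_refresh_s": 180,
    "idle_timeout": "00:03:00",  # equal to the SIP refresh, so not greater
    "tftp_servers": [],
}

if __name__ == "__main__":
    for finding in lint_phone_proxy_plan(BAD_PLAN):
        print(finding)
```
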