Cisco Asdm 7 User Guide
18-9 Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider

Adding a TLS Proxy Instance

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Use the Add TLS Proxy Instance Wizard to add a TLS Proxy that enables inspection of TLS/SSL-encrypted VoIP signaling, namely Skinny (SCCP) and SIP, exchanged with Cisco Unified Call Manager, and that supports the Cisco Unified Communications features on the ASA. The wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 2 To add a new TLS Proxy Instance, click Add. The Add TLS Proxy Instance Wizard opens.

Step 3 In the TLS Proxy Name field, type the TLS Proxy name.

Step 4 Click Next. The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens.

In this step of the wizard, configure the server proxy parameters for the original TLS server: the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage (CUMA) server. See Add TLS Proxy Instance Wizard – Server Configuration, page 18-9.

After configuring the server proxy parameters, the wizard guides you through configuring the client proxy parameters (see Add TLS Proxy Instance Wizard – Client Configuration, page 18-10) and then lists the steps to complete outside ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps, page 18-12).

Add TLS Proxy Instance Wizard – Server Configuration

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Use the Add TLS Proxy Instance Wizard to add a TLS Proxy that enables inspection of TLS/SSL-encrypted VoIP signaling, namely Skinny (SCCP) and SIP, exchanged with Cisco Unified Call Manager, and that supports the Cisco Unified Communications features on the ASA.
The Add TLS Proxy Instance Wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 1 Complete the first step of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance, page 18-9. The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens.

Step 2 Specify the server proxy certificate by doing one of the following:

To add a new certificate, click Manage. The Manage Identity Certificates dialog box opens.
When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identity Certificates dialog box. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide.

To select an existing certificate, select one from the drop-down list. When you are configuring the TLS Proxy for the Phone Proxy, select the certificate whose name begins with _internal_PP_. When you create the CTL file for the Phone Proxy, the ASA creates an internal trustpoint that the Phone Proxy uses to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.

The server proxy certificate specifies the trustpoint that the proxy presents to the TLS client during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example, for the Phone Proxy, the server proxy certificate is the one the Phone Proxy presents during the handshake with the IP phones.

Step 3 To install the TLS server’s certificate in the ASA trust store, so that the ASA can authenticate the TLS server during the TLS handshake between the proxy and the TLS server, click Install TLS Server’s Certificate. The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on page 40-10 in the general operations configuration guide. Click Add to open the Install Certificate dialog box. See the “Adding or Installing a CA Certificate” section on page 40-13 in the general operations configuration guide.

When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy, which handles the IP phones’ TLS sessions on behalf of the CUCM server, can authenticate the CUCM server on the proxy-to-CUCM leg.
Step 4 To have the ASA request a certificate from the TLS client and authenticate the client during the TLS handshake, check the Enable client authentication during TLS Proxy handshake check box. When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), clear the check box when the client cannot send a client certificate; with the check box cleared, the client still authenticates the proxy, but the proxy does not authenticate the client.

Step 5 Click Next. The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.

In this step of the wizard, configure the client proxy parameters for the original TLS client: the CUMC client for Mobile Advantage, the CUP or Microsoft LCS/OCS client for Presence Federation, or the IP phone for the Phone Proxy. See Add TLS Proxy Instance Wizard – Client Configuration, page 18-10.

After configuring the client proxy parameters, the wizard lists the steps to complete outside ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps, page 18-12).

Add TLS Proxy Instance Wizard – Client Configuration

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Use the Add TLS Proxy Instance Wizard to add a TLS Proxy that enables inspection of TLS/SSL-encrypted VoIP signaling, namely Skinny (SCCP) and SIP, exchanged with Cisco Unified Call Manager, and that supports the Cisco Unified Communications features on the ASA.
This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 1 Complete the first two steps of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance, page 18-9 and Add TLS Proxy Instance Wizard – Server Configuration, page 18-9. The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.

Step 2 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option when the client proxy certificate is used between two servers; for example, when configuring the TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS client and the TLS server are servers. In that case the proxy presents one static client certificate; dynamically issued certificates (Step 3) are for phone clients.

a. Check the Specify the proxy certificate for the TLS Client... check box.

b. Select a certificate from the drop-down list.

Or

To create a new client proxy certificate, click Manage. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide.

Note When you are configuring the TLS Proxy for the Phone Proxy and the CUCM cluster is in mixed security mode, you must configure the LDC Issuer. The LDC Issuer is the local certificate authority that issues client or server dynamic certificates.

Step 3 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the ASA acts as a certificate authority and issues a local dynamic certificate (LDC) to each TLS client; the original TLS server must trust this issuer for the handshake on the proxy-to-server leg to succeed (see Add TLS Proxy Instance Wizard – Other Steps, page 18-12).

a. Check the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.

b. Click the Certificates radio button and select a self-signed certificate from the drop-down list, or click Manage to create a new LDC Issuer.
The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide.

Or

Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. The CA server must be created and enabled on the ASA before you can select it. To create and enable the CA server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using the Local CA” section on page 40-63 in the general operations configuration guide.

Note To make configuration changes after the local certificate authority has been configured for the first time, disable the local certificate authority first.

c. In the Key-Pair Name field, select a key pair from the drop-down list. The list contains the already defined RSA key pairs available for client dynamic certificates. To see the key pair details, including generation time, usage, modulus size, and key data, click Show.

Or
To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide for details about the Key Pair fields.

Step 4 In the Security Algorithms area, specify the available and active algorithms (TLS cipher suites) to be announced or matched during the TLS handshake.

Available Algorithms—Lists the algorithms that can be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.

Add—Adds the selected algorithm to the active list.

Remove—Removes the selected algorithm from the active list.

Active Algorithms—Lists the algorithms that are announced or matched during the TLS handshake, in order of preference. For the client proxy (the leg on which the ASA acts as a TLS client to the server), the user-defined algorithms replace the ones the original client offered in its hello message, so the two TLS legs can negotiate different cipher suites. For example, the leg between the proxy and Call Manager may use the NULL cipher to offload the Call Manager. Keep in mind that null-sha1 provides integrity only and no confidentiality, and des-sha1 uses a 56-bit key; use them only on a server leg whose network segment is otherwise protected.

Move Up—Moves an algorithm up in the list.

Move Down—Moves an algorithm down in the list.

Step 5 Click Next. The Add TLS Proxy Instance Wizard – Other Steps dialog box opens. The Other Steps dialog box lists the steps to complete outside ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other Steps, page 18-12).

Add TLS Proxy Instance Wizard – Other Steps

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

The last dialog box of the Add TLS Proxy Instance Wizard lists the additional steps required to make the TLS Proxy fully functional.
In particular, you need to perform the following tasks to complete the TLS Proxy configuration:

Export the local CA certificate or LDC Issuer certificate and install it on the original TLS server, so that the server trusts the dynamic certificates the ASA issues to TLS clients. To export the LDC Issuer, go to Configuration > Firewall > Advanced > Certificate Management > Identity Certificates > Export. See the “Exporting an Identity Certificate” section on page 40-58 in the general operations configuration guide.

For the TLS Proxy, enable Skinny and SIP inspection between the TLS server and TLS clients. See SIP Inspection, page 12-20 and Skinny (SCCP) Inspection, page 12-32. When you are configuring the TLS Proxy for Presence Federation (which uses CUP), enable only SIP inspection, because the feature supports only the SIP protocol. For the TLS Proxy for CUMA, enable MMP inspection.

When using the internal Certificate Authority of the ASA as the LDC Issuer that signs dynamic certificates for TLS clients, perform the following:

–Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL file on the ASA.
For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in the Cisco Unified CallManager Security Guide: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/5_0_4/secuauth.html

To install the CTL file on the ASA, go to Configuration > Firewall > Unified Communications > CTL Provider > Add. The Add CTL Provider dialog box opens. For information on using this dialog box to install the CTL file, see Add/Edit CTL Provider, page 18-7.

–Create a CTL provider instance for connections from the CTL clients. See Add/Edit CTL Provider, page 18-7.

Edit TLS Proxy Instance – Server Configuration

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

The TLS Proxy enables inspection of TLS/SSL-encrypted VoIP signaling, namely Skinny (SCCP) and SIP, exchanged with Cisco Unified Call Manager, and supports the Cisco Unified Communications features on the ASA. Use the Edit TLS Proxy – Server Configuration tab to edit the server proxy parameters for the original TLS server: the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage (CUMA) server.

Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 2 To edit a TLS Proxy Instance, click Edit. The Edit TLS Proxy Instance dialog box opens.

Step 3 If necessary, click the Server Configuration tab.

Step 4 Specify the server proxy certificate by doing one of the following:

To add a new certificate, click Manage. The Manage Identity Certificates dialog box opens. When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identity Certificates dialog box. See the “Configuring CA Certificate Authentication” section on page 40-13 in the general operations configuration guide.
To select an existing certificate, select one from the drop-down list. When you are configuring the TLS Proxy for the Phone Proxy, select the certificate whose name begins with _internal_PP_. When you create the CTL file for the Phone Proxy, the ASA creates an internal trustpoint that the Phone Proxy uses to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.

The server proxy certificate specifies the trustpoint that the proxy presents to the TLS client during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example, for the Phone Proxy, the server proxy certificate is the one the Phone Proxy presents during the handshake with the IP phones.

Step 5 To install the TLS server’s certificate in the ASA trust store, so that the ASA can authenticate the TLS server during the TLS handshake between the proxy and the TLS server, click Install TLS Server’s Certificate.
The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on page 40-10 in the general operations configuration guide. Click Add to open the Install Certificate dialog box. See the “Configuring CA Certificate Authentication” section on page 40-13 in the general operations configuration guide.

When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy, which handles the IP phones’ TLS sessions on behalf of the CUCM server, can authenticate the CUCM server on the proxy-to-CUCM leg.

Step 6 To have the ASA request a certificate from the TLS client and authenticate the client during the TLS handshake, check the Enable client authentication during TLS Proxy handshake check box. When editing a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), clear the check box when the client cannot send a client certificate; with the check box cleared, the proxy does not authenticate the client.

Step 7 Click Apply to save the changes.

Edit TLS Proxy Instance – Client Configuration

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

The TLS Proxy enables inspection of TLS/SSL-encrypted VoIP signaling, namely Skinny (SCCP) and SIP, exchanged with Cisco Unified Call Manager, and supports the Cisco Unified Communications features on the ASA. The fields in the Edit TLS Proxy dialog box are identical to the fields displayed when you add a TLS Proxy instance. Use the Edit TLS Proxy – Client Configuration tab to edit the client proxy parameters for the original TLS client, such as IP phones, CUMA clients, the Cisco Unified Presence Server (CUPS), or the Microsoft OCS server.

Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 2 To edit a TLS Proxy Instance, click Edit. The Edit TLS Proxy Instance dialog box opens.

Step 3 If necessary, click the Client Configuration tab.
Step 4 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option when the client proxy certificate is used between two servers; for example, when configuring the TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS client and the TLS server are servers.

a. Check the Specify the proxy certificate for the TLS Client... check box.

b. Select a certificate from the drop-down list.

Or

To create a new client proxy certificate, click Manage. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide.
Note When you are configuring the TLS Proxy for the Phone Proxy and the CUCM cluster is in mixed security mode, you must configure the LDC Issuer. The LDC Issuer is the local certificate authority that issues client or server dynamic certificates.

Step 5 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the ASA acts as a certificate authority and issues certificates to TLS clients.

a. Check the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.

b. Click the Certificates radio button and select a self-signed certificate from the drop-down list, or click Manage to create a new LDC Issuer. The Manage Identity Certificates dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide.

Or

Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. The CA server must be created and enabled on the ASA before you can select it. To create and enable the CA server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using the Local CA” section on page 40-63 in the general operations configuration guide.

Note To make configuration changes after the local certificate authority has been configured for the first time, disable the local certificate authority first.

c. In the Key-Pair Name field, select a key pair from the drop-down list. The list contains the already defined RSA key pairs available for client dynamic certificates. To see the key pair details, including generation time, usage, modulus size, and key data, click Show.

Or

To create a new key pair, click New. The Add Key Pair dialog box opens.
See the “Configuring Identity Certificates Authentication” section on page 40-55 in the general operations configuration guide for details about the Key Pair fields.

Step 6 In the Security Algorithms area, specify the available and active algorithms (TLS cipher suites) to be announced or matched during the TLS handshake.

Available Algorithms—Lists the algorithms that can be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.

Add—Adds the selected algorithm to the active list.

Remove—Removes the selected algorithm from the active list.

Active Algorithms—Lists the algorithms that are announced or matched during the TLS handshake, in order of preference. For the client proxy (the leg on which the ASA acts as a TLS client to the server), the user-defined algorithms replace the ones the original client offered in its hello message, so the two TLS legs can negotiate different cipher suites. For example, the leg between the proxy and Call Manager may use the NULL cipher to offload the Call Manager. Keep in mind that null-sha1 provides integrity only and no confidentiality, and des-sha1 uses a 56-bit key; use them only on a server leg whose network segment is otherwise protected.

Move Up—Moves an algorithm up in the list.

Move Down—Moves an algorithm down in the list.

Step 7 Click Apply to save the changes.
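The Client Configuration steps of both the Add wizard and the Edit dialog, together with the Other Steps, describe one PKI relationship without showing it: the ASA (as LDC Issuer) signs a dynamic certificate for each TLS client using the shared LDC key pair, presents it to the original TLS server on the client's behalf, and the server accepts it only if the exported issuer certificate has been installed in its trust store. The following Go program is an added example written for this page; it is not Cisco code and not part of the guide. It models that flow with the standard library only: a self-signed LDC issuer, issuance of a dynamic client certificate, export of the issuer in PEM form, and the acceptance check the server performs with and without the issuer installed. The issuer name FW_LDC_SIGNER_192_0_2_1, the phone identity SEP001122334455 and the 2048-bit key size are constructed for the example (the guide's era used 1024-bit RSA key pairs).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LDCIssuer models the ASA acting as the local dynamic certificate (LDC)
// issuer: a self-signed CA whose key signs one certificate per TLS client.
type LDCIssuer struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

// NewLDCIssuer corresponds to selecting a self-signed certificate under the
// "Certificates" radio button: the ASA becomes the CA for the dynamic certs.
func NewLDCIssuer(cn string) (*LDCIssuer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // example size; guide's era used 1024
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LDCIssuer{key: key, cert: cert}, nil
}

// ExportPEM is the "Export the LDC Issuer" step from Other Steps: only the
// CA certificate (never its key) is installed on CUCM, CUPS or CUMA.
func (i *LDCIssuer) ExportPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: i.cert.Raw})
}

// IssueDynamicCert mints the certificate the proxy presents to the original
// TLS server on one client's behalf. ldcKey is the shared "Local Dynamic
// Certificate Key Pair"; cn identifies the client (for a phone, its device name).
func (i *LDCIssuer) IssueDynamicCert(ldcKey *rsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, &ldcKey.PublicKey, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ServerTrustStore models the original TLS server's trust store. Passing nil
// (nothing installed) leaves it empty; AppendCertsFromPEM ignores nil input.
func ServerTrustStore(installedIssuerPEM []byte) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(installedIssuerPEM)
	return pool
}

// ServerAccepts is the check the original TLS server performs on the dynamic
// certificate during its handshake with the proxy (client-auth chain to a root).
func ServerAccepts(trust *x509.CertPool, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trust,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Scenario runs the whole flow and reports whether the server accepts the
// dynamic certificate with, and without, the exported issuer installed.
func Scenario() (withIssuer, withoutIssuer bool, err error) {
	issuer, err := NewLDCIssuer("FW_LDC_SIGNER_192_0_2_1") // constructed issuer name
	if err != nil {
		return false, false, err
	}
	ldcKey, err := rsa.GenerateKey(rand.Reader, 2048) // the shared LDC key pair
	if err != nil {
		return false, false, err
	}
	leaf, err := issuer.IssueDynamicCert(ldcKey, "SEP001122334455", 2) // constructed phone identity
	if err != nil {
		return false, false, err
	}
	return ServerAccepts(ServerTrustStore(issuer.ExportPEM()), leaf),
		ServerAccepts(ServerTrustStore(nil), leaf), nil
}

func main() {
	withIssuer, withoutIssuer, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer installed on server: accepted=%v\n", withIssuer)
	fmt.Printf("issuer not installed:       accepted=%v\n", withoutIssuer)
}
```

Run it with `go run .`; the second line prints accepted=false, which is the failure you see on the proxy-to-server leg when the export step in Other Steps is skipped. Note that the dynamic certificate carries the shared LDC key pair, so every client's proxy-side identity is backed by the same RSA key; only the subject changes per client.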
TLS Proxy

This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1.

Note This feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version 8.1.2.

Use the TLS Proxy option to enable inspection of TLS/SSL-encrypted VoIP signaling, namely Skinny (SCCP) and SIP, exchanged with Cisco CallManager. The TLS Proxy pane lets you define and configure a Transport Layer Security (TLS) Proxy to enable inspection of encrypted traffic.

Fields

TLS Proxy Name—Lists the TLS Proxy name.
Server—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.
Local Dynamic Certificate Issuer—Lists the local certificate authority that issues client or server dynamic certificates.
Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client or server dynamic certificates.
Add—Adds a TLS Proxy.
Edit—Edits a TLS Proxy.
Delete—Deletes a TLS Proxy.
Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.
–Specify the maximum number of TLS Proxy sessions that the ASA needs to support. By default, ASA supports 300 sessions.—Enables the maximum number of sessions option.
–Maximum number of sessions:—The minimum is 1. The maximum depends on the platform. The default is 300.

Add/Edit TLS Proxy

Note This feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version 8.1.2.

The Add/Edit TLS Proxy dialog box lets you define the parameters for the TLS Proxy.

Fields

TLS Proxy Name—Specifies the TLS Proxy name.
Server Configuration—Specifies the proxy certificate name.
–Server—Specifies the trustpoint to be presented during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy.
Client Configuration—Specifies the local dynamic certificate issuer and key pair.
–Local Dynamic Certificate Issuer—Lists the local certificate authority that issues client or server dynamic certificates.
Certificate Authority Server—Specifies the certificate authority server.
Certificate—Specifies a certificate.
Manage—Configures the local certificate authority. To make configuration changes after it has been configured for the first time, disable the local certificate authority first.
–Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client dynamic certificates.
Key-Pair Name—Specifies a defined key pair.
Show—Shows the key pair details, including generation time, usage, modulus size, and key data.
New—Lets you define a new key pair.
More Options—Specifies the available and active algorithms (TLS cipher suites) to be announced or matched during the TLS handshake.
–Available Algorithms—Lists the algorithms that can be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
Add—Adds the selected algorithm to the active list.
Remove—Removes the selected algorithm from the active list.
–Active Algorithms—Lists the algorithms that are announced or matched during the TLS handshake, in order of preference. For the client proxy (the leg on which the ASA acts as a TLS client to the server), the user-defined algorithms replace the ones the original client offered in its hello message, so the two TLS legs can negotiate different cipher suites. For example, the leg between the proxy and CallManager may use the NULL cipher to offload the CallManager.
Move Up—Moves an algorithm up in the list.
Move Down—Moves an algorithm down in the list.

Feature History for the TLS Proxy for Encrypted Voice Inspection

Table 18-2 lists the release history for this feature.

Table 18-2 Feature History for the TLS Proxy for Encrypted Voice Inspection

Feature Name    Releases    Feature Information
TLS Proxy       8.0(2)      The TLS proxy feature was introduced.