Cisco Systems and the ASA Services Module Network Router User Manual


 
16-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 Configuring the Cisco Phone Proxy
Phone Proxy Guidelines and Limitations
End-User Phone Provisioning
The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is
not configured for the Cisco UCM TFTP server, then the IP phones need to be configured with the Cisco
UCM cluster TFTP server address.
If NAT is configured for the Cisco UCM TFTP server, then the Cisco UCM TFTP server global address
is configured as the TFTP server address on the IP phones.
Ways to Deploy IP Phones to End Users
In both options, deploying a remote IP phone behind a commercial Cable/DSL router with NAT
capabilities is supported.
Option 1 (Recommended)
Stage the IP phones at corporate headquarters before sending them to the end users:
The phones register inside the network. IT ensures there are no issues with the phone configurations,
image downloads, and registration.
If Cisco UCM cluster was in mixed mode, the CTL file should be erased before sending the phone
to the end user.
Advantages of this option are:
Easier to troubleshoot and isolate problems with the network or phone proxy because you know
whether the phone is registered and working with the Cisco UCM.
Better user experience because the phone does not have to download firmware from over a
broadband connection, which can be slow and require the user to wait for a longer time.
Option 2
Send the IP phone to the end user. When using option 2, the user must be provided instructions to change
the settings on phones with the appropriate Cisco UCM and TFTP server IP address.
Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure
authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP
phone user and each user enters the password on the remote IP phones to retrieve the LSC.
Because using LSC provisioning to authenticate remote IP phones requires the IP phones first register
in nonsecure mode, Cisco recommends LSC provisioning be done inside the corporate network before
giving the IP phones to end-users. Otherwise, having the IP phones register in nonsecure mode requires
the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA.
See “Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server
on Publisher, page 16-50“. See also the Cisco Unified Communications Manager Security Guide for
information on Using the Certificate Authority Proxy Function (CAPF) to install a locally significant
certificate (LSC).
Phone Proxy Guidelines and Limitations
This section includes the following topics: