Filter
Top Products
18-11
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy
pane.
Step 1 Complete the first two steps of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance,
page 18-9 and Add TLS Proxy Instance Wizard – Client Configuration, page 18-10.
The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.
Step 2 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option
when the client proxy certificate is being used between two servers; for example, when configuring the
TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS
client and TLS server are both servers.
a. Check the Specify the proxy certificate for the TLS Client... check box.
b. Select a certificate from the drop-down list.
Or
To create a new client proxy certificate, click Manage. The Manage Identify Certificates dialog box
opens. See the “Configuring Identity Certificates Authentication” section on page 40-24 in the
general operations configuration guide.
Note When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode
for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate
authority to issue client or server dynamic certificates.
Step 3 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and
configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS
clients.
a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones...
check box.
b. Click the Certificates radio button and select a self-signed certificate from the drop-down list or
click Manage to create a new LDC Issuer. The Manage Identify Certificates dialog box opens. See
the “Configuring Identity Certificates Authentication” section on page 40-24 in the general
operations configuration guide.
Or
Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you
specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA
server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using
the Local CA” section on page 40-31 in the general operations configuration guide.
Note To make configuration changes after the local certificate authority has been configured for
the first time, disable the local certificate authority.
c. In the Key-Pair Name field, select a key pair from the drop-list. The list contains the already defined
RSA key pair used by client dynamic certificates. To see the key pair details, including generation
time, usage, modulus size, and key data, click Show.
Or