Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 53 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
Edit TLS Proxy Instance – Client Configuration
Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.
The TLS Proxy enables inspection of SSL-encrypted VoIP signaling, namely Skinny and SIP, exchanged
with Cisco Call Manager, and supports the Cisco Unified Communications features on the ASA.
The fields in the Edit TLS Proxy dialog box are identical to the fields displayed when you add a TLS
Proxy instance. Use the Edit TLS Proxy – Client Configuration tab to edit the client proxy parameters
for the original TLS Client, such as IP phones, CUMA clients, the Cisco Unified Presence Server
(CUPS), or the Microsoft OCS server.
Step 1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 2 To edit a TLS Proxy Instance, click Edit.
The Edit TLS Proxy Instance dialog box opens.
Step 3 If necessary, click the Client Configuration tab.
Step 4 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option
when the client proxy certificate is being used between two servers; for example, when configuring the
TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), the TLS
client and the TLS server are both servers.
a. Check the Specify the proxy certificate for the TLS Client... check box.
b. Select a certificate from the drop-down list.
Or
To create a new client proxy certificate, click Manage. The Manage Identity Certificates dialog box
opens. See the “Configuring Identity Certificates Authentication” section on page 44-16.
Note: When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode
for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate
authority that issues client or server dynamic certificates.
Step 5 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and
configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS
clients.
a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones...
check box.
b. Click the Certificates radio button and select a self-signed certificate from the drop-down list or
click Manage to create a new LDC Issuer. The Manage Identity Certificates dialog box opens. See
the “Configuring Identity Certificates Authentication” section on page 44-16.
Or
Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you
specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA
server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using
the Local CA” section on page 44-23.
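The ASA CLI equivalent of Steps 4 and 5, useful when reviewing what the ASDM dialog wrote to the running configuration. This is an added example, not part of the original guide; the proxy, trustpoint and key-pair names, the FQDN and the subject name are hypothetical placeholders.

```text
! Added example: all names below are hypothetical placeholders.
!
! Step 4: fixed client proxy certificate (server-to-server case,
! for example Presence Federation). When the ASA acts as the TLS
! client it presents the identity certificate held in the
! trustpoint ent_cup_proxy.
tls-proxy cup_federation_proxy
 client trust-point ent_cup_proxy
!
! Step 5: LDC Issuer (Phone Proxy with a mixed-mode CUCM cluster).
! Key pair for the self-signed issuing certificate.
crypto key generate rsa label ldc_signer_key modulus 2048
! Key pair placed in the dynamic certificates issued to phones.
crypto key generate rsa label phone_common modulus 2048
!
! Self-signed trustpoint that is allowed to issue local dynamic
! certificates (the "Certificates" radio button in Step 5b).
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn ldc-ca.example.com
 subject-name cn=ASA_LDC_SIGNER
 keypair ldc_signer_key
crypto ca enroll ldc_server
!
! Bind the issuer and the phone key pair to the TLS proxy instance.
tls-proxy phone_proxy_tls
 client ldc issuer ldc_server
 client ldc key-pair phone_common
!
! Confirm which client certificate or LDC issuer each instance uses.
show running-config tls-proxy
```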