Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
8-22
ASDM configuration guide
Chapter 8 Using the Cisco Unified Communication Wizard
Configuring the UC-IME by using the Unified Communication Wizard
Configuring the Remote-Side Certificates for the Cisco Intercompany Media
Engine Proxy
Establishing a trust relationship cross enterprises or across administrative domains is key. Cross
enterprises you must use a trusted third-party CA (such as, VeriSign). The ASA obtains a certificate with
the FQDN of the Cisco Unified Communications Manager server (certificate impersonation).
For the TLS handshake, the two entities could validate the peer certificate via a certificate chain to
trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA as the TLS proxy
must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that
enterprise, the entity and the ASA could authenticate each other via a local CA, or by using self-signed
certificates.
To establish a trusted relationship between the ASA and the remote entity, the ASA can enroll with the
CA on behalf of the local enterprise. In the enrollment request, the local Cisco UCM identity (domain
name) is used.
To establish the trust relationship, the ASA enrolls with the third party CA by using the Cisco Unified
Communications Manager server FQDN as if the security appliance is the Cisco UCM.
Note If the ASA already has a signed identity certificate, you can skip Step 1 in this procedure and proceed
directly to Step 3.
Step 1 In the ASA’s Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.
For information about specifying additional parameters for the certificate signing request (CSR), see
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy, page 8-24.
Information dialog boxes appear indicating that the wizard is delivering the settings to the ASA and
retrieving the certificate key pair information. The Identity Certificate Request dialog box appears.
For information about saving the CSR that was generated and submitting it to a CA, see Saving the
Identity Certificate Request, page 8-25.
Step 2 In the ASA’s Identity Certificate area, click Install ASA’s Identity Certificate. Installing the ASA
Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers,
page 8-26.
Step 3 In the Remote Server’s CA’s Certificate area, click Install Remote Server’s CA’s Certificate. Installing
the root certificates of the CA for the remote servers is necessary so that the ASA can determine that the
remote servers are trusted.
The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate, page 8-23.
Note You must install the root certificates only when the root certificates for the remote servers are
received from a CA other than the one that provided the identity certificate for the ASA
Step 4 Click Next.
The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany
Media Engine.