Cisco Systems ASA Services Module Webcam User Manual


 
17-16
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 17 Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security
Token (SAST) key to sign the CTL file itself. This key can be generated on the ASA. A SAST is created
as a self-signed certificate. Typically, a CTL file contains more than one SAST. In case a SAST is not
recoverable, the other one can be used to sign the file later.
Step 5 Click Apply to save the CTL file configuration settings.
Adding or Editing a Record Entry in a CTL File
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add/Edit Record Entry dialog box to specify the trustpoints to be used for the creation of the
CTL file.
Note You can edit an entry in the CTL file by using the Edit Record Entry dialog box; however, changing a
setting in this dialog box does not change related settings for the phone proxy. For example, editing the
IP address for the CUCM or TFTP servers in this dialog changes the setting only in the CTL file and
does not change the actual addresses of those servers or update the address translations required by the
phone proxy.
To modify CTL file settings, we strongly recommend you re-run the Unified Communications Wizard
to edit CTL file settings and ensure proper synchronization with all phone proxy settings.
Add additional record-entry configurations for each entity that is required in the CTL file.
Step 1 Open the Configuration > Firewall > Unified Communications > CTL File pane.
Step 2 Check the Enable Certificate Trust List File check box to enable the feature.
Step 3 In the Type field, specify the type of trustpoint to create:
cucm: Specifies the role of this trustpoint to be CCM. Multiple CCM trustpoints can be configured.
cucm-tftp: Specifies the role of this trustpoint to be CCM+TFTP. Multiple CCM+TFTP trustpoints
can be configured.
tftp: Specifies the role of this trustpoint to be TFTP. Multiple TFTP trustpoints can be configured.
capf: Specifies the role of this trustpoint to be CAPF. Only one CAPF trustpoint can be configured.
Step 4 In the Host field, specify the IP address of the trustpoint. The IP address you specify must be the global
address of the TFTP server or CUCM if NAT is configured. The global IP address is the IP address as
seen by the IP phones because it will be the IP address used for the CTL record for the trustpoint.
Step 5 In the Certificate field, specify the Identity Certificate for the record entry in the CTL file. You can create
a new Identity Certificate by clicking Manage. The Manage Identify Certificates dialog box opens. See
the “Configuring Identity Certificates Authentication” section on page 40-24 in the general operations
configuration guide.
You can add an Identity Certificate by generating a self-signed certificate, obtaining the certificate
through SCEP enrollment, or by importing a certificate in PKCS-12 format. Choose the best option
based on the requirements for configuring the CTL file.