Cisco Systems ASA Services Module Webcam User Manual


 
18-6
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Before configuring TLS proxy, the following prerequisites are required:
You must set clock on the security appliance before configuring TLS proxy. To set the clock
manually and display clock, use the clock set and show clock commands. We recommend that the
security appliance use the same NTP server as the Cisco Unified CallManager cluster. TLS
handshake may fail due to certificate validation failure if clock is out of sync between the security
appliance and the Cisco Unified CallManager server.
3DES-AES license is needed to interoperate with the Cisco Unified CallManager. AES is the default
cipher used by the Cisco Unified CallManager and Cisco IP Phone.
Import the following certificates which are stored on the Cisco UCM. These certificates are required
by the ASA for the phone proxy.
Cisco_Manufacturing_CA
CAP-RTP-001
CAP-RTP-002
CAPF certificate (Optional)
If LSC provisioning is required or you have LSC enabled IP phones, you must import the CAPF
certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you
must import all of them to the ASA.
See Chapter 17, “Configuring the Cisco Phone Proxy.”For example, the CA Manufacturer certificate
is required by the phone proxy to validate the IP phone certificate.
Configuring the TLS Proxy for Encrypted Voice Inspection
This section includes the following topics:
Configure TLS Proxy Pane, page 18-8
Adding a TLS Proxy Instance, page 18-9
Add TLS Proxy Instance Wizard – Server Configuration, page 18-9
Add TLS Proxy Instance Wizard – Client Configuration, page 18-10
Add TLS Proxy Instance Wizard – Other Steps, page 18-12
Edit TLS Proxy Instance – Server Configuration, page 18-13
Edit TLS Proxy Instance – Client Configuration, page 18-14
CTL Provider
Use the CTL Provider option to configure Certificate Trust List provider service.
The CTL Provider pane lets you define and configure Certificate Trust List provider service to enable
inspection of encrypted traffic.
Fields
CTL Provider Name—Lists the CTL Provider name.