19-18
Cisco ASDM User Guide
OL-16647-01
Chapter 19 Adding Global Objects
TLS Proxy Wizard
Use the TLS Proxy to enable inspection of SSL/TLS-encrypted VoIP signaling, namely Skinny (SCCP) and SIP, between endpoints and Cisco Unified Call Manager. Additionally, configure the TLS Proxy on the security appliance to support the following Cisco Unified Communications features:
• Mobility: the TLS client is a CUMA client (CUMC) and the TLS server is a CUMA server; the security appliance sits between the two. The TLS Proxy for CUMA can use an imported PKCS-12 bundle (the CUMA server certificate and its private key) as its server-side certificate during the handshake with the client, so the client sees the real CUMA identity rather than a proxy certificate. CUMA clients are not required to present a certificate (no client authentication) during the handshake. In previous releases, the security appliance required the client to always present a valid certificate and it acted as a private certificate authority (CA) for the clients.
• Presence Federation: the security appliance acts as a TLS Proxy between Cisco Unified Presence (CUP) and the foreign server. This allows the security appliance to proxy TLS messages on behalf of the server that initiates the TLS connection and route the proxied TLS messages to the client. The security appliance stores certificate trustpoints for both the server and the client side and presents the corresponding certificate when each TLS session is established; because client authentication is required here, both peers must trust the certificates the appliance presents.
The security appliance supports TLS Proxy for various voice applications. For the Phone Proxy feature, the TLS Proxy running on the security appliance has the following key features:
• The TLS Proxy is implemented on the security appliance to intercept the TLS signaling from IP phones.
• The TLS Proxy decrypts the packets, sends them to the inspection engine for NAT rewrite and protocol conformance, optionally re-encrypts them and sends them to CUCM, or sends them in clear text if the IP phone is configured to be in nonsecure mode on the CUCM.
• The TLS Proxy is a transparent proxy that works by establishing a trusted relationship between the TLS client, the proxy (the security appliance), and the TLS server.
Table 19-2 TLS Proxy Applications and the Security Appliance

| Application | TLS Client | TLS Server | Client Authentication | Security Appliance Server Role | Security Appliance Client Role |
|---|---|---|---|---|---|
| Mobile Advantage | CUMC | CUMA | No | Using the CUMA private key or certificate impersonation | Any static configured certificate |
| Presence Federation | CUP or MS LCS/OCS | CUP or MS LCS/OCS | Yes | Proxy certificate, self-signed or by internal CA | Using the CUP private key or certificate impersonation |
| IP Telephone (including Phone Proxy) | IP phone | CUCM | Yes | Proxy certificate, self-signed or by internal CA | Local dynamic certificate signed by the security appliance CA (might not need certificate for Phone Proxy application) |
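The ASDM wizard generates security appliance CLI underneath. As an added illustration (not taken from this guide), the following configuration shows how the two certificate patterns in Table 19-2 map onto `tls-proxy` commands: the IP Telephone row (proxy certificate toward the phone, locally issued dynamic certificate toward CUCM) and the Mobile Advantage row (imported PKCS-12 with the CUMA private key toward the client, no client authentication). All trustpoint, key-pair, class-map and proxy names, the FQDN and the port numbers for the CUMA MMP service are assumptions chosen for the example; adjust them to your deployment.

```text
! ---- IP Telephone / Phone Proxy row of Table 19-2 ----
! Key pairs: one for the certificate the phones see, one reused by the
! local dynamic certificates (LDC) issued toward CUCM. Names are assumed.
crypto key generate rsa label ccm_proxy_key modulus 2048
crypto key generate rsa label phone_common modulus 2048

! Trustpoint whose certificate is presented to the IP phones as the
! "proxy certificate" (self-signed here; export it into the CUCM CTL so the
! phones trust it).
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=ASA_CCM_PROXY
 keypair ccm_proxy_key
crypto ca enroll ccm_proxy

! Trustpoint that acts as the appliance's internal CA for the LDCs the
! appliance presents to CUCM on the client side of each proxied session.
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn asa-ldc-ca.example.com
 subject-name cn=ASA_LDC_SIGNER
 keypair ccm_proxy_key
crypto ca enroll ldc_server

tls-proxy phone_tlsp
 server trust-point ccm_proxy          ! server role: proxy certificate
 client ldc issuer ldc_server          ! client role: LDC signed by appliance CA
 client ldc key-pair phone_common
 client cipher-suite aes128-sha1 aes256-sha1

! Hand the decrypted signaling to the SCCP/SIP inspection engines.
class-map sec_sccp
 match port tcp eq 2443
class-map sec_sip
 match port tcp eq 5061
policy-map global_policy
 class sec_sccp
  inspect skinny tls-proxy phone_tlsp
 class sec_sip
  inspect sip tls-proxy phone_tlsp

! ---- Mobile Advantage row of Table 19-2 ----
! Import the CUMA server's certificate and private key as a PKCS-12 bundle;
! the base64 blob is pasted after the command and terminated with "quit".
crypto ca import cuma_proxy pkcs12 <passphrase>
 <base64 PKCS-12 data>
 quit

! Any static certificate for the appliance's client role toward CUMA.
crypto ca trustpoint asa_client_cert
 enrollment self
 fqdn none
 subject-name cn=ASA_CUMA_CLIENT
 keypair ccm_proxy_key
crypto ca enroll asa_client_cert

tls-proxy cuma_tlsp
 server trust-point cuma_proxy         ! server role: CUMA private key
 client trust-point asa_client_cert    ! client role: static certificate
 no server authenticate-client         ! CUMC presents no certificate

class-map cuma_mmp
 match port tcp eq 5443                ! assumed MMP port
policy-map global_policy
 class cuma_mmp
  inspect mmp tls-proxy cuma_tlsp

service-policy global_policy global
```

The check a practitioner should make after applying either half is that the certificate chain matches the row: for Phone Proxy, the phones' CTL must contain the `ccm_proxy` certificate and CUCM must trust the `ldc_server` CA (or be told to accept its LDCs), otherwise the handshake on one side fails while the other side succeeds; for CUMA, `no server authenticate-client` is what removes the client-certificate requirement described above, so leaving it out reinstates the old behavior where every CUMC needed a certificate.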