Maximum TLS Proxy Sessions - Cisco PIX 500 Series Configuration Manual

Chapter 25
Configuring Application Layer Protocol Inspection
The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco Unified CallManager.
The proxy is transparent for the voice calls between the phone and the Cisco Unified CallManager. Cisco
IP Phones download a Certificate Trust List (CTL) from the Cisco Unified CallManager before registration;
the CTL contains the identities (certificates) of the devices that the phone should trust, such as TFTP
servers and Cisco Unified CallManager servers. To support server proxy, the CTL file must contain the
certificate that the security appliance creates for the Cisco Unified CallManagers. To proxy calls on
behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco Unified
CallManager can verify: a Local Dynamic Certificate (LDC) for the phone, issued by the certificate
authority on the security appliance.

TLS proxy is supported by Cisco Unified CallManager Release 5.1 and later. You should be familiar
with the security features of the Cisco Unified CallManager. For background and a detailed description of
Cisco Unified CallManager security, see the Cisco Unified CallManager document:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_0/sec_vir/ae/sec504/index.htm

TLS proxy applies to the encryption layer and must be configured together with an application layer
protocol inspection. You should be familiar with the inspection features on the ASA security appliance,
especially Skinny and SIP inspection. For more information on deployment topologies and configuration,
refer to the Cisco Security Appliance Command Line Configuration Guide:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008070320a_4container_ccmigration_09186a00807d939a.html#wp1148989

Maximum TLS Proxy Sessions

Each TLS proxy session is composed of two SSL connections with mutual authentication. The security
appliance supports a pre-set number of TLS proxy sessions by default. The default limit varies by
platform. You can increase or decrease the limit by using the tls-proxy maximum-sessions global
configuration command.
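The following ASA 8.0 configuration is an added example, not configuration taken from this guide, showing the pieces the two passages above describe: a self-signed CA trustpoint that issues the per-phone LDCs, a server certificate that the appliance presents to the phones in place of the CallManager, the tls-proxy instance that ties them together, the tls-proxy maximum-sessions limit, and the binding to Skinny inspection. The trustpoint, key-pair, proxy and class-map names, the FQDNs and subject names, and the choice of an ASA 5520 are all assumptions.

```cisco
! Added example (not from the guide). Names, FQDNs and the ASA 5520 platform
! are assumptions. Comments use the ASA "!" comment syntax.

! 1. CA trustpoint that issues Local Dynamic Certificates (LDCs) to phones.
!    proxy-ldc-issuer marks this trustpoint as the LDC issuer. Its certificate
!    must be added to the CTL on the CallManager so phones trust LDC-signed
!    identities.
crypto key generate rsa label ldc_signer_key modulus 2048
crypto ca trustpoint ldc_signer
 enrollment self
 proxy-ldc-issuer
 fqdn fw-ldc-ca.example.com
 subject-name cn=FW_LDC_SIGNER
 keypair ldc_signer_key
crypto ca enroll ldc_signer noconfirm

! 2. Certificate the appliance presents to phones on behalf of the
!    CallManager (server side of the proxy). This is the certificate the
!    guide says the CTL file must contain.
crypto key generate rsa label ccm_proxy_key modulus 2048
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn fw-ccm-proxy.example.com
 subject-name cn=CCM_PROXY,ou=Voice,o=example.com
 keypair ccm_proxy_key
crypto ca enroll ccm_proxy noconfirm

! 3. Key pair shared by all LDCs the appliance issues (client side, toward
!    the CallManager).
crypto key generate rsa label phone_common modulus 2048

! 4. TLS proxy instance: "server" faces the phone, "client" faces the
!    CallManager and presents the per-phone LDC.
tls-proxy voice_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_signer
 client ldc key-pair phone_common
 client cipher-suite aes128-sha1 aes256-sha1

! 5. Session limit. Each session is two mutually authenticated SSL
!    connections and draws on the crypto memory pool shared with SSL VPN
!    and IPSec VPN. On an ASA 5520 the default is 300 and the platform
!    maximum is 1200; a higher value than the platform allows is rejected.
tls-proxy maximum-sessions 1200

! 6. Bind the proxy to Skinny inspection on the secure SCCP port (TCP 2443).
class-map sec_skinny
 match port tcp eq 2443
policy-map global_policy
 class sec_skinny
  inspect skinny tls-proxy voice_proxy
service-policy global_policy global

! Verification: confirm the proxy instance, the configured limit and the
! live sessions (one session per registered phone).
show tls-proxy
show tls-proxy session detail
show running-config tls-proxy
```

Two practical checks follow from the prose: export the ldc_signer and ccm_proxy certificates and add them to the CallManager's CTL before pointing phones at the appliance, since a phone will refuse the proxied connection otherwise; and size tls-proxy maximum-sessions with SSL VPN load in mind, because every 2.5 concurrent SSL VPN connections consume the memory of one TLS proxy session.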
Table 25-4 lists the default and maximum possible sessions on the security appliance platforms.

Table 25-4    Maximum Sessions

Platform    Default Sessions    Max Possible Sessions
ASA 5505    10                  80
ASA 5510    100                 200
ASA 5520    300                 1200
ASA 5540    1000                4500
ASA 5550    2000                4500

All cryptographic applications, mainly SSL VPN, IPSec VPN, and TLS proxy, share the same crypto
memory pool on the security appliance. The memory used by 2.5 SSL VPN connections is equal to one
TLS proxy session. The number of possible TLS proxy sessions is reduced if there are active SSL VPN
and TLS proxy sessions concurrently. For example, if the security appliance is configured to support up
to 100 TLS proxy sessions, and there are 25 active SSL VPN connections, the maximum number of TLS
proxy sessions is reduced to 90.

Note: You do not need SSL VPN or IPSec VPN licenses to use TLS proxy, though the licenses are needed to
support SSL VPN or IPSec VPN.

TLS Proxy for Encrypted Voice Inspection
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
25-81

Advertisement

Table of Contents
loading

This manual is also suitable for: ASA 5500 series