TLS Proxy for Encrypted Voice Inspection
Configuring TLS Proxy
(Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 25: Configuring Application Layer Protocol Inspection, page 25-82)

The security appliance in Figure 25-5 serves as a proxy for both client and server, with Cisco IP Phone and Cisco Unified CallManager interaction.

Figure 25-5 TLS Proxy Flow

[Figure: TLS handshake messages exchanged between Cisco IP Phone, Cisco ASA, and Cisco CallManager, grouped here by sender]

Cisco IP Phone to Cisco ASA: Client Hello, Client Certificate, Client Key Exchange, Certificate Verify, [Change Cipher Spec], Finished
Cisco ASA to Cisco IP Phone: (Proxy) Server Hello, (Proxy) Server Certificate, (Proxy) Server Key Exchange, Certificate Request, (Proxy) Server Hello Done, [Change Cipher Spec], Finished
Cisco ASA to Cisco CallManager: (Proxy) Client Hello, (Proxy) Dynamic Client Certificate, (Proxy) Client Key Exchange, Certificate Verify, [Change Cipher Spec], Finished
Cisco CallManager to Cisco ASA: Server Hello, Server Certificate, Server Key Exchange, Certificate Request, Server Hello Done, [Change Cipher Spec], Finished
Application Data then flows on both legs, with INSPECTION performed at the Cisco ASA.

Before configuring TLS proxy, the following prerequisites are required:
• You must set the clock on the security appliance before configuring TLS proxy. To set the clock manually and display the clock, use the clock set and show clock commands. We recommend that the security appliance use the same NTP server as the Cisco Unified CallManager cluster. The TLS handshake may fail due to certificate validation failure if the clock is out of sync between the security appliance and the Cisco Unified CallManager server.
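The clock prerequisite above, worked through as an added example (not part of the Cisco guide): it evaluates the certificate validity checks on the appliance-to-CallManager leg under three clock states. The certificate dates, the clock readings, and the assumption that the proxy's dynamic client certificate becomes valid at the appliance's own clock time with a one-year lifetime are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

def cert_time(text):
    """Parse an X.509 validity time such as 'Jan  1 00:00:00 2008 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def verdict(not_before, not_after, verifier_clock):
    """How a verifier whose clock reads verifier_clock sees the validity window."""
    if verifier_clock < not_before:
        return "not-yet-valid"
    if verifier_clock > not_after:
        return "expired"
    return "valid"

def server_leg(asa_clock, ccm_clock, ccm_cert, dynamic_lifetime=timedelta(days=365)):
    """Validity checks on the appliance-to-CallManager leg of the proxy flow.

    ccm_cert is the (notBefore, notAfter) pair of the CallManager certificate.
    Assumption: the dynamic client certificate's window starts at the
    appliance's own clock and lasts dynamic_lifetime (hypothetical value).
    """
    dyn_before, dyn_after = asa_clock, asa_clock + dynamic_lifetime
    return {
        # The appliance validates the CallManager certificate with its own clock.
        "asa_checks_ccm_cert": verdict(ccm_cert[0], ccm_cert[1], asa_clock),
        # CallManager validates the dynamic client certificate with its clock.
        "ccm_checks_dynamic_cert": verdict(dyn_before, dyn_after, ccm_clock),
    }

# Constructed sample data, not taken from a real deployment.
CCM_CERT = (cert_time("Jan  1 00:00:00 2008 GMT"), cert_time("Jan  1 00:00:00 2013 GMT"))
NOW = datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc)

# Each scenario is (appliance clock, CallManager clock).
SCENARIOS = {
    "in sync": (NOW, NOW),
    "appliance clock never set": (datetime(1993, 1, 1, tzinfo=timezone.utc), NOW),
    "appliance 10 min ahead": (NOW + timedelta(minutes=10), NOW),
}

if __name__ == "__main__":
    for name, (asa, ccm) in SCENARIOS.items():
        print(f"{name:28} {server_leg(asa, ccm, CCM_CERT)}")
```

Under these assumptions, a skew of only a few minutes is enough to break the handshake, because a freshly issued certificate is not yet valid from the point of view of a peer whose clock is behind.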