Cisco ASA 5505 Configuration Manual page 959

Asa 5500 series

Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 43: Configuring the Cisco Phone Proxy
Prerequisites for the Phone Proxy (page 43-9)

7960 and 7940 IP Phones Support

• An LSC must be installed on these IP phones because they do not come preinstalled with a MIC. Install the LSC on each phone before using it with the phone proxy to avoid opening the nonsecure SCCP port for the IP phones to register in nonsecure mode with the Cisco UCM.
  See the following document for the steps to install an LSC on IP phones:
  http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_0_1/secugd/secucapf.html#wp1093518
  Note: If an IP phone already has an LSC installed on it from a different Cisco UCM cluster, delete the LSC from the different cluster and install an LSC from the current Cisco UCM cluster.
  Note: You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified Communications Manager configuration guide for information.
• The CAPF certificate must be imported onto the adaptive security appliance.
• The CTL file created on the adaptive security appliance must be created with a CAPF record-entry.
• The phone must be configured to use only the SCCP protocol because the SIP protocol does not support encryption on these IP phones.
• If LSC provisioning is done via the phone proxy, you must add an ACL to allow the IP phones to register with the Cisco UCM on the nonsecure port 2000.

Cisco IP Communicator Prerequisites

To configure Cisco IP Communicator (CIPC) with the phone proxy, you must meet the following prerequisites:

• Go to Configuration > Firewall > Unified Communications > Phone Proxy and select the "Enable CIPC security mode authentication" check box under the Call Manager and Phone Settings area.
• Create an ACL to allow CIPC to register with the Cisco UCM in nonsecure mode.
• Configure null-sha1 as one of the SSL encryption ciphers.

Current versions of Cisco IP Communicator (CIPC) support authenticated mode and perform TLS signaling but not voice encryption.

Because CIPC requires an LSC to perform the TLS handshake, CIPC needs to register with the Cisco UCM in nonsecure mode using cleartext signaling. To allow the CIPC to register, create an ACL that allows the CIPC to connect to the Cisco UCM on the nonsecure SIP/SCCP signaling ports (5060/2000).

Note: You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified Communications Manager configuration guide for information.

CIPC uses a different cipher when doing the TLS handshake and requires that the null-sha1 cipher and SSL encryption be configured. To add the null-sha1 cipher, use the show run all ssl command to see the output for the ssl encryption command, then add null-sha1 to the end of the SSL encryption list.
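
As an added example (not from the Cisco guide), the Python sketch below reviews the two CIPC changes described above: it builds the amended ssl encryption command from show run all ssl output, and it flags ACL entries for the nonsecure ports 2000/5060 that are wider than a single Cisco UCM host. The sample output, the ACL name cipc_reg, the addresses and the reading of the ASA keyword sip as port 5060 are assumptions made for the illustration.

```python
import re
# Nonsecure signaling ports from the text; "sip" is assumed to be how the ASA prints 5060.
NONSECURE = {"2000": "SCCP", "5060": "SIP", "sip": "SIP"}
ACE = re.compile(r"access-list (\S+) extended permit tcp (.+) eq (\S+)$")

def amended_ssl_encryption(show_run_all_ssl):
    """Return the ssl encryption command with null-sha1 added at the end (None if present)."""
    for line in show_run_all_ssl.splitlines():
        words = line.split()
        if words[:2] == ["ssl", "encryption"]:
            if "null-sha1" in words[2:]:
                return None
            return " ".join(words + ["null-sha1"])
    raise ValueError("no 'ssl encryption' line in the output")

def _take_addr(tokens):
    """Split one address spec (any | host A | A MASK) off the front of the token list."""
    if tokens[:1] == ["any"]:
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def broad_nonsecure_aces(config, ucm_ip):
    """Flag permits to the nonsecure ports that are wider than phone-to-UCM registration needs."""
    findings = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(3) not in NONSECURE:
            continue
        src, rest = _take_addr(m.group(2).split())
        dst, _ = _take_addr(rest)
        proto = NONSECURE[m.group(3)]
        if dst != f"host {ucm_ip}":
            findings.append((m.group(1), proto, "destination is not the UCM host"))
        elif src == "any":
            findings.append((m.group(1), proto, "any source"))
    return findings

# Constructed sample input: documentation addresses and a hypothetical ACL name.
SAMPLE_SSL = "ssl server-version any\nssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1\n"
SAMPLE_ACL = """\
access-list cipc_reg extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 2000
access-list cipc_reg extended permit tcp any host 192.0.2.10 eq sip
access-list cipc_reg extended permit tcp any any eq 2000
access-list cipc_reg extended permit tcp any host 192.0.2.10 eq 443
"""

if __name__ == "__main__":
    print(amended_ssl_encryption(SAMPLE_SSL))
    print(broad_nonsecure_aces(SAMPLE_ACL, "192.0.2.10"))
```

null-sha1 authenticates TLS records without encrypting them, so the flagged entries are the ones to narrow first or to remove once the phones hold an LSC.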
