44-9
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 44 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
Modes
The following table shows the modes in which this feature is available:
Add TLS Proxy Instance Wizard – Server Configuration
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP
signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified
Communications features on the adaptive security appliance.
The Add TLS Proxy Instance Wizard is available from the Configuration > Firewall > Unified
Communications > TLS Proxy pane.
Step 1 Complete the first step of the Add TLS Proxy Instance Wizard. See “Adding a TLS Proxy Instance”
section on page 44-8.
The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens.
Step 2 Specify the server proxy certificate by doing one of the following:
• To add a new certificate, click Manage. The Manage Identify Certificates dialog box opens.
When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM
certificate by clicking Add in the Manage Identify Certificates dialog box. See “Configuring
Identity Certificates Authentication” section on page 35-14.
• To select an existing certificate, select one from the drop-down list.
When you are configuring the TLS Proxy for the Phone Proxy, select the certificate that has a
filename beginning with _internal_PP_. When you create the CTL file for the Phone Proxy, the
adaptive security appliance, creates an internal trustpoint used by the Phone Proxy to sign the TFTP
files. The trustpoint is named _internal_PP_ctl-instance_filename.
The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The
trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example,
for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with
the IP phones.
Step 3 To install the TLS server certificate in the adaptive security appliance trust store, so that the adaptive
security appliance can authenticate the TLS server during TLS handshake between the proxy and the
TLS server, click Install TLS Server’s Certificate.
The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on
page 35-8. Click Add to open the Install Certificate dialog box. See the “Adding or Installing a CA
Certificate” section on page 35-9.
Firewall Mode Security Context
Routed Transparent Single
Multiple
Context System
••••—
To Next Page
Loading...
Need help?
General
