Cisco ASA 5505 Configuration Manual page 961

Chapter 43 Configuring the Cisco Phone Proxy
Ways to Deploy IP Phones to End Users
In both options, deploying a remote IP phone behind a commercial Cable/DSL router with NAT
capabilities is supported.
Option 1 (Recommended)
Stage the IP phones at corporate headquarters before sending them to the end users:
•
•
Advantages of this option are:
•
•
Option 2
Send the IP phone to the end user. When using option 2, the user must be provided instructions to change
the settings on phones with the appropriate Cisco UCM and TFTP server IP address.
As an alternative to authenticating remote IP phones through the TLS handshake, you can configure
Note
authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP
phone user and each user enters the password on the remote IP phones to retrieve the LSC.
Because using LSC provisioning to authenticate remote IP phones requires the IP phones first register
in nonsecure mode, Cisco recommends LSC provisioning be done inside the corporate network before
giving the IP phones to end-users. Otherwise, having the IP phones register in nonsecure mode requires
the Administrator to open the nonsecure signaling port for SIP and SCCP on the adaptive security
appliance.
See also the Cisco Unified Communications Manager Security Guide for information on Using the
Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC).
Phone Proxy Guidelines and Limitations
This section includes the following topics:
•
•
General Guidelines and Limitations
The phone proxy has the following general limitations:
•
OL-20339-01
The phones register inside the network. IT ensures there are no issues with the phone configurations,
image downloads, and registration.
If Cisco UCM cluster was in mixed mode, the CTL file should be erased before sending the phone
to the end user.
Easier to troubleshoot and isolate problems with the network or phone proxy because you know
whether the phone is registered and working with the Cisco UCM.
Better user experience because the phone does not have to download firmware from over a
broadband connection, which can be slow and require the user to wait for a longer time.
General Guidelines and Limitations, page 43-11
Media Termination Address Guidelines and Limitations, page 43-13
Only one phone proxy instance can be configured on the adaptive security appliance by using the
phone-proxy command. See the Cisco ASA 5500 Series Command Reference for information about
the phone-proxy command. See also Creating the Phone Proxy Instance, page
Cisco ASA 5500 Series Configuration Guide using ASDM
Phone Proxy Guidelines and Limitations
43-17.
43-11