Media Security On Unify Srst - Srtp; Establishment Of Secure Cisco Unified Srst To The Cisco Unified Ip Phone - Cisco CP-7911G-CH1 System Administrator Manual


Cisco Unified SCCP and SIP SRST System Administrator Guide, OL-13143-04
Configuring Secure SRST for SCCP and SIP

Information About Configuring Secure SRST

To generate the certificate for Credentials Server, perform the following procedures:
Autoenrolling and Authenticating the Secure Cisco Unified SRST Router to the CA Server, page 188
Enabling Credentials Service on the Secure Cisco Unified SRST Router, page 193
Configuring SRST Fallback on Cisco Unified Communications Manager, page 204

Once the certificate is generated, fill in the name of the certificate (or the name of the trustpoint in IOS) in the "trustpoint" entry.
This certificate for the Credentials Server on the Secure SRST will be seamlessly exported to the Cisco Unified CM when requested in the "Adding an SRST Reference to Cisco Unified Communications Manager" section on page 203.

Certificates Transport from CUCM to Secure SRST
For more information about Certificates Transport from CUCM to Secure SRST, see the "Importing Phone Certificate Files in PEM Format to the Secure SRST Router" section on page 195.

Media Security on Unify SRST - SRTP

Media encryption, which uses Secure Real-Time Protocol (SRTP), ensures that only the intended recipient can interpret the media streams between supported devices. Support includes audio streams only.
If the devices support SRTP, the system uses an SRTP connection. If at least one device does not support SRTP, the system uses an RTP connection. SRTP-to-RTP fallback may occur for transfers from a secure device to a non-secure device, transcoding, music-on-hold (MOH), and so on.

Note
Secure SRST handles media encryption keys differently for different devices and protocols. All phones that are running SCCP get their media encryption keys from SRST, which secures the media encryption key downloads to phones with TLS encrypted signaling channels. Phones that are running SIP generate and store their own media encryption keys. Media encryption keys that are derived by SRST are sent securely via encrypted signaling paths to gateways over IPSec-protected links for H.323.

Warning
Before you configure SRTP or signaling encryption for gateways and trunks, Cisco strongly recommends that you configure IPSec because Cisco H.323 gateways and H.323/H.245/H.225 trunks rely on IPSec configuration to ensure that security-related information does not get sent in the clear. Cisco Unified SRST does not verify that you configured IPSec correctly. If you do not configure IPSec correctly, security-related information may get exposed.

Establishment of Secure Cisco Unified SRST to the Cisco Unified IP Phone

Figure 1 shows the interworking of the credentials server on the SRST router, Cisco Unified Communications Manager, and the Cisco Unified IP Phone. Table 2 describes the establishment of secure SRST to the Cisco Unified IP Phone.
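The SRTP-or-RTP rule in the Media Security on Unify SRST - SRTP section (SRTP only when every device supports it, audio streams only) can be audited from signaling records to find calls that fell back to RTP. The following is an added example, not taken from the Cisco guide: it assumes SIP call legs described by SDP with RFC 4568 a=crypto attributes, and every function name, call id and SDP body in it is constructed for illustration.

```python
import re

M_LINE = re.compile(r"^m=(\w+) \d+ (\S+)")

def audio_sections(sdp):
    """Yield (transport, attribute_lines) for every m=audio section of an SDP body."""
    kind, transport, attrs = None, None, []
    for raw in sdp.splitlines():
        line = raw.strip()
        m = M_LINE.match(line)
        if m:
            if kind == "audio":
                yield transport, attrs
            kind, transport, attrs = m.group(1), m.group(2), []
        elif kind and line.startswith("a="):
            attrs.append(line)
    if kind == "audio":
        yield transport, attrs

def leg_is_srtp(sdp):
    """A leg counts as SRTP only if an audio stream uses RTP/SAVP and carries a key."""
    return any(t == "RTP/SAVP" and any(a.startswith("a=crypto:") for a in attrs)
               for t, attrs in audio_sections(sdp))

def classify_call(legs):
    """Apply the rule above: SRTP only when every device on the call supports it."""
    secure = [leg_is_srtp(s) for s in legs]
    if secure and all(secure):
        return "SRTP"
    return "RTP-FALLBACK" if any(secure) else "RTP"

def fallback_calls(calls):
    """Return the ids of calls where a secure device ended up on plain RTP."""
    return sorted(cid for cid, legs in calls.items()
                  if classify_call(legs) == "RTP-FALLBACK")

# Constructed sample SDP (not captured traffic); the key is a placeholder.
HEAD = "v=0\no=- 1 1 IN IP4 192.0.2.10\ns=-\nc=IN IP4 192.0.2.10\nt=0 0\n"
CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER\n"
SECURE = HEAD + "m=audio 16384 RTP/SAVP 0\n" + CRYPTO
PLAIN = HEAD + "m=audio 16384 RTP/AVP 0\n"
VIDEO_ONLY = PLAIN + "m=video 16386 RTP/SAVP 96\n" + CRYPTO  # key on video only
CALLS = {"phone-to-phone": [SECURE, SECURE], "phone-to-moh": [SECURE, PLAIN],
         "legacy-pair": [PLAIN, PLAIN], "video-keyed": [SECURE, VIDEO_ONLY]}

if __name__ == "__main__":
    for cid, legs in CALLS.items():
        print(cid, classify_call(legs))
    print("review:", fallback_calls(CALLS))
```

SCCP legs are not covered, because SCCP phones receive their keys from SRST over the TLS signaling channel rather than in SDP.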
