Cisco ASA 5505 Configuration Manual page 969

Chapter 43 Configuring the Cisco Phone Proxy
To force Cisco IP Communicator (CIPC) softphones to operate in authenticated mode when CIPC
Step 9
softphones are deployed in a voice and data VLAN scenario, check the Enable CIPC security mode
authentication check box.
Because CIPC requires an LSC to perform the TLS handshake, CIPC needs to register with the CUCM
in nonsecure mode using cleartext signaling. To allow the CIPC to register, create an ACL that allows
the CIPC to connect to the CUCM on the nonsecure SIP/SCCP signalling ports (5060/2000).
CIPC uses a different cipher when doing the TLS handshake and requires the null-sha1 cipher and SSL
encryption be configured. To add the null-shal cipher, go to Configuration > Device Management >
Advanced > SSL Settings > Encryption section. Select the null-shal SSL encryption type and add it to
the Available Algorithms.
Current versions of Cisco IP Communicator (CIPC) support authenticated mode and perform TLS
signaling but not voice encryption.
Step 10 To configure an HTTP proxy for the Phone Proxy feature that is written into the IP phone's configuration
file under the <proxyServerURL> tag, do the following:
a.
b.
c.
Setting the proxy server configuration option for the Phone Proxy allows for an HTTP proxy on the DMZ
or external network in which all the IP phone URLs are directed to the proxy server for services on the
phones. This setting accommodates nonsecure HTTP traffic, which is not allowed back into the
corporate network.
Click Apply to save the Phone Proxy configuration settings.
Step 11
Note After creating the Phone Proxy instance, you enable it with SIP and Skinny inspection. See
Inspection, page 38-23
However, before you enable SIP and Skinny inspection for the Phone Proxy (which is done by applying
the Phone Proxy to a service policy rule), the Phone Proxy must have an MTA instance, TLS Proxy, and
CTL file assigned to it before the Phone Proxy can be applied to a service policy. Additionally, once a
Phone Proxy is applied to a service policy rule, the Phone Proxy cannot be changed or removed.
Adding or Editing the TFTP Server for a Phone Proxy
This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Note
OL-20339-01
Check the Configure a http-proxy which would be written into the phone's config file... check box.
In the IP Address field, type the IP address of the HTTP proxy and the listening port of the HTTP
proxy.
The IP address you enter should be the global IP address based on where the IP phone and HTTP
proxy server is located. You can enter a hostname in the IP Address field when that hostname can
be resolved to an IP address by the adaptive security appliance (for example, DNS lookup is
configured) because the adaptive security appliance will resolve the hostname to an IP address. If a
port is not specified, the default will be 8080.
In the Interface field, select the interface on which the HTTP proxy resides on the adaptive security
appliance.
and Skinny (SCCP) Inspection, page 38-36.
Cisco ASA 5500 Series Configuration Guide using ASDM
Configuring the Phone Proxy
SIP
43-19