Cisco ASA 5505 Configuration Manual page 985

Asa 5500 series

Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), page 44-13
Chapter 44  Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider

Use the Edit TLS Proxy – Server Configuration tab to edit the server proxy parameters for the original TLS server: the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage (CUMA) server.

Step 1  Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step 2  To edit a TLS Proxy Instance, click Edit.
        The Edit TLS Proxy Instance dialog box opens.

Step 3  If necessary, click the Server Configuration tab.

Step 4  Specify the server proxy certificate by doing one of the following:

        • To add a new certificate, click Manage. The Manage Identity Certificates dialog box opens.
          When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identity Certificates dialog box. See the "Configuring CA Certificate Authentication" section on page 35-9.

        • To select an existing certificate, select one from the drop-down list.
          When you are configuring the TLS Proxy for the Phone Proxy, select the certificate that has a filename beginning with _internal_PP_. When you create the CTL file for the Phone Proxy, the adaptive security appliance creates an internal trustpoint used by the Phone Proxy to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.

        The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example, for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with the IP phones.

Step 5  To install the TLS server certificate in the adaptive security appliance trust store, so that the adaptive security appliance can authenticate the TLS server during TLS handshake between the proxy and the TLS server, click Install TLS Server's Certificate.
        The Manage CA Certificates dialog box opens. See the "Guidelines and Limitations" section on page 35-8. Click Add to open the Install Certificate dialog box. See the "Configuring CA Certificate Authentication" section on page 35-9.
        When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server's Certificate and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP phones on behalf of the CUCM server.

Step 6  To require the adaptive security appliance to present a certificate and authenticate the TLS client during TLS handshake, check the Enable client authentication during TLS Proxy handshake check box.
        When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), disable the check box when the client is incapable of sending a client certificate.

Step 7  Click Apply to save the changes.

Edit TLS Proxy Instance – Client Configuration

Note  This feature is not supported for the Adaptive Security Appliance version 8.1.2.
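The Server Configuration settings from Steps 4 to 6 can be reviewed after the fact from the appliance's running configuration. The following is an added example, not part of the Cisco guide: it assumes the ASDM settings appear in the CLI as `server trust-point` and `no server authenticate-client` lines under each `tls-proxy` block, and the sample configuration and instance names are constructed.

```python
import re

# Constructed sample in the style of "show running-config" output (not from the guide).
SAMPLE_CONFIG = """\
crypto ca trustpoint cuma_proxy
 enrollment self
tls-proxy maximum-sessions 1200
tls-proxy phone_tls
 server trust-point _internal_PP_ctl-instance_filename
tls-proxy cuma_tls
 server trust-point cuma_proxy
 no server authenticate-client
tls-proxy unfinished_tls
 client ldc issuer ldc_server
"""

def parse_tls_proxies(config):
    """Return {instance_name: [sub-command lines]} for each tls-proxy block."""
    proxies, current = {}, None
    for line in config.splitlines():
        # A block header carries exactly one token (the instance name).
        m = re.match(r"tls-proxy (\S+)\s*$", line)
        if m:
            current = proxies.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return proxies

def audit(config):
    """Map each TLS proxy instance to a list of findings to review."""
    report = {}
    for name, cmds in parse_tls_proxies(config).items():
        findings = []
        tps = [c.split()[2] for c in cmds if c.startswith("server trust-point ")]
        if not tps:
            findings.append("no server proxy certificate (trustpoint) selected")
        elif tps[0].startswith("_internal_PP_"):
            findings.append("uses Phone Proxy internal trustpoint " + tps[0])
        if "no server authenticate-client" in cmds:
            findings.append("client authentication disabled: "
                            "confirm the client cannot send a certificate")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["ok"])
```

An instance with client authentication disabled is only expected where the guide allows it, such as a Mobile Advantage client that cannot send a certificate.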
