Cisco ASA Series Cli Configuration Manual page 1272

Information about the Cisco Mobility Advantage Proxy Feature
MMP is a data transport protocol for transmitting data entities between Cisco UMA clients and servers.
MMP must be run on top of a connection-oriented protocol (the underlying transport) and is intended to
be run on top of a secure transport protocol such as TLS. The Orative Markup Language (OML) protocol
is intended to be run on top of MMP for the purposes of data synchronization, as well as the HTTP
protocol for uploading and downloading large files.
The TCP/TLS default port is 5443. There are no embedded NAT or secondary connections.
Cisco UMA client and server communications can be proxied via TLS, which decrypts the data, passes
it to the inspect MMP module, and re-encrypt the data before forwarding it to the endpoint. The inspect
MMP module verifies the integrity of the MMP headers and passes the OML/HTTP to an appropriate
handler. The ASA takes the following actions on the MMP headers and data:
•
•
•
Note
4096 is the value currently used in MMP implementations.
Because MMP headers and entities can be split across packets, the ASA buffers data to ensure consistent
inspection. The SAPI (stream API) handles data buffering for pending inspection opportunities. MMP
header text is treated as case insensitive and a space is present between header text and values.
Reclaiming of MMP state is performed by monitoring the state of the TCP connection.
Mobility Advantage Proxy Deployment Scenarios
Figure 1-1
Mobility Advantage solution. In scenario 1 (the recommended deployment architecture), the ASA
functions as both the firewall and TLS proxy. In scenario 2, the ASA functions as the TLS proxy only
and works with an existing firewall. In both scenarios, the clients connect from the Internet.
In the scenario 1 deployment, the ASA is between a Cisco UMA client and a Cisco UMA server. The
Cisco UMA client is an executable that is downloaded to each smartphone. The Cisco UMA client
applications establishes a data connection, which is a TLS connection, to the corporate Cisco UMA
server. The ASA intercepts the connections and inspects the data that the client sends to the Cisco UMA
server.
Note
The TLS proxy for the Cisco Mobility Advantage solution does not support client authentication because
the Cisco UMA client cannot present a certificate. The following commands can be used to disable
authentication during the TLS handshake.
hostname(config)# tls-proxy my_proxy
hostname(config-tlsp)# no server authenticate-client
Cisco ASA Series CLI Configuration Guide
1-2
Verifies that client MMP headers are well-formed. Upon detection of a malformed header, the TCP
session is terminated.
Verifies that client to server MMP header lengths are not exceeded. If an MMP header length is
exceeded (4096), then the TCP session is terminated.
Verifies that client to server MMP content lengths are not exceeded. If an entity content length is
exceeded (4096), the TCP session is terminated.
and Figure 1-2 show the two deployment scenarios for the TLS proxy used by the Cisco
Chapter 1 Configuring Cisco Mobility Advantage