Cisco ASA 5505 User Manual
Page 1044
49-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
•
Creating a CTL Provider Instance, page 49-11
•
Creating the TLS Proxy Instance, page 49-12
•
Enabling the TLS Proxy Instance for Skinny or SIP Inspection, page 49-13
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection
To configure the security appliance for TLS proxy, perform the following steps:
Step 1
(Optional) Set the maximum number of TLS proxy sessions to be supported by the security appliance
using the following command, for example:
hostname(config)# tls-proxy maximum-sessions 1200
Note
The tls-proxy maximum-sessions command controls the memory size reserved for
cryptographic applications such as TLS proxy. Crypto memory is reserved at the time of system
boot. You may need to reboot the security appliance for the configuration to take effect if the
configured maximum sessions number is greater than the currently reserved.
Step 2
Create trustpoints and generate certificates for the TLS Proxy for Encrypted Voice Inspection. See
Creating Trustpoints and Generating Certificates, page 49-9
Step 3
Create the internal CA to sign the LDC for Cisco IP Phones. See
Creating an Internal CA, page 49-10
.
Step 4
Create the CTL provider instance. See
Creating a CTL Provider Instance, page 49-11
.
Step 5
Create the TLS proxy instance. See
Creating the TLS Proxy Instance, page 49-12
.
Step 6
Enable the TLS proxy y with SIP and Skinny inspection. See
Enabling the TLS Proxy Instance for
Skinny or SIP Inspection, page 49-13
Step 7
Export the local CA certificate (ldc_server) and install it as a trusted certificate on the Cisco UCM server.
a.
Use the following command to export the certificate if a trust-point with proxy-ldc-issuer is used
as the signer of the dynamic certificates, for example:
hostname(config)# crypto ca export ldc_server identity-certificate
b.
For the embedded local CA server LOCAL-CA-SERVER, use the following command to export its
certificate, for example:
hostname(config)# show crypto ca server certificate
Save the output to a file and import the certificate on the Cisco UCM. For more information, see the
Cisco Unified CallManager document:
After this step, you may use the Display Certificates function on the Cisco Unified CallManager GUI to
verify the installed certificate:
Step 8
Run the CTL Client application to add the server proxy certificate (ccm_proxy) to the CTL file and
install the CTL file on the security appliance. See the Cisco Unified CallManager document for
information on how to configure and use CTL Client: