[cisco-voip] PhoneProxy and CTL file modification
Jason Burns
burns.jason at gmail.com
Sat Apr 14 11:07:21 EDT 2012
Ariel,

- The CTL for the CUCM cluster is signed by the USB eToken.
- The CTL for the ASA is signed by a private key self-generated on the ASA.
- You cannot place the ASA public key into the CUCM CTL.
- You cannot place the eToken public key in the ASA CTL.

(These two previous bullets mean that when you move a phone from the inside
to the outside or vice versa, you have to delete the CTL manually from the
phone)

Both the CUCM CTL file and the ASA CTL file need to contain the CAPF
certificate, but the CAPF process runs ONLY on the CUCM publisher server.
This means that even though the two CTL files are not going to be trusted
by each other, the ASA does need to have the CUCM CAPF certificate so it
can build the correct CTL file. The ASA just passes through the CAPF
connection from an outside phone requesting an LSC to the CUCM publisher.

No modifications are required to the CUCM server CTL for this to work, just
take the CUCM CAPF cert and load it on the ASA.

-Jason Burns

On Fri, Apr 13, 2012 at 2:22 PM, ROZA, Ariel <Ariel.ROZA at la.logicalis.com> wrote:
> Thanks for the info Jason.
>
> Additionally, what about the CTL file for the cluster? Do I have to modify
> it to include the ASA? I am assuming a “yes”, but still I would like to be
> certain.
>
> Regards,
>
> Ariel.
>
> *From:* Jason Burns [mailto:burns.jason at gmail.com]
> *Sent:* Thursday, April 12, 2012 07:11 p.m.
> *To:* ROZA, Ariel
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] PhoneProxy and CTL file modification
>
> The ASA completely takes care of generating the CTL file for the Phone
> Proxy feature that gets presented to Phone Proxy Phones. The ASA needs to
> have the correct CCM certificates uploaded (primarily the CAPF certificate)
> so that the ASA can bundle the CAPF certificate in the CTL file it
> generates.
>
> You don't import the CTL from the CUCM into the ASA, you import
> certificates from the CUCM, and the ASA generates a brand new CTL file and
> signs it with its own key.
>
> When you move phones inside to outside or outside to inside you need to
> delete the CTL file from the phone manually.
>
> -Jason
>
> On Thu, Apr 12, 2012 at 4:27 PM, ROZA, Ariel <Ariel.ROZA at la.logicalis.com>
> wrote:
>
> Hi, guys!
>
> For those who have successfully implemented Cisco PhoneProxy:
>
> I have been reading the instructions on both Callmanager and ASA
> documentations, and I have some doubts about it.
>
> According to CUCM documentation, you need to modify the CTL file used by
> the cluster, to add the ASA firewall with username and password.
>
> The ASA documentation says that you have to import the CTL file from the
> cluster and modify it within the ASA.
>
> What's the correct way to handle the CTL file to implement PhoneProxy? The
> security mode for the cluster is set to mixed.
>
> Regards,
>
> Ariel.
>
> *ARIEL ROZA*
> *Advanced Engineering*
>
> *LOGICALIS*
> Perú 327 1er Piso - C.A.B.A. - Argentina - C1067AAG
> Tel/Fax: +54 (11) 4344-0300
> *ariel.roza at la.logicalis.com*
> *www.la.logicalis.com
> www.logicalisnow.com*