[cisco-voip] security by default vs tokens

Stephen Welsh stephen.welsh at unifiedfx.com
Thu Jan 26 11:13:10 EST 2012


Hi Eric,

From our experience with Security by Default and the number of times a simple upgrade (even between UCM 8 versions) can end up with ITL problems, I recommend you go down the token method. The reason I say this is we have seen clients where synchronisation of certificate-related information can take up to 20 minutes during upgrades, so without doing anything wrong in the upgrade process you can still get problems where the ITL file on the phone is no longer in sync with the TFTP/TVS service in the cluster, and you may end up in a situation where you have to delete the ITL files.

If you have a token then you do not have the dependency on TFTP/TVS certificate generation, back-up and synchronisation; you have a permanent token on a USB key, so as long as you don't lose the token you should be free from having to delete ITL/CTL files etc.

Thanks

Stephen

On 26 Jan 2012, at 16:03, Eric Pedersen wrote:

What are your thoughts about security tokens/CTL vs. security-by-default in Callmanager 8.x?  Our cluster is currently using security by default, and I need to decide whether to order a couple tokens and enable mixed mode.  I've used the tokens in the past without issue, and I like that they have the signing certificate rather than a file on Callmanager (which I see people have problems with from time to time).  The CTL file is customizable which I recall makes moving phones between CM and CME easier since we don't have to delete the ITL file.

I'm curious what you're doing and any difficulties you've found with either setup.

Thanks,
Eric

