<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<base href="x-msg://819/">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ok, I’m with ya. I was thinking they were the only root certs
on the Cisco devices, not third party mobile phones. Next time I’ll read the
entire thread before asking a question. </span><span style='font-size:11.0pt;
font-family:Wingdings;color:#1F497D'>J</span><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Ratliff
[mailto:rratliff@cisco.com] <br>
<b>Sent:</b> Monday, October 26, 2009 11:20 AM<br>
<b>To:</b> Matt Slaga (US)<br>
<b>Cc:</b> Dane Newman; CiscosupportUpuck; Craig Staffin<br>
<b>Subject:</b> Re: [cisco-voip] CUMA and ASA as Proxy<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Those are the two that we've found all of the phones to have
installed. You'd have to ask the phone manufacturers why only those two
seem to be included everywhere.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";
color:black'>-Ryan<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On Oct 26, 2009, at 11:16 AM, Matt Slaga (US) wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<span class=apple-style-span><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'><o:p></o:p></span></span></p>
<div>
<div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Out of curiosity, any particular reason why only those two
certificate authorities were chosen?</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;
border-width:initial;border-color:initial'>
<div>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
class=apple-converted-space><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span></span><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a><span
class=apple-converted-space> </span>[mailto:cisco-voip-bounces@puck.nether.net]<span
class=apple-converted-space> </span><b>On Behalf Of<span
class=apple-converted-space> </span></b>Ryan Ratliff<br>
<b>Sent:</b><span class=apple-converted-space> </span>Monday, October 26,
2009 10:32 AM<br>
<b>To:</b><span class=apple-converted-space> </span>Dane Newman<br>
<b>Cc:</b><span class=apple-converted-space> </span>CiscosupportUpuck;
Craig Staffin<br>
<b>Subject:</b><span class=apple-converted-space> </span>Re: [cisco-voip]
CUMA and ASA as Proxy</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>The outside certificate the ASA presents to the mobile
phones has to be one of those specified in the documentation (GeoTrust and
Verisign). This is because the phones only come loaded with the root
certificates for those two CAs, and TAC does not support the loading of 3rd
party root certificates on your phones. <o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>That said, if you want to load the GoDaddy root certificate
on every phone that's going to talk to your ASA/CUMA then go for it, just don't
call TAC if it isn't working (the certificate part anyway).<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";
color:black'>-Ryan</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal>On Oct 25, 2009, at 4:23 PM, Dane Newman wrote:<o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
Will the ASA be ok with any trusted ssl cert such as one from godaddy thats 30
bucks a year opposed to the cheapest gotrust one thats $250 a year?<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal>On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <<a
href="mailto:rratliff@cisco.com">rratliff@cisco.com</a>> wrote:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>For lab purposes you *should* be able to get it to work.
It's not TAC supported but that really doesn't matter for a demo. I
also believe Verisign has temp cert you can get for free (but it has an
expiration date).<br>
<br>
Regarding the name, it needs to match whatever you populate in the external
DNS, which should resolve to the ASA.<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal><br>
"Obtain the IP address and fully qualified domain name for the Proxy Host"<o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal>The proxy host is your ASA.<br>
<span style='color:#888888'><br>
-Ryan</span><o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br>
On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:<br>
<br>
I have a procedure on how to make the self signed certs work on my phone.<br>
That is the least of my problems or concerns. If it does not work that's<br>
fine but I have to try. We are only looking at a pilot of about two phones.<br>
If we do a customer deployment we will have them get a correct cert.<br>
<br>
In the below step do I create the cert using the name of my Cisco ASA or of<br>
the name of my CUMA server?<br>
<br>
<br>
<br>
<a href="http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/"
target="_blank">http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/</a>install/guide<br>
/cuma_70_IAG_02_ASA.html<br>
<br>
For New Installations) How to Obtain and Import the Cisco Adaptive Security<br>
Appliance-to-Client Certificate<br>
This procedure is required unless you are upgrading from Release 3.1.2 and<br>
reusing your signed certificate from your Proxy Server.<br>
<br>
This procedure has several subprocedures:<br>
<br>
.Generate a Certificate Signing Request<br>
<br>
.Submit the Certificate Signing Request to the Certificate Authority<br>
<br>
.Upload the Signed Certificate to the Cisco Adaptive Security Appliance<br>
<br>
Generate a Certificate Signing Request<br>
Before You Begin<br>
<br>
.Obtain the IP address and fully qualified domain name for the Proxy Host<br>
Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.<br>
<br>
<br>
.Determine required values for your company or organization name,<br>
organizational unit, country, and state or province. See the table in<br>
Creating Security Contexts, page 9-7. You must enter identical values in the<br>
Cisco Adaptive Security Appliance and in the relevant security context in<br>
Cisco Unified Mobility Advantage.<br>
<br>
Procedure<br>
<br>
<br>
----------------------------------------------------------------------------<br>
----<br>
<br>
Step 1 Enter configuration mode:<br>
<br>
conf t<br>
<br>
Step 2 Generate a key pair for this certificate:<br>
<br>
crypto key generate rsa label <keypair-cuma-signed> modulus 1024<br>
<br>
You will see a "Please wait..." message; look carefully for the
prompt to<br>
reappear.<br>
<br>
Step 3 Create a trustpoint with the necessary information to generate the<br>
certificate request:<br>
<br>
crypto ca trustpoint <trustpoint-cuma-signed><br>
<br>
subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage<br>
server. Use the Fully Qualified Domain Name.>,OU=<organization unit<br>
name>,O=<company or organization name as publicly registered>,C=<2
letter<br>
country code>,St=<state>,L=<city><br>
<br>
(For requirements for the Company, organization unit, Country, and State<br>
values, see the values you determined in the prerequisite for this<br>
procedure.)<br>
<br>
keypair <keypair-cuma-signed><br>
<br>
fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This<br>
value must exactly match the value you entered for CN above.><br>
<br>
enrollment terminal<br>
<br>
Step 4 Get the certificate signing request to send to the Certificate<br>
Authority:<br>
<br>
crypto ca enroll <trustpoint-cuma-signed><br>
<br>
% Start certificate enrollment.<br>
<br>
% The subject name in the certificate will be:CN=<Proxy Host Name of the<br>
Cisco Unified Mobility Advantage server>,OU=<organization unit<br>
name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city><br>
<br>
% The fully-qualified domain name in the certificate will be: <Proxy Host<br>
Name of the Cisco Unified Mobility Advantage server><br>
<br>
% Include the device serial number in the subject name? [yes/no]: no<br>
<br>
% Display Certificate Request to terminal? [yes/no]: yes<br>
<br>
Step 5 Copy the entire text of the displayed Certificate Signing Request and<br>
paste it into a text file.<br>
<br>
Include the following lines. Make sure that there are no extra spaces at the<br>
end.<br>
<br>
----BEGIN CERTIFICATE----<br>
<br>
----END CERTIFICATE----<br>
<br>
Step 6 Save the text file.<br>
<br>
<br>
----------------------------------------------------------------------------<br>
----<br>
<br>
What To Do Next<br>
<br>
<br>
-----Original Message-----<br>
From: Craig Staffin [mailto:<a href="mailto:cmstaffin@gmail.com" target="_blank">cmstaffin@gmail.com</a>]<br>
Sent: Wednesday, July 01, 2009 9:46 PM<br>
To: Voice Noob<br>
Cc: CiscosupportUpuck<br>
Subject: Re: [cisco-voip] CUMA and ASA as Proxy<br>
<br>
I am going through this battle right now<br>
<br>
As far as self signed certs the response from the BU was that they are<br>
completely not supported as mobile phones do not do certs "well".
In<br>
other words if you can manage to get the CA of your domain onto your<br>
phone it might work for a week or two but then it might fail. The BU<br>
states that you need to use a verisign cert or GEOTrust.<br>
<br>
Let me know if you need more help.<br>
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:<o:p></o:p></p>
<div>
<p class=MsoNormal>Has anyone deployed CUMA 7.x using the ASA as the Proxy
server? I am<br>
having a problem with the documentation on exactly how I setup the<br>
ASA and the certificate requests. I don't know if the name I should<br>
put into the requests is the CUMA server name or the hostname of my<br>
ASA.<br>
<br>
Also has anyone done this using slef signed certs with an internal<br>
CA? I don't think I can get this company to pay for a cert from<br>
Verisign or Geotrust. In fact I know I can't.<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'><o:p> </o:p></span></p>
</div>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'>
<hr size=1 width="100%" align=center>
</span></div>
<div>
<p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'><o:p> </o:p></span></p>
</div>
<p><strong><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'>Disclaimer:
This e-mail communication and any attachments may contain confidential and
privileged information and is for use by the designated addressee(s) named
above only. If you are not the intended addressee, you are hereby notified that
you have received this communication in error and that any use or reproduction
of this email or its contents is strictly prohibited and may be unlawful. If you
have received this communication in error, please notify us immediately by
replying to this message and deleting it from your computer. Thank you.</span></strong><span
style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'><o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>
<HTML><BODY><P><hr size=1></P>
<P><STRONG>
Disclaimer:
This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you.
</STRONG></P></BODY></HTML>