<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
mso-fareast-language:ES-AR;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES-AR link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Excellent anwer, Jason! I really appreciate it.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks for your time,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ariel.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jason Burns [mailto:burns.jason@gmail.com] <br><b>Sent:</b> sábado, 14 de abril de 2012 12:07 p.m.<br><b>To:</b> ROZA, Ariel<br><b>Cc:</b> cisco-voip@puck.nether.net<br><b>Subject:</b> Re: [cisco-voip] PhoneProxy and CTL file modification<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Ariel,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>The CTL for the CUCM cluster is signed by the USB eToken.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The CTL for the ASA is signed by a private key self generated on the ASA.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>You cannot place the ASA public key into the CUCM CTL.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>You cannot place the eToken public key in the ASA CTL.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>(These two previous bullets mean that when you move a phone from the inside to the outside or vice versa, you have to delete the CTL manually from the phone)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Both the CUCM CTL file and the ASA CTL file need to contain the CAPF certificate, but the CAPF process runs ONLY on the CUCM publisher server.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This means that even though the two CTL files are not going to be trusted by each other, the ASA does need to have the CUCM CAPF certificate so it can build the correct CTL file. The ASA just passes through the CAPF connection from an outside phone requesting an LSC to the CUCM publisher.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>No modifications are required to the CUCM server CTL for this to work, just take the CUCM CAPF cert and load it on the ASA.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'>-Jason Burns<o:p></o:p></p><div><p class=MsoNormal>On Fri, Apr 13, 2012 at 2:22 PM, ROZA, Ariel <<a href="mailto:Ariel.ROZA@la.logicalis.com">Ariel.ROZA@la.logicalis.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks for the info Jason.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Additionally, what about the CTL file for the cluster? Do I have to modify it to include the ASA? I am assuming a “yes”, but still I would like to be certain.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ariel.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jason Burns [mailto:<a href="mailto:burns.jason@gmail.com" target="_blank">burns.jason@gmail.com</a>] <br><b>Sent:</b> jueves, 12 de abril de 2012 07:11 p.m.<br><b>To:</b> ROZA, Ariel<br><b>Cc:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><b>Subject:</b> Re: [cisco-voip] PhoneProxy and CTL file modification</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>The ASA completely takes care of generating the CTL file for the Phone Proxy feature that gets presented to Phone Proxy Phones. The ASA needs to have the correct CCM certificates uploaded (primarily the CAPF certificate) so that the ASA can bundle the CAPF certificate in the CTL file it generates.<br><br>You don't import the CTL from the CUCM into the ASA, you import certificates from the CUCM, and the ASA generates a brand new CTL file and signs it with its own key.<br><br>When you move phones inside to outside or outside to inside you need to delete the CTL file from the phone manually.<br><br>-Jason<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Thu, Apr 12, 2012 at 4:27 PM, ROZA, Ariel <<a href="mailto:Ariel.ROZA@la.logicalis.com" target="_blank">Ariel.ROZA@la.logicalis.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi, guys!<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>For those who have successfully implemented Cisco PhoneProxy:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>I have been reading the instructions on both Callmanager and ASA documentations, and I have some doubts about it.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>According to CUCM documentation, you need to modify the CTL file used by the cluster, to add the ASA firewall with username and password.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>The ASA documentation says that you have to import the CTL file from the cluster and modify it within the ASA.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>What´s the correct way to handle the CTL file to implement PhoneProxy? The security mode for the cluster is set to mixed.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Ariel.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=899 style='width:674.25pt'><tr style='min-height:34.5pt'><td valign=top style='padding:0cm 0cm 0cm 0cm;min-height:34.5pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p></td><td valign=top style='padding:0cm 0cm 0cm 0cm;min-height:34.5pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:#FF3300'>ARIEL ROZA</span></b><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:#666666'><br></span><b><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333333'>Advanced Engineering</span></b><o:p></o:p></p></td></tr><tr style='min-height:18.0pt'><td width=16 style='width:11.95pt;padding:0cm 0cm 0cm 0cm;min-height:18.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p></td><td width=883 style='width:662.3pt;padding:0cm 0cm 0cm 0cm;min-height:18.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:#FF3300'>LOGICALIS</span></b><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:#666666'><br></span><span style='font-size:7.5pt;font-family:"Verdana","sans-serif"'>Perú 327 1er Piso - C.A.B.A. - Argentina - C1067AAG<br>Tel/Fax: <a href="tel:%2B54%20%2811%29%204344-0300" target="_blank">+54 (11) 4344-0300</a><br><u><a href="mailto:ariel.roza@la.logicalis.com" target="_blank">ariel.roza@la.logicalis.com</a></u><br><u><span style='color:purple'><a href="http://www.la.logicalis.com" target="_blank">www.la.logicalis.com</a></span><span style='color:#FF3300'><br></span><span style='color:purple'><a href="http://www.logicalisnow.com" target="_blank">www.logicalisnow.com</a></span></u></span><o:p></o:p></p></td></tr><tr style='min-height:71.25pt'><td width=16 style='width:11.95pt;padding:0cm 0cm 0cm 0cm;min-height:71.25pt'></td><td width=883 valign=top style='width:662.3pt;padding:0cm 0cm 0cm 0cm;min-height:71.25pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:green'>Por favor, piense en el medioambiente antes de imprimir este email.</span><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:#666666'> <br></span><span style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333333'>La presente información se envía únicamente para el destinatario, y contiene información de carácter CONFIDENCIAL o PRIVLEGIADA.<br>La modificación, retransmisión, difusón, copia u otro uso de esta información por cualquier medio, por personas distintas al destinatario, están estrictamente prohibidas.</span><o:p></o:p></p></td></tr></table><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>