<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style>
<!--
@font-face
        {font-family:Calibri}
@font-face
        {font-family:Tahoma}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif"}
p.msochpdefault, li.msochpdefault, div.msochpdefault
        {margin-right:0cm;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Calibri","sans-serif"}
span.emailstyle17
        {font-family:"Calibri","sans-serif";
        color:windowtext}
span.EmailStyle19
        {font-family:"Calibri","sans-serif";
        color:#1F497D}
span.BalloonTextChar
        {font-family:"Tahoma","sans-serif"}
span.EmailStyle23
        {font-family:"Calibri","sans-serif";
        color:#1F497D}
.MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:72.0pt 72.0pt 72.0pt 72.0pt}
div.WordSection1
        {}
-->
</style>
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thank you Brian,</span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="color:#1F497D">We believe we have done all of that so I will work back through the config.</span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:#1F497D">Kind Regards</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:#1F497D">James Dust
<br>
</span><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:#1F497D">Technical Infrastructure Engineer</span><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:#1F497D"><br>
Charles Stanley & Co Ltd <br>
Tel: 020 7149 6314 <br>
Mob: 07989 491136 <br>
mailto: <a href="mailto:james.dust@charles-stanley.co.uk">james.dust@charles-stanley.co.uk</a></span><span lang="EN-US" style="color:#1F497D"></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> Brian Meade (brmeade) [mailto:brmeade@cisco.com]
<br>
<b>Sent:</b> 07 November 2013 15:11<br>
<b>To:</b> James Dust; cisco-voip@puck.nether.net<br>
<b>Subject:</b> RE: Phone VPN</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">James,</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">The ASA certificate needs to be added as a Phone-VPN-Trust under OS Administration->Security->Certificate Management.  You then select that certificate under the VPN Gateway configuration in CUCM. 
 You then associate the VPN Group and VPN Profile to the Common Phone Profile and associate the Common Phone Profile to the phone.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">If you’re doing username/password authentication, that’s all you have to do.  The certificate for the ASA will be in the phone’s config file.  Just need to reset the phone on-site so it can download
 it.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">If you want to do MIC-based authentication, you need to add the Manufacturing CA Trust certificate from OS Administration to the ASA as a trustpoint.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">If you want to do LSC-based authentication, you need to add the Publisher’s CAPF.pem certificate as a trustpoint on the ASA and Install the LSC on the phone.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Good IP Phone Anyconnect documentation-
<a href="https://supportforums.cisco.com/docs/DOC-9124">https://supportforums.cisco.com/docs/DOC-9124</a></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Brian</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>James Dust<br>
<b>Sent:</b> Thursday, November 07, 2013 9:24 AM<br>
<b>To:</b> <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> [cisco-voip] Phone VPN</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<p class="MsoNormal">Afternoon all,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">We are trying a proof of concept here for Cisco IP phone VPN and are stuck, as we don’t seem to be able to update the 9951 SIP phone we are using with the certificate needed to build the VPN tunnel.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The phone has been added with a ‘common phone profile’ but we cannot see where the certificate has been installed (if at all)</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Versions are as so:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Cucm: 8.6.2</p>
<p class="MsoNormal">Asa ver 9.1(2)</p>
<p class="MsoNormal">9951 phone load: sip9951.9-3-4-24</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Can anyone shed any light on what the correct process is to update the phone?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">Kind Regards</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> </span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">James</span>
</p>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt; font-family:"Arial","sans-serif""><br>
</span><strong><span style="font-size:7.5pt; font-family:"Arial","sans-serif"; color:#99CC00">Consider the environment - Think before you print</span></strong><span style="font-size:7.5pt; font-family:"Arial","sans-serif""><br>
</span><span style="font-size:10.0pt; font-family:"Arial","sans-serif""><br>
</span><span style="font-size:7.5pt; font-family:"Arial","sans-serif"">The contents of this email are confidential to the intended recipient and may not be disclosed. Although it is believed that this email and any attachments are virus free, it is the responsibility
 of the recipient to confirm this. <br>
<br>
You are advised that urgent, time-sensitive communications should not be sent by email. We hereby give you notice that a delivery receipt does not constitute acknowledgement or receipt by the intended recipient(s).<br>
<br>
Details of Charles Stanley group companies and their regulators (where applicable), can be found at this URL
</span><span style="font-size:10.0pt; font-family:"Arial","sans-serif""><a href="http://www.charles-stanley.co.uk/contact-us/disclosure/" title="http://www.charles-stanley.co.uk/contact-us/disclosure/"><span style="font-size:7.5pt">http://www.charles-stanley.co.uk/contact-us/disclosure/</span></a></span><span style="font-size:12.0pt; font-family:"Times New Roman","serif""></span></p>
</div>
<font face="Arial"><br>
<font size="2"><font size="1"><font color="#99cc00"><strong>Consider the environment - Think before you print</strong></font><br>
</font><br>
</font><font size="1">The contents of this email are confidential to the intended recipient and may not be disclosed. Although it is believed that this email and any attachments are virus free, it is the responsibility of the recipient to confirm this.
<br>
<br>
You are advised that urgent, time-sensitive communications should not be sent by email. We hereby give you notice that a delivery receipt does not constitute acknowledgement or receipt by the intended recipient(s).<br>
<br>
Details of Charles Stanley group companies and their regulators (where applicable), can be found at this URL
</font></font><span style="font-size:10pt; font-family:'Arial','sans-serif'"><a title="http://www.charles-stanley.co.uk/contact-us/disclosure/" href="http://www.charles-stanley.co.uk/contact-us/disclosure/"><font size="1">http://www.charles-stanley.co.uk/contact-us/disclosure/</font></a></span><br>
<br>
<font face="Arial"></font>
</body>
</html>