<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
span.emailstyle17
{mso-style-name:emailstyle17;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">James,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The ASA certificate needs to be added as a Phone-VPN-Trust under OS Administration->Security->Certificate Management. You then select that certificate under the VPN Gateway configuration in CUCM. You then associate
the VPN Group and VPN Profile to the Common Phone Profile and associate the Common Phone Profile to the phone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If you’re doing username/password authentication, that’s all you have to do. The certificate for the ASA will be in the phone’s config file. Just need to reset the phone on-site so it can download it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If you want to do MIC-based authentication, you need to add the Manufacturing CA Trust certificate from OS Administration to the ASA as a trustpoint.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If you want to do LSC-based authentication, you need to add the Publisher’s CAPF.pem certificate as a trustpoint on the ASA and Install the LSC on the phone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Good IP Phone Anyconnect documentation-
<a href="https://supportforums.cisco.com/docs/DOC-9124">https://supportforums.cisco.com/docs/DOC-9124</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Brian<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> cisco-voip [mailto:cisco-voip-bounces@puck.nether.net]
<b>On Behalf Of </b>James Dust<br>
<b>Sent:</b> Thursday, November 07, 2013 9:24 AM<br>
<b>To:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> [cisco-voip] Phone VPN<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span lang="EN-GB">Afternoon all,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">We are trying a proof of concept here for Cisco IP phone VPN and are stuck, as we don’t seem to be able to update the 9951 SIP phone we are using with the certificate needed to build the VPN tunnel.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">The phone has been added with a ‘common phone profile’ but we cannot see where the certificate has been installed (if at all)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Versions are as so:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Cucm: 8.6.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Asa ver 9.1(2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">9951 phone load: sip9951.9-3-4-24<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Can anyone shed any light on what the correct process is to update the phone?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Kind Regards</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">James</span><span lang="EN-GB">
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB" style="font-size:12.0pt;font-family:"Arial","sans-serif""><br>
</span><strong><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#99CC00">Consider the environment - Think before you print</span></strong><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif""><br>
</span><span lang="EN-GB" style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
</span><span lang="EN-GB" style="font-size:7.5pt;font-family:"Arial","sans-serif"">The contents of this email are confidential to the intended recipient and may not be disclosed. Although it is believed that this email and any attachments are virus free, it
is the responsibility of the recipient to confirm this. <br>
<br>
You are advised that urgent, time-sensitive communications should not be sent by email. We hereby give you notice that a delivery receipt does not constitute acknowledgement or receipt by the intended recipient(s).<br>
<br>
Details of Charles Stanley group companies and their regulators (where applicable), can be found at this URL
</span><span lang="EN-GB" style="font-size:10.0pt;font-family:"Arial","sans-serif""><a href="http://www.charles-stanley.co.uk/contact-us/disclosure/" title="http://www.charles-stanley.co.uk/contact-us/disclosure/"><span style="font-size:7.5pt">http://www.charles-stanley.co.uk/contact-us/disclosure/</span></a></span><span lang="EN-GB" style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p></o:p></span></p>
</div>
</body>
</html>