
Page 183
Source: cucm/v15/security-guide/security-guide.md
Chunk ID: cucm::v15::security-guide::security-guide::179

• To maintain conference integrity on shared lines, do not configure devices that share a line with different security modes; for example, do not configure an encrypted phone to share a line with an authenticated or nonsecure phone.
• Do not use SIP trunks as ICTs when you want to share conference security status between clusters.
• If you set the cluster security mode to mixed mode, the security mode that is configured for the DSP farm (nonsecure or encrypted) must match the conference bridge security mode in Unified Communications Manager Administration, or the conference bridge cannot register. The conference bridge registers as encrypted when both security modes specify encrypted; the conference bridge registers as nonsecure when both security modes specify nonsecure.
• If you set the cluster security mode to mixed mode and the security profile you applied to the conference bridge is encrypted, but the conference bridge security level is nonsecure, Unified Communications Manager rejects conference bridge registration.
• If you set the cluster security mode to nonsecure mode, configure the security mode at the DSP farm as nonsecure, so the conference bridge can register. The conference bridge registers as nonsecure even if the setting in Unified Communications Manager Administration specifies encrypted.
• During registration, the conference bridge must pass authentication. To pass authentication, the DSP farm system must contain one or more of the Unified Communications Manager CallManager.pem certificates, and Unified Communications Manager must contain certificates for the DSP farm system and the DSP connection in the CallManager-trust store. The Common Name specified in the X.509 Subject attribute must begin with the conference bridge name defined in Cisco Unified Communications Manager and on the DSP farm system using the "associate profile <profile-identifier> register <device-name>" command. The Subject Alternate Name attribute is not supported.

For example, if the certificate Subject Common Name is "CN=example.cisco.com", then the Conference Bridge Name in Unified Communications Manager must be "example" and the DSP farm system command must be "associate profile <profile-identifier> register example". If you have multiple secure conference bridges on the same DSP farm system, each requires a separate certificate. Make sure that the Conference Bridge Name is unique and that it is not configured in any other place under the "Device" table. This applies to the Route list, SIP trunks, IP phones, and so on.

Tip
• If conference bridge certificates expire or change for any reason, use the certificate management feature in Cisco Unified Communications Operating System Administration to update the certificates in the trusted store. TLS authentication fails when certificates do not match, and the conference bridge does not work because it cannot register to Unified Communications Manager.
• The secure conference bridge registers to Unified Communications Manager through a TLS connection at port 2443; a nonsecure conference bridge registers to Unified Communications Manager through a TCP connection at port 2000.
• Changing the device security mode for the conference bridge requires a reset of Unified Communications Manager devices and a restart of the Cisco CallManager service.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs · 165 · Basic System Security · Securing Conference Resources Tips
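The following Python is an added pre-check, not Cisco's code, that models the registration rules above: the cluster/DSP farm/conference bridge mode matching, the TLS 2443 versus TCP 2000 registration port, and the requirement that the certificate Subject CN begin with the Conference Bridge Name (SAN ignored). It assumes security modes are passed as the strings "encrypted" and "nonsecure" and the certificate subject as an RFC 4514 style string such as "CN=example.cisco.com,O=Example".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registration ports from the guide: secure bridge -> TLS 2443, nonsecure -> TCP 2000.
TLS_PORT, TCP_PORT = 2443, 2000


def subject_cn(subject_dn: str) -> Optional[str]:
    """CN attribute of an RFC 4514 style subject ('CN=a,O=b'); a backslash escapes a comma."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None


def cn_matches_bridge(subject_dn: str, bridge_name: str) -> bool:
    """The CN must begin with the Conference Bridge Name; SANs are not consulted."""
    cn = subject_cn(subject_dn)
    return cn is not None and cn.startswith(bridge_name)


@dataclass(frozen=True)
class Outcome:
    registers: bool
    mode: Optional[str]  # "encrypted" or "nonsecure" once registered
    port: Optional[int]
    reason: str


def registration_outcome(cluster_mode: str, dsp_farm_mode: str, bridge_mode: str,
                         subject_dn: Optional[str] = None,
                         bridge_name: Optional[str] = None) -> Outcome:
    """Apply the guide's mode-matching and certificate-name rules to one bridge (assumed model)."""
    if cluster_mode == "nonsecure":
        if dsp_farm_mode != "nonsecure":
            return Outcome(False, None, None, "nonsecure cluster: DSP farm must be nonsecure")
        # Registers nonsecure even when the CUCM profile says encrypted.
        return Outcome(True, "nonsecure", TCP_PORT, "nonsecure cluster")
    if dsp_farm_mode != bridge_mode:  # mixed mode: both settings must agree
        return Outcome(False, None, None, "DSP farm mode differs from bridge security mode")
    if bridge_mode == "nonsecure":
        return Outcome(True, "nonsecure", TCP_PORT, "both nonsecure")
    if not (subject_dn and bridge_name and cn_matches_bridge(subject_dn, bridge_name)):
        return Outcome(False, None, None, "TLS authentication fails: CN must begin with bridge name")
    return Outcome(True, "encrypted", TLS_PORT, "both encrypted, certificate CN matches")
```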