Feature: IP Phone services using secure URLs based on HTTPS
Restriction: IP Phone services using secure URLs based on HTTPS do not work.
Workaround to use IP Phone services: Use HTTP for all underlying service options. For example, corporate directory and personal directory. However, HTTP is not recommended as HTTP is not as secure if you need to enter sensitive data for features, such as Extension Mobility.
The drawbacks of using HTTP include:
• Provisioning challenges when configuring HTTP for legacy phones and HTTPS for supported phones.
• No resiliency for IP Phone services.
• Performance of the server handling IP phone services can be affected.

Feature: Extension Mobility Cross Cluster (EMCC) on legacy phones
Restriction: EMCC is not supported with TLS 1.2 on legacy phones.
Workaround: Complete the following tasks to enable EMCC:
1. Enable EMCC over HTTP instead of HTTPS.
2. Turn on mixed-mode on all Unified Communications Manager clusters.
3. Use the same USB eTokens for all Unified Communications Manager clusters.

Feature: Locally Significant Certificates (LSC) on legacy phones
Restriction: LSC is not supported with TLS 1.2 on legacy phones. As a result, 802.1x and phone VPN authentication based on LSC are not available.
Workaround for 802.1x: Authentication based on MIC or password with EAP-MD5 on older phones. However, those are not recommended.
Workaround for VPN: Use phone VPN authentication based on end-user username and password.

Feature: Encrypted Trivial File Transfer Protocol (TFTP) configuration files
Restriction: Encrypted Trivial File Transfer Protocol (TFTP) configuration files are not supported with TLS 1.2 on legacy phones even with Manufacturer Installed Certificate (MIC).
There is no workaround.

Feature: CallManager certificate renewal causes legacy phones to lose trust
Restriction: Legacy phones lose trust when the CallManager certificate is renewed. For example, a phone cannot get new configurations after renewing the certificate. This is applicable only in Unified Communications Manager 11.5.1.
Workaround: To prevent legacy phones from losing trust, complete the following steps:
1. Before you enable the CallManager certificate, set the Cluster For Roll Back to Pre 8.0 enterprise parameter to True. By default, this setting disables the security.
2. Temporarily allow TLS 1.0 (multiple Unified Communications Manager reboots).

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
Basic System Security: TLS Restrictions