Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection
Information about the TLS Proxy for Encrypted Voice Inspection
proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs.
To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco
UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority
on the security appliance.
TLS proxy is supported by the Cisco Unified CallManager Release 5.1 and later. You should be familiar
with the security features of the Cisco UCM. For background and a detailed description of Cisco UCM
security, see the Cisco Unified CallManager document:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_0/sec_vir/ae/sec504/index.htm
TLS proxy applies to the encryption layer and must be configured with an application layer protocol
inspection. You should be familiar with the inspection features on the ASA, especially Skinny and SIP
inspection.
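
The following ASA configuration is an added illustration, not taken from this guide, of how the pieces described above fit together: a proxy certificate presented on behalf of the Cisco UCM, a local CA that issues Local Dynamic Certificates (LDCs) for phones, and a TLS proxy instance attached to Skinny inspection. All names (ccm_proxy, ldc_server, my_proxy, sec_skinny, the key labels and subject names) are placeholders, and matching TCP port 2443 assumes the default secure Skinny port.

```cisco
! Added example; every name below is a placeholder, not a value from the guide.

! Key pair and self-signed trustpoint the appliance presents to phones on
! behalf of the Cisco UCM. This certificate must be added to the CTL file.
crypto key generate rsa label ccm_proxy_key modulus 2048
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=EXAMPLE-ASA-CUCM-PROXY
 keypair ccm_proxy_key
crypto ca enroll ccm_proxy

! Local CA on the appliance that signs the Local Dynamic Certificates
! presented to the Cisco UCM on behalf of each phone.
crypto key generate rsa label ldc_signer_key modulus 2048
crypto key generate rsa label phone_common modulus 2048
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn none
 subject-name cn=EXAMPLE-ASA-LDC-SIGNER
 keypair ldc_signer_key
crypto ca enroll ldc_server

! TLS proxy instance: the encryption-layer half of the configuration.
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client ldc key-pair phone_common

! Application-layer half: the proxy takes effect only when referenced
! from a protocol inspection (Skinny here; SIP is attached the same way).
class-map sec_skinny
 match port tcp eq 2443
policy-map global_policy
 class sec_skinny
  inspect skinny tls-proxy my_proxy
service-policy global_policy global
```

After phones register through the appliance, `show tls-proxy sessions` lists the proxied connections, which confirms that inspection is seeing decrypted signaling rather than passing opaque TLS.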
CTL Client Overview
The CTL Client application supplied by Cisco Unified CallManager Release 5.1 and later supports a TLS
proxy server (firewall) in the CTL file. Figure 49-2 through Figure 49-5 illustrate the TLS proxy features
supported in the CTL Client.
Figure 49-2 CTL Client TLS Proxy Features — Add Firewall
Figure 49-2 shows support for adding a CTL entry consisting of the security appliance as the TLS proxy.