49-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter49 Configuring the TLS Proxy for Encrypted Voice Inspe ction
Configuring the TLS Proxy for Encrypted Voice Inspection
Creating a CTL Provider Instance, page 49-11
Creating the TLS Proxy Instance, page49-12
Enabling the TLS Proxy Instance for Skinny or SIP Inspection, page49-13
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection
To configure the security appliance for TLS proxy, perform the following steps:
Step1 (Optional) Set the maximum number of TLS proxy sessions to be supported by the security appliance
using the following command, for example:
hostname(config)# tls-proxy maximum-sessions 1200
Note The tls-proxy maximum-sessions command controls the memory size reserved for
cryptographic applications such as TLS proxy. Crypto memory is reserved at the time of system
boot. You may need to reboot the security appliance for the configuration to take effect if the
configured maximum sessions number is greater than the currently reserved.
Step2 Create trustpoints and generate certificates for the TLS Proxy for Encrypted Voice Inspection. See
Creating Trustpoints and Generating Certificates, page49-9.
Step3 Create the internal CA to sign the LDC for Cisco IP Phones. See Creating an Internal CA, page 49-10.
Step4 Create the CTL provider instance. See Creating a CTL Provider Instance, page 49-11.
Step5 Create the TLS proxy instance. See Creating the TLS Proxy Instance, page 49-12.
Step6 Enable the TLS proxy y with SIP and Skinny inspection. See Enabling the TLS Proxy Instance for
Skinny or SIP Inspection, page49-13 .
Step7 Export the local CA certificate (ldc_server) and install it as a trusted certificate on the Cisco UCM server.
a. Use the following command to export the certificate if a trust-point with proxy-ldc-issuer is used
as the signer of the dynamic certificates, for example:
hostname(config)# crypto ca export ldc_server identity-certificate
b. For the embedded local CA server LOCAL-CA-SERVER, use the following command to export its
certificate, for example:
hostname(config)# show crypto ca server certificate
Save the output to a file and import the certificate on the Cisco UCM. For more information, see the
Cisco Unified CallManager document:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_0/iptp_adm/504/iptpch6.htm#wp1
040848
After this step, you may use the Display Certificates function on the Cisco Unified CallManager GUI to
verify the installed certificate:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_0/iptp_adm/504/iptpch6.htm#wp1
040354
Step8 Run the CTL Client application to add the server proxy certificate (ccm_proxy) to the CTL file and
install the CTL file on the security appliance. See the Cisco Unified CallManager document for
information on how to configure and use CTL Client: