Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 51 Configuring Cisco Unified Presence
Information About Cisco Unified Presence
http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Trust Relationship in the Presence Federation
Within an enterprise, a trust relationship can be set up by using self-signed certificates or by enrolling with an internal CA.
Establishing a trust relationship across enterprises or across administrative domains is key for federation. Across enterprises, you must use a trusted third-party CA (such as VeriSign). The ASA obtains a certificate with the FQDN of the Cisco UP (certificate impersonation).
For the TLS handshake, the two entities validate the peer certificate via a certificate chain to trusted third-party certificate authorities, so both entities enroll with those CAs. The ASA, as the TLS proxy, must be trusted by both entities. The ASA is always associated with one of the enterprises; within that enterprise (Enterprise X in Figure 51-1), the entity and the ASA can authenticate each other via a local CA or by using self-signed certificates.
To establish a trusted relationship between the ASA and the remote entity (Entity Y), the ASA can enroll with the CA on behalf of Entity X (Cisco UP). In the enrollment request, the Entity X identity (domain name) is used.

Figure 51-3 shows the way to establish the trust relationship. The ASA enrolls with the third-party CA by using the Cisco UP FQDN, as if the ASA were the Cisco UP.
Figure 51-3 How the Security Appliance Represents Cisco Unified Presence – Certificate Impersonate

[Figure 51-3: Cisco UP – TLS (self-signed, or from local CA; Key 1) – ASA – TLS (Cisco UP certificate; Key 2), inspected and modified (if needed) – Internet – Microsoft Presence Server (Access Proxy, LCS/OCS Director). The ASA enrolls with the 3rd-party Certificate Authority using the FQDN of Cisco UP and receives a certificate with private key.]
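The two trust legs described above, written out as ASA CLI configuration. This is an added example, not configuration from the guide; the trustpoint names, key labels, subject names and the FQDN cup.example.com are assumed placeholders, and the federation leg uses manual (terminal) enrollment with the third-party CA.

```cisco
! --- Internal leg (Enterprise X): ASA <-> Cisco UP -------------------------
! Self-signed ASA certificate for the hop to Cisco UP. The guide also allows
! a local CA here; "enrollment self" is the self-signed variant.
crypto key generate rsa label cup_internal_key modulus 2048
crypto ca trustpoint cup_internal_tp
 enrollment self
 subject-name CN=asa-inside.example.com
 keypair cup_internal_key
crypto ca enroll cup_internal_tp noconfirm

! --- Federation leg: ASA <-> remote enterprise (Entity Y) -----------------
! Certificate impersonation: the ASA enrolls with the third-party CA using
! the Cisco UP FQDN as its own identity, so the remote peer sees "Cisco UP".
crypto key generate rsa label cup_fed_key modulus 2048
crypto ca trustpoint cup_fed_tp
 enrollment terminal
 subject-name CN=cup.example.com,O=Example Corp
 fqdn cup.example.com
 keypair cup_fed_key
! 1. Import the third-party CA certificate so the remote peer's chain can be
!    validated during the TLS handshake.
crypto ca authenticate cup_fed_tp
! 2. Generate the PKCS#10 request; it is printed on the terminal and is
!    submitted to the CA out of band. Its subject carries the Cisco UP FQDN.
crypto ca enroll cup_fed_tp
! 3. Paste the certificate issued by the CA back into the trustpoint.
crypto ca import cup_fed_tp certificate

! --- Verification ----------------------------------------------------------
! Confirm the federation certificate's subject is the Cisco UP FQDN and its
! issuer is the third-party CA, not the ASA itself.
show crypto ca certificates cup_fed_tp
```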