51-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter51 Configuring Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
What to Do Next
Once you have created the trustpoints and installed the certificates for the local and remote entities on
the ASA, create the TLS proxy instance. See Creating the TLS Proxy Instance, page 51-12.
Creating the TLS Proxy Instance
Because either server can initiate the TLS handshake (unlike IP Telephony or Cisco Unified Mobility,
where only the clients initiate the TLS handshake), you must configure by-directional TLS proxy rules.
Each enterprise can have an ASA as the TLS proxy.
Create TLS proxy instances for the local and remote entity initiated connections respectively. The entity
that initiates the TLS connection is in the role of “TLS client”. Because the TLS proxy has a strict
definition of “client” and “server” proxy, two TLS proxy instances must be defined if either of the
entities could initiate the connection.
Command Purpose
Step1 ! Local entity to remote entity
hostname(config)# tls-proxy proxy_name
Example:
hostname(config)# tls-proxy ent_x_to_y
Creates the TLS proxy instance.
Step2 hostname(config-tlsp)# server trust-point proxy_name
Example:
hostname(config-tlsp)# server trust-point
ent_y_proxy
Specifies the proxy trustpoint certificate presented
during TLS handshake.
The certificate must be owned by the ASA (identity
certificate).
Where the proxy_name for the server trust-point
command is the remote entity proxy name.
Step3 hostname(config-tlsp)# client trust-point
proxy_trustpoint
Example:
hostname(config-tlsp)# client trust-point
ent_x_proxy
Specifies the trustpoint and associated certificate
that the ASA uses in the TLS handshake when the
ASA assumes the role of the TLS client.
The certificate must be owned by the ASA (identity
certificate).
Where the proxy_trustpoint for the client
trust-point command is the local entity proxy.
Step4 hostname(config-tlsp)# client cipher-suite
cipher_suite
Example:
hostname(config-tlsp)# client cipher-suite
aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Specifies cipher suite configuration.
For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite.
Step5 ! Remote entity to local entity
hostname(config)# tls-proxy proxy_name
Example:
tls-proxy ent_y_to_x
Creates the TLS proxy instance.
Step6 hostname(config-tlsp)# server trust-point proxy_name
Example:
hostname(config-tlsp)# server trust-point
ent_x_proxy
Specifies the proxy trustpoint certificate presented
during TLS handshake.
Where the proxy_name for the server trust-point
command is the local entity proxy name