Cisco Systems ASA5515K9, ASA 5500 Phone Proxy Guidelines and Limitations

48-12

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter48 Configuring the Cisco Phone Proxy

Phone Proxy Guidelines and Limitations

The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is

not configured for the Cisco UCM TFTP server, then the IP phones need to be configured with the Cisco

UCM cluster TFTP server address.

If NAT is configured for the Cisco UCM TFTP server, then the Cisco UCM TFTP server global address

is configured as the TFTP server address on the IP phones.

In both options, deploying a remote IP phone behind a commercial Cable/DSL router with NAT

capabilities is supported.

Option 1 (Recommended)

Stage the IP phones at corporate headquarters before sending them to the end users:

•The phones register inside the network. IT ensures there are no issues with the phone configurations,

image downloads, and registration.

•If Cisco UCM cluster was in mixed mode, the CTL file should be erased before sending the phone

to the end user.

Advantages of this option are:

•Easier to troubleshoot and isolate problems with the network or phone proxy because you know

whether the phone is registered and working with the Cisco UCM.

•Better user experience because the phone does not have to download firmware from over a

broadband connection, which can be slow and require the user to wait for a longer time.

Option 2

Send the IP phone to the end user. When using option 2, the user must be provided instructions to change

the settings on phones with the appropriate Cisco UCM and TFTP server IP address.

Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure

authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP

phone user and each user enters the password on the remote IP phones to retrieve the LSC.

Because using LSC provisioning to authenticate remote IP phones requires the IP phones first register

in nonsecure mode, Cisco recommends LSC provisioning be done inside the corporate network before

giving the IP phones to end-users. Otherwise, having the IP phones register in nonsecure mode requires

the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA.

See “Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server

on Publisher, page 48-49“. See also the Cisco Unified Communications Manager Security Guide for

information on Using the Certificate Authority Proxy Function (CAPF) to install a locally significant

certificate (LSC).

Phone Proxy Guidelines and Limitations

This section includes the following topics: