53-12
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter53 Configuring the TLS Proxy for Encrypted Voice Inspe ction
CTL Provider
Active Algorithms—Lists the active algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting
as a TLS client to the server), the user-defined algorithms replace the original ones from the hello
message for asymmetric encryption method between the two TLS legs. For example, the leg between
the proxy and Call Manager may be NULL cipher to offload the Call Manager.
Move Up—Moves an algorithm up in the list.
Move Down—Moves an algorithm down in the list.
Step5 Click Next.
The Add TLS Proxy Instance Wizard – Other Steps dialog box opens. The Other Steps dialog box
provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional
(see Add TLS Proxy Instance Wizard – Other Steps, page53-12).
Add TLS Proxy Instance Wizard – Other Steps
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
The last dialog box of the Add TLS Proxy Instance Wizard specifies the additional steps required to
make TLS Proxy fully functional. In particular, you need to perform the following tasks to complete the
TLS Proxy configuration:
Export the local CA certificate or LDC Issuer and install them on the original TLS server.
To export the LDC Issuer, go to Configuration > Firewall > Advanced > Certificate Management >
Identity Certificates > Export. See the “Exporting an Identity Certificate” section on page44-19.
For the TLS Proxy, enable Skinny and SIP inspection between the TLS server and TLS clients. See
SIP Inspection, page 48-24 and Skinny (SCCP) Inspection, page48-37. When you are configuring
the TLS Proxy for Presence Federation (which uses CUP), you only enable SIP inspection because
the feature supports only the SIP protocol.
For the TLS Proxy for CUMA, enable MMP inspection.
When using the internal Certificate Authority of the ASA to sign the LDC Issuer for TLS clients,
perform the following:
Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL
file on the ASA.
For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in Cisco
Unified CallManager Security Guide.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/5_0_4/secuauth.html
To install the CTL file on the ASA, go to Configuration > Firewall > Unified Communications
> CTL Provider > Add. The Add CTL Provider dialog box opens. For information on using this
dialog box to install the CTL file, see Add/Edit CTL Provider, page53-6.
Create a CTL provider instance for connections from the CTL clients. See Add/Edit CTL
Provider, page53-6.