Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Edit TLS Proxy Instance Client Configuration

53-14

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter53 Configuring the TLS Proxy for Encrypted Voice Inspe ction

CTL Provider

Edit TLS Proxy Instance – Client Configuration

Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.

The TLS Proxy enables inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting

with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.

The fields in the Edit TLS Proxy dialog box are identical to the fields displayed when you add a TLS

Proxy instance. Use the Edit TLS Proxy – Client Configuration tab to edit the client proxy parameters

for the original TLS Client, such as IP phones, CUMA clients, the Cisco Unified Presence Server

(CUPS), or the Microsoft OCS server.

Step1 Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Step2 To edit a TLS Proxy Instance, click Edit.

The Edit TLS Proxy Instance dialog box opens.

Step3 If necessary, click the Client Configuration tab.

Step4 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option

when the client proxy certificate is being used between two servers; for example, when configuring the

TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS

client and TLS server are both servers.

a. Check the Specify the proxy certificate for the TLS Client... check box.

b. Select a certificate from the drop-down list.

To create a new client proxy certificate, click Manage. The Manage Identify Certificates dialog box

opens. See the “Configuring Identity Certificates Authentication” section on page44-16.

Note When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode

for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate

authority to issue client or server dynamic certificates.

Step5 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and

configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS

clients.

a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones...

check box.

b. Click the Certificates radio button and select a self-signed certificate from the drop-down list or

click Manage to create a new LDC Issuer. The Manage Identify Certificates dialog box opens. See

the “Configuring Identity Certificates Authentication” section on page44-16.

Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you

specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA

server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using

the Local CA” section on page44-23.

Cisco Systems Edit TLS Proxy Instance Client Configuration