Chapter 21 Configuring Cisco Intercompany Media Engine Proxy

Creating the TLS Proxy

Because either enterprise, namely the local or remote Cisco UCM servers, can initiate the TLS handshake (unlike IP Telephony or Cisco Mobility Advantage, where only the clients initiate the TLS handshake), you must configure bidirectional TLS proxy rules. Each enterprise can have an ASA as the TLS proxy.

Create TLS proxy instances for the local and remote entity initiated connections respectively. The entity that initiates the TLS connection is in the role of “TLS client.” Because the TLS proxy has a strict definition of “client” and “server” proxy, two TLS proxy instances must be defined if either of the entities could initiate the connection.

The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task.

To create the TLS proxy, perform the following steps:

Step 1

Command: hostname(config)# tls-proxy proxy_name

Example: hostname(config)# tls-proxy local_to_remote-ent

Purpose: Creates the TLS proxy for the outbound connections.

Step 2

Command: hostname(config-tlsp)# client trust-point proxy_trustpoint

Example: hostname(config-tlsp)# client trust-point local-ent

Purpose: For outbound connections, specifies the trustpoint and associated certificate that the adaptive security appliance uses in the TLS handshake when the adaptive security appliance assumes the role of the TLS client. The certificate must be owned by the adaptive security appliance (identity certificate). Where proxy_trustpoint specifies the trustpoint defined by the crypto ca trustpoint command in Step 2 in the “Creating Trustpoints and Generating Certificates” section on page 21-21.

Step 3

Command: hostname(config-tlsp)# client cipher-suite cipher_suite

Example: hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Purpose: For outbound connections, controls the TLS handshake parameter for the cipher suite. Where cipher_suite includes des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, or null-sha1. For client proxy (the proxy acts as a TLS client to the server), the user-defined cipher suite replaces the default cipher suite, or the one defined by the ssl encryption command. Use this command to achieve different ciphers between the two TLS sessions. You should use AES ciphers with the Cisco UCM server.

Step 4

Command: hostname(config-tlsp)# exit

Purpose: Exits from the TLS proxy configuration mode.

Step 5

Command: hostname(config)# tls-proxy proxy_name

Example: hostname(config)# tls-proxy remote_to_local-ent

Purpose: Creates the TLS proxy for inbound connections.
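The five steps above assembled into one configuration, as an added example that is not taken from the guide: the outbound instance follows Steps 1 through 4, while the inbound instance from Step 5 is completed with a server trust-point line that this page does not show and that is therefore an assumption, as is reusing the local-ent trustpoint for it.

```cisco
! Outbound instance (Steps 1-4): the local Cisco UCM initiates the TLS
! handshake, so the ASA takes the TLS client role toward the remote
! enterprise and presents the identity certificate of trustpoint local-ent.
tls-proxy local_to_remote-ent
 client trust-point local-ent
 ! Ciphers the ASA offers as TLS client for this proxy only; the list
 ! replaces the default list and the one set by ssl encryption.
 ! The page's list also contains null-sha1, which gives integrity but no
 ! confidentiality: if the peer selects it, the session is unencrypted.
 ! des-sha1 and null-sha1 are deliberately left out here; AES is preferred
 ! toward Cisco UCM, as the guide recommends.
 client cipher-suite aes256-sha1 aes128-sha1 3des-sha1
 exit
!
! Inbound instance (Step 5): the remote Cisco UCM initiates, so the ASA
! takes the TLS server role toward it. The server trust-point line is an
! assumption (not shown on this page); it selects the identity certificate
! the ASA presents to the remote peer.
tls-proxy remote_to_local-ent
 server trust-point local-ent
 exit
!
! Assumed verification step: confirm both instances are present with the
! intended trustpoints and cipher list before binding them to a policy.
show running-config tls-proxy
```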

Cisco ASA Series Firewall ASDM Configuration Guide

21-24

