Home » Cisco Manuals » Telephony » Cisco CP-7911G-CH1 » Manual Viewer

Cisco CP-7911G-CH1 Administration Guide - Page 182

Certificates Transport from CUCM to Secure SRST, Media Security on Unify SRST - SRTP

Add to My Manuals
Save this manual to your list of manuals

Page 182 highlights

Information About Configuring Secure SRST Configuring Secure SRST for SCCP and SIP To generate the certificate for Credentials Server, perform the following procedures: • Autoenrolling and Authenticating the Secure Cisco Unified SRST Router to the CA Server, page 188 • Enabling Credentials Service on the Secure Cisco Unified SRST Router, page 193 • Configuring SRST Fallback on Cisco Unified Communications Manager, page 204 Once the certificate is generated, fill in the name of the certificate (or the name of the trustpoint in IOS) in the "trustpoint" entry. This certificate for the Credentials Server on the Secure SRST will be seamlessly exported to the Cisco Unified CM when requested in "Adding an SRST Reference to Cisco Unified Communications Manager" section on page 203. Certificates Transport from CUCM to Secure SRST For more information about Certificates Transport from CUCM to Secure SRST, see "Importing Phone Certificate Files in PEM Format to the Secure SRST Router" section on page 195. Media Security on Unify SRST - SRTP Media encryption, which uses Secure Real-Time Protocol (SRTP), ensures that only the intended recipient can interpret the media streams between supported devices. Support includes audio streams only. If the devices support SRTP, the system uses a SRTP connection. If at least one device does not support SRTP, the system uses an RTP connection. SRTP-to-RTP fallback may occur for transfers from a secure device to a non-secure device, transcoding, music-on-hold (MOH), and so on. Note Secure SRST handles media encryption keys differently for different devices and protocols. All phones that are running SCCP get their media encryption keys from SRST, which secures the media encryption key downloads to phones with TLS encrypted signaling channels. Phones that are running SIP generate and store their own media encryption keys. Media encryption keys that are derived by SRST securely get sent via encrypted signaling paths to gateways over IPSec-protected links for H.323. Warning Before you configure SRTP or signaling encryption for gateways and trunks, Cisco strongly recommends that you configure IPSec because Cisco H.323 gateways, and H.323/H.245/H.225 trunks rely on IPSec configuration to ensure that security-related information does not get sent in the clear. Cisco Uinified SRST does not verify that you configured IPSec correctly. If you do not configure IPSec correctly, security-related information may get exposed. Establishment of Secure Cisco Unified SRST to the Cisco Unified IP Phone Figure 1 shows the interworking of the credentials server on the SRST router, Cisco Unified Communications Manager, and the Cisco Unified IP Phone. Table 2 describes the establishment of secure SRST to the Cisco Unified IP Phone. 182 Cisco Unified SCCP and SIP SRST System Administrator Guide OL-13143-04

Section	Page
Cisco Unified SCCP and SIP SRST System Administrator Guide (All Versions)	1
Contents	3
Cisco Unified SCCP and SIP SRST Feature Overview	11
Contents	11
Cisco Unified SCCP SRST	11
Information About SCCP SRST	12
Prerequisites for Configuring Cisco Unified SCCP SRST	14
Installing Cisco Unified Communications Manager	15
Installing Cisco Unified SCCP SRST	15
Installing Cisco Unified SRST V3.0 and Later Versions	15
Installing Cisco Unified SRST V2.0 and V2.1	15
Installing Cisco Unified SRST V1.0	15
Integrating Cisco Unified SCCP SRST with Cisco Unified Communications Manager	16
If You Have Cisco Communications Manager V3.3 or Later Versions	16
If You Have Cisco Unified Communications Manager Version Prior to V3.3	16
Restrictions for Configuring Cisco Unified SCCP SRST	17
Cisco Unified SIP SRST	19
Information About SIP SRST	19
Prerequisites for Configuring Cisco Unified SIP SRST	19
Restrictions for Configuring Cisco Unified SIP SRST	19
MGCP Gateways and SRST	23
Support for Cisco Unified IP Phones and Platforms	23
Finding Cisco IOS Software Releases That Support Cisco Unified SRST	23
Cisco Unified IP Phone Support	24
Platform and Memory Support	24
Determining Platform Support Through Cisco Feature Navigator	24
Availability of Cisco IOS Software Images	24
Cisco Unified Communications Manager Compatibility	24
Signal Support	25
Language Support	25
Switch Support	25
Where to Go Next	25
Additional References	26
Related Documents	27
Standards	29
MIBs	29
RFCs	29
Technical Assistance	29
Obtaining Documentation, Obtaining Support, and Security Guidelines	29
Cisco Unified Survivable Remote Site Telephony Feature Roadmap	31
Contents	31
Documentation Organization	32
Feature Roadmap	33
Information About New Features in Cisco Unified SRST	38
New Features in Cisco Unified SRST Version 9.0	38
Support for Cisco Unified 6901 and 6911 SIP IP Phones	38
Support for Cisco Unified 6921, 6941, 6945, and 6961 SIP IP Phones	40
Support for Cisco Unified 8941 and 8945 SIP IP Phones	41
Multiple Calls Per Line	42
Cisco Unified 8941 and 8945 SCCP IP Phones	42
Cisco Unified 6921, 6941, 6945, 6961, 8941, and 8945 SIP IP Phones	42
Voice and Fax Support on Cisco ATA-187	43
New Features in Cisco Unified SRST Version 8.8	44
Support for Cisco Unified 6945, 8941, and 8945 SCCP IP Phones	44
New Features in Cisco Unified SRST Version 8.0	45
New Features in Cisco Unified SRST Version 7.0/4.3	45
New Features in Cisco Unified SRST Version 4.2(1)	46
New Features in Cisco Unified SRST Version 4.1	46
New Features in Cisco Unified SRST Version 4.0	46
Additional Cisco Unified IP Phone Support	46
Cisco IP Communicator Support	47
Fax Passthrough using SCCP and ATAs Support	47
H.323 VoIP Call Preservation Enhancements for WAN Link Failures for SCCP Phones	47
Video Support	47
New Features in Cisco Unified SRST Version 3.4	48
Cisco SIP SRST 3.4	48
New Features in Cisco SRST Version 3.3	48
Secure SRST	48
Cisco Unified IP Phone 7970G and Cisco Unified 7971G-GE Support	49
Enhancement to the show ephone Command	49
New Features in Cisco SRST Version 3.2	49
Enhancement to the alias Command	50
Enhancement to the cor Command	50
Enhancement to the pickup Command	50
Enhancement to the user-locale Command	50
Increased the Number of Cisco Unified IP Phones Supported on the Cisco 3845	50
MOH Live-Feed Support	50
No Timeout for Call Preservation	51
RFC 2833 DTMF Relay Support	51
Translation Profile Support	51
New Features in Cisco SRST Version 3.1	52
Cisco Unified IP Phone 7920 Support	52
Cisco Unified IP Phone 7936 Support	52
New Features in Cisco SRST Version 3.0	53
Additional Language Options for IP Phone Display	53
Consultative Call Transfer and Forward Using H.450.2 and H.450.3 for SCCP Phones	54
Customized System Message for Cisco Unified IP Phones	54
Dual-Line Mode	54
E1 R2 Signaling Support	54
European Date Formats	56
Huntstop for Dual-Line Mode	56
Music-on-Hold for Multicast from Flash Files	56
Ringing Timeout Default	56
Secondary Dial Tone	56
Enhancement to the show ephone Command	56
System Log Messages for Phone Registrations	57
Three-Party G.711 Ad Hoc Conferencing	57
Support for Cisco VG248 Analog Phone Gateway 1.2(1) and Higher Versions	57
New Features in Cisco SRST Version 2.1	57
Additional Language Options for IP Phone Display	58
Cisco SRST Aggregation	58
Cisco ATA 186 and ATA 188 Support	58
Cisco Unified IP Phone 7902G Support	58
Cisco Unified IP Phone 7905G Support	59
Cisco Unified IP Phone 7912G Support	59
Cisco Unified IP Phone Expansion Module 7914 Support	59
Enhancement to the dialplan-pattern Command	59
New Features in Cisco SRST Version 2.02	59
Cisco Unified IP Phone Conference Station 7935 Support	60
Increase in Directory Numbers	60
Cisco Unity Voice Mail Integration Using In-Band DTMF Signaling Across the PSTN and BRI/PRI	60
Where to Go Next	61
Setting Up the Network	63
Contents	63
Information About Setting Up the Network	64
How to Set Up the Network	64
Enabling IP Routing	64
Enabling Cisco Unified SRST on an MGCP Gateway	64
Configuring Cisco Unified SRST on an MGCP Gateway Prior to Cisco IOS Release 12.3(14)T	65
SUMMARY STEPS	65
DETAILED STEPS	65
Configuring SRST on an MGCP Gateway Using Cisco IOS Release 12.3(14)T or Later Releases	66
Restrictions	66
SUMMARY STEPS	67
DETAILED STEPS	67
Configuration Example of Enabling SRST on a MGCP Gateway using Cisco IOS Release 12.3(14)T	68
Configuring DHCP for Cisco Unified SRST Phones	70
Defining a Single DHCP IP Address Pool	70
SUMMARY STEPS	70
DETAILED STEPS	71
Defining a Separate DHCP IP Address Pool for Each Cisco Unified IP Phone	71
SUMMARY STEPS	71
DETAILED STEPS	72
Defining the DHCP Relay Server	72
SUMMARY STEPS	72
DETAILED STEPS	73
Specifying Keepalive Intervals	73
SUMMARY STEPS	73
DETAILED STEPS	74
Examples	74
Where to Go Next	74
Cisco Unified SIP SRST 4.1	75
Contents	75
Prerequisites for Cisco Unified SIP SRST 4.1	75
Restrictions for Cisco Unified SIP SRST 4.1	76
Information About Cisco Unified SIP SRST 4.1	76
Out-of-Dialog REFER	76
Digit Collection on SIP Phones	77
KPML Digit Collection	77
SIP Dial Plans	77
Caller ID Display	78
Disabling SIP Supplementary Services for Call Forward and Call Transfer	78
Idle Prompt Status	78
Enhanced 911 Services	78
How to Configure Cisco Unified SIP SRST 4.1 Features	79
Enabling KPML for SIP Phones	79
Restrictions	79
SUMMARY STEPS	79
DETAILED STEPS	80
What to Do Next	80
Disabling SIP Supplementary Services for Call Forward and Call Transfer	81
SUMMARY STEPS	81
DETAILED STEPS	81
Configuring Idle Prompt Status for SIP Phones	82
Prerequisites	82
SUMMARY STEPS	82
DETAILED STEPS	83
Where to Go Next	83
Setting Up Cisco Unified IP Phones using SCCP	85
Contents	85
Information About Setting Up Cisco Unified IP Phones	85
How to Set Up Cisco Unified IP Phones	86
Configuring Cisco Unified SRST to Support Phone Functions	86
SUMMARY STEPS	86
DETAILED STEPS	87
Configuring Cisco Unified 8941 and 8945 SCCP IP Phones	88
SUMMARY STEPS	88
DETAILED STEPS	89
Verifying That Cisco Unified SRST Is Enabled	89
Configuring IP Phone Clock, Date, and Time Formats	90
SUMMARY STEPS	90
DETAILED STEPS	91
Example	91
Configuring IP Phone Language Display	92
SUMMARY STEPS	92
DETAILED STEPS	93
Examples	93
Configuring Customized System Messages for Cisco Unified IP Phones	94
SUMMARY STEPS	94
DETAILED STEPS	94
Examples	95
Configuring a Secondary Dial Tone	95
SUMMARY STEPS	95
DETAILED STEPS	95
Examples	95
Configuring Dual-Line Phones	96
SUMMARY STEPS	96
DETAILED STEPS	97
Examples	97
Configuring Eight Calls per Button (Octo-Line)	98
Prerequisites	98
Restrictions	98
SUMMARY STEPS	98
DETAILED STEPS	99
Examples	100
Configuring the Maximum Number of Calls	100
Prerequisites	100
SUMMARY STEPS	100
DETAILED STEPS	100
Troubleshooting	102
How to Set Up Cisco IP Communicator for Cisco Unified SRST	102
Prerequisites	102
Verifying Cisco IP Communicator	103
Troubleshooting Cisco IP Communicator	103
Where to Go Next	103
Setting Up Cisco Unified IP Phones using SIP	105
Contents	105
Prerequisites for Configuring the SIP Registrar	105
Restrictions for Configuring the SIP Registrar	105
Information About Configuring the SIP Registrar	106
How to Configure the SIP Registrar	106
Configuring the SIP Registrar	106
SUMMARY STEPS	107
DETAILED STEPS	107
What to Do Next	108
Configuring Backup Registrar Service to SIP Phones	108
Prerequisites	109
Restrictions	109
SUMMARY STEPS	109
DETAILED STEPS	110
What to Do Next	111
Configuring Backup Registrar Service to SIP Phones (Using Optional Commands)	112
Prerequisites	112
SUMMARY STEPS	112
DETAILED STEPS	112
Examples	115
Verifying SIP Registrar Configuration	115
SUMMARY STEPS	115
DETAILED STEPS	116
Verifying Proxy Dial-Peer Configuration	117
SUMMARY STEPS	117
DETAILED STEPS	118
Where to Go Next	120
Configuring Call Handling	123
Contents	123
Prerequisites for Configuring SIP SRST Features Using Back-to-Back User Agent Mode	123
Restrictions for Configuring SIP SRST Features Using Back-to-Back User Agent Mode	124
Information About Configuring SCCP SRST Call Handling	124
H.323 VoIP Call Preservation Enhancements for WAN Link Failures	124
Toll Fraud Prevention	124
Information About Configuring SIP SRST Features Using Back-to-Back User Agent Mode	125
Cisco Unified SIP SRST and Cisco SIP Communications Manager Express Feature Crossover	125
How to Configure Cisco Unified SCCP SRST	127
Configuring Incoming Calls	127
Configuring Call Forwarding During a Busy Signal or No Answer	128
SUMMARY STEPS	128
DETAILED STEPS	128
Examples	129
Configuring Call Rerouting	129
Call Forward Destination	130
Huntstop on an Individual Alias	130
SUMMARY STEPS	131
DETAILED STEPS	131
Examples	132
Configuring Call Pickup	132
SUMMARY STEPS	133
DETAILED STEPS	133
Examples	134
Configuring Consultative Transfer	134
Conference Calls	135
Configuring Transfer Digit Collection Method	136
Prerequisites for Cisco Unified SRST 4.3	136
Restrictions for Cisco Unified SRST 4.3	136
SUMMARY STEPS	136
DETAILED STEPS	136
Examples	137
Configuring Global Prefixes	137
SUMMARY STEPS	137
DETAILED STEPS	138
Examples	138
Enabling Digit Translation Rules	139
SUMMARY STEPS	139
DETAILED STEPS	140
Examples	140
Enabling Translation Profiles	140
SUMMARY STEPS	141
DETAILED STEPS	142
Examples	143
Verifying Translation Profiles	143
SUMMARY STEPS	143
DETAILED STEPS	144
Configuring Dial-Peer and Channel Hunting	144
SUMMARY STEPS	144
DETAILED STEPS	145
Examples	145
Configuring Busy Timeout	145
SUMMARY STEPS	145
DETAILED STEPS	146
Examples	146
Configuring the Ringing Timeout Default	146
SUMMARY STEPS	146
DETAILED STEPS	147
Examples	147
Configuring Outgoing Calls	147
Configuring Local and Remote Call Transfer	147
SUMMARY STEPS	148
DETAILED STEPS	148
Examples	148
Enabling Consultative Call Transfer and Forward Using H.450.2 and H.450.3 with Cisco SRST 3.0	148
Prerequisites	149
Restrictions	149
SUMMARY STEPS	149
DETAILED STEPS	150
Examples	151
Enabling Analog Transfer Using Hookflash and the H.450.2 Standard with Cisco SRST 3.0 or Earlier	152
Prerequisites	152
Restrictions	153
SUMMARY STEPS	153
DETAILED STEPS	154
Examples	155
Configuring Trunk Access Codes	156
SUMMARY STEPS	156
DETAILED STEPS	157
Examples	157
Configuring Interdigit Timeout Values	157
SUMMARY STEPS	158
DETAILED STEPS	158
Examples	158
Configuring Class of Restriction	158
SUMMARY STEPS	159
DETAILED STEPS	160
Examples	160
Call Blocking (Toll Bar) Based on Time of Day and Day of Week or Date	162
SUMMARY STEPS	162
DETAILED STEPS	162
Examples	163
How to Configure Cisco Unified SIP SRST	164
Configuring SIP Phone Features	164
SUMMARY STEPS	164
DETAILED STEPS	165
Configuring SIP-to-SIP Call Forwarding	166
SUMMARY STEPS	167
DETAILED STEPS	167
Configuring Call Blocking Based on Time of Day, Day of Week, or Date	168
SUMMARY STEPS	169
DETAILED STEPS	169
Examples	171
Verification	171
SIP Call Hold and Resume	172
Examples	172
How to Configure Optional Features	174
Enabling Three-Party G.711 Ad Hoc Conferencing	174
SUMMARY STEPS	174
DETAILED STEPS	175
Examples	175
Defining XML API Schema	176
SUMMARY STEPS	176
DETAILED STEPS	176
Where to Go Next	176
Configuring Secure SRST for SCCP and SIP	177
Contents	177
Prerequisites for Configuring Secure SRST	177
Restrictions for Configuring Secure SRST	178
Information About Configuring Secure SRST	179
Benefits of Secure SRST	179
Cisco IP Phones Clear-Text Fallback During Non-Secure SRST	179
Signaling Security on Unify SRST - TLS	180
SRST Routers and the TLS Protocol	180
Certificates Operation on Secure SRST	180
Cisco Unified SRST Routers and PKI	180
Cisco IOS Credentials Server on Secure SRST Routers	181
Generating a Certificate for the Credentials Server	181
Certificates Transport from CUCM to Secure SRST	182
Media Security on Unify SRST - SRTP	182
Establishment of Secure Cisco Unified SRST to the Cisco Unified IP Phone	182
Secure SRST Authentication and Encryption	184
How to Configure Secure Unified SRST	185
Preparing the Cisco Unified SRST Router for Secure Communication	186
Configuring a Certificate Authority Server on a Cisco IOS Certificate Server	186
SUMMARY STEPS	186
DETAILED STEPS	187
Examples	188
Autoenrolling and Authenticating the Secure Cisco Unified SRST Router to the CA Server	188
SUMMARY STEPS	188
DETAILED STEPS	189
Examples	190
Disabling Automatic Certificate Enrollment	190
SUMMARY STEPS	190
DETAILED STEPS	191
What to Do Next	191
Verifying Certificate Enrollment	191
SUMMARY STEPS	191
DETAILED STEPS	192
Enabling Credentials Service on the Secure Cisco Unified SRST Router	193
SUMMARY STEPS	194
DETAILED STEPS	194
Examples	194
Troubleshooting Credential Settings	195
SUMMARY STEPS	195
DETAILED STEPS	195
Importing Phone Certificate Files in PEM Format to the Secure SRST Router	195
Cisco Unified Communications Manager 4.X.X and Earlier Versions	196
Cisco Unified Communications Manager 5.0 and Later Versions	196
Prerequisites	196
Cisco Unified Communications Manager 6.0 and Later Versions	197
Authenticating the Imported Certificates on the Cisco Unified SRST Router	197
Restrictions	197
SUMMARY STEPS	197
DETAILED STEPS	197
What to Do Next	198
Examples	198
Cisco Unified Communications Manager 4.X.X and Earlier Versions: Example	198
Cisco Unified Communications Manager 5.0 and Later Versions Example	201
Configuring Cisco Unified Communications Manager to the Secure Cisco Unified SRST Router	203
Adding an SRST Reference to Cisco Unified Communications Manager	203
Configuring SRST Fallback on Cisco Unified Communications Manager	204
Configuring CAPF on Cisco Unified Communications Manager	205
Enabling SRST Mode on the Secure Cisco Unified SRST Router	206
SUMMARY STEPS	206
DETAILED STEPS	206
Examples	207
Configuring Secure SCCP SRST	207
Prerequisites for Configuring Secure SCCP SRST	208
Restrictions for Configuring Secure SCCP SRST	208
Verifying Phone Status and Registrations	208
SUMMARY STEPS	208
DETAILED STEPS	209
Configuration Examples for Secure SCCP SRST	215
Secure SCCP SRST: Example	215
Control Plane Policing: Example	220
Configuring Secure SIP Call Signaling and SRTP Media with Cisco SRST	221
Prerequisites for Configuring Secure SIP Call Signaling and SRTP Media with Cisco SRST	221
Restrictions for Configuring Secure SIP Call Signaling and SRTP Media with Cisco SRST	221
Information About Cisco Unified SIP SRST Support of Secure SIP Signaling and SRTP Media	222
Configuring Cisco Unified Communications Manager	222
Configuring SIP SRTP for Encrypted Phones	223
SUMMARY STEPS	223
DETAILED STEPS	223
Configuring SIP options for Secure SIP SRST	224
SUMMARY STEPS	224
DETAILED STEPS	225
Configuring SIP SRST Security Policy	225
SUMMARY STEPS	225
DETAILED STEPS	226
Configuring SIP User Agent for Secure SIP SRST	226
SUMMARY STEPS	226
DETAILED STEPS	227
Verifying the Configuration	227
Configuration Example for Cisco Unified SIP SRST	228
Additional References	230
Related Documents	230
Standards	231
MIBs	231
RFCs	231
Technical Assistance	231
Command Reference	232
Feature Information for Secure SCCP and SIP SRST	233
Where to Go Next	233
Integrating Voice Mail with Cisco Unified SRST	235
Contents	235
Information About Integrating Voice Mail with Cisco Unified SCCP SRST	235
How to Integrate Voice Mail with Cisco Unified SCCP and SIP SRST	237
Configuring Direct Access to Voice Mail	237
SUMMARY STEPS	237
DETAILED STEPS	238
Examples	240
Configuring Message Buttons	240
SUMMARY STEPS	241
DETAILED STEPS	241
Examples	242
Redirecting to Cisco Unified Communications Manager Gateway	243
Configuring Call Forwarding to Voice Mail	243
Call Routing Instructions Using DTMF Digit Patterns	243
Prerequisites	245
SUMMARY STEPS	245
DETAILED STEPS	246
Examples	247
Configuring Message Waiting Indication	247
SUMMARY STEPS	248
DETAILED STEPS	248
Configuration Examples for SCCP SRST	249
Configuring Local Voice-Mail System (FXO and FXS): Example	249
Configuring Central Location Voice-Mail System (FXO and FXS): Example	250
Configuring Voice-Mail Access over FXO and FXS: Example	251
Configuring Voice-Mail Access over BRI and PRI: Example	251
How to Configure DTMF Relay for SIP Applications and Voice Mail	252
DTMF Relay Using SIP RFC 2833	252
SUMMARY STEPS	253
DETAILED STEPS	253
Troubleshooting Tips	254
DTMF Relay Using SIP Notify (Nonstandard)	254
SUMMARY STEPS	254
DETAILED STEPS	255
Troubleshooting Tips	255
Where to Go Next	256
Setting Video Parameters	257
Contents	257
Prerequisites for Setting Video Parameters	257
Restrictions for Setting Video Parameters	258
Information About Setting Video Parameters	258

Match case Limit results 1 per page

Configuring Secure SRST for SCCP and SIP

Information About Configuring Secure SRST

182

Cisco Unified SCCP and SIP SRST System Administrator Guide

OL-13143-04

To generate the certificate for Credentials Server, perform the following procedures:

•

Autoenrolling and Authenticating the Secure Cisco Unified SRST Router to the CA Server,

page 188

•

Enabling Credentials Service on the Secure Cisco Unified SRST Router, page 193

•

Configuring SRST Fallback on Cisco Unified Communications Manager, page 204

Once the certificate is generated,

fill in the name of the certificate (or the name of the trustpoint in IOS)

in the "trustpoint" entry.

This certificate for the Credentials Server on the Secure SRST will be seamlessly exported to the Cisco

Unified CM when requested in

“Adding an SRST Reference to Cisco Unified Communications

Manager” section on page 203

Certificates Transport from CUCM to Secure SRST

For more information about Certificates Transport from CUCM to Secure SRST, see

“Importing Phone

Certificate Files in PEM Format to the Secure SRST Router” section on page 195

Media Security on Unify SRST - SRTP

Media encryption, which uses Secure Real-Time Protocol (SRTP), ensures that only the intended

recipient can interpret the media streams between supported devices. Support includes audio streams

only.

If the devices support SRTP, the system uses a SRTP connection. If at least one device does not support

SRTP, the system uses an RTP connection. SRTP-to-RTP fallback may occur for transfers from a secure

device to a non-secure device, transcoding, music-on-hold (MOH), and so on.

Note

Secure SRST handles media encryption keys differently for different devices and protocols. All

phones that are running SCCP get their media encryption keys from SRST, which secures the

media encryption key downloads to phones with TLS encrypted signaling channels. Phones that

are running SIP generate and store their own media encryption keys. Media encryption keys that

are derived by SRST securely get sent via encrypted signaling paths to gateways over

IPSec-protected links for H.323.

Warning

Before you configure SRTP or signaling encryption for gateways and trunks, Cisco strongly

recommends that you configure IPSec because Cisco H.323 gateways, and H.323/H.245/H.225 trunks

rely on IPSec configuration to ensure that security-related information does not get sent in the clear.

Cisco Uinified SRST does not verify that you configured IPSec correctly. If you do not configure IPSec

correctly, security-related information may get exposed.

Establishment of Secure Cisco Unified SRST to the Cisco Unified IP Phone

Figure 1

shows the interworking of the credentials server on the SRST router, Cisco Unified

Communications Manager, and the Cisco Unified IP Phone.

Table 2

describes the establishment of

secure SRST to the Cisco Unified IP Phone.