Cisco CP-7911G-CH1 Administration Guide - Page 182
Certificates Transport from CUCM to Secure SRST, Media Security on Unify SRST - SRTP
Information About Configuring Secure SRST
Configuring Secure SRST for SCCP and SIP

To generate the certificate for Credentials Server, perform the following procedures:

• Autoenrolling and Authenticating the Secure Cisco Unified SRST Router to the CA Server, page 188
• Enabling Credentials Service on the Secure Cisco Unified SRST Router, page 193
• Configuring SRST Fallback on Cisco Unified Communications Manager, page 204

Once the certificate is generated, fill in the name of the certificate (or the name of the trustpoint in IOS) in the "trustpoint" entry. This certificate for the Credentials Server on the Secure SRST will be seamlessly exported to the Cisco Unified CM when requested in the "Adding an SRST Reference to Cisco Unified Communications Manager" section on page 203.

Certificates Transport from CUCM to Secure SRST

For more information about Certificates Transport from CUCM to Secure SRST, see the "Importing Phone Certificate Files in PEM Format to the Secure SRST Router" section on page 195.

Media Security on Unify SRST - SRTP

Media encryption, which uses Secure Real-Time Protocol (SRTP), ensures that only the intended recipient can interpret the media streams between supported devices. Support includes audio streams only.

If the devices support SRTP, the system uses an SRTP connection. If at least one device does not support SRTP, the system uses an RTP connection. SRTP-to-RTP fallback may occur for transfers from a secure device to a non-secure device, transcoding, music-on-hold (MOH), and so on.

Note: Secure SRST handles media encryption keys differently for different devices and protocols. All phones that are running SCCP get their media encryption keys from SRST, which secures the media encryption key downloads to phones with TLS encrypted signaling channels. Phones that are running SIP generate and store their own media encryption keys. Media encryption keys that are derived by SRST securely get sent via encrypted signaling paths to gateways over IPSec-protected links for H.323.

Warning: Before you configure SRTP or signaling encryption for gateways and trunks, Cisco strongly recommends that you configure IPSec, because Cisco H.323 gateways and H.323/H.245/H.225 trunks rely on IPSec configuration to ensure that security-related information does not get sent in the clear. Cisco Unified SRST does not verify that you configured IPSec correctly. If you do not configure IPSec correctly, security-related information may get exposed.

Establishment of Secure Cisco Unified SRST to the Cisco Unified IP Phone

Figure 1 shows the interworking of the credentials server on the SRST router, Cisco Unified Communications Manager, and the Cisco Unified IP Phone. Table 2 describes the establishment of secure SRST to the Cisco Unified IP Phone.

182 Cisco Unified SCCP and SIP SRST System Administrator Guide OL-13143-04
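An added example, not taken from the Cisco guide: a Python audit of an IOS running-config for two points this page raises, namely that the "trustpoint" entry under credentials names a trustpoint that is actually defined, and that some IPSec crypto map is applied when SRTP is enabled (which SRST itself does not verify). The sample configs, the names srstca, wrongca and VPN-H323, the address, and the crypto-map presence heuristic are assumptions constructed for illustration.

```python
import re

def parse_blocks(config):
    """Group IOS config lines into (header, [children]) by indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def audit(config):
    """Return findings; an empty list means both checks passed."""
    blocks = parse_blocks(config)
    findings = []
    defined = {h.split()[3] for h, _ in blocks
               if re.match(r"crypto pki trustpoint \S+$", h)}
    cred = [c for h, kids in blocks if h == "credentials" for c in kids]
    named = [c.split()[1] for c in cred if re.match(r"trustpoint \S+$", c)]
    if not named:
        findings.append("credentials: no trustpoint entry")
    for name in named:
        if name not in defined:
            findings.append(f"credentials: trustpoint '{name}' is not defined")
    srtp_on = any(c == "srtp" or c.startswith("srtp ")
                  for _, kids in blocks for c in kids)
    # Assumption: an applied crypto map only shows IPsec is present, not correct.
    ipsec = any(h.startswith("interface ") and c.startswith("crypto map ")
                for h, kids in blocks for c in kids)
    if srtp_on and not ipsec:
        findings.append("srtp enabled but no crypto map on any interface")
    return findings

# Constructed sample configs (names and addresses are illustrative assumptions).
GOOD = """\
crypto pki trustpoint srstca
!
credentials
 ip source-address 10.1.1.22 port 2445
 trustpoint srstca
voice service voip
 srtp fallback
interface GigabitEthernet0/0
 crypto map VPN-H323
"""
BAD = GOOD.replace("\n trustpoint srstca", "\n trustpoint wrongca").replace(
    " crypto map VPN-H323\n", "")
```

Calling audit(GOOD) returns no findings, while audit(BAD) reports both the undefined trustpoint and the missing crypto map. A clean result does not show that the IPSec policy actually covers the H.323 peers; that still needs a manual review.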