TLS 1.2 for On-Premises Cisco Collaboration Deployments


First Published: October 5, 2017
Last Updated: April 20, 2018

Introduction

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a network. However, SSL, TLS 1.0, and sometimes TLS 1.1 may not provide the level of security required by an organization. Many organizations may require TLS 1.2.

This white paper provides information on TLS 1.2 support and on the ability to disable lower versions of TLS for on-premises Cisco Collaboration deployments. It also discusses the implications of disabling TLS 1.0 and 1.1. However, it does not discuss cipher suite support with TLS 1.2.

This document also complements the following:
TLS 1.2 Compatibility Matrix for Cisco Collaboration Products: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/compatibility/tls/tls1-2-compatibility-matrix.html
TLS 1.2 Configuration Overview Guide: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/tls/tls-1-2-configuration-overview-Guide.html

Terminology

TLS Client and Server Interfaces

In a TLS connection, the device that initiates the TLS request is known as the TLS client and its interface is known as the outbound interface or client interface. On the other side of the connection, the device that receives the TLS request is known as the TLS server and its interface is known as the inbound interface or server interface. Figure 1 provides an illustration of this terminology.

Figure 1: TLS Client and TLS Server

Cisco Systems, Inc. www.cisco.com

In a collaboration solution, endpoints or phones are considered clients. Applications such as Cisco Unified Communications Manager (Unified CM) are considered servers based on their main function within the Cisco Collaboration deployment. However, from a TLS connection standpoint, the definition of a client and a server is different. A device can have both client interfaces and server interfaces. For example, an endpoint has an interface for call signaling (SIP or SCCP) that could be encrypted and acts as a TLS client to Unified CM. An endpoint also has a web interface for the endpoint's internal web server that could be encrypted (HTTPS), causing the endpoint to act as a TLS server. Figure 2 provides an example of the TLS server interface and TLS client interfaces on an endpoint. Similarly, Unified CM has TLS client interfaces such as the secure LDAP interface and has TLS server interfaces such as the web interface. Figure 3 provides an example of the TLS server and TLS client interfaces with Unified CM.

Figure 2: Example of TLS Server and TLS Client Interfaces with Endpoint

Figure 3: Example of TLS Server and TLS Client Interfaces with Unified CM

TLS Version Negotiation Defaults to TLS 1.2

If a TLS client and TLS server both support TLS 1.2, then by default TLS version 1.2 is negotiated, even if they also support TLS 1.0 and TLS 1.1. A TLS handshake initiates a TLS connection. At the beginning of the TLS handshake, the TLS client sends a ClientHello that includes the TLS version. If the TLS client supports TLS 1.0, 1.1, and 1.2, by default it first sends the ClientHello with the TLS version set to 1.2. If the TLS server also supports TLS 1.2, then it replies with a ServerHello with the TLS version set to 1.2. The TLS version negotiation is complete at this point, even if the client or server also supports TLS 1.0/1.1. However, if there was an issue with the first TLS 1.2 handshake, the TLS client would indicate TLS 1.0 or 1.1 in subsequent ClientHello messages. A normal TLS negotiation is illustrated in Figure 3.

Figure 3: TLS 1.2 Negotiated When TLS Client and Server Support Both TLS 1.2 and Prior TLS Versions

Most of the components in Cisco Collaboration Systems Release 12.0 support TLS 1.2. For a list of Cisco Collaboration products that support TLS 1.2, refer to the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/compatibility/tls/TLS1-2-Compatibility-Matrix.html.

Note: SSL has been removed from most of the Cisco Collaboration products and from all products listed in the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products.

Disabling TLS 1.0/1.1

TLS version 1.2 should always be negotiated between devices that support TLS 1.2, even if they also support TLS 1.0 and TLS 1.1. However, there could be Man-in-the-Middle (MitM) attacks that attempt to alter the TLS handshake and negotiate a lower version of TLS or even SSL. To prevent this from happening, disable TLS 1.0 (and, ideally, TLS 1.1), thus restricting all TLS communications to TLS 1.1 and 1.2 (or to TLS 1.2 only). The TLS 1.2 Compatibility Matrix for Cisco Collaboration Products indicates the minimum versions of Cisco Collaboration products that can disable TLS versions 1.0 and 1.1.

Disabling TLS 1.0/1.1 on TLS connections could in theory be done either on the client interfaces or on the server interfaces; it does not need to be done on both interface types. With Cisco Collaboration products, it is done on the server interface. When an administrator disables TLS 1.0/1.1, the TLS server interfaces no longer allow TLS 1.0/1.1. In some cases, in addition to TLS server interfaces, disabling TLS 1.0/1.1 could also apply to TLS client interfaces, for example the LDAP client interface or the SIP client interface in Unified CM. Figure 4 shows the typical implementation, where the configuration to disable TLS 1.0 and 1.1 applies to the server interface and where the version for the TLS connection is therefore restricted to 1.2. This is what the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products tracks. It considers that a product can disable TLS version 1.0/1.1 if all the TLS server interfaces of that product can disable TLS versions 1.0 and 1.1. The client interfaces may still allow TLS 1.0/1.1; it is not required to disable TLS 1.0/1.1 on the client interfaces.

Figure 4: Configuration to Disable TLS 1.0/1.1 Applies to Server Interface

Disabling TLS 1.0/1.1 might result in compatibility issues if some components do not support TLS 1.2. Before you disable TLS 1.0/1.1, verify that all the products in your deployment support TLS 1.2 and consider the limitations described in the following section.

Limitations When Disabling TLS 1.0/1.1

When you disable a version (or versions) of TLS on a product, ensure that there is still a common version of TLS that can be negotiated with the other products that connect to it. For example, if you disable TLS 1.0 and TLS 1.1 on Unified CM, ensure that all the products connecting to Unified CM through a TLS connection support TLS 1.2. If not, there may be interoperability issues. For a list of products supporting TLS 1.2, refer to the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products. The following sections describe some of the key limitations of disabling TLS 1.0/1.1.

Limitations When Disabling TLS 1.0/1.1 on Unified CM

When you disable TLS 1.0/1.1 on a Unified CM node, it sets the minimum version of TLS and applies this version to all server interfaces in the Unified CM node, such as the HTTPS web server interface, the SIP server interface, and the Certificate Trust List (CTL) provider server interface. It also applies the version to some client interfaces, such as the SIP client interface, when the minimum TLS version is set to TLS 1.1 or 1.2.

Certificate Trust List Client

The main limitation with Unified CM is with the Certificate Trust List (CTL) Client. The CTL Client that is used with the USB eTokens to enable Unified CM mixed-mode does not support TLS 1.2, even with Unified CM 12.0.
Workaround: Enable TLS 1.0 temporarily on Unified CM when enabling mixed-mode or when updating the CTL file.
Workaround: Migrate to the Tokenless CTL (CLI-based).

Cisco IP Phone Address Book Synchronizer

Cisco IP Phone Address Book Synchronizer enables users to synchronize their Microsoft Windows Address Book with the Cisco Personal Address Book. This client only supports TLS 1.0.
Workaround: There is no workaround.

Interconnectivity with Unified CM Clusters Running an Older Release

Releases before Unified CM 10.5(2) do not support TLS 1.2. Therefore, interconnecting with those older clusters may be limited if you restrict the TLS version on your local Unified CM cluster. For example, secure SIP trunks, secure Location Bandwidth Management (LBM), Intercluster Lookup Service (ILS), and the remote cluster discovery service used with Extension Mobility Cross Cluster (EMCC) may not be functional.
Workaround: Unified CM 10.5(2) introduced TLS 1.2 support for many interfaces including SIP, but for TLS 1.2 support on all Unified CM interfaces, deploy Unified CM 11.5(1)SU3 or later.

Interconnectivity with Older Products Through SIP Trunks

Disabling TLS 1.0/1.1 applies to SIP server interfaces and SIP client interfaces.
Workaround: Ensure that the products that your Unified CM nodes connect to through a SIP trunk also support TLS 1.2. For example, if Cisco Unified Border Element (CUBE) is deployed, ensure it is running a release that supports TLS 1.2.

Interoperability with Older Phones

This limitation is discussed in the following section.

Limitations of Older Phones

Disabling TLS 1.0/1.1 in Unified CM can also have significant implications for older phones, such as the Cisco Unified IP Phone 8961, Cisco Unified IP Phone 9900, 7900, 6900, 3900 Series, and Cisco IP Communicator. Those older phones do not support TLS 1.1 and TLS 1.2. Therefore, if Unified CM is configured with the minimum TLS version set to 1.1 or 1.2, those phones cannot establish TLS connections to it. For some interfaces, a workaround is to use non-encrypted connections instead, but doing this may be a security issue. Other Unified CM interfaces like Trust Verification Service (TVS) and Certificate Authority Proxy Function (CAPF) only allow TLS, and non-encrypted connections are not available; therefore the corresponding services will not be available at all with the older phones. See Figure 5 for an example of those connections when setting the minimum TLS version on Unified CM to 1.1 or 1.2. Some connections may still be possible if they can be non-encrypted. Some other connections that only support TLS will break.
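The version negotiation described earlier (highest common version wins, a server minimum refuses anything below it) and the older-phone outcomes just described (fallback to non-encrypted transport where an interface allows it, a hard break on TLS-only interfaces such as TVS and CAPF) can be turned into a pre-change check. The following is an added Python example, not code from the paper or from Cisco. The negotiate() function is a model of the ClientHello/ServerHello behaviour, not a real TLS implementation; the inventory is constructed sample data built from the products and interfaces the paper names, and the version support attributed to the CTL Client and the Address Book Synchronizer is an assumption drawn from the paper's workarounds.

```python
"""Model of TLS version negotiation against a server-side minimum version,
plus a pre-change audit of a deployment inventory (added example).

negotiate() models the ClientHello/ServerHello exchange the paper describes:
the highest version both sides support is chosen, and a server that has
disabled TLS 1.0/1.1 refuses anything below its minimum. audit() applies that
rule to a constructed inventory of Unified CM server interfaces and the
clients that connect to them, separating connections that can fall back to
non-encrypted transport from those on TLS-only interfaces (TVS, CAPF).
"""
from dataclasses import dataclass

# Protocol versions from oldest to newest. SSL is left out: the paper states
# it has been removed from the products in the compatibility matrix.
TLS_VERSIONS = ("1.0", "1.1", "1.2")


def negotiate(client_versions, server_versions, server_min="1.0"):
    """Return the negotiated TLS version, or None when the handshake fails.

    Both sides prefer the highest version they share. server_min models the
    `set tls min-version` setting: a ClientHello below it is refused, so a
    downgraded retry (after the first TLS 1.2 attempt was interfered with)
    fails instead of silently landing on TLS 1.0.
    """
    common = [v for v in TLS_VERSIONS
              if v in client_versions and v in server_versions]
    if not common:
        return None
    chosen = common[-1]
    if TLS_VERSIONS.index(chosen) < TLS_VERSIONS.index(server_min):
        return None
    return chosen


@dataclass(frozen=True)
class Connection:
    client: str              # product acting as TLS client
    interface: str           # Unified CM server interface it connects to
    client_versions: tuple   # TLS versions the client supports there
    tls_only: bool           # True when no non-encrypted fallback exists


# Unified CM server interfaces accept all three versions until the minimum
# is raised (the paper's default minimum is 1.0).
UCM_SERVER_VERSIONS = TLS_VERSIONS

# Constructed sample inventory. Version support follows the paper: current
# phones support TLS 1.2; the older 7900-series phone does not support 1.1
# or 1.2. The CTL Client and the Address Book Synchronizer are modelled as
# TLS 1.0 only and TLS-only (assumption: the paper's workarounds for them are
# "temporarily allow TLS 1.0" and "none", with no non-encrypted option).
SAMPLE_INVENTORY = (
    Connection("Cisco IP Phone 8800", "SIP", TLS_VERSIONS, tls_only=False),
    Connection("Cisco IP Phone 8800", "TVS", TLS_VERSIONS, tls_only=True),
    Connection("Cisco Unified IP Phone 7961", "SIP", ("1.0",), tls_only=False),
    Connection("Cisco Unified IP Phone 7961", "IP Phone Services (HTTPS)",
               ("1.0",), tls_only=False),
    Connection("Cisco Unified IP Phone 7961", "TVS", ("1.0",), tls_only=True),
    Connection("Cisco Unified IP Phone 7961", "CAPF", ("1.0",), tls_only=True),
    Connection("CTL Client (USB eTokens)", "CTL provider", ("1.0",),
               tls_only=True),
    Connection("IP Phone Address Book Synchronizer", "Web (HTTPS)", ("1.0",),
               tls_only=True),
)


def audit(connections, server_min):
    """Classify each connection for a given Unified CM minimum TLS version.

    "ok":             a version at or above the minimum is negotiated
    "needs-fallback": TLS is refused; works only if switched to non-encrypted
    "broken":         TLS is refused and the interface is TLS-only
    """
    report = {}
    for conn in connections:
        version = negotiate(conn.client_versions, UCM_SERVER_VERSIONS, server_min)
        key = f"{conn.client} -> {conn.interface}"
        if version is not None:
            report[key] = "ok"
        elif conn.tls_only:
            report[key] = "broken"
        else:
            report[key] = "needs-fallback"
    return report


def safe_to_raise(connections, server_min):
    """True when raising the minimum breaks nothing and needs no fallback."""
    return all(o == "ok" for o in audit(connections, server_min).values())


if __name__ == "__main__":
    for minimum in TLS_VERSIONS:
        print(f"--- Unified CM minimum TLS version {minimum} ---")
        for key, outcome in audit(SAMPLE_INVENTORY, minimum).items():
            print(f"{outcome:15} {key}")
        print("safe to raise:", safe_to_raise(SAMPLE_INVENTORY, minimum))
```

Replacing SAMPLE_INVENTORY with the real list of clients and the interfaces they use (taken from the compatibility matrix and the phone models in service) gives the list of connections that will break or need a non-encrypted fallback before the minimum version is changed, which is the verification the paper asks for.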

Figure 5: Connections with Older Phones When TLS 1.1 or 1.2 Is the Unified CM Minimum Version

The following sections provide more details about these limitations and the possible workarounds.

SIP Interface

When a phone is configured in authenticated or encrypted mode, it registers to Unified CM through a TLS connection (encrypted SIP or encrypted SCCP). If the SIP interface of the phone does not support TLS 1.2 and Unified CM is configured with the minimum TLS version set to 1.2, then this connection cannot be established. Moreover, when configured in that mode, for security reasons, the phone does not attempt to register through a non-TLS connection.
Workaround: Configure phones in nonsecure mode.

HTTPS Web Server Interface for IP Phone Services

The phone client interface that connects to Unified CM web services for IP Phone Services does not support TLS 1.2 on older phones. Therefore, an IP Phone service will not work if the phone attempts to use HTTPS to connect to the IP Phone Service. If a phone does not support HTTPS for that IP Phone Services interface (for example 7940/7960), then it uses HTTP and IP Phone Services will work in this particular case. But if a phone supports HTTPS, for security reasons, it will only attempt to use HTTPS (it will not try to fall back to HTTP) if a secure URL is configured or if the default configuration is used for built-in Cisco IP Phone Services (such as Application:Cisco/CorporateDirectory). With TLS 1.2 not being supported on older phones, IP Phone Services will not be available at all. This limitation applies to most of the older phones discussed here (for example 7941/7961 or newer 7900 models, 6900, 9900, 8961 models).
Workaround: Use nonsecure URLs (HTTP instead of HTTPS) for all the phones in your deployment. However, HTTP is not recommended as it is not secure and may be a concern especially when sensitive data is transmitted (for example, user ID and PIN with Extension Mobility). For default Cisco IP Phone Services (such as Application:Cisco/CorporateDirectory), using specific URLs has drawbacks. With the default configuration of those default Cisco IP Phone Services, the phone uses the Unified CM nodes configured in the CM group and follows the same preference order as it does for call processing. If the primary Unified CM call processing subscriber fails, the phone will fail over to the secondary call processing subscriber. However, by configuring a URL, a single server is specified, and there is no resiliency for the IP Phone service anymore. Another drawback is that the load may not be well distributed when configuring a URL. If the same server is configured for all IP Phone Services, the performance of that server can be affected. To alleviate some of those issues, you could configure only the older phones with a nonsecure URL (HTTP), and configure newer phones supporting TLS 1.2 to use the normal configuration (secure URLs and default configuration with default Cisco IP Phone Services). However, there are provisioning challenges when configuring HTTP for older phones and HTTPS for newer phones. You would need to add separate IP Phone Services, some based on HTTP, some based on HTTPS, and then associate the phones with the appropriate IP Phone Services. You may also need to remove some secure URLs from the Unified CM enterprise parameters page and then add them back for the new phones only.

Trust Verification Service Interface

Trust Verification Service (TVS) can validate certificates on behalf of the phones or provide certificates to the phones. For example, TVS enables the endpoints to connect to IP Phone Services securely (through HTTPS). With Unified CM releases before 12.0, TVS was also used by endpoints to trust Unified CM when renewing the CallManager certificate or migrating between Unified CM clusters. From Unified CM 12.0 onward, TVS is typically not used in those scenarios since the tokenless CTL and ITL files are signed by the ITLRecovery key.

Older endpoints do not support TLS 1.2 on this interface. Since TLS is the only option with TVS (non-encrypted connection not allowed), older endpoints are not able to connect to the Unified CM TVS service if Unified CM is configured with the minimum TLS version set to 1.1 or 1.2. The implications are:

Older endpoints cannot use secure URLs (HTTPS) for IP Phone Services, even with external IP Phone Services (not hosted by Unified CM).
Workaround: Use nonsecure URLs (HTTP), but this is not recommended as it may be a security issue. There may also be provisioning challenges.

With Unified CM 11.5(1)SU3 and subsequent SUs, renewing the CallManager certificate results in older phones not trusting Unified CM, because the phones are not able to verify the CTL and ITL files signed by the new CallManager key. This is not an issue with Unified CM releases 12.0 and later since the tokenless CTL and ITL files are signed by the ITLRecovery key.
Workaround: Temporarily set the Prepare Cluster for Rollback to pre 8.0 enterprise parameter to True.
Workaround: Temporarily allow TLS 1.0 in Unified CM.
Workaround: Upgrade to Unified CM 12.0 or later.

With Unified CM 11.5(1)SU3 and subsequent SUs, if mixed-mode is not enabled or if it is enabled with the CLI (tokenless CTL), Extension Mobility Cross Cluster (EMCC) does not work with older phones. Moreover, phone migrations from one Unified CM cluster to another Unified CM cluster require the deletion of the CTL/ITL file on each phone.
Workaround: Enable Unified CM mixed-mode with USB eTokens and use the same eTokens across all Unified CM clusters.
Workaround: Upgrade to Unified CM 12.0 or later.

With Unified CM 11.5(1)SU3 and subsequent SUs, with a Proxy TFTP server deployed, the older phones are not able to validate static files signed by the Proxy TFTP server, such as ringlist files, background images, or locales.
Workaround: Upgrade Unified CM home clusters to Unified CM 12.0 or later.

Certificate Authority Proxy Function Interface

The Certificate Authority Proxy Function (CAPF) service allows certificate-related operations such as issuing or updating Locally Significant Certificates (LSC) on endpoints, or getting the endpoint certificates and public keys that are needed to support encrypted TFTP configuration files. Older endpoints do not support TLS 1.2 on this interface. Since TLS is the only option with CAPF (non-encrypted connection not allowed), older endpoints are not able to connect to the Unified CM CAPF service if Unified CM is configured with the minimum TLS version set to 1.2. The implications are:

LSC certificates cannot be installed on older phones. Therefore, services based on LSC certificates are not available. For example, 802.1X authentication and Phone VPN cannot be based on LSC certificates.
Workaround: Services based on LSC certificates would have to be based on other authentication mechanisms such as MIC certificates or end-user credentials.

Encrypted TFTP configuration files are not possible, even with MIC certificates.
Workaround: Use non-encrypted TFTP configuration files, but this may be a security concern, especially when credentials are configured in the Unified CM Administration phone page.

Summary of Older Phone Limitations and Workarounds

When the Unified CM minimum TLS version is set to 1.1 or 1.2, older phones such as the Cisco Unified IP Phone 8961, Cisco Unified IP Phone 9900, 7900, 6900, 3900 Series, and Cisco IP Communicator are not fully functional and have important limitations. The following table summarizes the main limitations and provides some workarounds. The recommendation, however, is to upgrade those older phones to newer phones such as the Cisco IP Phone 7800 or 8800 Series.

Table 1: Summary of Older Phone Limitations and Workarounds When Unified CM Minimum TLS Version Is 1.1 or 1.2

Interface: SIP Interface
Feature: Encrypted mode or Authenticated mode
Limitation: Older phones in Encrypted mode or Authenticated mode are not functional; they cannot register to Unified CM.
Workaround: Configure those phones in nonsecure mode.

Interface: HTTPS Web Server Interface for IP Phone Services; Trust Verification Service Interface
Feature: IP Phone Services using secure URLs (HTTPS)
Limitation: Older phones cannot connect to IP Phone Services using secure URLs (HTTPS).
Workaround: Use nonsecure URLs (HTTP), but this is not recommended as it may be a security issue. There may also be provisioning challenges.

Interface: Trust Verification Service Interface
Feature: CallManager certificate renewal
Limitation: With Unified CM release 11.5(1)SU3 and subsequent SUs, older phones lose trust when CallManager certificates are renewed. This is not an issue with Unified CM 12.0 and later.
Workaround: Temporarily set the Prepare Cluster for Rollback to pre 8.0 enterprise parameter to True. OR Temporarily allow TLS 1.0 in Unified CM. OR Upgrade to Unified CM 12.0 release or later.

Interface: Trust Verification Service Interface
Feature: Extension Mobility Cross Cluster (EMCC)
Limitation: EMCC is not supported with older phones and Unified CM release 11.5(1)SU3 and subsequent SUs, if mixed-mode is not enabled or if it is enabled with the CLI (tokenless CTL).
Workaround: Enable Unified CM mixed-mode with USB eTokens and use the same eTokens across all Unified CM clusters. OR Upgrade to Unified CM 12.0 release or later.

Interface: Trust Verification Service Interface
Feature: Proxy TFTP Server
Limitation: With Unified CM 11.5(1)SU3 and subsequent SUs, with a Proxy TFTP server deployed, the older phones are not able to validate static files signed by the Proxy TFTP server, such as ringlist files, background images, or locales.
Workaround: Upgrade Unified CM home clusters to Unified CM 12.0 release or later.

Interface: Certificate Authority Proxy Function Interface
Feature: Locally Significant Certificates (LSC)
Limitation: LSC cannot be installed or updated on older phones. As a result, 802.1X and phone VPN authentications based on LSC are not available.
Workaround: Use other authentication mechanisms such as MIC certificates or end-user credentials.

Interface: Certificate Authority Proxy Function Interface
Feature: Encrypted Trivial File Transfer Protocol (TFTP) configuration files
Limitation: TFTP configuration files cannot be encrypted with older phones.
Workaround: Use non-encrypted TFTP configuration files and avoid configuring credentials on the Unified CM Administration phone page.

Disabling TLS 1.0/1.1 Configuration Example

The configuration to disable TLS 1.0 and TLS 1.1 depends on the product. This example shows how to disable TLS versions for Unified CM with IM and Presence Service and for products based on the same platform, such as Cisco Unity Connection, Cisco Emergency Responder (Emergency Responder), and Cisco Prime Collaboration Deployment.

Note: For configuration information for other products, refer to the related product documentation.
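Once the minimum version has been raised on a node as this section describes, the change is best confirmed from the client side as well: a handshake pinned to TLS 1.0 or 1.1 should now be refused while TLS 1.2 still succeeds. The following is an added Python example, not code from the paper or from Cisco. It uses the standard ssl module to pin one protocol version per attempt; the host name and port are placeholders, and demo_connector is a constructed stand-in for a server with minimum version 1.2 so that the decision logic runs offline.

```python
"""Post-change check of a server interface's accepted TLS versions (added example).

After `set tls min-version 1.2`, confirm from the client side that TLS 1.0
and TLS 1.1 handshakes are refused and TLS 1.2 still succeeds. Each probe
pins the client context to a single protocol version. The connection
function is injectable so the decision logic can be exercised offline.
"""
import socket
import ssl
import sys

# Versions to probe, oldest first. With minimum version 1.2 the expected
# pattern is: TLS 1.0 refused, TLS 1.1 refused, TLS 1.2 accepted.
PROBE_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def tls_connect(host, port, version, timeout=5.0):
    """Handshake with the server using exactly one TLS version.

    Returns the negotiated protocol name; raises ssl.SSLError or OSError when
    the server refuses the version or the connection fails. Certificate
    verification is disabled because only the version negotiation is under
    test here, not the server's identity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Current OpenSSL builds refuse TLS 1.0/1.1 locally at security
        # level 1; lowering it lets the probe reach the server, so a refusal
        # reflects the server's policy rather than the local library's.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # non-OpenSSL backends do not understand @SECLEVEL
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def probe_versions(host, port, connector=tls_connect):
    """Try every version in PROBE_VERSIONS; map label -> (accepted, detail)."""
    results = {}
    for label, version in PROBE_VERSIONS.items():
        try:
            results[label] = (True, connector(host, port, version))
        except (ssl.SSLError, OSError) as exc:
            results[label] = (False, str(exc))
    return results


def enforces_tls12_minimum(results):
    """True only when TLS 1.2 is accepted and every older version is refused."""
    accepted = {label for label, (ok, _) in results.items() if ok}
    return accepted == {"TLS 1.2"}


def demo_connector(host, port, version):
    """Constructed stand-in for a server whose minimum TLS version is 1.2."""
    if version != ssl.TLSVersion.TLSv1_2:
        raise ssl.SSLError("handshake failure: version below server minimum")
    return "TLSv1.2"


if __name__ == "__main__":
    # Usage: python <this file> <host> <port>. Without arguments the
    # constructed stand-in is used so the script runs offline.
    if len(sys.argv) == 3:
        host, port, connector = sys.argv[1], int(sys.argv[2]), tls_connect
    else:
        host, port, connector = "ucm.example.invalid", 8443, demo_connector
    results = probe_versions(host, port, connector)
    for label, (ok, detail) in results.items():
        print(f"{label}: {'accepted' if ok else 'refused'} ({detail})")
    print("minimum TLS 1.2 enforced:", enforces_tls12_minimum(results))
```

The detail string kept for each refusal matters when reading the result: a message such as "no protocols available" comes from the local library rather than the server, and in that case the probe has not shown anything about the node's configuration.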

By default, the minimum version of TLS is set to 1.0 for Unified CM with IM and Presence Service, Cisco Unity Connection, Emergency Responder, and Cisco Prime Collaboration Deployment. Setting the minimum TLS version to 1.1 disables TLS 1.0. Setting the minimum TLS version to 1.2 disables TLS 1.0 and TLS 1.1.

To disable TLS 1.0 and TLS 1.1, log in to the Command Line Interface and run the set tls min-version 1.2 CLI command. Figure 6 shows an example of how to configure the minimum version of TLS on a Unified CM with IM and Presence Service node. After the configuration, the node reboots. This configuration applies only to the local node, so if you want to disable TLS 1.0/1.1 for all the nodes in a cluster, apply this configuration on all cluster nodes.

Figure 6: Configuring TLS 1.2 as Minimum Version on Unified CM with IM and Presence Service

To verify the minimum TLS version currently configured on Unified CM with IM and Presence Service, Cisco Unity Connection, Emergency Responder, or Cisco Prime Collaboration Deployment, run the show tls min-version CLI command.

Figure 7: Verifying the Configured Minimum TLS Version of Unified CM with IM and Presence Service

Summary

With current Cisco Collaboration products and current releases, SSL is disabled and TLS 1.2 should be negotiated by default. To prevent TLS version downgrade attacks, disable TLS 1.0 and TLS 1.1. Before disabling TLS 1.0 and TLS 1.1, ensure that the other products involved in the relevant TLS connections support TLS 1.2. If you have older phones, they may not be fully functional and may have important limitations. The recommendation is to upgrade to newer phones such as the Cisco IP Phone 7800 or 8800 Series.

Related Documentation

For a list of Cisco Collaboration products that support TLS 1.2 and can disable TLS 1.0 and TLS 1.1, see the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/compatibility/tls/tls1-2-compatibility-matrix.html. This matrix is also available from the Compatibility Information page at https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-system/products-device-support-tables-list.html.

For an overview of how to enable TLS 1.2 and disable TLS 1.0 and 1.1 for Cisco Collaboration products, see the TLS 1.2 Configuration Overview Guide at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/tls/tls-1-2-configuration-overview-Guide.html.

For information on disabling TLS 1.0/1.1, or on configuring a minimum version of TLS on the server interface, refer to the product support documentation at https://www.cisco.com/.

For security information about Unified CM, see the Security Guide for Cisco Unified Communications Manager, available at https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html.

For security information about Cisco Unity Connection, see the Security Guide for Cisco Unity Connection, available at https://www.cisco.com/c/en/us/support/unified-communications/unity-connection/products-maintenance-guides-list.html.

For the compatible product software release versions for Cisco Collaboration Systems Releases, see the Cisco Collaboration Systems Release Compatibility Matrix at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/compatibility/csr-compatibility-matrix.html.

Documentation Changes

Table 2: Documentation Changes
Date: April 20, 2018
Change: Added link to TLS 1.2 Configuration Overview Guide.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the Cisco Product Documentation RSS feed. The RSS feeds are a free service.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies are considered uncontrolled copies, and the original online version should be referred to for the latest version.

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

2017 Cisco Systems, Inc. All rights reserved.