Mailing List Archive: Cisco: VOIP

CUMA and ASA as Proxy

Index | Next | Previous | View Threaded

voicenoob at gmail

Jul 1, 2009, 6:43 PM

Post #1 of 12 (515 views)
Permalink

CUMA and ASA as Proxy

Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am having
a problem with the documentation on exactly how I setup the ASA and the
certificate requests. I don't know if the name I should put into the
requests is the CUMA server name or the hostname of my ASA.

Also has anyone done this using slef signed certs with an internal CA? I
don't think I can get this company to pay for a cert from Verisign or
Geotrust. In fact I know I can't.

rratliff at cisco

Jul 2, 2009, 6:21 AM

Post #2 of 12 (474 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

I'm still getting up to speed with CUMA but I'll give it a shot...

There are two certs you need to have generated for CUMA with the ASA
proxy. One is the external-facing cert that the mobile devices see
when connecting to the ASA. This cert cannot be self-signed because
the phones only have the public root CA certificates and thus can't
trust self-signed certs. The second cert is the one between the CUMA
server and the ASA. This one can be self-signed and is documented in
the URL below "Importing a Self-Signed Certificate" section.

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/
install/guide/cuma_70_IAG_02_ASA.html#wp1233240

-Ryan

On Jul 1, 2009, at 9:43 PM, Voice Noob wrote:

Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
having a problem with the documentation on exactly how I setup the
ASA and the certificate requests. I don't know if the name I should
put into the requests is the CUMA server name or the hostname of my ASA.

Also has anyone done this using slef signed certs with an internal
CA? I don't think I can get this company to pay for a cert from
Verisign or Geotrust. In fact I know I can't.
_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

voicenoob at gmail

Jul 2, 2009, 6:32 AM

Post #3 of 12 (474 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

I have a procedure on how to make the self signed certs work on my phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release 3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy Host
Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values in the
Cisco Adaptive Security Appliance and in the relevant security context in
Cisco Unified Mobility Advantage.

Procedure

----------------------------------------------------------------------------
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit

% The fully-qualified domain name in the certificate will be: <Proxy Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

----------------------------------------------------------------------------
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

> Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
> having a problem with the documentation on exactly how I setup the
> ASA and the certificate requests. I don't know if the name I should
> put into the requests is the CUMA server name or the hostname of my
> ASA.
>
> Also has anyone done this using slef signed certs with an internal
> CA? I don't think I can get this company to pay for a cert from
> Verisign or Geotrust. In fact I know I can't.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip[at]puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

rratliff at cisco

Jul 2, 2009, 6:40 AM

Post #4 of 12 (474 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

For lab purposes you *should* be able to get it to work. It's not
TAC supported but that really doesn't matter for a demo. I also
believe Verisign has temp cert you can get for free (but it has an
expiration date).

Regarding the name, it needs to match whatever you populate in the
external DNS, which should resolve to the ASA.
"Obtain the IP address and fully qualified domain name for the Proxy
Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my
phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two
phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA
or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/
install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive
Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release
3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy
Host
Name as specified in Obtaining IP Addresses and DNS Names from IT,
page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values
in the
Cisco Adaptive Security Appliance and in the relevant security
context in
Cisco Unified Mobility Advantage.

Procedure

------------------------------------------------------------------------
----
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the
prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate
the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server.
This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit

% The fully-qualified domain name in the certificate will be: <Proxy
Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing
Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces
at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

------------------------------------------------------------------------
----
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

> Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
> having a problem with the documentation on exactly how I setup the
> ASA and the certificate requests. I don't know if the name I should
> put into the requests is the CUMA server name or the hostname of my
> ASA.
>
> Also has anyone done this using slef signed certs with an internal
> CA? I don't think I can get this company to pay for a cert from
> Verisign or Geotrust. In fact I know I can't.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip[at]puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

voicenoob at gmail

Jul 2, 2009, 6:48 AM

Post #5 of 12 (474 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

Thank you.

-----Original Message-----
From: Ryan Ratliff [mailto:rratliff[at]cisco.com]
Sent: Thursday, July 02, 2009 8:41 AM
To: Voice Noob
Cc: 'Craig Staffin'; 'CiscosupportUpuck'
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

For lab purposes you *should* be able to get it to work. It's not
TAC supported but that really doesn't matter for a demo. I also
believe Verisign has temp cert you can get for free (but it has an
expiration date).

Regarding the name, it needs to match whatever you populate in the
external DNS, which should resolve to the ASA.
"Obtain the IP address and fully qualified domain name for the Proxy
Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my
phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two
phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA
or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/
install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive
Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release
3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy
Host
Name as specified in Obtaining IP Addresses and DNS Names from IT,
page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values
in the
Cisco Adaptive Security Appliance and in the relevant security
context in
Cisco Unified Mobility Advantage.

Procedure

------------------------------------------------------------------------
----
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the
prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate
the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server.
This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit

% The fully-qualified domain name in the certificate will be: <Proxy
Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing
Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces
at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

------------------------------------------------------------------------
----
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

> Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
> having a problem with the documentation on exactly how I setup the
> ASA and the certificate requests. I don't know if the name I should
> put into the requests is the CUMA server name or the hostname of my
> ASA.
>
> Also has anyone done this using slef signed certs with an internal
> CA? I don't think I can get this company to pay for a cert from
> Verisign or Geotrust. In fact I know I can't.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip[at]puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

voicenoob at gmail

Jul 8, 2009, 6:34 AM

Post #6 of 12 (400 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

I "think" I have everything setup. I have upgraded to 7.0(2) and all of my
enterprise adaptors work correctly. I have added users and my DNS entries
are correct. My problem seems to be with the ASA. I have port 9080 and 5443
configured for the external interface to forward to my CUMA server. I can
see the traffic from my phone come in on port 9080 but it just hangs. When I
connect internally to port 9080 to my internal IP of my CUMA server it
redirects me to a URL with port 9443. So it looks like it is trying to do
that on the outside but the ASA is blocking it I guess. I am sure this is
some type of inspect rule or something I don't have configured correctly on
the ASA. Here are some of configs

access-list Outside_access_in extended permit tcp any interface Outside eq
9080 log notifications
access-list Outside_access_in extended permit tcp any interface Outside eq
5443

access-list mmp_inspect extended permit tcp any any eq 5443
access-list mmp_inspect extended permit tcp any any eq 9080

static (Inside,Outside) tcp interface 5443 1.1.1.1 5443 netmask
255.255.255.255
static (Inside,Outside) tcp interface 9080 1.1.1.1 9080 netmask
255.255.255.255

access-group Outside_access_in in interface Outside

tls-proxy PROXYNAME
server trust-point trustpoint-cuma-signed
no server authenticate-client
client trust-point trustpoint-asa-cuma-selfsigned
client cipher-suite aes128-sha1 aes256-sha1

class-map cuma_proxy
match access-list mmp_inspect
class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ftp
inspect icmp
inspect http
inspect mmp tls-proxy PROXYNAME
inspect sip
class cuma_proxy
inspect mmp tls-proxy PROXYNAME
class class-default
set connection decrement-ttl

-----Original Message-----
From: Ryan Ratliff [mailto:rratliff[at]cisco.com]
Sent: Thursday, July 02, 2009 8:41 AM
To: Voice Noob
Cc: 'Craig Staffin'; 'CiscosupportUpuck'
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

For lab purposes you *should* be able to get it to work. It's not
TAC supported but that really doesn't matter for a demo. I also
believe Verisign has temp cert you can get for free (but it has an
expiration date).

Regarding the name, it needs to match whatever you populate in the
external DNS, which should resolve to the ASA.
"Obtain the IP address and fully qualified domain name for the Proxy
Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my
phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two
phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA
or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/
install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive
Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release
3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy
Host
Name as specified in Obtaining IP Addresses and DNS Names from IT,
page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values
in the
Cisco Adaptive Security Appliance and in the relevant security
context in
Cisco Unified Mobility Advantage.

Procedure

------------------------------------------------------------------------
----
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the
prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate
the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server.
This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit

% The fully-qualified domain name in the certificate will be: <Proxy
Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing
Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces
at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

------------------------------------------------------------------------
----
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

> Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
> having a problem with the documentation on exactly how I setup the
> ASA and the certificate requests. I don't know if the name I should
> put into the requests is the CUMA server name or the hostname of my
> ASA.
>
> Also has anyone done this using slef signed certs with an internal
> CA? I don't think I can get this company to pay for a cert from
> Verisign or Geotrust. In fact I know I can't.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip[at]puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

dane.newman at gmail

Oct 25, 2009, 1:23 PM

Post #7 of 12 (161 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

Will the ASA be ok with any trusted ssl cert such as one from godaddy thats
30 bucks a year opposed to the cheapest gotrust one thats $250 a year?

On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff[at]cisco.com> wrote:

> For lab purposes you *should* be able to get it to work. It's not TAC
> supported but that really doesn't matter for a demo. I also believe
> Verisign has temp cert you can get for free (but it has an expiration date).
>
> Regarding the name, it needs to match whatever you populate in the external
> DNS, which should resolve to the ASA.
>
> "Obtain the IP address and fully qualified domain name for the Proxy Host"
> The proxy host is your ASA.
>
> -Ryan
>
>
> On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:
>
> I have a procedure on how to make the self signed certs work on my phone.
> That is the least of my problems or concerns. If it does not work that's
> fine but I have to try. We are only looking at a pilot of about two phones.
> If we do a customer deployment we will have them get a correct cert.
>
> In the below step do I create the cert using the name of my Cisco ASA or of
> the name of my CUMA server?
>
>
>
> http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/
> install/guide
> /cuma_70_IAG_02_ASA.html
>
> For New Installations) How to Obtain and Import the Cisco Adaptive Security
> Appliance-to-Client Certificate
> This procedure is required unless you are upgrading from Release 3.1.2 and
> reusing your signed certificate from your Proxy Server.
>
> This procedure has several subprocedures:
>
> .Generate a Certificate Signing Request
>
> .Submit the Certificate Signing Request to the Certificate Authority
>
> .Upload the Signed Certificate to the Cisco Adaptive Security Appliance
>
> Generate a Certificate Signing Request
> Before You Begin
>
> .Obtain the IP address and fully qualified domain name for the Proxy Host
> Name as specified in Obtaining IP Addresses and DNS Names from IT, page
> 1-3.
>
>
> .Determine required values for your company or organization name,
> organizational unit, country, and state or province. See the table in
> Creating Security Contexts, page 9-7. You must enter identical values in
> the
> Cisco Adaptive Security Appliance and in the relevant security context in
> Cisco Unified Mobility Advantage.
>
> Procedure
>
>
>
> ----------------------------------------------------------------------------
> ----
>
> Step 1 Enter configuration mode:
>
> conf t
>
> Step 2 Generate a key pair for this certificate:
>
> crypto key generate rsa label <keypair-cuma-signed> modulus 1024
>
> You will see a "Please wait..." message; look carefully for the prompt to
> reappear.
>
> Step 3 Create a trustpoint with the necessary information to generate the
> certificate request:
>
> crypto ca trustpoint <trustpoint-cuma-signed>
>
> subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
> server. Use the Fully Qualified Domain Name.>,OU=<organization unit
> name>,O=<company or organization name as publicly registered>,C=<2 letter
> country code>,St=<state>,L=<city>
>
> (For requirements for the Company, organization unit, Country, and State
> values, see the values you determined in the prerequisite for this
> procedure.)
>
> keypair <keypair-cuma-signed>
>
> fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This
> value must exactly match the value you entered for CN above.>
>
> enrollment terminal
>
> Step 4 Get the certificate signing request to send to the Certificate
> Authority:
>
> crypto ca enroll <trustpoint-cuma-signed>
>
> % Start certificate enrollment.
>
> % The subject name in the certificate will be:CN=<Proxy Host Name of the
> Cisco Unified Mobility Advantage server>,OU=<organization unit
> name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>
>
> % The fully-qualified domain name in the certificate will be: <Proxy Host
> Name of the Cisco Unified Mobility Advantage server>
>
> % Include the device serial number in the subject name? [yes/no]: no
>
> % Display Certificate Request to terminal? [yes/no]: yes
>
> Step 5 Copy the entire text of the displayed Certificate Signing Request
> and
> paste it into a text file.
>
> Include the following lines. Make sure that there are no extra spaces at
> the
> end.
>
> ----BEGIN CERTIFICATE----
>
> ----END CERTIFICATE----
>
> Step 6 Save the text file.
>
>
>
> ----------------------------------------------------------------------------
> ----
>
> What To Do Next
>
>
> -----Original Message-----
> From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
> Sent: Wednesday, July 01, 2009 9:46 PM
> To: Voice Noob
> Cc: CiscosupportUpuck
> Subject: Re: [cisco-voip] CUMA and ASA as Proxy
>
> I am going through this battle right now
>
> As far as self signed certs the response from the BU was that they are
> completely not supported as mobile phones do not do certs "well". In
> other words if you can manage to get the CA of your domain onto your
> phone it might work for a week or two but then it might fail. The BU
> states that you need to use a verisign cert or GEOTrust.
>
> Let me know if you need more help.
> On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:
>
> Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
>> having a problem with the documentation on exactly how I setup the
>> ASA and the certificate requests. I don't know if the name I should
>> put into the requests is the CUMA server name or the hostname of my
>> ASA.
>>
>> Also has anyone done this using slef signed certs with an internal
>> CA? I don't think I can get this company to pay for a cert from
>> Verisign or Geotrust. In fact I know I can't.
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip[at]puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip[at]puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>

rratliff at cisco

Oct 26, 2009, 7:31 AM

Post #8 of 12 (140 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

The outside certificate the ASA presents to the mobile phones has to
be one of those specified in the documentation (GeoTrust and
Verisign). This is because the phones only come loaded with the root
certificates for those two CAs, and TAC does not support the loading
of 3rd party root certificates on your phones.

That said, if you want to load the GoDaddy root certificate on every
phone that's going to talk to your ASA/CUMA then go for it, just don't
call TAC if it isn't working (the certificate part anyway).

-Ryan

On Oct 25, 2009, at 4:23 PM, Dane Newman wrote:

Will the ASA be ok with any trusted ssl cert such as one from godaddy
thats 30 bucks a year opposed to the cheapest gotrust one thats $250 a
year?

On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff[at]cisco.com> wrote:
For lab purposes you *should* be able to get it to work. It's not TAC
supported but that really doesn't matter for a demo. I also believe
Verisign has temp cert you can get for free (but it has an expiration
date).

Regarding the name, it needs to match whatever you populate in the
external DNS, which should resolve to the ASA.

"Obtain the IP address and fully qualified domain name for the Proxy
Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my
phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two
phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA
or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive
Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release 3.1.2
and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy
Host
Name as specified in Obtaining IP Addresses and DNS Names from IT,
page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values
in the
Cisco Adaptive Security Appliance and in the relevant security context
in
Cisco Unified Mobility Advantage.

Procedure

----------------------------------------------------------------------------
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt
to
reappear.

Step 3 Create a trustpoint with the necessary information to generate
the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
name>,O=<company or organization name as publicly registered>,C=<2
letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server.
This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit
name>,O=<organization name>,C=<2 letter country
code>,St=<state>,L=<city>

% The fully-qualified domain name in the certificate will be: <Proxy
Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing
Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces
at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

----------------------------------------------------------------------------
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
having a problem with the documentation on exactly how I setup the
ASA and the certificate requests. I don't know if the name I should
put into the requests is the CUMA server name or the hostname of my
ASA.

Also has anyone done this using slef signed certs with an internal
CA? I don't think I can get this company to pay for a cert from
Verisign or Geotrust. In fact I know I can't.
_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Matt.Slaga at us

Oct 26, 2009, 8:16 AM

Post #9 of 12 (136 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

Out of curiosity, any particular reason why only those two certificate authorities were chosen?

From: cisco-voip-bounces[at]puck.nether.net [mailto:cisco-voip-bounces[at]puck.nether.net] On Behalf Of Ryan Ratliff
Sent: Monday, October 26, 2009 10:32 AM
To: Dane Newman
Cc: CiscosupportUpuck; Craig Staffin
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

The outside certificate the ASA presents to the mobile phones has to be one of those specified in the documentation (GeoTrust and Verisign). This is because the phones only come loaded with the root certificates for those two CAs, and TAC does not support the loading of 3rd party root certificates on your phones.

That said, if you want to load the GoDaddy root certificate on every phone that's going to talk to your ASA/CUMA then go for it, just don't call TAC if it isn't working (the certificate part anyway).

-Ryan

On Oct 25, 2009, at 4:23 PM, Dane Newman wrote:

Will the ASA be ok with any trusted ssl cert such as one from godaddy thats 30 bucks a year opposed to the cheapest gotrust one thats $250 a year?
On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff[at]cisco.com<mailto:rratliff[at]cisco.com>> wrote:
For lab purposes you *should* be able to get it to work. It's not TAC supported but that really doesn't matter for a demo. I also believe Verisign has temp cert you can get for free (but it has an expiration date).

Regarding the name, it needs to match whatever you populate in the external DNS, which should resolve to the ASA.

"Obtain the IP address and fully qualified domain name for the Proxy Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release 3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy Host
Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values in the
Cisco Adaptive Security Appliance and in the relevant security context in
Cisco Unified Mobility Advantage.

Procedure

----------------------------------------------------------------------------
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
name>,O=<company or organization name as publicly registered>,C=<2 letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit
name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>

% The fully-qualified domain name in the certificate will be: <Proxy Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

----------------------------------------------------------------------------
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com<mailto:cmstaffin[at]gmail.com>]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:
Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
having a problem with the documentation on exactly how I setup the
ASA and the certificate requests. I don't know if the name I should
put into the requests is the CUMA server name or the hostname of my
ASA.

Also has anyone done this using slef signed certs with an internal
CA? I don't think I can get this company to pay for a cert from
Verisign or Geotrust. In fact I know I can't.
_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net<mailto:cisco-voip[at]puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net<mailto:cisco-voip[at]puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

-----------------------------------------
Disclaimer:

This e-mail communication and any attachments may contain
confidential and privileged information and is for use by the
designated addressee(s) named above only. If you are not the
intended addressee, you are hereby notified that you have received
this communication in error and that any use or reproduction of
this email or its contents is strictly prohibited and may be
unlawful. If you have received this communication in error, please
notify us immediately by replying to this message and deleting it
from your computer. Thank you.

rratliff at cisco

Oct 26, 2009, 8:19 AM

Post #10 of 12 (136 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

Those are the two that we've found all of the phones to have
installed. You'd have to ask the phone manufacturers why only those
two seem to be included everywhere.

-Ryan

On Oct 26, 2009, at 11:16 AM, Matt Slaga (US) wrote:

Out of curiosity, any particular reason why only those two certificate
authorities were chosen?

From: cisco-voip-bounces[at]puck.nether.net [mailto:cisco-voip-
bounces[at]puck.nether.net] On Behalf Of Ryan Ratliff
Sent: Monday, October 26, 2009 10:32 AM
To: Dane Newman
Cc: CiscosupportUpuck; Craig Staffin
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

The outside certificate the ASA presents to the mobile phones has to
be one of those specified in the documentation (GeoTrust and
Verisign). This is because the phones only come loaded with the root
certificates for those two CAs, and TAC does not support the loading
of 3rd party root certificates on your phones.

That said, if you want to load the GoDaddy root certificate on every
phone that's going to talk to your ASA/CUMA then go for it, just don't
call TAC if it isn't working (the certificate part anyway).

-Ryan

On Oct 25, 2009, at 4:23 PM, Dane Newman wrote:

Will the ASA be ok with any trusted ssl cert such as one from godaddy
thats 30 bucks a year opposed to the cheapest gotrust one thats $250 a
year?

On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff[at]cisco.com> wrote:
For lab purposes you *should* be able to get it to work. It's not TAC
supported but that really doesn't matter for a demo. I also believe
Verisign has temp cert you can get for free (but it has an expiration
date).

Regarding the name, it needs to match whatever you populate in the
external DNS, which should resolve to the ASA.

"Obtain the IP address and fully qualified domain name for the Proxy
Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my
phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two
phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA
or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive
Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release 3.1.2
and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy
Host
Name as specified in Obtaining IP Addresses and DNS Names from IT,
page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values
in the
Cisco Adaptive Security Appliance and in the relevant security context
in
Cisco Unified Mobility Advantage.

Procedure

----------------------------------------------------------------------------
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt
to
reappear.

Step 3 Create a trustpoint with the necessary information to generate
the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
name>,O=<company or organization name as publicly registered>,C=<2
letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server.
This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit
name>,O=<organization name>,C=<2 letter country
code>,St=<state>,L=<city>

% The fully-qualified domain name in the certificate will be: <Proxy
Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing
Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces
at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

----------------------------------------------------------------------------
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
having a problem with the documentation on exactly how I setup the
ASA and the certificate requests. I don't know if the name I should
put into the requests is the CUMA server name or the hostname of my
ASA.

Also has anyone done this using slef signed certs with an internal
CA? I don't think I can get this company to pay for a cert from
Verisign or Geotrust. In fact I know I can't.
_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

Disclaimer: This e-mail communication and any attachments may contain
confidential and privileged information and is for use by the
designated addressee(s) named above only. If you are not the intended
addressee, you are hereby notified that you have received this
communication in error and that any use or reproduction of this email
or its contents is strictly prohibited and may be unlawful. If you
have received this communication in error, please notify us
immediately by replying to this message and deleting it from your
computer. Thank you.

voicenoob at gmail

Oct 26, 2009, 8:23 AM

Post #11 of 12 (136 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

I am using a cert from comodo.com and it is working fine. I have BlackJackII
and Iphone clients

http://www.comodo.com/

From: cisco-voip-bounces[at]puck.nether.net
[mailto:cisco-voip-bounces[at]puck.nether.net] On Behalf Of Matt Slaga (US)
Sent: Monday, October 26, 2009 10:16 AM
To: Ryan Ratliff; Dane Newman
Cc: Craig Staffin; CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

Out of curiosity, any particular reason why only those two certificate
authorities were chosen?

From: cisco-voip-bounces[at]puck.nether.net
[mailto:cisco-voip-bounces[at]puck.nether.net] On Behalf Of Ryan Ratliff
Sent: Monday, October 26, 2009 10:32 AM
To: Dane Newman
Cc: CiscosupportUpuck; Craig Staffin
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

The outside certificate the ASA presents to the mobile phones has to be one
of those specified in the documentation (GeoTrust and Verisign). This is
because the phones only come loaded with the root certificates for those two
CAs, and TAC does not support the loading of 3rd party root certificates on
your phones.

That said, if you want to load the GoDaddy root certificate on every phone
that's going to talk to your ASA/CUMA then go for it, just don't call TAC if
it isn't working (the certificate part anyway).

-Ryan

On Oct 25, 2009, at 4:23 PM, Dane Newman wrote:

Will the ASA be ok with any trusted ssl cert such as one from godaddy thats
30 bucks a year opposed to the cheapest gotrust one thats $250 a year?

On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff[at]cisco.com> wrote:

For lab purposes you *should* be able to get it to work. It's not TAC
supported but that really doesn't matter for a demo. I also believe
Verisign has temp cert you can get for free (but it has an expiration date).

Regarding the name, it needs to match whatever you populate in the external
DNS, which should resolve to the ASA.

"Obtain the IP address and fully qualified domain name for the Proxy Host"

The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release 3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy Host
Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values in the
Cisco Adaptive Security Appliance and in the relevant security context in
Cisco Unified Mobility Advantage.

Procedure

----------------------------------------------------------------------------
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
name>,O=<company or organization name as publicly registered>,C=<2 letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit
name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>

% The fully-qualified domain name in the certificate will be: <Proxy Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

----------------------------------------------------------------------------
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
having a problem with the documentation on exactly how I setup the
ASA and the certificate requests. I don't know if the name I should
put into the requests is the CUMA server name or the hostname of my
ASA.

Also has anyone done this using slef signed certs with an internal
CA? I don't think I can get this company to pay for a cert from
Verisign or Geotrust. In fact I know I can't.
_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

_____

Disclaimer: This e-mail communication and any attachments may contain
confidential and privileged information and is for use by the designated
addressee(s) named above only. If you are not the intended addressee, you
are hereby notified that you have received this communication in error and
that any use or reproduction of this email or its contents is strictly
prohibited and may be unlawful. If you have received this communication in
error, please notify us immediately by replying to this message and deleting
it from your computer. Thank you.

Matt.Slaga at us

Oct 26, 2009, 8:29 AM

Post #12 of 12 (136 views)
Permalink

Re: CUMA and ASA as Proxy [In reply to]

Ok, I'm with ya. I was thinking they were the only root certs on the Cisco devices, not third party mobile phones. Next time I'll read the entire thread before asking a question. :)

From: Ryan Ratliff [mailto:rratliff[at]cisco.com]
Sent: Monday, October 26, 2009 11:20 AM
To: Matt Slaga (US)
Cc: Dane Newman; CiscosupportUpuck; Craig Staffin
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

Those are the two that we've found all of the phones to have installed. You'd have to ask the phone manufacturers why only those two seem to be included everywhere.

-Ryan

On Oct 26, 2009, at 11:16 AM, Matt Slaga (US) wrote:

Out of curiosity, any particular reason why only those two certificate authorities were chosen?

From: cisco-voip-bounces[at]puck.nether.net<mailto:cisco-voip-bounces[at]puck.nether.net> [mailto:cisco-voip-bounces[at]puck.nether.net] On Behalf Of Ryan Ratliff
Sent: Monday, October 26, 2009 10:32 AM
To: Dane Newman
Cc: CiscosupportUpuck; Craig Staffin
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

The outside certificate the ASA presents to the mobile phones has to be one of those specified in the documentation (GeoTrust and Verisign). This is because the phones only come loaded with the root certificates for those two CAs, and TAC does not support the loading of 3rd party root certificates on your phones.

That said, if you want to load the GoDaddy root certificate on every phone that's going to talk to your ASA/CUMA then go for it, just don't call TAC if it isn't working (the certificate part anyway).

-Ryan

On Oct 25, 2009, at 4:23 PM, Dane Newman wrote:

Will the ASA be ok with any trusted ssl cert such as one from godaddy thats 30 bucks a year opposed to the cheapest gotrust one thats $250 a year?
On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff[at]cisco.com<mailto:rratliff[at]cisco.com>> wrote:
For lab purposes you *should* be able to get it to work. It's not TAC supported but that really doesn't matter for a demo. I also believe Verisign has temp cert you can get for free (but it has an expiration date).

Regarding the name, it needs to match whatever you populate in the external DNS, which should resolve to the ASA.

"Obtain the IP address and fully qualified domain name for the Proxy Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA or of
the name of my CUMA server?

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide
/cuma_70_IAG_02_ASA.html

For New Installations) How to Obtain and Import the Cisco Adaptive Security
Appliance-to-Client Certificate
This procedure is required unless you are upgrading from Release 3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

.Generate a Certificate Signing Request

.Submit the Certificate Signing Request to the Certificate Authority

.Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request
Before You Begin

.Obtain the IP address and fully qualified domain name for the Proxy Host
Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.

.Determine required values for your company or organization name,
organizational unit, country, and state or province. See the table in
Creating Security Contexts, page 9-7. You must enter identical values in the
Cisco Adaptive Security Appliance and in the relevant security context in
Cisco Unified Mobility Advantage.

Procedure

----------------------------------------------------------------------------
----

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
server. Use the Fully Qualified Domain Name.>,OU=<organization unit
name>,O=<company or organization name as publicly registered>,C=<2 letter
country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This
value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the
Cisco Unified Mobility Advantage server>,OU=<organization unit
name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>

% The fully-qualified domain name in the certificate will be: <Proxy Host
Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.

----------------------------------------------------------------------------
----

What To Do Next

-----Original Message-----
From: Craig Staffin [mailto:cmstaffin[at]gmail.com<mailto:cmstaffin[at]gmail.com>]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well". In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail. The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:
Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
having a problem with the documentation on exactly how I setup the
ASA and the certificate requests. I don't know if the name I should
put into the requests is the CUMA server name or the hostname of my
ASA.

Also has anyone done this using slef signed certs with an internal
CA? I don't think I can get this company to pay for a cert from
Verisign or Geotrust. In fact I know I can't.
_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net<mailto:cisco-voip[at]puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip[at]puck.nether.net<mailto:cisco-voip[at]puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

________________________________

Disclaimer: This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you.

-----------------------------------------
Disclaimer:

This e-mail communication and any attachments may contain
confidential and privileged information and is for use by the
designated addressee(s) named above only. If you are not the
intended addressee, you are hereby notified that you have received
this communication in error and that any use or reproduction of
this email or its contents is strictly prohibited and may be
unlawful. If you have received this communication in error, please
notify us immediately by replying to this message and deleting it
from your computer. Thank you.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com