This document describes how to configure IP phones over a Secure Sockets Layer VPN (SSL VPN), also known as a WebVPN. Two Cisco Unified Communications Managers (CallManagers) and three types of certificates are used with this solution. The CallManagers are:
The certificate types are:
The key concept to understand is that, once the configuration on the SSL VPN gateway and the CallManager is complete, you must join the IP phones locally. This lets the phones register with the CUCM and receive the correct VPN information and certificates. If the phones are not joined locally, they cannot find the SSL VPN gateway and do not have the correct certificates to complete the SSL VPN handshake.
The most common configurations are CUCM/Unified CME with ASA self-signed certificates and Cisco IOS self-signed certificates. Consequently, they are the easiest to configure.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The basic ASA SSL VPN configuration is described in these documents:
Once this configuration is complete, a remote test PC should be able to connect to the SSL VPN gateway, connect via AnyConnect, and ping the CUCM. Ensure the ASA has an AnyConnect for Cisco IP phone license. (Use the show ver command.) Both TCP and UDP port 443 must be open between the gateway and the client.
Refer to IP Phone SSL VPN to ASA using AnyConnect for more detailed information.
The ASA must have a license for AnyConnect for Cisco VPN Phone. After you configure the SSL VPN, you then configure your CUCM for the VPN.
ciscoasa(config)# crypto ca export trustpoint name identity-certificate
This command displays a PEM-encoded identity certificate on the terminal.
ciscoasa(config)# crypto ca trustpoint certificate-name
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config)# crypto ca authenticate certificate-name
ciscoasa# configure terminal
ciscoasa(config)# tunnel-group VPNPhones webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-url https://192.168.1.1/VPNPhone enable
ciscoasa(config-tunnel-webvpn)# exit
This configuration is very similar to the configuration described in CUCM: ASA SSLVPN with Self-Signed Certificates Configuration section, except that you are using third-party certificates. Configure SSL VPN on the ASA with third-party certificates as described in ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example.
The basic Cisco IOS SSL VPN configuration is described in these documents:
Once this configuration is complete, a remote test PC should be able to connect to the SSL VPN gateway, connect via AnyConnect, and ping the CUCM. In Cisco IOS 15.0 and later, you must have a valid SSL VPN license to complete this task. Both TCP and UDP port 443 must be open between the gateway and the client.
This configuration is similar to the configuration described in CUCM: ASA SSLVPN with Third-Party Certificates Configuration and CUCM: ASA SSLVPN with Self-Signed Certificates Configuration sections. The differences are:
R1(config)# crypto pki export trustpoint-name pem terminal
R1(config)# crypto pki trustpoint certificate-name
R1(config-ca-trustpoint)# enrollment terminal
R1(config)# crypto ca authenticate certificate-name
The WebVPN context configuration should show this text:
gateway webvpn_gateway domain VPNPhone
Configure the CUCM as described in CUCM: ASA SSLVPN with Self-Signed Certificates Configuration section.
This configuration is similar to the configuration described in CUCM: ASA SSLVPN with Self-Signed Certificates Configuration section. Configure your WebVPN with a third-party certificate.
Configuration for the Unified CME is similar to the configurations of the CUCM; for example, the WebVPN endpoint configurations are the same. The only significant difference is the configurations of the Unified CME call agent. Configure the VPN group and the VPN policy for the Unified CME as described in Configuring SSL VPN Client for SCCP IP Phones.
In order to export the certificates from the WebVPN gateway, refer to the ASA/router section. If you are using a third-party certificate, you must include the full certificate chain. In order to import the certificates to the Unified CME, use the same method as used to import certificates into a router:
CME(config)# crypto pki trustpoint certificate-name
CME(config-ca-trustpoint)# enrollment terminal
CME(config)# crypto ca authenticate certificate-name
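Before pasting an exported bundle into the CUCM, a practitioner will want to confirm that it really carries the full chain, from the gateway certificate up to its root. This added Python example (not from the Cisco document) does that check with only the standard library, assuming the export is PEM text as produced by the export commands above; the fake_cert_pem helper builds constructed, unsigned sample certificates purely as demonstration input.

```python
import base64
import re

# Added example, not from the Cisco document: check that an exported PEM bundle
# (e.g. "crypto pki export <trustpoint> pem terminal" output) is a complete chain.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(text):  # DER bytes of each CERTIFICATE block, in file order
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def tlv(buf, pos=0):  # read one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # (tag, value) elements of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def subject_issuer(der_cert):  # raw DER Name values (subject, issuer) of a cert
    fields = children(children(tlv(der_cert)[1])[0][1])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:  # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][1], fields[2][1]  # serial, sigAlg, issuer, validity, subject

def chain_problems(pem_bundle):
    """Reasons the bundle is not a complete, leaf-to-root ordered chain ([] if fine)."""
    certs = [subject_issuer(d) for d in pem_to_der_list(pem_bundle)]
    if not certs:
        return ["no certificate found in PEM input"]
    problems = [f"certificate {i} is not issued by certificate {i + 1}" for i, ((_, iss), (subj, _))
                in enumerate(zip(certs, certs[1:])) if iss != subj]
    if certs[-1][0] != certs[-1][1]:
        problems.append("chain does not end at a self-signed root CA")
    return problems

def der(tag, payload):  # short-form DER encoder (payload < 128 bytes), for sample data
    return bytes([tag, len(payload)]) + payload

def fake_cert_pem(subject, issuer):  # constructed, unsigned cert skeleton: sample input only
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject))
    body = base64.encodebytes(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
```

The check only validates ordering and subject/issuer linkage; it does not verify signatures, so it catches a missing intermediate or root, not a forged certificate.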
The Cisco Unified Communications 500 Series Model UC 520 IP phone configuration is quite different from the CUCM and CME configurations.
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.
Revision | Publish Date | Comments
---|---|---
1.0 | 19-Dec-2013 | Initial Release