Securing CallManager Communications Using HTTPS

HTTPS secures communication between the browser on the client PC and a web server. It allows authentication of the web server (to ensure the client is not accessing an impersonating website) and protects communication between the client and the web server. All packets are signed to provide integrity, so that the receiver has a guarantee that the packets are authentic and have not been modified during transit. In addition, all packets are encrypted to provide privacy, so that sensitive information can be sent over untrusted networks. These Cisco CallManager applications support HTTPS:

  • Cisco CallManager Administration
  • Cisco CallManager Serviceability
  • Cisco IP Phone User Options web pages
  • Bulk Administration Tool (BAT)
  • Tool for Auto-Registered Phones Support (TAPS)
  • Cisco Call Detail Record (CDR) Analysis and Reporting (CAR)
  • Trace Collection Tool
  • Real-Time Monitoring Tool (RTMT)

When you are using HTTPS for browsing to Cisco CallManager Administration and user options web pages, communication is secure. A hacker who sniffs the communication will find it very difficult to re-create any information from the sniffed packets.

HTTPS secures not only the username and passwords in the communication, but also configuration changes in Cisco CallManager Administration and other applications, such as Cisco CallManager Serviceability. If a user configures parameters such as call forwarding or speed dials on the user options web pages, the client and IIS communicate in a secure way.

HTTPS Certificates

HTTPS uses certificates for web server authentication. Certificates provide information about a device and are signed by an issuer, the Certificate Authority (CA). By default, Cisco CallManager uses a self-signed certificate, but it also allows you to use a certificate issued by a company CA or even an external CA such as VeriSign. The file where the Cisco CallManager HTTPS certificate is stored is C:Program FilesCiscoCertificateshttpscert.cer.

Tip

A self-signed certificate provides the same functions as a certificate issued by a recognized CA. The only problem that occurs with a self-signed certificate is that client web browsers issue warning or caution messages the first time they access the secured website. For internal and intranet server use, this should not cause any major problems.

The certificate will be used on the IIS default website that hosts the Cisco CallManager virtual directories, which include the following:

  • CCMAdmin and CCMUser
  • CCMService
  • Administration Serviceability Tool (AST)
  • BAT and TAPS
  • RTMTReports
  • CCMTraceAnalysis
  • PktCap
  • Administrator Reporting Tool (ART)
  • CCMServiceTraceCollectionTool

To use a certificate issued by a CA after a Cisco CallManager installation or upgrade, delete the self-signed certificate and install the CA signed certificate instead.

Note

For more information on how to obtain a certificate from an external CA, contact a vendor of Internet certificates such as VeriSign or consult with the administrator of your company CA (if using your own CA).

 

Accessing CallManager When Using Self-Signed Certificates

The first time that a user accesses Cisco CallManager Administration or other Cisco CallManager applications after the Cisco CallManager Release 4.1 installation or upgrade from a browser client, a Security Alert dialog box (shown in Figure 21-1) asks whether the user trusts the server. When the dialog box appears, clicking the buttons results in these actions:

  • Yes Trust the certificate for the current web session only. The Security Alert dialog box will display each time you access the application.
  • No Cancel the action. No authentication occurs, and the user cannot access the Cisco CallManager Administration pages.
  • View Certificate Start certificate installation tasks, so that the certificate is always trusted. After you install the certificate, the Security Alert dialog box no longer appears when you access the Cisco CallManager Administration pages.

Figure 21-1. Self-Signed Certificate Security Alert

Click the View Certificate button. The Security Alert dialog box appears and the Certificate window opens, shown in Figure 21-2. The General tab shows brief information about the certificate, such as the issuer and the validation. For more detailed information, click the Details tab. Another way to get information about the certificate is to check the certificate directly on the Cisco CallManager. On the Cisco CallManager publisher, right-click the certificate name in C:Program FilesCiscoCertificateshttpscert.cer and choose Open. It is not possible to change any data in the certificate.

Figure 21-2. Viewing the SSL Certificate

To keep from seeing the security warning each time you navigate to the Cisco CallManager server, click the Install Certificate button. By walking through the Microsoft Windows Certificate Import Wizard, you will import the CallManager self-signed certificate into your local certificate store. This keeps Microsoft Internet Explorer from prompting you with a security warning each time you access the CallManager Administration interface.

Part I: Cisco CallManager Fundamentals

Introduction to Cisco Unified Communications and Cisco Unified CallManager

Cisco Unified CallManager Clustering and Deployment Options

Cisco Unified CallManager Installation and Upgrades

Part II: IPT Devices and Users

Cisco IP Phones and Other User Devices

Configuring Cisco Unified CallManager to Support IP Phones

Cisco IP Telephony Users

Cisco Bulk Administration Tool

Part III: IPT Network Integration and Route Plan

Cisco Catalyst Switches

Configuring Cisco Gateways and Trunks

Cisco Unified CallManager Route Plan Basics

Cisco Unified CallManager Advanced Route Plans

Configuring Hunt Groups and Call Coverage

Implementing Telephony Call Restrictions and Control

Implementing Multiple-Site Deployments

Part IV: VoIP Features

Media Resources

Configuring User Features, Part 1

Configuring User Features, Part 2

Configuring Cisco Unified CallManager Attendant Console

Configuring Cisco IP Manager Assistant

Part V: IPT Security

Securing the Windows Operating System

Securing Cisco Unified CallManager Administration

Preventing Toll Fraud

Hardening the IP Phone

Understanding Cryptographic Fundamentals

Understanding the Public Key Infrastructure

Understanding Cisco IP Telephony Authentication and Encryption Fundamentals

Configuring Cisco IP Telephony Authentication and Encryption

Part VI: IP Video

Introducing IP Video Telephony

Configuring Cisco VT Advantage

Part VII: IPT Management

Introducing Database Tools and Cisco Unified CallManager Serviceability

Monitoring Performance

Configuring Alarms and Traces

Configuring CAR

Using Additional Management and Monitoring Tools

Part VIII: Appendix

Appendix A. Answers to Review Questions

Index



Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
EAN: 2147483647
Year: 2004
Pages: 329

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net