.. rst-class:: chapter-with-expand


How to Configure SIP Trunk Security Profiles
--------------------------------------------

1. Log in as provider, reseller, or customer administrator.
2. Make sure that the hierarchy path is set to the node where the Cisco
   Unified Communications Manager is configured.
3. Perform one of:

   * If you signed in as the provider or reseller administrator, choose
     **Device Management > CUCM > SIP Trunk Security Profiles**.
   * If you signed in as the customer administrator, choose
     **Device Management > Advanced > SIP Trunk Security Profiles**.

4. Perform one of:

   * To add a new SIP trunk security profile, click **Add**, then go to Step 5.
   * To edit an existing SIP trunk security profile, click the SIP trunk security
     profile to be updated. Go to Step 6.

5. If the **Network Device List** popup window appears, select the NDL for the
   SIP trunk security profile from the drop-down menu. The window appears when you
   are on a non-site hierarchy node. If you are at a site hierarchy node, the NDL
   associated with the site is automatically used.

   Note:

   The **Network Device List** drop-down menu appears when a SIP trunk security
   profile is added. It does not appear when you edit a SIP trunk security profile.

6. Enter a unique name for the new SIP trunk security profile in the **Name** field,
   or modify the existing Name if desired. This field is mandatory.

7. Complete, at minimum, the other mandatory :ref:`sip_trunk_security_profiles_fields`.

8. Click **Save** to save a new SIP trunk security profile or to update an existing
   SIP trunk security profile.


.. _sip_trunk_security_profiles_fields:

SIP Trunk Security Profiles Fields
..................................


.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+-----------------------------------------------------------+
| Option         | Description                                               |
+================+===========================================================+
| Name           | Enter a name for the security profile. When you save the  |
| (Mandatory)    | new profile, the name displays in the **SIP Trunk Security|
|                | Profile** drop-down list in the Trunk Configuration       |
|                | window. The maximum length for the name is 64 characters. |
+----------------+-----------------------------------------------------------+
| Description    | Enter a description for the security profile. The         |
| (Optional)     | description can include up to 50 characters in any        |
|                | language, but it cannot include double-quotes ("),        |
|                | percentage sign (%), ampersand (&), back-slash (\\), or   |
|                | angle brackets (<>).                                      |
+----------------+-----------------------------------------------------------+
| Device         | From the drop-down list, choose one of the following      |
| Security Mode  | options:                                                  |
| (Optional)     |                                                           |
|                | - **Non Secure** - No security features except image      |
|                |   authentication apply. A TCP or UDP connection opens to  |
|                |   Cisco Unified Communications Manager.                   |
|                | - **Authenticated** - Unified CM provides integrity and   |
|                |   authentication for the trunk. A TLS connection that     |
|                |   uses NULL/SHA opens.                                    |
|                | - **Encrypted** - Unified CM provides integrity,          |
|                |   authentication, and signaling encryption for the        |
|                |   trunk. A TLS connection that uses AES128/SHA opens for  |
|                |   signaling.                                              |
+----------------+-----------------------------------------------------------+
| Incoming       | Choose one of:                                            |
| Transport Type |                                                           |
| (Optional)     | -  TCP+UDP                                                |
|                | -  UDP                                                    |
|                | -  TLS                                                    |
|                | -  TCP                                                    |
|                |                                                           |
|                | If you do not specify an incoming transport type,         |
|                | **TCP+UDP** is assigned.                                  |
|                |                                                           |
|                | When **Device Security Mode** is **Non Secure**,          |
|                | **TCP+UDP** specifies the transport type.                 |
|                |                                                           |
|                | When **Device Security Mode** is **Authenticated** or     |
|                | **Encrypted**, **TLS** specifies the transport type.      |
|                |                                                           |
|                | Note:                                                     |
|                |                                                           |
|                | The Transport Layer Security (TLS) protocol secures       |
|                | the connection between Unified CM and the trunk.          |
+----------------+-----------------------------------------------------------+


.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Outgoing       | From the drop-down list, choose the outgoing transport     |
| Transport Type | mode. Choose one of:                                       |
| (Optional)     |                                                            |
|                | -  TCP+UDP                                                 |
|                | -  UDP                                                     |
|                | -  TLS                                                     |
|                | -  TCP                                                     |
|                |                                                            |
|                | When **Device Security Mode** is **Non Secure**, choose    |
|                | **TCP** or **UDP**.                                        |
|                |                                                            |
|                | When **Device Security Mode** is **Authenticated** or      |
|                | **Encrypted**, **TLS** specifies the transport type.       |
|                |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | **TLS** ensures signaling integrity, device                |
|                | authentication, and signaling encryption for SIP           |
|                | trunks.                                                    |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | Use **UDP** as the outgoing transport type when            |
|                | connecting SIP trunks between Unified CM systems and       |
|                | IOS gateways that do not support TCP connection            |
|                | reuse. See "Understanding Session Initiation Protocol      |
|                | (SIP)" in the "Cisco Unified Communications Manager        |
|                | System Guide" for more information.                        |
+----------------+------------------------------------------------------------+
| Enable Digest  | Select this check box to enable digest authentication. If  |
| Authentication | you select this check box, Unified CM challenges all SIP   |
| (Optional)     | requests from the trunk.                                   |
|                |                                                            |
|                | Digest authentication does not provide device              |
|                | authentication, integrity, or confidentiality. Choose a    |
|                | security mode of **Authenticated** or **Encrypted** to use |
|                | these features.                                            |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | Use digest authentication to authenticate SIP trunk        |
|                | users on trunks that are using TCP or UDP transport.       |
+----------------+------------------------------------------------------------+
| Nonce Validity | Enter the number of minutes that the nonce value is valid. |
| Time (mins)    | When the time expires, Unified CM generates a new value.   |
| (Optional)     |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | A nonce value (a random number that supports digest        |
|                | authentication) is used to calculate the MD5 hash of       |
|                | the digest authentication password.                        |
|                |                                                            |
|                | Default = 600 minutes. If you do not specify a Nonce       |
|                | Validity Time, the default of 600 minutes is assigned.     |
+----------------+------------------------------------------------------------+
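
As an added example (not part of the original page and not VOSS Automate or Unified CM code), the following Python script audits a set of profiles against the rules in the two tables above: the Name and Description limits, the forbidden Description characters, the transport type implied by the Device Security Mode, digest authentication on a non-TLS trunk, and the Nonce Validity Time default. The dataclass, its field names, the finding codes and the sample profiles are all constructed for this example; they are not an export format of either product.

```python
# Added example: audit SIP trunk security profiles against the field rules in
# the tables above. Dataclass, field names, finding codes and sample profiles are
# constructed for this example, not a VOSS Automate or Unified CM data format.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NAME_MAX = 64                       # Name: at most 64 characters
DESCRIPTION_MAX = 50                # Description: at most 50 characters
DESCRIPTION_FORBIDDEN = set('"%&\\<>')
TLS_MODES = ("Authenticated", "Encrypted")
DEFAULT_NONCE_VALIDITY_MINS = 600   # assigned when Nonce Validity Time is left blank


@dataclass
class SipTrunkSecurityProfile:
    name: str
    description: str = ""
    device_security_mode: str = "Non Secure"       # Non Secure | Authenticated | Encrypted
    incoming_transport_type: Optional[str] = None  # TCP+UDP | UDP | TLS | TCP, or unset
    outgoing_transport_type: Optional[str] = None
    enable_digest_authentication: bool = False
    nonce_validity_time_mins: Optional[int] = None


def effective_incoming_transport(p: SipTrunkSecurityProfile) -> str:
    """Transport actually used for incoming requests: the Authenticated and
    Encrypted modes force TLS, and an unset value falls back to TCP+UDP."""
    if p.device_security_mode in TLS_MODES:
        return "TLS"
    return p.incoming_transport_type or "TCP+UDP"


def audit_profile(p: SipTrunkSecurityProfile) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one profile; [] means nothing to flag."""
    findings: List[Tuple[str, str]] = []
    if not p.name:
        findings.append(("NAME_MISSING", "Name is mandatory"))
    elif len(p.name) > NAME_MAX:
        findings.append(("NAME_TOO_LONG", f"Name exceeds {NAME_MAX} characters"))
    if len(p.description) > DESCRIPTION_MAX:
        findings.append(("DESCRIPTION_TOO_LONG", f"Description exceeds {DESCRIPTION_MAX} characters"))
    bad_chars = sorted(DESCRIPTION_FORBIDDEN & set(p.description))
    if bad_chars:
        findings.append(("DESCRIPTION_FORBIDDEN_CHARS", f"Description contains {bad_chars}"))

    mode = p.device_security_mode
    if mode == "Non Secure":
        findings.append(("NON_SECURE_MODE",
                         "only image authentication applies; signaling has no "
                         "integrity protection or encryption"))
        if p.outgoing_transport_type == "TLS":
            findings.append(("OUTGOING_TLS_IN_NON_SECURE_MODE",
                             "Non Secure mode expects TCP or UDP outgoing, not TLS"))
    elif mode in TLS_MODES:
        if p.incoming_transport_type not in (None, "TLS"):
            findings.append(("INCOMING_TRANSPORT_FORCED_TO_TLS",
                             f"{mode} mode uses TLS, overriding {p.incoming_transport_type}"))
    else:
        findings.append(("UNKNOWN_SECURITY_MODE", f"unrecognised mode {mode!r}"))

    # Digest authentication alone gives no device authentication, integrity or
    # confidentiality; only the Authenticated/Encrypted (TLS) modes do.
    if p.enable_digest_authentication and effective_incoming_transport(p) != "TLS":
        findings.append(("DIGEST_WITHOUT_TLS",
                         "digest authentication on a non-TLS trunk: no device "
                         "authentication, integrity or confidentiality"))

    nonce = (p.nonce_validity_time_mins if p.nonce_validity_time_mins is not None
             else DEFAULT_NONCE_VALIDITY_MINS)
    if nonce <= 0:
        findings.append(("NONCE_VALIDITY_INVALID", "nonce validity must be a positive number of minutes"))
    elif p.enable_digest_authentication and nonce > DEFAULT_NONCE_VALIDITY_MINS:
        findings.append(("NONCE_VALIDITY_ABOVE_DEFAULT",
                         f"nonce stays valid for {nonce} minutes, longer than the "
                         f"{DEFAULT_NONCE_VALIDITY_MINS}-minute default"))
    return findings


def audit_all(profiles: List[SipTrunkSecurityProfile]) -> Dict[str, List[str]]:
    """Map each profile name to its finding codes."""
    return {p.name: [code for code, _ in audit_profile(p)] for p in profiles}


# Constructed sample profiles: one clean, one with several issues.
SAMPLE_PROFILES = [
    SipTrunkSecurityProfile(name="Encrypted Trunk Profile", description="SBC peering",
                            device_security_mode="Encrypted", outgoing_transport_type="TLS"),
    SipTrunkSecurityProfile(name="Legacy Gateway Profile", description="IOS gw 100% legacy",
                            device_security_mode="Non Secure", incoming_transport_type="TCP+UDP",
                            outgoing_transport_type="UDP", enable_digest_authentication=True,
                            nonce_validity_time_mins=1440),
]

if __name__ == "__main__":
    for name, codes in audit_all(SAMPLE_PROFILES).items():
        print(f"{name}: {', '.join(codes) or 'no findings'}")
```

Run it as a script to list the findings per profile, or import `audit_all` and feed it profiles read from your own inventory; the codes are stable strings so they can be counted or filtered in a larger report.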

.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| X.509 Subject  | This field applies if you configured TLS for the incoming  |
| Name           | and outgoing transport type.                               |
| (Optional)     |                                                            |
|                | For device authentication, enter the subject name of the   |
|                | X.509 certificate for the SIP trunk device. If you have a  |
|                | Unified CM cluster or if you use SRV lookup for the TLS    |
|                | peer, a single trunk may resolve to multiple hosts. This   |
|                | situation results in multiple X.509 subject names for the  |
|                | trunk. If multiple X.509 subject names exist, enter one    |
|                | of the following characters to separate the names: space,  |
|                | comma, semicolon, or a colon.                              |
|                |                                                            |
|                | You can enter up to 4096 characters in this field.         |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | The subject name corresponds to the source connection      |
|                | TLS certificate. Ensure that each combination of subject   |
|                | name and incoming port is unique: you cannot assign the    |
|                | same subject name and incoming port combination to         |
|                | different SIP trunks.                                      |
|                |                                                            |
|                | Example:                                                   |
|                |                                                            |
|                | SIP TLS trunk1 on port 5061 has X.509 Subject Names        |
|                | my\_cm1, my\_cm2.                                          |
|                |                                                            |
|                | SIP TLS trunk2 on port 5071 has X.509 Subject Names        |
|                | my\_cm2, my\_cm3.                                          |
|                |                                                            |
|                | SIP TLS trunk3 on port 5061 can have X.509 Subject         |
|                | Name my\_ccm4 but cannot have X.509 Subject Name           |
|                | my\_cm1.                                                   |
+----------------+------------------------------------------------------------+
| Incoming Port  | Choose the incoming port. Enter a value that is a unique   |
| (Optional)     | port number from 0 to 65535. The value that you enter      |
|                | applies to all SIP trunks that use the profile.            |
|                |                                                            |
|                | The default port value for incoming TCP and UDP SIP        |
|                | messages is 5060. The default SIP secured port for         |
|                | incoming TLS messages is 5061.                             |
|                |                                                            |
|                | If the incoming port is not specified, the default port    |
|                | of 5060 is used.                                           |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | All SIP trunks that use TLS can share the same             |
|                | incoming port; all SIP trunks that use TCP + UDP can       |
|                | share the same incoming port. You cannot mix SIP TLS       |
|                | transport trunks with SIP non-TLS transport trunk          |
|                | types on the same port.                                    |
+----------------+------------------------------------------------------------+
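
The subject name and port rules above can be checked before profiles are pushed. The following Python is an added example, not code from this page or from VOSS Automate: it splits the X.509 Subject Name field on the four permitted separators, derives the effective incoming port from the documented defaults (5060 for TCP/UDP, 5061 for TLS), and reports any subject name reused on the same port or any port shared by TLS and non-TLS trunks. The profile dictionaries mirror the trunk1/trunk2/trunk3 example in the table and are constructed sample data; the dictionary keys are this example's own.

```python
# Added example: validate the X.509 Subject Name and Incoming Port rules across
# several SIP trunk security profiles. Dictionary keys and sample data are
# constructed for this example, not VOSS Automate or Unified CM data.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

X509_SUBJECT_NAME_MAX = 4096
# Subject names may be separated by a space, comma, semicolon or colon.
SUBJECT_NAME_SEPARATORS = re.compile(r"[ ,;:]+")
# Documented defaults when Incoming Port is left blank.
DEFAULT_INCOMING_PORT = {"TLS": 5061, "TCP+UDP": 5060, "TCP": 5060, "UDP": 5060}


def parse_subject_names(value: str) -> List[str]:
    """Split the X.509 Subject Name field into individual subject names."""
    if len(value) > X509_SUBJECT_NAME_MAX:
        raise ValueError(f"X.509 Subject Name field exceeds {X509_SUBJECT_NAME_MAX} characters")
    return [name for name in SUBJECT_NAME_SEPARATORS.split(value.strip()) if name]


def incoming_port(profile: dict) -> int:
    """Explicit port if configured, else the documented default for the transport."""
    port = profile.get("incoming_port")
    if port is None:
        return DEFAULT_INCOMING_PORT[profile["incoming_transport"]]
    if not 0 <= port <= 65535:
        raise ValueError(f"{profile['name']}: port {port} is outside 0-65535")
    return port


def check_profiles(profiles: List[dict]) -> List[Tuple[str, str]]:
    """Return (code, detail) conflicts between the given profiles; [] if none."""
    conflicts: List[Tuple[str, str]] = []
    owner: Dict[Tuple[str, int], str] = {}           # (subject name, port) -> profile name
    kinds_on_port: Dict[int, Set[str]] = defaultdict(set)
    for p in profiles:
        port = incoming_port(p)
        is_tls = p["incoming_transport"] == "TLS"
        kinds_on_port[port].add("TLS" if is_tls else "non-TLS")
        if not is_tls:
            continue  # X.509 subject names only apply to TLS trunks
        for name in parse_subject_names(p.get("x509_subject_names", "")):
            key = (name, port)
            if key in owner and owner[key] != p["name"]:
                conflicts.append(("SUBJECT_NAME_PORT_CONFLICT",
                                  f"{name} on port {port} is used by both {owner[key]} and {p['name']}"))
            else:
                owner[key] = p["name"]
    # TLS and non-TLS trunks cannot share an incoming port.
    for port, kinds in sorted(kinds_on_port.items()):
        if len(kinds) > 1:
            conflicts.append(("MIXED_TRANSPORT_ON_PORT",
                              f"port {port} is shared by TLS and non-TLS trunks"))
    return conflicts


# Constructed sample data mirroring the trunk1/trunk2/trunk3 example above.
TRUNK1 = {"name": "trunk1", "incoming_transport": "TLS", "incoming_port": 5061,
          "x509_subject_names": "my_cm1, my_cm2"}
TRUNK2 = {"name": "trunk2", "incoming_transport": "TLS", "incoming_port": 5071,
          "x509_subject_names": "my_cm2; my_cm3"}
TRUNK3_OK = {"name": "trunk3", "incoming_transport": "TLS", "incoming_port": 5061,
             "x509_subject_names": "my_ccm4"}
TRUNK3_BAD = {"name": "trunk3", "incoming_transport": "TLS", "incoming_port": 5061,
              "x509_subject_names": "my_cm1"}
TCP_TRUNK_ON_5061 = {"name": "tcp-trunk", "incoming_transport": "TCP+UDP", "incoming_port": 5061}

if __name__ == "__main__":
    print("valid set:", check_profiles([TRUNK1, TRUNK2, TRUNK3_OK]) or "no conflicts")
    print("conflicting set:", check_profiles([TRUNK1, TRUNK2, TRUNK3_BAD, TCP_TRUNK_ON_5061]))
```

The check is per port because the table states the constraint that way: `my_cm2` is fine on both trunk1 (5061) and trunk2 (5071), while `my_cm1` on trunk3 collides with trunk1 on 5061.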



.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Enable         | Application-level authorization applies to applications    |
| application    | that are connected through the SIP trunk.                  |
| level          |                                                            |
| authorization  | If you select this check box, also select the **Enable     |
| (Optional)     | Digest Authentication** check box and configure digest     |
|                | authentication for the trunk. Unified CM authenticates a   |
|                | SIP application user before checking the allowed           |
|                | application methods.                                       |
|                |                                                            |
|                | When application level authorization is enabled,           |
|                | trunk-level authorization occurs first, and                |
|                | application-level authorization occurs second. Unified CM  |
|                | checks the methods authorized for the trunk (in this       |
|                | security profile) before the methods authorized for the    |
|                | SIP application user in the **Application User             |
|                | Configuration** window.                                    |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | Consider using application-level authorization if you      |
|                | do not trust the identity of the application or if         |
|                | the application is not trusted on a particular trunk.      |
|                | Application requests may come from a different trunk       |
|                | than you expect.                                           |
|                |                                                            |
|                | For more information about configuring application level   |
|                | authorization at the **Application User Configuration**    |
|                | window, see the "Cisco Unified Communications Manager      |
|                | Administration Guide".                                     |
+----------------+------------------------------------------------------------+
| Accept         | If you want Unified CM to accept presence subscription     |
| presence       | requests that come through the SIP trunk, select this      |
| subscription   | check box.                                                 |
| (Optional)     |                                                            |
|                | If you selected **Enable Application Level Authorization**,|
|                | go to the **Application User Configuration** window and    |
|                | select **Accept Presence Subscription** for any            |
|                | application users authorized for this feature.             |
|                |                                                            |
|                | When application-level authorization is enabled, if you    |
|                | select **Accept Presence Subscription** for the            |
|                | application user but not for the trunk, a 403 error        |
|                | message is sent to the SIP user agent connected to the     |
|                | trunk.                                                     |
+----------------+------------------------------------------------------------+
| Accept         | If you want Unified CM to accept incoming non-INVITE,      |
| out-of-dialog  | Out-of-Dialog REFER requests that come through the SIP     |
| refer          | trunk, select this check box.                              |
| (Optional)     |                                                            |
|                | If you selected **Enable Application Level                 |
|                | Authorization**, go to the **Application User              |
|                | Configuration** window and select **Accept out-of-dialog   |
|                | refer** for any application users authorized for this      |
|                | method.                                                    |
|                |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | If this profile is associated with an EMCC SIP trunk,      |
|                | Accept Out-of-Dialog REFER is enabled regardless of        |
|                | the setting on this page.                                  |
+----------------+------------------------------------------------------------+
| Accept         | If you want Unified CM to accept incoming non-INVITE,      |
| unsolicited    | unsolicited notification messages that come through the    |
| notification   | SIP trunk, select this check box.                          |
| (Optional)     |                                                            |
|                | If you selected **Enable Application Level                 |
|                | Authorization**, go to the **Application User              |
|                | Configuration** window and select **Accept Unsolicited     |
|                | Notification** for any application users authorized for    |
|                | this method.                                               |
+----------------+------------------------------------------------------------+
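
To make the ordering of trunk-level and application-level authorization concrete, here is an added Python model of the decision described above for the four "Accept ..." methods (presence subscription, out-of-dialog REFER, unsolicited notification and the replaces header). It is not Unified CM code; its class and field names are constructed for this example. The 403 outcome is applied only to the documented presence-subscription case, and a trunk with application-level authorization enabled but digest authentication disabled is treated as misconfigured, which is an assumption of this model rather than documented Unified CM behaviour.

```python
# Added example: a simplified model of trunk-level then application-level
# authorization for SIP requests, as described in the tables above. Class and
# field names are constructed for this example; this is not Unified CM code.
from dataclasses import dataclass
from typing import Optional, Tuple

# Method-specific "Accept ..." switches, named after the options in the tables.
ACCEPT_FLAGS = {
    "presence subscription": "accept_presence_subscription",
    "out-of-dialog REFER": "accept_out_of_dialog_refer",
    "unsolicited notification": "accept_unsolicited_notification",
    "replaces header": "accept_replaces_header",
}


@dataclass
class TrunkSecurityProfile:
    enable_digest_authentication: bool = False
    enable_application_level_authorization: bool = False
    accept_presence_subscription: bool = False
    accept_out_of_dialog_refer: bool = False
    accept_unsolicited_notification: bool = False
    accept_replaces_header: bool = False
    emcc_trunk: bool = False  # EMCC trunks accept out-of-dialog REFER regardless of the setting


@dataclass
class ApplicationUser:
    name: str
    digest_credentials_valid: bool = False  # constructed stand-in for the digest challenge outcome
    accept_presence_subscription: bool = False
    accept_out_of_dialog_refer: bool = False
    accept_unsolicited_notification: bool = False
    accept_replaces_header: bool = False


def trunk_accepts(trunk: TrunkSecurityProfile, method: str) -> bool:
    """Trunk-level check from this security profile (EMCC override included)."""
    if method == "out-of-dialog REFER" and trunk.emcc_trunk:
        return True
    return getattr(trunk, ACCEPT_FLAGS[method])


def authorize(method: str, trunk: TrunkSecurityProfile,
              user: Optional[ApplicationUser] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request of the given method on the trunk."""
    if method not in ACCEPT_FLAGS:
        raise ValueError(f"unknown method {method!r}")
    # 1. Trunk-level authorization always runs first.
    if not trunk_accepts(trunk, method):
        if (method == "presence subscription" and trunk.enable_application_level_authorization
                and user is not None and user.accept_presence_subscription):
            # Documented case: allowed for the application user but not on the trunk.
            return False, "403: presence subscription allowed for the application user but not on the trunk"
        return False, f"rejected: trunk profile does not accept {method}"
    if not trunk.enable_application_level_authorization:
        return True, "accepted by trunk-level authorization"
    # 2. Application-level: the user is authenticated before its methods are checked.
    if not trunk.enable_digest_authentication:
        # Assumption of this model: the page requires digest authentication here.
        return False, "misconfigured: application-level authorization requires digest authentication"
    if user is None or not user.digest_credentials_valid:
        return False, "rejected: digest authentication failed"
    if not getattr(user, ACCEPT_FLAGS[method]):
        return False, f"rejected: application user {user.name} is not authorized for {method}"
    return True, f"accepted for application user {user.name}"


if __name__ == "__main__":
    # Constructed scenario: trunk allows REFER only, app user allows presence and REFER.
    trunk = TrunkSecurityProfile(enable_digest_authentication=True,
                                 enable_application_level_authorization=True,
                                 accept_out_of_dialog_refer=True)
    user = ApplicationUser("presence-app", digest_credentials_valid=True,
                           accept_presence_subscription=True, accept_out_of_dialog_refer=True)
    for m in ACCEPT_FLAGS:
        print(f"{m}: {authorize(m, trunk, user)}")
```

The useful property to notice is that enabling a method only on the application user never widens what the trunk accepts; the trunk profile is the outer gate, and the application user can only narrow it further.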



.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Accept         | If you want Unified CM to accept new SIP dialogs, which    |
| replaces       | have replaced existing SIP dialogs, select this check box. |
| header         |                                                            |
| (Optional)     | If you selected **Enable Application Level Authorization**,|
|                | go to the **Application User Configuration** window and    |
|                | select **Accept Header Replacement** for any application   |
|                | users authorized for this method.                          |
+----------------+------------------------------------------------------------+
| Transmit       | If you want Unified CM to send the security icon status    |
| security       | of a call from the associated SIP trunk to the SIP peer,   |
| status         | select this check box.                                     |
| (Optional)     |                                                            |
|                | Default = Cleared.                                         |
+----------------+------------------------------------------------------------+
| Allow charging | If you want to allow RFC 3455 SIP charging headers in      |
| header         | transactions (for example, where billing information is    |
| (Optional)     | passed in the headers for prepaid accounts), select this   |
|                | check box. If the check box is clear, RFC 3455 SIP charging|
|                | headers are not allowed in sessions that use the SIP       |
|                | profile. Default = **Cleared**.                            |
+----------------+------------------------------------------------------------+
| SIP V.150      | Choose one of the following filter options from the        |
| Outbound SDP   | drop-down list:                                            |
| Offer          |                                                            |
| Filtering      | - **Use Default Filter** - The SIP trunk uses the default  |
| (Mandatory)    |   filter that is indicated in the SIP V.150 Outbound SDP   |
|                |   Offer Filtering service parameter. To locate the         |
|                |   service parameter, go to System Service Parameters       |
|                |   Clusterwide Parameters (Device-SIP) in Unified CM        |
|                |   Administration.                                          |
|                | - **No Filtering** - The SIP trunk performs no filtering   |
|                |   of V.150 SDP lines in outbound offers.                   |
|                | - **Remove MER V.150** - The SIP trunk removes V.150 MER   |
|                |   SDP lines in outbound offers. Choose this option to      |
|                |   reduce ambiguity when the trunk is connected to a        |
|                |   pre-MER V.150 Unified CM.                                |
|                | - **Remove Pre-MER V.150** - The SIP trunk removes any     |
|                |   non-MER compliant V.150 lines in outbound offers.        |
|                |   Choose this option to reduce ambiguity when your         |
|                |   cluster is in a network of MER-compliant devices that    |
|                |   cannot process offers with pre-MER lines.                |
|                |                                                            |
|                | Default = **Use Default Filter**.                          |
+----------------+------------------------------------------------------------+