
Model: relation/HcsSipTrunkSecurityProfileREL

SIP Trunk Security Profiles

  1. Log in as provider, reseller, or customer administrator.

  2. Make sure that the hierarchy path is set to the node where the Cisco Unified Communications Manager is configured.

  3. Perform one of:

  4. Perform one of:

  5. If the Network Device List popup window appears, select the NDL for the SIP trunk security profile from the drop-down menu. The window appears when you are on a non-site hierarchy node. If you are at a site hierarchy node, the NDL associated with the site is automatically used.

    Note:

    The Network Device List drop-down menu appears when a SIP trunk security profile is added. It does not appear when you edit a SIP trunk security profile.

  6. Enter a unique name for the new SIP trunk security profile in the Name field, or modify the existing Name if desired. This field is mandatory.

  7. Complete, at minimum, the other mandatory fields described under SIP Trunk Security Profiles Fields.

  8. Click Save to save a new SIP trunk security profile or to update an existing SIP trunk security profile.

SIP Trunk Security Profiles Fields

Option Description
Name (Mandatory) Enter a name for the security profile. When you save the new profile, the name displays in the SIP Trunk Security Profile drop-down list in the Trunk Configuration window. The maximum length for the name is 64 characters.
Description (Optional) Enter a description for the security profile. The description can include up to 50 characters in any language, but it cannot include double-quotes ("), percentage sign (%), ampersand (&), back-slash (\), or angle brackets (<>).
Device Security Mode (Optional)

From the drop-down list, choose one of the following options:

  • Non Secure - No security features except image authentication apply. A TCP or UDP connection opens to Cisco Unified Communications Manager.
  • Authenticated - Unified CM provides integrity and authentication for the trunk. A TLS connection that uses NULL/SHA opens.
  • Encrypted - Unified CM provides integrity, authentication, and signaling encryption for the trunk. A TLS connection that uses AES128/SHA opens for signaling.
Incoming Transport Type (Optional)

Choose one of:

  • TCP+UDP
  • UDP
  • TLS
  • TCP

If you do not specify an incoming transport type, TCP+UDP is assigned.

When Device Security Mode is Non Secure, TCP+UDP specifies the transport type.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note:

The Transport Layer Security (TLS) protocol secures the connection between Unified CM and the trunk.

Outgoing Transport Type (Optional)

From the drop-down list, choose the outgoing transport mode. Choose one of:

  • TCP+UDP
  • UDP
  • TLS
  • TCP

When Device Security Mode is Non Secure, choose TCP or UDP.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note:

TLS ensures signaling integrity, device authentication, and signaling encryption for SIP trunks.

Tip:

Use UDP as the outgoing transport type when connecting SIP trunks between Unified CM systems and IOS gateways that do not support TCP connection reuse. See "Understanding Session Initiation Protocol (SIP)" in the "Cisco Unified Communications Manager System Guide" for more information.

Enable Digest Authentication (Optional)

Select this check box to enable digest authentication. If you select this check box, Unified CM challenges all SIP requests from the trunk.

Digest authentication does not provide device authentication, integrity, or confidentiality. Choose a security mode of Authenticated or Encrypted to use these features.

Tip:

Use digest authentication to authenticate SIP trunk users on trunks that are using TCP or UDP transport.

Nonce Validity Time (mins) (Optional)

Enter the number of minutes that the nonce value is valid. When the time expires, Unified CM generates a new value.

Note:

A nonce value (a random number that supports digest authentication) is used to calculate the MD5 hash of the digest authentication password.

Default = 600 minutes. If you do not specify a Nonce Validity Time, the default of 600 minutes is assigned.

X.509 Subject Name (Optional)

This field applies if you configured TLS for the incoming and outgoing transport type.

For device authentication, enter the subject name of the X.509 certificate for the SIP trunk device. If you have a Unified CM cluster or if you use SRV lookup for the TLS peer, a single trunk may resolve to multiple hosts. This situation results in multiple X.509 subject names for the trunk. If multiple X.509 subject names exist, enter one of the following characters to separate the names: space, comma, semicolon, or a colon.

You can enter up to 4096 characters in this field.

Tip:

The subject name corresponds to the TLS certificate of the source connection. Ensure that each combination of subject name and incoming port is unique: you cannot assign the same subject name and incoming port combination to different SIP trunks.

Example:

SIP TLS trunk1 on port 5061 has X.509 Subject Names my_cm1, my_cm2.

SIP TLS trunk2 on port 5071 has X.509 Subject Names my_cm2, my_cm3.

SIP TLS trunk3 on port 5061 can have X.509 Subject Name my_ccm4 but cannot have X.509 Subject Name my_cm1.

Incoming Port (Optional)

Choose the incoming port. Enter a value that is a unique port number from 0 to 65535. The value that you enter applies to all SIP trunks that use the profile.

The default port value for incoming TCP and UDP SIP messages is 5060. The default SIP secured port for incoming TLS messages is 5061.

If the incoming port is not specified, the default port of 5060 is used.

Tip:

All SIP trunks that use TLS can share the same incoming port; all SIP trunks that use TCP + UDP can share the same incoming port. You cannot mix SIP TLS transport trunks with SIP non-TLS transport trunk types on the same port.

Enable application level authorization (Optional)

Application-level authorization applies to applications that are connected through the SIP trunk.

If you select this check box, also select the Enable Digest Authentication check box and configure digest authentication for the trunk. Unified CM authenticates a SIP application user before checking the allowed application methods.

When application level authorization is enabled, trunk-level authorization occurs first, and application-level authorization occurs second. Unified CM checks the methods authorized for the trunk (in this security profile) before the methods authorized for the SIP application user in the Application User Configuration window.

Tip:

Consider using application-level authorization if you do not trust the identity of the application or if the application is not trusted on a particular trunk. Application requests may come from a different trunk than you expect.

For more information about configuring application level authorization at the Application User Configuration window, see the "Cisco Unified Communications Manager Administration Guide".

Accept presence subscription (Optional)

If you want Unified CM to accept presence subscription requests that come through the SIP trunk, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Presence Subscription for any application users authorized for this feature.

When application-level authorization is enabled, if you select Accept Presence Subscription for the application user but not for the trunk, a 403 error message is sent to the SIP user agent connected to the trunk.

Accept out-of-dialog refer (Optional)

If you want Unified CM to accept incoming non-INVITE, Out-of-Dialog REFER requests that come through the SIP trunk, select this check box. If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept out-of-dialog refer for any application users authorized for this method.

Note:

If this profile is associated with an EMCC SIP trunk, Accept Out-of-Dialog REFER is enabled regardless of the setting on this page.

Accept unsolicited notification (Optional)

If you want Unified CM to accept incoming non-INVITE, unsolicited notification messages that come through the SIP trunk, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Unsolicited Notification for any application users authorized for this method.

Accept replaces header (Optional)

If you want Unified CM to accept new SIP dialogs, which have replaced existing SIP dialogs, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Header Replacement for any application users authorized for this method.

Transmit security status (Optional)

If you want Unified CM to send the security icon status of a call from the associated SIP trunk to the SIP peer, select this check box.

Default = Cleared.

Allow charging header (Optional)

If you want to allow RFC 3455 SIP charging headers in transactions (for example, where billing information is passed in the headers for prepaid accounts), select this check box. If the check box is clear, RFC 3455 SIP charging headers are not allowed in sessions that use the SIP profile.

Default = Cleared.

SIP V.150 Outbound SDP Offer Filtering (Mandatory)

Choose one of the following filter options from the drop-down list:

  • Use Default Filter - The SIP trunk uses the default filter that is indicated in the SIP V.150 Outbound SDP Offer Filtering service parameter. To locate the service parameter, go to System > Service Parameters > Clusterwide Parameters (Device-SIP) in Unified CM Administration.
  • No Filtering - The SIP trunk performs no filtering of V.150 SDP lines in outbound offers.
  • Remove MER V.150 - The SIP trunk removes V.150 MER SDP lines in outbound offers. Choose this option to reduce ambiguity when the trunk is connected to a pre-MER V.150 Unified CM.
  • Remove Pre-MER V.150 - The SIP trunk removes any non-MER compliant V.150 lines in outbound offers. Choose this option to reduce ambiguity when your cluster is in a network of MER-compliant devices that cannot process offers with pre-MER lines.

Default = Use Default Filter.
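The consistency rules spread across the field descriptions above (secure modes run over TLS, application-level authorization needs digest authentication, forbidden Description characters, no TLS/non-TLS mix on one incoming port, unique X.509 subject name per port) can be checked before a profile set is pushed. This is an added validator, not part of the product or this page; it takes plain dicts keyed by the relation's field names (securityMode, incomingTransport, x509SubjectName, ...) and the sample data is constructed to mirror the trunk1/trunk2/trunk3 example.

```python
import re
SECURE_MODES = {"Authenticated", "Encrypted"}
FORBIDDEN_DESC_CHARS = set('"%&\\<>')      # Description may not contain these

def check_profile(p):
    # Per-profile rules; keys are the relation's field names (securityMode, ...)
    errors = []
    if not p.get("name"):
        errors.append("name is mandatory")
    bad = sorted(FORBIDDEN_DESC_CHARS & set(p.get("description") or ""))
    if bad:
        errors.append("description contains forbidden characters: %s" % bad)
    mode = p.get("securityMode") or "Non Secure"
    transports = {"incoming": p.get("incomingTransport") or "TCP+UDP",
                  "outgoing": p.get("outgoingTransport")}
    if mode in SECURE_MODES:
        # Authenticated/Encrypted run over TLS; an explicit non-TLS value is an error
        for label, t in transports.items():
            if t not in (None, "TLS"):
                errors.append("%s mode requires TLS %s transport, got %s" % (mode, label, t))
    if p.get("applLevelAuthentication") and not p.get("digestAuthentication"):
        errors.append("applLevelAuthentication requires digestAuthentication")
    return errors

def check_profiles(profiles):
    # Cross-profile rules: TLS and non-TLS trunks never share an incoming port, and
    # an X.509 subject name + incoming port pair belongs to exactly one profile.
    errors, port_is_tls, subject_owner = {}, {}, {}
    for p in profiles:
        errs, name = check_profile(p), p.get("name") or "<unnamed>"
        port = p.get("incomingPort", 5060)
        is_tls = (p.get("incomingTransport") or "TCP+UDP") == "TLS"
        if port_is_tls.setdefault(port, is_tls) != is_tls:
            errs.append("port %d mixes TLS and non-TLS transport" % port)
        # Subject names may be separated by space, comma, semicolon or colon
        for subj in filter(None, re.split(r"[ ,;:]+", p.get("x509SubjectName") or "")):
            owner = subject_owner.setdefault((subj, port), name)
            if owner != name:
                errs.append("subject %s on port %d already used by %s" % (subj, port, owner))
        if errs:
            errors[name] = errs
    return errors

# Constructed sample mirroring the page's X.509 example: trunk3 reuses my_cm1 on 5061
_TLS = {"securityMode": "Encrypted", "incomingTransport": "TLS"}
SAMPLE_PROFILES = [
    dict(_TLS, name="trunk1", incomingPort=5061, x509SubjectName="my_cm1, my_cm2"),
    dict(_TLS, name="trunk2", incomingPort=5071, x509SubjectName="my_cm2 my_cm3"),
    dict(_TLS, name="trunk3", incomingPort=5061, x509SubjectName="my_cm1"),
]
```

Running check_profiles(SAMPLE_PROFILES) reports only trunk3, because my_cm1 on port 5061 is already owned by trunk1 while trunk2 reuses my_cm2 on a different port without conflict.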

This relation wraps the device/cucm/SipTrunkSecurityProfile element.

Model Details: relation/HcsSipTrunkSecurityProfileREL

Title Description Details
Digest Authentication
  • Field Name: digestAuthentication
  • Type: Boolean
  • Cardinality: [0..1]
X509Subject Name
  • Field Name: x509SubjectName
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • MaxLength: 4096
Name *
  • Field Name: name
  • Type: String
  • Cardinality: [1..1]
  • MaxLength: 75
Accept Presence Subscription
  • Field Name: acceptPresenceSubscription
  • Type: Boolean
  • Cardinality: [0..1]
Accept Unsolicited Notification
  • Field Name: acceptUnsolicitedNotification
  • Type: Boolean
  • Cardinality: [0..1]
Sip V150Outbound Sdp Offer Filtering * Default: Use Default Filter
  • Field Name: sipV150OutboundSdpOfferFiltering
  • Type: String
  • Cardinality: [1..1]
  • Default: Use Default Filter
  • Choices: ["No Filtering", "Remove MER V.150", "Remove Pre-MER V.150", "Use Default Filter"]
Accept Out Of Dialog Refer
  • Field Name: acceptOutOfDialogRefer
  • Type: Boolean
  • Cardinality: [0..1]
Allow Replace Header
  • Field Name: allowReplaceHeader
  • Type: Boolean
  • Cardinality: [0..1]
Security Mode
  • Field Name: securityMode
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • Choices: ["Non Secure", "Authenticated", "Encrypted"]
Appl Level Authentication
  • Field Name: applLevelAuthentication
  • Type: Boolean
  • Cardinality: [0..1]
Allow Charging Header
  • Field Name: allowChargingHeader
  • Type: Boolean
  • Cardinality: [0..1]
Nonce Policy Time This value can be changed only if digestAuthentication is enabled. Default: 600
  • Field Name: noncePolicyTime
  • Type: Integer
  • Cardinality: [0..1]
  • Default: 600
Outgoing Transport
  • Field Name: outgoingTransport
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • Choices: ["TCP", "UDP", "TLS", "TCP+UDP"]
Incoming Port Default: 5060
  • Field Name: incomingPort
  • Type: Integer
  • Cardinality: [0..1]
  • Default: 5060
Incoming Transport Default: TCP+UDP
  • Field Name: incomingTransport
  • Type: String
  • Cardinality: [0..1]
  • Default: TCP+UDP
  • Choices: ["TCP", "UDP", "TLS", "TCP+UDP"]
Transmit Security Status
  • Field Name: transmitSecurityStatus
  • Type: Boolean
  • Cardinality: [0..1]
Description
  • Field Name: description
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • MaxLength: 100
Shadow
  • Field Name: shadow.[n]
  • Type: Array
  • Cardinality: [0..1]
Name *
  • Field Name: shadow.[n].name
  • Type: String
  • MaxLength: 1024