SIP Trunk Security Profile Field Descriptions
---------------------------------------------


.. tabularcolumns:: |p{4cm}|p{11cm}|

+----------------+-----------------------------------------------------------+
| Option         | Description                                               |
+================+===========================================================+
| Name           | Enter a name for the security profile. When you save the  |
| (Mandatory)    | new profile, the name displays in the **SIP Trunk Security|
|                | Profile** drop-down list in the Trunk Configuration       |
|                | window. The maximum length for the name is 64 characters. |
+----------------+-----------------------------------------------------------+
| Description    | Enter a description for the security profile. The         |
| (Optional)     | description can include up to 50 characters in any        |
|                | language, but it cannot include double-quotes ("),        |
|                | percentage sign (%), ampersand (&), back-slash (\\), or   |
|                | angle brackets (<>).                                      |
+----------------+-----------------------------------------------------------+
| Device         | From the drop-down list, choose one of the following      |
| Security Mode  | options:                                                  |
| (Optional)     |                                                           |
|                | - **Non Secure** - No security features except image      |
|                |   authentication apply. A TCP or UDP connection opens to  |
|                |   Cisco Unified Communications Manager.                   |
|                | - **Authenticated** - Unified CM provides integrity and   |
|                |   authentication for the trunk. A TLS connection that     |
|                |   uses NULL/SHA opens.                                    |
|                | - **Encrypted** - Unified CM provides integrity,          |
|                |   authentication, and signaling encryption for the        |
|                |   trunk. A TLS connection that uses AES128/SHA opens for  |
|                |   signaling.                                              |
+----------------+-----------------------------------------------------------+
| Incoming       | Choose one of:                                            |
| Transport Type |                                                           |
| (Optional)     | -  TCP+UDP                                                |
|                | -  UDP                                                    |
|                | -  TLS                                                    |
|                | -  TCP                                                    |
|                |                                                           |
|                | If you do not specify an incoming transport type,         |
|                | **TCP+UDP** is assigned.                                  |
|                |                                                           |
|                | When **Device Security Mode** is **Non Secure**,          |
|                | **TCP+UDP** specifies the transport type.                 |
|                |                                                           |
|                | When **Device Security Mode** is **Authenticated** or     |
|                | **Encrypted**, **TLS** specifies the transport type.      |
|                |                                                           |
|                | Note:                                                     |
|                |                                                           |
|                | The Transport Layer Security (TLS) protocol secures       |
|                | the connection between Unified CM and the trunk.          |
+----------------+-----------------------------------------------------------+
| Outgoing       | From the drop-down list, choose the outgoing transport    |
| Transport Type | mode. Choose one of:                                      |
| (Optional)     |                                                           |
|                | -  TCP+UDP                                                |
|                | -  UDP                                                    |
|                | -  TLS                                                    |
|                | -  TCP                                                    |
|                |                                                           |
|                | When **Device Security Mode** is **Non Secure**, choose   |
|                | **TCP** or **UDP**.                                       |
|                |                                                           |
|                | When **Device Security Mode** is **Authenticated** or     |
|                | **Encrypted**, **TLS** specifies the transport type.      |
|                |                                                           |
|                | Note:                                                     |
|                |                                                           |
|                | **TLS** ensures signaling integrity, device               |
|                | authentication, and signaling encryption for SIP          |
|                | trunks.                                                   |
|                |                                                           |
|                | Tip:                                                      |
|                |                                                           |
|                | Use **UDP** as the outgoing transport type when           |
|                | connecting SIP trunks between Unified CM systems and      |
|                | IOS gateways that do not support TCP connection           |
|                | reuse. See "Understanding Session Initiation Protocol     |
|                | (SIP)" in the "Cisco Unified Communications Manager       |
|                | System Guide" for more information.                       |
+----------------+-----------------------------------------------------------+



.. tabularcolumns:: |p{4cm}|p{11cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Enable Digest  | Select this check box to enable digest authentication. If  |
| Authentication | you select this check box, Unified CM challenges all SIP   |
| (Optional)     | requests from the trunk.                                   |
|                |                                                            |
|                | Digest authentication does not provide device              |
|                | authentication, integrity, or confidentiality. Choose a    |
|                | security mode of **Authenticated** or **Encrypted** to use |
|                | these features.                                            |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | Use digest authentication to authenticate SIP trunk        |
|                | users on trunks that are using TCP or UDP transport.       |
+----------------+------------------------------------------------------------+
| Nonce Validity | Enter the number of minutes that the nonce value remains   |
| Time (mins)    | valid. When the time expires, Unified CM generates a new   |
| (Optional)     | value.                                                     |
|                |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | A nonce value (a random number that supports digest        |
|                | authentication) is used to calculate the MD5 hash of       |
|                | the digest authentication password.                        |
|                |                                                            |
|                | Default = 600 minutes. If you do not specify a Nonce       |
|                | Validity Time, the default of 600 minutes is assigned.     |
+----------------+------------------------------------------------------------+
| X.509 Subject  | This field applies if you configured TLS for the incoming  |
| Name           | and outgoing transport type.                               |
| (Optional)     |                                                            |
|                | For device authentication, enter the subject name of the   |
|                | X.509 certificate for the SIP trunk device. If you have a  |
|                | Unified CM cluster or if you use SRV lookup for the TLS    |
|                | peer, a single trunk may resolve to multiple hosts. This   |
|                | situation results in multiple X.509 subject names for the  |
|                | trunk. If multiple X.509 subject names exist, enter one    |
|                | of the following characters to separate the names: space,  |
|                | comma, semicolon, or a colon.                              |
|                |                                                            |
|                | You can enter up to 4096 characters in this field.         |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | The subject name corresponds to the source connection      |
|                | TLS certificate. Ensure that each subject name and         |
|                | incoming port combination is unique: you cannot assign     |
|                | the same subject name and incoming port combination to     |
|                | different SIP trunks.                                      |
|                |                                                            |
|                | Example:                                                   |
|                |                                                            |
|                | SIP TLS trunk1 on port 5061 has X.509 Subject Names        |
|                | my\_cm1, my\_cm2.                                          |
|                |                                                            |
|                | SIP TLS trunk2 on port 5071 has X.509 Subject Names        |
|                | my\_cm2, my\_cm3.                                          |
|                |                                                            |
|                | SIP TLS trunk3 on port 5061 can have X.509 Subject         |
|                | Name my\_ccm4 but cannot have X.509 Subject Name           |
|                | my\_cm1.                                                   |
+----------------+------------------------------------------------------------+
| Incoming Port  | Choose the incoming port. Enter a value that is a unique   |
| (Optional)     | port number from 0 to 65535. The value that you enter      |
|                | applies to all SIP trunks that use the profile.            |
|                |                                                            |
|                | The default port value for incoming TCP and UDP SIP        |
|                | messages is 5060. The default SIP secured port for         |
|                | incoming TLS messages is 5061.                             |
|                |                                                            |
|                | If the incoming port is not specified, the default port    |
|                | of 5060 is used.                                           |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | All SIP trunks that use TLS can share the same             |
|                | incoming port; all SIP trunks that use TCP + UDP can       |
|                | share the same incoming port. You cannot mix SIP TLS       |
|                | transport trunks with SIP non-TLS transport trunk          |
|                | types on the same port.                                    |
+----------------+------------------------------------------------------------+
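
The field rules in the two tables above (Device Security Mode versus transport type, the Description character set, the separators accepted in the X.509 Subject Name field, one subject name per incoming port, and no TLS trunk sharing an incoming port with a non-TLS trunk) as a checker. This is an added example, not Cisco code; the class and function names are this example's own, and the subject names in the test reproduce the my_cm1/my_cm2 example from the table.

```python
import re
from dataclasses import dataclass

# Transport types each Device Security Mode allows, taken from the tables above
# (Non Secure may use TCP+UDP, TCP or UDP inbound and TCP or UDP outbound;
# Authenticated and Encrypted require TLS in both directions).
INCOMING_ALLOWED = {"Non Secure": {"TCP+UDP", "TCP", "UDP"},
                    "Authenticated": {"TLS"}, "Encrypted": {"TLS"}}
OUTGOING_ALLOWED = {"Non Secure": {"TCP", "UDP"},
                    "Authenticated": {"TLS"}, "Encrypted": {"TLS"}}
FORBIDDEN_DESC_CHARS = set('"%&\\<>')          # characters banned in Description
SUBJECT_SEPARATORS = re.compile(r"[ ,;:]+")    # space, comma, semicolon or colon


@dataclass
class TrunkSecurityProfile:
    name: str
    device_security_mode: str = "Non Secure"
    incoming_transport: str = "TCP+UDP"
    outgoing_transport: str = "TCP"
    incoming_port: int = 5060
    x509_subject_names: str = ""
    description: str = ""

    def subject_names(self) -> list:
        """Splits the X.509 Subject Name field on any of the accepted separators."""
        return [n for n in SUBJECT_SEPARATORS.split(self.x509_subject_names) if n]


def profile_errors(p: TrunkSecurityProfile) -> list:
    """Single-profile rules: name length, Description character set, mode vs.
    transport consistency, port range and subject-name field length."""
    errs = []
    if not p.name or len(p.name) > 64:
        errs.append("Name is mandatory and limited to 64 characters")
    if len(p.description) > 50 or FORBIDDEN_DESC_CHARS & set(p.description):
        errs.append("Description exceeds 50 characters or contains a forbidden character")
    if p.device_security_mode not in INCOMING_ALLOWED:
        errs.append(f"unknown Device Security Mode {p.device_security_mode!r}")
    else:
        if p.incoming_transport not in INCOMING_ALLOWED[p.device_security_mode]:
            errs.append(f"incoming transport {p.incoming_transport} is not valid for "
                        f"{p.device_security_mode}")
        if p.outgoing_transport not in OUTGOING_ALLOWED[p.device_security_mode]:
            errs.append(f"outgoing transport {p.outgoing_transport} is not valid for "
                        f"{p.device_security_mode}")
    if not 0 <= p.incoming_port <= 65535:
        errs.append("Incoming Port must be between 0 and 65535")
    if len(p.x509_subject_names) > 4096:
        errs.append("X.509 Subject Name field exceeds 4096 characters")
    return errs


def cross_profile_errors(profiles) -> list:
    """Rules that span profiles: a subject name may appear only once per incoming
    port, and TLS and non-TLS trunks may not share an incoming port."""
    errs = []
    port_kind = {}      # incoming port -> "TLS" or "non-TLS"
    subject_owner = {}  # (subject name, incoming port) -> profile name
    for p in profiles:
        kind = "TLS" if p.incoming_transport == "TLS" else "non-TLS"
        first = port_kind.setdefault(p.incoming_port, kind)
        if first != kind:
            errs.append(f"port {p.incoming_port}: {p.name} ({kind}) mixed with {first} trunks")
        for sn in p.subject_names():
            owner = subject_owner.setdefault((sn, p.incoming_port), p.name)
            if owner != p.name:
                errs.append(f"subject name {sn} on port {p.incoming_port} already used by {owner}")
    return errs
```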
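
What the digest fields in the table above mean on the wire, as an added illustration rather than Unified CM's implementation: the server issues a nonce, retires it once the Nonce Validity Time has elapsed, and verifies the RFC 2617 response, which is the MD5 of the password-derived HA1, the nonce and the method/URI hash. The realm, user and password are constructed values, and the qop-less variant of the digest is an assumption of this example.

```python
import hashlib
import secrets
import time

REALM = "cucm.example"     # assumed realm string; Unified CM uses its configured value
PASSWORDS = {"trunk-user": "constructed-example-password"}   # constructed digest user


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


class NonceIssuer:
    """Server side of the challenge: hands out a nonce and replaces it once
    the configured Nonce Validity Time (minutes) has elapsed."""

    def __init__(self, validity_minutes: int = 600, clock=time.time):
        self.validity_seconds = validity_minutes * 60
        self.clock = clock            # injectable so a test can fast-forward time
        self._nonce = None
        self._issued_at = 0.0

    def current(self) -> str:
        now = self.clock()
        if self._nonce is None or now - self._issued_at >= self.validity_seconds:
            self._nonce = secrets.token_hex(16)   # fresh random nonce
            self._issued_at = now
        return self._nonce

    def challenge(self) -> str:
        """WWW-Authenticate value sent with the challenge to every request."""
        return f'Digest realm="{REALM}", nonce="{self.current()}", algorithm=MD5'


def digest_response(user: str, password: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), where HA1 is the
    MD5 of user:realm:password and HA2 is the MD5 of method:uri."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify(issuer: NonceIssuer, user: str, nonce: str, response: str,
           method: str, uri: str) -> bool:
    """Server check: the nonce must be the one currently valid (a stale nonce
    fails even with the right password) and the response must match."""
    if nonce != issuer.current():
        return False
    password = PASSWORDS.get(user)
    if password is None:
        return False
    expected = digest_response(user, password, nonce, method, uri)
    return secrets.compare_digest(expected, response)
```

Note that nothing here protects the signaling itself: the exchange proves knowledge of the password for one request, which is why the table points to the Authenticated or Encrypted mode for integrity and confidentiality.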



.. tabularcolumns:: |p{4cm}|p{11cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Enable         | Application-level authorization applies to applications    |
| application    | that are connected through the SIP trunk.                  |
| level          |                                                            |
| authorization  | If you select this check box, also select the **Enable     |
| (Optional)     | Digest Authentication** check box and configure digest     |
|                | authentication for the trunk. Unified CM authenticates a   |
|                | SIP application user before checking the allowed           |
|                | application methods.                                       |
|                |                                                            |
|                | When application level authorization is enabled,           |
|                | trunk-level authorization occurs first, and                |
|                | application-level authorization occurs second. Unified CM  |
|                | checks the methods authorized for the trunk (in this       |
|                | security profile) before the methods authorized for the    |
|                | SIP application user in the **Application User             |
|                | Configuration** window.                                    |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | Consider using application-level authorization if you      |
|                | do not trust the identity of the application or if         |
|                | the application is not trusted on a particular trunk.      |
|                | Application requests may come from a different trunk       |
|                | than you expect.                                           |
|                |                                                            |
|                | For more information about configuring application level   |
|                | authorization at the **Application User Configuration**    |
|                | window, see the "Cisco Unified Communications Manager      |
|                | Administration Guide".                                     |
+----------------+------------------------------------------------------------+
| Accept         | If you want Unified CM to accept presence subscription     |
| presence       | requests that come through the SIP trunk, select this      |
| subscription   | check box.                                                 |
| (Optional)     |                                                            |
|                | If you selected **Enable Application Level Authorization**,|
|                | go to the **Application User Configuration** window and    |
|                | select **Accept Presence Subscription** for any            |
|                | application users authorized for this feature.             |
|                |                                                            |
|                | When application-level authorization is enabled, if you    |
|                | select **Accept Presence Subscription** for the            |
|                | application user but not for the trunk, a 403 error        |
|                | message is sent to the SIP user agent connected to the     |
|                | trunk.                                                     |
+----------------+------------------------------------------------------------+
| Accept         | If you want Unified CM to accept incoming non-INVITE,      |
| out-of-dialog  | Out-of-Dialog REFER requests that come through the SIP     |
| refer          | trunk, select this check box.                              |
| (Optional)     |                                                            |
|                | If you selected **Enable Application Level                 |
|                | Authorization**, go to the **Application User              |
|                | Configuration** window and select **Accept out-of-dialog   |
|                | refer** for any application users authorized for this      |
|                | method.                                                    |
|                |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | If this profile is associated with an EMCC SIP trunk,      |
|                | Accept Out-of-Dialog REFER is enabled regardless of        |
|                | the setting on this page.                                  |
+----------------+------------------------------------------------------------+
| Accept         | If you want Unified CM to accept incoming non-INVITE,      |
| unsolicited    | unsolicited notification messages that come through the    |
| notification   | SIP trunk, select this check box.                          |
| (Optional)     |                                                            |
|                | If you selected **Enable Application Level                 |
|                | Authorization**, go to the **Application User              |
|                | Configuration** window and select **Accept Unsolicited     |
|                | Notification** for any application users authorized for    |
|                | this method.                                               |
+----------------+------------------------------------------------------------+
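
The authorization order this table describes (trunk-level check first, application-user check second, a 403 when the user is allowed but the trunk is not, and the EMCC override for out-of-dialog REFER) as a small decision function. This is an added example, not Unified CM code; the 401 it returns for a user who has not passed digest authentication is this example's assumption, since the table says only that the user is authenticated before the method check.

```python
from dataclasses import dataclass

# Features governed by the check boxes in the table above.
PRESENCE = "accept_presence_subscription"          # SUBSCRIBE for presence
OOD_REFER = "accept_out_of_dialog_refer"           # non-INVITE, out-of-dialog REFER
UNSOLICITED_NOTIFY = "accept_unsolicited_notification"


@dataclass
class TrunkAuthorizationSettings:
    enable_digest_authentication: bool = False
    enable_application_level_authorization: bool = False
    accepted: frozenset = frozenset()   # features ticked on the security profile
    emcc_trunk: bool = False            # profile is associated with an EMCC SIP trunk


@dataclass
class ApplicationUser:
    user_id: str
    accepted: frozenset = frozenset()   # features ticked in Application User Configuration


def trunk_accepts(profile: TrunkAuthorizationSettings, feature: str) -> bool:
    # An EMCC trunk accepts out-of-dialog REFER regardless of the check box.
    if feature == OOD_REFER and profile.emcc_trunk:
        return True
    return feature in profile.accepted


def authorize(profile, feature, app_user=None, digest_authenticated=False):
    """Returns a (SIP status, reason) pair. Trunk-level authorization runs
    first; application-level authorization runs second and only when enabled.
    The 401 for an unauthenticated user is this example's assumption."""
    if not trunk_accepts(profile, feature):
        return 403, f"{feature} is not accepted on this trunk"
    if not profile.enable_application_level_authorization:
        return 200, "accepted at trunk level"
    if not (profile.enable_digest_authentication and digest_authenticated):
        return 401, "application-level authorization needs a digest-authenticated user"
    if app_user is None or feature not in app_user.accepted:
        who = app_user.user_id if app_user else "unknown user"
        return 403, f"{feature} is not authorized for application user {who}"
    return 200, f"accepted for application user {app_user.user_id}"
```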



.. tabularcolumns:: |p{4cm}|p{11cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Accept         | If you want Unified CM to accept new SIP dialogs, which    |
| replaces       | have replaced existing SIP dialogs, select this check box. |
| header         |                                                            |
| (Optional)     | If you selected **Enable Application Level Authorization**,|
|                | go to the **Application User Configuration** window and    |
|                | select **Accept Header Replacement** for any application   |
|                | users authorized for this method.                          |
+----------------+------------------------------------------------------------+
| Transmit       | If you want Unified CM to send the security icon status    |
| security       | of a call from the associated SIP trunk to the SIP peer,   |
| status         | select this check box.                                     |
| (Optional)     |                                                            |
|                | Default = Cleared.                                         |
+----------------+------------------------------------------------------------+
| Allow charging | If you want to allow RFC 3455 SIP charging headers in      |
| header         | transactions (for example, where billing information is    |
| (Optional)     | passed in the headers for prepaid accounts), select this   |
|                | check box. If the check box is clear, RFC 3455 SIP charging|
|                | headers are not allowed in sessions that use the SIP       |
|                | profile. Default = **Cleared**.                            |
+----------------+------------------------------------------------------------+
| SIP V.150      | Choose one of the following filter options from the        |
| Outbound SDP   | drop-down list:                                            |
| Offer          |                                                            |
| Filtering      | - **Use Default Filter** - The SIP trunk uses the default  |
| (Mandatory)    |   filter that is indicated in the SIP V.150 Outbound SDP   |
|                |   Offer Filtering service parameter. To locate the         |
|                |   service parameter, go to System > Service Parameters >   |
|                |   Clusterwide Parameters (Device-SIP) in Unified CM        |
|                |   Administration.                                          |
|                | - **No Filtering** - The SIP trunk performs no filtering   |
|                |   of V.150 SDP lines in outbound offers.                   |
|                | - **Remove MER V.150** - The SIP trunk removes V.150 MER   |
|                |   SDP lines in outbound offers. Choose this option to      |
|                |   reduce ambiguity when the trunk is connected to a        |
|                |   pre-MER V.150 Unified CM.                                |
|                | - **Remove Pre-MER V.150** - The SIP trunk removes any     |
|                |   non-MER compliant V.150 lines in outbound offers.        |
|                |   Choose this option to reduce ambiguity when your         |
|                |   cluster is in a network of MER-compliant devices that    |
|                |   cannot process offers with pre-MER lines.                |
|                |                                                            |
|                | Default = **Use Default Filter**.                          |
+----------------+------------------------------------------------------------+