SIP Trunk Security Profile Field Descriptions

Option

Description

Name (Mandatory)

Enter a name for the security profile. When you save the new profile, the name displays in the SIP Trunk Security Profile drop-down list in the Trunk Configuration window. The maximum length for the name is 64 characters.

Description (Optional)

Enter a description for the security profile. The description can include up to 50 characters in any language, but it cannot include double-quotes (“), percentage sign (%), ampersand (&), back-slash (\), or angle brackets (<>).

Device Security Mode (Optional)

From the drop-down list, choose one of the following options:

  • Non Secure - No security features except image authentication apply. A TCP or UDP connection opens to Cisco Unified Communications Manager.

  • Authenticated - Unified CM provides integrity and authentication for the trunk. A TLS connection that uses NULL/SHA opens.

  • Encrypted - Unified CM provides integrity, authentication, and signaling encryption for the trunk. A TLS connection that uses AES128/SHA opens for signaling.

Incoming Transport Type (Optional)

Choose one of:

  • TCP+UDP

  • UDP

  • TLS

  • TCP

If you do not specify an incoming transport type, TCP+UDP is assigned.

When Device Security Mode is Non Secure, TCP+UDP specifies the transport type.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note:

The Transport Layer Security (TLS) protocol secures the connection between Unified CM and the trunk.

Outgoing Transport Type (Optional)

From the drop-down list, choose the outgoing transport mode. Choose one of:

  • TCP+UDP

  • UDP

  • TLS

  • TCP

When Device Security Mode is Non Secure, choose TCP or UDP.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note:

TLS ensures signaling integrity, device authentication, and signaling encryption for SIP trunks.

Tip:

Use UDP as the outgoing transport type when connecting SIP trunks between Unified CM systems and IOS gateways that do not support TCP connection reuse. See “Understanding Session Initiation Protocol (SIP)” in the “Cisco Unified Communications Manager System Guide” for more information.


Enable Digest Authentication (Optional)

Select this check box to enable digest authentication. If you select this check box, Unified CM challenges all SIP requests from the trunk.

Digest authentication does not provide device authentication, integrity, or confidentiality. Choose a security mode of Authenticated or Encrypted to use these features.

Tip:

Use digest authentication to authenticate SIP trunk users on trunks that are using TCP or UDP transport.

Nonce Validity Time (mins) (Optional)

Enter the number of minutes that the nonce value is valid. When the time expires, Unified CM generates a new value.

Note:

A nonce value (a random number that supports digest authentication) is used to calculate the MD5 hash of the digest authentication password.

Default = 600 minutes. If you do not specify a Nonce Validity Time, the default of 600 minutes is assigned.
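The following is an added illustration, not Cisco code, of the server-side logic the fields above describe: the challenging side issues a nonce, rejects a nonce once the validity window has passed, and checks the RFC 2617 MD5 digest of the trunk user's password. The per-server secret, the realm, the user name and the password are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo values, not from the page: a per-server secret that binds
# each nonce to this node, and the page's default validity window.
SERVER_SECRET = os.urandom(16)
NONCE_VALIDITY_MINS = 600

def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def new_nonce(now: float, secret: bytes = SERVER_SECRET) -> str:
    """Nonce = issue time + keyed tag, so expiry is checkable without server state."""
    ts = str(int(now))
    tag = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}.{tag}"

def nonce_is_valid(nonce: str, now: float, validity_mins: int = NONCE_VALIDITY_MINS,
                   secret: bytes = SERVER_SECRET) -> bool:
    """Reject forged, malformed, future-dated or expired nonces."""
    ts, _, tag = nonce.partition(".")
    if not ts.isdigit():
        return False
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False
    age = now - int(ts)
    return 0 <= age <= validity_mins * 60

def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 MD5 digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def verify_request(auth: dict, password: str, method: str, now: float) -> str:
    """Return '200' when the Authorization header verifies, else '401' (re-challenge)."""
    if not nonce_is_valid(auth["nonce"], now):
        return "401"  # stale nonce: the server issues a fresh challenge
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"])
    return "200" if hmac.compare_digest(expected, auth["response"]) else "401"
```

A request whose nonce is older than the validity time gets a 401 even with a correct password, which is the behaviour the Nonce Validity Time field controls.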

X.509 Subject Name (Optional)

This field applies if you configured TLS for the incoming and outgoing transport type.

For device authentication, enter the subject name of the X.509 certificate for the SIP trunk device. If you have a Unified CM cluster or if you use SRV lookup for the TLS peer, a single trunk may resolve to multiple hosts. This situation results in multiple X.509 subject names for the trunk. If multiple X.509 subject names exist, enter one of the following characters to separate the names: space, comma, semicolon, or a colon.

You can enter up to 4096 characters in this field.

Tip:

The subject name corresponds to the source connection TLS certificate. Ensure that each combination of subject name and incoming port is unique. You cannot assign the same subject name and incoming port combination to different SIP trunks.

Example:

SIP TLS trunk1 on port 5061 has X.509 Subject Names my_cm1, my_cm2.

SIP TLS trunk2 on port 5071 has X.509 Subject Names my_cm2, my_cm3.

SIP TLS trunk3 on port 5061 can have X.509 Subject Name my_cm4 but cannot have X.509 Subject Name my_cm1.

Incoming Port (Optional)

Choose the incoming port. Enter a value that is a unique port number from 0 to 65535. The value that you enter applies to all SIP trunks that use the profile.

The default port value for incoming TCP and UDP SIP messages is 5060. The default SIP secured port for incoming TLS messages is 5061.

If the incoming port is not specified, the default port of 5060 is used.

Tip:

All SIP trunks that use TLS can share the same incoming port; all SIP trunks that use TCP+UDP can share the same incoming port. You cannot mix SIP TLS transport trunks with SIP non-TLS transport trunk types on the same port.
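An added consistency check, not Cisco code, for the two rules above: it splits the X.509 Subject Name field on the separators the page allows, rejects a subject name and incoming port pair reused by a different trunk, and rejects a TLS trunk and a non-TLS trunk sharing one incoming port. The TrunkProfile class and the trunk names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Separators the page allows between subject names: space, comma, semicolon, colon.
SUBJECT_NAME_SEPARATORS = re.compile(r"[ ,;:]+")

@dataclass
class TrunkProfile:
    name: str
    incoming_transport: str      # "TLS", "TCP", "UDP" or "TCP+UDP"
    incoming_port: int           # 0..65535
    x509_subject_names: str = ""  # raw field value, at most 4096 characters

def parse_subject_names(field: str) -> list[str]:
    """Split the X.509 Subject Name field into individual names."""
    if len(field) > 4096:
        raise ValueError("X.509 Subject Name exceeds 4096 characters")
    return [n for n in SUBJECT_NAME_SEPARATORS.split(field.strip()) if n]

def validate_profiles(profiles: list[TrunkProfile]) -> list[str]:
    """Return conflict descriptions; an empty list means the set is consistent."""
    errors = []
    subject_port_owner = {}   # (subject name, port) -> trunk that claimed it
    port_kind = {}            # port -> "TLS" or "non-TLS"
    for p in profiles:
        if not 0 <= p.incoming_port <= 65535:
            errors.append(f"{p.name}: port {p.incoming_port} out of range")
            continue
        kind = "TLS" if p.incoming_transport == "TLS" else "non-TLS"
        prev = port_kind.setdefault(p.incoming_port, kind)
        if prev != kind:
            errors.append(f"{p.name}: {kind} trunk shares port "
                          f"{p.incoming_port} with a {prev} trunk")
        if kind != "TLS":
            continue  # subject names are only checked for TLS trunks
        for subj in parse_subject_names(p.x509_subject_names):
            owner = subject_port_owner.setdefault((subj, p.incoming_port), p.name)
            if owner != p.name:
                errors.append(f"{p.name}: subject name {subj} on port "
                              f"{p.incoming_port} already used by {owner}")
    return errors
```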


Enable application level authorization (Optional)

Application-level authorization applies to applications that are connected through the SIP trunk.

If you select this check box, also select the Enable Digest Authentication check box and configure digest authentication for the trunk. Unified CM authenticates a SIP application user before checking the allowed application methods.

When application level authorization is enabled, trunk-level authorization occurs first, and application-level authorization occurs second. Unified CM checks the methods authorized for the trunk (in this security profile) before the methods authorized for the SIP application user in the Application User Configuration window.

Tip:

Consider using application-level authorization if you do not trust the identity of the application or if the application is not trusted on a particular trunk. Application requests may come from a different trunk than you expect.

For more information about configuring application level authorization at the Application User Configuration window, see the “Cisco Unified Communications Manager Administration Guide”.

Accept presence subscription (Optional)

If you want Unified CM to accept presence subscription requests that come through the SIP trunk, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Presence Subscription for any application users authorized for this feature.

When application-level authorization is enabled, if you select Accept Presence Subscription for the application user but not for the trunk, a 403 error message is sent to the SIP user agent connected to the trunk.

Accept out-of-dialog refer (Optional)

If you want Unified CM to accept incoming non-INVITE, Out-of-Dialog REFER requests that come through the SIP trunk, select this check box. If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept out-of-dialog refer for any application users authorized for this method.

Note:

If this profile is associated with an EMCC SIP trunk, Accept Out-of-Dialog REFER is enabled regardless of the setting on this page.

Accept unsolicited notification (Optional)

If you want Unified CM to accept incoming non-INVITE, unsolicited notification messages that come through the SIP trunk, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Unsolicited Notification for any application users authorized for this method.


Accept replaces header (Optional)

If you want Unified CM to accept new SIP dialogs that replace existing SIP dialogs, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Header Replacement for any application users authorized for this method.

Transmit security status (Optional)

If you want Unified CM to send the security icon status of a call from the associated SIP trunk to the SIP peer, select this check box.

Default = Cleared.

Allow charging header (Optional)

If you want to allow RFC 3455 SIP charging headers in transactions (for example, where billing information is passed in the headers for prepaid accounts), select this check box. If the check box is clear, RFC 3455 SIP charging headers are not allowed in sessions that use the SIP profile. Default = Cleared.

SIP V.150 Outbound SDP Offer Filtering (Mandatory)

Choose one of the following filter options from the drop-down list:

  • Use Default Filter - The SIP trunk uses the default filter that is indicated in the SIP V.150 Outbound SDP Offer Filtering service parameter. To locate the service parameter, go to System > Service Parameters > Clusterwide Parameters (Device-SIP) in Unified CM Administration.

  • No Filtering - The SIP trunk performs no filtering of V.150 SDP lines in outbound offers.

  • Remove MER V.150 - The SIP trunk removes V.150 MER SDP lines in outbound offers. Choose this option to reduce ambiguity when the trunk is connected to a pre-MER V.150 Unified CM.

  • Remove Pre-MER V.150 - The SIP trunk removes any non-MER compliant V.150 lines in outbound offers. Choose this option to reduce ambiguity when your cluster is in a network of MER-compliant devices that cannot process offers with pre-MER lines.

Default = Use Default Filter.