.. rst-class:: chapter-with-expand

Configure SIP Trunk Security Profiles
--------------------------------------

1. Log in as provider, reseller, or customer administrator.
2. Set the hierarchy path to the node where the Cisco Unified Communications Manager is configured.
3. Choose an option:

   * If you signed in as the Provider or Reseller administrator, go to **Device Management > CUCM > SIP Trunk Security Profiles**.
   * If you signed in as the Customer administrator, go to **Device Management > Advanced > SIP Trunk Security Profiles**.

4. Choose an option:

   * To add a new SIP trunk security profile, click **Add**, then go to Step 5.
   * To edit an existing SIP trunk security profile, click the SIP trunk security profile to be updated. Go to Step 6.

5. If the **Network Device List** popup window appears, select the NDL for the SIP trunk security profile from the drop-down menu. The window appears when you are on a non-site hierarchy node. If you are at a site hierarchy node, the NDL associated with the site is automatically used.

   Note: The **Network Device List** drop-down menu appears when a SIP trunk security profile is added. It does not appear when you edit a SIP trunk security profile.

6. Enter a unique name for the new SIP trunk security profile in the **Name** field, or modify the existing Name if desired. This field is mandatory.
7. Complete, at minimum, the other mandatory :ref:`sip_trunk_security_profiles_fields`.
8. Click **Save** to save a new SIP trunk security profile or to update an existing SIP trunk security profile.

.. _sip_trunk_security_profiles_fields:

SIP Trunk Security Profiles Fields
..................................

.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Name           | Enter a name for the security profile. When you save the   |
| (Mandatory)    | new profile, the name displays in the **SIP Trunk Security |
|                | Profile** drop-down list in the Trunk Configuration        |
|                | window. The maximum length for the name is 64 characters.  |
+----------------+------------------------------------------------------------+
| Description    | Enter a description for the security profile. The          |
| (Optional)     | description can include up to 50 characters in any         |
|                | language, but it cannot include double-quotes ("),         |
|                | percentage sign (%), ampersand (&), back-slash (\\), or    |
|                | angle brackets (<>).                                       |
+----------------+------------------------------------------------------------+
| Device         | From the drop-down list, choose one of the following       |
| Security Mode  | options:                                                   |
| (Optional)     |                                                            |
|                | - **Non Secure** - No security features except image       |
|                |   authentication apply. A TCP or UDP connection opens to   |
|                |   Cisco Unified Communications Manager.                    |
|                | - **Authenticated** - Unified CM provides integrity and    |
|                |   authentication for the trunk. A TLS connection that      |
|                |   uses NULL/SHA opens.                                     |
|                | - **Encrypted** - Unified CM provides integrity,           |
|                |   authentication, and signaling encryption for the         |
|                |   trunk. A TLS connection that uses AES128/SHA opens for   |
|                |   signaling.                                               |
+----------------+------------------------------------------------------------+
| Incoming       | Choose one of:                                             |
| Transport Type |                                                            |
| (Optional)     | - TCP+UDP                                                  |
|                | - UDP                                                      |
|                | - TLS                                                      |
|                | - TCP                                                      |
|                |                                                            |
|                | If you do not specify an incoming transport type,          |
|                | **TCP+UDP** is assigned.                                   |
|                |                                                            |
|                | When **Device Security Mode** is **Non Secure**,           |
|                | **TCP+UDP** specifies the transport type.                  |
|                |                                                            |
|                | When **Device Security Mode** is **Authenticated** or      |
|                | **Encrypted**, **TLS** specifies the transport type.       |
|                |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | The Transport Layer Security (TLS) protocol secures        |
|                | the connection between Unified CM and the trunk.           |
+----------------+------------------------------------------------------------+

.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| Outgoing       | From the drop-down list, choose the outgoing transport     |
| Transport Type | mode. Choose one of:                                       |
| (Optional)     |                                                            |
|                | - TCP+UDP                                                  |
|                | - UDP                                                      |
|                | - TLS                                                      |
|                | - TCP                                                      |
|                |                                                            |
|                | When **Device Security Mode** is **Non Secure**, choose    |
|                | **TCP** or **UDP**.                                        |
|                |                                                            |
|                | When **Device Security Mode** is **Authenticated** or      |
|                | **Encrypted**, **TLS** specifies the transport type.       |
|                |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | **TLS** ensures signaling integrity, device                |
|                | authentication, and signaling encryption for SIP           |
|                | trunks.                                                    |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | Use **UDP** as the outgoing transport type when            |
|                | connecting SIP trunks between Unified CM systems and       |
|                | IOS gateways that do not support TCP connection            |
|                | reuse. See "Understanding Session Initiation Protocol      |
|                | (SIP)" in the "Cisco Unified Communications Manager        |
|                | System Guide" for more information.                        |
+----------------+------------------------------------------------------------+
| Enable Digest  | Select this check box to enable digest authentication. If  |
| Authentication | you select this check box, Unified CM challenges all SIP   |
| (Optional)     | requests from the trunk.                                   |
|                |                                                            |
|                | Digest authentication does not provide device              |
|                | authentication, integrity, or confidentiality. Choose a    |
|                | security mode of **Authenticated** or **Encrypted** to use |
|                | these features.                                            |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | Use digest authentication to authenticate SIP trunk        |
|                | users on trunks that are using TCP or UDP transport.       |
+----------------+------------------------------------------------------------+
| Nonce Validity | Enter the number of minutes that the nonce value is        |
| Time (mins)    | valid. When the time expires, Unified CM generates a new   |
| (Optional)     | value.                                                     |
|                |                                                            |
|                | Note:                                                      |
|                |                                                            |
|                | A nonce value (a random number that supports digest        |
|                | authentication) is used to calculate the MD5 hash of       |
|                | the digest authentication password.                        |
|                |                                                            |
|                | Default = 600 minutes. If you do not specify a Nonce       |
|                | Validity Time, the default of 600 minutes is assigned.     |
+----------------+------------------------------------------------------------+

.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+------------------------------------------------------------+
| Option         | Description                                                |
+================+============================================================+
| X.509 Subject  | This field applies if you configured TLS for the incoming  |
| Name           | and outgoing transport type.                               |
| (Optional)     |                                                            |
|                | For device authentication, enter the subject name of the   |
|                | X.509 certificate for the SIP trunk device. If you have a  |
|                | Unified CM cluster or if you use SRV lookup for the TLS    |
|                | peer, a single trunk may resolve to multiple hosts. This   |
|                | situation results in multiple X.509 subject names for the  |
|                | trunk. If multiple X.509 subject names exist, enter one    |
|                | of the following characters to separate the names: space,  |
|                | comma, semicolon, or a colon.                              |
|                |                                                            |
|                | You can enter up to 4096 characters in this field.         |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | The subject name corresponds to the source connection      |
|                | TLS certificate. Ensure that each subject name and port    |
|                | combination is unique. You cannot assign the same subject  |
|                | name and incoming port combination to different SIP        |
|                | trunks.                                                    |
|                |                                                            |
|                | Example:                                                   |
|                |                                                            |
|                | SIP TLS trunk1 on port 5061 has X.509 Subject Names        |
|                | my\_cm1, my\_cm2.                                          |
|                |                                                            |
|                | SIP TLS trunk2 on port 5071 has X.509 Subject Names        |
|                | my\_cm2, my\_cm3.                                          |
|                |                                                            |
|                | SIP TLS trunk3 on port 5061 can have X.509 Subject         |
|                | Name my\_ccm4 but cannot have X.509 Subject Name           |
|                | my\_cm1.                                                   |
+----------------+------------------------------------------------------------+
| Incoming Port  | Choose the incoming port. Enter a value that is a unique   |
| (Optional)     | port number from 0 to 65535. The value that you enter      |
|                | applies to all SIP trunks that use the profile.            |
|                |                                                            |
|                | The default port value for incoming TCP and UDP SIP        |
|                | messages is 5060. The default SIP secured port for         |
|                | incoming TLS messages is 5061.                             |
|                |                                                            |
|                | If the incoming port is not specified, the default port    |
|                | of 5060 is used.                                           |
|                |                                                            |
|                | Tip:                                                       |
|                |                                                            |
|                | All SIP trunks that use TLS can share the same             |
|                | incoming port; all SIP trunks that use TCP + UDP can       |
|                | share the same incoming port. You cannot mix SIP TLS       |
|                | transport trunks with SIP non-TLS transport trunk          |
|                | types on the same port.                                    |
+----------------+------------------------------------------------------------+

.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+---------------+-------------------------------------------------------------+
| Option        | Description                                                 |
+===============+=============================================================+
| Enable        | Application-level authorization applies to applications     |
| application   | that are connected through the SIP trunk.                   |
| level         |                                                             |
| authorization | If you select this check box, also select the **Enable      |
| (Optional)    | Digest Authentication** check box and configure digest      |
|               | authentication for the trunk. Unified CM authenticates a    |
|               | SIP application user before checking the allowed            |
|               | application methods.                                        |
|               |                                                             |
|               | When application level authorization is enabled,            |
|               | trunk-level authorization occurs first, and                 |
|               | application-level authorization occurs second. Unified CM   |
|               | checks the methods authorized for the trunk (in this        |
|               | security profile) before the methods authorized for the     |
|               | SIP application user in the **Application User              |
|               | Configuration** window.                                     |
|               |                                                             |
|               | Tip:                                                        |
|               |                                                             |
|               | Consider using application-level authorization if you       |
|               | do not trust the identity of the application or if          |
|               | the application is not trusted on a particular trunk.       |
|               | Application requests may come from a different trunk        |
|               | than you expect.                                            |
|               |                                                             |
|               | For more information about configuring application level    |
|               | authorization at the **Application User Configuration**     |
|               | window, see the "Cisco Unified Communications Manager       |
|               | Administration Guide".                                      |
+---------------+-------------------------------------------------------------+
| Accept        | If you want Unified CM to accept presence subscription      |
| presence      | requests that come through the SIP trunk, select this       |
| subscription  | check box.                                                  |
| (Optional)    |                                                             |
|               | If you selected **Enable Application Level Authorization**, |
|               | go to the **Application User Configuration** window and     |
|               | select **Accept Presence Subscription** for any             |
|               | application users authorized for this feature.              |
|               |                                                             |
|               | When application-level authorization is enabled, if you     |
|               | select **Accept Presence Subscription** for the             |
|               | application user but not for the trunk, a 403 error         |
|               | message is sent to the SIP user agent connected to the      |
|               | trunk.                                                      |
+---------------+-------------------------------------------------------------+
| Accept        | If you want Unified CM to accept incoming non-INVITE,       |
| out-of-dialog | Out-of-Dialog REFER requests that come through the SIP      |
| refer         | trunk, select this check box.                               |
| (Optional)    |                                                             |
|               | If you selected **Enable Application Level                  |
|               | Authorization**, go to the **Application User               |
|               | Configuration** window and select **Accept out-of-dialog    |
|               | refer** for any application users authorized for this       |
|               | method.                                                     |
|               |                                                             |
|               | Note:                                                       |
|               |                                                             |
|               | If this profile is associated with an EMCC SIP trunk,       |
|               | Accept Out-of-Dialog REFER is enabled regardless of         |
|               | the setting on this page.                                   |
+---------------+-------------------------------------------------------------+
| Accept        | If you want Unified CM to accept incoming non-INVITE,       |
| unsolicited   | unsolicited notification messages that come through the     |
| notification  | SIP trunk, select this check box.                           |
| (Optional)    |                                                             |
|               | If you selected **Enable Application Level                  |
|               | Authorization**, go to the **Application User               |
|               | Configuration** window and select **Accept Unsolicited      |
|               | Notification** for any application users authorized for     |
|               | this method.                                                |
+---------------+-------------------------------------------------------------+

.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+----------------+-------------------------------------------------------------+
| Option         | Description                                                 |
+================+=============================================================+
| Accept         | If you want Unified CM to accept new SIP dialogs, which     |
| replaces       | have replaced existing SIP dialogs, select this check box.  |
| header         |                                                             |
| (Optional)     | If you selected **Enable Application Level Authorization**, |
|                | go to the **Application User Configuration** window and     |
|                | select **Accept Header Replacement** for any application    |
|                | users authorized for this method.                           |
+----------------+-------------------------------------------------------------+
| Transmit       | If you want Unified CM to send the security icon status     |
| security       | of a call from the associated SIP trunk to the SIP peer,    |
| status         | select this check box.                                      |
| (Optional)     |                                                             |
|                | Default = Cleared.                                          |
+----------------+-------------------------------------------------------------+
| Allow charging | If you want to allow RFC 3455 SIP charging headers in       |
| header         | transactions (for example, where billing information is     |
| (Optional)     | passed in the headers for prepaid accounts), select this    |
|                | check box. If the check box is clear, RFC 3455 SIP charging |
|                | headers are not allowed in sessions that use the SIP        |
|                | profile. Default = **Cleared**.                             |
+----------------+-------------------------------------------------------------+
| SIP V.150      | Choose one of the following filter options from the         |
| Outbound SDP   | drop-down list:                                             |
| Offer          |                                                             |
| Filtering      | - **Use Default Filter** - The SIP trunk uses the default   |
| (Mandatory)    |   filter that is indicated in the SIP V.150 Outbound SDP    |
|                |   Offer Filtering service parameter. To locate the          |
|                |   service parameter, go to System > Service Parameters >    |
|                |   Clusterwide Parameters (Device-SIP) in Unified CM         |
|                |   Administration.                                           |
|                | - **No Filtering** - The SIP trunk performs no filtering    |
|                |   of V.150 SDP lines in outbound offers.                    |
|                | - **Remove MER V.150** - The SIP trunk removes V.150 MER    |
|                |   SDP lines in outbound offers. Choose this option to       |
|                |   reduce ambiguity when the trunk is connected to a         |
|                |   pre-MER V.150 Unified CM.                                 |
|                | - **Remove Pre-MER V.150** - The SIP trunk removes any      |
|                |   non-MER compliant V.150 lines in outbound offers.         |
|                |   Choose this option to reduce ambiguity when your          |
|                |   cluster is in a network of MER-compliant devices that     |
|                |   cannot process offers with pre-MER lines.                 |
|                |                                                             |
|                | Default = **Use Default Filter**.                           |
+----------------+-------------------------------------------------------------+
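As an added illustration of the constraints in the fields table above (this is not code from the product or its documentation), the following Python script checks a set of profiles against the rules stated there: the Name length and the Description character set, the coupling between Device Security Mode and the incoming and outgoing transport types, the port range, and the two cross-profile rules from the X.509 Subject Name and Incoming Port tips (no TLS and non-TLS trunks on one incoming port; a subject name and incoming port pair belongs to one trunk). The ``SipTrunkSecurityProfile`` dataclass, its attribute names, the helper ``tls_profile`` and the sample trunk names are assumptions chosen for this example; the subject-name scenario repeats the one in the table.

```python
"""Constructed example: check SIP trunk security profiles against the
rules in the fields table. Not part of the product's own code; the class
and attribute names below are assumptions made for this illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Characters the Description field may not contain (from the table).
FORBIDDEN_DESCRIPTION_CHARS = set('"%&\\<>')
SECURE_MODES = {"Authenticated", "Encrypted"}
TRANSPORTS = {"TCP+UDP", "UDP", "TLS", "TCP"}


@dataclass
class SipTrunkSecurityProfile:
    """Assumed attribute names mirroring the fields in the table above."""
    name: str
    description: str = ""
    device_security_mode: str = "Non Secure"
    incoming_transport: str = "TCP+UDP"   # default stated in the table
    outgoing_transport: str = "TCP"
    incoming_port: int = 5060             # default stated in the table
    x509_subject_names: str = ""
    enable_digest_auth: bool = False
    nonce_validity_mins: int = 600        # default stated in the table


def split_subject_names(raw: str) -> List[str]:
    """Space, comma, semicolon or colon separate multiple subject names."""
    return [n for n in re.split(r"[ ,;:]+", raw) if n]


def validate_profile(p: SipTrunkSecurityProfile) -> List[str]:
    """Single-profile checks; returns a list of human-readable errors."""
    errors = []
    if not p.name or len(p.name) > 64:
        errors.append("Name is mandatory and at most 64 characters")
    if len(p.description) > 50:
        errors.append("Description exceeds 50 characters")
    bad = sorted(FORBIDDEN_DESCRIPTION_CHARS & set(p.description))
    if bad:
        errors.append("Description contains forbidden characters: " + "".join(bad))
    if p.incoming_transport not in TRANSPORTS or p.outgoing_transport not in TRANSPORTS:
        errors.append("Unknown transport type")
    if p.device_security_mode in SECURE_MODES:
        # Authenticated and Encrypted both imply TLS in each direction.
        if p.incoming_transport != "TLS" or p.outgoing_transport != "TLS":
            errors.append(f"{p.device_security_mode} mode requires TLS transport")
        if not split_subject_names(p.x509_subject_names):
            errors.append("TLS trunk has no X.509 subject name for device authentication")
    elif p.device_security_mode == "Non Secure":
        if "TLS" in (p.incoming_transport, p.outgoing_transport):
            errors.append("Non Secure mode does not use TLS transport")
    else:
        errors.append(f"Unknown device security mode {p.device_security_mode!r}")
    if not 0 <= p.incoming_port <= 65535:
        errors.append("Incoming port must be 0..65535")
    if p.enable_digest_auth and p.nonce_validity_mins <= 0:
        errors.append("Nonce validity time must be positive when digest auth is enabled")
    return errors


def validate_profile_set(profiles) -> List[str]:
    """Cross-profile checks: TLS and non-TLS trunks never share an incoming
    port, and a subject name + incoming port pair belongs to one trunk."""
    errors = []
    kinds_by_port: Dict[int, Set[str]] = {}
    owner: Dict[Tuple[str, int], str] = {}
    for p in profiles:
        kind = "TLS" if p.incoming_transport == "TLS" else "non-TLS"
        kinds_by_port.setdefault(p.incoming_port, set()).add(kind)
        for subj in split_subject_names(p.x509_subject_names):
            key = (subj, p.incoming_port)
            if owner.get(key, p.name) != p.name:
                errors.append(f"subject {subj!r} on port {p.incoming_port} "
                              f"is used by both {owner[key]} and {p.name}")
            owner.setdefault(key, p.name)
    for port, kinds in sorted(kinds_by_port.items()):
        if len(kinds) > 1:
            errors.append(f"port {port} mixes TLS and non-TLS trunks")
    return errors


def tls_profile(name: str, port: int, subjects: str) -> SipTrunkSecurityProfile:
    """Helper building an Encrypted/TLS profile (constructed sample data)."""
    return SipTrunkSecurityProfile(name=name, device_security_mode="Encrypted",
                                   incoming_transport="TLS", outgoing_transport="TLS",
                                   incoming_port=port, x509_subject_names=subjects)


if __name__ == "__main__":
    # The table's example: trunk3 on 5061 may not reuse my_cm1 from trunk1.
    trunks = [tls_profile("trunk1", 5061, "my_cm1, my_cm2"),
              tls_profile("trunk2", 5071, "my_cm2; my_cm3"),
              tls_profile("trunk3", 5061, "my_cm1")]
    for t in trunks:
        print(t.name, validate_profile(t))
    print(validate_profile_set(trunks))
```

Note that ``my_cm2`` on trunk2 is accepted even though trunk1 also lists it: the uniqueness rule in the table is on the subject name and incoming port pair, and trunk2 listens on 5071.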
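The Enable Digest Authentication and Nonce Validity Time fields describe RFC 2617 MD5 digest authentication with a server-side nonce that expires after the configured number of minutes. The following Python script, added here and not taken from the product or its documentation, shows both halves of that exchange: the challenger issues a nonce, the trunk peer computes MD5(HA1:nonce:HA2) for the request, and the challenger verifies the response and rejects the nonce once its validity time has elapsed. The ``DigestChallenger`` class, the realm ``trunk.example`` and the credentials are assumptions; the clock is injectable so the expiry can be demonstrated without waiting.

```python
"""Constructed example of SIP trunk digest authentication with a nonce
validity window (RFC 2617 MD5 digest, as the fields table describes).
Not product code: the DigestChallenger class, realm and credentials are
assumptions made for this illustration."""
import base64
import hashlib
import hmac
import os
import re
import time


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # the nonce-independent secret part
    ha2 = md5_hex(f"{method}:{uri}")              # binds the request method and URI
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k=token' into a dict; {} if not a Digest header."""
    if not header.startswith("Digest "):
        return {}
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', header[len("Digest "):])
    return {k: v.strip('"') for k, v in pairs}


def build_authorization(user, realm, password, method, uri, nonce):
    """What a trunk peer sends back after a 401/407 challenge."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


class DigestChallenger:
    """Server side: issue nonces, verify responses, expire nonces on time."""

    def __init__(self, realm, credentials, nonce_validity_mins=600, clock=time.time):
        self.realm = realm
        self.credentials = credentials      # user -> password (a real system uses a secret store)
        self.validity_secs = nonce_validity_mins * 60   # the field in the table is in minutes
        self.clock = clock                  # injectable so tests need not wait
        self.issued = {}                    # nonce -> issue time

    def challenge(self) -> str:
        """WWW-Authenticate value for a 401; a fresh random nonce each time."""
        nonce = base64.b64encode(os.urandom(16)).decode()
        self.issued[nonce] = self.clock()
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def nonce_is_valid(self, nonce: str) -> bool:
        issued = self.issued.get(nonce)
        return issued is not None and self.clock() - issued < self.validity_secs

    def verify(self, method: str, authorization: str):
        """Return (accepted, reason). 'stale' means re-challenge with stale=true."""
        params = parse_digest(authorization)
        needed = {"username", "realm", "nonce", "uri", "response"}
        if not needed <= set(params) or params["realm"] != self.realm:
            return False, "malformed"
        if not self.nonce_is_valid(params["nonce"]):
            self.issued.pop(params["nonce"], None)   # forget expired nonces
            return False, "stale"
        password = self.credentials.get(params["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(params["username"], self.realm, password,
                                   method, params["uri"], params["nonce"])
        if not hmac.compare_digest(expected, params["response"]):
            return False, "bad response"
        return True, "ok"


if __name__ == "__main__":
    fake_now = [1_000_000.0]
    cm = DigestChallenger("trunk.example", {"trunkuser": "s3cret"},
                          nonce_validity_mins=10, clock=lambda: fake_now[0])
    challenge = cm.challenge()
    nonce = parse_digest(challenge)["nonce"]
    auth = build_authorization("trunkuser", "trunk.example", "s3cret",
                               "INVITE", "sip:bob@trunk.example", nonce)
    print(cm.verify("INVITE", auth))      # (True, 'ok')
    fake_now[0] += 10 * 60 + 1            # past the nonce validity window
    print(cm.verify("INVITE", auth))      # (False, 'stale')
```

Because the response binds the method and request URI into HA2, the same Authorization value is rejected for a different method, and the validity window bounds how long any response derived from a nonce remains usable; that is the security reason to size the Nonce Validity Time deliberately rather than leaving it at the 600-minute default. The table's own caveat still applies: digest authentication identifies the requesting user but gives no device authentication, integrity or confidentiality, which is what the Authenticated and Encrypted modes add.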