[Index]

Model: relation/HcsSipTrunkSecurityProfileREL

SIP Trunk Security Profiles

To access the latest documentation, go to Documentation and Resources at: https://voss.portalshape.com

  1. Log in as provider, reseller, or customer administrator.

  2. Set the hierarchy path to the node where the Cisco Unified Communications Manager is configured.

  3. Choose an option:

  4. Choose an option:

  5. If the Network Device List popup window appears, select the NDL for the SIP trunk security profile from the drop-down menu. The window appears when you are on a non-site hierarchy node. If you are at a site hierarchy node, the NDL associated with the site is automatically used.

    Note:

    The Network Device List drop-down menu appears when a SIP trunk security profile is added. It does not appear when you edit a SIP trunk security profile.

  6. Enter a unique name for the new SIP trunk security profile in the Name field, or modify the existing Name if desired. This field is mandatory.

  7. Complete, at minimum, the other mandatory SIP Trunk Security Profiles Fields

  8. Click Save to save a new SIP trunk security profile or to update an existing SIP trunk security profile.

SIP Trunk Security Profiles Fields

Option Description
Name (Mandatory) Enter a name for the security profile. When you save the new profile, the name displays in the SIP Trunk Security Profile drop-down list in the Trunk Configuration window. The maximum length for the name is 64 characters.
Description (Optional) Enter a description for the security profile. The description can include up to 50 characters in any language, but it cannot include double-quotes ("), percentage sign (%), ampersand (&), back-slash (\), or angle brackets (<>).
Device Security Mode (Optional)

From the drop-down list, choose one of the following options:

  • Non Secure - No security features except image authentication apply. A TCP or UDP connection opens to Cisco Unified Communications Manager.
  • Authenticated - Unified CM provides integrity and authentication for the trunk. A TLS connection that uses NULL/SHA opens.
  • Encrypted - Unified CM provides integrity, authentication, and signaling encryption for the trunk. A TLS connection that uses AES128/SHA opens for signaling.
Incoming Transport Type (Optional)

Choose one of:

  • TCP+UDP
  • UDP
  • TLS
  • TCP

If you do not specify an incoming transport type, TCP+UDP is assigned.

When Device Security Mode is Non Secure, TCP+UDP specifies the transport type.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note:

The Transport Layer Security (TLS) protocol secures the connection between Unified CM and the trunk.

Option Description
Outgoing Transport Type (Optional)

From the drop-down list, choose the outgoing transport mode. Choose one of:

  • TCP+UDP
  • UDP
  • TLS
  • TCP

When Device Security Mode is Non Secure, choose TCP or UDP.

When Device Security Mode is Authenticated or Encrypted, TLS specifies the transport type.

Note:

TLS ensures signaling integrity, device authentication, and signaling encryption for SIP trunks.

Tip:

Use UDP as the outgoing transport type when connecting SIP trunks between Unified CM systems and IOS gateways that do not support TCP connection reuse. See "Understanding Session Initiation Protocol (SIP)" in the "Cisco Unified Communications Manager System Guide" for more information.

Enable Digest Authentication (Optional)

Select this check box to enable digest authentication. If you select this check box, Unified CM challenges all SIP requests from the trunk.

Digest authentication does not provide device authentication, integrity, or confidentiality. Choose a security mode of Authenticated or Encrypted to use these features.

Tip:

Use digest authentication to authenticate SIP trunk users on trunks that are using TCP or UDP transport.

Nonce Validity Time (mins) (Optional)

Enter the number of minutes (in seconds) that the nonce value is valid. When the time expires, Unified CM generates a new value.

Note:

A nonce value (a random number that supports digest authentication) is used to calculate the MD5 hash of the digest authentication password.

Default = 600 minutes. If you do not specify a Nonce Validity Time, the default of 600 minutes is assigned.

Option Description
X.509 Subject Name (Optional)

This field applies if you configured TLS for the incoming and outgoing transport type.

For device authentication, enter the subject name of the X.509 certificate for the SIP trunk device. If you have a Unified CM cluster or if you use SRV lookup for the TLS peer, a single trunk may resolve to multiple hosts. This situation results in multiple X.509 subject names for the trunk. If multiple X.509 subject names exist, enter one of the following characters to separate the names: space, comma, semicolon, or a colon.

You can enter up to 4096 characters in this field.

Tip:

The subject name corresponds to the source connection TLS certificate. Ensure that subject names are unique for each subject name and port. You cannot assign the same subject name and incoming port combination to different SIP trunks.

Example:

SIP TLS trunk1 on port 5061 has X.509 Subject Names my_cm1, my_cm2.

SIP TLS trunk2 on port 5071 has X.509 Subject Names my_cm2, my_cm3.

SIP TLS trunk3 on port 5061 can have X.509 Subject Name my_ccm4 but cannot have X.509 Subject Name my_cm1.

Incoming Port (Optional)

Choose the incoming port. Enter a value that is a unique port number from 0 to 65535. The value that you enter applies to all SIP trunks that use the profile.

The default port value for incoming TCP and UDP SIP messages is 5060. The default SIP secured port for incoming TLS messages is 5061.

If the incoming port is not specified, the default port of 5060 is used.

Tip:

All SIP trunks that use TLS can share the same incoming port; all SIP trunks that use TCP + UDP can share the same incoming port. You cannot mix SIP TLS transport trunks with SIP non-TLS transport trunk types on the same port.

Option Description
Enable application level authorization (Optional)

Application-level authorization applies to applications that are connected through the SIP trunk.

If you select this check box, also select the Enable Digest Authentication check box and configure digest authentication for the trunk. Unified CM authenticates a SIP application user before checking the allowed application methods.

When application level authorization is enabled, trunk-level authorization occurs first, and application-level authorization occurs second. Unified CM checks the methods authorized for the trunk (in this security profile) before the methods authorized for the SIP application user in the Application User Configuration window.

Tip:

Consider using application-level authorization if you do not trust the identity of the application or if the application is not trusted on a particular trunk. Application requests may come from a different trunk than you expect.

For more information about configuring application level authorization at the Application User Configuration window, see the "Cisco Unified Communications Manager Administration Guide".

Accept presence subscription (Optional)

If you want Unified CM to accept presence subscription requests that come through the SIP trunk, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Presence Subscription for any application users authorized for this feature.

When application-level authorization is enabled, if you select Accept Presence Subscription for the application user but not for the trunk, a 403 error message is sent to the SIP user agent connected to the trunk.

Accept out-of-dialog refer (Optional)

If you want Unified CM to accept incoming non-INVITE, Out-of-Dialog REFER requests that come through the SIP trunk, select this check box. If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept out-of-dialog refer for any application users authorized for this method.

Note:

If this profile is associated with an EMCC SIP trunk, Accept Out-of-Dialog REFER is enabled regardless of the setting on this page.

Accept unsolicited notification (Optional)

If you want Unified CM to accept incoming non-INVITE, unsolicited notification messages that come through the SIP trunk, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Unsolicited Notification for any application users authorized for this method.

Option Description
Accept replaces header (Optional)

If you want Unified CM to accept new SIP dialogs, which have replaced existing SIP dialogs, select this check box.

If you selected Enable Application Level Authorization, go to the Application User Configuration window and select Accept Header Replacement for any application users authorized for this method.

Transmit security status (Optional)

If you want Unified CM to send the security icon status of a call from the associated SIP trunk to the SIP peer, select this check box.

Default = Cleared.

Allow charging header (Optional) If you want to allow RFC 3455 SIP charging headers in transactions (for example, where billing information is passed in the headers for prepaid accounts), select this check box. If the check box is clear, RFC 3455 SIP charging headers are not allowed in sessions that use the SIP profile. Default = Cleared.
SIP V.150 Outbound SDP Offer Filtering (Mandatory)

Choose one of the following filter options from the drop-down list:

  • Use Default Filter - The SIP trunk uses the default filter that is indicated in the SIP V.150 Outbound SDP Offer Filtering service parameter. To locate the service parameter, go to System Service Parameters Clusterwide Parameters (Device-SIP) in Unified CM Administration.
  • No Filtering - The SIP trunk performs no filtering of V.150 SDP lines in outbound offers.
  • Remove MER V.150 - The SIP trunk removes V.150 MER SDP lines in outbound offers. Choose this option to reduce ambiguity when the trunk is connected to a pre-MER V.150 Unified CM.
  • Remove Pre-MER V.150 - The SIP trunk removes any non-MER compliant V.150 lines in outbound offers. Choose this option to reduce ambiguity when your cluster is in a network of MER-compliant devices that cannot process offers with pre-MER lines.

Default = Use Default Filter .

This relation wraps the device/cucm/SipTrunkSecurityProfile element.

Model Details: relation/HcsSipTrunkSecurityProfileREL

Title Description Details
Digest Authentication
  • Field Name: digestAuthentication
  • Type: Boolean
  • Cardinality: [0..1]
X509Subject Name
  • Field Name: x509SubjectName
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • MaxLength: 4096
Name *
  • Field Name: name
  • Type: String
  • Cardinality: [1..1]
  • MaxLength: 75
Accept Presence Subscription
  • Field Name: acceptPresenceSubscription
  • Type: Boolean
  • Cardinality: [0..1]
Accept Unsolicited Notification
  • Field Name: acceptUnsolicitedNotification
  • Type: Boolean
  • Cardinality: [0..1]
Sip V150Outbound Sdp Offer Filtering * Default: Use Default Filter
  • Field Name: sipV150OutboundSdpOfferFiltering
  • Type: String
  • Cardinality: [1..1]
  • Default: Use Default Filter
  • Choices: ["No Filtering", "Remove MER V.150", "Remove Pre-MER V.150", "Use Default Filter"]
Accept Out Of Dialog Refer
  • Field Name: acceptOutOfDialogRefer
  • Type: Boolean
  • Cardinality: [0..1]
Allow Replace Header
  • Field Name: allowReplaceHeader
  • Type: Boolean
  • Cardinality: [0..1]
Security Mode
  • Field Name: securityMode
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • Choices: ["Non Secure", "Authenticated", "Encrypted"]
Appl Level Authentication
  • Field Name: applLevelAuthentication
  • Type: Boolean
  • Cardinality: [0..1]
Allow Charging Header
  • Field Name: allowChargingHeader
  • Type: Boolean
  • Cardinality: [0..1]
Nonce Policy Time Only if digestAuthentication is enabled this value can be changed. Default: 600
  • Field Name: noncePolicyTime
  • Type: Integer
  • Cardinality: [0..1]
  • Default: 600
Outgoing Transport
  • Field Name: outgoingTransport
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • Choices: ["TCP", "UDP", "TLS", "TCP+UDP"]
Incoming Port Default: 5060
  • Field Name: incomingPort
  • Type: Integer
  • Cardinality: [0..1]
  • Default: 5060
Incoming Transport Default: TCP+UDP
  • Field Name: incomingTransport
  • Type: String
  • Cardinality: [0..1]
  • Default: TCP+UDP
  • Choices: ["TCP", "UDP", "TLS", "TCP+UDP"]
Transmit Security Status
  • Field Name: transmitSecurityStatus
  • Type: Boolean
  • Cardinality: [0..1]
Description
  • Field Name: description
  • Type: ["String", "Null"]
  • Cardinality: [0..1]
  • MaxLength: 100
Shadow
  • Field Name: shadow.[n]
  • Type: Array
  • Cardinality: [0..1]
Name *
  • Field Name: shadow.[n].name
  • Type: String
  • MaxLength: 1024