Inter Domain Presence Federation Part 4

GOLD : Configuring ASA TLS Proxy

This page last changed on Oct 06, 2008 by mstover.

Return to Inter-Domain Presence Federation or continue to Configuring OCS for Federation


• Configuring the TLS Proxy on the ASA
° Configure Access-Lists to Invoke TLS Proxy
° Configuring the TLS Proxy Instances
° Associating an Access List with a TLS Proxy Instance Using Class Maps
° Enabling the TLS Proxy

Configuring the TLS Proxy on the ASA


The ASA acts as a TLS proxy between CUP and the Microsoft OCS Access Edge server. This allows the
ASA to proxy TLS messages on behalf of the server that initiates the TLS connection, and route the TLS
messages from the proxy to the client. The TLS proxy decrypts, inspects and modifies the TLS messages
as required on the incoming leg, and then re-encrypts traffic on the return leg.

Configure Access-Lists to Invoke TLS Proxy

To invoke the TLS proxy for traffic between the CUP server and the Microsoft OCS Access Edge server, you
must configure an access list for incoming traffic from each of these servers. You will need to configure
two access lists for each foreign domain that CUP is federating with.

• From the lab laptop or Student 1 (XP1) desktop, telnet to the ASA CLI at 10.10.16.254
° Password is cisco
° Enable password is lab-cert

• Configure an access list to allow CUP to send messages to the darkside.lab domain on port 5061:
° access-list cup_to_ext_server extended permit tcp host 10.10.10.150 host 10.10.20.105 eq 5061

• Configure an access list to allow Cisco Unified Presence to receive messages from the foreign
domain on port 5061:
° access-list ext_server_to_cup extended permit tcp host 10.10.20.105 host 10.10.10.150 eq 5061

Configuring the TLS Proxy Instances

For this integration, you need to create two TLS proxy instances. The first TLS proxy handles the TLS
connections initiated by CUP, where CUP is the TLS client and the OCS Edge server is the TLS server;
here the ASA acts as the TLS server toward the CUP "client". The second TLS proxy handles the TLS
connections initiated by the OCS Edge server, where the OCS Edge server is the TLS client and CUP is
the TLS server.

The TLS proxy instance defines "trustpoints" for both the server and the client. The direction from which
the TLS handshake is initiated determines the trustpoint defined in the server and client commands.
If the TLS handshake is initiated from CUP to OCS, the server command specifies the trustpoint that
contains the ASA self-signed certificate. The client command specifies the trustpoint that contains the
ASA certificate that is used in the TLS handshake between the ASA and OCS. If the handshake initiates
from OCS to CUP, the server command specifies the trustpoint that contains the ASA certificate the TLS
handshake uses between the ASA and OCS. The client command specifies the trustpoint that contains the
ASA self-signed certificate.

Create a TLS proxy instance for TLS connections initiated by CUP:

• From the lab laptop or Student 1 (XP1) desktop, telnet to the ASA CLI at 10.10.16.254
° Password is cisco
° Enable password is lab-cert

Document generated by Confluence on Nov 03, 2008 04:47 Page 1



tls-proxy cup_to_ext_domain
server trust-point lab_cup_proxy
client trust-point lab_ca_trustpoint
client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Create a TLS proxy instance for TLS connections initiated by OCS:


tls-proxy ext_domain_to_cup
server trust-point lab_ca_trustpoint
client trust-point lab_cup_proxy
client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Associating an Access List with a TLS Proxy Instance Using Class Maps

Using the class map command, you need to associate a TLS Proxy instance to each of the access lists
you defined previously. Associate each of your access lists with the TLS proxy instance that the class map
uses. The TLS proxy you select depends on whether the class-map is for messages from CUP to OCS or
from OCS to CUP.

Create a Class Map for TLS connections initiated by CUP:

• From the lab laptop or Student 1 (XP1) desktop, telnet to the ASA CLI at 10.10.16.254
° Password is cisco
° Enable password is lab-cert


class-map cup_to_ext_domain
match access-list cup_to_ext_server

Create a Class Map for TLS connections initiated by OCS:


class-map ext_domain_to_cup
match access-list ext_server_to_cup

Enabling the TLS Proxy

Using the policy map command, you need to enable the TLS proxy for each class map you created in the
previous section.

Define the sip-inspect policy map:

• From the lab laptop or Student 1 (XP1) desktop, telnet to the ASA CLI at 10.10.16.254
° Password is cisco
° Enable password is lab-cert


policy-map type inspect sip sip_inspect
 parameters
  im
  no state-checking action log
  no ip-address-privacy
  no max-forwards-validation action log
  no rtp-conformance
  no software-version action log
  no strict-header-validation action log

Define the SIP inspection in the global policy map:


policy-map global_policy
class cup_to_ext_domain
inspect sip sip_inspect tls-proxy cup_to_ext_domain
exit
class ext_domain_to_cup
inspect sip sip_inspect tls-proxy ext_domain_to_cup
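The four configuration steps above are applied once per federated domain. As an added example (not part of the lab guide), this Python script generates the same access lists, TLS proxy instances, class maps and policy-map entries for any number of domains, following the trustpoint direction rule from the text; with the tag ext and the lab addresses it reproduces the page's object names exactly. The tag partner and the address 192.0.2.10 are constructed values, and weak_ciphers() is a check added here that flags the null-sha1 and 3des-sha1 entries in the lab's cipher list.

```python
# Added example, not from the lab guide: build the ASA configuration that the
# text assembles by hand, for any number of federated domains.
CUP_HOST = "10.10.10.150"           # CUP server address from the lab
SELF_SIGNED_TP = "lab_cup_proxy"    # trustpoint holding the ASA self-signed certificate
CA_TP = "lab_ca_trustpoint"         # trustpoint holding the ASA certificate used toward OCS
CIPHERS = "aes128-sha1 aes256-sha1 3des-sha1 null-sha1"   # the lab's list, checked below

def proxy_names(tag):
    """(CUP-initiated, OCS-initiated) tls-proxy and class-map names for a domain tag."""
    return f"cup_to_{tag}_domain", f"{tag}_domain_to_cup"

def domain_config(tag, edge_ip):
    """Per-domain lines: ACL pair, tls-proxy pair, class-map pair (tag 'ext' = the lab)."""
    to_ext, from_ext = proxy_names(tag)
    acl_out, acl_in = f"cup_to_{tag}_server", f"{tag}_server_to_cup"
    return [
        f"access-list {acl_out} extended permit tcp host {CUP_HOST} host {edge_ip} eq 5061",
        f"access-list {acl_in} extended permit tcp host {edge_ip} host {CUP_HOST} eq 5061",
        # CUP initiates: ASA is TLS server toward CUP (self-signed) and TLS client toward OCS
        f"tls-proxy {to_ext}",
        f" server trust-point {SELF_SIGNED_TP}",
        f" client trust-point {CA_TP}",
        f" client cipher-suite {CIPHERS}",
        # OCS initiates: the two trustpoints swap roles
        f"tls-proxy {from_ext}",
        f" server trust-point {CA_TP}",
        f" client trust-point {SELF_SIGNED_TP}",
        f" client cipher-suite {CIPHERS}",
        f"class-map {to_ext}", f" match access-list {acl_out}",
        f"class-map {from_ext}", f" match access-list {acl_in}",
    ]

def policy_config(tags):
    """global_policy entries binding sip_inspect plus the matching tls-proxy to each class."""
    lines = ["policy-map global_policy"]
    for tag in tags:
        for name in proxy_names(tag):
            lines += [f" class {name}", f"  inspect sip sip_inspect tls-proxy {name}"]
    return lines

def render(domains):
    """domains: {tag: OCS Access Edge address}; returns the complete configuration text."""
    lines = [line for tag, ip in domains.items() for line in domain_config(tag, ip)]
    return "\n".join(lines + policy_config(list(domains)))

def weak_ciphers(config_text):
    """Cipher-suite entries offering no encryption (null) or legacy 3DES, sorted."""
    return sorted({c for line in config_text.splitlines()
                   if line.split()[:2] == ["client", "cipher-suite"]
                   for c in line.split()[2:] if c in ("null-sha1", "3des-sha1")})
```

Calling render({"ext": "10.10.20.105", "partner": "192.0.2.10"}) prints the lab configuration followed by the second domain's copy, and weak_ciphers() on that output returns the two legacy entries so they can be removed before the proxy is enabled.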

Return to Inter-Domain Presence Federation or continue to Configuring OCS for Federation
