
Troubleshooting Collaboration Security for the Enterprise On-Premises Preferred Architecture

Date
July 2020

Overview

In the past, the deployment of end-to-end authentication and encryption in Cisco Collaboration has not been widespread. A majority of customers chose to treat their internal networks as secure and assumed that the privacy of their communications was therefore assured. Over recent years, this mindset has begun to shift, and more and more customers have started to investigate leveraging cryptography as an additional layer of defense. Also, with the rise of “VPN-less” access technologies, signaling and media privacy has become a standard requirement for any device or client that traverses the firewall perimeter to access corporate collaboration services.

With the above in mind, this collaboration security lab educates users on the practical steps required to enable the security features and functions available with Collaboration Solution Release (CSR) 12.5, including:

  • Cisco Jabber SIP OAuth based authorization and encryption for both SIP signaling and RTP media and MRA media path optimization with direct interactive connectivity establishment (ICE).
  • Online CA mode with automatic Microsoft Certificate Authority certificate enrollment as an alternative to Certificate Authority Proxy Function (CAPF)-issued endpoint locally significant certificates (LSCs).
  • Administrative granular cipher control for all Unified CM TLS/SSH interfaces.
  • Specific License Reservation (SLR) as an alternative to Cisco Smart Software Manager satellite for highly secure deployments with strict air-gap requirements between the data center and cloud-based services.
  • Secure hardware endpoint onboarding with activation codes.

This collaboration security lab is based on the Cisco Preferred Architecture for Enterprise Collaboration 12.x as documented in the Cisco Validated Design (CVD). The CVD is available at https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Collaboration/enterprise/12x/120/collbcvd.html

Modules and Components

Scenario 1: Specific License Reservation – Unified CM, Unity Connection

Scenario 2: Administrative Cipher Control – Unity Connection

Scenario 3: Secure LDAP Integrations – Unified CM, Jabber

Scenario 4: SIP OAuth (Line Side) for On-Premises Jabber Encrypted Calling – Unified CM, Jabber

Scenario 5: Encrypted Calling with Expressway MRA and ICE Media Path Optimization – Unified CM, Expressway, Jabber

Scenario 6: Online CA Mode for Automatic Enterprise CA Endpoint Certificate Enrollment – Unified CM, Microsoft Certificate Authority, Jabber

Scenario 7: Secure Integration with Cisco Unified Border Element (CUBE) – Unified CM, CUBE (vCUBE), Microsoft Certificate Authority

Resources