Cisco Unity Connection Security Guide Release 14 PDF
Security Guide for Cisco Unity Connection Release 14

CHAPTER 1 IP Communications Required by Cisco Unity Connection

Service Ports

Table 1: TCP and UDP Ports Used for Inbound Connections to Cisco Unity Connection lists the TCP and UDP ports that are used for inbound connections to the Cisco Unity Connection server, and ports that are used internally by Unity Connection.

Table 1: TCP and UDP Ports Used for Inbound Connections to Cisco Unity Connection (1)

Ports and Protocols | Operating System Firewall Setting | Executable/Service or Application | Service Account | Comments
TCP: 20500, 20501, 20502, 19003, 1935 | Open only between servers in a Unity Connection cluster. Port 1935 is blocked and is for internal use only. | CuCsMgr/Unity Connection Conversation Manager | cucsmgr | Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 21000–21512 | Open | CuCsMgr/Unity Connection Conversation Manager | cucsmgr | IP phones must be able to connect to this range of ports on the Unity Connection server for some phone client applications.
TCP: 5000 | Open | CuCsMgr/Unity Connection Conversation Manager | cucsmgr | Opened for port-status monitoring read-only connections. Monitoring must be configured in Connection Administration before any data can be seen on this port (Monitoring is off by default). Administration workstations connect to this port.
TCP and UDP ports allocated by administrator for SIP traffic. Possible ports are 5060–5199 | Open | CuCsMgr/Unity Connection Conversation Manager | cucsmgr | Unity Connection SIP Control Traffic handled by conversation manager. SIP devices must be able to connect to these ports.
TCP: 20055 | Open only between servers in a Unity Connection cluster | CuLicSvr/Unity Connection License Server | culic | Restricted to localhost only (no remote connections to this service are needed).
TCP: 1502, 1503 ("ciscounity_tcp" in /etc/services) | Open only between servers in a Unity Connection cluster | unityoninit/Unity Connection DB | root | Servers in a Unity Connection cluster must be able to connect to each other on these database ports. For external access to the database, use CuDBProxy.
TCP: 143, 993, 7993, 8143, 8993 | Open | CuImapSvr/Unity Connection IMAP Server | cuimapsvr | Client workstations must be able to connect to ports 143 and 993 for IMAP inbox access, and IMAP over SSL inbox access.
TCP: 25, 8025 | Open | CuSmtpSvr/Unity Connection SMTP Server | cusmtpsvr | Servers delivering SMTP to Unity Connection port 25, such as other servers in a UC Digital Network.
TCP: 4904 | Blocked; internal use only | SWIsvcMon (Nuance SpeechWorks Service Monitor) | openspeech | Restricted to localhost only (no remote connections to this service are needed).
TCP: 4900:4904 | Blocked; internal use only | OSServer/Unity Connection Voice Recognizer | openspeech | Restricted to localhost only (no remote connections to this service are needed).
UDP: 16384–21511 | Open | CuMixer/Unity Connection Mixer | cumixer | VoIP devices (phones and gateways) must be able to send traffic to these UDP ports to deliver inbound audio streams.
UDP: 7774–7900 | Blocked; internal use only | CuMixer/Speech recognition RTP | cumixer | Restricted to localhost only (no remote connections to this service are needed).
TCP: 22000; UDP: 22000 | Open only between servers in a Unity Connection cluster | CuSrm/Unity Connection Server Role Manager | cusrm | Cluster SRM RPC. Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 22001; UDP: 22001 | Open only between servers in a Unity Connection cluster | CuSrm/Unity Connection Server Role Manager | cusrm | Cluster SRM heartbeat. Heartbeat event traffic is not encrypted but is MAC secured. Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 20532 | Open | CuDbProxy/Unity Connection Database Proxy | cudbproxy | If this service is enabled, it allows administrative read/write database connections for off-box clients. For example, some of the ciscounitytools.com tools use this port. Administrative workstations would connect to this port.
TCP: 22 | Open | Sshd | root | Firewall must be open for TCP 22 connections for remote CLI access and serving SFTP in a Unity Connection cluster. Administrative workstations must be able to connect to a Unity Connection server on this port. Servers in a Unity Connection cluster must be able to connect to each other on this port.
UDP: 161 | Open | Snmpd Platform SNMP Service | root | —
UDP: 500 | Open | Raccoon ipsec isakmp (key management) service | root | Using ipsec is optional, and off by default. If the service is enabled, servers in a Unity Connection cluster must be able to connect to each other on this port.
TCP: 8500; UDP: 8500 | Open | clm/cluster management service | root | The cluster manager service is part of the Voice Operating System. Servers in a Unity Connection cluster must be able to connect to each other on these ports.
UDP: 123 | Open | Ntpd Network Time Service | ntp | Network time service is enabled to keep time synchronized between servers in a Unity Connection cluster. The publisher server can use either the operating system time on the publisher server or the time on a separate NTP server for time synchronization. Subscriber servers always use the publisher server for time synchronization. Servers in a Unity Connection cluster must be able to connect to each other on this port.
TCP: 5007 | Blocked; internal use only | Tomcat/Cisco Tomcat (SOAP Service) | tomcat | Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 1500, 1501 | Open only between servers in a Unity Connection cluster | cmoninit/Cisco DB | informix | These database instances contain information for LDAP integrated users, and serviceability data. Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 1515 | Open only between servers in a Unity Connection cluster | dblrpm/Cisco DB Replication Service | root | Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 8001 | Open only between servers in a Unity Connection cluster | dbmon/Cisco DB Change Notification Port | database | Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 2555, 2556 | Open only between servers in a Unity Connection cluster | RisDC/Cisco RIS Data Collector | ccmservice | Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 1090, 1099 | Open only between servers in a Unity Connection cluster | Amc/Cisco AMC Service (Alert Manager Collector) | ccmservice | Performs back-end serviceability data exchanges. 1090: AMC RMI Object Port. 1099: AMC RMI Registry Port. Servers in a Unity Connection cluster must be able to connect to each other on these ports.
TCP: 80, 443, 8080, 8443 | Open | tomcat/Cisco Tomcat | tomcat | Both client and administrative workstations need to connect to these ports. Servers in a Unity Connection cluster must be able to connect to each other on these ports for communications that use HTTP-based interactions like REST. Note: These ports support both IPv4 and IPv6 addresses. However, the IPv6 address works only when the Connection platform is configured in Dual (IPv4/IPv6) mode. Cisco Unity Connection Survivable Remote Site Voicemail (SRSV) supports these ports for IP communication.
TCP: 8081, 8444 | Open only between servers in HTTPS Networking | tomcat/Cisco Tomcat | tomcat | Servers in HTTPS Networking must be able to connect to each other on these ports for communications. Unity Connection HTTPS Directory Feeder service uses these ports for directory synchronization. Note: Unity Connection HTTPS Directory Feeder service supports only IPv4 mode.
TCP: 5001-5004, 8005 | Blocked; internal use only | tomcat/Cisco Tomcat | tomcat | Internal tomcat service control and axis ports.
TCP: 32768–61000; UDP: 32768–61000 | Open | — | — | Ephemeral port ranges, used by anything with a dynamically allocated client port.
TCP: 7443 | Open | jetty/Unity Connection Jetty | jetty | Secure Jabber and Web Inbox notifications. Note: You can enable the port using the "utils cuc jetty ssl enable" CLI command.
TCP: 7080 | Open | jetty/Unity Connection Jetty | jetty | Exchange 2010 only, single inbox only: Jabber and Web Inbox EWS notifications of changes to Unity Connection voice messages.
UDP: 9291 | Open | CuMbxSync/Unity Connection Mailbox Sync Service | cumbxsync | Single inbox only: WebDAV notifications of changes to Unity Connection voice messages.
TCP: 6080 | Open | CuCsMgr/Unity Connection Conversation Manager | cucsmgr | Video server must be able to connect to Unity Connection on this port for communications.

(1) Bold port numbers are open for direct connections from off-box clients.

Outbound Connections Made by Unity Connection

Table 2: TCP and UDP Ports Unity Connection Uses to Connect With Other Servers in the Network lists the TCP and UDP ports that Cisco Unity Connection uses to connect with other servers in the network.

Table 2: TCP and UDP Ports Unity Connection Uses to Connect With Other Servers in the Network

Ports and Protocols | Executable | Service Account | Comments
TCP: 2000* (Default SCCP port). Optionally TCP port 2443* if you use SCCP over TLS. | CuCsMgr | cucsmgr | Unity Connection SCCP client connection to Cisco Unified CM when they are integrated using SCCP.
UDP: 16384–32767* (RTP) | CuMixer | cumixer | Unity Connection outbound audio-stream traffic.
UDP: 69 | CuCsMgr | cucsmgr | When you are configuring encrypted SCCP, encrypted SIP, or encrypted media streams, Unity Connection makes a TFTP client connection to Cisco Unified CM to download security certificates.
TCP: 6972 | CuCsMgr | cucsmgr | When you are configuring encrypted SIP or encrypted media streams, Unity Connection makes an HTTPS client connection to Cisco Unified CM to download ITL security certificates.
TCP: 53; UDP: 53 | any | any | Used by any process that needs to perform DNS name resolution.
TCP: 53, and either 389 or 636 | CuMbxSync, CuCsMgr, tomcat | cumbxsync, cucsmgr, tomcat | Used when Unity Connection is configured for unified messaging with Exchange and one or more unified messaging services are configured to search for Exchange servers. Unity Connection uses port 389 when you select LDAP for the protocol used to communicate with domain controllers. Unity Connection uses port 636 when you select LDAPS for the protocol used to communicate with domain controllers.
TCP: 80, 443 (HTTP and HTTPS) | CuMbxSync, CuCsMgr, tomcat | cumbxsync, cucsmgr, tomcat | Note: These ports support both IPv4 and IPv6 addresses.
TCP: 80, 443, 8080, and 8443 (HTTP and HTTPS) | CuCsMgr, tomcat | cucsmgr, tomcat | Unity Connection makes HTTP and HTTPS client connections to other Unity Connection servers for Digital Networking automatic joins, and to Cisco Unified CM for AXL user synchronization. Note: These ports support both IPv4 and IPv6 addresses. Note: Cisco Unity Connection Survivable Remote Site Voicemail (SRSV) supports these ports for IP communication.
TCP: 143, 993 (IMAP and IMAP over SSL) | CuCsMgr | cucsmgr | Unity Connection makes IMAP connections to Microsoft Exchange servers to perform text-to-speech conversions of email messages in a Unity Connection user's Exchange mailbox.
TCP: 25, 587 (SMTP) | CuSmtpSvr | cusmtpsvr | Unity Connection makes client connections to SMTP servers and smart hosts, or to other Unity Connection servers for features such as VPIM networking or Unity Connection Digital Networking. Note: Cisco Unity Connection supports STARTTLS over port 25. With Release 14SU2 and later, STARTTLS is also supported over port 587.
TCP: 21 (FTP) | ftp | root | The installation framework performs FTP connections to download upgrade media when an FTP server is specified.
TCP: 22 (SSH/SFTP) | CiscoDRFMaster, sftp | drf, root | The Disaster Recovery Framework performs SFTP connections to network backup servers to perform backups and retrieve backups for restoration. The installation framework performs SFTP connections to download upgrade media when an SFTP server is specified.
UDP: 67 (DHCP/BootP) | dhclient | root | Client connections made for obtaining DHCP addressing. Although DHCP is supported, Cisco highly recommends that you assign static IP addresses to Unity Connection servers.
TCP: 123; UDP: 123 (NTP) | Ntpd | root | Client connections made for NTP clock synchronization.
UDP: 514; TCP: 601 | Syslog/Cisco Syslog Server | syslog | Unity Connection server must be able to send audit logs to a remote syslog server through these ports.

* Many devices and applications allow configurable RTP port allocations.

Securing Transport Layer

Unity Connection uses the Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol for signaling and client-server communication. Unity Connection supports TLS 1.0, TLS 1.1 and TLS 1.2 for secure communication across the various interfaces of Cisco Unity Connection. TLS 1.2 is the most secure and authenticated protocol for communication. Depending upon the organization's security policies and deployment capabilities, Unity Connection 11.5(1) SU3 and later allows you to configure the minimum TLS version. After you configure the minimum version of TLS, Unity Connection supports the configured minimum version and higher versions of TLS. For example, if you configure TLS 1.1 as the minimum version of TLS, Unity Connection uses TLS 1.1 and higher versions for communication and rejects requests for a TLS version that is lower than the configured value. By default, TLS 1.0 is configured.

Before configuring the minimum TLS version, ensure that all interfaces of Unity Connection are secured and use the configured minimum TLS version or a higher version for communication. However, you can configure the minimum TLS version for inbound interfaces of Unity Connection. Table 3 lists the supported interfaces for which you can configure the minimum TLS version on Unity Connection.

Table 3: Supported Interfaces for Secure Communication

Ports | Executable/Service or Application | Service Account | Comments
8443, 443, 8444 | Cisco HAProxy | haproxy | Both client and administrative workstations must connect to these ports. Servers in a Unity Connection cluster must be able to connect to each other on these ports for communications that use HTTP-based interactions like REST.
7443 | jetty/Unity Connection Jetty | jetty | Secure Jabber and Web Inbox notifications. Cisco Unity Connection 14SU3 and later supports only TLS version 1.2 for secure communication.
993 | CuImapSvr/Unity Connection IMAP Server | cuimapsvr | Client workstations must be able to connect to port 993 for IMAP over SSL inbox access.
25, 587 | CuSmtpSvr/Unity Connection SMTP Server | cusmtpsvr | Servers delivering SMTP to Unity Connection port 25 or 587, such as other servers in a UC Digital Network.
5061-5199 | CuCsMgr/Unity Connection Conversation Manager | cucsmgr | Unity Connection SIP Control Traffic handled by conversation manager. SIP devices must be able to connect to these ports.
LDAP (outbound interface) | CuMbxSync, CuCsMgr, tomcat | cumbxsync, cucsmgr, tomcat | Unity Connection uses port 636 when you select LDAPS for the protocol used to communicate with domain controllers.
20536 | Cisco HAProxy | haproxy | If this service is enabled, it allows administrative secure read/write database connections for off-box clients.

For more information on supported inbound interfaces of Cisco Unity Connection, see the "Service Ports" section.

Configuring Minimum TLS Version

To configure the minimum TLS version in Cisco Unity Connection, execute the following CLI command:

    set tls min-version

In a cluster, you must execute the CLI command on both the publisher and the subscriber. In addition, you can execute the following CLI command to check the configured value of the minimum TLS version on Unity Connection:

    show tls min-version

For detailed information on the CLI, see the Command Line Interface Reference Guide for Cisco Unified Communications Solutions, available at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html.
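As an added example that is not part of the Cisco guide: a Python audit that encodes a subset of Table 1 (inbound exposure) and Table 3 (interfaces bound by the configured minimum TLS version) as data and checks constructed connection records against it, flagging off-box hits on internal-only ports, non-cluster sources on cluster-only ports, and negotiated TLS versions below the minimum. The zone names and the record fields are assumptions made for this example.

```python
"""Audit observed inbound flows against Unity Connection's port tables.

Added example, not part of the Cisco guide. A subset of Table 1 and Table 3 is
encoded as data and constructed connection records are checked against it. The
zone names ("cluster", "admin", "phones", "internet") are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Firewall settings as written in Table 1.
OPEN = "Open"
CLUSTER_ONLY = "Open only between servers in a Unity Connection cluster"
INTERNAL = "Blocked; internal use only"

# (protocol, first port, last port, firewall setting): a subset of Table 1.
INBOUND_POLICY = [
    ("tcp", 20500, 20502, CLUSTER_ONLY), ("tcp", 19003, 19003, CLUSTER_ONLY),
    ("tcp", 1935, 1935, INTERNAL),          # listed with the cluster ports, but blocked
    ("tcp", 21000, 21512, OPEN),            # phone client applications
    ("tcp", 5060, 5199, OPEN),              # SIP control traffic
    ("tcp", 1502, 1503, CLUSTER_ONLY),      # Unity Connection DB (use CuDBProxy externally)
    ("tcp", 143, 143, OPEN), ("tcp", 993, 993, OPEN), ("tcp", 25, 25, OPEN),
    ("tcp", 4900, 4904, INTERNAL),          # voice recognizer / service monitor
    ("udp", 16384, 21511, OPEN),            # inbound RTP from phones and gateways
    ("udp", 7774, 7900, INTERNAL),          # speech recognition RTP
    ("tcp", 22000, 22001, CLUSTER_ONLY), ("udp", 22000, 22001, CLUSTER_ONLY),  # SRM
    ("tcp", 20532, 20532, OPEN),            # Database Proxy, when enabled
    ("tcp", 22, 22, OPEN),                  # SSH / SFTP
    ("tcp", 1500, 1501, CLUSTER_ONLY), ("tcp", 1515, 1515, CLUSTER_ONLY),
    ("tcp", 8001, 8001, CLUSTER_ONLY), ("tcp", 2555, 2556, CLUSTER_ONLY),
    ("tcp", 80, 80, OPEN), ("tcp", 443, 443, OPEN),
    ("tcp", 8080, 8080, OPEN), ("tcp", 8443, 8443, OPEN),
    ("tcp", 5001, 5004, INTERNAL), ("tcp", 8005, 8005, INTERNAL), ("tcp", 5007, 5007, INTERNAL),
    ("tcp", 7443, 7443, OPEN),              # Jetty: Jabber and Web Inbox notifications
]

# Table 3: interfaces that must negotiate the configured minimum TLS version or higher.
TLS_INTERFACES = {443, 8443, 8444, 7443, 993, 25, 587, 20536} | set(range(5061, 5200))
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


@dataclass
class Flow:
    src_zone: str                      # "cluster", "admin", "phones" or "internet" (assumed names)
    proto: str
    dport: int
    tls_version: Optional[str] = None  # negotiated version, if the collector records it


def policy_for(proto: str, dport: int) -> Optional[str]:
    """Return the Table 1 firewall setting for a port, or None if it is not listed."""
    for p, lo, hi, setting in INBOUND_POLICY:
        if p == proto and lo <= dport <= hi:
            return setting
    return None


def audit_flow(flow: Flow, min_tls: str = "TLSv1.2") -> List[str]:
    """Return the policy violations for one flow; an empty list means compliant."""
    findings = []
    setting = policy_for(flow.proto, flow.dport)
    if setting is None:
        findings.append("port not in Table 1 inbound policy")
    elif setting == INTERNAL:
        # Any flow seen by a network collector is off-box, so an internal-only hit is a finding.
        findings.append("internal-only port reached from off-box")
    elif setting == CLUSTER_ONLY and flow.src_zone != "cluster":
        findings.append("cluster-only port reached from non-cluster zone")
    if flow.tls_version is not None and flow.dport in TLS_INTERFACES:
        if TLS_ORDER[flow.tls_version] < TLS_ORDER[min_tls]:
            findings.append(f"{flow.tls_version} below configured minimum {min_tls}")
    return findings


def audit(flows: Iterable[Flow], min_tls: str = "TLSv1.2") -> List[Tuple[Flow, List[str]]]:
    """Audit many flows and return (flow, findings) for the non-compliant ones."""
    results = []
    for flow in flows:
        findings = audit_flow(flow, min_tls)
        if findings:
            results.append((flow, findings))
    return results


# Constructed sample records, as a firewall or NetFlow collector might export them.
SAMPLE_FLOWS = [
    Flow("admin", "tcp", 8443, "TLSv1.2"),  # administrative HTTPS, compliant
    Flow("phones", "udp", 17000),           # inbound RTP from a phone, compliant
    Flow("internet", "tcp", 1503),          # DB port reached from outside the cluster
    Flow("admin", "tcp", 5007),             # internal-only Tomcat SOAP port
    Flow("admin", "tcp", 993, "TLSv1.0"),   # IMAP over SSL below the configured minimum
    Flow("cluster", "tcp", 22000),          # SRM RPC between cluster members, compliant
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        print(f"{flow.src_zone} -> {flow.proto}/{flow.dport}: {'; '.join(findings)}")
```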
Caution: After configuring the minimum TLS version, the Cisco Unity Connection server restarts automatically.

CHAPTER 2 Preventing Toll Fraud

Introduction

In this chapter, you find a description of toll fraud, a potential security issue in any organization, together with information that may help you to develop preventive measures and best practices to avoid toll fraud.

Using Restriction Tables to Help Prevent Toll Fraud

Toll fraud is defined as any toll (long distance) call that is made at the expense of your organization and in violation of its policies. Cisco Unity Connection provides restriction tables that you can use to help guard against toll fraud. Restriction tables control the phone numbers that can be used for transferring calls, for message notification, and for other Unity Connection functions. Each class of service has several restriction tables associated with it, and you can add more as needed. By default, restriction tables are configured for basic toll fraud restrictions for a dial plan with a trunk access code of 9. Restriction tables should be adjusted for your specific dial plan and international dialing prefixes.

Best Practices: To prevent toll fraud by users, administrators, and even outside callers who have improperly gained access to a Cisco Unity Connection mailbox, implement the following changes:

- Set up all restriction tables to block calls to the international operator. When this is done, a person cannot dial out to or configure call transfers from an extension to the international operator (for example, a trunk access code of 9 followed by 00 to dial the international operator) for placing international calls.
- If Unity Connection is integrated with two phone systems, add restriction table patterns to match the applicable trunk access codes for both phone system integrations. For example, if the trunk access code for one of the phone system integrations is 99 and you want to restrict the call pattern 900, you would also restrict the pattern 99900. When patterns that include the trunk access codes are restricted, attempts to bypass the restriction table by first accessing either trunk and then dialing the international operator are blocked.
- For those in your organization who do not need to access international numbers to do their work, set up restriction tables to block all calls to international numbers. This prevents a person who has access to a Unity Connection mailbox that is associated with the restriction table from configuring call transfers or fax delivery from that extension to an international number.
- Set up restriction tables to permit calls only to specific domestic long distance area codes or to prohibit calls to long distance area codes. This prevents a person who has access to a Unity Connection mailbox that is associated with the restriction table from configuring call transfers or fax delivery from that extension to a long distance number.
- Restrict the numbers that can be used for system transfers, a feature that allows callers to dial a number and then transfer to another number that they specify. For example, set up the applicable restriction tables to allow callers to transfer to a lobby or conference room phone, but not to the international operator or to a long distance phone number.
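The trunk-access-code example above, worked through as an added example that is not part of the Cisco guide: a small Python model of restriction table evaluation. The pattern conventions ('?' matches one digit, '*' any run of digits, rows are evaluated in order and the first match decides) and both tables are assumptions constructed for the illustration; the model shows that blocking 900 alone leaves the 99900 route permitted and that the additional row closes it.

```python
"""Model of Cisco Unity Connection restriction table evaluation.

Added example, not part of the Cisco guide. Assumed conventions: a row has
minimum and maximum dialed-string lengths, a call pattern where '?' matches
exactly one digit and '*' matches any run of digits, and a Blocked flag; rows
are evaluated in order and the first matching row decides. The two tables
below are constructed for the trunk-access-code example in the text.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Row:
    pattern: str        # e.g. "900*": trunk code 9, then 00 for the international operator
    blocked: bool
    min_len: int = 1
    max_len: int = 40


def pattern_to_regex(pattern: str):
    """Translate a restriction-table call pattern into an anchored regex."""
    if not re.fullmatch(r"[0-9?*]+", pattern):
        raise ValueError(f"unsupported pattern: {pattern!r}")
    return re.compile("^" + pattern.replace("?", "[0-9]").replace("*", "[0-9]*") + "$")


def is_blocked(table: List[Row], dial_string: str) -> bool:
    """First matching row decides; with no matching row the number is permitted."""
    for row in table:
        length_ok = row.min_len <= len(dial_string) <= row.max_len
        if length_ok and pattern_to_regex(row.pattern).match(dial_string):
            return row.blocked
    return False


# Blocks only the primary trunk (9) followed by the international operator (00).
SINGLE_TRUNK_TABLE = [
    Row("900*", blocked=True),
    Row("*", blocked=False),
]

# Same table extended for a second integration whose trunk access code is 99.
DUAL_TRUNK_TABLE = [
    Row("900*", blocked=True),
    Row("99900*", blocked=True),
    Row("*", blocked=False),
]


def permitted_numbers(table: List[Row], dial_strings: List[str]) -> List[str]:
    """Return the dial strings that the table would let through."""
    return [d for d in dial_strings if not is_blocked(table, d)]


# Constructed transfer targets an administrator might test a table against:
# operator via trunk 9, operator via trunk 99 then 9, a long distance number, an extension.
TEST_TARGETS = ["90014155550100", "999001234567", "912125550100", "2001"]

if __name__ == "__main__":
    for name, table in (("single trunk", SINGLE_TRUNK_TABLE), ("dual trunk", DUAL_TRUNK_TABLE)):
        print(name, "permits:", permitted_numbers(table, TEST_TARGETS))
```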
Restricting Collect Calling Options

We recommend that you work with your telecommunications provider to restrict the collect calling option on your incoming phone lines, if appropriate.

CHAPTER 3 Cisco Unity Connection - Restricted and Unrestricted Version

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws.

Cisco Unity Connection provides two versions of the Connection software, restricted and unrestricted, that address import requirements for some countries related to encryption of user data. The Restricted version of Cisco Unity Connection allows you to enable encryption on the product and use the security modules listed below, whereas the Unrestricted version does not allow you to use these security modules.

Functionality | Restricted Version of Connection | Unrestricted Version of Connection
SSL for IMAP connections used to access voice messages | Allowed | Disallowed
Secure SCCP, SIP, and SRTP for call signaling and media | Allowed | Disallowed
Communications among networked Connection servers or clusters (over secure MIME) | Allowed | Disallowed
SSL for Comet notification (Jetty SSL command) | Allowed | Disallowed

Caution: Both restricted and unrestricted versions of the Connection software are available for download or on DVD. Upgrading a restricted version to an unrestricted version is supported, but future upgrades are then limited to unrestricted versions. Upgrading an unrestricted version to a restricted version is not supported.

In Unity Connection, encryption is disabled by default for the Restricted version of the product in Evaluation Mode. Hence you are not allowed to use the above security modules with the Restricted version of Unity Connection until the product is registered with Cisco Smart Software Manager (CSSM) or Cisco Smart Software Manager satellite using a token that allows Export-Controlled Functionality. The behavior of the Restricted version of Unity Connection in Evaluation Mode is similar to the behavior of the Unrestricted version of Unity Connection.

When you upgrade Cisco Unity Connection from any earlier release to 12.0(1) and later, encryption on Cisco Unity Connection behaves as follows:

Upgrade Path | Cluster Mode | License Status before Upgrade | License Status after Upgrade | Action before Upgrade
Pre-12.0(1) to 12.0(1) | Secure Mode | Demo or PLM Licensed | Evaluation | Cisco Unity Connection continues to run in secure mode. If the product is not registered with CSSM or satellite through an Export Controlled Functionality enabled token before the Evaluation Period expires, the system generates an alarm on RTMT after the Evaluation Period has expired.

Caution: After deregistration, if either of the following services, "Connection Conversation Manager" or "Connection IMAP Server", is restarted, you are not able to use the security modules: for example, IMAP if the IMAP Server is restarted, and SCCP/SIP/SRTP if the Connection Conversation Manager is restarted.

Note: An upgrade from 12.0(1) to 12.0(1) and later retains the existing encryption status of the system after the upgrade.

For more information on how to register the product with CSSM or satellite, see the "Managing Licenses" chapter of the Install, Upgrade and Maintenance Guide for Cisco Unity Connection 14, available at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/14/install_upgrade/guide/b_14cuciumg.html.

To enable or disable encryption on the Cisco Unity Connection Restricted version, the CLI command "utils cuc encryption" can be used.

Note: In case of an upgrade, you must execute the CLI after the switch version has completed successfully.

For more information on the CLI, see the Command Line Interface Reference Guide for Cisco Unified Solutions for the latest release, available at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html

CHAPTER 4 Securing the Connection between Cisco Unity Connection, Cisco Unified Communications Manager, and IP Phones

Introduction

In this chapter, you find descriptions of potential security issues related to connections between Cisco Unity Connection, Cisco Unified Communications Manager, and IP phones; information on any actions you need to take; recommendations that help you make decisions; discussion of the ramifications of the decisions you make; and best practices.

Security Issues for Connections between Unity Connection, Cisco Unified Communications Manager, and IP Phones

A potential point of vulnerability for a Cisco Unity Connection system is the connection between Unity Connection voice messaging ports (for an SCCP integration) or port groups (for a SIP integration), Cisco Unified Communications Manager, and the IP phones.
Possible threats include:

- Man-in-the-middle attacks (when the information flow between Cisco Unified CM and Unity Connection is observed and modified)
- Network traffic sniffing (when software is used to capture phone conversations and signaling information that flow between Cisco Unified CM, Unity Connection, and IP phones that are managed by Cisco Unified CM)
- Modification of call signaling between Unity Connection and Cisco Unified CM
- Modification of the media stream between Unity Connection and the endpoint (for example, an IP phone or a gateway)
- Identity theft of Unity Connection (when a non-Unity Connection device presents itself to Cisco Unified CM as a Unity Connection server)
- Identity theft of the Cisco Unified CM server (when a non-Cisco Unified CM server presents itself to Unity Connection as a Cisco Unified CM server)

Cisco Unified Communications Manager Security Features for Unity Connection Voice Messaging Ports

Cisco Unified CM can secure the connection with Unity Connection against the threats listed in the Security Issues for Connections between Unity Connection, Cisco Unified Communications Manager, and IP Phones. The Cisco Unified CM security features that Unity Connection can take advantage of are described in Table 4: Cisco Unified CM Security Features Used by Cisco Unity Connection.

Table 4: Cisco Unified CM Security Features Used by Cisco Unity Connection

Security Feature: Signaling authentication
Description: The process that uses the Transport Layer Security (TLS) protocol to validate that no tampering has occurred to signaling packets during transmission. Signaling authentication relies on the creation of the Cisco Certificate Trust List (CTL) file. This feature protects against:
- Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and Unity Connection.
- Modification of the call signaling.
- Identity theft of the Unity Connection server.
- Identity theft of the Cisco Unified CM server.

Security Feature: Device authentication
Description: The process that validates the identity of the device and ensures that the entity is what it claims to be. This process occurs between Cisco Unified CM and either Unity Connection voice messaging ports (for an SCCP integration) or Unity Connection port groups (for a SIP integration) when each device accepts the certificate of the other device. When the certificates are accepted, a secure connection between the devices is established. Device authentication relies on the creation of the Cisco Certificate Trust List (CTL) file. This feature protects against:
- Man-in-the-middle attacks that modify the information flow between Cisco Unified CM and Unity Connection.
- Modification of the media stream.
- Identity theft of the Unity Connection server.
- Identity theft of the Cisco Unified CM server.

Security Feature: Signaling encryption
Description: The process that uses cryptographic methods to protect (through encryption) the confidentiality of all SCCP or SIP signaling messages that are sent between Unity Connection and Cisco Unified CM. Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and so on are protected against unintended or unauthorized access. This feature protects against:
- Man-in-the-middle attacks that observe the information flow between Cisco Unified CM and Unity Connection.
- Network traffic sniffing that observes the signaling information flow between Cisco Unified CM and Unity Connection.