Cisco Unified Communications Manager And The IM And .


Cisco Unified Communications Manager and the IM and Presence Service v12.5
CC Configuration Guide

Version: 0.5
Date: December 28, 2020

© 2020 Cisco Systems, Inc. All rights reserved. This document may be reproduced in full without any modification.

Table of Contents

Document Introduction
1. Introduction
  1.1. Audience
  1.2. Purpose
  1.3. Document References
  1.4. TOE Overview
  1.5. Operational Environment
  1.6. Excluded Functionality
  1.7. TOE Acceptance
2. Installation
  2.1. Clusters and Nodes
  2.2. Physical Installation
  2.3. Hypervisor Installation
  2.4. Initial Installation of CUCM
  2.5. Access Web GUI over HTTPS
  2.6. Access Local Console CLI
  2.7. Initial Installation of IM&P
  2.8. Verify TOE Software
  2.9. Enable FIPS Mode
  2.10. Access Banner
  2.11. Administrator Configuration, Credentials and Session Termination
3. Configuration
  3.1. Certificates
    3.1.1. CA Certificates
    3.1.2. Device Certificates (non-VVoIP Endpoints)
    3.1.3. Generate CSR
    3.1.4. Import Certificates
  3.2. TLS
  3.3. Audit Logging Configuration
    3.3.1. Audit Trail Capacities
    3.3.2. System Logs
  3.4. Configure Time and Date
  3.5. CUCM Mixed Mode (Secure Mode)
  3.6. Device Certificates (VVoIP Endpoints)
  3.7. VVoIP Endpoint Devices and User Association
  3.8. SIP Connections and Protocols
  3.9. Product Updates
  3.10. Disable IM&P TOE Component
  3.11. Disk Erasure
4. Auditing
5. Obtaining Documentation and Submitting a Service Request
6. Contacting Cisco

Document Introduction

Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134

This document provides Guidance to IT personnel for the TOE, Cisco Unified Communications Manager and the IM and Presence Service v12.5. This Guidance document includes instructions to successfully install the TOE in the Operational Environment, instructions to manage the security of the TSF, and instructions to provide a protected administrative capability.

Revision History

Version   Date                 Change
0.1       July 15, 2020        Initial Version
0.2       November 20, 2020    Updates for Check-Out
0.3       December 2, 2020     Additional Updates for Check-Out
0.4       December 7, 2020     Final Updates for Check-Out
0.5       December 28, 2020    Final Updates for Check-Out

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2020 Cisco Systems, Inc. All rights reserved.

1. Introduction

This Operational User Guidance with Preparative Procedures documents the administration of the Cisco Unified Communications Manager (CUCM) and the IM and Presence Service 12.5 running on Cisco Unified Computing System (Cisco UCS) UCS C220 M5 or UCS C240 M5, the TOE, as it was certified under Common Criteria.

1.1. Audience

This document is written for administrators installing and configuring the TOE. This document assumes that you are familiar with the basic concepts and terminologies used in internetworking, and understand your network topology and the protocols that the devices in your network can use, that you are a trusted individual, and that you are trained to use the operating systems on which you are running your network.

1.2. Purpose

This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining Cisco Unified Communications Manager (CUCM) and the IM and Presence Service operations. All security relevant commands to manage the TSF data are provided within this documentation within each functional section.

1.3. Document References

This section lists the Cisco Systems documentation that is also a portion of the Common Criteria Configuration Item (CI) List. The documents used are shown below in Table 1. Throughout this document, the guides will be referred to by the "#", such as [1].

Table 1 Cisco Documentation

#     Title
      Link

[1]   Hardware Install Guides:
      (a) Cisco UCS C220 M5 Server Installation and cs/unified sco UCS C240 M5 Server Installation and cs/unified computing/ucs/c/hw/C240M5/install/C240M5.html

[2]   Cisco Collaboration on Virtual Servers
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/virtual/CUCM BK C90D1BE9 00

      llation Guide for Cisco Unified Communications Manager and IM and Presence Service Release 12.5(1)
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/install/12 5 1/cucm b install-guide-cucm-imp-1251.html

[4]   Cisco Unified CDR Analysis and ce ip comm/Administration Guide, Release 12.5(1)cucm/service/12 5 1/Car/cucm b

      em Configuration Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/admin/12 5 1SU2/systemConfig/cucm b systemconfiguration-guide-1251su2.html

[6]   Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/security/12 5 1SU2/cucm b security-guide1251SU2.html

[7]   Administration Guide for Cisco Unified Communications Manager, Release 12.5(1)
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/admin/12 5 1/admin/cucm b administrationguide-1251/cucm b administration-guide1251 chapter 01111.html

[8]   Cisco Unified Communications Manager Common Criteria Guidance, version 1.0
      See NIAP webpage for certified products - https://www.niap-ccevs.org/CCEVS Products/pcl.cfm

[9]   Cisco Unified Communications Manager Security Target, version 1.0
      See NIAP webpage for certified products - https://www.niap-ccevs.org/CCEVS Products/pcl.cfm

[10]  Cisco Unified Communications ed-(CallManager) Maintain and Operate

[11]  Release Notes for Cisco Unified Communications Manager and IM & Presence Service, Release 12.5(1)
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/rel notes/12 5 1/cucm b release-notes-cucm-imp-1251.html

      Release Notes for Cisco Unified Communications Manager and the IM and Presence Service, Release 12.5(1)SU1
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/rel notes/12 5 1/SU1/cucm b release-notes-forcucm-imp-1251su1.html

[12]  Manage voice ip comm/cucm/security/12 5 1/cucm b security-guide-1251.html

[13]  Cisco Unified Serviceability s/voice ip comm/Guide, Release12.5(1)cucm/admin/12 5 1/admin/cucm b

      .cisco.com/c/en/us/td/docs/voice ip comm/cucm/admin/12 0 1/featureConfig/cucm b cucm-feature-configurationguide 1201.html

      Feature Configuration Guide for Cisco Unified Communications Manager, Release 12.5(1)
      https://www.cisco.com/c/en/us/td/docs/voice ip

[16]  Command Line Interface Guide for Cisco Unified Communications Solutions, Release 12.5(1)
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/cli ref/12 5 1/cucm b cli-reference-guide-1251.html

      Cisco Unified Reporting Administration Guide, Release 12.0(1)
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/service/12 0 1/report/cucm b

]     Cisco UCS C-Series Integrated Management Controller GUI Configuration Guide, Release 3.1
      https://www.cisco.com/c/en/us/td/docs/unified computing/ucs/c/sw/gui/config/guide/3 1/b Cisco UCS C-series GUI Configuration Guide 31.html

      Cisco UCS C-Series Integrated Management Controller GUI Configuration Guide, ified computing/ucs/c/sw/gui/config/guide/4 0/b Cisco UCS Cseries GUI Configuration Guide 40.html

[18]  Cisco UCS Manager Administration Management Guide 3.1
      https://www.cisco.com/c/en/us/td/docs/unified nagement/31/b Cisco UCS Admin Mgmt Guide 3 1.html

      Cisco UCS Manager s/unified computiManagement Guide ent/4-0/b Cisco UCS Admin Mgmt Guide 40.html

[19]  Upgrade and Migration Guide for Cisco Unified Communications Manager and the IM and Presence Service, Release 12.5(1)
      https://www.cisco.com/c/en/us/td/docs/voice ip comm/cucm/upgrade/12 5 1/cucm b upgrade-migration-guide-125x.html

1.4. TOE Overview

The TOE is Cisco Unified Communications Manager (CUCM) and Instant Message and Presence Service v12.5. The TOE is an IP-based communications system integrating voice, video, data, and mobility products and applications enabling more effective and secure user communications.

1.5. Operational Environment

The TOE requires the following IT Environment Components when the TOE is configured in its evaluated configuration:

Table 2. Operational Environment Components

Component
      Usage/Purpose/Description

Local Console
      This includes any IT Environment Console that is directly connected to the CUCM and IM&P TOE components via the Serial Console Port. This is used by the Security Administrator to perform local administration.

Management Workstation
      This includes any IT Environment Management workstation that can remotely access CUCM and IM&P administration interfaces with a web browser using HTTPS. This provides the Security Administrator the capability to perform remote administration over a trusted path.

(3 ) NTP Servers
      The NTP servers provide the CUCM TOE component the ability to synchronize its clock to an accurate source of time and date. At least 3 NTP time sources must be provided to the CUCM TOE component.

Syslog Server
      The Syslog server provides the TOE with the capability to transmit generated audit data over TLS.

Remote Endpoint
      This includes any VoIP client with which the TOE communicates over a protected TLS channel.

DNS Server
      A DNS server provides the TOE with the capability to translate domain names to numeric IP addresses.

Certificate Authority (CA) and OCSP Responder
      The Certificate Authority provides the TOE and VVoIP clients with valid certificates. The CA also provides the TOE with an OCSP Responder to check the peer certificate revocation status of devices the TOE communicates with on the network.

1.6. Excluded Functionality

The functionality listed below is not included in the evaluated configuration.

Table 3. Excluded Functionality and Rationale

Function Excluded
      Rationale

Non-FIPS 140-2 mode of operation
      The TOE includes FIPS mode of operation. The FIPS mode allows the TOE to use only approved cryptography. FIPS mode of operation must be enabled in order for the TOE to be operating in its evaluated configuration.

Additionally, the TOE includes a number of functions where there are no Security Functional Requirements that apply from the collaborative Protection Profile for Network Devices v2.1 or the Extended Package Enterprise Session Controller (ESC EP) Version 1.0. The excluded functionality does not affect the TOE's conformance to the claimed Protection Profiles.
