====== Perform an installation and initial set up of a CallManager cluster ======

  * **Describe CallManager cluster relationships**
  * **Describe CallManager redundancy designs**
  * **Configure DHCP, TFTP and NTP**
  * **Determine which CallManager services are necessary and make sure the appropriate services are enabled**

====== Configure Call Manager to support a call between any two endpoints on-cluster and off-cluster ======

  * **Explain the function of a CallManager group**
  * **Describe the functions and usage of CSS and partitions**
  * **Configure a route plan**
  * **Explain digit analysis**
  * **Describe and configure route patterns to route or block calls**
  * **Explain route filters**
  * **Explain discard digit instructions, translation patterns, and transformation masks**
  * **Describe the functions of CallManager regions**
  * **Describe the functions or usage of a device pool**
  * **Explain the purpose of locations**
  * **Configure CallManager and gatekeeper to support CAC**
  * **Describe the purpose and features of SRST and AAR**
  * **Configure intercluster communications**
  * **Configure voice gateways**

====== Given a list of IP phone features, configure the CallManager to support the given feature set ======

  * **Configure call forward**
  * **Configure MeetMe conferencing and conferencing resources**
  * **Configure Music-on-hold**
  * **Configure soft-key and IP phone button templates**
  * **Configure multiple calls per line appearance**
  * **Configure IPMA**
  * **Configure Malicious Call ID**
  * **Configure hunt groups**
  * **Configure IP phone services**
  * **Configure extension mobility**
  * **Configure MRGs and MRGLs**
  * **Configure other CallManager features and services**

====== Secure an IP telephone network ======

  * **[[Secure Call|Explain Secure RTP and other components that help protect a CIPT network against threats]]**
    * Threats
      * Loss of privacy
      * Loss of integrity
      * Impersonation
      * Denial of Service (DoS)
    * Secure Signaling - encrypt SCCP using TLS
    * Secure media transfer - sRTP (key exchange during Secure Signaling)
    * Secure Signaling and media transfer
      * Only on 7970, 7960, 7940
      * Between IP phones and gateway
      * Not intercluster call
      * Not to media resources e.g. conference, transcoding or MoH
    * Authentication of phone images - Cisco signed image
    * Authentication of phone configuration files - TFTP server signed config
    * [[CTL|The certificate Trusted List (CTL)]]
      * Cisco Call Manager certificates
      * TFTP server certificates
      * CAPF certificates
      * Cisco certificates - used to verify the MIC
      * Cisco CTL certificate - used to verify subsequent CTL
    * [[CAPF|Certificate Authority Proxy Function (CAPF)]]
    * Rules for Cisco CallManager authentication and encryption
      * Signaling encryption requires signaling authentication
      * Media encryption requires media authentication and signaling encryption
      * Media authentication requires media encryption
      * Signaling encryption requires media encryption
    * Authentication - using TLS SHA-1 (signaling) SRTP SHA-1 (media)
    * Encryption - using TLS AES (signaling) SRTP AES (media)
  * **Securing the CallManager Server - best practices/recommendations**
  * **Describe the Cisco SAFE network design**
  * **Configure SSL**
  * **Configure IPSec**
  * **Configure CallManager to use certificates**
    - Enable Security Services
      * CTL Provider
      * Certificate Authority Proxy Function
    - Use the CTL to activate security options
      * Smart Card service must be enabled on PC with USB port
      * Mixed Mode - allow call between two security-enabled devices
      * Nonsecure Mode (default)
    - Configure devices for security
      * Certificate Operation
        * Install/Upgrade (add or update CTL)
        * Delete (delete CTL)
        * Troubleshoot
        * No Pending Operation (default)
      * Authentication Mode
        * By Authentication String (Password)
        * By Null String (no auth)
        * By Existing Certificate (Precedence to LSC)
        * By Existing Certificate (Precedence to MIC)
      * Device Security Mode
        * Non Secure
        * Authenticated
        * Encrypted
      * Generating a CAPF Report (based on)
        * Certificate Operation Status
        * Device Security Mode
        * Authentication Mode
        * Authentication String
  * **[[MLA|Configure MLA (multi-level admin)]]**
    * Standard MLA Functional Groups
      * Plugin, User Privilege Management, User Management, Feature, System, Service Management, Service, Serviceability, Gateway, RoutePlan, Phone
    * Standard MLA User Groups
      * Phone Administration, ReadOnly, ServerMonitoring, SuperUserGroup, ServerMaintenance, Gateway Administration
    * Privilege Level
      * No Access, Read Only, Full
  * **Configure toll-fraud prevention**
    * Different types of toll fraud
      * Call Forward All, Transfer from voice mail, Social Engineering, Inside facilitators
      * **Call Forward All** and **Transfer from voice mail** are 2 typical sources of toll fraud
    * To Prevent Toll Fraud
      * Calling Search Space
      * Use Route Pattern to block commonly exploited country codes that look like area codes of the United States
      * Use [[time of day|Time-of-Day Routing]] - Apply to **Partition**
      * Use [[FAC|Force Authorization Codes]] (FAC) - Call Authorization, apply to **Route Pattern**
      * Use [[CMC|Client Matter Codes]] (CMC) - Call Accounting, apply to **Route Pattern**
      * [[OffNet Transfer|Configuring Call Transfer Restriction]]
        * Apply OffNet/OnNet to
          * **Route Pattern**
          * **Intercluster trunks** - Intercluster trunk, SIP trunk
          * **Gateways** - H.323, MGCP FXO/E1/T1
      * Drop Ad Hoc Conference Calls
        * Configured under (Service > Service Parameters > Cisco CallManager)
        * Never (default)
        * When Conference Creator Drops Out
        * When No OnNet Parties Remain in the Conference
  * **Describe hardening IP phones**
    * Signed phone images
    * Signed configuration files - 7940, 7960, 7970
    * Disabling Phone Settings in Cisco CallManager Administration
      * Speakerphone and Speakerphone Headset
      * PC Port - Not on the 7912
      * Setting Access - CCM, TFTP IP ---- etc
      * Gratuitous ARP - unsolicited ARP response
      * PC Voice VLAN access
      * Web Access - Needed for XML push application
    * Enabling IP Phone Encryption and Authentication - sRTP and TLS SCCP
  * **Cryptographic**
    * Data Authenticity
    * Data Confidentiality
    * Data Integrity
    * Data nonrepudiation
    * [[Auth vs Norepud|Authenticity versus Non Repudiation]]
    * Encryption - **Confidentiality**
      * Resistance to cryptographic attacks
      * Variable key lengths and scalability
      * Avalanche effect - a small change in the text results in a big change in the ciphertext
      * Symmetric
        * DES, 3DES, AES, IDEA, RC series, SEAL, Blowfish
      * Asymmetric Encryption
        * RSA
    * Hash Function
      * MD5
      * SHA-1 (More secure)
    * Hash-based Message Authentication Code (HMAC)
      * **Authenticity, Integrity**
      * Hash with a secret key as input
      * Keyed MD5
      * Keyed SHA-1
    * [[Digital Sign|Digital Signatures]]
      * **Authenticity, Integrity, Nonrepudiation**
      * encrypt/sign with private key and decrypt/verify with public key
  * **Public Key Infrastructure**
    * Solve the problem of scalable, secure key exchange
    * Key Exchange in Symmetric Cryptography - out-of-band or PKI
    * Key Exchange in Asymmetric Encryption - public/private keys, Diffie-Hellman
    * PKI as Trusted Third-Party Protocol
    * PKI entities
      * Certificate Authority (CA)
      * Certificate (X.509) - identity of issuer, identity of owner and owner public key
      * Certificate Revocation List (CRL)
        * Download CRL
        * Online Certificate Status Protocol (OCSP)
      * Self-Signed Certificates
    * Secure PKI Enrollment
      * Over a trusted network
      * Mutual out-of-band authentication between PKI user and CA
        * PKI user verifies CA using out-of-band exchange of the fingerprints of the certificate
        * CA verifies PKI user using out-of-band exchange of the fingerprints of submitted information
    * PKI Revocation
      * Private key compromise
      * Contract Termination for that PKI user
      * Loss of private keys

====== Given a specific set of IP telephony applications and tools, configure CallManager to support the applications ======

  * **Configure IP soft phone/IP communicator**
  * **Install and configure BAT and TAPS to bulk add/manage phones/users**
  * **Describe Call Detail Records and methods to extract**
  * **Install and use BARS to backup publisher**

====== Monitor and manage an IP telephony network using Internal Server Tools ======

  * **Describe the use of Serviceability tool**
  * **Describe the use of Real-Time monitoring tool**
  * **Describe the tools inherent in the operating system and database, and also provided by Cisco, to monitor CallManager operation**