
Cisco VXC VPN

• Cisco VXC Requirements, page 1

• Set Up Cisco VXC VPN, page 3

• Cisco VXC VPN Limitations and Restrictions, page 7

Cisco VXC Requirements

The Cisco VXC VPN feature provides integrated VPN functionality for Cisco Virtualization Experience Clients (Cisco VXC) 2111 and 2112. The feature enables VPN tunneling for the Cisco VXC 2111 and Cisco VXC 2112 clients when they attach to a Cisco Unified IP Phone 8961, 9951, or 9971.

You can set up the Cisco VXC VPN and the phone VPN to use the same tunnel or separate tunnels in the following configurations:

• One tunnel for both Cisco VXC VPN traffic and phone VPN traffic

• Two tunnels that use the same access credentials (one for Cisco VXC VPN traffic and another for phone VPN traffic)

• Two tunnels that use different access credentials (one for Cisco VXC VPN traffic and another for phone VPN traffic). This configuration is supported only when a one-time password is applied.

You can configure the feature to prompt the user only once for access credentials (in the Phone VPN Sign In window), or once each for the phone VPN (in the Phone VPN Sign In window) and for the Cisco VXC VPN (in the VXC VPN Sign In window).

Cisco VXC Firmware

To support the VXC VPN feature, the Cisco VXC clients must be running the following minimum firmware releases:

• Cisco VXC 2112: ICA Firmware Release 7.1_118

• Cisco VXC 2111: PCoIP Firmware Release 4.0 (Q3CY12)

Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 10.0

1


Cisco Unified Communications Manager for Cisco VXC VPN

The following Cisco Unified Communications Manager configuration is required to support the Cisco VXC VPN:

PC Port Enabled

You must set the PC Port to Enabled. If the PC port is disabled, the Cisco VXC cannot access the network. The phone provides no enforcement of this configuration.

Span to PC Port Disabled

You must set the Span to PC Port option to Disabled. The Cisco VXC does not require this feature.

You can set the preceding parameters in Cisco Unified Communications Manager Administration by using any of the following configuration windows:

• Phone Configuration window (Device > Phone)

• Common Phone Profile Configuration window (Device > Device Settings > Common Phone Profile)

• Enterprise Phone Configuration window (System > Enterprise Phone Configuration)

VPN Concentrator for Cisco VXC VPN

The recommended VPN concentrator for use with this feature is the Cisco ASA 5500 Series Adaptive Security Appliance. To support the Cisco VXC VPN, you must set up the ASA for multisession support so that the phone can establish two tunnels that use the same credentials.

Network Guidelines for Cisco VXC VPN

The following network guidelines apply to the Cisco VXC VPN feature implementation:

• The MTU size in the phone VPN profile is a configurable value. The default value is 1290.

• The maximum MTU value on the phone itself is hardcoded at 1406.

• The MTU value must be no greater than 1406, and it should not be less than 576, because some IIS and virtualization servers do not accept values less than 576.

• You must set up the firewall to allow the MTU value that you specify in the phone VPN profile.

• If the phone cannot download the certificate file or the phone configuration file, check the allowed packet size in the network.

• If the Cisco VXC VPN cannot establish a tunnel, ping the VPN concentrator IP address with a packet size (load) that matches the MTU value that the VPN profile specifies.

• If the ping fails, try another ping that specifies no load. If the ping still fails without the load, check the routing configuration.

• If the ping fails only with the load included, check the firewall to ensure that it is configured to allow the required MTU.


• Perform a traceroute to the VPN concentrator IP address, and then ping each hop with the load to determine where the issue lies.

• Ensure the Don’t Fragment (DF) bit is not set on the server, network, or IP phone VPN tunnel.
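The ping and traceroute steps above, as an added shell example that is not part of the Cisco guide. It validates the MTU against the 576 to 1406 range, sizes the ICMP payload so the whole IPv4 packet equals the MTU, and walks the same decision tree (ping with load, then ping without load, then per-hop probing). It assumes Linux iputils ping (-M do sets DF, -s sets the payload) and traceroute -n; the address 203.0.113.1 is a placeholder. Setting DF on the test ping is this example's choice, so that a hop that could only pass the packet by fragmenting it is reported instead of passing silently; the probe() hook is separated out so the logic can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): MTU sanity check and path probe
# for the Cisco VXC VPN network guidelines.
# Assumptions: Linux iputils ping (-M do sets DF, -s sets the ICMP payload)
# and traceroute -n; 203.0.113.1 below is a placeholder concentrator address.

MTU_MIN=576    # floor from the guidelines: some IIS/virtualization servers reject less
MTU_MAX=1406   # hardcoded maximum on the phone

# validate_mtu MTU: 0 if MTU is an integer within [MTU_MIN, MTU_MAX], else 1.
validate_mtu() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$MTU_MIN" ] && [ "$1" -le "$MTU_MAX" ]
}

# icmp_payload_for_mtu MTU: ICMP payload size that makes the whole IPv4
# packet exactly MTU bytes (20-byte IPv4 header + 8-byte ICMP header).
icmp_payload_for_mtu() {
  echo $(( $1 - 28 ))
}

# probe HOST PAYLOAD: 0 if HOST answers a ping carrying PAYLOAD bytes.
# PAYLOAD 0 means "no load" (the default ping size). DF is set so that a path
# that can only carry the packet by fragmenting it shows up as a failure.
# Redefine this function to test the decision logic without a network.
probe() {
  if [ "$2" -gt 0 ]; then
    ping -c 3 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
  else
    ping -c 3 -W 2 "$1" >/dev/null 2>&1
  fi
}

# diagnose_vpn_path CONCENTRATOR MTU: walk the guideline's decision tree.
# Prints a one-line verdict; exit status: 0 path is fine, 2 routing problem,
# 3 full-size packets are dropped (firewall/path MTU), 4 MTU value out of range.
diagnose_vpn_path() {
  host=$1
  mtu=$2
  if ! validate_mtu "$mtu"; then
    echo "invalid MTU '$mtu': must be an integer between $MTU_MIN and $MTU_MAX"
    return 4
  fi
  payload=$(icmp_payload_for_mtu "$mtu")
  if probe "$host" "$payload"; then
    echo "ok: $host answers $mtu-byte packets with DF set"
    return 0
  fi
  if ! probe "$host" 0; then
    echo "routing: $host does not answer even without load; check the routing configuration"
    return 2
  fi
  echo "mtu: $host answers small pings but not $mtu-byte packets; check the firewall and path MTU"
  return 3
}

# probe_hops CONCENTRATOR MTU: traceroute to the concentrator and ping every
# responding hop with the full-size load, to locate where large packets are lost.
# Hops that answer traceroute but rate-limit or drop ICMP echo show up as failures,
# so read the result together with the hop order.
probe_hops() {
  payload=$(icmp_payload_for_mtu "$2")
  traceroute -n "$1" 2>/dev/null | awk 'NR > 1 && $2 ~ /^[0-9.]+$/ { print $2 }' |
  while read -r hop; do
    if probe "$hop" "$payload"; then
      echo "hop $hop: carries $2-byte packets"
    else
      echo "hop $hop: drops $2-byte packets"
    fi
  done
}

# Usage: sh vxc_mtu_check.sh 203.0.113.1 1290
if [ "$#" -ge 2 ]; then
  rc=0
  diagnose_vpn_path "$1" "$2" || rc=$?
  if [ "$rc" -eq 3 ]; then
    probe_hops "$1" "$2"
  fi
fi
```

Run it with the concentrator address and the MTU from the phone VPN profile; an exit status of 3 is the "firewall or path MTU" case from the guidelines, and only in that case does the script go on to probe each hop.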

Set Up Cisco VXC VPN

Note

You must enter the Alternate TFTP and TFTP server fields when you configure an off-premises phone for SSL VPN to ASA using a built-in client.

The Cisco VXC clients require no configuration to support the VPN. All VPN configuration is performed for the phone only.

Procedure

Step 1 To set up the Cisco VXC VPN feature, set up the VPN feature for the attached IP phone in Cisco Unified Communications Manager Administration. Use the submenus in Advanced Features > VPN.

Step 2 To enable the Cisco VXC VPN feature, populate the Enable VXC VPN for MAC field using one of the following configuration windows:

• Phone Configuration window (Device > Phone)

• Common Phone Profile window (Device > Device Settings > Common Phone Profile)

• Enterprise Phone Configuration window (System > Enterprise Phone Configuration)

Cisco VXC VPN Descriptions

The following table describes the Cisco VXC VPN fields.


Table 1: Cisco VXC VPN Fields

Parameter Name: Enable VXC VPN for MAC

Parameter Description: This field enables or disables the Cisco VXC VPN feature. When you populate this field, the phone allows the device with the specified MAC address that connects to the phone PC Port to send traffic through the tunnel.

• When this field is blank, the phone does not establish a Cisco VXC VPN tunnel.

• When this field specifies the broadcast MAC address (FFFFFFFFFFFF), the phone establishes the Cisco VXC VPN tunnel and allows any connected Cisco VXC 2111/2112 device to access the tunnel.

• When this field specifies one nonbroadcast MAC address, the phone establishes the Cisco VXC VPN tunnel and allows only the Cisco VXC device with the specified MAC address to access the tunnel.

By default, this field is blank.

Parameter Name: VXC VPN Option

Parameter Description: This field indicates the type of VXC VPN support.

• Dual Tunnel: The phone establishes two VPN tunnels, one for the phone and another for the Cisco VXC device.

To ensure the highest quality of service for the phone voice and video services, Cisco recommends the Dual Tunnel setting, which is the default. With two VPN tunnels, the host Cisco Unified IP Phone can prioritize CPU and memory resources for the data that is associated with the phone voice and video functions over the data that is associated with the Cisco VXC VPN tunnel. This approach requires two manual login entries, depending on security parameters: one for the phone VPN and another for the Cisco VXC VPN. The two-tunnel approach also requires two VPN concentrator ports and two IP addresses.

• Single Tunnel: The phone establishes only one VPN tunnel for the phone and the Cisco VXC device to share.

For customers who are willing to trade off potential voice and video quality for a simplified operating model, the single VPN tunnel option is available. All data travels over a single VPN tunnel, sharing the available phone processor and memory resources across the voice, video, and Cisco VXC services. The IP phone does not prioritize data handling of one service over another. As a result, the phone voice and video media handling and UI functions may degrade under IP phone CPU load.

Default: Dual Tunnel

Parameter Name: VXC Challenge

Parameter Description: This field indicates whether or not to challenge the user for a password for the Cisco VXC VPN.

• Challenge: The phone challenges the user for a password to enable the Cisco VXC VPN.

• No Challenge: The phone does not challenge the user for a password for the Cisco VXC VPN.

Default: Challenge

Note

If the phone uses only a certificate for authentication, the Sign In windows do not display.

Parameter Name: VXC-M Servers

Parameter Description: This field indicates the Cisco VXC Manager Server IP address list, where each entry is separated by commas.

Maximum length: 255 characters

Default: blank

Note

VXC-M Servers is an IP address list that includes VXC-M servers and repository servers (if present). The phone considers the first IP address in this string as the VXC-M server and offers this information to VXC devices. Therefore, after you configure VXC-M Servers, make sure that the IP addresses of any VXC-M servers are placed in front of the IP addresses of the repository servers.
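The PC Port and Span to PC Port requirements from the Cisco Unified Communications Manager section, together with the three-way semantics of the Enable VXC VPN for MAC field above, as an added shell example that is not part of the Cisco guide. It takes the values as they appear in CUCM Administration (no CUCM API access is assumed), flags settings that stop the feature from working, and answers whether a given device on the PC port would be allowed onto the tunnel. The function names and the "error:"/"warn:" output format are this example's own. Note that the field identifies the device by MAC address only; a MAC address is presented by the device, not proven, so the VPN authentication (password challenge or certificate) is what actually authenticates the session.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-flight check of the CUCM
# settings that the Cisco VXC VPN feature depends on, plus the access rule
# implied by "Enable VXC VPN for MAC". Values are passed in as they appear in
# CUCM Administration; no CUCM API access is assumed.

# norm_mac MAC: strip ':', '.', '-' separators and upper-case hex digits, so that
# 00:11:22:33:44:55, 0011.2233.4455 and 001122334455 compare equal.
norm_mac() {
  printf '%s' "$1" | sed 's/[-:.]//g' | tr 'a-f' 'A-F'
}

# is_mac VALUE: 0 if VALUE is exactly 12 hexadecimal digits (already normalized).
is_mac() {
  [ "${#1}" -eq 12 ] || return 1
  case "$1" in
    *[!0-9A-F]*) return 1 ;;
  esac
  return 0
}

# vxc_tunnel_allows FIELD DEVICE_MAC: does the phone let DEVICE_MAC (on the PC port)
# use the VXC VPN tunnel, given the "Enable VXC VPN for MAC" value FIELD?
#   blank FIELD       -> no tunnel is built at all       (exit 1)
#   FFFFFFFFFFFF      -> any connected VXC is allowed    (exit 0)
#   one specific MAC  -> only that device is allowed     (exit 0 or 1)
#   anything else     -> malformed input                 (exit 2)
vxc_tunnel_allows() {
  field=$(norm_mac "$1")
  dev=$(norm_mac "$2")
  if [ -z "$field" ]; then
    return 1
  fi
  is_mac "$field" || return 2
  is_mac "$dev" || return 2
  if [ "$field" = FFFFFFFFFFFF ]; then
    return 0
  fi
  [ "$field" = "$dev" ]
}

# vxc_vpn_preflight PC_PORT SPAN_TO_PC_PORT ENABLE_VXC_VPN_FOR_MAC:
# print one line per finding ("error:" lines block the feature, "warn:" lines
# are advisory) and return the number of errors.
vxc_vpn_preflight() {
  errors=0
  if [ "$1" != Enabled ]; then
    echo "error: PC Port is '$1'; it must be Enabled or the Cisco VXC has no network path"
    errors=$((errors + 1))
  fi
  if [ "$2" != Disabled ]; then
    echo "error: Span to PC Port is '$2'; it must be Disabled"
    errors=$((errors + 1))
  fi
  field=$(norm_mac "$3")
  if [ -z "$field" ]; then
    echo "error: Enable VXC VPN for MAC is blank; the phone will not build a VXC VPN tunnel"
    errors=$((errors + 1))
  elif ! is_mac "$field"; then
    echo "error: Enable VXC VPN for MAC value '$3' is not a 12-digit hexadecimal MAC"
    errors=$((errors + 1))
  elif [ "$field" = FFFFFFFFFFFF ]; then
    echo "warn: broadcast MAC admits any device plugged into the PC port; pin the field to the VXC MAC where you can"
  fi
  return "$errors"
}

# Usage: sh vxc_preflight.sh Enabled Disabled 00:11:22:33:44:55
if [ "$#" -eq 3 ]; then
  vxc_vpn_preflight "$1" "$2" "$3"
fi
```

The exit status of vxc_vpn_preflight is the error count, so it can gate a bulk rollout script: a non-zero result means the phone will not pass VXC traffic as configured, regardless of how the VPN profile itself is set up.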

The following table describes how the VXC VPN Option and VXC Challenge field settings alter the operation of the Cisco VXC VPN feature. The Result column gives the behavior after you enable the VXC VPN feature with a Cisco VXC connected to the phone.

Table 2: Cisco VXC VPN operation as determined by VXC VPN Option and Challenge settings

VXC VPN Option setting: Dual Tunnel (default)
VXC Challenge setting: Challenge (default)
Result: The phone displays the VXC VPN Sign In window to prompt the user to enter a password. If a one-time password is configured on the VPN concentrator (that is, a new password is always required to reauthenticate the tunnel), the user must enter a password for the Cisco VXC VPN that differs from the password that was used for the phone VPN tunnel.

VXC VPN Option setting: Dual Tunnel (default)
VXC Challenge setting: No Challenge
Result: The phone attempts to reuse the phone VPN credentials for the Cisco VXC VPN tunnel. If the VPN concentrator is configured for one-time passwords, the attempt fails, and the phone displays the VXC VPN Sign In window for the user to enter a password that differs from the phone VPN password.

VXC VPN Option setting: Single Tunnel
VXC Challenge setting: Challenge
Result: The phone disconnects the phone VPN tunnel, and then displays the Phone VPN Sign In window to prompt the user to enter a password and reestablish the phone VPN tunnel. If the user is on an active call, the phone waits until the call ends before tearing down the tunnel.

VXC VPN Option setting: Single Tunnel
VXC Challenge setting: No Challenge
Result: Cisco VXC traffic receives silent permission to go over the phone VPN with no challenge.

The following table describes how a change in the VXC VPN Option setting alters the operation of the VXC VPN feature when the feature is already enabled.

Table 3: Cisco VXC VPN operation as determined by VXC VPN Option change

VXC VPN action: Change from Dual Tunnel to Single Tunnel
Result: The phone disconnects the VXC VPN tunnel and leaves the phone VPN tunnel intact. Cisco VXC traffic receives permission to go over the phone VPN tunnel.

VXC VPN action: Change from Single Tunnel to Dual Tunnel
Result: The phone attempts to reuse the phone VPN credentials for the Cisco VXC VPN tunnel silently, without considering the VXC Challenge field. If the VPN concentrator is configured for one-time password, the attempt fails and the phone displays the VXC VPN Sign In window, which prompts the user to enter a different password.


Cisco VXC VPN Limitations and Restrictions

The following limitations and restrictions apply:

• Only Layer 3 packets are tunneled. The Cisco VXC VPN feature does not support Layer 2 tunneling. Therefore, any Layer 2 capabilities are lost if the Cisco VXC connects through the VPN.

• The VPN client supports only IPv4 addresses.

• The Cisco VXC VPN tunnel cannot be established over a Wi-Fi interface.

• The Enable VXC VPN for MAC option is configurable only after you set up the phone VPN parameters, including VPN Group and VPN Profile. This restriction exists because the Cisco VXC VPN can share the same VPN parameters as the phone VPN.

• All existing limitations and restrictions that apply to the phone VPN support apply to the Cisco VXC VPN as well.

Note

Do not turn on the VPN before a downgrade to a load earlier than 9.2(3), or the phone will become unregistered.
