Legacy phones in Encrypted Mode
|
Legacy phones in Encrypted Mode do not work. There is no workaround.
|
Legacy phones in Authenticated Mode
|
Legacy phones in Authenticated Mode do not work. There is no workaround.
|
IP Phone services using secure URLs based on HTTPS
|
IP Phone services using secure URLs based on HTTPS do not work.
Workaround to use IP Phone services: Use HTTP for all underlying service options, for example, corporate directory and personal directory. However, HTTP is not recommended, because it is not as secure when you need to enter sensitive data for features such as Extension Mobility. The drawbacks of using HTTP include:
- Provisioning challenges when configuring HTTP for legacy phones and HTTPS for supported phones.
- No resiliency for IP Phone services.
- Performance of the server handling IP phone services can be affected.
|
Extension Mobility Cross Cluster (EMCC) on legacy phones
|
EMCC is not supported with TLS 1.2 on legacy phones.
Workaround: Complete the following tasks to enable EMCC:
- Enable EMCC over HTTP instead of HTTPS.
- Turn on mixed-mode on all Unified Communications Manager clusters.
- Use the same USB eTokens for all Unified Communications Manager clusters.
|
Locally Significant Certificates (LSC) on legacy phones
|
LSC is not supported with TLS 1.2 on legacy phones. As a result, 802.1x and phone VPN authentication based on LSC are not available.
Workaround for 802.1x: Use authentication based on MIC or password with EAP-MD5 on older phones. However, those are not recommended.
Workaround for VPN: Use phone VPN authentication based on end-user username and password.
|
Encrypted Trivial File Transfer Protocol (TFTP) configuration files
|
Encrypted Trivial File Transfer Protocol (TFTP) configuration files are not supported with TLS 1.2 on legacy phones even with Manufacturer Installed Certificate (MIC).
There is no workaround.
|
CallManager certificate renewal causes legacy phones to lose trust
|
Legacy phones lose trust when the CallManager certificate is renewed. For example, a phone cannot get new configurations after renewing the certificate. This is applicable only in Unified Communications Manager 11.5.1.
Workaround: To prevent legacy phones from losing trust, complete the following steps:
- Before you enable the CallManager certificate, set the Cluster For Roll Back to Pre 8.0 enterprise parameter to True. By default, this setting disables the security.
- Temporarily allow TLS 1.0 (multiple Unified Communications Manager reboots).
|
Connections to non-supported versions of Cisco Unified Communications Manager
|
TLS 1.2 connections to older versions of Unified Communications Manager that do not support the higher TLS version do not work. For example, a TLS 1.2 SIP trunk connection to Unified Communications Manager Release 9.x does not work because that release does not support TLS 1.2.
You can use one of the following workarounds:
- Workaround to enable connections: Use nonsecure trunks, although this is not a recommended option.
- Workaround to enable connections while using TLS 1.2: Upgrade the non-supported version to a release that does support TLS 1.2.
|
Certificate Trust List (CTL) Client
|
CTL client does not support TLS 1.2.
You can use one of the following workarounds:
- Temporarily allow TLS 1.0 when using the CTL client and then move the cluster to Common Criteria mode. Configure Minimum TLS to 1.1 or 1.2.
- Migrate to the Tokenless CTL by using the CLI command utils ctl set-cluster mixed-mode in Common Criteria mode. Configure Minimum TLS to 1.1 or 1.2.
|
Address Book Synchronizer
|
There is no workaround.
|