Tag Archives: security

ASA Licensing Update…from a Collab guy!?


Yah, that’s what I would have thought a few years ago as well.

As the ASA is embedded in the path of my solutions more and more (aka borderless concerns) I’m finding that it is crucial to understand and be able to verify licensing on customer ASA’s.

This is true not just in the most common scenarios – ASA handling secure connectivity for a user at their house who is running any of the variety of teleworker scenarios (IP Communicator/other softphone over VPN, ASA/8xx router with fixed VPN, IP Phone with Phone Proxy, or IP Phone with VPN) but other up and coming scenarios such as IME, and IM/XMPP federation.

The ASA truly is becoming an integral device to the overall architecture to common UC deployments (not just the one you have up there for the security conscious customers).

All that said, I’ve quoted ASA licensing several times, and advised customers numerous times but I felt I had some gaps – so I sat in on an ASA Licensing training.

What is below is not a comprehensive view of ASA licensing, but rather a focus on the most common discussion points for ASA Licensing from a UC view.

First – there are four scenarios for remote employees that I mentioned above:

  1. PC/Mac/Mobile Device VPN – and a softphone on said device
  2. Physical (and usually stationary) device creating a VPN tunnel – and a physical phone behind said device
  3. IP Phone using the Phone Proxy feature (a la Cisco’s Metreos acquisition in 2006)
  4. IP Phone using SSL VPN (aka AnyConnect Premium)

Below is a bit more detail on each of the options, along with information on the licenses required.


PC/Mac/Mobile Device VPN w/ Softphone

This option is historically the most common scenario.  Softphone client options are:

  • Cisco Softphone (yah, the old CTI version)
  • Cisco IP Communicator
  • Cisco Unified Personal Communicator
  • Cisco CUCI-x (Lync, MOC, Sametime, Connect, etc.)
  • Cisco Jabber (for this discussion – essentially CUCI-Connect for Mac)
  • Third-party PC/Mac options
  • Cisco Mobile for the iPhone
  • Cisco Mobile/Jabber for Android
  • Cisco Mobile for Nokia
  • Cisco Quad UC Integration
  • And probably more I’m missing…

The solution is very flexible – VPN anyway possible to the corporate network, and you have a phone client operational.

VPN licensing can pretty much be any VPN option – SSL VPN, IPSec, etc.


Physical device creating VPN tunnel

This scenario was pretty common and is still around, but is being phased out for options that don’t require hardware at the home/small office.

Typical hardware for the remote site included:

  • Cisco PIX 501 – basically a older version of the 5505
  • Cisco ASA 5505 – nice because it included PoE for the phone
  • Cisco 8xx router – 871 seemed to be the most common, although if you wanted 911 dialing you might go with the 888SRST.  For voice quality sensitive users, this is still the best choice.
  • Cisco 1700/1800/1900 – For very small offices connecting over VPN, this would give you a bit more capability/power and handle a few users, not just a single user

Again, this solution was flexible from a VPN selection perspective – use whatever needed to provide the proper security, and keep the tunnel up and running as long as desired.


IP Phone using Phone Proxy

While I only had two customers actually use the original Metreos “Phone Proxy” appliance, Cisco did a good job of cleaning up the issues with the original rendition, and moving the code/functionality to a pretty ubiquitous platform in the ASA.

The premise is great – drop nearly any Cisco IP Phone somewhere on the Internet, plug it into a local power brick, and you are off and running.

Unfortunately, there a couple of major issues with the Phone Proxy option:

  1. Lack of geographic redundancy – when you configure the phone, you are setting up a static entry as the Alternate TFTP to get it working.  The Alternate TFTP points a specific public IP of the ASA you are connecting to.  If that ASA – or even the ISP you are getting that IP from (in the scenario of a dual-connected Internet) is unavailable, your remote phones are out of luck.
  2. Confusing licensing – Ok.  Perhaps “confusing licensing” is an oxymoron.  Let me explain…All remote phones will consume a license for EACH UCM appliance they are connecting to.  So if you have the max of three UCM’s in the phone’s list – you are going to consume 3 licenses…for 1 phone.  Err…  Oh yah, if you look at the output from a “show phone-proxy secure-phones” command – you won’t see the hidden licensing consumption.  Look instead to “show tls-proxy session” to see the real license usage.  End result – not only is the ASA pair/site/ISP a single point of failure – you essentially want to have UCM a single point of failure for remote phones too.
  3. No IP Phone Services – IP Phone Services don’t work on Phone Proxy.  Corporate Directory does…maybe.  See below.  So if you are using Extension Mobility…or um…the Berbee flight lookup tool…or an actual IP Phone Service you developed – well too bad for remote users.
  4. Cisco doesn’t want you to use it anymore… – While I can’t point to any e-mail from Chambers scolding me for using it…I can point to bugID CSCtl11930.  Go ahead.  I’ll wait…..You back?  Love that “Workaround:  download to firmware 8.5(2)…” didn’t you?  So essentially Cisco is saying – “if you want to use Phone Proxy, well fine we can’t stop you.  But we can stop you from using new firmware.”  I’m not so sure about reading tea leaves, but I’ve gotten pretty good at reading Bug notes.  That says – “stop using Phone Proxy.  Use SSL VPN instead.”  Oh yah, that is what the unnamed TAC guy said too…

The biggest benefit – it works on older phones (7940/7960’s).


IP Phone using SSL VPN (AnyConnect Premium)

That’s the last time I’m going to use the old term of SSL VPN.  I’m on the bandwagon – AnyConnect it is!

This is my personal favorite option – mainly because getting the AnyConnect infrastructure in place helps not just for remote phones, it helps for mobile devices, remote phones, remote PC/Mac’s…basically everything!

Think of AnyConnect as the IPSec of 2011-???

AnyConnect requires a couple licenses:

  • AnyConnect Premium – YES – Premium, NOT Essential!
  • AnyConnect for Cisco VPN Phone – yup, that’s a part number – L-ASA-AC-PH-<Your Model # here> in fact!

The AnyConnect Premium license is based on the number of CONCURRENT sessions.

There is even better scenarios where you can pool licenses on a single ASA, and have other ASA around the world or country grab licenses in blocks of 50 on an as needed basis.

The AnyConnect for Cisco VPN Phone licenses is per PLATFORM – throw it on the ASA and you are set.  These licenses are cheap – $100-500 based on the platform.

While you are at it, thrown in the AnyConnect for Mobile (L-ASA-AC-M-55XX) as well so you can have iPhones/iPads/Android devices (see my tweet from 10-28 btw) connect using AnyConnect.  That license is roughly the same as the AnyConnect for Cisco VPN Phone’s cost.

There are a couple big wins for this option in my book:

  • Super simple setup – especially if AnyConnect is already setup and in use on the ASA
  • Faster phone bootups (vs. Phone Proxy at least)
  • Ability to have redundant geographic datacenters – In nearly all designs I’ve seen in the past 3 years – there are geographically redundant UCM servers.  Since the clustering over the WAN requirement went to 80ms, nearly any WAN can handle this.  If there are a lot of remote users, or keeping the remote users operational is critical to the business — this is a MUST have.
  • Standardizes troubleshooting on single technology – no dealing with TLS just for Phone Proxy…

One last note for this option – it requires 8.0.4+ version of ASA code.


That’s all for now, I’ll address IME and the Federation discussion later…or not…