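Starting with version 7.1(5), CUCM (Cisco Unified Communications Manager) has been released in separate restricted and unrestricted versions. Many people do not know what the difference between the two is, or whether both can deliver all of CUCM's functionality.
In many countries the restricted version of CUCM cannot be deployed in government agencies or military-related organizations, and the restricted version is subject to import/export controls and to inspection by the US government at any time. Some countries also do not allow CUCM to be deployed, and it is in the restricted version that media and messages are specially encrypted.
When deploying CUCM, note that Cisco's website publishes updates for the restricted and the unrestricted version in parallel, so download whichever version fits your needs. Also, upgrading from the unrestricted version to the restricted version is not supported. Everything else, including CUCM's own security features such as HTTP(s), SSH, password encryption and authentication (SIP digest authentication), JTAPI, TSP, encryption of SNMP traffic, and database-related encryption using IPSEC and IMS, is not affected in any way.
The following is from Ryan Ratliff's <Restricted vs Unrestricted CUCM Versions> and is worth reading in detail: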
Unrestricted Export Support
The restricted US export classification on Cisco Unified CM meant that governmental and military customers in many countries could not employ Unified CM in their networks.
In addition to the delay inherent in obtaining export licenses, products classified as restricted by the Department of Commerce (DoC) carry a requirement to allow US government representatives to demand on-site inspections at any time to confirm that the product is being used in accordance with its licensed purpose. This post-shipment verification (PSV) is unacceptable to many customers.
Additionally, some foreign countries maintain import restrictions which prohibited Unified CM from being available to customers in those countries. Both US export and foreign import issues stem from Unified CM support for strong encryption of signaling and media.
Unrestricted Classification
Because Cisco has obtained an unrestricted classification from the DoC for a version of Unified CM, beginning with Unified CM 7.1(5), both restricted and unrestricted versions of Unified CM will be released in parallel.
Limitations
Signaling and media encryption is permanently disabled in the unrestricted version, but remains unchanged in the restricted version.
Migration from the unrestricted version to the restricted version is not supported.
Note: No impact exists to other security features such as HTTP(s), SSH, password encryption and authentication (for example, SIP digest authentication), mechanisms used by unrestricted Unified CM clients such as JTAPI, TSP, encryption of SNMP traffic, encryption of data related to database that is done by using IPSEC and IMS on the server side.
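Comments
小茶, the most important point is that the unrestricted version cannot implement CUCM encryption, i.e. Cisco PKI; when you use the CTL tool, you cannot change the cluster to mixed mode.
@basongcuo Thanks for the addition! Also, I'm not quite sure what mixed mode is for?
@挨踢小茶 CUCM supports signaling and media encryption only in Mixed Mode ("mixed" actually means that the cluster supports both sessions between two encrypting endpoints and sessions of non-encrypting endpoints). Non-secure mode is unaware of these security features. Look back at the list of deliverables from when you purchased CUCM and you will find two tokens; those are what is used to implement the CTL. Put plainly, the tokens hold Cisco's private key, which is used to sign certificates for CUCM, and the phones all have Cisco's certificate built in. As for encryption, take a close look at the last three chapters of the CIPT 2 book; it is explained very clearly there.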