Configuring a SIP-TLS Trunk Between VCS and CUCM


This post details how to configure a SIP-TLS trunk between Cisco Video Communications Server (VCS) or Cisco Expressway-Core and Cisco Unified Communications Server (CUCM). A single CUCM node (version 10.5) and a single VCS Control (version X8.2.1) lab build are referenced throughout, and only the minimum steps needed to achieve the desired outcome are described. It is assumed that both CUCM and VCS have a basic configuration, and that endpoints can register with SIP-TLS and dial other endpoints registered to the same system (VCS > VCS, CUCM > CUCM, etc.).

Starting with the VCS, install a certificate signed by a trusted Certificate Authority (CA). For a Microsoft CA, create a template with the following extensions (note I copied the base Web Server template)

  • Application Policies - Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)

Then install the CA certificate (and chain, if applicable) of the issuing CA you are using on the VCS

  1. Log into the VCS and go to Maintenance > Security certificates > Trusted CA certificates
  2. Select the file to upload, and click append CA certificate


Next, generate a CSR on the VCS and install the resulting certificate

  1. Log into the VCS and go to Maintenance > Security certificates > Server certificate
  2. Click Generate CSR
  3. Specify the details in the Additional information section; the rest should be fine as default
  4. Click Generate the CSR
  5. Back on the Server certificate page, click Download to download the CSR
  6. Submit the request to the CA using the template created above and download the certificate in Base64 format
  7. Back on the Server certificate page, select the certificate file received from the CA and click Upload server certificate data

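The certificate installed in the steps above is what the far side inspects when the trunk negotiates TLS, so before moving on it is worth confirming three things: it chains to a CA the peer trusts, its name matches the FQDN the peer will be configured with (the zone peer address on the VCS side, and the X.509 Subject Name in the CUCM SIP Trunk Security Profile), and it carries both the Client Authentication and Server Authentication EKUs from the template, since each side of the trunk acts as TLS client and as TLS server. The following shell script is an added example, not from the original post or from Cisco. It stands up a throwaway test CA with openssl in place of the Microsoft CA, issues a certificate for a constructed VCS FQDN (vcs.example.com) with the same extensions as the template, and runs those three checks with `openssl verify`. The hostnames, file names and the `check_trunk_cert` helper are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway test CA and a
# VCS server certificate with the EKUs the post's template requires, then run
# the checks a practitioner would do before trusting the trunk certificate.
# Hostnames and paths are constructed for the example.

WORK="${WORK:-$(mktemp -d)}"

# Extension file mirroring the post's template: both Client Authentication and
# Server Authentication EKUs, plus a SAN carrying the FQDN so that the peer can
# match it against the zone peer address / X.509 Subject Name it has configured.
write_ext_file() {
    fqdn="$1"; out="$2"
    cat > "$out" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$fqdn
EOF
}

# Self-signed test CA standing in for the Microsoft issuing CA in the post.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Lab Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Generate a CSR for the given FQDN (as the VCS does under Maintenance >
# Security certificates > Server certificate) and have the test CA sign it
# with the extensions above. Output: $WORK/<name>.pem
issue_cert() {
    fqdn="$1"; name="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    write_ext_file "$fqdn" "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# The three checks that decide whether the SIP-TLS trunk will come up:
#  1. the certificate chains to a CA in the peer's trusted CA list,
#  2. its SAN/CN matches the FQDN configured on the peer, and
#  3. it carries both serverAuth and clientAuth EKUs.
# Returns 0 when all three pass, 1 otherwise.
check_trunk_cert() {
    cert="$1"; ca="$2"; fqdn="$3"
    openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 || return 1
    eku=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1)
    case "$eku" in
        *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) ;;
        *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Demonstration: issue a certificate for the lab VCS FQDN and check it against
# the name the peer would be configured with, then against the wrong name.
make_test_ca
issue_cert vcs.example.com vcs
if check_trunk_cert "$WORK/vcs.pem" "$WORK/ca.pem" vcs.example.com; then
    echo "vcs.example.com: certificate would be accepted for the trunk"
fi
if ! check_trunk_cert "$WORK/vcs.pem" "$WORK/ca.pem" cucm.example.com; then
    echo "cucm.example.com: name mismatch, TLS negotiation would fail"
fi
```

To use it against real material, call `check_trunk_cert <server-cert.pem> <ca-chain.pem> <fqdn>` with the certificate downloaded from the CA, the issuing CA chain, and the exact FQDN you intend to type into the peer's configuration; a failure here is the same failure the trunk will show, only easier to read. Note that the check relies on the SAN (falling back to the CN), which is why the template in the post should carry the FQDN in the subject name.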

Next, add a zone for CUCM

  1. Log into the VCS and go to Configuration > Zones > Zones
  2. Click New and configure as shown below. Ensure that you use the FQDN of the CUCM node as the peer address so that it matches the common name in the CUCM SSL certificate


And finally, add a search rule appropriate for your dial plan

  1. Log into the VCS and go to Configuration > Dial plan > Search rules
  2. Click New and configure as appropriate for your dial plan, noting that the FQDN for CUCM is defined in the CUCM Enterprise Parameters (shown later). An example is shown below


Next, move on to CUCM and, if not already done, install the appropriate SSL certificate and CA certificates. See my other post here for reference on how to do this: Registering a Cisco Videoconferencing Endpoint to CUCM using SIP-TLS

Next, create a new SIP Trunk Security Profile

  1. Log into Cisco Unified CM Administration and go to System > Security > SIP Trunk Security Profile
  2. Click Add New
  3. Configure as shown below, taking care to use the FQDN of the VCS as the X.509 Subject Name so that it matches the common name in the VCS's server certificate


Next set the CUCM Cluster FQDN

  1. Log into Cisco Unified CM Administration and go to System > Enterprise Parameters
  2. Locate Clusterwide Domain Configuration
  3. Set the Cluster Fully Qualified Domain Name to the domain you want to use in your URIs
  4. Click Save


Next, add the SIP Trunk to the VCS in CUCM

  1. Log into Cisco Unified CM Administration and go to Device > Trunk
  2. Click Add New
  3. The Trunk Type should be SIP Trunk, the Device Protocol should be SIP and the Trunk Service Type should be None (Default)
  4. Create the trunk similarly to the below, adjusting where required (most defaults are fine). Ensure that
    1. SRTP Allowed is checked
    2. In the SIP Information section, the Destination Address is that of your VCS and the Destination Port is 5061
    3. The SIP Trunk Security Profile is set to the one created earlier


Lastly, create a SIP Route Pattern for the VCS SIP domain

  1. Log into Cisco Unified CM Administration and go to Call Routing > SIP Route Pattern
  2. Click Add New
  3. Configure similarly to what is shown below, selecting Domain Routing as the Pattern Usage and entering the SIP domain used on the VCS as the IPv4 Pattern.
  4. Select the SIP trunk created earlier towards the VCS.


At this point, you should be able to initiate calls from CUCM-registered endpoints to VCS-registered endpoints and vice versa.