Wednesday, 24 November 2010

XML Services with Cisco Phone Proxy: Part 1 - the easy part

The ASA phone proxy is a very nice feature where an ASA acts as a Skinny or SIP proxy for Cisco phones. Generally I prefer the new phone VPN feature in UCM 8, but there are very valid reasons to use phone proxy for remote worker phones.

The key to understanding phone proxy is that it only proxies signalling (secure signalling, to be exact) and media traffic to the UCM. Anything else is not proxied, and that includes XML services (e.g. Extension Mobility Login/Logout). So these services do not work by default.
Generally, opening up those XML services to the outside world SHOULD not be an option ;-).

Since ASA 8.2 there is a new feature to help with this, but it is very well hidden.
When looking at the ASA config guide at http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/unified_comm_phoneproxy.html, there is the proxy-server configuration command, which is described as follows:
If the operational environment has an external HTTP proxy to which the IP phones direct all HTTP request, configures a proxy server.
You can configure only one proxy server while the phone proxy is in use.
By default, the Phone URL Parameters configured under the Enterprise Parameters use an FQDN in the URLs. The parameters might need to be changed to use an IP address if the DNS lookup for the HTTP proxy does not resolve the FQDNs.
Note: If the IP phones have already downloaded their configuration files after you have configured the proxy server, you must restart the IP phones so that they get the configuration file with the proxy server address in the file.


So, the command can actually be used to at least make the services on the UCM directly available WITHOUT an extra proxy.
For this, just configure the following under the phone proxy configuration:
proxy-server a.b.c.d interface <inside>
where a.b.c.d is the internal IP of the communications manager and <inside> is the name of the inside interface.
For example:
phone-proxy ASA-phone-proxy
   proxy-server 192.168.214.10 interface inside
This would make the services on the UCM 192.168.214.10 directly available.

Et voila, this opens a dynamic pinhole for port 8080 for all registered phones to the UCM and allows the phones to use the services that are located directly on the UCM (even though the UCM is of course not a proxy server as such).
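As an added example (not from the original post or from Cisco's documentation), here is a small Python check over a saved running-config that reports the phone-proxy proxy-server setting and lists any static access-list entry permitting TCP 8080, the kind of opening the post advises against. The config excerpt, the ACL name outside_in and the function names are constructed for illustration.

```python
import re

# Constructed ASA running-config excerpt. The phone-proxy stanza is the post's
# example; the access-list lines are constructed for illustration.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 192.168.214.10 eq 8080
access-list outside_in extended permit tcp any host 192.168.214.10 eq 443
phone-proxy ASA-phone-proxy
 proxy-server 192.168.214.10 interface inside
!
"""

def phone_proxy_servers(config):
    """Return (instance, address, interface) for each proxy-server line
    found inside a phone-proxy stanza."""
    found, instance = [], None
    for line in config.splitlines():
        if line.startswith("phone-proxy "):
            instance = line.split()[1]
        elif instance and line[:1].isspace():
            m = re.match(r"\s+proxy-server (\S+) interface (\S+)", line)
            if m:
                found.append((instance, m.group(1), m.group(2)))
        else:
            instance = None  # an unindented line ends the stanza
    return found

def static_permits(config, port=8080):
    """Return access-list entries that permit TCP to `port`. Matching is on the
    port only, because the destination may be a NAT-mapped address."""
    pat = re.compile(r"^access-list \S+ extended permit tcp .*\beq %d\b" % port)
    return [l for l in config.splitlines() if pat.match(l)]

def audit(config, port=8080):
    """Summarise how the phone XML services port is made reachable."""
    return {
        "proxy_server": phone_proxy_servers(config),
        "static_permits": static_permits(config, port),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for inst, addr, iface in report["proxy_server"]:
        print(f"{inst}: dynamic pinhole via proxy-server {addr} ({iface})")
    for entry in report["static_permits"]:
        print(f"REVIEW static permit for port 8080: {entry}")
```

Entries that use object-groups or port ranges are not matched by this simple pattern and still need a manual look.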

If you need other XML services, you need to use an external proxy. A configuration example for such a case will follow in the next few days.
