5

I have a Lync client that is connecting to a Lync Edge server on port 5061. I get an invalid certificate error when connecting.


When I run Wireshark during the TLS setup, inside the certificate I see an unexpected issuer with an RDN sequence of Cisco Inc, STG, _internal_pp_ctl_phoneprocy_file.


I'm a little confused by what this could mean and why this is present. I built this server from scratch and never installed a Cisco certificate anywhere. I assume this is some feature of a Cisco firewall or switch (as Cisco Call Manager used to be present in the environment).

Can anyone offer an explanation and possible remediation?

The expected issuer is "User Trust" / "Network Solutions" / "Network Solutions Certificate Authority", as I am using a wildcard certificate on this Lync host.

makerofthings7

1 Answer

4

It appears that someone couldn't spell phoneproxy correctly when they typed it in while setting it up.

Regardless, it's for CUCM's phone proxy feature on an ASDM firewall.

See here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/unified_comm_phoneproxy.html

Here's the gist of it:

The Cisco Phone Proxy on the ASA bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted

Basically, it appears that the user is getting held up on the firewall by this feature. The default port for the feature is 5061, and you'll likely find ACLs in the firewall for this port and feature setup.

As far as how to get around it or get rid of it, you can see here for a similar discussion: https://supportforums.cisco.com/discussion/11562066/jabber-vcs-control-issue-inbound-tls-negotiation-error. But you'll need to make sure CUCM and this feature are no longer needed, then remove the class mapping and the ACLs and replace them with the proper ones for Lync to use 5061 instead.

TheCleaner
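An added example, not part of the original question or answer: one way to confirm where the unexpected certificate comes from is to compare the issuer seen on the server itself with the issuer a client sees through the firewall on port 5061. The sample `issuer=` lines are constructed, the attribute types (C/O/OU/CN) are assumed, and the vantage-point names are hypothetical.

```python
import re

# Issuer CN the question says the Lync wildcard certificate should carry.
EXPECTED_ISSUER_CNS = {"Network Solutions Certificate Authority"}

# Constructed sample input: `issuer=` lines as printed by
# `openssl s_client -connect HOST:5061 | openssl x509 -noout -issuer`,
# captured from two vantage points. Attribute types are assumed.
OBSERVATIONS = {
    "on-server-loopback": "issuer=C = US, O = Network Solutions L.L.C., "
                          "CN = Network Solutions Certificate Authority",
    "client-through-firewall": "issuer= /O=Cisco Inc/OU=STG"
                               "/CN=_internal_pp_ctl_phoneprocy_file",
}


def parse_issuer(line):
    """Return the issuer DN as a list of (type, value) pairs.

    Accepts both the OpenSSL 1.1+ layout ("O = x, CN = y") and the older
    one-line layout ("/O=x/CN=y"). Values containing '/' in the old layout
    are not handled.
    """
    text = line.split("=", 1)[1].strip()
    if text.startswith("/"):
        parts = text[1:].split("/")
    else:
        # Split on commas only when a new "TYPE =" follows, so values such
        # as "Example, Inc" stay intact.
        parts = re.split(r",\s*(?=[A-Za-z.0-9]+\s*=)", text)
    pairs = []
    for part in parts:
        key, _, value = part.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def unexpected_issuers(observations, expected_cns=EXPECTED_ISSUER_CNS):
    """Map each vantage point whose issuer CN is not expected to that CN."""
    findings = {}
    for vantage, line in observations.items():
        cns = [v for k, v in parse_issuer(line) if k == "CN"]
        if not cns or cns[-1] not in expected_cns:
            findings[vantage] = cns[-1] if cns else None
    return findings


if __name__ == "__main__":
    for vantage, cn in unexpected_issuers(OBSERVATIONS).items():
        print(f"{vantage}: issuer CN {cn!r} is not the expected CA; "
              "check for a TLS-terminating device on that path")
```

If the issuer is correct on the server but differs for clients coming through the firewall, the certificate is being presented by a device in the path rather than by the Lync Edge server.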