Which two statements about configuring an encrypted trunk between Cisco TelePresence Video Communication Server and Cisco Unified Communications Manager are true? (Choose two.)
A. The root CA of the VCS server certificate must be loaded in Cisco Unified Communications Manager.
B. A SIP trunk security profile must be configured with Incoming Transport Type set to TCP+UDP.
C. A SIP trunk security profile must be configured with the X.509 Subject Name from the VCS certificate.
D. The Cisco Unified Communications Manager zone configured in VCS must have SIP authentication trust mode set to On.
E. The Cisco Unified Communications Manager zone configured in VCS must have TLS verify mode set to Off.
Which three statements about configuring an encrypted trunk between Cisco TelePresence Video Communication Server and Cisco Unified Communications Manager are true? (Choose three.)
A. The root CA of the VCS server certificate must be loaded in Cisco Unified Communications Manager.
B. A SIP trunk security profile must be configured with Incoming Transport Type set to TCP+UDP.
C. The Cisco Unified Communications Manager trunk configuration must have the destination port set to 5061.
D. A SIP trunk security profile must be configured with Device Security Mode set to TLS.
E. A SIP trunk security profile must be configured with the X.509 Subject Name from the VCS certificate.
F. The Cisco Unified Communications Manager zone configured in VCS must have SIP authentication trust mode set to On.
G. The Cisco Unified Communications Manager zone configured in VCS must have TLS verify mode set to Off.
Answer: ACE
I agree with answer A and C
On Unified CM:
1. Select Cisco Unified CM Administration, click Go and log in.
2. Go to System > Security > SIP Trunk Security Profile.
3. Click Add New.
4. Configure the fields as follows:
Name: A name indicating that this is an encrypted profile.
Description: Enter a textual description as required.
Device Security Mode: Encrypted.
Incoming Transport Type: TLS.
Outgoing Transport Type: TLS.
Enable Digest Authentication: Leave unselected.
X.509 Subject Name: The subject name or a subject alternate name provided by the VCS in its certificate. For VCS clusters, ensure that this list includes all of the names contained within all of the peers’ certificates. To specify multiple X.509 names, separate each name by a space, comma, semicolon or colon.
Incoming Port: 5061. Use a different port (such as 5070 or 5071) if you are using 5061 for MRA registrations. The reason is to avoid potential issues with MRA if Unified CM
For Unified CM and VCS to establish a TLS connection with each other:
■ VCS and Unified CM must both have valid server certificates loaded (you must replace the VCS’s default server certificate with a valid server certificate)
■ VCS must trust Unified CM’s server certificate (the root CA of the Unified CM server certificate must be loaded onto VCS)
■ Unified CM must trust VCS’s server certificate (the root CA of the VCS server certificate must be loaded onto Unified CM)
I have seen this question, where E is “… set to On”, and in that case it would be correct.
Answer should be A and C.
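The profile fields and the cluster rule quoted above from the Unified CM procedure can be checked mechanically before the trunk is brought up. The following Python is an added example, not part of the original thread and not Cisco tooling; the input dict format, the function names, the example.com host names and the case-insensitive name comparison are assumptions.

```python
import re
# Required values, taken from the SIP Trunk Security Profile table quoted above.
REQUIRED = {
    "Device Security Mode": "Encrypted",
    "Incoming Transport Type": "TLS",
    "Outgoing Transport Type": "TLS",
}

def split_subject_names(field):
    """Split the X.509 Subject Name field on space, comma, semicolon or colon."""
    return [n for n in re.split(r"[ ,;:]+", field.strip()) if n]

def check_profile(profile, peer_cert_names, mra_on_5061=False):
    # profile: field -> value as entered (hypothetical format);
    # peer_cert_names: VCS peer -> subject and subject alternate names in its certificate.
    findings = []
    for field, want in REQUIRED.items():
        if profile.get(field) != want:
            findings.append(f"{field}: expected {want}, found {profile.get(field)}")
    if profile.get("Enable Digest Authentication"):
        findings.append("Enable Digest Authentication: should be unselected")
    # Assumption: names are compared case-insensitively, as DNS names are.
    listed = {n.lower() for n in split_subject_names(profile.get("X.509 Subject Name", ""))}
    for peer, names in sorted(peer_cert_names.items()):
        missing = sorted(n for n in names if n.lower() not in listed)
        if missing:
            findings.append(f"X.509 Subject Name: missing {', '.join(missing)} (peer {peer})")
    port = profile.get("Incoming Port")
    if mra_on_5061 and port == 5061:
        findings.append("Incoming Port: 5061 is used for MRA registrations, pick another port")
    elif not mra_on_5061 and port != 5061:
        findings.append(f"Incoming Port: expected 5061, found {port}")
    return findings

# Constructed sample data: a two-peer VCS cluster and a profile that lists only one peer.
SAMPLE_PEERS = {
    "vcs1": {"vcs-cluster.example.com", "vcs1.example.com"},
    "vcs2": {"vcs-cluster.example.com", "vcs2.example.com"},
}
SAMPLE_PROFILE = {
    "Device Security Mode": "Encrypted",
    "Incoming Transport Type": "TCP+UDP",
    "Outgoing Transport Type": "TLS",
    "Enable Digest Authentication": False,
    "X.509 Subject Name": "vcs-cluster.example.com; vcs1.example.com",
    "Incoming Port": 5061,
}

if __name__ == "__main__":
    print("\n".join(check_profile(SAMPLE_PROFILE, SAMPLE_PEERS)))
```

An empty result means the profile matches the quoted table and every name in every peer's certificate is listed.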