1. 1 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Private Secure Messaging Unity 4.0(5)

2. 2 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Background Customers are worried that their messages marked private can be forwarded using GUI tools like Outlook. Customers would like their voice mail to be secure and encrypted so that even if it is accidentally forwarded out of the system, it cannot be listened to by external folks. Solution Private secure messaging in Unity can do this for a customer. You can setup a subscriber such that any voice messages sent as private will also be encrypted. The wave file can only be decrypted and played back if it is listened to after logging into the Unity voice mail box using the phone.

3. 3 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Implementation Basics Unity uses a private/public key certificate for each server to encrypt and decrypt the wave files. The public key is written into AD, under the server object, to replicate around. The public keys are also downloaded into the servers table of each Unity and use to encrypt the voice mails. These certificates are created using a new utility called AssignConfCert.exe. It can be found in the directory - CommServer\Utilities\CiscoUnitySrvrCertMgr. The utility needs to be run under the right account (recommendation is the Dir Services facing account). It can be run as a GUI or can be run silently through a command prompt. By default every Unity 4.0(5) system will get a certificate installed as part of the upgrade/install. There is no new visible step, it is done silently.

4. 4 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Unity Encryption/Decryption The TUI conversations and the Voice Connector will encrypt private messages marked encrypted with the public keys of all servers. The TUI conversation and the Voice Connector will decrypt messages with the Private Key of the server. An encrypted message looks similar to a regular voice mail (except for the warnings in there). Trying to play the message through outlook or CPCA results in the user hearing the decoy wave file. If the message is forwarded via Outlook. The wave file remains encrypted and keeps the original content safe.

5. 5 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Limitations This feature is only available for Unity integrated with Exchange 2000 and 2003. This is because we are using AD to replicate the public data for the certificate for each Unity server. When forwarding a non-private voice mail, and marking the new mail as private, Unity will not allow you to mark it as private and secure. It is a technical limitation to avoid MAPI deadlocks. When resending a non-private voice mail, and marking the new mail as private, Unity will not allow you to mark it as private and secure. It is a technical limitation to avoid MAPI deadlock. In a multi Unity configuration, each server has to have the server installed so that messages sent to subscribers on any server can be decrypted.

6. 6 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL