Cisco IP Contact Center Release 4.6.1 Design Guide
Cisco Unified Contact Center Enterprise 7.0, 7.1, and 7.2 SRND
OL-8669-16
Chapter 8 Securing Unified CCE
Network Firewalls
Topology
The deployment in
represents the recommended placement of firewalls and other network
infrastructure components in a Unified CCE deployment. The design model in
incorporates
a parent Unified ICM system with legacy peripheral hosts and a child Cisco Unified System Contact Center (Unified SCC) with a Unified CM cluster. The following best practices apply to this type of deployment:
• Block the following ports at the enterprise perimeter firewall:
  – UDP ports 135, 137, 138, and 445
  – TCP ports 135, 139, 445, and 593
• Deploy Layer-3 and Layer-4 ACLs that are configured as described in the port guides.
• Isolate database and web services by installing dedicated WebView servers and historical data servers.
• Minimize the number of administrative workstation distributors (AWD) and make use of client AWs (no database required) and Internet script editor clients.
• Use the same deployment guidelines when the parent Unified ICM or child system Unified CCE central controllers are geographically distributed.
• Use Windows IPSec to authenticate application servers running the Support Tools Node Agent with the Cisco support tools server that is managing the servers.
• Deploy Windows IPSec (ESP) to encrypt intra-server communications. The use of hardware off-load network cards is required to minimize the impact of encryption on the main CPU and to sustain the load level (including number of agents and call rate) that is supported with the Unified CCE system. See the section on , for a more detailed diagram and further information.
• Use Cisco IOS IPSec for site-to-site VPNs between geographically distributed sites, remote branch sites, or outsourced sites.
Network Address Translation
Network Address Translation (NAT) is a feature that resides on a network router and permits the use of private IP addressing. A private IP address is an IP address that cannot be routed on the Internet. When NAT is enabled, users on the private IP network can access devices on the public network through the NAT router.
When an IP packet reaches the NAT-enabled router, the router replaces the private IP address with a public IP address. For applications such as HTTP or Telnet, NAT does not cause problems. However, applications that exchange IP addresses in the payload of an IP packet experience problems because the IP address that is transmitted in the payload of the IP packet is not replaced; only the IP address in the IP header is replaced.
To overcome this problem, Cisco IOS-based routers and PIX/ASA firewalls implement “fixups” for a variety of protocols and applications, including SCCP and CTIQBE (TAPI/JTAPI). The fixup allows the router to look at the entire packet and replace the necessary addresses when performing the NAT operation. For this process to work, the version of IOS or PIX/ASA must be compatible with the Unified CM version.
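The following is an added illustration, not code from the design guide or from Cisco: a toy model of the NAT problem just described. The payload format (a constructed text message `REGISTER ip=<addr>`) and the addresses are assumed stand-ins for a protocol such as SCCP or CTIQBE that carries an endpoint address in the payload; it shows why plain header translation leaves the embedded address stale and why a protocol-aware fixup is needed.

```python
"""Toy model of NAT with and without a protocol fixup (constructed example)."""
import re
from dataclasses import dataclass

PRIVATE_IP = "10.1.1.25"   # assumed address of a host on the private network
PUBLIC_IP = "203.0.113.5"  # assumed public address used by the NAT router


@dataclass
class Packet:
    src_ip: str   # source address in the IP header
    payload: str  # application data; may embed the sender's address


def nat_header_only(pkt: Packet, private: str, public: str) -> Packet:
    """Plain NAT: only the IP header source address is translated."""
    src = public if pkt.src_ip == private else pkt.src_ip
    return Packet(src_ip=src, payload=pkt.payload)


def nat_with_fixup(pkt: Packet, private: str, public: str) -> Packet:
    """NAT plus a fixup: inspect the payload and rewrite the embedded address
    so that it agrees with the translated header."""
    out = nat_header_only(pkt, private, public)
    out.payload = re.sub(r"ip=" + re.escape(private), "ip=" + public, out.payload)
    return out


def payload_matches_header(pkt: Packet) -> bool:
    """Would the far end reach the sender using the address in the payload?
    False means the receiver would try to contact an unroutable private IP."""
    m = re.search(r"ip=(\S+)", pkt.payload)
    return m is not None and m.group(1) == pkt.src_ip


if __name__ == "__main__":
    original = Packet(PRIVATE_IP, f"REGISTER ip={PRIVATE_IP}")
    plain = nat_header_only(original, PRIVATE_IP, PUBLIC_IP)
    fixed = nat_with_fixup(original, PRIVATE_IP, PUBLIC_IP)
    print("header-only NAT usable:", payload_matches_header(plain))  # False
    print("NAT with fixup usable: ", payload_matches_header(fixed))  # True
```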