Cisco IP Contact Center Release 4.6.1 Design Guide
Cisco Unified Contact Center Enterprise 7.0, 7.1, and 7.2 SRND
OL-8669-16
Chapter 8 Securing Unified CCE
Active Directory Deployment
Unified CCE supports connectivity through a NAT except when CTI OS desktop monitoring/recording
is in use. The IP address of the agent phone is seen as the NAT IP address, which causes the agent desktop
to improperly filter the IP packets. For more information, consult the IPSec and NAT Support section of
the Security Best Practices Guide for ICM and IPCC Enterprise & Hosted Editions, available at
Active Directory Deployment
This section describes the topology displayed in
. For more detailed Active Directory (AD)
deployment guidance, consult the Staging Guide for Cisco ICM/IPCC & Hosted Editions, available at
While Unified ICM and Unified CCE systems may still be deployed in a dedicated Windows Active
Directory domain, it is not a requirement. What makes this possible is the capability of the software
security principals to be installed in Organizational Units. This closer integration with AD and the power
of security delegation means that corporate AD directories can be used to house application servers (for
domain membership), user and service accounts, and groups.
Parent/Child Deployments
The deployment of parent/child systems can be done on the same AD Domain or Forest, but they may
also be deployed in totally disparate AD environments. The scenario where this deployment would be
common is when the child System Unified CCE system is housed at an outsourced contact center site.
In this case, the Gateway PG that is a parent node would be a member of the parent AD domain.
(Workgroup membership is supported but not recommended because of its administration limitations.) This
type of deployment is common today for remote branch offices with PGs that are added as
members of the central site's domain, to which the Routers, Loggers, and Distributors also belong.
attempts to represent the AD Boundaries for each of the two AD
domains involved in this deployment and to which domain the application servers are joined. The parent
AD Domain Boundary is extended beyond the central data center site to include the Unified ICM Central
Controllers and accompanying servers as well as the ACD PG (at the legacy site) and Gateway PG at the
child System Unified CCE site. The child System Unified CCE site and its AD Boundary would have
the System Unified CCE servers as members. This may or may not be as part of an outsourcer's corporate
AD environment. Of course, it may also be a dedicated AD domain for System Unified CCE.
AD Site Topology
In a geographically distributed deployment of Unified ICM or Unified CCE, redundant domain
controllers should be located at each of the sites, and properly configured Inter-Site Replication
Connections must be established with a Global Catalog at each site. The Unified CCE application is
designed to communicate with the AD servers in its own site, but this requires an adequately
implemented site topology in accordance with Microsoft guidelines.
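The following added example (not part of the Cisco guide) audits a domain controller inventory against the two per-site requirements above: redundant domain controllers and a Global Catalog at each site. The function name Test-SiteTopology, the site and host names, and the reading of "redundant" as at least two domain controllers are assumptions; inter-site replication connections are not checked.

```powershell
# Added example: audit AD site topology for redundant DCs and a Global Catalog per site.
# Test-SiteTopology is a hypothetical helper name, not a Cisco or Microsoft cmdlet.
function Test-SiteTopology {
    param(
        # Objects exposing Site, HostName and IsGlobalCatalog properties
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        # Every AD site that hosts Unified ICM / Unified CCE servers
        [Parameter(Mandatory)] [string[]] $Sites,
        # Assumption: "redundant" is read as at least two DCs per site
        [int] $MinimumDCs = 2
    )
    foreach ($site in $Sites) {
        $dcs = @($DomainControllers | Where-Object { $_.Site -eq $site })
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
        $findings = @()
        if ($dcs.Count -lt $MinimumDCs) { $findings += "only $($dcs.Count) DC(s), no redundancy" }
        if ($gcs.Count -eq 0)           { $findings += 'no Global Catalog in site' }
        [pscustomobject]@{
            Site      = $site
            DCs       = $dcs.Count
            GCs       = $gcs.Count
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample inventory (hypothetical site and host names).
$sample = @(
    [pscustomobject]@{ Site = 'CentralDC'; HostName = 'dc01.example.test'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ Site = 'CentralDC'; HostName = 'dc02.example.test'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ Site = 'BranchPG';  HostName = 'dc11.example.test'; IsGlobalCatalog = $false }
    [pscustomobject]@{ Site = 'BranchPG';  HostName = 'dc12.example.test'; IsGlobalCatalog = $false }
    [pscustomobject]@{ Site = 'ChildCCE';  HostName = 'dc21.example.test'; IsGlobalCatalog = $true  }
)

# CentralDC passes; BranchPG has no Global Catalog; ChildCCE has a single DC.
Test-SiteTopology -DomainControllers $sample -Sites 'CentralDC', 'BranchPG', 'ChildCCE' |
    Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory RSAT module):
#   $dcs   = Get-ADDomainController -Filter *
#   $sites = (Get-ADReplicationSite -Filter *).Name
#   Test-SiteTopology -DomainControllers $dcs -Sites $sites
```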