8-8
Cisco Unified Contact Center Enterprise 7.5 SRND
Chapter 8 Securing Unified CCE
Network Firewalls
To aid in firewall configuration, these guides list the protocols and ports used for agent desktop-to-server
communication, application administration, and reporting. They also provide a listing of the ports used
for intra-server communication.
Topology
The deployment in
represents the recommended placement of firewalls and other network
infrastructure components in a Unified CCE deployment. The design model in
a parent Unified ICM system with legacy peripheral hosts and a child Cisco Unified System Contact
Center (Unified SCC) with a Unified CM cluster. The following best practices apply to this type of
deployment:
• Block the following ports at the enterprise perimeter firewall:
  – UDP ports 135, 137, 138, and 445
  – TCP ports 135, 139, 445, and 593
• Deploy Layer-3 and Layer-4 ACLs that are configured as described in the port guides.
• Isolate database and web services by installing dedicated WebView servers and historical data servers.
• Minimize the number of administrative workstation distributors (AWD) and make use of client AWs (no database required) and Internet script editor clients.
• Use the same deployment guidelines when the parent Unified ICM or child Unified System CCE central controllers are geographically distributed.
• Use Windows IPSec to authenticate application servers running the Support Tools Node Agent with the Cisco support tools server that is managing the servers.
• Deploy Windows IPSec (ESP) to encrypt intra-server communications. The use of hardware off-load network cards is required to minimize the impact of encryption on the main CPU and to sustain the load level (including number of agents and call rate) that is supported with the Unified CCE system. See the section on
, for a more detailed diagram and further information.
• Use Cisco IOS IPSec for site-to-site VPNs between geographically distributed sites, remote branch sites, or outsourced sites.
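The perimeter block list and the Layer-3/Layer-4 ACL recommendation above can be checked mechanically. The following Python script is an added example (not part of the Cisco SRND and not Cisco code): it encodes the port list from this section, evaluates a few constructed flow records against it, and renders the same policy as a Cisco IOS extended named ACL. The flow-record format, the ACL name `CCE-PERIMETER-IN`, and the sample addresses are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Port block list taken from the SRND text above (enterprise perimeter firewall).
PERIMETER_BLOCK: dict[str, frozenset[int]] = {
    "udp": frozenset({135, 137, 138, 445}),
    "tcp": frozenset({135, 139, 445, 593}),
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def is_blocked(proto: str, dport: int, block_list=PERIMETER_BLOCK) -> bool:
    """True if the perimeter policy drops this protocol/destination-port pair."""
    return dport in block_list.get(proto.lower(), frozenset())


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<proto> <src>:<sport> -> <dst>:<dport>'."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record format: {line!r}")
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, dst_ip, int(dport))


def evaluate(lines) -> list[tuple[Flow, str]]:
    """Label each record 'drop' or 'permit' under the block list."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        action = "drop" if is_blocked(flow.proto, flow.dport) else "permit"
        results.append((flow, action))
    return results


def ios_acl(name: str = "CCE-PERIMETER-IN", block_list=PERIMETER_BLOCK) -> list[str]:
    """Render the block list as a Cisco IOS extended named ACL (deny listed ports, permit the rest)."""
    lines = [f"ip access-list extended {name}"]
    for proto in ("udp", "tcp"):
        for port in sorted(block_list[proto]):
            lines.append(f" deny {proto} any any eq {port}")
    lines.append(" permit ip any any")
    return lines


# Constructed sample records (not real traffic), inbound toward the contact-center servers.
SAMPLE_FLOWS = """
# proto src:sport -> dst:dport
tcp 192.0.2.10:51234 -> 10.20.0.5:445
udp 192.0.2.11:137 -> 10.20.0.5:137
tcp 192.0.2.12:40001 -> 10.20.0.6:443
udp 192.0.2.13:60000 -> 10.20.0.6:139
tcp 192.0.2.14:40002 -> 10.20.0.7:593
""".strip().splitlines()

if __name__ == "__main__":
    for flow, action in evaluate(SAMPLE_FLOWS):
        print(f"{action:6} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
    print("\n".join(ios_acl()))
```

Note that the list is per protocol: UDP 139 is not on it, so the fourth sample record is permitted even though TCP 139 is denied. The rendered ACL ends with `permit ip any any` only so the example stays focused on the block list; the port guides referenced above are the source for the finer Layer-3/Layer-4 rules that belong in front of that line.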
Network Address Translation
Network Address Translation (NAT) is a feature that resides on a network router and permits the use of
private IP addressing. A private IP address is an IP address that cannot be routed on the Internet. When
NAT is enabled, users on the private IP network can access devices on the public network through the
NAT router.
When an IP packet reaches the NAT-enabled router, the router replaces the private IP address with a
public IP address. For applications such as HTTP or Telnet, NAT does not cause problems. However,
applications that exchange IP addresses in the payload of an IP packet experience problems because the
IP address that is transmitted in the payload of the IP packet is not replaced; only the IP address in the
IP header is replaced.
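The header-versus-payload distinction in the paragraph above is easy to reproduce. The following Python script is an added example (not part of the Cisco SRND): it models source NAT as the router performs it, rewriting only the IP header source, and then scans the untouched payload for private addresses that the far end would be unable to reach. The inside network 10.0.0.0/8, the outside address 198.51.100.7, the text-based message format, and the sample packets are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

# Constructed addressing: the inside network behind the NAT router and its outside address.
PRIVATE_NET = IPv4Network("10.0.0.0/8")
PUBLIC_IP = IPv4Address("198.51.100.7")


@dataclass(frozen=True)
class Packet:
    src: str        # IP header source address
    dst: str        # IP header destination address
    payload: bytes  # application data, opaque to the router


def nat_outbound(pkt: Packet, private_net: IPv4Network = PRIVATE_NET,
                 public_ip: IPv4Address = PUBLIC_IP) -> Packet:
    """Source NAT as the router does it: only the IP header source is rewritten.
    The payload is left untouched, which is the behaviour the text describes."""
    if IPv4Address(pkt.src) in private_net:
        return replace(pkt, src=str(public_ip))
    return pkt


# Dotted-quad literals in text payloads; bounded so '10.1.2.3:4000' yields the address only.
_IPV4_LITERAL = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def untranslated_payload_addresses(pkt: Packet,
                                   private_net: IPv4Network = PRIVATE_NET) -> list[str]:
    """Private addresses that survive in the payload after NAT.
    Any hit means the peer will be told to contact an address it cannot route to."""
    hits = []
    for match in _IPV4_LITERAL.finditer(pkt.payload):
        text = match.group().decode("ascii")
        try:
            addr = IPv4Address(text)
        except ValueError:  # e.g. an octet above 255; looks like an address but is not one
            continue
        if addr in private_net:
            hits.append(text)
    return hits


def nat_check(pkt: Packet) -> tuple[Packet, list[str]]:
    """Apply NAT and report which payload addresses were left behind."""
    translated = nat_outbound(pkt)
    return translated, untranslated_payload_addresses(translated)


# Constructed sample packets from an inside host to an outside server.
HTTP_PKT = Packet("10.1.2.3", "192.0.2.10",
                  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
# A made-up registration message that carries the sender's own address in the payload.
CALLBACK_PKT = Packet("10.1.2.3", "192.0.2.10",
                      b"REGISTER desktop-01 callback=10.1.2.3:4000 build=999.1.1.1\r\n")

if __name__ == "__main__":
    for name, pkt in (("http", HTTP_PKT), ("callback", CALLBACK_PKT)):
        translated, leftovers = nat_check(pkt)
        status = "breaks under NAT" if leftovers else "NAT-safe"
        print(f"{name}: header src {pkt.src} -> {translated.src}; "
              f"payload still references {leftovers or 'no private address'}: {status}")
```

The HTTP request carries no address in its payload, so rewriting the header is enough. The registration message still says `callback=10.1.2.3` after translation, which is the failure the paragraph describes: the outside server receives a valid header from 198.51.100.7 but is told to call back to an unroutable private address. Running such a check on captured application traffic before placing a NAT boundary inside a Unified CCE deployment shows which flows need to stay on the same side of the router.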