Cisco IP Contact Center Release 4.6.2 Brochure
Cisco Unified Contact Center Enterprise 7.5 SRND
Chapter 8 Securing Unified CCE
Host-Based Firewall
In designing an integrated system with many of the security layers discussed in this document, it is
important to note the compatibility limitations between the Windows Firewall and the Cisco Security
Agent (CSA). For more information on CSA, refer to the section on
and to the Cisco Security Agent Installation/Deployment Guide for Cisco Unified ICM/CCE & Hosted
Editions, Release 7.1.
Caution
The Cisco Security Agent (CSA) version 4.5, which ships with Unified ICM 7.1, disables the Windows
Firewall on Windows Server 2003 SP1 when run at the same time. This occurs each time the system is
rebooted, even if the Windows firewall has been enabled since the last system startup and configured
using the Cisco Unified ICM Firewall Configuration Utility (CiscoICMfwConfig).
Enterprises that want to deploy both the Cisco Security Agent and the Windows Firewall must use Active
Directory to enable Windows Firewall using the Windows Firewall Group Policy settings. Because
Unified CCE applications require an AD infrastructure, Cisco requires the use of Group Policies to
enable Windows Firewall when CSA is deployed along with it.
For details on how to configure an AD Group Policy to enable Windows Firewall when installed with
CSA, refer to Field Notice: FN-62188 – Cisco Unified ICM Enterprise and Hosted Contact Center
Products Notice for Cisco Security Agent 4.5.1.616 Policy 2.0.0, available at
The configuration of the exceptions and the opening of the ports required by the application will still be
done locally using the Windows Firewall Configuration Utility, which is included with the Unified CCE
application.
The Windows Firewall Configuration Utility (CiscoICMfwConfig) uses a configuration file
(CiscoICMfwConfig_exc.xml) to determine which ports, applications, or services should be enabled in
the Windows Firewall. When deploying CSA in managed mode, which requires communication with a
CSA Management Center (MC), it is important that this file be changed to add the default UDP port used
for the MC to connect to the CSA Agent. This must be done before running the Configuration Utility. The
following line should be added to the configuration file Ports XML element as needed:
<Ports>
..
<Port Number="5401" Protocol="UDP" Name="ManagedCSA" />
</Ports>
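The edit described above can be scripted so that it is safe to repeat on every server before the Configuration Utility runs. The following is an added example, not part of the Cisco guide or the Unified CCE tooling: the function name ensure_port is hypothetical, and the sample document's root element and placeholder entry are constructed, since the page shows only the Ports and Port elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only <Ports>/<Port> and the ManagedCSA attributes come
# from the page; the root element name and the first entry are placeholders.
SAMPLE = """<FirewallExceptions>
  <!-- constructed placeholder entry -->
  <Ports>
    <Port Number="9999" Protocol="TCP" Name="ExamplePlaceholder" />
  </Ports>
</FirewallExceptions>"""


def ensure_port(xml_text, number="5401", protocol="UDP", name="ManagedCSA"):
    """Return (xml_text, changed); add the Port entry only if it is absent."""
    # insert_comments=True keeps existing XML comments when re-serializing.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    ports = root if root.tag == "Ports" else root.find(".//Ports")
    if ports is None:
        # Do not invent structure the utility may not understand.
        raise ValueError("no <Ports> element found; file layout unexpected")
    for port in ports.iter("Port"):
        same_number = port.get("Number", "").strip() == str(number)
        same_proto = port.get("Protocol", "").strip().upper() == protocol.upper()
        if same_number and same_proto:
            return xml_text, False  # already present: leave the text untouched
    ET.SubElement(ports, "Port",
                  {"Number": str(number), "Protocol": protocol.upper(), "Name": name})
    ET.indent(root)  # Python 3.9+: tidy whitespace around the new element
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    updated, changed = ensure_port(SAMPLE)
    print("changed:", changed)
    print(updated)
```

Work on a copy of CiscoICMfwConfig_exc.xml and compare the result with the original before replacing it, because re-serializing drops any XML declaration at the top of the file.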
The Windows Firewall may also be configured afterwards by directly adding the port exception using
the Windows Firewall Control Panel Applet or from the command line by using the following
commands:
netsh firewall add portopening protocol=UDP port=5401 name=ManagedCSA mode=ENABLE scope=ALL profile=ALL
For more information on the Windows Firewall, see the Windows Firewall Operations Guide, available
at