Cisco Unified Contact Center Enterprise 9.0(1) Brochure
Cisco Unified Contact Center Enterprise 7.5 SRND
Chapter 8 Securing Unified CCE
To overcome this problem, Cisco IOS-based routers and PIX/ASA firewalls implement “fixups” for a
variety of protocols and applications, including SCCP and CTIQBE (TAPI/JTAPI). The fixup allows the
router to look at the entire packet and replace the necessary addresses when performing the NAT
operation. For this process to work, the version of IOS or PIX/ASA must be compatible with the
Unified CM version.
Unified CCE supports connectivity through a NAT except when CTI OS desktop monitoring/recording
is in use. The IP address of the agent phone is seen as the NAT IP address, which causes the agent desktop
to improperly filter the IP packets. For more information, consult the IPSec and NAT Support section of
the Security Best Practices Guide for ICM and IPCC Enterprise & Hosted Editions, available at
Active Directory Deployment
This section describes the topology displayed in
. For more detailed Active Directory (AD)
deployment guidance, consult the Staging Guide for Cisco ICM/IPCC & Hosted Editions, available at
While Unified ICM and Unified CCE systems may still be deployed in a dedicated Windows Active
Directory domain, it is not a requirement. What makes this possible is the capability of the software
security principals to be installed in Organizational Units. This closer integration with AD and the power
of security delegation means that corporate AD directories can be used to house application servers (for
domain membership), user and service accounts, and groups.
Parent/Child Deployments
The deployment of parent/child systems can be done on the same AD Domain or Forest, but they may
also be deployed in totally disparate AD environments. The scenario where this deployment would be
common is when the child Unified System CCE system is housed at an outsourced contact center site.
In this case, the Gateway PG that is a parent node would be a member of the parent AD domain.
(Workgroup membership is supported but not recommended due to the administration limitations.) This
type of deployment is common today for remote branch offices with PGs that are added as
members of the central site's domain, of which the Routers, Loggers, and Distributors are members.
The topology shown in
attempts to represent the AD Boundaries for each of the two AD
domains involved in this deployment and to which domain the application servers are joined. The parent
AD Domain Boundary is extended beyond the central data center site to include the Unified ICM Central
Controllers and accompanying servers as well as the ACD PG (at the legacy site) and Gateway PG at the
child Unified System CCE site. The child Unified System CCE site and its AD Boundary would have
the Unified System CCE servers as members. This may or may not be part of an outsourcer's corporate
AD environment. Of course, it may also be a dedicated AD domain for Unified System CCE.
AD Site Topology
In a geographically distributed deployment of Unified ICM or Unified CCE, redundant domain
controllers should be located at each of the sites, and properly configured Inter-Site Replication
Connections must be established with a Global Catalog at each site. The Unified CCE application is
designed to communicate with the AD servers that are in its own site, but this requires an adequately
implemented site topology in accordance with Microsoft guidelines.
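One way to audit the site topology requirements above, as an added example that is not part of the Cisco guide. It assumes the ActiveDirectory PowerShell module (RSAT), read access to the domain, and placeholder site names. Treating "redundant" as at least two domain controllers, and site link membership as a proxy for inter-site replication connections, are assumptions of this example.

```powershell
# Added example: check each AD site that hosts Unified ICM/CCE servers for
# redundant domain controllers, a Global Catalog, and an inter-site link.
Import-Module ActiveDirectory

# Placeholder site names (assumption): replace with the AD sites in which
# the Routers, Loggers, Distributors and PGs actually reside.
$cceSites = @('CentralSite', 'BranchSite')

# Domain controllers of the current domain and all site links in the forest.
# In a parent/child deployment with separate AD domains, run once per domain.
$dcs   = Get-ADDomainController -Filter *
$links = Get-ADReplicationSiteLink -Filter *

$report = foreach ($site in $cceSites) {
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site })
    $siteGcs = @($siteDcs | Where-Object { $_.IsGlobalCatalog })

    # Site links list their member sites by distinguished name.
    $siteDn    = (Get-ADReplicationSite -Identity $site).DistinguishedName
    $siteLinks = @($links | Where-Object { $_.SitesIncluded -contains $siteDn })

    [pscustomobject]@{
        Site              = $site
        DomainControllers = $siteDcs.Count
        GlobalCatalogs    = $siteGcs.Count
        SiteLinks         = ($siteLinks.Name -join ', ')
        RedundantDCs      = $siteDcs.Count -ge 2   # assumption: redundant = 2 or more
        HasGlobalCatalog  = $siteGcs.Count -ge 1
        HasSiteLink       = $siteLinks.Count -ge 1
    }
}

# Show every site, then list only those that miss a requirement.
$report | Format-Table -AutoSize
$report | Where-Object {
    -not ($_.RedundantDCs -and $_.HasGlobalCatalog -and $_.HasSiteLink)
} | ForEach-Object { Write-Warning "Site '$($_.Site)' does not meet the topology guidance." }
```

A site that passes these checks can still replicate poorly; replication health itself is reported by `repadmin /replsummary`.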