Achieving Unified CCE system security requires an effective security policy that accurately defines access, connection requirements, and systems management within your contact center. A good security policy enables you to use many state-of-the-art Cisco technologies to protect your data center resources from internal and external threats. Security measures ensure data privacy, integrity, and system availability.
The security considerations for Unified CCE at a high level are similar to the considerations for the other applications in a Cisco Unified Communications solution. Deployments of Unified CCE vary greatly and often call for complex network designs. These deployments require competence in Layer 2 and Layer 3 networking as well as voice, VPN, QoS, Microsoft Windows Active Directory, and other networking issues. This chapter provides some guidance that touches on these areas, but it is not an all-inclusive guide for deploying a secure Unified CCE network.
Along with the Unified Communications Security Solution portal, use the other Cisco solution reference network design guides (SRNDs) in addition to this document to answer many design and deployment questions. These documents describe how to properly build a network infrastructure for Cisco Unified Communications. In particular, consult the following documents about security and Cisco Unified Communications:
Cisco Unified Communications SRND Based on Cisco Unified Communications Manager
Data Center Networking: Server Farm Security SRNDv2
Site-to-Site IPSec VPN SRND
Voice and Video Enabled IPSec VPN (V3PN) SRND
Business Ready Teleworker SRND
Updates and additions to these documents are posted periodically, so visit the SRND web site frequently.
This chapter provides limited guidance on the intricacies of designing and deploying a Windows Active Directory. More information is available from Microsoft on the following topics:
Designing a new Active Directory logical structure
Deploying Active Directory for the first time
Upgrading an existing Windows environment to Microsoft Windows Server 2012 R2 Active Directory
Restructuring your current environment to a Windows Active Directory environment
In particular, see the Designing and Deploying Directory and Security Services section of the Microsoft Windows Server 2012 R2 Deployment Kit. That section can assist you in meeting all the Active Directory design and deployment goals for your organization. This development kit and its related documentation are available from
An adequately secure Unified CCE deployment requires a multilayered approach to protecting systems and networks from targeted attacks and the propagation of viruses, among other threats. The goal of this chapter is to stress the various areas pertinent to securing a Unified CCE deployment, but it does not delve into the details of each area. Specific details can be found in the relevant product documentation.
Implement the following security layers and establish policies around them:
You must ensure that the servers hosting the Cisco contact center applications are physically secure. They must be located in data centers to which only authorized personnel have access. The cabling plant, routers, and switches must also have controlled access.
Implementing a strong physical-layer network security plan also includes using measures such as port security on data switches.
While this document does not delve into the details on how to design and deploy a secure data network, it does provide references to resources that can aid in establishing an effective secure environment for your contact center applications.
To ensure an increased level of protection from eavesdropping for customer-sensitive information, Unified CCE provides support for Transport Layer Security (TLS) on the CTI OS and Cisco Agent Desktops. It also supports IPSec to secure communication channels
You can use the Windows Firewall to protect from malicious users and programs that use unsolicited incoming traffic to attack servers. Use the Windows Firewall Configuration Utility on VMs or the Agent Desktop Installers to integrate with the firewall component of Windows Server 2012 R2.
A system is typically not connected to a live network until all security updates have been applied. It is important for all hosts to be kept up-to-date with Microsoft (Windows, SQL Server, Internet Explorer, and so forth) and other third-party security
For most of these security layers, the Unified CCE solution supports a number of capabilities. However, what Cisco cannot control or enforce is your enterprise policies and procedures for deploying and maintaining a secure Unified CCE solution.
how to design the various security layers required for a Unified CCE network, this section introduces the differences that are inherent in the applications making up the Unified CCE solution.
The Unified CCE solution consists of a number of application servers that are managed differently. The primary servers, those with the most focus in this document, are the Routers, Loggers (also known as Central Controllers), Peripheral Gateways, Administration & Data Servers, and so forth. These application servers can be installed only on a standard (default) operating system installation. For Unified CCE components that you install on Windows Server 2012 R2, use only a default retail version of the Windows Server software. The maintenance of this operating system in terms of device drivers, security updates, and so forth, is the responsibility of the customer, as is acquiring the necessary software from the appropriate vendors. This category of application servers is the primary focus of this topic.
The approach to securing the Unified CCE solution as it pertains to the various layers listed above differs from one group of servers to another. It is useful to keep this in mind as you design, deploy, and maintain these servers in your environment. Cisco is constantly enhancing its Unified Communications products with the eventual goal of having them all support the same customized operating system, antivirus applications, and security patch management techniques.
Cisco has a security guide for the primary group of servers. The guide covers details of security implementation along with general guidance for securing a Unified CCE deployment. The security guide includes the following topics:
The guidelines are based in part on hardening guidelines published by Microsoft and other third-party vendors. The guide also serves as a reference point for most of the security functionality in the product. The guide also covers installation for the Automated OS and SQL Security Hardening bundled with the application installer, Windows Firewall Configuration Utility, the SSL Configuration Utility, the Network Isolation IPSec Utility, and the Unified CC Security
There are several important factors to consider when deploying firewalls in a Unified CCE network. The application servers making up a Unified CCE solution are not meant to reside in a demilitarized zone (DMZ) and must be segmented from any externally visible networks and internal corporate networks. The VMs must be placed in data centers, and the applicable firewalls or routers must be configured with access control lists (ACL) to control the traffic that is targeted to the VMs, thereby allowing only designated network traffic to pass through.
Deploying the application in an environment in which firewalls are in place requires the network administrator to be knowledgeable about which TCP/UDP IP ports are used, firewall deployment and topology considerations, and impact of Network Address Translation (NAT).
To aid in firewall configuration, these guides list the protocols and ports used for agent desktop-to-server communication, application administration, and reporting. They also provide a listing of the ports used for intra-server communication.
Network Firewall Topology
The deployment shown in the section on AD Administrator created OUs represents the placement of firewalls and other network infrastructure components in a Unified CCE deployment. The design model incorporates a parent Unified ICM system with legacy peripheral hosts and a child Cisco Unified Contact Center Enterprise with a Unified CM cluster. For this deployment type, do the following:
Block the following ports at the enterprise perimeter firewall:
UDP ports 135, 137, 138, and 445
TCP ports 135, 139, 445, and 593
Deploy Layer-3 and Layer-4 ACLs that are configured as described in the port guides.
Isolate database and web services by installing dedicated historical data servers.
Minimize the number of Administration & Data Servers (ADS) and use Administration Clients (no database required) and internet script editor clients.
Use the same deployment guidelines when the parent Unified ICM or child Unified CCE central controllers are geographically distributed.
Deploy Windows IPSec (ESP) to encrypt intraserver communications.
Use Cisco IOS IPSec for site-to-site VPNs between geographically distributed sites, remote branch sites, or outsourced sites.
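As an added check (not from the Cisco guide), the following PowerShell function confirms from a host outside the perimeter that the TCP ports listed above really are blocked at the enterprise perimeter. The target address is constructed, and Test-NetConnection (available on Windows Server 2012 R2 and later) is assumed to exist on the probing host. The UDP ports in the list cannot be verified with a TCP connect test; confirm those from the perimeter firewall's own rule hit counters or logs.

```powershell
# Added example, not Cisco code. Run from OUTSIDE the perimeter (an untrusted
# segment) against the externally reachable address of the contact-center site.
$target          = "198.51.100.10"       # constructed: perimeter-facing address (TEST-NET-2)
$tcpPortsToBlock = 135, 139, 445, 593    # TCP ports the guide says to block at the perimeter

function Test-BlockedTcpPorts {
    param(
        [string]$ComputerName,
        [int[]]$Ports
    )
    foreach ($port in $Ports) {
        # -InformationLevel Quiet returns $true only if a TCP handshake completed.
        $open = Test-NetConnection -ComputerName $ComputerName -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port      = $port
            Reachable = $open
            Expected  = "blocked"
        }
    }
}

$results = Test-BlockedTcpPorts -ComputerName $target -Ports $tcpPortsToBlock
$results | Format-Table -AutoSize

# Any reachable port means the perimeter ACL is incomplete for RPC/SMB traffic.
if ($results | Where-Object Reachable) {
    Write-Warning "Perimeter ACL is incomplete: one or more RPC/SMB ports accepted a connection."
}
```

Because the firewall is expected to drop these packets rather than reject them, each probe waits for its TCP timeout; the script is intended as an occasional verification after perimeter changes, not as a continuous monitor.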
Network Address Translation (NAT) is a feature that resides on a network router and permits the use of private IP addressing. A private IP address is an IP address that cannot be routed on the Internet. When NAT is enabled, users on the private IP network can access devices on the public network through the NAT router.
When an IP packet reaches the NAT-enabled router, the router replaces the private IP address with a public IP address. For applications such as HTTP or Telnet, NAT does not cause problems. However, applications that exchange IP addresses in the payload of an IP packet experience problems because the IP address that is transmitted in the payload of the IP packet is not replaced. Only the IP address in the IP header is replaced.
To overcome this problem, Cisco IOS-based routers and PIX/ASA firewalls implement fix-ups for a variety of protocols and applications including SCCP and CTIQBE (TAPI/JTAPI). The fix-up allows the router to look at the entire packet and replace the necessary addresses when performing the NAT operation. For this process to work, the version of Cisco IOS or PIX/ASA must be compatible with the Unified CM
While Unified ICM and Unified CCE systems may still be deployed in a dedicated Windows Active Directory domain, it is not a requirement. What makes this possible is the capability of the software security principals to be installed in Organizational Units. This closer integration with AD and the power of security delegation means that corporate AD directories can be used to house application servers (for domain membership), user and service accounts, and groups.
In a geographically distributed deployment of Unified ICM or Unified CCE, redundant domain controllers must be located at each of the sites, and properly configured Inter-Site Replication Connections must be established with a Global Catalog at each site. The Unified CCE application is designed to communicate with the AD servers in its own site, but this requires an adequately implemented site topology in accordance with Microsoft guidelines.
The installation of Unified ICM or Unified CCE software requires that the AD Domain in which the VMs are members must be in Native Mode. The installation will add a number of OU objects, containers, users, and groups that are necessary for the operation of the software. Adding these objects can be done only in an Organizational Unit in AD over which the user running the install program has been delegated control. The OU can be located anywhere in the domain hierarchy, and the AD Administrator determines how deeply nested the Unified ICM/Unified CCE OU hierarchy is created and populated.
Accounts and groups are not created on the application servers. All created groups are Domain Local Security Groups, and all user accounts are domain accounts. The Service Logon domain account is added to the Local Administrators' group of the application servers.
Unified ICM and Unified CCE software installation is integrated with a Domain Manager tool that can be used standalone for pre-installing the OU hierarchies and objects required by the software, or can be used when the Setup program is invoked to create the same objects in AD. The AD/OU creation can be done on the domain in which the running VM is a member or on a trusted domain.
An administrator can create certain AD objects. A prime example is the OU container for Unified CCE Servers. This OU container is manually added to contain the VMs that are members of a given domain. You move these VMs to this OU once they are joined to the domain. This segregation controls who can or cannot administer the servers (delegation of control). Most importantly, the segregation controls the AD Domain Security Policies that the application servers in the OU can or
As noted before, Unified ICM/Unified CCE servers ship with a customized security policy. You can apply this policy at this server OU level through a Group Policy Object (GPO). Block any differing policies from being inherited at the Unified ICM/Unified CCE Servers' OU. Remember that someone can override blocking inheritance, a configuration option at the OU object level, by selecting the Enforced/No Override option at a higher hierarchy level. The application of group policies must follow a well-planned design. Start with the most common denominator, and restrict those policies only at the appropriate level in the hierarchy.
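The OU segregation, GPO link, and inheritance block described above, as an added PowerShell example (not code from the Cisco Domain Manager tool or the Cisco guide). It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, that the caller has been delegated control of the target OU, and that the parent OU already exists; the domain, OU, GPO, and computer names are constructed. The final step is the check a practitioner wants after blocking inheritance: it lists every GPO that still reaches the OU, because links marked Enforced higher in the hierarchy override the block.

```powershell
# Added example, not Cisco code. All names below are constructed for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = "DC=corp,DC=example,DC=com"                              # constructed domain
$parentOu  = "OU=Contact Center,$domainDn"                            # constructed, assumed to exist
$serversOu = "OU=Unified CCE Servers,$parentOu"                       # constructed server OU
$gpoName   = "Unified CCE Server Security Policy"                     # constructed GPO name
$servers   = @("UCCE-RTRA", "UCCE-LGRA", "UCCE-PG1A")                 # constructed VM names

# 1. Create the server OU if it is missing, then move the domain-joined VMs into it.
try   { $null = Get-ADOrganizationalUnit -Identity $serversOu; $ouExists = $true }
catch { $ouExists = $false }
if (-not $ouExists) {
    New-ADOrganizationalUnit -Name "Unified CCE Servers" -Path $parentOu
}
foreach ($name in $servers) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $serversOu
}

# 2. Link the server security GPO to the OU and block inheritance of other policies.
try   { $null = Get-GPO -Name $gpoName; $gpoExists = $true }
catch { $gpoExists = $false }
if (-not $gpoExists) {
    New-GPO -Name $gpoName | Out-Null
}
New-GPLink -Name $gpoName -Target $serversOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
Set-GPInheritance -Target $serversOu -IsBlocked Yes | Out-Null

# 3. Check: "Enforced" links above this OU bypass the block. List everything that
#    still applies, enforced links first, so unexpected policies are visible.
$inheritance = Get-GPInheritance -Target $serversOu
"Inheritance blocked: $($inheritance.GpoInheritanceBlocked)"
$inheritance.InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Enabled, Target |
    Sort-Object Enforced -Descending |
    Format-Table -AutoSize
```

Run the script as an account that has been delegated control of the parent OU; the inheritance report is worth re-running after any change to higher-level GPO links, since a newly enforced link elsewhere in the domain changes what the servers receive without touching this OU.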
The Unified CCE solution relies on one or both of Microsoft Windows IPsec and Cisco IOS IPsec to secure critical links between VMs and sites. You can secure the solution in the following ways:
by deploying peer-to-peer IPsec tunnels between the VMs and sites
by deploying the more restrictive and preconfigured Network Isolation IPsec policy
by using a combination of both
The peer-to-peer IPsec deployment requires manual configuration for each communication path that must be secured, using the tools provided by Microsoft. However, you can automatically deploy the Network Isolation IPsec policy on each VM by using the Network Isolation IPsec utility. The utility secures all communication paths to or from that VM unless an exception is made. The Network Isolation IPsec utility is installed by default on all Unified CCE servers.
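The manual, peer-to-peer path described above (Microsoft tools rather than the Network Isolation IPsec utility), as an added PowerShell example; it is not code from the Cisco guide or the utility. It assumes Windows Server 2012 R2 with the NetSecurity module, two application servers at the constructed addresses below, and the default computer-Kerberos authentication between domain members. The proposal uses ESP with AES-128 and SHA-1, in line with the ESP guidance for intraserver links.

```powershell
# Added example, not Cisco code. Run elevated on peer A; on peer B run it again
# with $local and $remote swapped. Addresses are constructed.
$local  = "10.10.1.10"   # constructed: this VM (for example, Router/Logger side A)
$remote = "10.10.1.11"   # constructed: the peer VM it exchanges private traffic with

# Phase 2 (quick mode) proposal: ESP transport mode, AES-128 encryption, SHA-1 integrity.
$proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES128 -ESPHash SHA1
$qmSet    = New-NetIPsecQuickModeCryptoSet -DisplayName "UCCE ESP AES128-SHA1" -Proposal $proposal

# Require IPsec in both directions for all traffic between the two peers.
# No -Phase1AuthSet is given, so the default computer (Kerberos) authentication applies,
# which is why both VMs must be domain members.
New-NetIPsecRule -DisplayName "UCCE intraserver ESP to $remote" `
    -Mode Transport -LocalAddress $local -RemoteAddress $remote `
    -InboundSecurity Require -OutboundSecurity Require `
    -QuickModeCryptoSet $qmSet.Name

# Check, after some traffic has flowed: a quick-mode SA to the peer proves the
# path is actually protected. With "Require" on both sides, an absent SA means
# the peers cannot talk at all rather than talking in the clear.
Get-NetIPsecQuickModeSA |
    Where-Object { $_.RemoteEndpoint -eq $remote } |
    Format-List *
```

Because the rule is set to Require in both directions, apply it on both peers in one maintenance window; a one-sided rule blocks the link until the other side matches. Per-path manual rules like this are why the Network Isolation IPsec utility is the more practical choice once more than a few paths need protection.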
This guide not only lists the supported paths but also provides information to help users deploy Windows IPsec, including the appropriate settings and more.
Enabling IPsec affects scalability. Several key paths in Unified CCE support IPsec; the following figure illustrates these guidelines. The figure shows the various server interconnections that must be secured with either Windows IPsec or Cisco IOS IPsec. The diagram also shows several paths that support TLS.
By providing host firewall protection on the innermost layer of your network, Windows Firewall can be an effective part of your defense-in-depth security strategy. Unified CCE supports the deployment of Windows Firewall on the VMs. The Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted contains a chapter on the implementation and configuration of
The configuration of the exceptions and the opening of the ports required by the application will still be done locally using the Windows Firewall Configuration Utility, which is included with the Unified CCE application.
The Windows Firewall is set up during Unified CCE installation, during which required ports are
The Unified Contact Center Security Wizard allows easy configuration of the security features defined above, namely, SQL Server Hardening, Windows Firewall configuration, and Network Isolation IPSec policy deployment. The Security Wizard encapsulates the functionality of these four utilities in an easy-to-use wizard-like interface that guides the user through the steps involved in configuring the security feature. (This is particularly helpful when deploying the Network Isolation IPSec policy.) The Security Wizard is installed by default with Unified CCE. The Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted at http://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-installation-and-configuration-guides-list.html contains a chapter explaining the Security Wizard in detail.
A number of third-party antivirus applications are supported for the Unified CCE system. For a list of applications and versions supported on your particular release of the Unified CCE software, see the Compatibility Matrix for Unified CCE at http://docwiki.cisco.com/wiki/Compatibility_Matrix_for_Unified_CCE DocWiki and the Hardware and System Software Specification for Cisco Unified Customer Voice Portal (Unified CVP), as well as the Cisco Unified CCX and Unified Communications Manager product documentation for the applications supported. These documents are available on cisco.com.
Deploy only the supported applications for your environment; otherwise, a software conflict might arise.
Antivirus applications have numerous configuration options that allow granular control of what and how data must be scanned on a VM.
Upgrade to the latest supported version of the third-party antivirus application. Newer versions improve scanning speed over previous versions, resulting in lower overhead on VMs.
Avoid scanning of any files accessed from remote drives (such as network mappings or UNC connections). Where possible, each of these remote machines must have its own antivirus software installed, thus keeping all scanning local. With a multitiered antivirus strategy, scanning across the network and adding to the network load is generally not required.
Heuristics scanning has a higher overhead than traditional antivirus scanning. Use this advanced scanning option only at key points of data entry from untrusted networks (such as email and internet gateways).
You can enable real-time or on-access scanning, but only on incoming files (when writing to disk). This setting is the default for most antivirus applications. On-access scanning of file reads yields a higher than necessary impact on system resources in a high-performance application environment.
On-demand and real-time scanning of all files gives optimum protection. But, this configuration imposes the unnecessary overhead of scanning those files that cannot support malicious code (for example, ASCII text files). Exclude files or directories of files in all scanning modes that are known to present no risk to the system. Also, follow the guidelines for which specific Unified CCE files to exclude in a Unified CCE implementation, as provided in the Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise
Schedule regular disk scans only during low usage times and at times when application activity is lowest. To determine when application purge activity is scheduled, see the Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted listed in the previous item.
Cisco does not test or support intrusion prevention products by vendors such as Sygate, McAfee, and so on. Such products are capable of blocking legitimate application functionality if they incorrectly identify that application as a security threat. These products must be configured to allow legitimate operations to execute.
guidelines regarding when and how to apply updates. All Contact Center customers must separately assess all security patches released by Microsoft and install those deemed appropriate for their environments.
Unified CCE servers (except for the applications installed on VOS) support integration with Microsoft's Windows Server Update Services, whereby customers control which patches can be deployed to those VMs and when the patches can be deployed.
updates and determine when they get deployed on production VMs. The Windows Automatic Update Client (installed by default on all Windows hosts) can be configured to retrieve updates by polling a VM that is running Microsoft Windows Update Services in place of the default Windows Update Web site.
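Pointing the Automatic Update client at an internal WSUS server, as an added PowerShell example (not code from the Cisco guide). It writes the standard Windows Update policy registry values; the WSUS URL is constructed, and the script is assumed to run elevated on a Unified CCE VM that is not covered by a domain GPO for the same settings (a GPO would overwrite these values at the next refresh).

```powershell
# Added example, not Cisco code. Assumes an internal WSUS server at the constructed
# URL below; the registry layout is the standard Windows Update client policy.
$wsusUrl = "http://wsus.corp.example.com:8530"   # constructed WSUS address

$wuKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey = "$wuKey\AU"
New-Item -Path $auKey -Force | Out-Null          # creates both keys if missing

# Direct the client to the internal WSUS server instead of the public Windows Update site.
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $wsusUrl
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $wsusUrl
Set-ItemProperty -Path $auKey -Name UseWUServer    -Value 1 -Type DWord

# AUOptions 3 = download approved updates automatically, but leave installation to
# the administrator, so a production VM is never patched or rebooted on the client's
# own schedule. NoAutoUpdate 0 keeps the client active.
Set-ItemProperty -Path $auKey -Name AUOptions    -Value 3 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord

# Check: confirm the values the client will read, then ask it to contact WSUS now.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $auKey | Select-Object UseWUServer, AUOptions, NoAutoUpdate
wuauclt.exe /detectnow
```

Only updates approved on the WSUS server are ever offered to the VM, which is the control point the text describes; the client-side setting above decides only how far the client goes on its own once an approved update is available.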
The Cisco Unified Communications Operating System configuration and patch process does not currently allow for an automated patch management process.
The CTI OS (C++/COM toolkit) and CAD agent desktop servers both support TLS encryption to the server. This encryption protects agent login and CTI data from snooping. A mutual authentication mechanism enables the CTI OS Server and client to agree on a cipher suite for authentication, key exchange, and stream encryption. The cipher suite used is as follows:
Key exchange: DH
Encryption: AES (128)
Message digest algorithm: SHA1
The following figure shows the encryption implementation's use of X.509 certificates on the agent desktops as well as on the servers. The implementation supports the integration with a Public Key Infrastructure (PKI) for the most secure deployment. By default, the application installs and relies on a self-signed certificate authority (CA) to sign client and server requests. However, Cisco supports integration with a third-party CA. This mechanism is the preferred method because of the increased security provided by a corporate-managed CA or external authority such as Verisign.
The following figure shows the Certificate Authority enrollment procedure to generate certificates used by the agent and the servers. The agent desktop certificate enrollment process is manual. The process requires the creation of certificate signing requests (CSRs) at each endpoint. The CSRs are then transferred to the certificate authority responsible for signing and generating the certificates.
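The CSR-then-CA step for one desktop, as an added PowerShell example using the built-in Windows certreq tool; this is a generic illustration of the enrollment flow, not the CTI OS toolkit's own procedure or code from the Cisco guide. The subject name and file paths are constructed, and the script is assumed to run elevated so the private key lands in the machine store.

```powershell
# Added example, not Cisco code. Builds a PKCS#10 CSR for an agent desktop
# client-authentication certificate; names and paths are constructed.
$subject = "CN=agent01.corp.example.com"     # constructed agent desktop name
$infPath = "$env:TEMP\agent01.inf"
$csrPath = "$env:TEMP\agent01.csr"

# certreq reads its request parameters from an INF file.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the key pair in the machine store and write the CSR to send to the CA.
# Exportable = FALSE keeps the private key from leaving the endpoint.
certreq.exe -new $infPath $csrPath

# Check: the request should carry the intended subject and the client-auth EKU.
certutil.exe -dump $csrPath | Select-String "Subject:", "Client Authentication"

# After the CA returns the signed certificate (for example agent01.cer), bind it to
# the pending request's private key on the same machine:
#   certreq.exe -accept "$env:TEMP\agent01.cer"
```

The KeyUsage value 0xa0 requests digital signature and key encipherment, and the EKU OID 1.3.6.1.5.5.7.3.2 is client authentication; a CA template that issues server certificates to the CTI OS servers needs the server-authentication EKU (1.3.6.1.5.5.7.3.1) instead.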
Cisco Finesse supports HTTPS for the Administration Console and Agent and Supervisor Desktops. HTTPS is not supported for Agent and Supervisor Desktops in large deployments (over 1500 agents).
Unified IP Phone
When designing a Unified CCE solution based on Unified Communications Manager, customers may choose to implement device authentication for the Cisco Unified IP Phones. Unified CCE supports Unified Communications Manager’s Authenticated Device Security Mode, which ensures the following:
Device Identity — Mutual authentication using X.509 certificates
Signaling Integrity — SCCP/SIP messages authenticated using HMAC-SHA-1
— SCCP/SIP message content encrypted using AES-128-CBC
Certain IP phones support Secure Real-Time Transport Protocol (SRTP). Before enabling SRTP in your deployment, consider the following points:
The Unified CVP VXML Browser does not support SRTP. While calls are connected to the VXML Browser, the calls cannot use SRTP. But, calls can negotiate SRTP once the media no longer terminates in the VXML Browser.
Deployments that use span-based silent monitoring do not support SRTP.
cannot use SRTP.
Outbound Option Dialers do not support SRTP. While calls are connected to the Dialer, the calls cannot use SRTP. But, calls can negotiate SRTP once the call is no longer connected to the Dialer.
IP Phone Hardening
The IP phone device configuration in Unified CM provides the ability to disable a number of phone features to harden the phones, such as disabling the phone's PC port or restricting a PC from accessing the voice VLAN. Changing some of these settings can disable the monitoring/recording feature of the Unified CCE solution. The settings are defined as follows:
PC Voice VLAN Access
Indicates whether the phone will allow a device attached to the PC port to access the Voice VLAN. Disabling Voice VLAN Access will prevent the attached PC from sending and receiving data on the Voice VLAN. It will also prevent the PC from receiving data sent and received by the phone. Disabling this feature will disable desktop-based monitoring and recording.
Setting: Enabled (default)
Span to PC Port
Indicates whether the phone will forward packets transmitted and received on the Phone Port to the PC Port. To use this feature, PC Voice VLAN access must be enabled. Disabling this feature will disable desktop-based monitoring and recording.
Disable the following setting to prevent man-in-the-middle (MITM) attacks unless the third-party monitoring and/or recording application deployed uses this mechanism for capturing voice streams. The CTI OS Silent Monitoring feature and CAD Silent Monitoring and Recording do not depend on
Indicates whether the phone will learn MAC addresses from Gratuitous ARP responses.