Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Cisco Unified Contact Center Security Wizard

About Cisco Unified Contact Center Security Wizard

The Cisco Unified Contact Center Security Wizard is a security deployment tool for Unified ICM/CCE that simplifies security configuration through its step-by-step wizard-based approach.

The Security Wizard is a new graphical user interface you can use to configure security by means of the following Unified ICM/CCE security command-line utilities:

  • The Windows Hardening Utility
  • The Windows Firewall Utility
  • The Network Isolation Utility
  • The SQL Hardening Utility

The Windows Hardening and Windows Firewall utilities are two command-line security utilities that have existed since the 7.0 release. The Network Isolation Utility was introduced after the ICM 7.2 release, and the SQL Hardening utility was introduced in the ICM 7.5 release.

For the descriptions of each of these utilities, see the following chapters/sections in this guide:

Configuration and restrictions

The following are Security Wizard restrictions:

  • While the Security Wizard does not interfere with applications that run on the network, run the Security Wizard only during the application maintenance window because it can potentially disrupt connectivity when you are setting up the network security.
  • The Security Wizard works on a Windows Server 2008 platform only.
  • The Firewall Configuration Utility and the Network Isolation Utility must be configured after Unified ICM is installed on the network. For more details, see Windows Server 2003 Firewall Configuration and Applying IPsec with the Network Isolation Utility.

Run Wizard

The Security Wizard is installed by the ICM-CCE-CCH Installer and is placed in the "%SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard" directory. You must be a server administrator to use the features in the Security Wizard.

You can run the wizard using the shortcut installed under Start > Programs > Cisco Unified CCE Tools > Security Wizard.


Note


Before you use the wizard, read the chapters in this guide about each of the utilities included in the wizard to understand what the utilities do.


When running the Security Wizard, you are provided with a menu list of the security utilities (the Security Hardening, the Windows Firewall, Network Isolation Utility, and SQL Utility), and you run each, one at a time.

You can go back and forth on any menu selection to understand what each one contains. However, after you click the Next button for any particular feature, you must either complete configuration or click Cancel to go back to the Welcome page.

The Security Wizard is self-explanatory; each utility has an introductory panel, configuration panel or panels, a confirmation panel, and a status panel. The following list provides brief explanations of these panels:
  • Introductory panel:

    1. Briefly describes what the specific utility does.
    2. Warns if security utility files are missing or not installed.
    3. Allows you to switch between utilities until you click the Next button.

  • Configuration panel(s): Lists the options you can select to configure the utility and gathers your configuration input.

  • Confirmation panel: Allows you to confirm your configuration choices or to go back and make changes. After you have entered all the required input, the confirmation panel is displayed and the Next button is replaced with the Finish button. This indicates that this is your last chance to make a change to your configuration selections. After you click Finish, you can no longer go back.

  • Status panel:

    1. Displays the configuration command with all of its required arguments.
    2. Displays the streaming output of the configuration command while it is executing in the background.
    3. Displays "Configuration Complete" and enables the "Go back to Welcome Panel" button after the command execution is complete.

What to Do Next

The defaults are set to the recommended values and warnings are displayed if you make a selection that could cause a problem.

In the rare event that the back-end utility script dies, a temporary text file created in the UCCSecurityWizard folder is not deleted. This text file contains the command-line output, which you can use to debug the issue.

Example of Security Wizard usage

The following image shows the Cisco Unified Contact Center Security Wizard introductory panel.

Figure 1. Security Wizard Welcome Window



The Security Wizard requires the command line utilities to be installed on the system to configure security. It will detect if a utility is not installed and notify the user.

The Security Wizard can execute on all Unified ICM or Unified CCE servers but will not execute on a Domain Controller.

Example of Windows Firewall configuration panels

The following image shows the introductory panel for the Windows Firewall Wizard.

Figure 2. Windows Firewall Wizard Introduction Panel



You will get a message in this panel if the selected utility has not been installed on your system.

The following image shows the Firewall configuration panel.

Figure 3. Windows Firewall Configuration Options Panel



In the Security Wizard Firewall Configuration panel, you can:

  • Configure a Windows firewall for your Unified ICM or Unified CCE system.
  • Undo firewall configuration settings that were previously applied.
  • Restore to Windows Default.

    Warning


    The Default Windows firewall configuration is not compatible with the Unified ICM application.


  • Disable the Windows firewall.
  • Edit the Unified ICM Firewall Exceptions XML file. Clicking the Edit ICM Firewall Exceptions XML button opens that XML file in Notepad. You must save the file and close it before continuing with the wizard.

The Windows Firewall Configuration Utility:

  • Must be executed after the Unified ICM application is installed.
  • Automatically detects Unified ICM components installed and configures the Windows Firewall accordingly.
  • Can add custom exceptions such as an exception for VNC.
  • Is installed by default on all Unified ICM and Unified CCE servers.

See Windows Server 2003 Firewall Configuration for a complete description of these configuration options.

The following image shows the confirmation panel for Windows Firewall configuration.

Figure 4. Windows Firewall Confirmation Panel



The following image shows the status panel for Windows Firewall configuration.

Figure 5. Windows Firewall Status Panel



Example of Network Isolation configuration panels

The following image shows the introductory panel for the Network Isolation utility.

Figure 6. Network Isolation Configuration Panel



The Security Wizard is the preferred choice for deploying the Network Isolation Utility when configuring it for the first time, or when editing an existing policy.

The Security Wizard interface has the following advantages:

  • You are guided by configuration panels that change dynamically according to your input.
  • You can browse the current policy.
  • You can see the current Network Isolation configuration and edit it if you need to.
  • You can add multiple Boundary Devices through a single Security Wizard panel. To add multiple Boundary Devices in the CLI, you must create a separate command for each device that you want to add.

You must run the Network Isolation Utility on every server that will be set as a Trusted Device. There is no need to run the utility on Boundary Devices.

For a complete description of the Network Isolation Utility, see Applying IPsec with the Network Isolation Utility.

The following image shows the configuration panel for Trusted Devices.

Figure 7. Trusted Devices Configuration Panel



This panel and the next panel are loaded from the last configuration saved in the XML Network Isolation configuration file (not the Windows IPsec policy store), if it is available.

The Trusted Devices panel:

  • Shows the current status of the policy.
  • Can be used to enable, modify, browse, or disable the policy.

    Note


    To enable or modify a device as Trusted you must enter a Preshared Key of 36 characters or more. The length of the key typed in is displayed and updated as you enter it to help you enter the correct length.

    Note


    You can permanently delete the Network Isolation Utility policy through the command line only.

You must use the same Preshared Key on all Trusted Devices or else network connectivity between the Trusted Devices will fail.

The following image shows the Network Isolation Boundary Devices panel.

Figure 8. Boundary Device Configuration Panel



The Boundary Device panel (Figure 3) and the preceding panel are loaded from the last configuration saved in the XML Network Isolation configuration file (not the Windows IPsec policy store), if it is available.

In the Boundary Devices panel:

  • The content of the panel is dynamically modified based on the selection made in the previous panel:
    • If in the previous panel you have disabled the policy, then the panel elements displayed here are disabled.
    • If in the previous panel you have selected the browse option, then only the Boundary List of devices is enabled for browsing purposes.
  • You can add or remove multiple boundary devices.
  • You can add dynamically detected devices through check boxes.
  • You can add manually specified devices through a port, an IP address, or a subnet. After specifying the device, you must click Add Device to add the device. The Add button validates the data and checks for duplicate entries before proceeding further.
  • You can remove a device from the Boundary Devices by selecting it in the Devices List and clicking Remove Selected.

You can narrow down the exception based on:

  • Direction of traffic: Outbound or Inbound
  • Protocol: TCP, UDP, ICMP
  • Any port (only if TCP or UDP selected)
  • A specific port or All ports
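
The validation rules described for the Trusted Devices and Boundary Devices panels (a Preshared Key of 36 characters or more, a boundary entry given as an IP address or subnet with a direction, a protocol, and a port filter that applies only to TCP or UDP, and duplicate entries rejected) can be expressed as a small checker. The following Python is an added illustration and is not code from the Security Wizard or the Network Isolation Utility; the `BoundaryException` record and the error strings are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MIN_PSK_LENGTH = 36  # the Trusted Devices panel requires a key of 36 characters or more


@dataclass(frozen=True)
class BoundaryException:
    """One Boundary Device entry (hypothetical representation of the panel's input)."""
    target: str                  # IP address or subnet in CIDR form, e.g. "10.0.0.0/24"
    direction: str               # "Inbound" or "Outbound"
    protocol: str                # "TCP", "UDP" or "ICMP"
    port: Optional[int] = None   # None means "All ports"; only valid for TCP or UDP


def validate_psk(key: str) -> bool:
    """Mirror the Trusted Devices rule: the Preshared Key must be at least 36 characters."""
    return len(key) >= MIN_PSK_LENGTH


def validate_exception(exc: BoundaryException) -> Optional[str]:
    """Return an error message for a bad entry, or None when it is acceptable."""
    if exc.direction not in ("Inbound", "Outbound"):
        return f"invalid direction {exc.direction!r}"
    if exc.protocol not in ("TCP", "UDP", "ICMP"):
        return f"invalid protocol {exc.protocol!r}"
    if exc.protocol == "ICMP" and exc.port is not None:
        return "port filters apply only to TCP or UDP"
    if exc.port is not None and not 1 <= exc.port <= 65535:
        return f"port {exc.port} out of range"
    try:
        # strict=False accepts a host address as well as a subnet (host bits may be set)
        ipaddress.ip_network(exc.target, strict=False)
    except ValueError:
        return f"{exc.target!r} is not a valid IP address or subnet"
    return None


def add_device(devices: List[BoundaryException], exc: BoundaryException) -> Optional[str]:
    """Behave like the panel's Add Device button: validate, reject duplicates, then append."""
    err = validate_exception(exc)
    if err is not None:
        return err
    if exc in devices:
        return "duplicate entry"
    devices.append(exc)
    return None
```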

The following figure shows the confirmation panel for the Network Isolation utility.

Figure 9. Network Isolation Confirmation Panel



The following image shows the Network Isolation status panel.

Figure 10. Network Isolation Status Panel



Example of SQL Hardening panels

The following image shows the introductory panel for the SQL Hardening utility.

You can use the SQL Hardening wizard to:

  • Apply the SQL Server 2008 R2 security hardening.
  • Upgrade from a previously applied hardening.
  • Roll back previously applied hardening.

For more information on SQL Server hardening, see the section Automated SQL 2008 R2 Hardening.

The following image shows the SQL Hardening Security Action panel.

Figure 11. Security Action Panel



In the SQL Hardening Security Action panel, you can:

  • Apply or Upgrade SQL Server 2008 R2 Security Hardening
  • Roll back Previously Applied SQL Server 2008 R2 Security Hardening

    Note


    The Rollback will be disabled if there is no prior history of SQL Server 2008 R2 security hardening or if the hardening was already rolled back.


The following image shows the SQL Hardening Confirmation panel. At this point, you can still change any configuration selections, but after you click Finish, you can no longer change your selections.

Figure 12. SQL Hardening Confirmation Panel





The following image shows the SQL Hardening status panel.

Figure 13. SQL Hardening Status Panel



The status bar at the top of the panel tells you when the configuration is complete.