About Cisco Unified Contact Center Security Wizard
The Cisco Unified Contact Center Security Wizard is a security deployment tool for Unified ICM/CCE that simplifies security configuration through its step-by-step wizard-based approach.
The Security Wizard is a new graphical user interface you can use to configure security by means of the following Unified ICM/CCE security command-line utilities:
The Windows Hardening Utility
The Windows Firewall Utility
The Network Isolation Utility
The SQL Hardening Utility
The Windows Hardening and Windows Firewall utilities are two command-line security utilities that have existed since the 7.0 release. The Network Isolation Utility was introduced after the ICM 7.2 release, and the SQL Hardening Utility was introduced in the ICM 7.5 release.
For the descriptions of each of these utilities, see the following chapters/sections in this guide:
While the Security Wizard does not interfere with applications that run on the network, run the Security Wizard only during the application maintenance window because it can potentially disrupt connectivity when you are setting up the network security.
The Security Wizard works on a Windows Server 2008 platform only.
The Security Wizard is installed by the ICM-CCE-CCH Installer and is placed in the "%SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard" directory. You must be a server administrator to use the features in the Security Wizard.
You can run the wizard using the shortcut installed under Start > Programs > Cisco Unified CCE Tools > Security Wizard.
Before you use the wizard, read the chapters in this guide about each of the utilities included in the wizard to understand what the utilities do.
When running the Security Wizard, you are provided with a menu list of the security utilities (the Security Hardening, the Windows Firewall, Network Isolation Utility, and SQL Utility), and you run each, one at a time.
You can go back and forth on any menu selection to understand what each one contains. However, after you click the Next button for any particular feature, you must either complete configuration or click Cancel to go back to the Welcome page.
The Security Wizard is self-explanatory; each utility has an introductory panel, configuration panel or panels, a confirmation panel, and a status panel. The following list provides brief explanations of these panels:
Introductory panel:
Briefly describes what the specific utility does.
Warns if security utility files are missing or not installed.
Allows you to switch between utilities until you click the Next button.
Configuration panel(s): Lists the options you can select to configure the utility and gathers your configuration input.
Confirmation panel: Allows you to confirm your configuration choices or to go back and make changes. After you have entered all the required input, the confirmation panel is displayed and the Next button is replaced with the Finish button. This indicates that this is your last chance to make a change to your configuration selections. After you click Finish, you can no longer go back.
Status panel:
Displays the configuration command with all of its required arguments.
Displays the streaming output of the configuration command while it is executing in the background.
Displays "Configuration Complete" and enables the "Go back to Welcome Panel" button after the command execution is complete.
What to Do Next
The defaults are set to the recommended values and warnings are displayed if you make a selection that could cause a problem.
In the rare event that the back-end utility script dies, a temporary text file created in the UCCSecurityWizard folder is not deleted. This text file contains command-line output, which you can use to debug the issue.
Example of Security Wizard usage
The following image shows the Cisco Unified Contact Center Security Wizard introductory panel.
Figure 1. Security Wizard Welcome Window
The Security Wizard requires the command line utilities to be installed on the system to configure security. It will detect if a utility is not installed and notify the user.
The Security Wizard can execute on all Unified ICM or Unified CCE servers but will not execute on a Domain Controller.
Example of Windows Firewall configuration panels
The following image shows the introductory panel for the Windows Firewall Wizard.
Figure 2. Windows Firewall Wizard Introduction Panel
You will get a message in this panel if the selected utility has not been installed on your system.
The following image shows the Firewall configuration panel.
Figure 3. Windows Firewall Configuration Options Panel
In the Security Wizard Firewall Configuration panel, you can:
Configure a Windows firewall for your Unified ICM or Unified CCE system.
Undo firewall configuration settings that were previously applied.
Restore to Windows Default.
The Default Windows firewall configuration is not compatible with the Unified ICM application.
Disable the Windows firewall.
Edit the Unified ICM Firewall Exceptions XML file. Clicking the Edit ICM Firewall Exceptions XML button opens that XML file in Notepad. You must save the file and close it before continuing with the wizard.
The Windows Firewall Configuration Utility:
Must be executed after the Unified ICM application is installed.
Automatically detects Unified ICM components installed and configures the Windows Firewall accordingly.
Can add custom exceptions such as an exception for VNC.
Is installed by default on all Unified ICM and Unified CCE servers.
Figure 7. Trusted Devices Configuration Panel.
The following image shows the configuration panel for Trusted Devices.
This panel and the next panel are loaded from the last configuration saved in the XML Network Isolation configuration file (not the Windows IPsec policy store), if it is available.
The Trusted Devices panel:
Shows the current status of the policy.
Can be used to enable, modify, browse, or disable the policy.
To enable or modify a device as Trusted you must enter a Preshared Key of 36 characters or more. The length of the key typed in is displayed and updated as you enter it to help you enter the correct length.
You can permanently delete the Network Isolation Utility policy through the command line only.
You must use the same Preshared Key on all Trusted Devices or else network connectivity between the Trusted Devices will fail.
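The following added example (not part of the Cisco guide or the Security Wizard) shows one way to produce a key that meets the 36-character minimum and to confirm that every Trusted Device received the identical key. The function names, the letters-and-digits alphabet, and the truncated SHA-256 fingerprint are assumptions made for this illustration.

```python
import hashlib
import secrets
import string

MIN_PSK_LEN = 36  # minimum length stated for the Trusted Devices panel
# Assumption: letters and digits only, which are easy to retype on each server
ALPHABET = string.ascii_letters + string.digits


def generate_psk(length: int = 48) -> str:
    """Return a random key from the OS CSPRNG; refuse lengths under the minimum."""
    if length < MIN_PSK_LEN:
        raise ValueError(f"key must be at least {MIN_PSK_LEN} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def psk_problems(key: str) -> list[str]:
    """List reasons a candidate key should not be entered as it stands."""
    problems = []
    if len(key) < MIN_PSK_LEN:
        problems.append(f"too short: {len(key)} < {MIN_PSK_LEN}")
    if key != key.strip():
        problems.append("leading or trailing whitespace (often from copy and paste)")
    if any(not c.isprintable() for c in key):
        problems.append("contains a non-printable character")
    return problems


def fingerprint(key: str) -> str:
    """Short SHA-256 tag for comparing the key between servers without showing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


if __name__ == "__main__":
    key = generate_psk()
    print("length:", len(key), "fingerprint:", fingerprint(key))
    # Constructed sample: the same key pasted with a trailing newline
    pasted = key + "\n"
    print(psk_problems(pasted))
    print("fingerprints match:", fingerprint(pasted) == fingerprint(key))
```

Compare fingerprints only for randomly generated keys; a fingerprint of a human-chosen phrase can be used to guess the phrase offline.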
Figure 8. Boundary Device Configuration Panel.
The following image shows the Network Isolation Boundary Devices panel.
The Boundary Device panel (Figure 3) and the preceding panel are loaded from the last configuration saved in the XML Network Isolation configuration file (not the Windows IPsec policy store), if it is available.
In the Boundary Devices panel:
The content of the panel is dynamically modified based on the selection made in the previous panel:
If in the previous panel you have disabled the policy, then the panel elements displayed here are disabled.
If in the previous panel you have selected the browse option, then only the Boundary List of devices is enabled for browsing purposes.
You can add or remove multiple boundary devices.
You can add dynamically detected devices through check boxes.
You can add manually specified devices through a port, an IP address, or a subnet. After specifying the device, you must click Add Device to add the device. The Add button validates the data and checks for duplicate entries before proceeding further.
You can remove a device from the Boundary Devices by selecting it in the Devices List and clicking Remove Selected.
You can narrow down the exception based on:
Direction of traffic: Outbound or Inbound
Protocol: TCP, UDP, ICMP
Any port (only if TCP or UDP selected)
A specific port or All ports
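Each boundary device is an exception to the isolation policy, so it helps to vet the planned list before the maintenance window. The following added example is not the wizard's own validation logic; it is a simplified model (IPv4 only, hypothetical names) of the checks described above: field validation, duplicate detection, and detection of entries already covered by a broader exception.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DIRECTIONS = ("inbound", "outbound")
PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class BoundaryEntry:
    network: ipaddress.IPv4Network  # a single host is held as a /32
    direction: str
    protocol: str
    port: Optional[int]             # None = all ports


def parse_entry(target: str, direction: str, protocol: str,
                port: Optional[int] = None) -> BoundaryEntry:
    """Validate one planned exception and return it in normalised form."""
    direction, protocol = direction.lower(), protocol.lower()
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    if port is not None:
        if protocol == "icmp":
            raise ValueError("a port can be given only for TCP or UDP")
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    # strict=False turns 10.1.2.3/24 into 10.1.2.0/24 so equal ranges compare equal
    network = ipaddress.IPv4Network(target, strict=False)
    return BoundaryEntry(network, direction, protocol, port)


def covering(entries: List[BoundaryEntry], new: BoundaryEntry) -> List[BoundaryEntry]:
    """Existing entries that already allow everything 'new' would allow."""
    return [e for e in entries
            if e.direction == new.direction and e.protocol == new.protocol
            and new.network.subnet_of(e.network)
            and (e.port is None or e.port == new.port)]


def add_entry(entries: List[BoundaryEntry], new: BoundaryEntry) -> bool:
    """Add 'new' unless it is a duplicate or already covered; True if added."""
    if covering(entries, new):
        return False
    entries.append(new)
    return True
```

An entry that `covering` reports as already allowed usually means an earlier exception is broader than intended and is worth narrowing by port or address.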
Figure 9. Network Isolation Confirmation Panel.
The following figure shows the confirmation panel for the Network Isolation utility.
Figure 10. Network Isolation Status Panel.
The following image shows the Network Isolation status panel.
Example of SQL Hardening panels
The following image shows the introductory panel for the SQL Hardening utility.