-
Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
-
Preface
-
Encryption support
-
IPsec and NAT support
-
IPsec with Network Isolation Utility
-
Windows Server 2008 R2 firewall configuration
-
Cisco Unified Contact Center Security Wizard
-
Microsoft Windows
-
SQL Server Hardening
-
Cisco SSL Encryption utility
-
Network Access Protection
-
Microsoft Baseline Security Analyzer
-
Auditing
-
General antivirus guidelines and recommendations
-
Remote administration
-
Additional security best practices
-
Index
-
Feedback
Contents
Network Access Protection
Network Access Protection (NAP) is a platform and solution introduced in Windows Server 2008 R2 that helps to maintain the network's overall integrity by controlling access to network resources based on a client computer's compliance with system health policies. Examples of system health policies include making sure that clients have the latest antivirus definitions and security updates installed, a firewall installed and enabled,etc. If a client is not compliant with the network health requirements, NAP can be configured to limit the client's network access. NAP also provides a mechanism to automatically bring the client back to compliance.
The NAP server validates client health using the system health policies.
The NAP server is supported on Windows Server 2008 R2.
The NAP client is supported on the following operating systems:
How NAP works
When a NAP client attempts to connect to the network, the client's health state is validated against the health requirement policies defined in the Network Policy Server (NPS).
If a client is not compliant with the defined health policies, the administrator can choose to limit the client's access to a restricted network. This restricted network ideally contains health update resources for the client to gain compliance. In this limited access environment, only clients that comply with the health requirement policies are allowed unlimited access to the network. However, the administrator can also define exceptions.
The administrator can choose to configure a monitoring-only environment where the noncompliant client can still be granted full network access. In this environment, the compliant state for each client is logged.
The administrator can also choose to automatically update noncompliant clients with missing software updates to help ensure compliance. In a limited access environment, noncompliant clients will have restricted network access until the updates and configuration changes are completed. In a monitoring-only environment, noncompliant clients will have full access to the network before they are updated with the required changes.
With all these options available, administrators can configure a solution that is best tailored to the needs of their networks.
NoteThe Microsoft literature contains important information about NAP that the user should read to better understand this platform. For the latest information, refer to the Network Access Protection (Microsoft TechNet) at http://technet.microsoft.com/en-us/network/bb545879.
Using Microsoft Windows NAP with Unified CCE
Network Policy Server
As a general rule, do not use a Unified CCE server for any other purpose than for Unified CCE approved software. Therefore, do not run the Network Policy Server on any Unified CCE machine such as ICM, CVP, and so on.
Unified CCE Servers and NAP
NAP can be used in a few different ways. The following are some deployment options a user may consider to use with Unified CCE:
- Unified CCE servers using a limited access environment - NOT SUPPORTED
Warning
In this model, the Unified CCE servers such as the ICM PG, ICM Router, ICM Logger, and ICM AW/HDS would become inaccessible if they fall out of compliance. This would cause the entire call center to go down until machines become compliant again.
- Unified CCE server uses monitoring-only environment This mode could be useful for keeping track of the health status on the Unified CCE servers.
- Unified CCE servers that are exempt from health validation In this mode, the Unified CCE servers will work in a NAP environment but will not become inaccessible from the network. All communications to and from the Unified CCE servers would not be affected by the Unified CCE server's state of health.
Unified CCE Client Machines and NAP
The following contains information regarding Unified CCE client machines and NAP.
- Unified CCE client machines using limited access environment: Systems in this environment must be compliant with all policies that are set up by the network administrator. For example, if an agent desktop is in this environment then the agent would not be able to sign in or contact the Agent PG in any way until the client machine becomes compliant with the NAP policies that are active.
- Unified CCE client machines using monitoring-only environment: Same as above for Unified CCE servers.
- Unified CCE client machines that are exempt from health validation: Same as above for Unified CCE servers.
Additional NAP references
For more information about NAP, see the following references:
- Network Access Protection Design Guide: http://technet.microsoft.com/en-us/library/dd125338(WS.10).aspx
- Windows Server 2008 R2 Networking and Network Access Protection (NAP) by Microsoft Press
- Cisco NAC and Microsoft NAP Interoperability Architecture: http://www.cisco.com/en/US/netsol/ns812/index.html
