About Cisco Unified Contact Center Security Wizard
The Cisco Unified Contact Center Security Wizard is a security deployment tool
for Unified ICM/CCE that simplifies security configuration through its step-by-step
The Security Wizard is a new graphical user interface you can use to configure
security by means of the following Unified ICM/CCE security command-line utilities:
The Windows Hardening Utility
The Windows Firewall
The Network Isolation Utility
The SQL Hardening Utility
The Windows Hardening and Windows Firewall utilities are two command-line
security utilities that have existed since the 7.0 release. The Network
Isolation Utility was introduced after the ICM 7.2 release, and the SQL
Hardening utility was introduced in the ICM
For the descriptions of each of these utilities, see the following
chapters/sections in this guide:
While the Security Wizard does not interfere with applications that
run on the network, run the Security Wizard only during the application
maintenance window because it can potentially disrupt connectivity when you are
setting up the network security.
The Security Wizard works on a Windows Server 2008 platform only.
The Security Wizard is installed by the ICM-CCE-CCH Installer and is placed in
the "%SYSTEMDRIVE%\CiscoUtils\UCCSecurityWizard" directory. You must be
a server administrator to use the features in the Security Wizard.
You can run the wizard using the shortcut installed under
Start > Programs > Cisco Unified CCE Tools > Security
Before you use the wizard, read the chapters in this guide about
each of the utilities included in the wizard to understand what the utilities
When running the Security Wizard, you are provided with a menu list
of the security utilities (the Security Hardening, the Windows Firewall,
Network Isolation Utility, and SQL Utility), and you run each, one at a time.
You can go back and forth on any menu selection to understand what
each one contains. However, after you click the Next button for any particular
feature, you must either complete configuration or click Cancel to go back
to the Welcome page.
The Security Wizard is self-explanatory; each utility has an
introductory panel, configuration panel or panels, a confirmation panel, and a
status panel. The following list provides brief explanations of these panels:
Briefly describes what the specific utility does.
Warns if security utility files are missing or not installed.
Allows you to switch between utilities until you click the
Configuration panel(s): Lists the options you can select to
configure the utility and gathers your configuration input.
Confirmation panel: Allows you to confirm your
configuration choices or to go back and make changes. After you have entered
all the required input, the confirmation panel is displayed and the Next button
is replaced with the Finish button. This indicates that this is your last
chance to make a change to your configuration selections. After you click
Finish, you can no longer go back.
Displays the configuration command with all of its required
Displays the streaming output of the configuration command
while it is executing in the background.
"Configuration Complete" and enables the
"Go back to Welcome Panel" button after the command
execution is complete.
What to Do Next
The defaults are set to the recommended values and warnings are
displayed if you make a selection that could cause a problem.
In the rare event that the back-end utility script dies, a temporary
text file created in the UCCSecurityWizard folder is not deleted. This text
file contains command-line output, which you can use to debug the
Example of Security Wizard usage
The following image shows the Cisco Unified Contact Center Security
Wizard introductory panel.
Figure 1. Security Wizard Welcome Window
The Security Wizard requires the command line utilities to be
installed on the system to configure security. It will detect if a utility is
not installed and notify the user.
The Security Wizard can execute on all Unified ICM or Unified CCE servers but
will not execute on a Domain Controller.
Example of Windows Firewall configuration panels
The following image shows the
introductory panel for the Windows Firewall Wizard.
Figure 2. Windows Firewall Wizard Introduction Panel
get a message in this panel if the selected utility has not been installed on
The following image shows the Firewall configuration
Figure 3. Windows Firewall Configuration Options Panel
In the Security Wizard Firewall Configuration panel, you
Configure a Windows firewall for your
Unified ICM or Unified CCE system.
Undo firewall configuration settings that were previously
Restore to Windows Default.
Default Windows firewall configuration is not compatible with the
Unified ICM application.
Disable the Windows
Edit the Unified ICM Firewall
Exceptions XML file. Clicking the Edit ICM Firewall Exceptions
XML button opens that XML file in Notepad. You must save the file and
close it before continuing with the wizard.
The Windows Firewall Configuration Utility:
Must be executed after the Unified ICM application is
Automatically detects Unified ICM components installed and
configures the Windows Firewall accordingly.
Can add custom exceptions such as an exception
Is installed by default on all
Unified ICM and Unified CCE
The following image shows the configuration panel for Trusted Devices.
Figure 7. Trusted Devices Configuration Panel
This panel and
the next panel are loaded from the last configuration saved in the XML Network
Isolation configuration file (not the Windows IPsec policy store), if it is
The Trusted Devices panel:
Shows the current status of the policy.
Can be used to enable, modify, browse, or disable the policy.
To enable or modify a device as Trusted, you must enter a Preshared Key of 36
characters or more. The length of the key typed in is displayed and updated as
you enter it to help you enter the correct length.
You can permanently delete the Network Isolation Utility policy through the
command line only.
You must use the same Preshared Key on all
Trusted Devices or else network connectivity between the Trusted Devices will
The following image shows the Network Isolation Boundary Devices panel.
Figure 8. Boundary Device Configuration Panel
Device panel (Figure 3) and the preceding panel are loaded from the last
configuration saved in the XML Network Isolation configuration file (not the
Windows IPsec policy store), if it is available.
the Boundary Devices panel:
content of the panel is dynamically modified based on the selection made in the
If in the previous panel you
have disabled the policy, then the panel elements displayed here are
If in the previous panel you have
selected the browse option, then only the Boundary List of devices is enabled
for browsing purposes.
You can add or remove multiple boundary devices.
You can add dynamically detected devices through check boxes.
You can add manually specified devices through a port, an IP address, or a subnet.
After specifying the device, you must click Add Device to add
The Add button validates the data and checks for
duplicate entries before proceeding further.
You can remove a device from the Boundary Devices by selecting it in the
Devices List and clicking Remove Selected.
You can narrow down the exception based on:
Direction of traffic: Outbound or Inbound
TCP, UDP, ICMP
Any port (only if TCP or UDP
A specific port or All ports
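A pre-check of a planned boundary-device list against the rules listed above (duplicate detection, Inbound or Outbound, TCP/UDP/ICMP, a port only for TCP or UDP) can catch mistakes before the maintenance window. This is an added example, not Cisco code and not the wizard's own validation; the entry fields (target, direction, protocol, port), the function names and the sample addresses are assumptions.

```python
import ipaddress

DIRECTIONS = {"inbound", "outbound"}
PROTOCOLS = {"tcp", "udp", "icmp"}

def normalize(entry):
    """Return a canonical tuple for one planned exception, or raise ValueError."""
    direction = entry["direction"].strip().lower()
    protocol = entry["protocol"].strip().lower()
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be Inbound or Outbound: {direction!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be TCP, UDP or ICMP: {protocol!r}")
    # Device given as IP address or subnet; None means "identified by port only".
    # strict=False maps 203.0.113.77/28 to 203.0.113.64/28 so duplicates compare equal.
    target = entry.get("target")
    if target is not None:
        target = str(ipaddress.ip_network(target, strict=False))
    port = entry.get("port", "all")
    if protocol == "icmp":
        if port != "all":
            raise ValueError("a port applies only when the protocol is TCP or UDP")
    elif port != "all":
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if target is None and port == "all":  # assumption: an entry must name something
        raise ValueError("entry names neither a device nor a specific port")
    return (target, direction, protocol, port)

def review(entries):
    """Split a plan into accepted canonical tuples and (index, reason) rejections."""
    accepted, rejected = [], []
    for i, entry in enumerate(entries):
        try:
            key = normalize(entry)
            if key in accepted:
                raise ValueError("duplicate of an earlier entry")
            accepted.append(key)
        except (ValueError, KeyError) as exc:
            rejected.append((i, str(exc)))
    return accepted, rejected

# Constructed sample plan (documentation-range addresses, not from the Cisco guide).
PLAN = [
    {"target": "192.0.2.10", "direction": "Outbound", "protocol": "TCP", "port": 443},
    {"target": "192.0.2.10/32", "direction": "outbound", "protocol": "tcp", "port": "443"},
    {"target": "198.51.100.0/24", "direction": "Inbound", "protocol": "ICMP", "port": 8},
    {"target": "203.0.113.77/28", "direction": "Inbound", "protocol": "UDP"},
    {"direction": "Inbound", "protocol": "TCP", "port": 70000},
]
```

Calling review(PLAN) returns the accepted entries in canonical form and, for each rejected entry, its index in the plan with the reason.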
The following figure shows the confirmation panel for the Network Isolation
Figure 9. Network Isolation Confirmation Panel
The following image shows the Network Isolation status panel.
Figure 10. Network Isolation Status Panel
Example of SQL Hardening panels
The following image shows the introductory panel for the SQL Hardening