Other Cisco Call Center Applications
The following sections discuss security considerations for other Cisco Call Center applications.
Cisco Unified ICM Router
The file dbagent.acl is an internal, background file. Do not edit this file. However, this file must have the READ permission set, so that the file can allow users to connect to the router's real-time feed.
Peripheral Gateways (PGs) and Agent Login
There is a rate limit of Unified CCE agent login attempts with incorrect password. By default, the agent account is disabled for 15 minutes after three incorrect password attempts, counted over a period of 15 minutes.
You can change this default by using registry keys. The registry keys are under: HKLM\SOFTWARE\Cisco Systems, Inc.\\ICM\<inst>\PG(n)[A/B]\PG\CurrentVersion\PIMS\pim(n)\EAGENTData\Dynamic
The registry keys include the following:
AccountLockoutDuration: Default. After the account is locked out because of unsuccessful login attempts, this value is the number of minutes the account remains locked out.
AccountLockoutResetCountDuration: Default 15. Number of minutes before the AccountLockoutThreshold count goes back to zero. This value is applicable when the account does not get locked out, but you have unsuccessful login attempts that are less than AccountLockoutThreshold.
AccountLockoutThreshold: Default 3. Number of unsuccessful login attempts after which the account is locked out.
Cisco CTI Object Server (CTI OS)
In the CTI OS System Manager Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted:
Desktop Users: The section "Desktop User Accounts" contains instructions for configuring privileges for desktop users.
CTI OS and Monitor Mode Connection
There is a rate limit on Monitor Mode connection. When TLS is enabled and a password is required, Monitor Mode is disabled for 15 minutes after three incorrect password attempts (configurable). Counter resets on a valid login. Refer to the CTI OS System Manager Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted for more information.
Cisco Agent Desktop
Check the Cisco Agent Desktop documentation for information about required privileges and other topics that have an impact on security.
The CTI OS (C++/COM toolkit) and CAD agent desktop servers both support TLS encryption to the server. This encryption protects agent sign-in and CTI data from snooping. A mutual authentication mechanism enables the CTI OS Server and client to agree on a cipher suite for authentication, key exchange, and stream encryption. The cipher suite used is as follows:
Key exchange: DH
Encryption: AES (128)
Message digest algorithm: SHA1
The following figure shows the encryption implementation's use of X.509 certificates on the agent desktops and on the servers. The implementation supports the integration with a Public Key Infrastructure (PKI) for the most secure deployment. By default, the application installs and relies on a self-signed certificate authority (CA) to sign client and server requests. However, Cisco supports integration with a third-party CA. This mechanism is the preferred method because of the increased security provided by a corporate-managed CA or external authority such as VeriSign.
The following figure shows the Certificate Authority enrollment procedure to generate certificates used by the agent and the servers. The agent desktop certificate enrollment process is manual. The process requires the creation of certificate signing requests (CSRs) at each endpoint. The CSRs are then transferred to the certificate authority responsible for signing and generating the certificates.
Cisco Finesse supports HTTPS for the Administration Console and Agent and Supervisor Desktops. HTTPS is not supported for Agent and Supervisor Desktops in large deployments (over 1000 agents).
Unified IP Phone Device Authentication
- Device Identity — Mutual authentication using X.509 certificates
- Signaling Integrity — SCCP/SIP messages authenticated using HMAC-SHA-1
- Signaling Privacy — SCCP/SIP message content encrypted using AES-128-CBC
Media Encryption (SRTP) Considerations
Certain IP phones support Secure Real-Time Transport Protocol (SRTP). Before enabling SRTP in your deployment, consider the following points:
The Unified CVP VXML Browser does not support SRTP.
Deployments that use span-based silent monitoring do not support SRTP.
Mobile Agents cannot use SRTP.
The Cisco Outbound Option Dialers do not support SRTP. While calls are connected to the Dialer, the calls cannot use SRTP. But, calls can negotiate SRTP once the call is no longer connected to the Dialer.
IP Phone Hardening
- PC Voice VLAN Access
- Indicates whether the phone will allow a device attached to the PC port to access the Voice VLAN. Disabling Voice VLAN Access will prevent the attached PC from sending and receiving data on the Voice VLAN. It will also prevent the PC from receiving data sent and received by the phone. Disabling this feature will disable desktop-based monitoring and recording.
- Setting: Enabled (default)
- Span to PC Port
- Indicates whether the phone will forward packets transmitted and received on the Phone Port to the PC Port. To use this feature, PC Voice VLAN access must be enabled. Disabling this feature will disable desktop-based monitoring and recording.
- Setting: Enabled
- Gratuitous ARP
- Indicates whether the phone will learn MAC addresses from Gratuitous ARP responses.
- Setting: Disabled