Cisco Reverse Proxy Installer Owner's Manual

Overview

The Cisco Reverse Proxy Installer (referred to as RP Installer in this document) is a component of the Cisco Unified CCE solution. It offers a ready-made reverse proxy solution (based on OpenResty Nginx) for Unified CCE, featuring built-in, battle-tested configurations. These configurations can be used to proxy other Unified CCE components and external applications, such as ADFS, which are commonly used when deploying Unified CCE.

The RP Installer has been pre-tested and load-qualified for various usage scenarios across the deployment models supported by the Unified CCE solution.

The RP Installer facilitates access to the Unified CCE solution from the internet and is typically set up to provide VPN-less access to the Finesse Agent Desktop or enable advanced functionalities like digital channels that require direct internet ingress.

The RP Installer is intended to be deployed in a Demilitarized Zone (DMZ) on a customer-provided and hardened host running the RHEL 9.4 Operating System. The pre-configured proxying rules allow for the proxying of the following components through data-driven configuration files:

  • Cisco Finesse
  • Cloud Connect
  • Cisco Unified Intelligence Center
  • Live Data
  • Cisco Identity Service
  • Cisco IM&P Server
  • Microsoft ADFS 3.0 or 5.0

Attention
The term “upstream servers” is used in this guide to refer to all the solution components, such as Finesse, CUIC, IdS, and IM&P servers, that are configured to be accessed through the reverse proxy.

Prerequisites

To configure VPN-less access to the Finesse desktop:

  • Reverse Proxy Installer must be 15.0(1) or above.
  • Finesse, IdS, and Cisco Unified Intelligence Center must be 12.6(2) ES4 or above.
  • In coresident deployments, LiveData and Cisco Unified Intelligence Center should be 12.6(2) or above.
  • Unified CCE and LiveData standalone must be 12.6(1) or above with the latest ES for the respective versions.
  • Cisco IM&P Server
  • DMZ with internet connectivity must be available to host the reverse-proxy.

Security

The RP Installer is not an open proxy; it authenticates all requests before forwarding them to the appropriate upstream server. The upstream servers also enforce local authentication before processing the requests.

Beyond authentication, there are several additional security measures available to protect the solution. Details about security can be found in the Security chapter.

For information about security guidelines, see the Security Guidelines for Reverse-Proxy Deployment in Security Guide for Cisco Unified ICM/Contact Center Enterprise.

For more information on authentication, refer to Authentication.

Host Mapping File for Network Translation

Reverse-proxy deployment relies on a mapping file provided by the administrator to configure the list of externally visible hostname/port combinations and their mapping to the actual server names and ports that are used by the Finesse, IdS, and CUIC servers. This mapping file, which is configured on the upstream servers, is the key configuration that allows the clients connected over the internet to be redirected to the required hosts and ports that are used on the internet. For more information on the mapping, refer to Populate Network Translation Data.

Note
It is recommended to use a dedicated web server within the LAN to host the mapping file, rather than using the Reverse Proxy Installer for this purpose.

For all requests that come through the reverse proxy, the Finesse, IdS, and CUIC servers check the host mapping file to translate the internal host names and ports that are used on the LAN. They are translated to the publicly resolvable host names and ports that have to be used on the internet. This mapping file, referred to as the proxy-config map file, is the key configuration that allows the clients connected over the reverse proxy to be redirected to the required hosts and ports that are used on the internet.

The proxy-config map file can be configured by using the CLI available on the Finesse, IdS, and CUIC servers. For information on the map file format and the configured data, refer to the Populate Network Translation Data section. For details on the CLI used to configure the file, refer to the utils system reverse-proxy config-uri CLI in the topic Configure Proxy Mapping by Using CLI.

The proxy-config map file can be configured by using the CLI available on the Unified CCX servers and the Cisco Collaboration Platform servers. For information on the map file format and the configured data, refer to the Populate Network Translation Data section in Cisco Unified Contact Center Express Administration and Operations Guide. For details on the CLI used to configure the file, refer to the Configure Proxy Mapping by Using CLI section in Cisco Unified Contact Center Express Administration and Operations Guide available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-express/products-maintenance-guides-list.html.

Port Management

One of the primary design considerations in a reverse-proxy deployment is the domain and the ports used to access the application. These aspects are interdependent and affect each other when designing the deployment.

The reverse proxy must be able to determine to which upstream server an incoming request should be forwarded. This can be done by varying either the port or the hostname used to access the application. Essentially, the combination of host and port must be unique for the proxy to differentiate and route to the correct upstream component, and it is a requirement for the proxy to even start correctly.

The options available for designing the domain and port access are therefore:

  • Use a common domain and differentiate application access using multiple ports.
  • Use a common port and differentiate application access using multiple domains.

Once the domain and port allocation has been decided, the following steps need to be performed:

  1. Proxy map configuration has to be changed to match the port and domain required. See Configure Proxy Mapping by Using CLI.
  2. The respective upstream component environment configuration in the reverse proxy installer has to be configured with the required hostname and port. See Configure deployment environment configurations.

Using a common domain with multiple ports

The following example illustrates how multiple application servers can be configured using this access pattern:

The following are the benefits of using multiple ports:

  • More granular packet level rate-limits applicable to each application can be applied at the ingress point to control rate-limits. Domain-level access means that the rate-limits can’t be granular.
  • A single domain requires only a single SSL certificate to access the application. It could be a factor in reducing costs, unlike a multiple-domain application which requires a wildcard certificate.

The following are the disadvantages in using multiple ports:

  • Certain network deployments like CDNs don’t support custom ports.
  • Security devices that automatically apply security rules might require custom configurations with non-standard ports.
  • Multiple ports must be opened in the DMZ firewall (10–15 ports are required for a standard 2k deployment). This isn’t recommended by the network security teams.
  • There’s an increased overhead regarding the port manageability.
  • Deploying new instances of the application requires firewall/network changes.

Note
Ports other than the ones mentioned in the Proxy Map must be blocked and shouldn’t be available for access on the reverse proxy host. This must be blocked at the ingress point as the proxy doesn’t currently have rules to block this access at network level.

The Cisco-provided installer supports running multiple instances which cater to different sets of upstream servers, to aid in ease of maintenance. Multiple instances of the installer can't use the same ports across different instances of the proxy, because only one process can bind to the same TCP port.

Consider the above two points when deciding the port management strategy against proxy installer configuration.
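
An added example, not part of the Cisco manual or the installer: a Python check of a host/port allocation plan against the rules above (unique host and port combination, no port shared between installer instances) that also derives the ingress allowlist and flags listeners outside it. The plan layout, instance names, hostnames and port numbers are constructed for illustration and are not the proxy map or installer file format.

```python
from collections import defaultdict

# Constructed sample plan: (installer instance, component, public host, public port).
# This tuple layout is hypothetical, not the installer's or the proxy map's format.
PLAN = [
    ("rp-a", "finesse", "cc.example.com", 8445),
    ("rp-a", "ids",     "cc.example.com", 8553),
    ("rp-a", "cuic",    "cc.example.com", 8444),
    ("rp-b", "finesse", "cc.example.com", 8445),    # reuses rp-a's endpoint
    ("rp-b", "ids",     "ids2.example.com", 8554),
]

def check_plan(plan):
    """Return (errors, allowed_ports) for a host/port allocation plan."""
    errors = []
    by_endpoint = defaultdict(list)   # (host, port) -> components mapped to it
    by_port = defaultdict(set)        # port -> installer instances that bind it
    for instance, component, host, port in plan:
        by_endpoint[(host.lower(), port)].append(f"{instance}/{component}")
        by_port[port].add(instance)
    # Rule 1: each host:port combination must identify exactly one upstream.
    for (host, port), users in sorted(by_endpoint.items()):
        if len(users) > 1:
            errors.append(f"{host}:{port} is not unique: {', '.join(users)}")
    # Rule 2: two installer instances cannot bind the same TCP port.
    for port, instances in sorted(by_port.items()):
        if len(instances) > 1:
            errors.append(f"port {port} bound by several instances: "
                          f"{', '.join(sorted(instances))}")
    # Only the planned ports should be reachable through the DMZ firewall.
    return errors, sorted(by_port)

def unexpected_listeners(listening_ports, allowed_ports):
    """Ports open on the proxy host that the plan does not cover."""
    return sorted(set(listening_ports) - set(allowed_ports))

if __name__ == "__main__":
    errors, allowed = check_plan(PLAN)
    for message in errors:
        print("ERROR:", message)
    print("Ingress allowlist:", allowed)
    # Constructed listener list, as could be collected on the proxy host.
    print("Block at ingress:",
          unexpected_listeners([22, 8444, 8445, 8553, 9100], allowed))
```

The same check accepts a common-port plan: entries that share one port within a single instance pass as long as their hostnames differ.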

Using a common port with multiple domains

The following example illustrates how multiple application servers can be configured using this access pattern:

The single-port configuration reverses the pros and cons listed above for the multiple-port configuration.

Note
Supporting a single port of access requires Unified Intelligence Center and LiveData components to be on 12.6(2) versions.

DNS Configuration for Finesse, IdS, and CUIC Servers

Each Finesse, IdS, CUIC, IM&P, and third-party component server corresponding to a host that requires internet access must be addressable from the internet. This calls for a hostname and associated port that are resolvable from the internet to be mapped to the corresponding external port and IP of the reverse proxy, so that the traffic is directed to the respective component servers.

DNS registration of the publicly resolvable host names and the corresponding IP addresses is mandatory before the requests reach the reverse-proxy.

SSL Certificates

For the hostnames that are configured, corresponding to each unique hostname that is used by the internet client, the respective certificates must be acquired and configured on the reverse-proxy. Even though self-signed certificates are supported, they are risky because the users access directly from the internet. The clients can be more secure by using CA-signed certificates. The best practice is to get CA certificates for proxy servers and third-party-gadget servers.