Cisco Reverse Proxy Installer Owner's Manual

Overview

The Cisco Reverse Proxy Installer (referred to as RP Installer in this document) is a component of the Cisco Unified CCE solution. It offers a ready-made reverse proxy solution (based on OpenResty Nginx) for Unified CCE, featuring built-in, battle-tested configurations. These configurations can be used to proxy other Unified CCE components and external applications, such as ADFS, which are commonly used when deploying Unified CCE.

The RP Installer has been pre-tested and load-qualified for various usage scenarios across the deployment models supported by the Unified CCE solution.

The RP Installer facilitates access to the Unified CCE solution from the internet and is typically set up to provide VPN-less access to the Finesse Agent Desktop or enable advanced functionalities like digital channels that require direct internet ingress.

The RP Installer is intended to be deployed in a Demilitarized Zone (DMZ) on a customer-provided and hardened host running the RHEL 9.4 Operating System. The pre-configured proxying rules allow for the proxying of the following components through data-driven configuration files:

  • Cisco Finesse
  • Cloud Connect
  • Cisco Unified Intelligence Center
  • Live Data
  • Cisco Identity Service
  • Cisco IM&P Server
  • Microsoft ADFS 3.0 or 5.0

Attention
The term “upstream servers” is used in this guide to refer to all the solution components such as Finesse, CUIC, IdS, and IM&P servers that are configured to be accessed through the reverse proxy.

Prerequisites

To configure VPN-less access to the Finesse desktop:

  • Reverse Proxy Installer must be 15.0(1) or above.
  • Finesse, IdS, and Cisco Unified Intelligence Center must be 12.6(2) ES4 or above.
  • In coresident deployments, LiveData and Cisco Unified Intelligence Center should be 12.6(2) or above.
  • Unified CCE and LiveData standalone must be 12.6(1) or above with the latest ES for the respective versions.
  • Cisco IM&P Server
  • DMZ with internet connectivity must be available to host the reverse-proxy.

Security

The RP Installer is not an open proxy; it authenticates all requests before forwarding them to the appropriate upstream server. The upstream servers also enforce local authentication before processing the request.

Beyond authentication, there are several additional security measures available to protect the solution. Details about security can be found in the Security chapter.

For information about security guidelines, see the Security Guidelines for Reverse-Proxy Deployment in Security Guide for Cisco Unified ICM/Contact Center Enterprise.

For more information about authentication, see Authentication.

Host Mapping File for Network Translation

The reverse-proxy deployment relies on a mapping file provided by the administrator to configure the list of externally visible hostname/port combinations and their mapping to the actual server names and ports that are used by the Finesse, IdS, and CUIC servers. This mapping file, which is configured on the upstream servers, is the key configuration that allows the clients connected over the internet to be redirected to the required hosts and ports that are used on the internet. For more information about the mapping, see Populate Network Translation Data.

Note
It is recommended to use a dedicated web server on the LAN to host the mapping file, instead of using the Reverse Proxy installer for this purpose.

For all requests that come through the reverse proxy, the Finesse, IdS, and CUIC servers check the host mapping file to translate the internal host names and ports that are used on the LAN. They are translated to the publicly resolvable host names and ports that have to be used on the internet. This mapping file, referred to as the Proxy-config map file, is the key configuration that allows the clients connected over the reverse proxy to be redirected to the required hosts and ports that are used on the internet.

The Proxy-config map file can be configured by using the CLI available on the Finesse, IdS, and CUIC servers. For details about the mapping file format and the data configured, see the section Populate Network Translation Data. For details about the CLI used to configure the file, refer to the utils system reverse-proxy config-uri CLI in the topic Configure Proxy Mapping by Using CLI.

The Proxy-config map file can be configured by using the CLI available on the Unified CCX server and the Cisco Collaboration Platform server. For details about the mapping file format and the data configured, see the section Populate Network Translation Data in Cisco Unified Contact Center Express Administration and Operations Guide. For details about the CLI used to configure the file, refer to the Configure Proxy Mapping by Using CLI section in Cisco Unified Contact Center Express Administration and Operations Guide available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-express/products-maintenance-guides-list.html.

Port Management

One of the key design aspects of deploying a reverse proxy is the domain and the ports used to access the applications. These aspects are interdependent and influence each other when designing the deployment.

The reverse proxy must be able to determine which upstream server an incoming request has to be forwarded to. This can be done by varying the port or the hostname used to access the application. In essence, the combination of host and port must be unique so that the proxy can differentiate and route traffic to the correct upstream component, and this is a requirement for the proxy to start correctly.

The following are the options available for designing domain and port access:

  • Use a common domain and differentiate application access using multiple ports.
  • Use a common port and differentiate application access using multiple domains.

After the domain and port distribution is determined, the following steps must be performed:

  1. Proxy map configuration has to be changed to match the port and domain required. See Configure Proxy Mapping by Using CLI.
  2. The respective upstream component environment configuration in the reverse proxy installer has to be configured with the required hostname and port. See Configure deployment environment configurations.

Using a common domain with multiple ports

The following example illustrates how multiple application servers can be configured using this access pattern:

The following are the benefits of using multiple ports:

  • More granular packet level rate-limits applicable to each application can be applied at the ingress point to control rate-limits. Domain-level access means that the rate-limits can’t be granular.
  • A single-domain requires only a single SSL certificate to access the application. It could be a factor in reducing costs, unlike a multiple-domain application which requires a wildcard certificate.

The following are the disadvantages of using multiple ports:

  • Certain network deployments like CDNs don’t support custom ports.
  • Security devices that automatically apply security rules might require custom configurations with non-standard ports.
  • Multiple ports must be opened in the DMZ firewall (10–15 ports are required for a standard 2k deployment). This isn’t recommended by the network security teams.
  • There’s an increased overhead regarding the port manageability.
  • Deploying new instances of the application requires firewall/network changes.

Note
Ports other than the ones mentioned in the Proxy Map must be blocked and shouldn’t be available for access on the reverse proxy host. This must be blocked at the ingress point as the proxy doesn’t currently have rules to block this access at network level.

The Cisco-provided installer supports running multiple instances which cater to different sets of upstream servers, to aid in ease of maintenance. Different instances of the proxy can't use the same ports, because only one process can bind to a given TCP port.

Consider the above two points when deciding the port management strategy against proxy installer configuration.
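
The port-management rules above (a unique host and port combination per upstream, no port shared between installer instances, and every port outside the proxy map blocked at ingress) can be checked before deployment. The following is an added example, not Cisco's code or the installer's file format; the plan rows, hostnames, port numbers and function names are constructed for illustration, and all instances are assumed to run on the same host.

```python
from collections import defaultdict

# Constructed deployment plan (not Cisco's proxy-map file format): each row is
# (installer instance, public hostname, public port, upstream host:port).
PLAN = [
    ("rp-a", "cc.example.com", 8445, "finesse1.lan.example:8445"),
    ("rp-a", "cc.example.com", 8553, "ids1.lan.example:8553"),
    ("rp-a", "cc.example.com", 8444, "cuic1.lan.example:8444"),
    ("rp-b", "cc.example.com", 8445, "finesse2.lan.example:8445"),  # clashes with rp-a
]

def check_plan(plan):
    """Return a list of problems that would stop the proxy routing or starting."""
    problems = []
    routes = defaultdict(set)    # (public host, public port) -> upstreams
    binders = defaultdict(set)   # public port -> installer instances binding it
    for instance, host, port, upstream in plan:
        routes[(host.lower(), port)].add(upstream)
        binders[port].add(instance)
    # Rule 1: a host/port pair must identify exactly one upstream.
    for (host, port), upstreams in sorted(routes.items()):
        if len(upstreams) > 1:
            problems.append(f"{host}:{port} is ambiguous: {sorted(upstreams)}")
    # Rule 2: only one process can bind a TCP port, so instances cannot share one.
    for port, instances in sorted(binders.items()):
        if len(instances) > 1:
            problems.append(f"port {port} bound by several instances: {sorted(instances)}")
    return problems

def ingress_allowlist(plan):
    """Ports the DMZ firewall may open; everything else is blocked at ingress."""
    return sorted({port for _, _, port, _ in plan})

def ports_to_block(plan, listening_ports):
    """Ports open on the proxy host that the plan does not account for."""
    return sorted(set(listening_ports) - set(ingress_allowlist(plan)))

if __name__ == "__main__":
    for problem in check_plan(PLAN):
        print("PROBLEM:", problem)
    print("allow:", ingress_allowlist(PLAN))
    # 22 and 9100 stand in for extra ports found listening on the host (constructed).
    print("block:", ports_to_block(PLAN, [22, 8444, 8445, 8553, 9100]))
```

A single-port, multiple-domain plan passes the same checks only when every hostname on the shared port is served by one installer instance.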

Using a common port with multiple domains

The following example illustrates how multiple application servers can be configured using this access pattern:

The single-port configuration reverses the pros and cons listed above for the multiple-port configuration.

Note
Supporting a single port of access requires Unified Intelligence Center and LiveData components to be on 12.6(2) versions.

DNS Configuration for Finesse, IdS, and CUIC Servers

Each Finesse, IdS, CUIC, IM&P, and corresponding third-party component server and host that requires internet access must be addressable from the internet. This calls for internet-resolvable host names and their associated ports to be mapped to the public port and corresponding IP of the reverse proxy, so that the traffic is directed to the respective component servers.

DNS registration of the publicly resolvable host names and the corresponding IP addresses is mandatory before the requests reach the reverse-proxy.

SSL Certificates

For the hostnames that are configured, corresponding to each unique hostname that is used by the internet client, the respective certificates must be acquired and configured on the reverse-proxy. Even though self-signed certificates are supported, they are risky because the users access directly from the internet. The clients can be more secure by using CA-signed certificates. The best practice is to get CA certificates for proxy servers and third-party-gadget servers.