Separating Proximity and Admin-Interface

Florian Zahn
Level 4

Hello,

Is there a way to let our users use Proximity without exposing the admin interface of our telepresence systems?

Because all our telepresence systems are registered on our CUCMs, they share the network as DHCP clients with normal IP phones.

To get Proximity working, we need to give the clients access to port 443 (HTTPS) to this network. This means that users can not only use Proximity, but also access the administrative interface of the telepresence systems and IP phones. I think that this is unacceptable, not only in our company.

Is there a way to separate this? So that the Proximity service listens on a different port than the admin interfaces?

Thanks for help

regards

Florian

Accepted Solutions

Wayne DeNardi
VIP Alumni

If you have admin username/password combinations on your endpoints, then the users, unless they know the credentials, will not be able to change any settings on the endpoints by accessing the web browser interfaces.

If you don't have your endpoints' web interfaces protected with something other than the default admin username and password, it's strongly recommended to do so.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.


4 Replies

Although restricting access via auth is possible, it would be preferential to block this further upstream. This is particularly relevant for any environments where there is a desire to provide proximity access from guest networks.

I'm sure the problem is already being considered, but it appears a simple solution would be to have the proximity server operate on an alternative port in future firmware.

Hi Wayne,

I do not agree with that. It was and it is always best practice to hide administrative interfaces from normal users. Nobody can hack into a system that he is unable to access at all. Deploying Proximity in a typical enterprise environment means giving access from internal networks and guest networks as well, so also guests can share their screens via Proximity.

So in my opinion it's not acceptable to have the admin page also reachable for guests...

Perhaps Cisco should reconsider, if this is really a good idea and not a showstopper for many enterprises to deploy Proximity within their networks.

Regards

Florian

This is actually a planned feature, just not a prioritized one right now. Sorry about that.
