Reverse proxy between agent browser and Finesse server

Our PCCE is in a dedicated network at our customer premises.

The contact center operators are in a different (client) network that is separated from the CC network.

Thus, to use Finesse the customer wants to use a reverse proxy that maps all access URLs (e.g. https://<finesse FQDN>/desktop/…) to a particular URL (e.g. https://<another FQDN>:<a port>/). This mapping is called a “junction”.

Normally, when you log in to Finesse, you get 4 requests to create exceptions to certificates, using variations of the main URL on port 7443.

The customer doesn’t like this, so we let them sign Finesse Tomcat certificate with their internal CA, we uploaded it on Finesse and now when accessing Finesse with the standard URL everything works and the browser doesn’t show any red alert.

But when using the junction, Finesse asks again for the certificate acceptance on port 7443, but it mixes the finesse FQDN with the junction FQDN, so that it is not possible to reach the pages (they don’t actually exist).

I suspect (but I am not an expert) that some links requested by the Finesse login are static while others are dynamic.

Is there any documented or known way to have operators access Finesse that is behind a reverse proxy?

Accepted Solutions

tephipps
Cisco Employee

Finesse supports a load balancer in redirect mode now.  The Finesse users can point their browsers to a LB and then the LB will redirect the agent to the appropriate Finesse server. 

Would that work?

We looked into the reverse proxy idea and it isn't going to work.

Hello

I could get Finesse OOB container (the standard Finesse), CUIC and eGain for PCCE 10.5 working across a Reverse Proxy in both http and https mode.

I tested most of the functionalities, including Finesse cluster fail-over, CUIC reporting, eGain email/chat, and all basic functionalities seem to work.

Testing was based on Apache 2.4 configured as Reverse Proxy.

Although no change was required for Finesse, CUIC and eGain (default installation, no hacking), this setup is not supported by Cisco TAC since it is pure configuration of a non-Cisco component (the reverse proxy), which could affect the behavior of standard Cisco applications.

The customer has to be aware that any issue must be replicated in a supported deployment (no reverse proxy, straight connection) in order to claim support.

It was a huge effort and extensive use of personal time, all dedicated to reverse engineering of sniffed http traffic, as well as research and troubleshooting work.

The outcome consists of guidelines and a reverse proxy sample configuration.

How it works:

Browser <= Front-end Network => RP <= Back-end Network => (Finesse, CUIC, eGain…)

All Front-end DNS hostnames (the ones defined in the RP, let’s say RP hostname) start with rpx-<hostname>.cisco.com

All Back-end DNS hostnames (the ones in the datacenter) start with rmlab-<hostname>.rmpoc.cisco.com

Example:

Browser points to rpx-finesse-a/b.cisco.com.

Reverse Proxy elaborates the traffic for rmlab-poc-ccd-a/b.rmpoc.cisco.com

Notes:

Finesse Back-end connects to CUIC through the RP to avoid a certificate mismatch if you are on SSL.

The Finesse layout will refer to LiveData and CUIC Reports permalinks using the RP hostname and not the CUIC back-end hostname.

Example, in Finesse Layout.xml you will have:

  <gadget>https://rpx-cuic.cisco.com:8444/cuic/gadget/LiveData/LiveDataGadget.jsp?gadgetHeight=310&viewId=99E6C8E210000141000000D80A0006C4&filterId=agent.id=CL%20teamName</gadget>

For this reason, the Back-end DNS also has to resolve CUIC routing using the RP name (rpx-cuic.cisco.com), pointing to the back-end interface of the Reverse Proxy server.

It is required to manually create self-signed certificates for rpx-cuic.cisco.com to be imported into Finesse a/b as tomcat-trust.

Further testing on 11.5 will be done once available, including SSO.

If you are interested in the guidelines, please contact me.

Regards

Marco

Hi Marco,

I am playing with a similar setup in my lab on Finesse 11 and CUIC. I would appreciate it if you can share the guidelines you have created.

Ash

mpirrone
Cisco Employee

Hi Ashish

I can share with you my Apache working config.

You should analyze the config and try it out.

It should stick with that config.

Regards

Marco

Thanks Marco


Based on the posted configuration, here's my working updated version for 11.5 PCCE and Apache 2.4.

Notes:

  • In httpd.conf, the following line needs to be uncommented:
    • #LoadModule substitute_module modules/mod_substitute.so
  • Apache is set for hot standby for the second endpoint.

<VirtualHost *:443>
  ServerName      rpx-finesse-a.cisco.com
  ServerAdmin     admin@rpx-finesse-a.cisco.com
  ErrorLog        "|/sw/apache/httpd/prod/bin/rotatelogs /sw/apache/httpd/prod/logs/rpx-finesse-ssl_error_log.%Y-%m-%d-%H_%M_%S  100M"
  CustomLog       "|/sw/apache/httpd/prod/bin/rotatelogs /sw/apache/httpd/prod/logs/rpx-finesse-ssl_access_log.%Y-%m-%d-%H_%M_%S  100M" combined
  #
  # TLS towards the browser (front-end side)
  SSLEngine on
  SSLCipherSuite AES256-SHA:AES128-SHA
  SSLCertificateFile      conf/vhosts.d/ssl.crt/rpx-finesse-a.crt
  SSLCertificateKeyFile   conf/vhosts.d/ssl.key/rpx-finesse-a.key
  SSLCertificateChainFile conf/vhosts.d/ssl.crt/rpx-finesse-a.crt
  #
  # TLS towards the back-end servers
  SSLProxyEngine on
  #
  <Location />
    # Allow access from client
    Require ip 192.
    #
    # Pass response bodies through mod_substitute
    FilterDeclare Substitute
    FilterProvider Substitute SUBSTITUTE "%{REQUEST_URI} =~ /(.+)$/"
    FilterChain +Substitute
    #
    AddOutputFilterByType SUBSTITUTE image/png image/jpeg text/html text/css text/javascript application/octet-stream application/json
    # Replace back-end host:port references with the front-end (RP) hostnames
    Substitute "s|rmlab-poc-ccd-a.rmpoc.cisco.com:8444|rpx-finesse-a.cisco.com|i"
    Substitute "s|rmlab-poc-ccd-b.rmpoc.cisco.com:8444|rpx-finesse-b.cisco.com|i"
  </Location>
  #
  # Second member is the hot standby (status=+H)
  <Proxy balancer://cuic1>
    BalancerMember https://rmlab-poc-ccd-a.rmpoc.cisco.com:8444
    BalancerMember https://rmlab-poc-ccd-b.rmpoc.cisco.com:8444 status=+H
  </Proxy>
  #
  ProxyPass        / balancer://cuic1/
  ProxyPassReverse / balancer://cuic1/
  #
</VirtualHost>
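
The original question describes pages that mix the Finesse FQDN with the junction FQDN on port 7443, which is what happens when a back-end reference is not covered by a rewrite rule. The following check is an added example, not part of the thread or of any Cisco tooling: it applies the two Substitute rules from the config above to a response body and lists back-end host references that survive. The sample body and its URL paths are constructed for illustration.

```python
import re

# Rewrite rules copied from the Substitute directives in the config above.
# mod_substitute treats the pattern as a regex; the "i" flag ignores case.
RULES = [
    (r"rmlab-poc-ccd-a.rmpoc.cisco.com:8444", "rpx-finesse-a.cisco.com"),
    (r"rmlab-poc-ccd-b.rmpoc.cisco.com:8444", "rpx-finesse-b.cisco.com"),
]

# Any host under the back-end DNS suffix used in the thread, with optional port.
BACKEND_REF = re.compile(r"[a-z0-9-]+\.rmpoc\.cisco\.com(?::\d+)?", re.I)


def apply_rules(body, rules=RULES):
    """Apply the proxy's body substitutions in order, like mod_substitute."""
    for pattern, replacement in rules:
        body = re.sub(pattern, replacement, body, flags=re.I)
    return body


def leaked_backend_refs(body, rules=RULES):
    """Return back-end host[:port] references that survive rewriting."""
    rewritten = apply_rules(body, rules)
    return sorted({m.group(0).lower() for m in BACKEND_REF.finditer(rewritten)})


# Constructed sample response body (not captured from a real Finesse server).
SAMPLE_BODY = """
<script src="https://rmlab-poc-ccd-a.rmpoc.cisco.com:8444/desktop/js/app.js"></script>
<a href="https://RMLAB-POC-CCD-B.rmpoc.cisco.com:8444/cuic/">Reports</a>
<iframe src="https://rmlab-poc-ccd-a.rmpoc.cisco.com:7443/http-bind/"></iframe>
"""

if __name__ == "__main__":
    # Each line printed is a URL the browser would be sent to on the
    # back-end network, bypassing the reverse proxy hostname.
    for ref in leaked_backend_refs(SAMPLE_BODY):
        print("not rewritten:", ref)
```

Running the same function over bodies saved from the proxy's front-end side shows which back-end ports still need a rule or a separate virtual host before the setup is given to operators.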
