09-29-2015 11:36 PM
Our PCCE is in a dedicated network at our customer premises.
The contact center operators are in a different (client) network that is separated from the CC network.
Thus, to use Finesse the customer wants to use a reverse proxy that maps all access URLs (e.g. https://<finesse FQDN>/desktop/…) to a particular URL (e.g. https://<another FQDN>:<a port>/). This mapping is called a “junction”.
Normally, when you log in to Finesse, you get 4 requests to create exceptions to certificates, using variations of the main URL on port 7443.
The customer doesn’t like this, so we let them sign the Finesse Tomcat certificate with their internal CA and we uploaded it on Finesse. Now, when accessing Finesse with the standard URL, everything works and the browser doesn’t show any red alert.
But when using the junction, Finesse asks again for the certificate acceptance on port 7443, but it mixes the Finesse FQDN with the junction FQDN, so that it is not possible to reach the pages (they don’t actually exist).
I suspect (but I am not an expert) that some links requested by the Finesse login are static while others are dynamic.
Is there any documented or known way to have operators access Finesse that is behind a reverse proxy?
09-30-2015 07:14 AM
Finesse supports a load balancer in redirect mode now. The Finesse users can point their browsers to a LB and then the LB will redirect the agent to the appropriate Finesse server.
Would that work?
We looked into the reverse proxy idea and it isn't going to work.
02-05-2016 04:40 AM
Hello
I could get Finesse OOB container (the standard Finesse), CUIC and eGain for PCCE10.5 working across a Reverse Proxy in both http and https mode.
I tested most of the functionalities, including Finesse cluster fail-over, CUIC reporting, eGain email/chat, and all basic functionalities seem to work.
Testing was based on Apache 2.4 configured as Reverse Proxy.
Although no change was required for Finesse, CUIC and eGain (default installation, no hacking), this setup is not supported by Cisco TAC since it is pure configuration of a non-Cisco component (the reverse proxy), which could affect the behavior of standard Cisco applications.
Customer has to be aware that any issue must be replicated in a supported deployment (no reverse proxy, straight connection) in order to claim support.
It was a huge effort and extensive use of personal time, all dedicated to reverse engineering of HTTP traffic sniffs, as well as research and troubleshooting work.
The outcome consists of guidelines and a reverse proxy sample configuration.
How it works:
Browser <= Front-end Network => RP <= Back-end Network => (Finesse, CUIC, eGain…)
All Front-end DNS hostnames (the ones defined in the RP, let’s say RP hostnames) start with rpx-<hostname>.cisco.com
All Back-end DNS hostnames (the ones in the datacenter) start with rmlab-<hostname>.rmpoc.cisco.com
Example:
Browser points to rpx-finesse-a/b.cisco.com.
Reverse Proxy elaborates the traffic for rmlab-poc-ccd-a/b.rmpoc.cisco.com
Notes:
Finesse Back-end connects to CUIC through the RP to avoid certificate mismatch if you are on SSL.
Finesse layout will refer to LiveData and CUIC Reports permalinks using the RP hostname and not the CUIC back-end hostname.
Example, in Finesse Layout.xml you will have:
For this reason, the Back-end DNS also has to resolve CUIC routing using the RP name (rpx-cuic.cisco.com), pointing to the back-end interface of the Reverse Proxy server.
It is required to manually create self-signed certificates for rpx-cuic.cisco.com to be imported into Finesse a/b as tomcat-trust.
Further testing on 11.5 will be done once available, including SSO.
If you are interested in the guidelines, pls contact me.
Regards
Marco
05-10-2017 02:16 AM
Hi Marco,
I am playing with a similar setup in my lab on Finesse 11 and CUIC. I will appreciate it if you can share the guidelines you have created.
Ash
05-10-2017 02:35 AM
05-10-2017 03:27 AM
Thanks Marco
07-22-2019 03:25 PM
Based on the posted configuration here's my working updated version for 11.5 PCCE and Apache 2.4.
Notes:
<VirtualHost *:443>
    ServerName rpx-finesse-a.cisco.com
    ServerAdmin admin@rpx-finesse-a.cisco.com
    ErrorLog "|/sw/apache/httpd/prod/bin/rotatelogs /sw/apache/httpd/prod/logs/rpx-finesse-ssl_error_log.%Y-%m-%d-%H_%M_%S 100M"
    CustomLog "|/sw/apache/httpd/prod/bin/rotatelogs /sw/apache/httpd/prod/logs/rpx-finesse-ssl_access_log.%Y-%m-%d-%H_%M_%S 100M" combined
    #
    # TLS termination for browsers on the front-end network
    SSLEngine on
    SSLCipherSuite AES256-SHA:AES128-SHA
    SSLCertificateFile conf/vhosts.d/ssl.crt/rpx-finesse-a.crt
    SSLCertificateKeyFile conf/vhosts.d/ssl.key/rpx-finesse-a.key
    SSLCertificateChainFile conf/vhosts.d/ssl.crt/rpx-finesse-a.crt
    #
    # Use TLS for the proxied connection to the back end as well
    SSLProxyEngine on
    #
    <Location />
        # Allow access from client
        Require ip 192.
        #
        # Run response bodies through mod_substitute
        FilterDeclare Substitute
        FilterProvider Substitute SUBSTITUTE "%{REQUEST_URI} =~ /(.+)$/"
        FilterChain +Substitute
        #
        AddOutputFilterByType SUBSTITUTE image/png image/jpeg text/html text/css text/javascript application/octet-stream application/json
        # Rewrite back-end host:port references to the front-end (RP) hostname
        Substitute "s|rmlab-poc-ccd-a.rmpoc.cisco.com:8444|rpx-finesse-a.cisco.com|i"
        Substitute "s|rmlab-poc-ccd-b.rmpoc.cisco.com:8444|rpx-finesse-b.cisco.com|i"
    </Location>
    #
    # Back-end pair: member b is a hot standby (status=+H)
    <Proxy balancer://cuic1>
        BalancerMember https://rmlab-poc-ccd-a.rmpoc.cisco.com:8444
        BalancerMember https://rmlab-poc-ccd-b.rmpoc.cisco.com:8444 status=+H
    </Proxy>
    #
    # Forward all requests to the balancer and fix up redirect headers on the way back
    ProxyPass / balancer://cuic1/
    ProxyPassReverse / balancer://cuic1/
    #
</VirtualHost>
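
An added example, not part of any post in this thread: a small offline check for the failure described in the original question, where a back-end URL reaches the browser unrewritten and triggers a certificate prompt for a host the client cannot reach. It parses the two Substitute rules from the configuration above, applies them to a constructed response body, and lists any back-end host:port references that survive. The function names and the sample body are assumptions, and the matching only approximates mod_substitute (regex by default, `i` and `n` flags honoured, replacement inserted literally).

```python
import re

# Matches: Substitute "s<delim>pattern<delim>replacement<delim>flags"
RULE_RE = re.compile(r'^\s*Substitute\s+"?s(.)(.*?)\1(.*?)\1([a-z]*)"?\s*$')

# The two rules from the posted virtual host.
CONF = '''
Substitute "s|rmlab-poc-ccd-a.rmpoc.cisco.com:8444|rpx-finesse-a.cisco.com|i"
Substitute "s|rmlab-poc-ccd-b.rmpoc.cisco.com:8444|rpx-finesse-b.cisco.com|i"
'''

# Constructed response body: one URL on the proxied port, one on port 7443.
SAMPLE_BODY = (
    '<script src="https://RMLAB-POC-CCD-A.rmpoc.cisco.com:8444/desktop/app.js"></script>\n'
    'var other = "https://rmlab-poc-ccd-a.rmpoc.cisco.com:7443/example";\n'
)

def parse_substitute_rules(conf_text):
    """Return (compiled_pattern, replacement) pairs from Substitute directives."""
    rules = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        _, pattern, replacement, flags = m.groups()
        if "n" in flags:  # 'n' means the pattern is a fixed string, not a regex
            pattern = re.escape(pattern)
        re_flags = re.IGNORECASE if "i" in flags else 0
        rules.append((re.compile(pattern, re_flags), replacement))
    return rules

def rewrite(body, rules):
    """Apply each rule in order to the response body."""
    for pattern, replacement in rules:
        body = pattern.sub(lambda _m, r=replacement: r, body)
    return body

def leaked_backend_refs(body, backend_suffix):
    """Return back-end host[:port] references still present in the body."""
    host_re = re.compile(
        r'[A-Za-z0-9.-]*' + re.escape(backend_suffix) + r'(?::\d+)?',
        re.IGNORECASE,
    )
    return sorted({m.group(0).lower() for m in host_re.finditer(body)})

if __name__ == "__main__":
    rewritten = rewrite(SAMPLE_BODY, parse_substitute_rules(CONF))
    for ref in leaked_backend_refs(rewritten, ".rmpoc.cisco.com"):
        print("not rewritten:", ref)
```

Any reference it reports needs either its own Substitute rule and front-end listener, or a back-end setting that stops the application from emitting that URL.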