
SocialMiner UCCX Web Chat network configuration

James Hawkins

Hello,

I am about to deploy UCCX 11.6(2) with SocialMiner to support web chat from end users on the Internet. I am confused about how the network should be set up to support this.

 

The customer architecture has a DMZ that uses private addresses and static NAT is used to provide access to servers in the DMZ by mapping public addresses to their private addresses.

 

However, the UCCX 11.6(2) design guide states that NAT is not supported. The UCCX port utilisation guide shows that HTTPS (TCP 443) traffic must be allowed from users on the Internet initiating chat sessions to the SocialMiner server. I am struggling to see how this can work.

The design guide does vaguely mention using a proxy server but does not really explain what this will do.

Is the configuration I want to implement supported or are public IP addresses required in the DMZ?

This issue seems to have been raised numerous times since UCCX web chat was introduced but no definite answer seems to have been provided (that I can find).

 

1 Accepted Solution


Hi James,

 

Yes, NAT is not supported. I have done a deployment where we used a web proxy like Sophos or Netscaler, so the end customer on the Internet will only be talking to our web proxy gateway, not directly to a host sitting in the internal network/DMZ, and we can make use of the security certs that are provided by the web proxy server. This is the best way to deploy it if your customer has a web proxy set up.

 

 


7 Replies

James Hawkins

So I have been doing some more research and it seems that NAT is not supported for SocialMiner.

This means that for this deployment the SM server will have to be placed on the public Internet as the customer does not have a DMZ that uses public addresses. They also have security concerns about hosting a VM on the external Internet on the same ESXi host that they use to host "normal" DMZ servers.

 

With this deployment there is also a requirement to punch holes through the corporate firewall to allow SM to talk to Active Directory.

 

This is a very messy setup from a security perspective and could all be avoided if SM could use NAT.

Can anyone confirm that my understanding above is correct? - it will be a difficult sell to my customer.


Hi Jinto,

 

Thanks for your response. The deployment I am involved with is just a proof of concept of web-chat but email will be a production service. I think I will find it very difficult to persuade the customer to deploy a web proxy server just for this test.

 

If they did not need email I would put the SM server outside the firewall but do not want email traffic to be routed out to the SM on the Internet and then back in.

It would be good if CCX could support separate SM servers for chat and email to avoid this.

 

Regarding your mention of certificates would I need to put the public hostname of the SM server into a cert on the web proxy? - e.g. chat.company.com

 

Thanks for your previous response.

Hi James,

 

Not needed if you are using a certificate provided by your web proxy for it; otherwise follow the document below:

https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

 

Hope this helps :)

Hi James,

For chat it might be worth considering the crowconnect.com cloud chat solution for Cisco Finesse:

https://www.crowconnect.com/site/docs

It's in beta for now, so it's free to register and test.

 

Leszekstartchat

Hi

 

Webchat does support NAT. I have 2 customers with private IPs on the DMZ and NAT on the outside firewall and it works, one in 11.0.1 and 10.6.1, but I don't believe Cisco changed this in the latest versions.

 

The scenario that was implemented on the 11.0.1 included a specific situation with NAT reflection on the firewall, because internally the DNS resolves the public IP and the SocialMiner has a private IP, and was validated by Cisco BU.

 

Regards 

I'm trying to configure SocialMiner (11.6) with FB chat and webchat. Customer has a WAF (with reverse proxy functionality) and has to use this for chat integrations, as the SocialMiner server is deployed in the DMZ. Asked security team to allow https://<FQDN>/fbm to <Internal IP>:10443/fbm via WAF and FB integration is complete.

 

However, I'm not sure how to allow webchat from the WAF (reverse proxy), since there's no specific URL like in the Facebook integration. How did you get webchat allowed (both 7071/7443?) from the reverse proxy side?

I'm trying to understand the configuration requirement from WAF / Reverse proxy side as I have to request exact change from company's firewall team. Thanks in advance.
