Web Interaction Manager (WIM) with reverse proxy

peter.trimble · ‎08-01-2013

Is it a supported solution to install the WIM component of Cisco Interaction Manager in the internal network with a Reverse Proxy in the DMZ?

SRND and deployment guide advise putting the Web server in the DMZ but also stipulate it must be a member of the domain which is a major security risk.

Thanks in advance

Peter

lohjintiam · ‎08-01-2013

Hi Peter,

I remember seeing a doc (Cisco/eGain) previously which defines how WIM can be configured to be in DMZ. The chat messsages will not be delivered consistently / one way only if not configured correctly.

Thanks!

-JT-

Ravindra Adhav · ‎08-01-2013

In a typical installation where agents using Cisco Interaction Manager could be spread across multiple locations, the load balancer, along with the Cisco Interaction Manager web servers, may be deployed in a DMZ. This is a required deployment for Unified WIM installations where customers enter chat sessions from outside the intranet. However, having the web-application servers within the intranet is possible, too. The services and database server can reside in the network over the same or different VLAN. If integration of these servers is implemented with Active Directory, then associated ports should be opened for communication with Domain Controllers.

Above is from

http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/cisco_interaction_manager/cim_901/design/cisco_im90_cce_srnd.pdf

The web server does not need to be installed in the same domain as other Cisco Interaction Manager components. It can be

located anywhere, for example, in a DMZ.

For EIM WIM 9 Deployment model to Support DMZ web server, following points need to be taken care of:

Keep Web server within the Network while installing the setup
After Installation of Web Server, move webserver VM to demilitarized zone (DMZ)
Only four ports need to be open between Web Server and App Server (i.e. 15006, 15007, 15008 and 15009)

Or if you do not want to put in network even at the time of installation then all the ports that we use between the web server and the intranet servers (application, server, etc) that we document need to be open at installation, if the web server is already in the DMZ

lohjintiam · ‎08-01-2013

Hi Ravindra,

Is there an official document on that?

Would Reverse Proxy still be required here?

Thanks!

-JT-

Ravindra Adhav · ‎08-01-2013

For installing web server in DMZ or installing in n/w and then moving to DMZ, you can refer regular web server install document.

And with web server in DMZ external users won't have direct access to any CIM servers except Web server so I dont think another reverse proxy layer is needed but this can be evaluated based on clients intial requirement of reverse proxy

lohjintiam · ‎08-01-2013

The customer will be clicking on the web chat link which is hosted in the WIM web server.

The agents will login into the App Server (assuming 2 server architecture) directly instead web server which is in the DMZ?

Thanks!

-JT-

peter.trimble · ‎08-02-2013

appreciate the comments guys.

I am still not clear on how I can achieve a secure solution without reverse proxy. The documentation states that WIM must be on a domain (not necessarily the same domain as App server) which is not a good DMZ solution.

To avoid doing this I would like to keep WIM in the Intranet zone and route chat requests via reverse proxy therefore not requiring a domain server in the DMZ. The documentation mentions reverse proxy in the context of load balencers for HA but does not mention a supported configuration where the WIM box stays in the intranet.

Any thoughts on this?

Thanks

Peter