WIM/EIM system setup question

eric.neoh
Level 1

Hi, all.

Has anyone ever set up the WIM/EIM 4.3(X) in a single/collocated deployment model? Our web server is in the DMZ zone and it is in a Workgroup. The rest of the server components stay in the IPCC domain, which is in a separate network VLAN. I was unable to view the default/system partition web page and the error given was "The page cannot be display... http 500 error".

Would appreciate any advice and comment.

Thanks & Regards,
Eric


matthewpage
Level 3

Hi Eric

You have probably opened a TAC case by now, but if not, then the below is not supported. The Webserver and Application server need to be in the same domain. I had the same problem and had to put both services in the DMZ domain to get everything working. It does mention this in the documentation. The other way around the issue is to put the servers in two different domains and then set up a trust between them. That will also work.


Thanks,

Matt

Hi, Matt.

Thanks for your reply. In the actual production environment, we need to put the web server in the DMZ zone, but I understand from you that it is not feasible. Even if we put the web server in a separate domain and set up a trusted relationship between them, how would the public access the "entry point" from the company web site? So the bottom line is that all the server components for EIM/WIM must be in a domain environment?

Will the version 4.3(2) solve this caveat?

Thanks,
Eric

Eric - This is not a bug; this is the default product design. I think this is not supported due to a permission issue over the EIM folder when the web server is out of the domain. This is not yet certified in the eGain base build; I will check internally with the PM in which version of eGain this will be supported, and then later on this can be part of CIM.

Currently there are no other options except for the steps specified by Geoff.

Hope this helps.

Regards,

Gaurav Thakur.

Hi, Gaurav Thakur.

Thanks for the reply. If the Web Server will not work when it is in the DMZ zone, I think it defeats the purpose of having the WIM system.

Btw, you mentioned that there is no other option except the steps specified by Geoff, can you give me the URL link to the post?

Thank you so much.

Regards.

Eric

Hi Eric

You just need to put both servers in the DMZ. You then just open up the ports outlined in the SRND for the app server to communicate with the MR PG, AW and agents.

I have this working with no complaints about security.

Matt

Sent from my iPhone

Or, if you have load balancers, put both servers on the internal LAN and use the load balancers in the DMZ to terminate external users.

Please review the following documents...

The CIM SRND at this link; http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/cisco_interaction_manager/cim_43/design/guide/im431srnd.pdf indicates on page 91 the following;

"In a typical installation where agents using Cisco Interaction Manager could be spread across multiple locations, the load balancer, along with the Cisco Interaction Manager web servers, may be deployed in a DMZ."

Here are some other docs that explain how to separate out the Web Server.

E-Mail Interaction Manager: How To Install the WIM Component on a Separate Server During E-Mail Interaction Manager Installation

http://www.cisco.com/en/US/products/sw/custcosw/ps1844/products_configuration_example09186a0080b12114.shtml

From that link there is another link to the following doc;

http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/cisco_interaction_manager/cim_42/installation/guide/cisco_im_ccx_installationguide.pdf

Page 71 contains the instructions you need; "Separating the web server from the application server"

Hi Guys

I have the same problem and I am still in doubt as to how to set this up, and the customer is worried:

We are talking about a 2 server installation with integration to UCCE and I need to know the recommended installation configuration:

Page 14 in the installation guide states that:

"A true single-server deployment is possible only for Unified EIM installations. If the installation includes Unified WIM, it becomes a collocated deployment, where the web server is installed on a separate machine outside the firewall."

This means that the WEB server must be placed in the DMZ, so far so good.

Page 14 in the installation guide states that:

"Verifying Network Configuration

These tasks must be completed in all collocated, split-server, and distributed-server configurations.

To verify network configuration:

1. Ensure that all machines other than the web server, are in the same Active Directory domain. The web server does not need to be installed in the same domain. Note that the application cannot be installed in a workgroup"

As I understand this, it means that the WEB server also must be in a domain, not necessarily the same as the rest of the EIM/UCCE installation, but still in a domain. My customer is worried about security, since they do not want a server in the DMZ to be part of their production domain, where rest of the installation is placed.

So then we could create a separate domain for the EIM/WIM installation?

Page 22 in the installation guide states that:

"Setting Up User Accounts and Permissions

You will need administrator privileges on the local system to perform the installation.

In all single-server configurations, and split-server configurations that do not require Windows authentication for database connectivity, a localUsername, with administrator privileges, can be used.

For collocated and split-server configurations that are using Windows authentication, and all distributed-server configurations, a domain user account is required."

Page 22 in the installation guide states that:

"Setting Up Domain Account

Skip this section if you are installing a single-server configuration, or a split-server that does not use Windows authentication.

Request your IT department to create a domain user account for exclusive use by Cisco Interaction Manager. The domain user account needs the Log on as a Service privilege on each of the servers used in deployment. It does not require the Interactive Logon privilege.

You will use this account to install and configure the system."

Is this domain account to be created in the domain created for the EIM/WIM installation? But is there a need for access to the production domain AD, and if so, why?

So I'm asking for the recommended solution for this setup:

1. One separate domain for EIM/WIM servers with its own domain user account for installation.

WIM server in DMZ and EIM server behind firewall.

2. One separate domain for EIM/WIM servers with its own domain user account for installation.

Both WIM and EIM server in DMZ, which would save some port openings between those 2 servers and only require port openings towards UCCE services as Matthew describes.

Thanks in advance..

Henrik

Hi Guys,

Has anyone successfully installed WIM/EIM in a single/collocated deployment model? The web server and the other applications are in the same domain, but I can't start web EIM. I was unable to view default/partition; the web pages display the error "The page cannot be display... http 500 error".

My version is WIM/EIM (4.3.1).

This is the error log:

http://pastebin.com/Ziz8MQ9q

thanks

Can you be a bit more clear about how you have deployed EIM/WIM?  You noted "Webserver and other application same domain"

Do you mean to say that you have installed the product in one domain, then separated the application and web Servers into a separate domain?  Or simply the Web Server?

The error you are getting indicates that the Web Server is unable to find the page.  The reason I asked the question above is, I would like for you to attempt to open the page by by-passing the web server directing your inquiry to the following;

http://<9001>/system/web/view/platform/common/login/root.jsp?partitionId=1

If that does not work, then there is a problem with your application server... if it does work I assume you skipped a step in the instructions for relocating the Web Server outside the DMZ...

All you need to properly configure the Web Server in the DMZ is in this document;

http://www.cisco.com/en/US/products/ps7236/products_configuration_example09186a0080bc211e.shtml

I suspect that you have skipped the following step;

Install Files for File Server

Since the file share on the file server cannot be accessed from the  DMZ, the files on the file server must be manually installed on each  external web server.

Complete these steps:

  1. On the file server, create a ZIP file of the Cisco_Home > eService folder.

  2. Copy the ZIP file to each external web server.

  3. On each external web server, create a folder named Cisco (for example, C:\Cisco).

  4. On each external web server, unzip the ZIP file into the folder created in Step 3, such that the resulting pathname is C:\Cisco\eService.

If the instruction above does not correct this for you then you may have a configuration issue within IIS.... possibly.

Feel free to send me screen shots of your IIS configuration for your default and system pages directly and I'll be happy to take a look.

Thx,

Kim

Hi Kim,

Thank you for your reply.

This is the diagram for my customer; you can see it below.

I am just testing in my lab, and don't have a firewall.

1. I tried to access the web pages by direct link. It's working.

http://serverwim:9001/system/web/view/platform/common/login/root.jsp?partitionId=1

2. I copied the eService folder from the file server to the external web server and tried to follow the step-by-step instructions from Cisco's "Unified Web and E-Mail Interaction Manager Web Server in a DMZ Configuration Example", but it's not working; it displays the error below.

This is my config:

workers.properties

ps=\
worker.maintain=-1
# An entry that lists all the workers defined
# 'default' worker -- Will be used for jsp's
# 'pushlet' worker -- Will be used for Pushlet requests [nailed connection]
# 'live'    worker -- Will be used for live requests
worker.list=default, pushlet, live
# Entries that define the host and port associated with these workers
worker.default.host=serverwim
worker.default.port=15006
worker.default.type=ajp13
worker.pushlet.host=serverwim
worker.pushlet.type=ajp13
worker.live.host=serverwim
worker.live.port=15008
worker.live.type=ajp13


This is the log and screenshot. You can view them here.

http://s1163.photobucket.com/albums/q551/triquang33/wim/

Thank you
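
The workers.properties in the post above names the AJP workers that the web server's connector forwards requests to, so it also determines which ports must be open from a DMZ web server to the application server. As an added example (not part of the original post and not Cisco tooling), this Python script parses such a file, flags any worker in worker.list that lacks a host, port or type, and lists the host/port pairs a firewall rule would have to permit. The function names are hypothetical, and the embedded sample reproduces the worker entries as they appear in the post.

```python
# Added example: audit a workers.properties file before writing DMZ firewall rules.
REQUIRED = ("host", "port", "type")
# Sample input: worker entries as they appear in the post above (comments omitted).
SAMPLE = """\
ps=\\
worker.maintain=-1
worker.list=default, pushlet, live
worker.default.host=serverwim
worker.default.port=15006
worker.default.type=ajp13
worker.pushlet.host=serverwim
worker.pushlet.type=ajp13
worker.live.host=serverwim
worker.live.port=15008
worker.live.type=ajp13
"""

def parse_workers(text):
    """Return (names from worker.list, {name: {attribute: value}})."""
    listed, workers = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            listed = [n.strip() for n in value.split(",") if n.strip()]
        elif key.startswith("worker.") and key.count(".") == 2:
            _, name, attr = key.split(".")
            workers.setdefault(name, {})[attr] = value
    return listed, workers

def audit(text):
    """Return (problems, endpoints) for every worker named in worker.list."""
    listed, workers = parse_workers(text)
    problems, endpoints = [], set()
    for name in listed:
        attrs = workers.get(name, {})
        # A port that is present but not numeric counts as invalid.
        bad = [a for a in REQUIRED
               if not attrs.get(a) or (a == "port" and not attrs[a].isdigit())]
        if bad:
            problems.append(f"worker '{name}' has missing or invalid: {', '.join(bad)}")
            continue
        endpoints.add((attrs["host"], int(attrs["port"]), attrs["type"]))
    return problems, sorted(endpoints)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the posted entries, the audit reports that the pushlet worker has no port line, which is worth confirming against the actual file on the web server before looking at IIS.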

Can't see all I need from what you've offered.  If you'd like to open a TAC SR and put my name in the description I'll be happy to assist the TAC Engineer to resolve this for you.

I've alerted the team to be aware that you may open an SR.  I work Eastern US shift hours.

Thx

Kim