03-23-2004 10:45 AM - edited 03-13-2019 04:23 AM
Hi,
We're a large enterprise and we currently manage several hundred NT/W2K servers. All the servers we own & manage today are part of a single domain.
We are now deploying our first few Call Managers for IPT. We're having a big debate internally as to whether we add the Call Managers to our existing domain or if we put them in a domain on their own. This is complicated by the fact that we intend to have a 3rd party help us support the IPT environment.
Is there a best practice regarding Call Manager & Windows Domain security? I expect that over time Cisco will move CM to an appliance platform (as they've done on other products) and I suspect that this may limit our choice, right?
I appreciate any input...
Alistair.
03-23-2004 03:23 PM
I don't know of any best practice, but if it were my own system I would keep them separate.
The CCMs hold such a crucial part in one's network that I would try and separate them (from normal traffic, read virus) and secure them as much as possible.
But then again, that's just my personal opinion.
03-23-2004 03:47 PM
I've seen documents indicating that Cisco recommends that CallManagers be part of their own workgroup. They should not be member servers of a domain.
On the other hand, because of Unity requirements, those servers should be member servers of a domain.
There are also best practices documents relating to putting the servers in their own segments and installing certain ACLs to further protect the servers and phones from DoS attacks and such.
Your 'third party' should be up-to-date on these 'best practice' suggestions.
Ray Burkholder.
03-23-2004 08:03 PM
I'd treat the phone system as such. It just so happens CCM runs on W2k. It's not a file share or print server.
CCM will be an appliance-type server in the near future. Look for it in your local hardware stores (that was a joke).
For Unity, if your intention is to have unified messaging where you can check your email on your phone, and vm on Outlook, then by all means, join the existing domain with Exchange/Domino servers.
However, if you are using VM only (that means your intention is just to check VM from the phone), then it can certainly sit on its own domain and probably should. That way, you keep it out of domain politics (although I've been told that does not exist).
H. M.
03-23-2004 08:36 PM
Remember, CallManager (software PBX) installs on Windows 2000 Server, but it is actually a PHONE system. Have you seen a PBX join a domain (stupid me)? I mean a PBX won't get any attack from hackers because it is isolated.
Therefore, don't try to make CCM join your existing domain; that's what Cisco recommends anyway. I mean a hacker can still attack CCM, but at least it won't be affected if the domain goes down.
Give CCM its own workgroup, install antivirus, configure ACLs.