04-29-2013 07:32 AM - edited 03-18-2019 01:01 AM
I have opened the firewall from internet to DMZ to my SOHO TMS server. For phone books on public systems port 80/443 is required open towards the TMS server. How can I prevent the TMS Website from appearing in a browser? What changes do I need to do in the IIS? I guess you only need to set “Anonymous access” on the public folder?
04-29-2013 07:46 AM
The only problem with changing IIS authentication settings is that you might break something that is required by the managed systems. I don't have any examples or anything, but worst case speaking. Have you thought about limiting the default User group to have no access to TMS, essentially removing all privileges?
04-29-2013 08:17 AM
Actually I have two TMS servers. One (Production) is on the LAN talking to a separate SQL server (TMSNG and TMSPE). I also have a TMS server in DMZ (public IP) which talks to the same SQL DB (TMSNG). No services are running on the server in DMZ. This is a standard SOHO deployment. I only need IIS running to provide phone books to public systems. My problem is that this also makes the TMS Web Site available on the public internet. I want to disable the web site part and only make the phone books available through the IIS "Public" folder. User Groups will not help since you get prompted for a user and password. If you have an account you can log in from the outside.
04-29-2013 09:51 AM
Hi Anders, I concur with Patrick, modifying the IIS authentication settings is not a good idea.
Have you considered configuring Secure HTTPS between TMS and Cisco TelePresence products, which will add additional security within your environment?
Please refer to the following document - Configuring Secure HTTPS between Cisco TelePresence products Reference Guide from
HTH.
BR, Mahesh Adithiyha
04-29-2013 09:56 AM
OK. I guess it was a long shot. Even though you enable HTTPS the web site will be available on the web. I will have to limit the HTTPS access through the firewall to the IP addresses of the endpoints/firewall public interface on public internet.
Lucky for me it is only five systems...
04-29-2013 02:40 PM
If you want to prevent all parts of the TMS website from being open, a reverse proxy where you can define which URLs are allowed to be accessed by whom might do the trick.
Please remember to rate helpful responses and identify
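The URL allowlist decision that such a reverse proxy would make, as an added example that is not part of any post in this thread and is not Cisco or TMS code. It assumes the phone book and feedback handlers sit under `/tms/public/` (inferred from the `/tms` and `/public` paths mentioned in the thread); `is_allowed` and the sample paths are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Assumption: only this prefix needs to be reachable from the internet.
ALLOWED_PREFIXES = ("/tms/public/",)

def is_allowed(request_target: str) -> bool:
    """Return True if the proxy should forward this request target to IIS."""
    # Drop the query string; the decision is made on the path only.
    path = request_target.split("?", 1)[0]
    if not path.startswith("/"):
        return False
    decoded = unquote(path)
    # Still percent-encoded after one decode means double encoding; reject it
    # instead of guessing how the backend will decode it.
    if "%" in decoded:
        return False
    # IIS treats backslashes as separators; reject them and control characters.
    if "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return False
    # Collapse "." and ".." segments before comparing against the allowlist,
    # so /tms/public/../default.aspx is judged as /tms/default.aspx.
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    # IIS paths are case-insensitive, so compare in lower case.
    return normalized.lower().startswith(ALLOWED_PREFIXES)

if __name__ == "__main__":
    # Constructed sample request targets, not taken from a real TMS server.
    samples = [
        "/tms/public/example.asmx",
        "/tms/",
        "/tms/public/../default.aspx",
        "/tms/public/%2e%2e/default.aspx",
    ]
    for target in samples:
        print("ALLOW" if is_allowed(target) else "DENY ", target)
```

Normalizing before the prefix comparison is what keeps dot-segment and encoded variants of a path from slipping past the allowlist and reaching the rest of the site.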
04-29-2013 03:22 PM
Hi,
You are in unsupported territory here, but what about creating an HTTP redirect from /tms to a static page? If you choose "Only redirect requests to content in this directory (not subdirectories)", you won't touch the feedback and phonebook mechanisms in /public that your SOHO systems rely upon.
Note that the TMS installer will undo this setting when you upgrade.
This is not something I have tested (other than for five minutes just now), but it seems to do the trick. Also keep in mind that this suggestion is unsupported - don't call the TAC if it breaks something!
-Kjetil
04-29-2013 09:42 PM
Hi Anders,
If there are not many systems, it will be a better idea to open ports for specific IP addresses and block others from accessing TMS. In case of a security breach your TMS will go into a loop of unnecessary redirects that will degrade the performance. Having a firewall in place will ensure that only authentic users/endpoints try to access the TMS server while the rest of them will be blocked.
Regards
Sumeet Rakesh