SOHO TMS best practices

I have opened the firewall from internet to DMZ to my SOHO TMS server. For phone books on public systems port 80/443 is required open towards the TMS server. How can I prevent the TMS Website from appearing in a browser? What changes do I need to do in the IIS? I guess you only need to set “Anonymous access” on the public folder?

7 Replies

Patrick Sparkman
VIP Alumni

The only problem with changing IIS authentication settings is that you might break something that is required by the managed systems; I don't have any examples or anything, but worst case speaking. Have you thought about limiting the default User group to have no access to TMS, essentially removing all privileges?

Actually I have two TMS servers. One (Production) is on the LAN talking to a separate SQL server (TMSNG and TMSPE). I also have a TMS server in the DMZ (public IP) which talks to the same SQL DB (TMSNG). No services are running on the server in the DMZ. This is a standard SOHO deployment. I only need IIS running to provide phone books to public systems. My problem is that this also makes the TMS Web Site available on the public internet. I want to disable the web site part and only make the phone books available through the IIS "Public" folder. User Groups will not help since you get prompted for a user and password. If you have an account you can log in from the outside.

Hi Anders, I concur with Patrick; modifying the IIS authentication settings is not a good idea.

Have you considered configuring Secure HTTPS between TMS and Cisco TelePresence products, which will add additional security within your environment?

Please refer to the following document, Configuring Secure HTTPS between Cisco TelePresence products Reference Guide, from

http://www.cisco.com/en/US/docs/telepresence/infrastructure/tms/config_guide/Cisco_TelePresence_Implementing_Secure_Management_Config_Guide.pdf

HTH.

BR, Mahesh Adithiyha

OK. I guess it was a long shot. Even though you enable HTTPS, the web site will be available on the web. I will have to limit the HTTPS access through the firewall to the IP addresses of the endpoints / firewall public interface on the public internet.

Lucky for me it is only five systems...

If you want to prevent all parts of the TMS website from being open, a reverse proxy where you can define which URLs are allowed to be accessed by whom might do the trick.


Kjetil Ree
Cisco Employee

Hi,

You are in unsupported territory here, but what about creating an HTTP redirect from /tms to a static page? If you choose "Only redirect requests to content in this directory (not subdirectories)", you won't touch the feedback and phonebook mechanisms in /public that your SOHO systems rely upon.

Note that the TMS installer will undo this setting when you upgrade.

This is not something I have tested (other than for five minutes just now), but it seems to do the trick. Also keep in mind that this suggestion is unsupported - don't call the TAC if it breaks something!

-Kjetil
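The redirect Kjetil describes, written out as an IIS web.config so it can be reviewed and version-controlled rather than clicked in IIS Manager. This is an added example and is not from the thread, from Cisco, or from the TMS installer. It assumes the TMS web application is the directory "tms" under the DMZ site, that the phone-book and feedback folder is "public", and that "/blocked.htm" is a hypothetical static file you create in the site root; the file goes in the site root so that the `<location>` element scopes the redirect to /tms only and /public is untouched. As Kjetil notes, a TMS upgrade will overwrite this.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example (not from the thread, Cisco, or the TMS installer).
  Site-root web.config for the DMZ TMS server: requests for /tms are sent
  to a static page, /public (phone books and feedback for the SOHO
  endpoints) is left alone.

  Assumptions: the TMS application is the "tms" directory under this site,
  the phone-book folder is "public", and /blocked.htm is a hypothetical
  static page you create yourself in the site root.
-->
<configuration>
  <!-- Scope the redirect to /tms; nothing here applies to /public. -->
  <location path="tms">
    <system.webServer>
      <!--
        childOnly="true" is the IIS Manager option "Only redirect requests
        to content in this directory (not subdirectories)".
        exactDestination="true" sends every matching request to the same
        static page instead of appending the requested path to it.
        httpResponseStatus="Found" is a plain 302, which is what IIS
        Manager uses unless you pick another status.
      -->
      <httpRedirect enabled="true"
                    destination="/blocked.htm"
                    exactDestination="true"
                    childOnly="true"
                    httpResponseStatus="Found" />
    </system.webServer>
  </location>
</configuration>
```

Before relying on it, request /tms/ and a /public/ URL from outside and confirm that only the former is redirected; an unsupported change like this deserves the same five-minute check Kjetil did, plus a note in your upgrade runbook to reapply it.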

Sumeet Rakesh
Level 1

Hi Anders,

If there are not many systems, it will be a better idea to open the ports for specific IP addresses and block others from accessing TMS. In case of a security breach your TMS will go into a loop of unnecessary redirects that will degrade performance. Having the firewall in place will ensure that only authentic users/endpoints try to access the TMS server while the rest of them will be blocked.

Regards

Sumeet Rakesh
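The source-address restriction that Anders and Sumeet settle on belongs on the firewall, but IIS can enforce the same allowlist as a second layer, which helps when the DMZ firewall rule is later loosened by someone who does not know why it was tight. The following web.config is an added example, not from the thread or from Cisco. It assumes the IP and Domain Restrictions role service is installed on the DMZ server, that the site-root web.config hosts both /tms and /public, and that 198.51.100.10, 198.51.100.11 and 203.0.113.0/24 are placeholder public addresses for the endpoints and a remote office's NAT firewall; substitute the real ones. The ipSecurity section is locked in applicationHost.config by default, so it must be unlocked once before a web.config may set it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example (not from the thread or from Cisco). Site-root web.config
  for the DMZ TMS server that allows only the known SOHO endpoints to reach
  any part of the site, /public included. Keep the firewall rule as well;
  this is defense in depth, not a replacement.

  Assumptions: the "IP and Domain Restrictions" role service is installed,
  and the section has been unlocked once with
    %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity
  The addresses below are placeholders (documentation ranges), not real
  endpoints.
-->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": anything not listed gets 403.6, including the rest of the internet. -->
      <ipSecurity allowUnlisted="false">
        <clear />
        <!-- Individual endpoints with fixed public addresses -->
        <add ipAddress="198.51.100.10" allowed="true" />
        <add ipAddress="198.51.100.11" allowed="true" />
        <!-- A remote office behind one NAT firewall, allowed as a subnet -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Two caveats a practitioner will hit: an endpoint whose public address changes (a home connection on a dynamic IP, for example) silently loses its phone book until the list is updated, and the allowed endpoints can still reach the /tms login page, so this pairs naturally with the /tms redirect Kjetil suggests rather than replacing it.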