[cisco-voip] CCMuser pages or not? (CUCM v7)

Anthony Holloway avholloway+cisco-voip at gmail.com
Sun Feb 27 12:30:05 EST 2011


In his example, yes, that's as far as he takes it.  However the product can
do much more:

! HTTP Inspection
class-map type inspect http match-any http_url_inspection_class
 ! Matches the host portion like you said
 match request header host regex class http_host_keywords
 ! Matches the URI path like I was saying "ccmadmin", "ccmuser", etc.
 match request uri regex class uri_path_keywords
 ! Matches the query string params "device=SEP111122223333", etc.
 match request args regex class query_param_keywords

Now, from your other reply, about ccmuser pointing to ccmadmin resources,
that makes this a bit trickier, but not an invalid solution.

Anthony

On Fri, Feb 25, 2011 at 9:07 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

> As far as I know, you can not filter past the domain name, i.e. part of the
> URL path itself. Since they're both going to the same host, I don't believe
> this will help.
>
> Sent from my iPhone
>
> On Feb 25, 2011, at 10:01 AM, Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
> One possible solution:  You could implement a firewall solution which
> filters traffic such that only your desired personnel can access the
> ccmadmin page.
>
> Check this posting by our community member go0se for a filtering by URL on
> an ASA tutorial: http://atc.go0se.com/?p=904
>
> Anthony
>
> On Fri, Feb 25, 2011 at 7:56 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>
>> I'm just wondering what others are doing to deliver CCMuser pages and/or
>> equivalent while protecting the CCMadmin pages.
>>
>> As far as I know, you can not change the port on which CCMadmin pages are
>> served. This means someone who can reach the CCMuser pages can also reach
>> the CCMadmin pages.
>>
>> In this world of people writing passwords on post-it notes, weak
>> passwords, shared passwords, workstations without proper protection, etc.,
>> this worries me. Our environment here can be considered a bit 'hostile'
>> since we're not using NAC on our wired ports and all ports are pretty much
>> open. I'm not sure even VPN would help, since the same passwords are used,
>> so a stolen password would get them through that.
>>
>> In the past we have used a reverse proxy which has worked well, but I'm
>> finding it difficult to find support to get that working again. I'm also not
>> sure if that is directional.
>>
>> What have others done to protect CCMadmin pages? Or have they simply
>> implemented things using AXL?
>>
>> Anybody seen any packaged AXL solutions that can deliver what CCMuser
>> pages can deliver?
>>
>> Sent from my iPhone
>>
>
>
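
The URI-path match from the class-map at the top of this thread, carried through to an applied ASA policy, as an added example that is not part of any poster's message. Only the class-map names http_url_inspection_class and uri_path_keywords come from the thread; every other name, address and pattern is constructed. It assumes the ASA sees the request in cleartext HTTP, since HTTP inspection cannot read URIs inside TLS.

```cisco
! Constructed example. 198.51.100.10 stands in for the CUCM server,
! 192.0.2.0/24 for the subnet of the permitted administrators.

! Regex class referenced by "match request uri regex class ..."
! Case-insensitive and anchored at the start of the path.
regex ccmadmin_path "^/[Cc][Cc][Mm][Aa][Dd][Mm][Ii][Nn]"
class-map type regex match-any uri_path_keywords
 match regex ccmadmin_path

! Inspection class: true when the URI path hits the regex class
class-map type inspect http match-any http_url_inspection_class
 match request uri regex class uri_path_keywords

! HTTP inspection policy: drop and log any request in that class
policy-map type inspect http block_ccmadmin_policy
 parameters
 class http_url_inspection_class
  drop-connection log

! Select which flows get inspected. A "deny" line exempts the flow
! from the class, so the administrators' subnet is never filtered;
! everyone else heading to the CUCM server is.
access-list to_cucm_http extended deny tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq www
access-list to_cucm_http extended permit tcp any host 198.51.100.10 eq www

class-map to_cucm_http_class
 match access-list to_cucm_http

! Bind the inspection policy to the selected flows on the user-facing
! interface (named "inside" here as an assumption)
policy-map inside_policy
 class to_cucm_http_class
  inspect http block_ccmadmin_policy

service-policy inside_policy interface inside
```

Because the class matches on path alone, any ccmuser page that loads a resource under the ccmadmin path is dropped too, so check the drop log entries from a test user session before enforcing this for everyone.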