[cisco-voip] CCMuser pages or not? (CUCM v7)

Sun Feb 27 23:03:58 EST 2011

thanks Bernhard, 

you confirmed many of my suspicions and some of my findings. 

--- 
Lelio Fulgenzi, B.A. 
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN) 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
Cooking with unix is easy. You just sed it and forget it. 
- LFJ (with apologies to Mr. Popeil) 

----- Original Message -----
From: "Bernhard Albler" <bernhard.albler at gmail.com> 
To: "Anthony Holloway" <avholloway+cisco-voip at gmail.com> 
Cc: "Lelio Fulgenzi" <lelio at uoguelph.ca>, "cisco-voip voyp list" <cisco-voip at puck.nether.net> 
Sent: Sunday, February 27, 2011 1:43:14 PM 
Subject: Re: [cisco-voip] CCMuser pages or not? (CUCM v7) 

Hi all, 
two answers: 
1.) 
I have one customer who has pretty much reimplemented CCMUSER and 
quite a bit more as a part of a full management solution. It's pretty 
darn cool (we can also configure unity etc. viy that page) but it was 
quite a bit of work. 

2.)I believe ASA Url filtering will not work because the page these 
days are only available via SSL. So no luck there. 

What I did at another customer was to use NGINX (www.nginx.net) as a 
reverse proxy and then filter ccmuser. This is a bit more tricky than 
necessary because CCMUser actually uses resources (images) pointing to 
/ccmadmin/. So the config looks something like this: 
server { 
listen <VIRTUALIP>:443; 
server_name <HOSTNAME>; 
access_log /var/log/nginx/settings.access.log; 
error_log /var/log/nginx/settings.error.log; 

ssl on; 
ssl_certificate /etc/certs/host.cert; 
ssl_certificate_key /etc/certs/host.key; 
ssl_session_timeout 5m; 

ssl_protocols SSLv2 SSLv3 TLSv1; 
ssl_ciphers 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; 
ssl_prefer_server_ciphers on; 

keepalive_timeout 70; 

location /nginx_status { 
stub_status on; 
access_log off; 
} 

location / { 
rewrite ^/(.*) https://<HOSTNAME>/ccmuser permanent; 
} 

location /ccmuser/ { 

proxy_set_header X-Real-IP $remote_addr; 

# 
# This line tells the application which URL to use as base_url: 
# 
proxy_set_header Host <HOSTNAME>; 
proxy_set_header X-Host $host; 
proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; 

# 
# Here we point to Jetty 
# 
proxy_pass https://<REALCCM>/ccmuser/; 
proxy_redirect default; 
} 
location /ccmadmin/loading-please-wait.jsp { 

proxy_set_header X-Real-IP $remote_addr; 

# 
# This line tells the openms application which URL to 
use as base_url: 
# 
proxy_set_header Host <HOSTNAME>; 
proxy_set_header X-Host $host; 
proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; 

# 
# Here we point to the CCM 
# 
proxy_pass 
https://<REALCCM>ccmadmin/loading-please-wait.jsp; 
proxy_redirect default; 
} 

location /ccmadmin/themes/ { 

proxy_set_header X-Real-IP $remote_addr; 

# 
# This line tells the application which URL to use as base_url: 
# 
proxy_set_header Host <HOSTNAME>; 
proxy_set_header X-Host $host; 
proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; 

# 
# Here we point to the CCM 
# 
proxy_pass https://<REALCCM>/ccmadmin/themes/; 
proxy_redirect default; 
} 
} 

This also has the advantage that users can just enter <HOSTNAME> and 
will drop to CCMUSER. 
I believe you can do the same with a F5 or a ACE. 

regards 
bernhard 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20110227/39cb92ff/attachment.html>