<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Eric,<br>
<br>
Good clarification. Nothing built into the product to allow this, but
sounds like a good use of a proxy server. AONS/firewall would not work
because it's https and encrypted on the wire.<br>
<br>
/Wes<br>
<br>
Eric Pedersen wrote:
<blockquote
cite="mid:A58F94A553BA4742821241C8F3E76C9F04494A27@EX2.ACDM.DS.SAIT.CA"
type="cite">
<title></title>
<meta http-equiv="Content-Type" content="text/html; ">
<meta content="MSHTML 6.00.2900.3157" name="GENERATOR">
<div dir="ltr" align="left"><font color="#0000ff" face="Arial"
size="2"><span class="491191618-28092007">I wasn't clear enough. We
have a limited range of IP addresses that are trusted for callmanager
administration, and we have larger IP ranges where our general user
population reside. I would like to filter what networks can access
ccmadmin, os admin, etc. so that the general user population can't even
get to the login screen. Because ccmadmin and ccmuser use the same tcp
ports, and I haven't found any way to change this, I cannot simply
filter admin access with router ACLs.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial"
size="2"><span class="491191618-28092007"></span></font> </div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial"
size="2"><span class="491191618-28092007">Simple username and password
authentication isn't a particularly secure way to protect such a key
piece of infrastructure ... you're just one accidental password
disclosure or web server bug away from a hacked callmanager. </span></font></div>
<br>
<div class="OutlookMessageHeader" dir="ltr" align="left" lang="en-us">
<hr tabindex="-1"><font face="Tahoma" size="2"><b>From:</b> Wes Sisk
[<a class="moz-txt-link-freetext" href="mailto:wsisk@cisco.com">mailto:wsisk@cisco.com</a>] <br>
<b>Sent:</b> September 28, 2007 12:14<br>
<b>To:</b> Eric Pedersen<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> Re: [cisco-voip] user access to ccmuser web pages<br>
</font><br>
</div>
check out the "Standard CCM End Users" group.<br>
<br>
Eric Pedersen wrote:
<blockquote
cite="mid:A58F94A553BA4742821241C8F3E76C9F04494A00@EX2.ACDM.DS.SAIT.CA"
type="cite">
<meta content="MSHTML 6.00.2900.3157" name="GENERATOR">
<div><span class="933023516-28092007"><font face="Arial" size="2">I'm
using callmanager 5.1. I want to enable general user access to the
callmanager ccmuser web pages. I have not seen any way to allow this
without also giving access to ccmadmin/osadmin/etc. web pages, which I
don't want to do for obvious security reasons. Is there a way to do
this?</font></span></div>
<div><span class="933023516-28092007"></span> </div>
<div><span class="933023516-28092007"><font face="Arial" size="2">Thanks,</font></span></div>
<div><span class="933023516-28092007"><font face="Arial" size="2">Eric</font></span></div>
<pre wrap=""><hr size="4" width="90%">
_______________________________________________
cisco-voip mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a></pre>
</blockquote>
</blockquote>
</body>
</html>