<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Verdana; font-size: 10pt; color: #000000'>i _think_ there's a difference between a proxy and a reverse proxy<br><br>a proxy is something that you program your browser with and all requests go through that proxy and there's no special programming required on the proxy side. much more canned i believe.<br><br>a reverse proxy allows you to contact a website without having to make changes on the client side, but the proxy has to be configured to do all the re-writing.<br><br>honestly, i'm a newbie to this. so i could be off my rocker. <br><span><br><span name="x"></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it. <br> - LFJ (with apologies to Mr. Popeil)<br><span name="x"></span><br></span><br><hr id="zwchr"><b>From: </b>"Wes Sisk" <wsisk@cisco.com><br><b>To: </b>"Lelio Fulgenzi" <lelio@uoguelph.ca><br><b>Cc: </b>"FrogOnDSCP46EF" <ciscoboy2006@gmail.com>, "cisco-voip voyp list" <cisco-voip@puck.nether.net>, "Matthew Saskin" <msaskin@gmail.com><br><b>Sent: </b>Thursday, January 19, 2012 4:43:00 PM<br><b>Subject: </b>Re: [cisco-voip] CUCM - separating management traffic<br><br>I'll plead ignorance - why is a special proxy required? 
A standard https proxy will not work?<div><br></div><div>/wes</div><div><br><div><div>On Jan 19, 2012, at 3:08 PM, Lelio Fulgenzi wrote:</div><br class="Apple-interchange-newline"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div><div style="font-family: Verdana; font-size: 10pt; color: rgb(0, 0, 0); ">while the reverse proxy has served us well, we did have to find someone to build and maintain this for us. also, not everything will work with a reverse proxy, especially any protocol that builds the IP address into the code and/or requires direct access to the host client. media master bar comes to mind.<span class="Apple-converted-space"> </span><br><br><span></span><br><hr id="zwchr"><b>From:<span class="Apple-converted-space"> </span></b>"Wes Sisk" <<a href="mailto:wsisk@cisco.com" target="_blank">wsisk@cisco.com</a>><br><b>To:<span class="Apple-converted-space"> </span></b>"Matthew Saskin" <<a href="mailto:msaskin@gmail.com" target="_blank">msaskin@gmail.com</a>><br><b>Cc:<span class="Apple-converted-space"> </span></b>"FrogOnDSCP46EF" <<a href="mailto:ciscoboy2006@gmail.com" target="_blank">ciscoboy2006@gmail.com</a>>, "cisco-voip voyp list" <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br><b>Sent:<span class="Apple-converted-space"> </span></b>Thursday, January 19, 2012 3:00:52 PM<br><b>Subject:<span class="Apple-converted-space"> </span></b>Re: [cisco-voip] CUCM - separating management traffic<br><br>Out-of-band management is usually delivered via IPKVM, either as external hardware or utilizing iLO or the IBM equivalent, which escapes me at the moment.<div><br></div><div>To protect the administrative interfaces (web and ssh), block traffic from hostile environments to these on a per-port basis.</div><div><br></div><div>The only overlap is access to ccmuser vs. (ccmadmin/ccmservice/iptplatform), as all are web services. Because they utilize https now, Lelio is spot on that a front end proxy is required.</div><div><br></div><div>The general response is that there are devices that do this and very commonly do it better than any possible internal implementation. With that precondition, why add the additional complexity to the core product?</div><div><br></div><div>We've seen several times, even here on cisco-voip, where an ASA or external box is required for true policing. 
Security folks present a very sound case for this.</div><div><br></div><div>Regards,</div><div>Wes</div><div><br><div><div>On Jan 19, 2012, at 9:54 AM, Matthew Saskin wrote:</div><br class="Apple-interchange-newline">I knew Lelio was going to chime in ;)<br><br>It's an interesting note that while none of my financial customers have done this, or use features like secure voice, I have one Edu whose policy is "everything on the network must be encrypted, end of story". The net of this is vastly more time spent troubleshooting security/encryption issues, and a significant extra workload in terms of additional servers/development work to "Secure" things that aren't secured by their nature (e.g. ODBC access to UCCX via Informix drivers; while ODBC can be secured/encrypted, the Informix connectivity to UCCX can't be encrypted).<br><br>I digress. While I agree with Lelio that it's not a difficult thing for Cisco to implement, I've yet to see the real-world call for it barring very specific circumstances... and we all know the reality: until it's clamored for by a collective of customers spending tens of millions of dollars, it's not likely to happen.<br><br>-matthew<br><br><div class="gmail_quote">On Thu, Jan 19, 2012 at 9:48 AM, Scott Voll<span class="Apple-converted-space"> </span><span dir="ltr"><<a href="mailto:svoll.voip@gmail.com" target="_blank">svoll.voip@gmail.com</a>></span><span class="Apple-converted-space"> </span>wrote:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">except Lelio ;-)<span class="HOEnZb"><font color="#888888"><div><br></div></font></span><div><span class="HOEnZb"><font color="#888888">Scott</font></span><div><div class="h5"><br><br><div class="gmail_quote">On Thu, Jan 19, 2012 at 6:11 AM, Matthew Saskin<span class="Apple-converted-space"> </span><span dir="ltr"><<a 
href="mailto:msaskin@gmail.com" target="_blank">msaskin@gmail.com</a>></span><span class="Apple-converted-space"> </span>wrote:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">Who knows? It's not something that I've ever heard of on the roadmap from Cisco. Technically speaking, I can't imagine it would be terribly difficult to have the various CCM services operate on one interface/IP and the management (HTTP/HTTPS) on another address, but that's just me thinking about it.<br><br>Speaking realistically, I've never seen anyone care enough to implement ACLs or application layer filtering to "protect" the admin interface in the real world.<span><font color="#888888"><br><br>-matthew</font></span><div><div><br><br><br><div class="gmail_quote">On Thu, Jan 19, 2012 at 6:21 AM, FrogOnDSCP46EF<span class="Apple-converted-space"> </span><span dir="ltr"><<a href="mailto:ciscoboy2006@gmail.com" target="_blank">ciscoboy2006@gmail.com</a>></span><span class="Apple-converted-space"> </span>wrote:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">Thanks Matthew. Would this be difficult to do? 
Given Cisco has in-house UC developers.<div><div><br><br><br><div class="gmail_quote">On Thu, Jan 19, 2012 at 5:52 AM, Matthew Saskin<span class="Apple-converted-space"> </span><span dir="ltr"><<a href="mailto:msaskin@gmail.com" target="_blank">msaskin@gmail.com</a>></span><span class="Apple-converted-space"> </span>wrote:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">You can't. Virtual or physical, CUCM only operates using a single interface and single IP address. Closest you're going to get is firewall rules to disallow certain access based on source, and that may not even work as things like authentication URLs are on the same IP/port on the CUCM - you'd have to do some application layer filtering of URLs.<br><br><br><div class="gmail_quote"><div><div>On Wed, Jan 18, 2012 at 11:21 AM, FrogOnDSCP46EF<span class="Apple-converted-space"> </span><span dir="ltr"><<a href="mailto:ciscoboy2006@gmail.com" target="_blank">ciscoboy2006@gmail.com</a>></span><span class="Apple-converted-space"> </span>wrote:<br></div></div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; "><div><div>Has anyone figured out yet how to separate CUCM management in VMware or physical deployment?<br><br>It's kind of weird; all of Cisco's deployment templates are still putting mgmt and traffic packets on the same eth0 interface.<br><br>I bet this is on Cisco's to-do list.<br><br>thanks<br><br></div></div>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" 
target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br><br></blockquote></div><br></blockquote></div><br><br clear="all"><br></div></div><span><font color="#888888">--<span class="Apple-converted-space"> </span><br>Smile, you'll save someone else's day!<br>Frog<br></font></span></blockquote></div><br></div></div><br></blockquote></div><br></div></div></div></blockquote></div><br></div><br></div><br></div></div></span></div><br></div></div></body></html>
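The thread's conclusion (Matthew: the admin and end-user URLs sit on the same IP and port, so the filtering has to happen at the application layer; Wes and Lelio: because everything is https, that means a front-end reverse proxy) is illustrated by this added nginx configuration, which is not from the thread, from Cisco, or from any poster. It assumes a CUCM backend at 10.0.0.10:8443 (constructed), the proxy name cucm-proxy.example.edu (constructed), certificate paths of my choosing, and the web service path names exactly as the thread lists them (ccmuser allowed, ccmadmin/ccmservice/iptplatform denied); check the real paths against your own CUCM release before relying on this.

```nginx
# Added example (not the thread's or Cisco's config): reverse proxy in front of CUCM
# that exposes only the end-user self-care pages and refuses the admin pages outright.
# Constructed values: backend 10.0.0.10:8443, server_name, certificate paths.

upstream cucm {
    server 10.0.0.10:8443;      # constructed CUCM address/port; adjust to your cluster
}

server {
    listen 443 ssl;
    server_name cucm-proxy.example.edu;          # constructed public name of the proxy

    ssl_certificate     /etc/nginx/certs/cucm-proxy.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/cucm-proxy.key;

    # Deny-by-default: any path not explicitly opened below is not forwarded at all.
    location / {
        return 404;
    }

    # ccmuser is the only CUCM web service the thread wants reachable from the outside.
    location /ccmuser/ {
        proxy_pass https://cucm;
        proxy_ssl_server_name on;                  # send SNI to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # This is the "re-writing" Lelio mentions: Location headers that name the
        # backend host are rewritten to the proxy's own name so redirects stay inside it.
        proxy_redirect https://10.0.0.10:8443/ https://$host/;
    }

    # Admin/service/platform pages (names as listed in the thread) are refused here,
    # before any credential is ever presented to CUCM. Regex locations are evaluated
    # after prefix locations, so /ccmuser/ above still wins for its own paths.
    location ~ ^/(ccmadmin|ccmservice|iptplatform)(/|$) {
        return 403;
    }
}
```

As Lelio notes, this does nothing for clients that embed the CUCM's real IP address in their code or need direct host access (the Media Master bar is his example); those still need a separate, source-restricted path to the server, per Wes's per-port blocking.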