Recommendations for Unified Communications Products

Common Security Considerations

At minimum, Prognosis for Unified Communications is installed in a two-server configuration: a Prognosis server installation that monitors the UC environment, and a separate machine hosting the primary Prognosis Management Server and the Web Application. Prognosis for Unified Communications supports the monitoring of multiple UC applications and can be deployed and managed via multiple Prognosis Management Servers.

All UC monitoring is performed off-board, so it requires access to various interfaces on the monitored devices, including:

  • Utilizing web services

  • Issuing SNMP Queries

  • Receiving SNMP traps

  • Retrieving WMI statistics

  • Retrieving metrics via command line interfaces (Telnet/SSH)

  • Receiving files via SFTP

  • Receiving events via syslog

In Prognosis for UC installations, the following additional security items should be considered.

Access Layer

Prognosis uses the following credentials, stored in the PASSWORDS configuration, to retrieve and accept data from various monitoring interfaces:

| Entry Name | Purpose | Used By |
| --- | --- | --- |
| snmpV2c:* | Used to set the authentication password to obtain SNMP data (via SNMPv2c) from a specified device. | UC: Avaya Aura AES, Avaya Aura AEP, Avaya Aura Contact Center, Avaya Aura System and Session Manager, Avaya Aura Communications Manager, Avaya Communication Server 1000, Avaya IP Office, Avaya Modular Messaging, Cisco Emergency Responder, Cisco UCCE, Cisco UCCX, Cisco Unified Communications Manager, Cisco Unified Computing System (UCS-B), Cisco Unified Presence, Cisco Unity Connection; SBC: Oracle SBC, AudioCodes SBC, Avaya SBC-E, Cisco UBE, Ribbon SBC; Standalone Gateways and Routers |
| snmpV3:* | Used to set the authentication password to obtain SNMP data (via SNMPv3) from a specified device. | UC: Avaya Aura AES, Avaya Aura AEP, Avaya Aura Contact Center, Avaya Aura System and Session Manager, Avaya Aura Communications Manager, Avaya IP Office, Avaya Modular Messaging, Cisco Emergency Responder, Cisco UCCE, Cisco UCCX, Cisco Unified Communications Manager, Cisco Unified Computing System (UCS-B), Cisco Unified Presence, Cisco Unity Connection; SBC: Oracle SBC, AudioCodes SBC, Avaya SBC-E, Cisco UBE, Ribbon SBC; Standalone Gateways and Routers |
| snmpV3encryption:* | Used to set the encryption password to obtain SNMP data (via SNMPv3) from a specified device. | UC: Avaya Aura AES, Avaya Aura AEP, Avaya Aura Contact Center, Avaya Aura System and Session Manager, Avaya Aura Communications Manager, Avaya IP Office, Avaya Modular Messaging, Cisco Emergency Responder, Cisco UCCE, Cisco UCCX, Cisco Unified Communications Manager, Cisco Unified Computing System (UCS-B), Cisco Unified Presence, Cisco Unity Connection; SBC: Oracle SBC, AudioCodes SBC, Avaya SBC-E, Cisco UBE, Ribbon SBC; Standalone Gateways and Routers |
| FTP:* | Used to set the password to retrieve CDRs via FTP. | Avaya Communication Server 1000 |
| SFTP:* | Used to set the password to receive CDRs via SFTP. | Cisco Unified Communications Manager, Oracle SBC |
| WMI:* | Used to access WMI performance information from the PBX. | Avaya Aura Contact Center, Avaya Modular Messaging, Call Recording Assurance, Skype for Business |

Network Layer

For the port considerations that apply to Prognosis for Unified Communications, see the Port Requirements.

Most UC subsystems support the use of SNMPv3 for monitoring. It is highly recommended that SNMPv3 be enabled wherever it is available in Prognosis and on the monitored device.

UC systems can also be configured to send Syslog messages to Prognosis. TLS can typically be enabled on Syslog connections, so when TLS Syslog is available from the monitored device, it is recommended that it be used to forward any events that may contain confidential data.

In addition, command line interfaces are used to retrieve information from some UC systems. In these cases, an option is provided to use telnet or SSH for the connection. The following systems are affected:

| Configuration Setting | Purpose | Used By |
| --- | --- | --- |
| CLI_PROFILE (mode) | Used to set the mode of connection to the command line interface (telnet or ssh). | UC: Avaya CS1000, Cisco Emergency Responder, Cisco UCS-C, Cisco Unity Connection; SBC: Cisco UBE |
| SAT_PROFILE (mode) | Used to set the mode of connection to the command line interface (telnet or ssh). | UC: Avaya Aura Communications Manager |

System Layer

The following Prognosis configuration files for UC should be covered by File Integrity Monitoring.

| File Name | Purpose |
| --- | --- |
| Server\Configuration\IPTM\ContactCenter\xml\Common\contact-center-global.xml | Performance tuning configuration for Avaya Contact Center monitoring. |
| Server\Configuration\IPTM\ContactCenter\xml\Common\snmp-global.xml | Performance tuning configuration for Avaya Contact Center monitoring. |
| Server\Configuration\IPTM\Avaya\avaya-sat-global.xml | Performance tuning configuration for Avaya monitoring. |
| Server\Configuration\IPTM\AvayaIpo\avaya-ipo-globals.xml | Performance tuning configuration for Avaya IP Office monitoring. |
| Server\Configuration\IPTM\CallRecording\xml\Common\call-recording-global.xml | Performance tuning configuration for Call Recording Assurance. |
| Server\Configuration\IPTM\CallRecording\xml\Nice\nice-global.xml | Performance tuning configuration for Call Recording Assurance. |
| Server\Configuration\IPTM\Ccma\cce-global.xml | Performance tuning configuration for Cisco Unified Contact Center Enterprise monitoring. |
| Server\Configuration\IPTM\Ccma\ccx-global.xml | Performance tuning configuration for Cisco Unified Contact Center Express monitoring. |
| Server\Configuration\IPTM\Ccma\Config\GWayDesc.csv | Gateway description configuration for Cisco Call Manager. |
| Server\Configuration\IPTM\Ccma\cer-global.xml | Performance tuning configuration for Cisco Emergency Responder monitoring. |
| Server\Configuration\IPTM\Ccma\cma-global.xml | Performance tuning configuration for Cisco Call Manager monitoring. |
| Server\Configuration\IPTM\Ccma\cuc-global.xml | Performance tuning configuration for Cisco Unity Connection monitoring. |
| Server\Configuration\IPTM\Ccma\cup-global.xml | Performance tuning configuration for Cisco Unified Presence monitoring. |
| Server\Configuration\IPTM\Common\SNMP\snmp-global.xml | Performance tuning configuration for SNMP monitoring. |
| Server\Configuration\IPTM\Common\WMI\wmi-globals.xml | Performance tuning configuration for WMI monitoring. |
| Server\Configuration\IPTM\Cucs\ucs-global.xml | Performance tuning configuration for Cisco Unified Computing System monitoring. |
| Server\Configuration\IPTM\iptdevice\dev-global.xml | Performance tuning configuration for generic IPT device monitoring. |
| Server\Configuration\IPTM\Lync\lync-globals.xml | Performance tuning configuration for Skype for Business monitoring. |
| Server\Configuration\IPTM\Nortel\nortel-global.xml | Performance tuning configuration for Nortel monitoring. |
| Server\Configuration\IPTM\radius\radius-global.xml | Performance tuning configuration for Radius monitoring. |
| Server\Configuration\IPTM\Sbc\asbce-snmp-global.xml | Performance tuning configuration for Avaya SBC-E monitoring. |
| Server\Configuration\IPTM\Sbc\cube-global.xml | Performance tuning configuration for Cisco UBE monitoring. |
| Server\Configuration\IPTM\Sbc\sbc-acme2600-global.xml | Performance tuning configuration for Oracle SBC monitoring. |
| Server\Configuration\IPTM\syslog\syslog-global.xml | Performance tuning configuration for Syslog monitoring. |
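
One way to put the files listed above under integrity monitoring, as an added example that is not part of Prognosis or of the original article: a SHA-256 baseline that reports modified, missing and newly created files. The install root and the baseline location are assumptions supplied by the caller, and the list holds only a subset of the paths above.

```python
import hashlib
import json
from pathlib import Path, PureWindowsPath

# Subset of the files listed above, relative to the Prognosis install folder
# (assumed to be passed in as `root`); extend with the remaining entries.
MONITORED = [
    r"Server\Configuration\IPTM\Common\SNMP\snmp-global.xml",
    r"Server\Configuration\IPTM\syslog\syslog-global.xml",
    r"Server\Configuration\IPTM\Ccma\cma-global.xml",
    r"Server\Configuration\IPTM\Ccma\Config\GWayDesc.csv",
]

def _resolve(root, rel):
    # Paths are written Windows-style; split them so the check runs anywhere.
    return Path(root).joinpath(*PureWindowsPath(rel).parts)

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root, files=MONITORED):
    """Map each monitored file to its SHA-256, or None if it is absent."""
    paths = {rel: _resolve(root, rel) for rel in files}
    return {rel: sha256_of(p) if p.is_file() else None for rel, p in paths.items()}

def write_baseline(root, baseline_path, files=MONITORED):
    # Record the approved state. Keep the baseline off the monitored server
    # (or read-only) so it cannot be rewritten along with the files.
    baseline = snapshot(root, files)
    Path(baseline_path).write_text(json.dumps(baseline, indent=2))
    return baseline

def verify(root, baseline_path):
    """Return {file: status} for every file that differs from the baseline."""
    baseline = json.loads(Path(baseline_path).read_text())
    current = snapshot(root, list(baseline))
    findings = {}
    for rel, expected in baseline.items():
        actual = current[rel]
        if actual != expected:
            findings[rel] = ("created" if expected is None else
                             "missing" if actual is None else "modified")
    return findings
```

Run `write_baseline` after each approved configuration change and `verify` on a schedule; a non-empty result is a change that has not been approved.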

Recommendations

In all environments, the following approach is recommended:

  • Lock down access to any Prognosis ports not required for remote connections.

  • Use SNMPv2c or higher for all SNMP based monitoring.

In high security environments, the following approach is recommended:

  • Deploy a file integrity checking tool to ensure that files in the Prognosis folder are not changed without the relevant approval.

  • Lock down remote access to ports that are not required for remote communications.

  • Utilize SNMPv3 where possible, with both authentication and privacy encryption mechanisms enabled.

  • Enable TLS on any incoming Syslog connections, especially where confidential information may be transmitted in events.

  • Use SSH mode on any CLI_PROFILE or SAT_PROFILE connections.