
Mailing List Archive: Cisco: VOIP

Preventing Web Access to 79xx

 

 



mb at c2ukltd

Nov 3, 2009, 1:53 AM

Post #1 of 13 (723 views)
Permalink
Preventing Web Access to 79xx

Hi Folks,

We are currently deploying a CCM system and have a security remit of locking all Web Access to our 79xx phones. Can anyone advise on this? No matter what we try, we can still access. All help much appreciated.

Regards,

Mark


pwalenta at wi

Nov 3, 2009, 3:59 AM

Post #2 of 13 (697 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

On my CUCM 7.0.2 system I see an option under "Product Specific
Configuration Layout" on my 7970's. It's called "Web Access"...have you tried
this?





mb at c2ukltd

Nov 3, 2009, 4:07 AM

Post #3 of 13 (694 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

We have tried preventing Web Access here; however, we are still able to get in somehow. Now in the process of putting ACL although you would have thought there was a smarter way of achieving this?? Many thanks for all of the replies so far folks.



wsisk at cisco

Nov 3, 2009, 6:32 AM

Post #4 of 13 (687 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

What Philip indicated is correct. Change that setting, reset the
phone. Phone should download new config file. Then phone should
disable http interface. ACL should not be necessary. If you made the
change on the phone and it's not taking effect then I strongly recommend
investigating that more closely. This can be a symptom of more
significant issues on your CM.

/Wes

> _______________________________________________
> cisco-voip mailing list
> cisco-voip [at] puck
> https://puck.nether.net/mailman/listinfo/cisco-voip
>


lelio at uoguelph

Nov 3, 2009, 6:56 AM

Post #5 of 13 (686 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Personally speaking, I would investigate using ACLs to limit access to the phones' web browser/server. There are many services (some Cisco, some third party) that use the web server to do stuff, like post messages, etc.

Granted, it's a little more involved, and you need to have separate voice and data VLANs, but it's a better long-term approach. IMHO.

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt




ealeatherman at gmail

Nov 3, 2009, 7:55 AM

Post #6 of 13 (685 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Depending on the particular security requirements, he should still
consider disabling the web access in addition to ACLs etc.
I've had end users unplug phones, and move them to another office that
had a jack with only data vlan on it. Now the phone gets a public IP
address that is potentially reachable from anywhere. You can surf
to it and get the IP addresses of all your call manager servers, tftp
server, etc. Granted, these servers are hopefully on private IP space
- but it's more information than you probably want to provide to
someone scanning port 80. Just depends on how strict your security
concerns are, or how paranoid you are I guess :)


--
Ed Leatherman


lelio at uoguelph

Nov 3, 2009, 7:57 AM

Post #7 of 13 (691 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Interesting angle.

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt




svoll.voip at gmail

Nov 3, 2009, 8:00 AM

Post #8 of 13 (685 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Put the whole Voice network behind a Firewall. If they move to a Data Vlan
only....... the phone never comes up.... then the helpdesk gets the call and
someone can go and slap them around. ;-)

Just make sure the Firewall is an ASA and not a FWSM. <RANT> what a
Joke........ it's a firewall...... but NO VPN, NO Phone Proxy, basically you
lose all Voice functions you want out of a Firewall </RANT>.

Scott



lelio at uoguelph

Nov 3, 2009, 8:14 AM

Post #9 of 13 (690 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Ed's correct though, it won't come up, but it will get an IP address and can be browsed. The phone keeps config data around.

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt




rratliff at cisco

Nov 3, 2009, 8:26 AM

Post #10 of 13 (668 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Would having your data vlan IP address be public and reachable from
the big bad internet (especially on port 80) be a bigger worry for the
security group than users being able to access their IP phones' web
page?

There are some times when web access to the phone is very useful for
verifying config, looking at media information, or even for getting a
screenshot of the phone's display.

Setting up ACLs to block those you don't want to have access may be
more pain up front but if you ever need to get console logs, etc from
a phone without resetting it (bug investigation for example) then
being able to modify an ACL will be a lot easier than enabling web
access, resetting the phone (which will fix the issue), and waiting
for the problem to come back.

-Ryan



m.bufton at spectra-group

Nov 3, 2009, 8:28 AM

Post #11 of 13 (669 views)
Permalink
Re: Preventing Web Access to 79xx[Scanned] [In reply to]

I think access lists will be the way to go as I would like my Engineers
to be able to debug the phones.

Access list denying all, other than the management network, is the way
forward I think.


Martin Bufton BSc (Hons), CCNA - Systems Engineer
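
The approach described in this post (deny everything except the management network), combined with the earlier point that some services use the phones' web server, could be written as follows on a Cisco IOS layer-3 switch. This is an added example, not part of the original thread; every subnet, host address, the VLAN number and the ACL name are constructed placeholders.

```cisco
! Added example. All values below are assumptions, not taken from the thread:
!   10.10.20.0/24   voice VLAN (phones)
!   10.10.99.0/24   management network (engineers who debug phones)
!   10.10.50.11/.12 servers whose services post to the phones' web server
!
ip access-list extended PHONE-WEB-ACCESS
 remark Engineers on the management network may browse the phones
 permit tcp 10.10.99.0 0.0.0.255 10.10.20.0 0.0.0.255 eq www
 remark Servers that use the phone web server (message push and similar)
 permit tcp host 10.10.50.11 10.10.20.0 0.0.0.255 eq www
 permit tcp host 10.10.50.12 10.10.20.0 0.0.0.255 eq www
 remark Any other source is refused on the phone web server; hits are logged
 deny   tcp any 10.10.20.0 0.0.0.255 eq www log
 remark Leave all other traffic toward the phones untouched
 permit ip any any
!
! Applied outbound on the voice VLAN gateway, so it filters traffic
! that is routed toward the phones.
interface Vlan20
 description Voice VLAN gateway (placeholder)
 ip access-group PHONE-WEB-ACCESS out
```

An ACL bound to the voice VLAN gateway does not filter a phone that has been moved to a data-only jack, which is the argument made earlier in the thread for also disabling "Web Access" on the device.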




ealeatherman at gmail

Nov 3, 2009, 8:51 AM

Post #12 of 13 (675 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Oh I agree.. I leave web access enabled myself - I don't consider the
risk great enough to outweigh the troubleshooting value. Just saying
it's something to consider depending on your situation.
Coming from a higher education point of view, we have a hard time
blocking certain traffic no matter how much we want to, port 80 may
very well be open to the internet.



--
Ed Leatherman


mb at c2ukltd

Nov 4, 2009, 1:48 AM

Post #13 of 13 (656 views)
Permalink
Re: Preventing Web Access to 79xx [In reply to]

Hi All,

Many thanks for all of your help - we are completing the install today and will let you know how it went.

Kind Regards,

Mark
