
Cisco Webex Meeting Server On-Premise – IRP Issues

Chi Fai Leung
Level 1

I am deploying the Webex Meeting Server On-Premise and using the Non-Split-Horizon network for the IRP.

Non-Split-Horizon.png

Actually, I have to input the real IP and the public FQDN into the IRP deployment during the vCenter OVA deployment. Should I set the NAT (from the real IP to the IRP private IP) on the external firewall? If not, how do the IRP and the internal Webex communicate?


Sarg .
Level 3

Don't take my word for it, but I would think along these lines:

1) The proxies should know the IP and FQDN of the admin VM, as it was entered into the proxy during deployment.

2) I thought the proxies were supposed to be configured with a public IP. If you have used a private one, it might be worth NAT-ing to the proxy's internal IP.

3) You may also now need to create a DNS entry to point to the public IP (e.g. meetings@testlab.com) of the proxy so that when people try to join your meetings, they are given a routable IP address to connect to.

And by the way, can your firewall really handle everyone going through it for a meeting? With all that video, audio and web presentation going on, it might be worth just modifying your deployment.

Cheers

Chi Fai Leung
Level 1

One more related question I want to ask is about resource usage. The hardware specification of the IRP is the same as that of the internal Webex. Will the external users use the IRP media resources? Will the internal users use the internal Webex media resources?

Don't take my word for it, because as a support engineer my deployment experience is pretty much in my bedroom. That said, here is my understanding:

1) The external-user-facing part of CWMS is the proxy. The proxies only permit or terminate the connections from external devices (mobiles included). You will need a proxy if you wish to connect with iPhones.

2) Inside the network, we have the Admin, Media, Web and Media.

3) During a meeting, the Proxy VM on the outside of the network connects to the Media/Web VM that is on the inside of the network. So even though the media to the external devices is terminated on the proxy, the mixing and processing of the media happens on the inside.

4) Cisco recommends 1.5 Mbps per connection or device, so if you send both internal and external users to the DMZ, your WAN bandwidth utilization is going to take a massive hit.

5) According to your design, when meetings are hosted, everyone connects to the proxy and the proxy then sends everyone's media back into the Media VMs, which are inside the network: double trouble!

6) The best bet would be to deploy split-horizon DNS, but the second best would be:

Internal Internet Reverse Proxy Network Topology

Please see details here:


http://www.cisco.com/en/US/docs/collaboration/CWMS/1_5/Planning_Guide_chapter_01.html

Sarg .
Level 3

Any luck with this, how did it turn out?

Not Yet!

Actually, I deployed the internal Webex OVA on the internal UCS server already, and it is in use right now.

Now I want to deploy the IRP on the DMZ UCS server. When I use vCenter to deploy the OVA and select "50 Internet Reverse Proxy", I enter the public FQDN, the public IP address, etc. After that the IRP comes up normally, but it shows "Wait the internal Admin Webex"  <-- This is the problem ~ Where can I set the DMZ private IP on the IRP? It has two virtual network ports.

Hi

Have you configured the admin server to detect the proxy so that it can be joined to the Webex network?

Please note that all virtual IP addresses are configured on the Admin VM and not the proxy.

First of all, watch this YouTube clip from 15 min to about 20 min. In this time frame, you will see how the proxy is connected to the Admin VM and how the virtual IP address is configured.

http://youtu.be/BlEtbiNQyTI

After watching this, please note the following.

First of all, consider this scenario.

1) You have two internal CWMS admin servers.

2) You have two external CWMS proxy servers.

3) If you watch the video above, you will notice that the private address that you configure has to belong to the same subnet as the two internal CWMS admin servers.

4) You will also notice that the external (public) virtual IP address has to belong to the same subnet as the two reverse proxy servers' public addresses.

5) The two internal admin servers listen for any ARP request for the internal virtual IP address and respond to it. You can see this as a kind of HSRP. The private virtual IP address is shared by the two internal Admin/web servers. This is how high availability is achieved.

6) The two external proxy servers will automatically know to respond to any request coming to the public virtual IP address. This is the reason why the IP addresses of the proxy servers need to be on the same VLAN as the public virtual IP address, so that the proxies can respond to any ARP request coming to the public virtual IP address. The servers monitor each other, and if one spots that the other has gone down, it will start responding to the requests coming to the public virtual IP.

7) You should make sure that you have configured routing and switching to allow the proxy and internal servers to communicate with each other. Make sure no firewall is blocking their communication. You will also find the ports that are used by the servers in the CWMS Planning Guide, in case you really want to lock the firewall down.

8) All the CWMS servers should have access to the configured DNS server, and that DNS server should be able to resolve the names of the CWMS servers as well as the Admin URL and meeting URL.

That should be all you need. If you encounter any further issues, please let the community know.

Cheers

Thanks for your reply!

I tried to add the public VIP, but that would show the error as below:

1. If I enter the public IP, then the public VIP should not be in the same subnet as the IRP VM.

2. If I enter the DMZ private IP, then it passes, but where can I enter the real public IP? NAT firewall?

Chi Fai Leung wrote:

Thanks for your reply!

I tried to add the public VIP, but that would show the error as below:

1. If I enter the public IP, then the public VIP should not be in the same subnet as the IRP VM.

2. If I enter the DMZ private IP, then it passes, but where can I enter the real public IP? NAT firewall?

The answer to your question is already in this post, but maybe I am not understanding you correctly. You do not have to place one Ethernet port in one VLAN and the other in another VLAN. Just place all of them in one VLAN/subnet, including the public virtual IP. Even if the IRP has a private physical IP address, you can even set your public virtual IP address to an internal IP. On the outside of your firewall, you can configure a NAT rule that translates your external IP to the internal IP. This will still work, but I think that's way too much NATing.

Can I please request that you share the IP configuration page of the IRP? You can view the IP settings of the IRP VM by using vCenter to view the properties.

Share this info with us and you should be fine.

::::::::::::::::::::::::::::::::::::

I think the CWMS IRP will not fit my network environment: there is complete isolation from the Internet firewall to the DMZ network and the CWMS IRP is single-arm, so I cannot deploy the CWMS IRP for outside users in my environment.

CF_CWMS_OneArm.png

Dear Sir,

Can you tell me how many IP addresses are required for the IRP setup?

My IRP is in the DMZ. At the time of deployment of the OVA I put in an IP address, 192.168.5.129 (DMZ subnet); then I have another IP address meant for the Public VIP, 192.168.5.134, which is NATed to the real public IP.

Is this correct, or can I use the same 192.168.5.129 as the Public VIP and NAT this to the real public IP?

If I am going to use Public VIP 192.168.5.134, which ports need to be opened from Internal to DMZ?

Toms

 

Hi Toms,

You have to have TWO IP Addresses dedicated for IRP VM that will be on the same subnet:

Eth0 - IRP VM's IP address setup during deployment

Eth1 - Public VIP address setup during Public Access configuration

If you decide to assign a real public IP on the firewall, it needs to be NATed to Public VIP.

 

As for port requirements, please check the Planning Guide: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_0100.html#reference_CB65D7FE4B3746DDAF1649884AD777CE

 

I hope this helps.

-Dejan
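The addressing rules given in this thread (two dedicated IRP addresses in one subnet, the private VIP in the Admin VMs' subnet, and firewall NAT when the Public VIP is a private address) can be checked before deployment. The following is an added example, not part of the original posts and not Cisco code; the /24 mask, the internal subnet, the Admin and private VIP addresses and the 203.0.113.10 NAT address are constructed assumptions, while 192.168.5.129 and 192.168.5.134 come from the question above.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def check_irp_plan(plan):
    """Return a list of findings; an empty list means the plan follows the thread's rules."""
    findings = []
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    inside = ipaddress.ip_network(plan["internal_subnet"])
    eth0 = ipaddress.ip_address(plan["irp_eth0"])
    pub_vip = ipaddress.ip_address(plan["public_vip"])
    nat = plan.get("nat_public_ip")

    # Two dedicated addresses: the VM's own IP and the Public VIP.
    if eth0 == pub_vip:
        findings.append("Public VIP must be a second address, not the IRP VM's own IP")
    # Both must sit in the same subnet so the IRP can answer ARP for the VIP.
    for name, ip in (("IRP eth0", eth0), ("Public VIP", pub_vip)):
        if ip not in dmz:
            findings.append(f"{name} {ip} is outside the IRP subnet {dmz}")
    # The private VIP shares a subnet with the internal Admin VMs.
    internal = [("Private VIP", plan["private_vip"])]
    internal += [("Admin VM", a) for a in plan["admin_ips"]]
    for name, raw in internal:
        if ipaddress.ip_address(raw) not in inside:
            findings.append(f"{name} {raw} is outside the internal subnet {inside}")
    # A private Public VIP is reachable from outside only through firewall NAT.
    if is_rfc1918(pub_vip):
        if nat is None:
            findings.append("Public VIP is RFC 1918: add firewall NAT from a real public IP")
        elif is_rfc1918(ipaddress.ip_address(nat)):
            findings.append(f"NAT address {nat} is itself RFC 1918")
    return findings

# Constructed plan: only the two 192.168.5.x addresses come from the thread.
PLAN = {"dmz_subnet": "192.168.5.0/24", "irp_eth0": "192.168.5.129",
        "public_vip": "192.168.5.134", "nat_public_ip": "203.0.113.10",
        "internal_subnet": "10.10.20.0/24", "admin_ips": ["10.10.20.11"],
        "private_vip": "10.10.20.10"}

if __name__ == "__main__":
    for finding in check_irp_plan(PLAN) or ["plan is consistent"]:
        print(finding)
```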

Hello, Serenity and colleagues.

Will you be able to grant me access to the video link (http://youtu.be/BlEtbiNQyTI)? As I understand it, it is now closed to me by privacy settings.

Or if someone already has this video, please share it with me.

I am starting the design and need to be able to view this useful video, which will probably help my understanding. If someone has this, please share.

Thanks in advance .

Hi,

I am not sure what exact part of CWMS deployment you need assistance with, but you can find some useful videos here: https://supportforums.cisco.com/community/5726/conferencing#quicktabs-community_activity=3

I hope this will be of help.

-Dejan

Chi Fai Leung wrote:

Not Yet!

Actually, I deployed the internal Webex OVA on the internal UCS server already, and it is in use right now.

Now I want to deploy the IRP on the DMZ UCS server. When I use vCenter to deploy the OVA and select "50 Internet Reverse Proxy", I enter the public FQDN, the public IP address, etc. After that the IRP comes up normally, but it shows "Wait the internal Admin Webex"  <-- This is the problem ~ Where can I set the DMZ private IP on the IRP? It has two virtual network ports.

Question: Have two virtual network ports.

Answer: Please put the two CWMS virtual ports on the same VLAN. They are meant for Ethernet redundancy: when a NIC fails or a switch port fails.

Cheers
