12-29-2013 04:01 PM - edited 03-17-2019 03:50 PM
I am deploying the Webex Meeting Server On-Premise and using the Non-Split-Horizon network for the IRP.
Actually, I have to input the Real IP and the public FQDN to the IRP deployment during the vCenter ova deployment. Should I set the NAT (from the real IP to the IRP private IP) on the external firewall? If not, how to communicate between the IRP and the internal Webex?
01-03-2014 01:26 AM
I know ...
1. Internal Admin Webex VM had the two networking ... I set the same vlan as the internal vlan already.
2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...
Where can I paste the real public IP?
PS: Not allow the Firewall to make the static NAT
PS: Not allow the public Webex FQDN to represent the private IP address
01-03-2014 11:31 AM
Chi Fai Leung wrote:
I know ...
1. Internal Admin Webex VM had the two networking ... I set the same vlan as the internal vlan already.
2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...
Where can I paste the real public IP?
PS: Not allow the Firewall to make the static NAT
PS: Not allow the public Webex FQDN to represent the private IP address
I have replied to your first question with the screenshot above. I am talking about the one that you shared the screenshot in.
Share the screenshot that I requested above, and when I get home I will upload a screenshot from my CWMS.
cheers
01-03-2014 04:01 PM
Hi,
I have found this text that I think will be very useful to you. Please read page 60 onwards.
http://www.cisco.com/en/US/docs/collaboration/CWMS/1_5/Planning_Guide.pdf
Now to answer your questions again.
Question:
“1. If I enter the public IP, then the public VIP should not be in the same subnet as the IRP VM.
2. If I enter the DMZ private IP, then can pass, but where can I enter the real public IP? NAT firewall?
2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...”
Answer: if the CWMS allows you to set the Virtual IP address as an ip address that belongs to your DMZ subnet, that is perfectly fine. Even if that subnet is not a public ip address.
Question: But the internet vlan is different ...”
Answer: That is also perfectly fine because you don’t have to configure the true Public Virtual IP Address on the CWMS. You can actually use an internal IP address. You can just NAT external users to the true virtual Public IP address, which may actually be a non-public or private IP address.
Here is my advice:
If you still have any further question please feel free to ask.
01-05-2014 03:20 AM
I deployed the Webex using the split-horizon network topology, that mean the internal users access the Webex site URL using the private VIP address and the external users (outside the external firewall) access the Webex site URL using the public VIP address.
1. The IRP Not Allow to enter two subnet IP
I had supposed the IRP have two virtual networking ports (One is for the DMZ VLAN; Second is for the Internet VLAN), but the IRP must be entered the same subnet network as the IRP IP addresses.
2. External firewall Not Allow to enter a static NAT
Actually, it could deploy the IRP and communicate with the internal Webex server using the DMZ private IP addresses, but the external firewall should be set with a static NAT rule as (the public real IP of IRP) > (the DMZ private IP of IRP). But my environment is not allowed to set a static NAT. Are there any other methods to deploy the IRP without the NAT?
3. Internal DNS Not Allow to enter a public DNS record
I accepted the internal users use the internal Webex FQDN and the external users use the public Webex FQDN, that is the split-horizon network topology? right? How the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?
01-06-2014 07:14 PM
2. External firewall Not Allow to enter a static NAT
Actually, it could deploy the IRP and communicate with the internal Webex server using the DMZ private IP addresses, but the external firewall should be set with a static NAT rule as (the public real IP of IRP) > (the DMZ private IP of IRP). But my environment is not allowed to set a static NAT. Are there any other methods to deploy the IRP without the NAT?
Answer : If static NAT is not allowed, you can use port forwarding for the port 80 and 443.
3. Internal DNS Not Allow to enter a public DNS record
I accepted the internal users use the internal Webex FQDN and the external users use the public Webex FQDN, that is the split-horizon network topology? right? How the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?
Answer : Your internal users will be connected to your internal DNS server, hence you have to configure your internal DNS server to reply with the Private VIP, so they connect to the internal server. External users will be querying a public DNS server, where you have to configure the public DNS server to reply with the public VIP so that they connect via the IRP.
Regards,
Hari
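A check for the split-horizon behaviour described in the answer above, as an added example that is not part of the original thread: it compares what each DNS view returns for the same Webex site URL against the intended private and public VIP. The hostname, addresses and function name are constructed placeholders, and the resolver answers are embedded as sample data rather than queried live.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly so documentation ranges are not counted.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: A records each resolver returned for the site URL.
SITE = "webex.example.com"
ANSWERS = {
    "internal": {SITE: ["10.10.20.5"]},     # answer seen by internal users
    "external": {SITE: ["203.0.113.25"]},   # answer seen from the Internet
}

def check_split_horizon(site, answers, private_vip, public_vip):
    """Return a list of findings; an empty list means both views answer as intended."""
    findings = []
    expected = {"internal": private_vip, "external": public_vip}
    for view, vip in expected.items():
        got = answers.get(view, {}).get(site, [])
        if not got:
            findings.append(f"{view}: no A record for {site}")
            continue
        for addr in got:
            ip = ipaddress.ip_address(addr)
            if ip != ipaddress.ip_address(vip):
                findings.append(f"{view}: {site} -> {addr}, expected {vip}")
            # A private address in the public view is only reachable from
            # outside if the firewall translates or forwards to it.
            if view == "external" and any(ip in net for net in RFC1918):
                findings.append(f"external: {site} -> {addr} is RFC 1918; "
                                "needs NAT or port forwarding (80/443)")
    return findings

if __name__ == "__main__":
    for line in check_split_horizon(SITE, ANSWERS, "10.10.20.5", "203.0.113.25"):
        print(line)
```
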
01-06-2014 07:34 PM
Answer : If static NAT is not allowed, you can use port forwarding for the port 80 and 443.
Reply: As the DMZ security, that would not have the layer 3 routing from the Internet to DMZ. I don't understand the role of IRP, that should be one leg for the DMZ and one leg for the Internet.
Answer : Your internal users will be connected to your internal DNS server, hence you have to configure your internal DNS server to reply with Private VIP, so they connect to the internal server. External Users will be querying public DNS server where you have to configure the Public DNS server to reply with public VIP so that they connect via IRP
Reply: How about the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?
01-07-2014 12:34 AM
I still faced on one question about the language.
1. "Call Me" service: "Welcome to Webex! You will be placed into the meeting ...." <-- Why does it play the Simplified Chinese language first, then play the English language on the "Call me at a new number"? The system is set to the language "English" already, but it still plays the Mandarin, then plays the English. Where can I set English only?
2. The time clock show: When I opened a meeting, the right corner would show the Chinese character, e.g. "7 Jan" > "一月七日". Why? Where can I set English only?
"Call me at a new number": it will play the Simplified Chinese language, then play the English language.
Select the "Internal Number Call" and press "9 39224416", that plays the English language only as "Welcome to Webex. You will be placed into the meeting ...."
01-07-2014 05:35 AM
As the DMZ security, that would not have the layer 3 routing from the Internet to DMZ. I don't understand the role of IRP, that should be one leg for the DMZ and one leg for the Internet.
Answer : Does your DMZ network have an Internet-routable public IP? If yes, then we don't need a NAT from the Internet to the DMZ. Most deployments will not allow traffic from the Internet to hit the internal network directly; hence, we need the IRP in those scenarios.
How about the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?
As I see here, both the internal and external FQDN will have the same host name [Webex URL]. When resolved from internal it will go to the private VIP, and when resolved from the external network it will resolve to the public VIP.
For your question related to language, could you please set the language to English in the user profile setting. This should display all text in English. When a user calls a country for which localized audio prompts are available, the user will hear dual-mode audio prompts.
01-07-2014 07:29 AM
I see what you mean, but on the internal Webex deployment, the IRP was not added and the internal users are using the internal Webex with the internal FQDN right now.
Now, I want to add back the IRP as below:
Next
Option 2: Then the system request me to input the same subnet of the FQDN detected IP, that should be DMZ subnet.
PS: My internal DNS server is not allowed to add a real public FQDN to represent a private IP address.
I know once I set the real public FQDN, then the proxy will be functional, but I cannot in my stage. Do I have to redeploy the internal Webex and tick the IRP during the deployment?
For my question related to language, I set the language to English in the user profile setting already. This displays all text in English. But when I use the Call Me service and select the Hong Kong location to call, the broadcast audio still plays the Mandarin, then English ...
Really thanks for all helps~
01-09-2014 10:23 PM
Is it possible for me to add a temp. DNS server to add a A-record? The zone of temp. DNS is the public domain as the IRP public FQDN (e.g. xxx.abc.com) to disguise the public domain and the A-record (e.g. webirp.abc.com) will represent to the DMZ ip address as 172.16.201.23, then I can pass the "Add Public Access" part.