
Cisco Webex Meeting Server On-Premise – IRP Issues

Chi Fai Leung
Level 1

I am deploying the Webex Meeting Server On-Premise and using the Non-Split-Horizon network for the IRP.

Non-Split-Horizon.png

Actually, I have to input the real IP and the public FQDN for the IRP during the vCenter OVA deployment. Should I set the NAT (from the real IP to the IRP private IP) on the external firewall? If not, how do the IRP and the internal Webex communicate?


I know ...

1. Internal Admin Webex VM had the two networking ... I set the same vlan as the internal vlan already.

2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...

Where can I paste the real public IP?

PS: Not allow the Firewall to make the static NAT

PS: Not allow the public Webex FQDN to represent the private IP address

Chi Fai Leung wrote:

I know ...

1. Internal Admin Webex VM had the two networking ... I set the same vlan as the internal vlan already.

2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...

Where can I paste the real public IP?

PS: Not allow the Firewall to make the static NAT

PS: Not allow the public Webex FQDN to represent the private IP address

I have replied to your first question with the screenshot above. I am talking about the one that you shared the screenshot in.

Share the screenshot that I requested above, and when I get home I will upload a screenshot from my CWMS.

cheers

Hi,

I have found this text that I think will be very useful to you.  Please read page 60 onwards.

http://www.cisco.com/en/US/docs/collaboration/CWMS/1_5/Planning_Guide.pdf

Now to answer your questions again.

Question:

“1. If I enter the public IP, then the public VIP should not be in the same subnet as the IRP VM.

2. If I enter the DMZ private IP, then can pass, but where can I enter the real public IP? NAT firewall?

2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...”

Answer: If the CWMS allows you to set the Virtual IP address as an IP address that belongs to your DMZ subnet, that is perfectly fine. Even if that subnet is not a public IP address.

Question: But the internet vlan is different ...

Answer: That is also perfectly fine because you don’t have to configure the true Public Virtual IP Address on the CWMS. You can actually use an internal IP address. You can just NAT external users to the true virtual Public IP address, which may actually be a non-public or private IP address.

Here is my advice:

  1) Configure any Virtual IP address on the internet reverse proxy that CWMS allows you to configure.
  2) Forget about trying to configure the ‘true’ public virtual IP address anywhere on the CWMS. It does not matter. Remember that when you configured your internet reverse proxy you were only allowed to give it one IP address? Therefore, what you now need to do is to place both of its network cards or interfaces on the same VLAN so that it can have Ethernet redundancy. The only requirement is that the internet reverse proxy’s IP address is in the same subnet as the virtual public IP address that you configure on CWMS. As soon as you configure the public virtual IP address in the CWMS web page, the reverse proxy will know about it and start pretending to be the virtual IP address.
  3) Don’t worry about trying to configure the virtual public IP address on the CWMS because the proxy will learn this IP from the configuration that you entered in step 1.
  4) On your main outside firewall, configure the Public Virtual IP address (truly public IP) and NAT it to the Webex site’s DMZ ‘public’ virtual IP address, which is actually the private IP that you configured in step 1.
  5) Make sure that your external DNS server maps your Webex site to the Public virtual IP address that you configured on the firewall.
  6) This last step is optional, but I would still advise that you configure your internal DNS server to map the Webex site to the internal virtual IP address. The IP address that I am talking about here is the IP address that is used for administration. In my lab, my iPhone can actually connect to my Webex site without using the reverse proxy vlan local Lan Wireless.

If you still have any further question please feel free to ask. 
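
The addressing plan from the six steps above, written as a consistency check. This is an added example, not part of the original thread and not Cisco tooling; every key name and address is constructed for illustration, and 203.0.113.10 stands in for the truly public IP.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True when addr is private (RFC 1918) space."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def check_irp_plan(plan):
    """Return the list of inconsistencies in a CWMS/IRP addressing plan."""
    problems = []
    fqdn, vip, pub = plan["site_fqdn"], plan["cwms_public_vip"], plan["firewall_public_ip"]
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    # Step 2: IRP address and the VIP entered on CWMS sit in one subnet.
    for key in ("irp_ip", "cwms_public_vip"):
        if ipaddress.ip_address(plan[key]) not in dmz:
            problems.append(f"{key} {plan[key]} is outside {dmz}")
    # Step 4: the outside firewall owns the truly public IP and NATs it to the VIP.
    if is_rfc1918(pub):
        problems.append("firewall_public_ip is private address space")
    if plan["firewall_nat"].get(pub) != vip:
        problems.append("firewall does not translate the public IP to cwms_public_vip")
    # Step 5: external DNS answers with the firewall's public IP.
    if plan["external_dns"].get(fqdn) != pub:
        problems.append("external DNS does not map the site to firewall_public_ip")
    # Step 6 (optional in the post): internal DNS answers with the internal VIP.
    if plan["internal_dns"].get(fqdn) != plan["internal_private_vip"]:
        problems.append("internal DNS does not map the site to internal_private_vip")
    return problems

# Constructed sample plan; every value is illustrative.
GOOD_PLAN = {
    "site_fqdn": "webex.example.com",
    "dmz_subnet": "172.16.201.0/24",
    "irp_ip": "172.16.201.23",
    "cwms_public_vip": "172.16.201.24",
    "firewall_public_ip": "203.0.113.10",
    "firewall_nat": {"203.0.113.10": "172.16.201.24"},
    "external_dns": {"webex.example.com": "203.0.113.10"},
    "internal_private_vip": "10.10.1.20",
    "internal_dns": {"webex.example.com": "10.10.1.20"},
}
# Same plan with two mistakes: IRP on another VLAN, public DNS leaking the DMZ VIP.
BAD_PLAN = dict(GOOD_PLAN, irp_ip="172.16.202.23",
                external_dns={"webex.example.com": "172.16.201.24"})

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_irp_plan(plan) or "consistent")
```

The RFC 1918 test is done against an explicit list because Python's `is_private` also flags documentation ranges such as 203.0.113.0/24.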

I deployed the Webex using the split-horizon network topology, that mean the internal users access the Webex site URL using the private VIP address and the external users (outside the external firewall) access the Webex site URL using the public VIP address.

1. The IRP Not Allow to enter two subnet IP

I had supposed the IRP have two virtual networking ports (One is for the DMZ VLAN; Second is for the Internet VLAN), but the IRP must be entered the same subnet network as the IRP IP addresses.

2. External firewall Not Allow to enter a static NAT

Actually, it could deploy the IRP and communicate with the internal Webex server using the DMZ private IP addresses, but the external firewall should be set with a static NAT rule as (the public real IP of IRP) > (the DMZ private IP of IRP). But my environment does not allow a static NAT. Are there any other methods to deploy the IRP without the NAT?

3. Internal DNS Not Allow to enter a public DNS record

I accepted the internal users use the internal Webex FQDN and the external users use the public Webex FQDN, that is the split-horizon network topology? right? How the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?

2. External firewall Not Allow to enter a static NAT

Actually, it could deploy the IRP and communicate with the internal Webex server using the DMZ private IP addresses, but the external firewall should be set with a static NAT rule as (the public real IP of IRP) > (the DMZ private IP of IRP). But my environment does not allow a static NAT. Are there any other methods to deploy the IRP without the NAT?

Answer : If static NAT is not allowed, you can use port forwarding for the port 80 and 443.

3. Internal DNS Not Allow to enter a public DNS record

I accepted the internal users use the internal Webex FQDN and the external users use the public Webex FQDN, that is the split-horizon network topology? right? How the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?

Answer : Your internal users will be connected to your internal DNS server, hence you have to configure your internal DNS server to reply with Private VIP, so they connect to the internal server. External Users will be querying public DNS server where you have to configure the Public DNS server to reply with public VIP so that they connect via IRP

Regards,

Hari

Answer : If static NAT is not allowed, you can use port forwarding for the port 80 and 443.

Reply: As the DMZ security, that would not have the layer 3 routing from the Internet to DMZ. I don't understand the role of IRP, that should be one leg for the DMZ and one leg for the Internet.

Answer : Your internal users will be connected to your internal DNS server, hence you have to configure your internal DNS server to reply with Private VIP, so they connect to the internal server. External Users will be querying public DNS server where you have to configure the Public DNS server to reply with public VIP so that they connect via IRP

Reply: How about the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?

I still face one question about the language.

1. "Call Me" service: "Welcome to Webex! You will be placed into the meeting ...."  <-- Why does it play the simplified Chinese language first, then play the English language on the "Call me at a new number"? The system is set to "English" already, but it still plays the Mandarin, then plays the English. Where can I set English only?

2. The time clock display: When I opened a meeting, the right corner would show the Chinese characters, e.g. "7 Jan" > "一月七日". Why? Where can I set English only?

"Call me at a new number": it will play the simplified Chinese language, then play the English language.

Select the "Internal Number Call" and press "9 39224416", that plays the English language only as "Welcome to Webex. You will be placed into the meeting ...."

As the DMZ security, that would not have the layer 3 routing from the Internet to DMZ. I don't understand the role of IRP, that should be one leg for the DMZ and one leg for the Internet.

Answer : Does your DMZ network have an internet-routable public IP? If yes, then we don't need a NAT from internet to DMZ. Most deployments will not allow traffic from the Internet to hit the internal network directly, hence we need IRP in those scenarios.

How about the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?

As I see here, both the internal and external FQDN will have the same host name [Webex URL]. When resolved from internal it will go to the private VIP, and when resolved from the external network it will resolve to the public VIP.

For your question related to language, could you please set the language to English in the user profile setting. This should display all text in English. When a user calls a country for which localized audio prompts are available, users will hear dual-mode audio prompts.

I see what you mean, but in the internal Webex deployment, the IRP was not added and the internal users are using the internal Webex with the internal FQDN right now.

Now, I want to add back the IRP as below:

Next

Option 2: Then the system requests me to input the same subnet as the FQDN detected IP, that should be the DMZ subnet.

PS: My internal DNS server is not allowed to add a real public FQDN to represent a private IP address.

I know once I set the real public FQDN, then the proxy will be functional, but I cannot at my stage. Do I have to redeploy the internal Webex and tick the IRP during the deployment?

For my question related to language, I set the language to English in the user profile setting already. This displays all text in English. But when I use the Call Me service and select the Hong Kong location to call, the broadcast audio still plays the Mandarin then English ...

Really thanks for all helps~

Is it possible for me to add a temp. DNS server to add a A-record? The zone of temp. DNS is the public domain as the IRP public FQDN (e.g. xxx.abc.com) to disguise the public domain and the A-record (e.g. webirp.abc.com) will represent to the DMZ ip address as 172.16.201.23, then I can pass the "Add Public Access" part.