Cisco Support Community
New Member

Cisco Webex Meeting Server On-Premise – IRP Issues

I am deploying the Webex Meeting Server On-Premise and using the Non-Split-Horizon network for the IRP.

Non-Split-Horizon.png

Actually, I have to input the Real IP and the public FQDN to the IRP deployment during the vCenter ova deployment. Should I set the NAT (from the real IP to the IRP private IP) on the external firewall? If not, how to communicate between the IRP and the internal Webex?

24 REPLIES
New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Don't take my word for it but I would think along these lines:

1) The proxies should know the IP and FQDN of the admin VM as it was entered into the proxy during deployment.

2) I thought the proxies were supposed to be configured with a public IP. If you have used a private, it might be worth NAT-ing to the proxy's internal IP.

3) Also, you may now need to create a DNS entry to point to the public IP (e.g. meetings@testlab.com) of the proxy so when people try to join your meetings, they are given a routable IP address to connect with.

And by the way, can your firewall really handle everyone going through it for a meeting? With all that video, audio and web presentation going on, it might be worth just modifying your deployment.

Cheers

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

One more related question I want to ask about the resource usage. The hardware specification of the IRP is the same as the internal Webex. Will the external users use the IRP media resource? Will the internal users use the internal Webex media resource?

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Don't take my word for it because as a support engineer, my deployment experience is pretty much in my bedroom. That said, here is my understanding:

1) The external-user-facing part of CWMS is the proxy. They only permit or terminate the connections from external devices (mobiles included). You will need a proxy if you wish to connect with iPhones.

2) Inside the network, we have the Admin, Media, Web and Media.

3) During a meeting, the Proxy VM on the outside of the network connects to the Media/Web VM that is on the inside of the network. So even though the media to the external devices is terminated on the proxy, the mixing and processing of the media happens on the inside.

4) Cisco recommends 1.5mbps per connection or device so if you send both internal and external users to the DMZ, your WAN bandwidth utilization is going to take a massive hit.

5) According to your design, when meetings are hosted, everyone connects to the proxy and the proxy then sends everyone's media back into the Media VMs which are inside the network: Double trouble!

6) The best bet would be to deploy split horizon DNS but the second best would be:

Internal Internet Reverse Proxy Network Topology

Please see details here:


http://www.cisco.com/en/US/docs/collaboration/CWMS/1_5/Planning_Guide_chapter_01.html

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Any luck with this, how did it turn out?

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Not Yet!

Actually I deployed the internal Webex ova on the internal UCS server already, which is in use right now.

Now, I want to deploy the IRP on the DMZ UCS server. But when I use the vCenter to deploy the ova and select the "50 Internet Reverse Proxy", I entered the public FQDN and public IP address, etc. After that the IRP can come up normally, it showed "Wait the internal Admin Webex" <-- This is the problem ~ Where can I set the DMZ private IP to the IRP? Have two virtual network ports.

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Hi

Have you configured the admin server to detect the proxy so that it can be joined to the webex network?

Please note that all virtual IP addresses are configured on the Admin VM and not the proxy.

First of all, watch this YouTube clip from 15 min to about 20 min. Between this time frame, you will see how the proxy is connected to the Admin VM and how the virtual IP address is configured.

http://youtu.be/BlEtbiNQyTI

After watching this, please note the following.

First of all consider this scenario.

1) You have two internal CWMS admin servers.

2) You have two external CWMS proxy servers.

3) If you watch the video above, you will notice that the private address that you configure has to belong to the same subnet as the two internal CWMS admin servers.

4) You will also notice that the external (public) virtual IP address has to belong to the same subnet as the two reverse proxy servers' public addresses.

5) The two internal admin servers listen for any ARP request for the internal virtual IP address and respond to it. You can see this as a kind of HSRP. The private virtual IP address is shared by the two internal Admin/web servers. This is how high availability is achieved.

6) The two external proxy servers will automatically know to respond to any request coming to the public virtual IP address. This is the reason why the IP addresses of the proxy servers need to be on the same VLAN as the public virtual IP address, so that the proxies can respond to any ARP request coming to the public virtual IP address. The servers monitor each other and if they spot that the other has gone down, it will start responding to the request coming to the public virtual IP.

7) You should make sure that you have configured routing and switching to allow the proxy and internal servers to communicate with each other. Make sure no firewall is blocking their communication. You will also find the ports that are used by the servers in the CWMS Planning Guide in case you really want to lock the firewall down.

8) All the CWMS servers should have access to the configured DNS server and that DNS server should be able to resolve the names of the CWMS servers as well as the Admin URL and meeting URL.

That should be all you need. If you encounter any further issues, please let the community know.

Cheers

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Thanks for your reply!

I tried to add the public VIP, but that would show the error as below:

1. If I enter the public IP, then the public VIP should not be in the same subnet as the IRP VM.

2. If I enter the DMZ private IP, then can pass, but where can I enter the real public IP? NAT firewall?

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Chi Fai Leung wrote:

Thanks for your reply!

I tried to add the public VIP, but that would show the error as below:

1. If I enter the public IP, then the public VIP should not be in the same subnet as the IRP VM.

2. If I enter the DMZ private IP, then can pass, but where can I enter the real public IP? NAT firewall?

The answer to your question is already in this post but maybe I am not understanding you correctly. You do not have to place one ethernet port in one vlan and the other in another vlan. Just place all of them in one vlan/subnet including the public virtual IP. Even if the IRP has a private physical IP address, you can even set your public virtual IP address to an internal IP. On the outside of your firewall, you can configure a NAT rule that translates your external IP to the internal IP. This will still work but I think that's way too much NATing.

Can I please request that you share the IP configuration page of the IRP? You can view the IP settings of the IRP VM machine by using the vCenter to view the properties.

Share this info with us and you should be fine. 

::::::::::::::::::::::::::::::::::::

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

I think the CWMS IRP will not fit on my network environment, this is complete isolation from the Internet firewall to DMZ network and the CWMS IRP is single arm, so I cannot deploy the CWMS IRP for the outside users in my environment.

CF_CWMS_OneArm.png

New Member

Dear Sir,

Can you tell me how many IP addresses are required for the IRP setup?

My IRP is in the DMZ. At the time of deployment of the OVA I put an IP address 192.168.5.129 (DMZ subnet), then I have another IP address supposed to be for the Public VIP, 192.168.5.134, which is NATed to the real public IP.

Is it correct, or can I use the same 192.168.5.129 as the Public VIP and NAT this to the real public IP?

If I am going to use Public VIP 192.168.5.134, which are the ports required to open from Internal to DMZ?

Toms

 

Cisco Employee

Hi Toms,

You have to have TWO IP Addresses dedicated for IRP VM that will be on the same subnet:

Eth0 - IRP VM's IP address setup during deployment

Eth1 - Public VIP address setup during Public Access configuration

If you decide to assign a real public IP on the firewall, it needs to be NATed to Public VIP.

 

As for port requirements, please check the Planning Guide: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_0100.html#reference_CB65D7FE4B3746DDAF1649884AD777CE

 

I hope this helps.

-Dejan

New Member

Hello, Serenity and colleagues.

Will you be able to grant me access to the video link (http://youtu.be/BlEtbiNQyTI)? As I understand, it is now closed by privacy for me.

Or if someone already has this video - please share it with me.

I am starting the design and need to be able to view this useful video file, which will probably help my understanding. If someone has this - please share.

Thanks in advance .

Cisco Employee

Hi,

I am not sure what exact part of CWMS deployment you need assistance with, but you can find some useful videos here: https://supportforums.cisco.com/community/5726/conferencing#quicktabs-community_activity=3

I hope this will be of help.

-Dejan

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Chi Fai Leung wrote:

Not Yet!

Actually I deployed the internal Webex ova on the internal UCS server already, which is in use right now.

Now, I want to deploy the IRP on the DMZ UCS server. But when I use the vCenter to deploy the ova and select the "50 Internet Reverse Proxy", I entered the public FQDN and public IP address, etc. After that the IRP can come up normally, it showed "Wait the internal Admin Webex" <-- This is the problem ~ Where can I set the DMZ private IP to the IRP? Have two virtual network ports.

Question: Have two virtual network ports.

Answer: Please put the two CWMS virtual ports on the same VLAN. It is meant for ethernet redundancy: when a NIC card fails or a switch port fails.

Cheers

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

I know ...

1. Internal Admin Webex VM had the two networking ... I set the same vlan as the internal vlan already.

2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...

Where can I paste the real public IP?

PS: Not allow the Firewall to make the static NAT

PS: Not allow the public Webex FQDN to represent the private IP address

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Chi Fai Leung wrote:

I know ...

1. Internal Admin Webex VM had the two networking ... I set the same vlan as the internal vlan already.

2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...

Where can I paste the real public IP?

PS: Not allow the Firewall to make the static NAT

PS: Not allow the public Webex FQDN to represent the private IP address

I have replied to your first question with the screenshot above. I am talking about the one that you shared the screenshot in.

Share the screenshot that I requested above and when I get home, I will upload a screenshot from my CWMS.

cheers

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Hi,

I have found this text that I think will be very useful to you.  Please read page 60 onwards.

http://www.cisco.com/en/US/docs/collaboration/CWMS/1_5/Planning_Guide.pdf

Now to answer your questions again.

Question:

“1. If I enter the public IP, then the public VIP should not be in the same subnet as the IRP VM.

2. If I enter the DMZ private IP, then can pass, but where can I enter the real public IP? NAT firewall?

2. IRP Webex VM had the two networking .... I set one is for the DMZ vlan and second is for the internet vlan. <-- that should be set the same DMZ vlan? But the internet vlan is different ...

Answer: If the CWMS allows you to set the virtual IP address as an IP address that belongs to your DMZ subnet, that is perfectly fine. Even if that subnet is not a public IP address.

Question: But the internet vlan is different ...

Answer: That is also perfectly fine because you don’t have to configure the true public virtual IP address on the CWMS. You can actually use an internal IP address. You can just NAT external users to the true virtual public IP address which may actually be a non-public or private IP address.

Here is my advice:

1) Configure any virtual IP address on the internet reverse proxy that CWMS allows you to configure.

2) Forget about trying to configure the ‘true’ public virtual IP address anywhere on the CWMS. It does not matter. Remember that when you configured your internet reverse proxy you were only allowed to give it one IP address? Therefore, what you now need to do is to place both of its network cards or interfaces on the same VLAN so that it can have Ethernet redundancy. The only requirement is that the internet reverse proxy’s IP address is in the same subnet as the virtual public IP address that you configure on CWMS. As soon as you configure the public virtual IP address in the CWMS web page, the reverse proxy will know about it and start pretending to be the virtual IP address.

3) Don’t worry about trying to configure the virtual public IP address on the CWMS because the proxy will learn this IP from the configuration that you entered in step 1.

4) On your main outside firewall, configure the public virtual IP address (truly public IP) and NAT it to the Webex site’s DMZ ‘public’ virtual IP address that is actually the private IP that you configured in step 1.

5) Make sure that your external DNS server maps your webex site to the public virtual IP address that you configured on the firewall.

6) This last step is optional but I would still advise that you configure your internal DNS server to map the webex site to the internal virtual IP address. The IP address that I am talking about here is the IP address that is used for administration. In my lab, my iPhone can actually connect to my webex site without using the reverse proxy vlan local Lan Wireless.

If you still have any further questions please feel free to ask.
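The addressing rules given in the replies above (IRP eth0 and Public VIP as two addresses on one subnet, a firewall NAT when the VIP is private, external DNS on the firewall's address, internal DNS on the Private VIP) can be checked before deployment. This is an added example, not part of the original posts and not a Cisco tool; the field names are hypothetical, and every value except 192.168.5.129 and 192.168.5.134 is constructed.

```python
import ipaddress
from dataclasses import dataclass, field, replace

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class IrpPlan:
    # Hypothetical field names for this example; they are not CWMS settings.
    dmz_subnet: str            # subnet of the IRP VM
    irp_ips: list              # eth0 address of each IRP VM
    public_vip: str            # Public VIP entered on the CWMS admin page
    admin_subnet: str          # subnet of the internal Admin VMs
    admin_ips: list
    private_vip: str
    firewall_public_ip: str = ""                   # real Internet address
    nat_rules: dict = field(default_factory=dict)  # outside IP -> inside IP
    external_dns_ip: str = ""  # answer public DNS gives for the site URL
    internal_dns_ip: str = ""  # answer internal DNS gives (optional)


def check_plan(p):
    """Return a list of findings; an empty list means the plan is consistent."""
    out = []
    dmz = ipaddress.ip_network(p.dmz_subnet)
    inside = ipaddress.ip_network(p.admin_subnet)
    vip = ipaddress.ip_address(p.public_vip)
    # IRP eth0 and Public VIP: two distinct addresses on the same subnet.
    for ip in map(ipaddress.ip_address, p.irp_ips):
        if ip not in dmz:
            out.append(f"IRP address {ip} is not in {dmz}")
        if ip == vip:
            out.append(f"Public VIP {vip} reuses IRP address {ip}")
    if vip not in dmz:
        out.append(f"Public VIP {vip} is not in the IRP subnet {dmz}")
    # Private VIP shares the subnet of the internal Admin servers.
    for ip in map(ipaddress.ip_address, p.admin_ips + [p.private_vip]):
        if ip not in inside:
            out.append(f"Internal address {ip} is not in {inside}")
    # A VIP in private space is reachable only through a firewall translation,
    # and public DNS must then return the firewall's address, not the VIP.
    expected = p.public_vip
    if any(vip in net for net in RFC1918):
        expected = p.firewall_public_ip
        if not expected or p.nat_rules.get(expected) != p.public_vip:
            out.append(f"No NAT from a public address to Public VIP {vip}")
    if p.external_dns_ip != expected:
        out.append(f"External DNS returns {p.external_dns_ip!r}, expected {expected!r}")
    if p.internal_dns_ip and p.internal_dns_ip != p.private_vip:
        out.append(f"Internal DNS returns {p.internal_dns_ip}, not Private VIP")
    return out


# Constructed plan: the two DMZ addresses come from the thread, the rest
# (masks, internal range, 203.0.113.x documentation addresses) are made up.
GOOD = IrpPlan(
    dmz_subnet="192.168.5.0/24", irp_ips=["192.168.5.129"],
    public_vip="192.168.5.134",
    admin_subnet="10.10.10.0/24", admin_ips=["10.10.10.11"],
    private_vip="10.10.10.20",
    firewall_public_ip="203.0.113.10",
    nat_rules={"203.0.113.10": "192.168.5.134"},
    external_dns_ip="203.0.113.10", internal_dns_ip="10.10.10.20")

if __name__ == "__main__":
    print("good plan:", check_plan(GOOD))
    reused = replace(GOOD, public_vip="192.168.5.129")
    print("VIP reuses eth0:", *check_plan(reused), sep="\n  ")
```
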

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

I deployed the Webex using the split-horizon network topology, that means the internal users access the Webex site URL using the private VIP address and the external users (outside the external firewall) access the Webex site URL using the public VIP address.

1. The IRP Not Allow to enter two subnet IP

I had supposed the IRP have two virtual networking ports (One is for the DMZ VLAN; Second is for the Internet VLAN), but the IRP must be entered the same subnet network as the IRP IP addresses.

2. External firewall Not Allow to enter a static NAT

Actually, it could deploy the IRP and communicate with the internal Webex server using the DMZ private IP addresses, but the external firewall should be set a static NAT rule as (the public real IP of IRP) > (the DMZ private IP of IRP). But my environment is not allowed to set a static NAT. Are there any other methods to deploy the IRP without the NAT?

3. Internal DNS Not Allow to enter a public DNS record

I accepted the internal users use the internal Webex FQDN and the external users use the public Webex FQDN, that is the split-horizon network topology, right? How does the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?

Cisco Employee

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

2. External firewall Not Allow to enter a static NAT

Actually, it could deploy the IRP and communicate with the internal Webex server using the DMZ private IP addresses, but the external firewall should be set a static NAT rule as (the public real IP of IRP) > (the DMZ private IP of IRP). But my environment is not allowed to set a static NAT. Are there any other methods to deploy the IRP without the NAT?

Answer: If static NAT is not allowed, you can use port forwarding for ports 80 and 443.

3. Internal DNS Not Allow to enter a public DNS record

I accepted the internal users use the internal Webex FQDN and the external users use the public Webex FQDN, that is the split-horizon network topology, right? How does the meeting template attach two Webex FQDN links (Internal FQDN and external FQDN)?

Answer : Your internal users will be connected to your internal DNS server, hence you have to configure your internal DNS server to reply with Private VIP, so they connect to the internal server. External Users will be querying public DNS server where you have to configure the Public DNS server to reply with public VIP so that they connect via IRP

Regards,

Hari

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Answer: If static NAT is not allowed, you can use port forwarding for ports 80 and 443.

Reply: As the DMZ security, that would not have the layer 3 routing from the Internet to DMZ. I don't understand the role of IRP, that should be one leg for the DMZ and one leg for the Internet.

Answer : Your internal users will be connected to your internal DNS server, hence you have to configure your internal DNS server to reply with Private VIP, so they connect to the internal server. External Users will be querying public DNS server where you have to configure the Public DNS server to reply with public VIP so that they connect via IRP

Reply: How about the meeting template attaching two Webex FQDN links (Internal FQDN and external FQDN)?

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

I still face one question about the language.

1. "Call Me" service: "Welcome to Webex! You will be place into the meeting ...." <-- Why does it play the simple Chinese language first, then play the English language on the "Call me at a new number"? The system is set to the language "English" already, but it still plays the Mandarin, then plays the English. Where can I set English only?

2. The time clock show: When I opened a meeting, the right corner would show the Chinese characters, e.g. "7 Jan" > "一月七日". Why? Where can I set English only?

"Call me at a new number": it will play the simple Chinese language, then play the English language.

Select the "Internal Number Call" and press "9 39224416", that plays the English language only as "Welcome to Webex. You will be place into the meeting ...."

Cisco Employee

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

As the DMZ security, that would not have the layer 3 routing from the Internet to DMZ. I don't understand the role of IRP, that should be one leg for the DMZ and one leg for the Internet.

Answer: Does your DMZ network have an internet routable public IP? If yes, then we don't need a NAT from internet to DMZ. Most deployments will not allow traffic from the Internet to hit the internal network directly, hence, we need IRP in those scenarios.

How about the meeting template attaching two Webex FQDN links (Internal FQDN and external FQDN)?

As I see here, both the internal and external FQDN will have the same host name [Webex URL]. When resolved from internal it will go to private VIP and when resolved from external network it will resolve to public VIP.

For your question related to language, could you please set the language to English in the user profile setting. This should display all text in English. When a user calls a country for which localized audio prompts are available, users will hear dual-mode audio prompts.

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

I see what you mean, but on the internal Webex deployment, the IRP was not added and the internal users are using the internal Webex with internal FQDN right now.

Now, I want to add back the IRP as below:

Next

       Option 2: Then the system request me to input the same subnet of the FQDN detected IP, that should be DMZ subnet.

PS: My internal DNS server is not allowed to add a real public FQDN to represent a private IP address.

I know once I set the real public FQDN, then the proxy will be functional, but I cannot in my stage. I have to redeploy the internal Webex and tick the IRP during the deployment?

For my question related to language, I set the language to English in the user profile setting already. This is displayed all text in English. But when I use the Call Me service and select the Hong Kong location to call, the broadcast audio still plays the Mandarin then English ...

Really thanks for all helps~

New Member

Re: Cisco Webex Meeting Server On-Premise – IRP Issues

Is it possible for me to add a temp. DNS server to add a A-record? The zone of temp. DNS is the public domain as the IRP public FQDN (e.g. xxx.abc.com) to disguise the public domain and the A-record (e.g. webirp.abc.com) will represent to the DMZ ip address as 172.16.201.23, then I can pass the "Add Public Access" part.
