07-16-2015 08:31 AM - edited 03-17-2019 05:21 PM
Can I provide WebEx Meeting Server service without IRP? If the answer is no, why?
Why can I not just expose WebEx user interface to internet through the firewall?
07-16-2015 08:39 AM
Hi George,
By exposing your internal VMs directly to the internet, you would have to disclose your VMs' hostnames, in addition to the WebEx Site URL. Your Admin URL would be accessible from the internet, so anyone who figures out your password can access the Admin interface and compromise your system. Additionally, options to allow use of mobile devices would be disabled if no Public Access is added to the system. The list goes on, so we strongly advise having an IRP if you plan to have external access and mobile access to the system.
-Dejan
07-16-2015 10:44 AM
You are saying the mobile devices would not be enabled? I do have an internal WebEx build with no IRP and mobile devices are enabled. Is there a technical explanation for the need for IRP? Would WebEx function if the admin and media servers were exposed to the internet with NAT?
I need to determine my final topology for the sake of project documentation and process.
07-16-2015 10:50 AM
Hi George,
If you do that, you would have to open many ports from the internet to your system, which would cause many security issues. The deployment might work, but this hasn't been tested at all and is not officially supported (in the Planning Guide, having the Admin and Media VMs exposed to the internet is not part of any supported topology for the product).
It wouldn't be possible to raise any issues with access to a system deployed in such a manner with TAC/BU.
-Dejan
07-16-2015 09:54 AM
I expect the answer to be that internal clients interact with both the administrator and media servers. External clients have one tie point with the IRP which is the proxy for administrator and media servers. Please advise.
07-16-2015 10:45 AM
Hi George,
It all depends on the DNS configuration (split DNS or non-split DNS). In a split DNS setup, your WebEx Site URL on internal DNS servers resolves to the Private VIP address, which is hosted on the Admin VM, and joining meetings will go through the Private VIP and later on connect to the Media VM directly. These connections happen on a variety of ports (listed in the documentation).
However, if you point your internal DNS to resolve the WebEx Site URL to the Public VIP (which is hosted on the IRP VM), then all the users will connect to the IRP VM and will be tunneled to the Media VM via the IRP server. These connections are established via 443 only (and 8444 for streaming recordings).
You can verify different deployment options in the Planning Guide:
I hope this explains it a little bit better.
Let me know of any additional questions you might have.
-Dejan
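The following is an added example, not part of the original posts or of Cisco's documentation: a small audit of internet-facing firewall rules against the topology described in the reply above, where internet clients may reach only the Public VIP on the IRP VM, on 443 and 8444. The addresses, rule names and the rule format are constructed for illustration, and destinations are assumed to be the post-NAT addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: none of these values come from the thread.
PUBLIC_VIP = ip_address("203.0.113.10")    # Public VIP, hosted on the IRP VM
INTERNAL_NET = ip_network("10.10.0.0/24")  # Admin VM, Media VM, Private VIP
IRP_PORTS = {443, 8444}                    # ports named in the reply above

# Constructed inbound rules on the internet-facing firewall:
# (rule name, post-NAT destination, first port, last port)
RULES = [
    ("web-to-irp", "203.0.113.10", 443, 443),
    ("recordings-to-irp", "203.0.113.10", 8444, 8444),
    ("nat-to-admin", "10.10.0.20", 443, 443),
    ("nat-to-media", "10.10.0.30", 1024, 65535),
    ("irp-wide-open", "203.0.113.10", 1, 65535),
]


def audit(rules):
    """Return (rule name, reason) for each rule outside the IRP topology."""
    findings = []
    for name, dst, lo, hi in rules:
        addr = ip_address(dst)
        if addr in INTERNAL_NET:
            # Admin or Media VM reachable from the internet, e.g. through NAT.
            findings.append((name, "internal VM exposed to the internet"))
        elif addr == PUBLIC_VIP:
            # Every port in the range must be one of the IRP ports.
            allowed = sum(1 for p in IRP_PORTS if lo <= p <= hi)
            if allowed != hi - lo + 1:
                findings.append((name, "IRP reachable on ports other than 443/8444"))
        else:
            findings.append((name, "destination is not part of the deployment"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{rule}: {reason}")
```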
07-16-2015 10:50 AM
Ok. The simple answer is that internal clients interact with all involved internal servers for internal service. I have observed this on sniffer traces.
The IRP provides a single tie point proxy for internet clients to reach internal admin and media services.
Thanks Dejan