Can I provide WebEx Meeting Server service without IRP?

George Paxson
Level 1

Can I provide WebEx Meeting Server service without IRP? If the answer is no, why?

Why can I not just expose WebEx user interface to internet through the firewall?

dpetrovi
Cisco Employee

Hi George,

By exposing your internal VMs directly to the internet, you would have to disclose your VMs' hostnames, in addition to the WebEx Site URL. Your Admin URL would be accessible from the internet, so anyone who figures out your password can access the Admin interface and compromise your system. Additionally, options to allow use of mobile devices would be disabled if no Public Access is added to the system. The list goes on, so we strongly advise having an IRP if you plan to have external access and mobile access to the system.

-Dejan

You are saying the mobile devices would not be enabled?  I do have an internal WebEx build with no IRP and mobile devices are enabled.  Is there a technical explanation for the need for IRP?  Would WebEx function if the admin and media servers were exposed to the internet with NAT?

I need to determine my final topology for the sake of project documentation and process.

Hi George,

If you do that, you would have to open many ports from the internet to your system, which would cause many security issues. The deployment might work, but this hasn't been tested at all and is not officially supported (in the Planning Guide, having the Admin and Media VMs exposed to the internet is not part of any supported topology for the product).

Any issues with the access to the system deployed in such a manner wouldn't be possible to raise with TAC/BU.

-Dejan

George Paxson
Level 1

I expect the answer to be that internal clients interact with both the administrator and media servers.  External clients have one tie point with the IRP which is the proxy for administrator and media servers.  Please advise.

Hi George,

It all depends on the DNS configuration (split DNS or non-split DNS). In a split DNS setup, your WebEx Site URL on internal DNS servers resolves to the Private VIP address, which is hosted on the Admin VM, and joining meetings will go through the Private VIP and later on connect to the Media VM directly. These connections happen on a variety of ports (listed in the documentation).

However, if you point your internal DNS to resolve the WebEx Site URL to the Public VIP (which is hosted on the IRP VM), then all the users will connect to the IRP VM and will be tunneled to the Media VM via the IRP server. These connections are established via 443 only (and 8444 for streaming recordings).

You can verify different deployment options in the Planning Guide:

http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_010.html

http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_0100.html

I hope this explains it a little bit better.

Let me know of any additional questions you might have.

-Dejan
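
As an added illustration of the answer above (not part of the thread and not Cisco tooling): a small audit that checks internet-inbound firewall rules against the exposure described, where only the Public VIP on the IRP VM is reachable from outside, on 443 and 8444. The rule syntax, addresses and host inventory are constructed assumptions.

```python
import re

# Constructed inventory (documentation/private addresses, not from the thread).
PUBLIC_VIP = "203.0.113.10"          # hosted on the IRP VM
ROLES = {
    PUBLIC_VIP: "Public VIP (IRP VM)",
    "10.10.1.20": "Private VIP (Admin VM)",
    "10.10.1.30": "Media VM",
}
ALLOWED_PORTS = {443, 8444}          # 443, plus 8444 for streaming recordings

# Constructed internet-inbound rules in a simplified ACL-like syntax.
SAMPLE_RULES = """\
permit tcp any host 203.0.113.10 eq 443
permit tcp any host 203.0.113.10 eq 8444
permit tcp any host 203.0.113.10 eq 22
permit tcp any host 10.10.1.20 eq 443
permit tcp any host 10.10.1.30 range 9000 9010
deny ip any any
"""

RULE_RE = re.compile(
    r"^permit\s+tcp\s+any\s+host\s+(?P<dst>\S+)\s+"
    r"(?:eq\s+(?P<port>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))$"
)

def audit(rules_text):
    """Return (line_no, rule, reason) for permits beyond the IRP-only exposure."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("permit"):
            continue  # deny and blank lines expose nothing
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, line, "unparsed permit, review manually"))
            continue
        ports = ({int(m["port"])} if m["port"]
                 else set(range(int(m["lo"]), int(m["hi"]) + 1)))
        if m["dst"] != PUBLIC_VIP:
            role = ROLES.get(m["dst"], "unknown host")
            findings.append((n, line, f"internet reaches {role} directly"))
        elif ports - ALLOWED_PORTS:
            findings.append((n, line, f"extra ports on Public VIP: {sorted(ports - ALLOWED_PORTS)}"))
    return findings

if __name__ == "__main__":
    for n, rule, reason in audit(SAMPLE_RULES):
        print(f"line {n}: {rule} -> {reason}")
```
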

Ok. The simple answer is that internal clients interact with all involved internal servers for internal service. I have observed this on sniffer traces.

The IRP provides a single tie point proxy for internet clients to reach internal admin and media services.

Thanks Dejan