CUMP 8.5 - Meeting Director Network Security

Michael Mertens (Level 1)

We're in the design stage of a CUMP 8.5 with WebEx on-prem Type II (WebEx scheduling) deployment. WebEx node is obviously going into the DMZ. However, there are two camps about where to place the Meeting Director: 1) also in the DMZ, and 2) on the inside. There will be an active/standby MD in two different data centers. Since we proxy all connections to the outside, Meeting Director, if placed in the internal network, will have its TSP connection proxied via SOCKS. I'm attempting to assess the security mechanisms in place for Meeting Director and am hoping to get some help.

It appears to me that we'll generate a self-signed cert on the MeetingPlace Meeting Director server and upload it to our WebEx Admin site, for authentication of the MD's TSP connection request to the WebEx cloud, correct? Also, since this is SSL/TLS, not only is the connection authenticated, but all packets are authenticated and encrypted (looks like 128-bit encryption by default), correct?

Can anyone validate my statements or elaborate further on Meeting Director's security mechanisms in place?

Thanks for any/all input.

Mike.

Accepted Solution

Derek Johnson (Cisco Employee)

Hi Mike,

As this affects some of my answers, I need to first understand the deployment of the WebEx node. As this product is currently End of Sale since last year, is this hardware/software already in place and just not configured, or has it not been ordered yet? I think if this software has not already been delivered and licensed it may not be possible to include this in any design plans. For reference, the EoL announcement:

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6789/ps5664/ps10728/end_of_life_notice_c51-704258_ps5669_Products_End-of-Life_Notice.html

Note that the MBDs in different data centers will be in Active/Active failover, where both systems will be load balancing conferences and have active TSP connections to each other and the WebEx cloud. If placed on the internal network, TSP connections can be SOCKS proxied to the cloud, but connections to the WebEx node and other connections (such as to the WebEx site for initial config) must be direct.

A self-signed cert is only manually generated on MP and uploaded to the WebEx cloud in the case of MP owned user profiles (MP Single Sign On), where this is used to authenticate the SSO redirect requests between MP and the WebEx cloud when users need to log in.

Otherwise, a self-signed cert is automatically generated and used for authentication of the TSP connection (SHA1 with RSA encryption, 1024-bit RSA key size). As you found, this occurs inside of the 2048-bit SSL connection to the TSP load balancers (64.68.120.146 and 173.243.0.132). Let me know if I can provide any more details about this or if you have any follow-up questions.

Thanks,

Derek Johnson
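A quick way to check the certificate parameters Derek describes (signature hash and RSA key size) against your own policy, as an added shell example that is not part of the thread or of Cisco's product documentation. It assumes the openssl CLI is installed, and it generates a throwaway self-signed cert locally so it runs offline; in real use you would point cert_params at the cert exported from the Meeting Director or captured from the TSP endpoint.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): read a PEM certificate's
# signature algorithm and RSA key size so they can be compared with what the
# reply describes (SHA1 with RSA, 1024-bit key) and with your own policy.
# Assumes the openssl CLI is installed.

# Print "<signature_algorithm> <key_bits>" for the PEM certificate in $1.
cert_params() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  sig=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  printf '%s %s\n' "$sig" "$bits"
}

# Return 0 when the cert in $1 has no SHA-1 signature and a key of at least
# $2 bits; return 1 otherwise. Policy values are assumptions, not Cisco's.
cert_meets_policy() {
  params=$(cert_params "$1") || return 1
  min=$2
  sig=${params%% *}
  bits=${params##* }
  case "$sig" in
    *sha1*|*SHA1*) return 1 ;;
  esac
  [ "${bits:-0}" -ge "$min" ]
}

# Constructed sample: a throwaway self-signed cert (hypothetical CN) generated
# locally so the script runs offline. Prints the path of the cert file.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=meeting-director.example" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  printf '%s\n' "$dir/cert.pem"
}

# Usage: run the check on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  cert=$(make_sample_cert)
  cert_params "$cert"
  if cert_meets_policy "$cert" 2048; then
    echo "meets policy"
  else
    echo "does NOT meet policy"
  fi
fi
```

Run it with `--demo` to see the sample cert's parameters, or source the file and call `cert_meets_policy /path/to/md-cert.pem 2048` against your own certificate. A 1024-bit key signed with SHA-1, as described in the reply, would fail both checks, which is the point of putting the numbers in a script rather than trusting the defaults.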

4 Replies

WOW! Does EoS/EoL for "WebEx Node for MCS" exclude "WebEx Node for UCS"?? Meaning, we'll initially deploy an MCS-7835-I3 for WebEx Node functionality, but due to MCS going EoS, we're planning to migrate our on-prem WebEx node to a UCS-C220-M3. Perhaps I am reading into the MCS too much? (We currently have MeetingPlace 8.0 with WebEx Node for MCS On-Prem (two nodes for redundancy) and will take one node to use for the initial CUMP 8.5 WebEx On-Prem solution.)

Secondly, thanks for all the cert information. That clarifies it for sure. Whether I have a TAC ticket or simply a forum question, you're always a help. THANKS!

Mike.

Hi Mike,

Even though they are installed on different platforms, the "WebEx node for MCS" refers to the MCS and UCS install of the software. The EoL also includes the part number WBX-NODE-K9= described as WebEx Node Server for MCS/UCS. This means that the End of Sale (and other dates) will apply equally to orders of the software to be deployed on MCS or UCS for either version of 8.x.

The one concern I would have is if you have access to or the ability to order the 8.5 install media for the WebEx Node. As there is no upgrade procedure for the node, every deployment of an 8.5 node is essentially a new install.

It's good to hear that the information was helpful. Let me know if you have any further questions.

Thanks so much for the clarification. We're getting the install media (I believe) although I haven't seen it yet from our European reseller/partner. I'm glad you brought this EoS/EoL up.

Thanks again Derek.

Mike.