CWMS Deployment

JustForVoice_2
Level 4

Hello,

I’ve a question regarding the CWMS deployment. Is it optional to deploy using Split-Horizon or Non-Split-Horizon? Or do I have to check with the DNS administrator and, based on the setup, select the deployment method?

As per the planning guide of CWMS:

Disadvantages of a Non-Split-Horizon Topology: Complex setup, but not as complex as the split-horizon network topology.

So, can I choose Non-Split-Horizon?


dpetrovi
Cisco Employee

Hi,

Yes, of course. Keep in mind that the use of DNS (split or non-split horizon) is not something you specify during the deployment. You deploy CWMS as long as the DNS server is reachable and can resolve the CWMS hostnames to the appropriate IPs.

Split horizon and non-split horizon refer only to where your WebEx Site URL will resolve for the internal clients: either it will resolve to the Public VIP (which means all your internal users will be going out to the IRP server and then coming back in to the Admin/Media VMs when joining meetings), or it will resolve to the Private VIP (meaning that internal users will go to your Admin VM when joining meetings).

Split horizon is useful when you want to cut the amount of traffic going from inside the network to DMZ and back.

I hope this clarifies this a little bit.

-Dejan

Thank you for your reply, (+5)

But still it is not too clear. You said: is not something you specify during the deployment. And then you mentioned some information about both.

Now are there questions that I should ask our DNS admin to help me to choose?

Hi,

You should definitely consult with your DNS admin to see what your DNS deployment can support. 

All the requirements are listed in the Planning Guide, as there are different kinds of deployments and requirements: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_0100.html

Share these with your DNS admin, and see what is possible to do in your environment.

Let me know if there is anything specific I can elaborate on.

Kind regards,

-Dejan

Hello,

Thank you for sharing the links (+5).

 

The DNS admin at my customer is not qualified, and he could not distinguish between them.

Can I say the following:

  • If the name of my CWMS is: cwms.example.local (for internal users) and IRP is cwms.example.com then it is Non-Split-Horizon.

  • If the name of my CWMS is: cwms.example.com (for internal and external users) then in this case it is Split-Horizon.

Hi,

Actually, it would be the other way around.

Here are some examples for 250/800 user systems:

Admin VM hostname: admin.domain.com 192.168.0.1

Media VM hostname: media.domain.com 192.168.0.2

IRP VM hostname: irp.domain.com 192.168.1.3 (DMZ network)

Admin URL: admindashboard.domain.com

WebEx Site URL: webexsite.domain.com

Private VIP: 192.168.0.5

Public VIP: 192.168.1.10 (must be in the same subnet as IRP IP address)

 

SPLIT HORIZON DNS 

Internal DNS server is configured like this:

admin.domain.com 192.168.0.1

media.domain.com 192.168.0.2

irp.domain.com 192.168.1.3 

admindashboard.domain.com 192.168.0.5 (Private VIP)

webexsite.domain.com 192.168.0.5 (Private VIP)

 

DMZ DNS server (if your IRP server can't reach internal DNS through the DMZ firewall)

admin.domain.com 192.168.0.1

media.domain.com 192.168.0.2

irp.domain.com 192.168.1.3 

admindashboard.domain.com 192.168.0.5 (Private VIP)

webexsite.domain.com 192.168.1.10 (Public VIP)

 

External DNS server (on the internet) is configured like this:

webexsite.domain.com 192.168.1.10 (Public VIP)

 

NON-SPLIT HORIZON DNS

Internal DNS server is configured like this:

admin.domain.com 192.168.0.1

media.domain.com 192.168.0.2

irp.domain.com 192.168.1.3 

admindashboard.domain.com 192.168.0.5 (Private VIP)

webexsite.domain.com 192.168.1.10 (Public VIP) - this is the only difference

 

DMZ DNS server (if your IRP server can't reach internal DNS through the DMZ firewall)

admin.domain.com 192.168.0.1

media.domain.com 192.168.0.2

irp.domain.com 192.168.1.3 

admindashboard.domain.com 192.168.0.5 (Private VIP)

webexsite.domain.com 192.168.1.10 (Public VIP)

 

External DNS server (on the internet) is configured like this:

webexsite.domain.com 192.168.1.10 (Public VIP)

 

I hope this helps.

-Dejan
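The record sets in the post above can be checked mechanically. This is an added example, not part of the original post or any Cisco tool: it classifies a pair of DNS views as split or non-split horizon and audits them against the layout described. The hostnames and IPs are copied from the post; the function names and the /24 prefix used for the "same subnet as IRP" check are assumptions.

```python
import ipaddress

# Constructed views, copied from the records listed in the post.
COMMON = {"admin.domain.com": "192.168.0.1", "media.domain.com": "192.168.0.2",
          "irp.domain.com": "192.168.1.3", "admindashboard.domain.com": "192.168.0.5"}
PRIVATE_VIP, PUBLIC_VIP = "192.168.0.5", "192.168.1.10"
SITE = "webexsite.domain.com"
EXTERNAL = {SITE: PUBLIC_VIP}
DMZ = {**COMMON, SITE: PUBLIC_VIP}
INTERNAL_SPLIT = {**COMMON, SITE: PRIVATE_VIP}
INTERNAL_NON_SPLIT = {**COMMON, SITE: PUBLIC_VIP}


def classify(internal, external, site=SITE):
    """Return 'split-horizon', 'non-split-horizon' or 'invalid' for two views."""
    if external.get(site) != PUBLIC_VIP:
        return "invalid"  # external users must reach the Public VIP
    if internal.get(site) == PRIVATE_VIP:
        return "split-horizon"
    if internal.get(site) == PUBLIC_VIP:
        return "non-split-horizon"
    return "invalid"


def audit(internal, dmz, external, site=SITE, irp="irp.domain.com", prefix=24):
    """Return a list of findings; an empty list means the views match the post."""
    findings = []
    if classify(internal, external, site) == "invalid":
        findings.append("site URL does not resolve to the expected VIP")
    # In the post, the external DNS server carries only the WebEx Site URL.
    for name in sorted(set(external) - {site}):
        findings.append(f"external DNS publishes internal name {name}")
    # The DMZ view maps the site URL to the Public VIP in both topologies.
    if dmz.get(site) != PUBLIC_VIP:
        findings.append("DMZ view does not map site URL to the Public VIP")
    # Public VIP must be in the IRP's subnet (prefix length is an assumption).
    net = ipaddress.ip_network(f"{internal[irp]}/{prefix}", strict=False)
    if ipaddress.ip_address(PUBLIC_VIP) not in net:
        findings.append("Public VIP is outside the IRP subnet")
    return findings


if __name__ == "__main__":
    print(classify(INTERNAL_SPLIT, EXTERNAL), audit(INTERNAL_SPLIT, DMZ, EXTERNAL))
    print(classify(INTERNAL_NON_SPLIT, EXTERNAL), audit(INTERNAL_NON_SPLIT, DMZ, EXTERNAL))
```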

 

Thank you very much for your previous post; it helps me and it deserves more than 5.

So, split horizon and non-split horizon are exactly the same except for the record of the WebEx site in the internal DNS server.

So is there any limitation in the DNS design that could prevent the admin from configuring one of these scenarios? So it is a must to use one of them.

If you use SPLIT HORIZON, if an internal end user accesses the WebEx Site, it will be redirected to the Private VIP and admin VM, and admin VM hostname will be exposed in the web browser's address bar. 

Some network admins don't want that, so they direct all internal users to Public VIP and use NON-SPLIT HORIZON. However, this approach generates a lot more traffic through the DMZ firewall as all internal users are going out to DMZ to IRP and then being tunneled back into the internal network. 

Hence, if you don't care about exposing admin VM hostname to internal end users, you can decrease the traffic to the DMZ by using SPLIT HORIZON. If you want simple configuration and don't care about the traffic to the DMZ, then use NON-SPLIT HORIZON approach.

Most common approach I've seen customers use is SPLIT HORIZON.

-Dejan

Thank you very much.

I will discuss this with my customer and select one.

Again, thank you very much.