
CWMS IRP implementation

Currently we have a 50-user CWMS Admin server working fine. The IRP server will be new, will be placed in the DMZ network, and will use Split-Horizon network topology.

I have a few queries on this, because WebEx is new to me.

1. While deploying I can see two VM network options. What is the requirement for two VM networks in the same IRP system (both the Public VIP and IRP Internal IP should be in the same VLAN and network segment)? So do I need to have two cables connected from the switch to the IRP server (a C220 M3) and create two separate VM networks, one for each connection?

2. Can I use dynamic NAT? Is a static public IP mandatory?

3. Which DNS server should I use in the IRP VM (Internal DNS, DMZ DNS or Public DNS)? Is there any relation between this DNS and Public URL on

4. Other than NATing, is there any other configuration from the network side?

 

Can you please help me with this?

Cisco Employee

Hi Nishad,

 

Let me try to answer your questions below:

1. While deploying I can see two VM network option. What is the requirement of two VM network in the same IRP system (Both the Public VIP and IRP Internal IP should be in the same VLAN and network segment) So do I need to have two cables connected from the switch to IRP server (in C220 M3) and Create two separate VM networks for Both each connections?

You can have a single physical adapter connected to the switchport and run both virtual adapters on the same physical adapter.

For each source network, select a destination network from the drop-down list in the Destination Networks column. Select Next.

Note: Both the VM Network and the VIP Network must be mapped to the same value in the Destination Network column. You can ignore the warning message about multiple source networks mapped to the same host network.

2. Can I use dynamic NAT? Static public IP is mandatory?

Static public IP is mandatory. On your firewall you can assign a public IP that will be resolvable in the DNS on the Internet for WebEx Site URL, and then on your firewall you can configure NAT-ing of that public IP to the Public VIP IP configured on the IRP server.

3. Which DNS server I should use in IRP VM (Internal DNS, DMZ DNS or Public DNS)? Is there any relation between this DNS and Public URL on

In Split horizon DNS, Internal VMs and Private VIP address will be configured in internal DNS server so that WebEx Site URL will be routed to Private VIP internally. IRP VM should use a DNS server in the DMZ that will route WebEx Site URL to Public VIP configured on the IRP. While DNS in the internet will be configured to route WebEx Site URL to the public IP address you configured on your firewall and NATed to the Public VIP.

4. Other than NATing is there any other configuration from network side

Not really. Just make sure that the IPs configured on the IRP VM (eth0 and eth1) are on the same subnet.

 

I hope this clarified things for you a little bit more. Feel free to ask any additional questions, but also reference the Planning Guide and Administration Guide for more details about all the requirements.

 

Kind regards,

-Dejan

 


Dear Dejan,

 

Thanks for your wonderful response.

I need a few clarifications on the DNS for the IRP VM.

We don't have DNS in the DMZ, and we cannot use the Internal DNS either, so we need to use Public DNS (company.com).

All the communication will be NATed from Public to DMZ.

Our DNS is sitting in Public.

We have Eth0 and Eth1 in the IRP server:

Eth0 == FQDN (Webex-irp.company.com)

Eth1 == Public Webex URL (meetings.company.com)

Can I achieve this by using only one public IP?

Can I bypass the DNS FQDN requirement for the Webex IRP server?

 

 


Hi Nishad,

 

You can't use Public DNS unless all your internal VMs are publicly resolvable and you NAT all the CWMS internal VMs IPs as well. 

If you really want split-DNS configuration, you will need to have the following:

1. Internal DNS that has entries for all the VMs FQDNs for Eth0 (Admin, Media, IRP), as well as Admin URL and WebEx Site URL that will resolve to Private VIP (Eth 1 on Admin VM)

2. DMZ DNS that has entries for all the VMs FQDNs for Eth0 (Admin, Media, IRP), as well as WebEx Site URL that will resolve to Public VIP (Eth 1 on IRP VM)

3. Public DNS that has an entry only for WebEx Site URL and resolves it to the IP address configured on the Firewall that is then NATed to Public VIP (Eth 1 on IRP VM)

 

The only other option is to not have split horizon DNS and point IRP VM to use internal DNS and that WebEx Site URL on the internal DNS is pointing to Public VIP (eth1 on IRP VM).

 

-Dejan
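
The three DNS views, the NAT rule and the same-subnet requirement described in the replies above can be checked against a planned record set before deployment. The following is an added example, not part of the original posts and not Cisco tooling; the plan layout, every hostname and every address are constructed placeholders.

```python
import ipaddress

def check_plan(p):
    """Return findings for a split-horizon plan; an empty list means it matches the rules."""
    out = []
    views, site = p["views"], p["site_host"]
    net = ipaddress.ip_network(p["irp_subnet"])
    irp_eth0 = ipaddress.ip_address(p["vm_fqdns"][p["irp_fqdn"]])
    # IRP eth0 and the Public VIP (eth1) must sit in the same subnet.
    if irp_eth0 not in net or ipaddress.ip_address(p["public_vip"]) not in net:
        out.append("IRP eth0 and Public VIP are not in the same subnet")
    # Internal view: site URL and admin URL resolve to the Private VIP.
    for host in (site, p["admin_host"]):
        if views["internal"].get(host) != p["private_vip"]:
            out.append(f"internal: {host} does not resolve to Private VIP")
    # DMZ view (the one the IRP VM queries): site URL resolves to the Public VIP.
    if views["dmz"].get(site) != p["public_vip"]:
        out.append("dmz: site URL does not resolve to Public VIP")
    # Internal and DMZ views both carry every VM's eth0 FQDN.
    for view in ("internal", "dmz"):
        for fqdn, ip in p["vm_fqdns"].items():
            if views[view].get(fqdn) != ip:
                out.append(f"{view}: missing or wrong record for {fqdn}")
    # Public view: only the site URL, pointing at a firewall IP NATed to the Public VIP.
    extra = sorted(set(views["public"]) - {site})
    if extra:
        out.append(f"public: unexpected records exposed: {extra}")
    if p["nat"].get(views["public"].get(site)) != p["public_vip"]:
        out.append("public: site URL is not a firewall IP NATed to Public VIP")
    return out

def sample_plan():
    """Constructed example data; every name and address is a placeholder."""
    vms = {"admin-vm.example.com": "10.10.1.10", "media-vm.example.com": "10.10.1.11",
           "irp-vm.example.com": "172.16.5.10"}
    site, admin = "meetings.example.com", "webex-admin.example.com"
    return {
        "site_host": site, "admin_host": admin, "vm_fqdns": vms,
        "irp_fqdn": "irp-vm.example.com", "irp_subnet": "172.16.5.0/24",
        "private_vip": "10.10.1.20", "public_vip": "172.16.5.20",
        "nat": {"203.0.113.10": "172.16.5.20"},  # static NAT on the firewall
        "views": {
            "internal": {**vms, site: "10.10.1.20", admin: "10.10.1.20"},
            "dmz": {**vms, site: "172.16.5.20"},
            "public": {site: "203.0.113.10"},
        },
    }

if __name__ == "__main__":
    print(check_plan(sample_plan()) or "plan matches")
```

Pointing the `dmz` view at the same records as `internal` models a deployment with no separate DMZ DNS; the check then reports that the site URL does not resolve to the Public VIP.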

 

 


Dear Dejan,

 

Appreciate your support.

 

  • We don't have a separate DNS in the DMZ, and no end user will be accessing the WebEx URL from the DMZ
  • We will use our internal DNS for the IRP, which already has entries for:

Admin FQDN, Admin URL, Webex URL for internal [webexinternal.comany.com] and the new IRP FQDN.

  • In Public DNS we have an entry for the Webex URL (meeting.company.com) pointing to the Public VIP of the IRP VM

Can you please verify this?

 


Hi Nishad,

 

As for internal DNS setting, it is not per documentation, but might be sufficient. I don't think IRP server will need to resolve WebEx Site URL to Public VIP to make Eth1 interface up and functional. You can test this for sure.

As for Public DNS, if you plan to use some public IP address on the firewall and then NAT it to Public VIP (eth1 on IRP), then your Public DNS should resolve WebEx Site URL to that public IP on the firewall and not Public VIP. If you didn't have NAT and your Eth0 and Eth1 on IRP VM were using public IP addresses, then Public DNS should be configured to resolve WebEx Site URL to Public VIP.

 

I hope this clarifies it further.

-Dejan


Dear Dejan,

 

We are trying to add Public access in CWMS. It detects the IRP server, and in the IRP server it shows connected.

But on the CWMS server, when I give the Public VIP, it shows processing for 10 min and after that gives the error "error.dmz.-1".


Hi Nishad,

That is the problem because in your Internal DNS your WebEx Site URL resolves to Private VIP and not Public VIP, so IRP VM cannot resolve this and bring the Eth1 up.

That is the reason why you would need DNS in DMZ for a real Split-horizon setup.

You can try to temporarily change your Internal DNS server to resolve WebEx Site URL to Public VIP address, and add Public Access then.

 

Once it is added, you can try reverting the DNS change and see if it will work. This hasn't been tested and is not officially supported, but at this time, you can try doing it to see if it will work.

 

-Dejan

 


Dear Dejan,

 

I cannot do the DNS change now; I will try the next day. I believe the Private VIP will become invalid at that time.

Question:

* If I change the IRP server DNS to my Public DNS, the CWMS DNS is internal and the IRP DNS will be Public.

When I add Public access I should give the FQDN of the IRP server.

How will my internal DNS resolve the FQDN from the outside DNS and get it connected? The internal DNS and outside DNS are entirely different.

Please help. I don't know whether this question is valid or not.

 

 


Hi Nishad,

 

First, your Private VIP will still be valid as the Admin URL will still be resolving to Private VIP. However, your internal users will be connecting to the IRP VM when they are accessing WebEx Site URL.

 

If you plan to configure your IRP VM to use a public DNS, you will have to have all your CWMS VMs FQDNs as well as WebEx Site URL defined in that Public DNS and point back to the public IPs that would then need to be NATed to the network. This is not a good solution and can provide unnecessary exposure of your CWMS solution to the internet.

 

Since you don't have IRP VM in the DNS, I strongly suggest that you don't go with the split-DNS solution and just use your Internal DNS (IRP VM will have to be granted access) and resolve WebEx Site URL to Public VIP address, and since you will have NAT, have the Public DNS resolve WebEx Site URL to public IP that will then be NATed to Public VIP.

 

-Dejan


That was a good suggestion.

 

I can see there is only one single WebEx Site URL we will be having for attending WebEx meetings, both from internal and outside. I am not able to see the option to give a different WebEx Site URL for IRP.

"That is the problem because in your Internal DNS your WebEx Site URL resolves to Private VIP and not Public VIP, so IRP VM cannot resolve this and bring the Eth1 up".

How will the IRP VM resolve the URL which is launched in a different domain, and how will Eth1 come up?

internalDNS.com: InternalVM

PublicDNS.com: IRPvm

WebEx Site URL: https://meetings.internalDNS.com

Now how will the PublicDNS resolve "https://meetings.internalDNS.com" and bring the Public VIP up on the server?

Is it possible?

 

InternalDNS and P


Hi, I am now implementing WebEx + IRP (DMZ) on non-split-horizon, but I am not able to see the login page for the meeting.

I only need NAT for the Public VIP address, right? Or do I need NAT for the IRP IP address?

 

Thanks


Hi Juan,

If you are NATing public IP address on your Firewall to CWMS, you should NAT it to Public VIP address. There is no need to NAT anything to Eth0 of the IRP VM.

Kind regards,

-Dejan


Hi there, 

 

I have the same question. 

We want to deploy a non-split-horizon DNS CWMS and we have different domains in our internal and external DNS.

Internal DNS domain is: tata.local

External is tata.com

Tata.com is not resolvable from internal DNS. So which WebEx URL should we use? Meeting.tata.com is not resolvable from internal DNS.

 

Regards