
CWMS non-split horizon dns question - how to use dmz ip and not public

The public vip should be in the same subnet as the Internet Reverse Proxy vm

The public vip address should be visible from the internet

Problem is the meeting.cwms.com has to resolve to the public ip address since there is non-split horizon dns. 

So no way to have CWMS see the dmz ip and not the public. 

Is there a way to deploy with DMZ ip addresses on the public vip and irp machines and NAT to public ip addressing?

Surely there must! See below for my networking plans:

admin machine (internal)

admin.cwms.local

host ip - 192.168.1.63

private vip - 192.168.1.64 (meetingadmin.cwms.com)

 

irp machine (dmz)

irp.cwms.local

host ip - 172.16.1.1

public vip - 172.16.1.2 <-nat-> 24.1.1.2 (meeting.cwms.com)

 

media machine (internal)

media.cwms.local

host ip - 192.168.1.62


dpetrovi
Cisco Employee

  • When deploying public access, the WebEx site URL must be mapped to an Internet-visible IP address. This Internet-visible IP address must be accessible by external users and also map to the public VIP address you configure during the system deployment.

the webex site url (meeting.cwms.com) resolves to a public ip

there's a validation step where you input this url and it must match the public vip address.

how then if your public vip address is an internal ip will it ever get past this step ???

Hi Jeff,

This is the validation that happens when you are configuring Public Access on CWMS (Adding IRP to the deployment).

CWMS will be referencing internal DNS server where you will configure WebEx Site URL to resolve to the Public VIP address in your DMZ network. All your internal machines will be connecting to Public VIP address directly.

Hence, your internal DNS will be able to validate that WebEx Site URL is resolving to the Public VIP you configured during Adding Public Access step. 

As for external participants, those are easy. Your external DNS (on the internet), will resolve WebEx Site URL to public IP address configured on the firewall, and you will then NAT that public IP address to the Public VIP address in the DMZ.

I hope this clarifies it a little bit more, but do let me know of any additional questions you might have.

-Dejan
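
The layout described in the reply above, modeled as an added example (not code from the thread or from Cisco): a Python check that a deployment plan's DNS answers and static NAT agree with the public VIP. `check_plan` and its dictionaries are hypothetical names; the addresses are the ones from the original post, and the validation rule is modeled only as the thread describes it.

```python
"""Check a CWMS public-access plan: DNS views + static NAT vs. the public VIP."""
import ipaddress

def check_plan(site_url, public_vip, internal_dns, external_dns, static_nat):
    """Return a list of problems; an empty list means the plan is consistent.

    internal_dns / external_dns: {hostname: ip} as answered to inside / Internet clients.
    static_nat: {internet_visible_ip: dmz_ip} one-to-one firewall translations.
    """
    problems = []
    vip = ipaddress.ip_address(public_vip)

    # 1. Validation as described in the thread: the resolver CWMS uses
    #    must return the public VIP for the site URL.
    inside = internal_dns.get(site_url)
    if inside is None or ipaddress.ip_address(inside) != vip:
        problems.append(f"internal DNS answers {inside} for {site_url}, not public VIP {vip}")

    # 2. Internet clients must get an address they can route to.
    outside = external_dns.get(site_url)
    if outside is None:
        problems.append(f"external DNS has no record for {site_url}")
        return problems
    outside_ip = ipaddress.ip_address(outside)
    if outside_ip.is_private:
        problems.append(f"external DNS answers private address {outside_ip}")

    # 3. That address must reach the VIP, either directly or through the NAT.
    reached = static_nat.get(outside, outside)
    if ipaddress.ip_address(reached) != vip:
        problems.append(f"{outside_ip} lands on {reached}, not public VIP {vip}")
    return problems

# Constructed inputs using the addresses from the thread.
SITE, VIP = "meeting.cwms.com", "172.16.1.2"
NAT = {"24.1.1.2": "172.16.1.2"}

# Two DNS views, as described in the reply above.
split = check_plan(SITE, VIP, {SITE: "172.16.1.2"}, {SITE: "24.1.1.2"}, NAT)
# One zone answering 24.1.1.2 to everyone (the original poster's situation).
single = check_plan(SITE, VIP, {SITE: "24.1.1.2"}, {SITE: "24.1.1.2"}, NAT)

if __name__ == "__main__":
    print("split-horizon:", split or "OK")
    print("single zone:  ", single or "OK")
```

With a single zone the NAT path for Internet clients is still consistent; the only finding is the internal answer not matching the public VIP.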

If I could resolve the meeting url differently internal than external I wouldn't have this problem. Thus why I titled this "non split horizon dns"

meeting.cwms.com will resolve to the public ip address internal AND external - there is only one dns zone!

so again, how can I NAT with this configuration?