600 Views | 5 Helpful | 4 Replies

CWMS virtual machine placement

Chris Deren
Hall of Fame

A 250-port CWMS deployment where the customer is planning to put all virtual machines (Admin, Media and IRP) in a co-lo data center. This data center is configured with only DMZ networks and no internal network. The customer wants to place all VMs on the same DMZ subnet, and the only references I am able to find in the CWMS deployment guide are the following:
 
Under non-split horizon deployment:
Firewall Configuration
For security reasons, we recommend that you place the Internet Reverse Proxy in a subnet that is separate from the internal (Admin or Media) virtual machines.
 
Under all-internal deployment I see the following:
Firewall Configuration
For security reasons, Cisco recommends that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin, Media and Web, if applicable) virtual machines.
Although it is not recommended, we do also support placing all of your virtual machines (Internet Reverse Proxy and internal) on the same subnet. See Port Access When All the Virtual Machines Are in the Internal Network.
 
Would placing all VMs in the DMZ be a supported model, and if so, is there a list of ports that would need to be opened between the Admin/Media nodes and the internal network (CUCM, DNS, SMTP, user machines)?
 
1 Accepted Solution

Accepted Solutions

dpetrovi
Cisco Employee

Hi Chris,

Well, in your case, it looks like the deployment model would be an "all-internal" deployment, with the premise that all the VMs are on the same subnet in the DMZ. You will still have an external firewall that needs to be configured as if the IRP were alone in the DMZ zone, while you will have to add more rules to your internal firewall to account for all the port requirements.

 

Hence, make sure all of the following ports are opened on the internal firewall:

http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_0100.html#reference_125F962B1D20407186B1654C7A3F5873

For the external firewall (again, only a small list of ports like 443, 80, 8444, and 53 to the Public VIP). For the internal firewall, well, all the other ports listed in the above document, pretty much all the way down to the section on NATing. You will have different sections with tables and notes, so make sure all those ports are included, especially the ones from clients to the system.

If you need more details, do let me know.

-Dejan


4 Replies

Thank you Dejan.

Dejan,

Just to circle back on this one, as the customer is finally ready to work on this: I reviewed the section you referenced, and would this be the list of ports that need to be opened between Admin/Media and the internal network?

To/from CUCM - ports 5060, 8443; anything else?

For clients from the internal network - 22, 443, 65002, 65102, 80, 10200, UDP 9000-9003 (250-port system)

 

Hi Chris,

In addition to 5060, the CUCM connection also needs port 5062 (of course, if they don't use TLS; if they use TLS, then 5061 and 5063).

Also, not sure where the SMTP server is located, but you will need to ensure that the VMs have access to the SMTP server for e-mail notifications (port 25, or 465 for secure SMTP).

Make sure that access to the DNS server is allowed (port 53), as well as the ICMP protocol between the VMs themselves and between the VMs and the DNS server.

Make sure port 8444 is allowed between the VMs and the clients for NBR recording download.

Everything else you listed already. I believe I didn't miss anything, but always double-check with the documentation.

 

I hope this helps.

-Dejan
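As an added example that is not part of the thread or of Cisco's documentation, the port requirements collected across the replies above can be encoded as required flows and checked against a candidate internal-firewall rule set, so that a forgotten port (8444 for NBR downloads, the second SIP port) shows up before the change window. The zone names, the Rule model and SAMPLE_RULES are constructed; CUCM and DNS traffic is modelled in the VM-to-server direction only, and DNS is assumed to be UDP 53.

```python
"""Gap-check a constructed internal-firewall rule set against the CWMS ports from this thread."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str            # constructed zone names: "clients", "cwms", "cucm", "smtp", "dns"
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    lo: int = 0         # permitted port range; ignored for icmp
    hi: int = 0
    def permits(self, src, dst, proto, port):
        return (self.src == src and self.dst == dst and self.proto == proto
                and (proto == "icmp" or self.lo <= port <= self.hi))

def required_flows(cucm_tls=False):
    """Flows from the thread as (label, src, dst, proto, ports, any_of); any_of=True means
    one permitted port is enough (SMTP 25 or 465), otherwise every listed port is required."""
    sip = [5061, 5063] if cucm_tls else [5060, 5062]   # TLS vs. non-TLS SIP port pairs
    return [
        ("clients->VMs client ports", "clients", "cwms", "tcp", [22, 80, 443, 10200, 65002, 65102], False),
        ("clients->VMs NBR download", "clients", "cwms", "tcp", [8444], False),
        ("clients->VMs audio (250-port)", "clients", "cwms", "udp", list(range(9000, 9004)), False),
        ("VMs->CUCM SIP", "cwms", "cucm", "tcp", sip, False),
        ("VMs->CUCM HTTPS", "cwms", "cucm", "tcp", [8443], False),
        ("VMs->SMTP notifications", "cwms", "smtp", "tcp", [25, 465], True),
        ("VMs->DNS", "cwms", "dns", "udp", [53], False),       # assumed UDP; thread says "port 53"
        ("VMs->DNS ICMP", "cwms", "dns", "icmp", [0], False),
    ]

def find_gaps(rules, cucm_tls=False):
    """Return (label, missing_ports) for every requirement the rule set does not meet."""
    gaps = []
    for label, src, dst, proto, ports, any_of in required_flows(cucm_tls):
        missing = [p for p in ports if not any(r.permits(src, dst, proto, p) for r in rules)]
        if (any_of and len(missing) == len(ports)) or (not any_of and missing):
            gaps.append((label, missing))
    return gaps

# Constructed rule set that forgets 8444 and the second non-TLS SIP port (5062).
SAMPLE_RULES = [
    Rule("clients", "cwms", "tcp", p, p) for p in (22, 80, 443, 10200, 65002, 65102)
] + [
    Rule("clients", "cwms", "udp", 9000, 9003), Rule("cwms", "cucm", "tcp", 5060, 5060),
    Rule("cwms", "cucm", "tcp", 8443, 8443), Rule("cwms", "smtp", "tcp", 465, 465),
    Rule("cwms", "dns", "udp", 53, 53), Rule("cwms", "dns", "icmp"),
]

if __name__ == "__main__":
    for label, missing in find_gaps(SAMPLE_RULES):
        print(f"GAP: {label}: ports {missing} not permitted")
```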