Dual NIC VCS-E with Jabber Guest config

jidesh chandran
Level 1

Hi,

I was planning to do the implementation of a Jabber Guest server with a new VCS C and E cluster (only for Jabber Guest).

I am not using any NAT; public IP on NIC 2 and private IP on NIC 1.

My default route is towards the NIC 2 public IP, so route add for the VCS IP via NIC 1.

VCS (10.10.1.2)-------->firewall---->VCSE nic 1 (192.168.1.2) ----VCSE nic 2 (40.40.40.4)--internet 

 

I have confusion on the part below:

1. Customer is requesting to avoid access to VCS to public IP; is opening the port towards NIC 1 sufficient?

2. How can I access the Expressway via HTTP/S? This port has been mapped to 9443 and 9980?

3. I saw the firewall IP Port Usage doc; in it, it is listed that access is required from the public IP to the VCS IP on UDP 36000-59999. Will this work if I add a route for the VCS IP via NIC 1?

 

4 Replies

For your queries on 1 & 2:

  • It is recommended to access only the VCS-E via its LAN 1 interface (private IP) using HTTP/HTTPS/SSH. Since your VCS-E LAN 2 is directly connected to the internet (no firewall), you can create firewall rules and apply them on the LAN 2 interface to deny any inapplicable services. Take a look at this guide starting on p. 32:

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/admin_guide/Cisco-VCS-Administrator-Guide-X8-5-1.pdf

I would also suggest, as a best practice, deploying VCS-E with NAT to maximize the Advanced Networking feature using dual NIC for a more secure environment.

 

For #3:

Port range 36000-59999 UDP are for media traversal (outbound ports for both VCS and listening ports for VCS-E)

Routing would not be enough. You need to define these ports on your firewall between VCS Control and VCS Expressway.

Also you need to add a static route on your VCS-E so that traffic from VCS-C can reach VCS-E LAN 1.

Using SSH:

xcommand routeadd address: 10.10.1.x prefixlength: y gateway: 192.168.1.z interface: LAN1

 

10.10.1.x = network on VCS Control

y = subnet on VCS Control

192.168.1.z = gateway of LAN1 (VCS-E)

 

regards,

Acevirgil
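Added example, not part of the reply above and not Cisco tooling: a Python check of the two points made there, that return traffic to VCS-C only leaves LAN1 once the static route exists, and that a route alone does not open UDP 36000-59999 on the firewall between VCS-C and VCS-E. The /24 prefixes, both gateway addresses and the firewall rule tuples are constructed assumptions, since the thread gives only 10.10.1.x, prefix y and 192.168.1.z.

```python
import ipaddress

# Constructed values: the thread gives only 10.10.1.x, prefix "y" and gateway
# 192.168.1.z, so every /24 and both gateway addresses here are assumptions.
BASE_ROUTES = [
    ("0.0.0.0/0", "40.40.40.1", "LAN2"),   # single default gateway on the public NIC
    ("40.40.40.0/24", None, "LAN2"),       # connected public subnet
    ("192.168.1.0/24", None, "LAN1"),      # connected private subnet
]
STATIC_TO_VCSC = ("10.10.1.0/24", "192.168.1.1", "LAN1")  # what routeadd would install

MEDIA_LO, MEDIA_HI = 36000, 59999  # UDP media traversal range quoted in the thread


def egress(routes, dst):
    """Longest-prefix match: (interface, gateway) the VCS-E would use for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    net, gateway, iface = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return iface, gateway


def blocked_media_ports(rules, src, dst):
    """Count media ports that no UDP permit rule covers for src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    allowed = set()
    for proto, rsrc, rdst, lo, hi in rules:
        if proto == "udp" and s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst):
            allowed.update(range(max(lo, MEDIA_LO), min(hi, MEDIA_HI) + 1))
    return (MEDIA_HI - MEDIA_LO + 1) - len(allowed)


# Constructed firewall rule sets between VCS-C (10.10.1.2) and VCS-E LAN1 (192.168.1.2).
RULES_PARTIAL = [("udp", "10.10.1.2/32", "192.168.1.2/32", 36000, 36011)]
RULES_FULL = [("udp", "10.10.1.2/32", "192.168.1.2/32", 36000, 59999)]

if __name__ == "__main__":
    print("no static route:", egress(BASE_ROUTES, "10.10.1.2"))
    print("with static route:", egress(BASE_ROUTES + [STATIC_TO_VCSC], "10.10.1.2"))
    print("blocked (partial):", blocked_media_ports(RULES_PARTIAL, "10.10.1.2", "192.168.1.2"))
    print("blocked (full):", blocked_media_ports(RULES_FULL, "10.10.1.2", "192.168.1.2"))
```

Without the static route the reply to VCS-C follows the default gateway out of the public NIC; a non-zero blocked count means media would fail even when the route is correct.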

 

 

Basically, in Advanced Networking Mode (dual NIC), there is only a single default gateway specified. Due to this, static routes have to be added for internal networks (if that is what the deployment model requires). There are instances where either NIC1 or NIC2 would be your outside NIC (clustered/unclustered). Regardless, with Jabber Guest you need to ensure that there is connectivity between the external E NIC and the JGuest server as well....

 

Page 25(32) will show some more detail.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Guest/10_5/icg/JABC_BK_JA306F08_00_jabber-guest-install-and-configure.pdf

Hi shawnangelo, in the deployment model two NICs are used without NAT; the first NIC is towards the VCS and the 2nd NIC (public IP) is towards the internet. The 2nd NIC network is used as the gateway, and NIC 1 requires static routes for internal networks.

Because of the static route available on the VCSE, will the communication between the Jabber Guest server (VCS) from the public IP be possible?

Apologies, I was confused by the initial post. I said connectivity between the JGuest server and Expressway E with the External NIC, but I meant the Internal NIC. If your JGuest and VCS-C are on the same subnet and connectivity exists between those two already, this should not be a concern.