Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
782
Views
0
Helpful
6
Replies

MSE Desgin

ahmed Abouelnour
Level 1
Level 1

‎12-23-2014 12:09 AM - edited ‎07-05-2021 02:09 AM

For network design ,is there any best practice or recommendation for installing MSE  , is there any problem for installing MSE & WCS/Prime inside datacenter behind firewall
OR it is better to install WCS/Prime & MSE beside WLCs without firewall 

Thanks

Labels:
0 Helpful
6 Replies 6

Scott Fella
Hall of Fame
Hall of Fame

‎12-23-2014 01:49 AM

The only device that should be behind the FW is an anchor WLC. Most of all my designs have the WLC's, PI, and MSE in the inside and maybe in different subnets, but only a guest anchor WLC would be behind a FW in the DMZ.

-Scott

-Scott
*** Please rate helpful posts ***
0 Helpful

ahmed Abouelnour
Level 1
Level 1
In response to Scott Fella

‎12-24-2014 10:15 PM

Thanks Scott and moh_setan1988 for your help

I just wanted to know if there was any best practice for this point or not ,because i searched a lot in cisco documents and did not find any thing taking about this

Also i was thinking would be it be safe to put WCS/Prime without any firewall protecting them from network threats 

Did any one face problem with that before

 

Thanks

Ahmed

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to ahmed Abouelnour

‎12-25-2014 06:40 AM

There is no reason to really place them behind a firewall. Prime typically is on a VM so that's usually placed in the server vlan. MSE also can be a VM and placed in the same server vlan. Appliance have been treated like servers also, so look at where your servers are currently placed. If it's behind a firewall due to you companies policies, then both should be placed behind the firewall for consistency. If you look at many of the design documents, these devices are in the internal network and not in the DMZ.  Most companies don't want to poke holes in the firewall for these devices to sit in because they believe now your opening up the firewall more to threats. 

-Scott

-Scott
*** Please rate helpful posts ***
0 Helpful

ahmed Abouelnour
Level 1
Level 1
In response to Scott Fella

‎12-26-2014 05:28 AM

Thanks scott that was convincing analysis

 

Thanks

Ahmed

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to ahmed Abouelnour

‎12-26-2014 07:50 AM

No problem

-Scott

-Scott
*** Please rate helpful posts ***
0 Helpful

moh_setan1988
Level 1
Level 1

‎12-24-2014 01:45 AM

Hi Ahmed,

 

There is no issue with adding the devices behind the firewall, but you need to make sure that the ports that are used between the WLC <-> MSE and MSE <-> WCS are all opened.

 

You can refer to the link below which is showing the needed ports for the communication:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html

 

Kind Regards

Mohammad Setan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card