Configuring External Access to Cisco Unified MeetingPlace Web Conferencing
Although you can provide external access to Cisco Unified MeetingPlace web conferences simply by opening ports in your firewall, we do not recommend this option because it lacks security. Alternatively, Cisco Unified MeetingPlace Web Conferencing supports a segmented meeting access configuration that allows you to provide external access to your users while maintaining network security.
See the following sections:
• About Firewalls
• How to Configure Secure Sockets Layer
• About Segmented Meeting Access
• How to Configure the SMA-2S Deployment
About Firewalls
Firewall Basics
A firewall is a security device set up to protect a local area network (LAN) from unwanted Internet access. However, you can provide limited access by opening specific TCP ports to allow inbound access to public servers while leaving other portions of the network protected. For example, when a user on the Internet connects to a company home page, the user must pass through TCP port 80 of the company firewall to access the web server, as shown in Figure 5-1.
Therefore, if you do nothing else, you can allow external access to Cisco Unified MeetingPlace web conferences by opening ports on your network.
Figure 5-1 Typical Firewall Setup
1 | Cisco Unified MeetingPlace web server inside the private corporate network.
2 | End user system outside the private corporate network.
Port Access Requirements with a Firewall
As long as port 80 is open inbound on your firewall for both of the hostnames or IP addresses on your Web Conferencing server, external users who are using the meeting console are able to participate in a Cisco Unified MeetingPlace web conference. However, port 80 requires "tunneling" on the meeting console connection (the Web Conferencing hostname or IP address) and results in slower web conferencing. Therefore, for an optimal web conferencing experience, we strongly recommend that you open TCP port 80 inbound for the Home Page hostname or IP address and also open TCP port 1627 inbound for the Web Conferencing hostname or IP address.
If your deployment is using SSL, make sure port 443 is open inbound on your firewall for both of the hostnames or IP addresses on your Web Conferencing server.
If external attendees are also located behind a firewall, they must open the same ports outbound on their end.
How to Configure Secure Sockets Layer
Secure Sockets Layer (SSL) secures information shared in a web conference by encrypting the data for travel across the network.
Restrictions
• Cisco Unified MeetingPlace Web Conferencing must be installed before you configure SSL.
• If you are using SSL on an external web server, make sure that the hostname on the SSL certificate resolves to the external web server IP address.
• If you are using SSL on a system with a segmented DNS, make sure that the hostname on the SSL certificate differs from the segmented DNS name. To change either the Home Page hostname or the Web Conferencing hostname, see the "Configuring the Web Server" section on page 2-26.
• If users will access your Web Conferencing server through a firewall, make sure that TCP port 443 is open inbound on your firewall for both of the hostnames or IP addresses on your server.
Task List
1. Use the SSL/TLS configuration page to generate certificate signing requests to send to an authorized Certificate Authority in order to apply for a digital identity certificate. You need two certificates: one for the Home Page hostname, and one for the Web Conferencing hostname. For instructions, see the "To Create a New Certificate Signing Request and Obtain a Certificate File" procedure.
2. When you receive the certificate files from your certificate provider, apply the certificates to the Cisco Unified MeetingPlace Web Conferencing website. For instructions, see the "To Apply the SSL Certificate to the Cisco Unified MeetingPlace Web Conferencing Websites" procedure.
3. Enable the Require SSL field on the Web Server administrative page. For instructions, see the "To Enable SSL" procedure.
4. Test the SSL connection. For instructions, see the "To Test the Web Server Over an HTTPS Connection" procedure.
To Create a New Certificate Signing Request and Obtain a Certificate File
Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.
Step 2 From the Welcome page, click Admin.
Step 3 Click SSL/TLS. The SSL/TLS page appears.
Step 4 Click the Edit icon for the Home Page hostname.
Step 5 In the applicable fields, enter your company name and organization unit/department.
Step 6 In the applicable fields, enter the complete, official names of your city/locality and state/province. Do not use abbreviations.
Step 7 Choose your country/region.
Step 8 Click Generate Request. The new certificate signing request (CSR) appears in the text box below. The request is signed with an auto-generated private key. To see the value of the private key, click the Private Key link.
Step 9 Copy the contents of the CSR text box to a text file, and send this file to your certificate provider in return for a certificate file.
Caution
If your certificate provider asks for your server type, specify Apache or Custom, not Microsoft or IIS. If you attempt to install a Microsoft or IIS certificate by using the SSL/TLS configuration pages, when you attempt to reboot the system, Cisco Unified MeetingPlace Web Conferencing does not restart, logs an error about the certificate, and disables SSL so you can restart and fix the problem.
Step 10 Click Back.
Step 11 Repeat Step 3 through Step 10 for the Web Conferencing hostname.
Step 12 When you receive the .cer files from your certificate provider, continue with the "To Apply the SSL Certificate to the Cisco Unified MeetingPlace Web Conferencing Websites" procedure.
To Apply the SSL Certificate to the Cisco Unified MeetingPlace Web Conferencing Websites
Step 1 Sign in to Cisco Unified MeetingPlace Web Conferencing.
Step 2 From the Welcome page, click Admin.
Step 3 Click SSL/TLS. The SSL/TLS page appears.
Step 4 Click the Edit icon for the Home Page hostname.
Step 5 Open the certificate file for the Home Page hostname in a text editor, and copy the text to the clipboard.
Step 6 In the text box at the bottom of the page, paste the text from the certificate you obtained for this hostname. Make sure the text you paste includes the begin and end certificate delimiters.
Step 7 Click Install Certificate. The host is now set up with a certificate.
Step 8 Click Back.
Step 9 Repeat Step 3 through Step 8 for the Web Conferencing hostname.
Step 10 Continue with the "To Enable SSL" procedure.
To Enable SSL
Step 1 From the SSL/TLS page, click Toggle SSL to turn SSL on.
Step 2 Click Reboot Server. The server shuts down and restarts.
Note
If the Web Conferencing server cannot validate the SSL certificates, the server will log an error and toggle SSL to off. In this case, you will need to restart the Web Conferencing service and fix the issue, then repeat the steps in this procedure.
To Test the Web Server Over an HTTPS Connection
Step 1 From the web server, use a web browser to connect to https://hostname.domain.com, the Fully Qualified Domain Name, or FQDN, of the web server.
If the Cisco Unified MeetingPlace Web Conferencing home page appears, the connection to the Home Page hostname is successful.
If any security warning dialog boxes appear, configure SSL not to show the dialog boxes. For detailed information, see Microsoft Knowledge Base Articles 813618 and 257873 on the Microsoft website.
Step 2 Sign in to Cisco Unified MeetingPlace Web Conferencing.
Step 3 Click Immediate Meeting.
If the meeting console opens, the connection to the Web Conferencing hostname is successful.
About Segmented Meeting Access
While external participation is possible by controlling port access through a firewall, we highly recommend that you consider a segmented meeting access (SMA) configuration instead. SMA configurations isolate some meetings on the private corporate network while exposing others, designated as external, to the Internet. Users designate their meetings as internal or external during the scheduling process by setting the Allow External Web Participants parameter on the New Meeting scheduling page.
Note
The Segmented Meeting Access-1 Server (SMA-1S) configuration is no longer supported in Cisco Unified MeetingPlace Web Conferencing Release 6.x.
About the SMA-2S Configuration
Note
For system requirements, see the System Requirements for Cisco Unified MeetingPlace, at http://www.cisco.com/en/US/products/sw/ps5664/ps5669/prod_installation_guides_list.html.
In the Segmented Meeting Access-2 Servers (SMA-2S) configuration, Cisco Unified MeetingPlace Web Conferencing is deployed on two separate web servers or two separate clusters of web servers. One is on the internal network, behind the firewall; the other is on another network segment, such as a demilitarized zone (DMZ). The internal server or cluster is only accessible from behind the firewall while the external server or cluster is accessible from inside or outside the firewall.
While internal users have access to the full-access Web Conferencing user interface, external users have access to an attend-only web page that only allows attendance to external meetings.
The SMA-2S configuration is the preferred and most secure deployment model if you want to provide external access to Cisco Unified MeetingPlace web conferences.
Note
We recommend that you configure external web servers to use Secure Sockets Layer (SSL). This provides optimum security and resolves proxy server issues that can prevent users from joining a web conference. For SSL configuration instructions, see the "How to Configure Secure Sockets Layer" section.
Figure 5-2 Segmented Meeting Access-2 Server Configuration
1 | Internal Cisco Unified MeetingPlace web server.
  • This web server sits inside the private corporate network.
2 | External Cisco Unified MeetingPlace web server.
  • This web server sits in a network segment, such as a DMZ.
3 | Internal user.
  • Internal users enter internal meetings through the internal web server.
  • Internal users enter external meetings through the external web server.
4 | External user.
  • External users can enter external meetings only.
  • Users enter these meetings through the external web server.
About the SMA-2S Configuration with SSL and Segmented DNS
If your Cisco Unified MeetingPlace Web Conferencing system has SSL configured on the external web server and a segmented DNS, the segmented DNS name cannot be the same as the SSL certificate name on the external or internal machine. See the following example for configuration guidelines.
Example
You have a SMA-2S configuration where SSL is required for external users, but not required for internal users who are accessing the internal or external machine.
• The segmented DNS name is meetingplace.company.com.
• The SSL certificate name for the external machine is meetingplace1.cisco.com.
• The hostname for the external machine from the internal machine is meetingplace1.
• All URLs and click-to-attend links are in the form of http://meetingplace.company.com.
When users access http://meetingplace.company.com from the external network, the external machine will automatically redirect them to HTTPS plus whatever hostname is configured in the database—in this case, meetingplace1.
Note
If you force SSL on all users, both internal and external users will be required to use SSL when they access the external web server.
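The port rules under "Port Access Requirements with a Firewall" and the naming rules in this section can be checked together before an external web server goes live. The following Python audit is an added example, not Cisco code: the Site type, the audit function, the Web Conferencing hostname, the addresses and the firewall rule set are constructed for illustration, and the warning for ports other than 80, 443 and 1627 is an added least-exposure check rather than a rule from this guide.

```python
from dataclasses import dataclass

PAGE_PORTS = {80, 443, 1627}  # the only inbound TCP ports this guide asks for

@dataclass(frozen=True)
class Site:
    role: str       # "home" = Home Page, "conf" = Web Conferencing
    hostname: str   # name clients use; with SSL, also the certificate name
    server_ip: str  # address bound to this site on the external web server

def _norm(name):
    # Compare DNS names case-insensitively and without a trailing root dot.
    return name.rstrip(".").lower()

def audit(sites, inbound_open, resolve, ssl=False, segmented_dns=None):
    """Return sorted (severity, message) findings for an external web server.

    inbound_open: set of (dst_ip, tcp_port) pairs the firewall allows inbound.
    resolve: callable hostname -> IP or None, injected so the audit runs offline.
    """
    findings = []
    for s in sites:
        opened = {port for ip, port in inbound_open if ip == s.server_ip}
        if ssl:
            # With SSL, 443 must be open for both hostnames.
            if 443 not in opened:
                findings.append(("ERROR", f"{s.hostname}: TCP 443 closed, SSL access blocked"))
            # The certificate hostname must resolve to the external server.
            if resolve(s.hostname) != s.server_ip:
                findings.append(("ERROR", f"{s.hostname}: certificate name does not resolve to {s.server_ip}"))
            # The certificate name must differ from the segmented DNS name.
            if segmented_dns and _norm(s.hostname) == _norm(segmented_dns):
                findings.append(("ERROR", f"{s.hostname}: certificate name equals the segmented DNS name"))
        elif s.role == "home" and 80 not in opened:
            findings.append(("ERROR", f"{s.hostname}: TCP 80 closed, home page unreachable"))
        elif s.role == "conf" and 1627 not in opened:
            if 80 in opened:
                findings.append(("WARN", f"{s.hostname}: only TCP 80 open, console will tunnel (slower)"))
            else:
                findings.append(("ERROR", f"{s.hostname}: TCP 80 and 1627 closed, console blocked"))
        # Added policy, not from the guide: report anything else left open.
        for port in sorted(opened - PAGE_PORTS):
            findings.append(("WARN", f"{s.hostname}: TCP {port} open but not required by this guide"))
    return sorted(findings)

# Constructed sample: the certificate and segmented DNS names come from the
# example above; the Web Conferencing hostname, the documentation-range
# addresses and the firewall rules are made up.
SITES = [Site("home", "meetingplace1.cisco.com", "203.0.113.10"),
         Site("conf", "meetingplace1-conf.example.com", "203.0.113.11")]
DNS = {"meetingplace1.cisco.com": "203.0.113.10",
       "meetingplace1-conf.example.com": "198.51.100.7"}  # stale record
RULES = {("203.0.113.10", 443), ("203.0.113.11", 80), ("203.0.113.11", 8080)}

if __name__ == "__main__":
    for severity, message in audit(SITES, RULES, DNS.get, ssl=True,
                                   segmented_dns="meetingplace.company.com"):
        print(severity, message)
```

In production, replace DNS.get with a resolver that queries the external DNS view, because a segmented DNS can return a different address to internal clients.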
How to Configure the SMA-2S Deployment
This section provides an overview of the SMA-2S configuration process.
Before You Begin
• Read the "About the SMA-2S Configuration" section.
• When you install multiple web servers, make sure that you synchronize the Purge parameters. For more information, see the "About Web Conferencing Data Storage" section on page 3-1.
• Install Cisco Unified MeetingPlace Web Conferencing on your internal web server. For instructions, see the Installation and Upgrade Guide for Cisco Unified MeetingPlace Web Conferencing, at http://www.cisco.com/en/US/products/sw/ps5664/ps5669/prod_installation_guides_list.html.
• Copy GUIDS from your internal web server to your external web server. For instructions, see the Installation and Upgrade Guide for Cisco Unified MeetingPlace Web Conferencing, at http://www.cisco.com/en/US/products/sw/ps5664/ps5669/prod_installation_guides_list.html.
• Install Cisco Unified MeetingPlace Web Conferencing on your external web server. For instructions, see the Installation and Upgrade Guide for Cisco Unified MeetingPlace Web Conferencing, at http://www.cisco.com/en/US/products/sw/ps5664/ps5669/prod_installation_guides_list.html.
Task List for Configuring the SMA-2S Deployment
1. From the internal web server, configure external meeting redirection. For instructions, see the "To Configure Redirection of External Meetings" procedure.
2. (Optional) Configure your external web server for Secure Sockets Layer (SSL) support. For instructions, see the "How to Configure Secure Sockets Layer" section.
3. Test your configuration. For instructions, see the "To Test Internal Meetings" procedure, and the "To Test External Meetings" procedure.
To Configure Redirection of External Meetings
External meetings are held on an external web server so that users can access their meetings from the Internet. Rather than have all of your users log in to a particular external web server, configure automatic redirection of all external meetings from your internal web servers to a designated external web server.
You must have properly installed Cisco Unified MeetingPlace Web Conferencing on all of your internal and external web servers before beginning this procedure.
Step 1 From the internal web server, sign in to Cisco Unified MeetingPlace Web Conferencing.
Step 2 From the Welcome page, click Admin, then click Web Server.
Step 3 From a blank Web Server Name field, enter the name of a new web server to represent your designated external web server.
Step 4 For Hostname, enter the fully qualified domain name (FQDN) of your external web server, that is, hostname.domain.com. If your web server is not in a Domain Name Server (DNS), enter the IP address instead.
• You must be able to resolve this hostname from the internal web server.
• If you are using SSL, make sure that the hostname on the SSL certificate resolves to the external web server IP address.
• If you are using SSL and a segmented DNS, make sure that the DNS name and the SSL certificate name differ.
Step 5 To add this web server to the database, click Submit.
This server now appears as part of your list of web servers on the bottom portion of the page.
• If you only have one internal web server and one external web server, continue with the "To Test Internal Meetings" procedure.
• If you have more than one internal web server, continue with Step 6.
Step 6 Return to the main Admin page and click Site. The Site administrative page appears.
Step 7 Click the Site Name that represents your cluster of internal web servers.
• There should only be one site indicated on this page unless you deployed WebConnect.
• Site Name should have a default value equal to the NetBIOS name of the first web server you installed in this cluster.
Step 8 For DMZ Web Server, choose the external web server you just added.
This configures the internal web servers in this cluster to point to this external web server in the case of external meetings.
Step 9 Click Submit.
Tip
The external cluster does not require any additional SQL Server database configurations.
Step 10 Continue with the "To Test Internal Meetings" procedure.
To Test Internal Meetings
Step 1 Open your web browser to an internal Cisco Unified MeetingPlace Web Conferencing website.
Step 2 Sign in by using a Cisco Unified MeetingPlace profile with System Manager privileges.
Step 3 Schedule a meeting with internal access and add two attachment files.
a. From the Welcome page, click Schedule Meeting.
b. Set your meeting details, including meeting date and time.
c. For Allow External Web Participants, click No.
d. Click Attachments/Recordings and add two attachments: a document file and a Microsoft PowerPoint attachment, then click OK.
e. Click Schedule.
Step 4 Verify that you received a notification for the meeting you scheduled in Step 3.
Step 5 From inside the private corporate network, verify that the internal click-to-attend link in your notification works.
a. Click the click-to-attend link.
b. If you attended a meeting on this web server previously, you are directed to the meeting console.
c. If you have not attended a meeting on this web server previously, the full-access Cisco Unified MeetingPlace Web Conferencing user interface appears.
Step 6 From the Internet, verify that the internal click-to-attend link in your notification does not work.
Step 7 Verify that you can attend the meeting.
• If you attended a meeting on this web server previously, click the click-to-attend link to go directly into the meeting console.
• If you have not attended a meeting on this web server previously, enter the meeting ID and click Attend Meeting from the Cisco Unified MeetingPlace Web Conferencing home page.
Step 8 Verify that you are logged in as your profile by verifying that your profile name appears in the meeting console.
Step 9 Continue with the "To Test External Meetings" procedure.
To Test External Meetings
You must have a Cisco Unified MeetingPlace profile with System Manager privileges to complete this procedure.
Step 1 Open your web browser to an internal Cisco Unified MeetingPlace Web Conferencing website.
Step 2 Sign in by using a Cisco Unified MeetingPlace profile with System Manager privileges.
Step 3 Schedule a meeting with external access, and add two attachment files by completing the following steps:
a. From the Welcome page, click Schedule Meeting.
b. Set your meeting details, including your meeting date and time.
c. For Allow External Web Participants, click Yes.
d. Click Attachments/Recordings and add two attachments: a document file and a Microsoft PowerPoint attachment, then click OK.
e. Click Schedule.
Step 4 Verify that you received a notification for the meeting you scheduled in Step 3.
Step 5 Verify that the external click-to-attend link in your notification works.
a. Click the click-to-attend link.
b. If you attended a meeting on this web server previously, you are directed to the meeting console.
c. If you have not attended a meeting on this web server previously, the external attend-only Cisco Unified MeetingPlace Web Conferencing user interface appears.
Step 6 Verify that you can attend the meeting.
• If you attended a meeting on this web server previously, click the click-to-attend link to go directly into the meeting console.
• If you have not attended a meeting on this web server previously, enter a meeting ID and click Attend Meeting.
Step 7 Verify that you are logged in as your profile by verifying that your profile name appears in the meeting console.
Step 8 Verify that you can access the attachments and slide show from the external web server.
a. From the meeting console, click the Attachments tab to verify that you can open an attachment.
b. From the meeting console, click the Slides tab to verify that you can see the slides.
c. Switch to Presentation mode to verify that the first slide appears in the web collaboration window.