Planning Guide and System Requirements for Cisco Webex Meetings Server Release 3.0

Networking Checklist for Your System

The networking checklist lists the networking changes required for your system, depending on your DNS configuration and whether or not you enable public access (allowing users to host or attend meetings from the Internet or a mobile device).

Choose the appropriate checklist depending on whether you are using automatic system deployment (recommended for 50, 250, or 800 user deployments) or manual system deployment (required for a 2000 user deployment).

All virtual machines, including the Internet Reverse Proxy, are in your internal network (easiest configuration)
- Networking Checklist for an Installation or Expansion, with an Automatic Deployment and Public Access
- Networking Checklist for an Installation or Expansion, with a Manual Deployment, Public Access, and All Internal Virtual Machines
Non-split-horizon DNS (the most common DNS configuration)
- Networking Checklist for an Installation or Expansion, with Automatic Deployment, Public Access, and a Non-Split-Horizon DNS
- Networking Checklist for an Installation or Expansion, with Manual Deployment, Public Access, and a Non-Split Horizon DNS
Split-horizon DNS
- Networking Checklist For an Installation or Expansion, with Automatic Deployment, Public Access, and a Split-Horizon DNS
- Networking Checklist for an Installation or Expansion, with Manual Deployment, Public Access, and a Split-Horizon DNS
Systems without public access
- Networking Checklist for an Installation or Expansion with Automatic Deployment and No Public Access
- Networking Checklist For an Installation or Expansion, with Manual Deployment and No Public Access

Networking Checklist for an Installation or Expansion, with an Automatic Deployment and Public Access

Virtual Machine Deployment

In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. We recommend that you choose an automatic deployment if you are deploying a 50, 250, or 800 user system.

Verify that the Media virtual machine (if applicable) is on the same subnet as the Admin virtual machine.
Verify that the Internet Reverse Proxy virtual machines are in your internal network.
Verify that the ESXi hosts for all your virtual machines (including the Internet Reverse Proxy) are managed from the same VMware vCenter.

Required IP Addresses


Description	Network Location	IP Address
Real IP address of the Admin virtual machine	Internal
Real IP address of the Media virtual machine (if applicable)	Internal (same subnet as Admin virtual machine)
Real IP address of the Internet Reverse Proxy	Internal (may be on the same subnet as Admin virtual machine)
Administration URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Webex site URL (used exclusively by the system. Maps to the public VIP address)	Internal (same subnet as the Internet Reverse Proxy). This IP address must be publicly routable.
Real IP address of the HA Admin virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Media virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Internet Reverse Proxy (if applicable)	Internal [same subnet as the primary system Internet Reverse Proxy (but can use NAT with a private IP address)]

DNS Configuration

Update the DNS server as follows. There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you cannot use, see Webex Site and Webex Administration URLs.


Task	Examples
Hostnames and IP addresses of the internal virtual machines: Admin virtual machine and, if applicable, the Media virtual machine.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>
Hostname and IP address for the Internet Reverse Proxy virtual machine.	<IRP-vm-FQDN> <IRP-vm-IP-address>
Administration site URL and Private VIP address.	<Administration-site-URL> <Private-VIP-address>
Webex site URL and Public VIP address.	<Webex-site-URL> <Public-VIP-address>

Firewall Configuration

For security reasons, we recommend that you place the Internet Reverse Proxy in a subnet that is separate from the internal (Admin or Media) virtual machines. See Port Access When All the Virtual Machines Are in the Internal Network.

Network Routing Configuration


Task	Examples
Enable Layer 3 routing between the internal and DMZ networks.	Internal Subnet <internal-subnet>/24 DMZ Subnet <DMZ-subnet>/24
Verify that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet. [As you are deploying all your system virtual machines internally (the Internet Reverse Proxy is not in the DMZ), this subnet must be in the internal network.]	<Public-VIP-address> <IRP-vm-FQDN> <IRP-vm-IP-address>
Verify that the Private VIP address and internal virtual machines are on the same subnet.	<Private-VIP-address> <admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>

Networking Checklist for an Installation or Expansion, with a Manual Deployment, Public Access, and All Internal Virtual Machines

Virtual Machine Deployment

In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.

You must choose a manual deployment if you are deploying a 2000 user system.

Ensure that any additional internal virtual machines (Media and Web, if applicable) are on the same subnet as the Admin virtual machine.
Ensure that the Internet Reverse Proxy virtual machines are in your internal network.

Required IP Addresses

Description

Network Location

IP Address

Real IP address of the Admin virtual machine

Internal

Real IP address of the Media virtual machine (if applicable)

Internal (same subnet as Admin virtual machine)

Real IP address of the second Media virtual machine (2000 user system only)

Internal (same subnet as Admin virtual machine)

Real IP address of the third Media virtual machine (2000 user system only)

Internal (same subnet as Admin virtual machine)

Real IP address of the Web virtual machine (2000 user system only)

Internal (same subnet as Admin virtual machine)

Real IP address of the second Web virtual machine (2000 user system only)

Internal (same subnet as Admin virtual machine)

Real IP address of the Internet Reverse Proxy

Internal (may be on the same subnet as Admin virtual machine)

Administration URL (used exclusively by the system. Maps to the private VIP address)

Internal (same subnet as Admin virtual machine)

Webex site URL (used exclusively by the system. Maps to the public VIP address)

Internal (same subnet as the Internet Reverse Proxy)

Note

This IP address must be publicly routable.

Real IP address of the HA Admin virtual machine (if applicable)

Internal (same subnet as primary system's Admin virtual machine)

Real IP address of the HA Media virtual machine (if applicable)

Internal (same subnet as primary system's Admin virtual machine)

Real IP address of the HA Web virtual machine (if applicable)

Internal (same subnet as primary system's Admin virtual machine)

Real IP address of the HA Internet Reverse Proxy (if applicable)

Internal—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address)

DNS Configuration

Make the following changes to your DNS configuration.

Note

There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you may not use, see Webex Site and Webex Administration URLs.


Task	Example
Update your DNS Server with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>
Update your DNS server with the hostname and IP address for the Internet Reverse Proxy virtual machine.	<IRP-vm-FQDN> <IRP-vm-IP-address>
Update your DNS server with Administration site URL and Private VIP address information.	<Administration-site-URL> <Private-VIP-address>
Update your DNS server with Webex site URL and Public VIP address information.	<Webex-site-URL> <Public-VIP-address>

Firewall Configuration

For security reasons, we recommend that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin, Media and Web, if applicable) virtual machines.

Although it is not recommended, we do also support placing all of your virtual machines (Internet Reverse Proxy and internal) on the same subnet. See Port Access When All the Virtual Machines Are in the Internal Network.

Network Routing Configuration

Make the following changes to your network routing.

Task

Compare These IP Addresses

Enable L3 (Layer 3) routing between the internal and DMZ networks for the following virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines

<admin-vm-FQDN>

<admin-vm-IP-address>

<media-vm-FQDN>

<media-vm-IP-address>

<web-vm-FQDN>

<web-vm-IP-address>

Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet.

Note

As you are deploying all your system virtual machines internally (the Internet Reverse Proxy is not in the DMZ), then this subnet must be in the internal network.

<Public-VIP-address>

<IRP-vm-FQDN>

<IRP-vm-IP-address>

Ensure that the Private VIP address and internal virtual machines (Admin, and Media and Web, if applicable) are on the same subnet.

<Private-VIP-address>

<admin-vm-FQDN>

<admin-vm-IP-address>

<media-vm-FQDN>

<media-vm-IP-address>

<web-vm-FQDN>

<web-vm-IP-address>

Networking Checklist for an Installation or Expansion, with Automatic Deployment, Public Access, and a Non-Split-Horizon DNS

Virtual Machine Deployment

In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. We recommend that you choose an automatic deployment if you are deploying a 50, 250, or 800 user system.

Verify that the Media virtual machine (if applicable) is on the same subnet as the Admin virtual machine.
Verify that the Internet Reverse Proxy virtual machines are in your DMZ network.

Required IP Addresses


Description	Network Location	IP Address
Real IP address of the Admin virtual machine	Internal
Real IP address of the Media virtual machine (if applicable)	Internal (same subnet as Admin virtual machine)
Real IP address of the Internet Reverse Proxy	DMZ (but can use NAT with a private IP address)
Administration URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Webex site URL (used exclusively by the system. Maps to the public VIP address)	DMZ (same subnet as the Internet Reverse Proxy)
Real IP address of the HA Admin virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Media virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Internet Reverse Proxy (if applicable)	DMZ [same subnet as the primary system Internet Reverse Proxy (but can use NAT with a private IP address)]

DNS Configuration

Update the DNS server as follows. There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you cannot use, see Webex Site and Webex Administration URLs.


Task	Example
Hostnames and IP addresses of the internal virtual machines: Admin virtual machine and, if applicable, the Media virtual machine.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>
Hostname and IP address for the Internet Reverse Proxy virtual machine.	<IRP-vm-FQDN> <IRP-vm-IP-address>
Administration site URL and Private VIP address.	<Administration-site-URL> <Private-VIP-address>
Webex site URL and Public VIP address.	<Webex-site-URL> <Public-VIP-address>

Firewall Configuration

For security reasons, we recommend that you place the Internet Reverse Proxy in a subnet that is separate from the internal (Admin or Media) virtual machines. See Port Access When All the Virtual Machines Are in the Internal Network.

Network Routing Configuration

Make the following changes to your network routing.


Task	Compare These IP Addresses
Enable Layer 3 routing between the internal and DMZ networks.	Internal Subnet <internal-subnet>/24 DMZ Subnet <DMZ-subnet>/24
Verify that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet.	<Public-VIP-address> <IRP-vm-FQDN> <IRP-vm-IP-address>
Verify that the Private VIP address and internal virtual machines are on the same subnet.	<Private-VIP-address> <admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>

Networking Checklist for an Installation or Expansion, with Manual Deployment, Public Access, and a Non-Split Horizon DNS

Virtual Machine Deployment

In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.

You must choose a manual deployment if you are deploying a 2000 user system.

Ensure that any additional internal virtual machines (Media and Web, if applicable) are on the same subnet as the Admin virtual machine.
Ensure that the Internet Reverse Proxy virtual machines are in your DMZ network.

Required IP Addresses


Description	Network Location	IP Address
Real IP address of the Admin virtual machine	Internal
Real IP address of the Media virtual machine (if applicable)	Internal (same subnet as Admin virtual machine)
Real IP address of the second Media virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the third Media virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the Web virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the second Web virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the Internet Reverse Proxy	DMZ (but may use NAT with a private IP address)
Administration URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Webex site URL (used exclusively by the system. Maps to the public VIP address)	DMZ (same subnet as the Internet Reverse Proxy)
Real IP address of the HA Admin virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Media virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Web virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Internet Reverse Proxy (if applicable)	DMZ—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address)

DNS Configuration

Make the following changes to your DNS configuration.

Note

There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you may not use, see Webex Site and Webex Administration URLs.


Task	Example
Update your DNS Server with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>
Update your DNS server with the hostname and IP address for the Internet Reverse Proxy virtual machine.	<IRP-vm-FQDN> <IRP-vm-IP-address>
Update your DNS server with Administration site URL and Private VIP address information.	<Administration-site-URL> <Private-VIP-address>
Update your DNS server with Webex site URL and Public VIP address information.	<Webex-site-URL> <Public-VIP-address>

Firewall Configuration

For security reasons, we recommend that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin, Media and Web, if applicable) virtual machines. See Port Access With an Internet Reverse Proxy in the DMZ Network.

Network Routing Configuration

Make the following changes to your network routing.


Task	Compare These IP Addresses
Enable L3 (Layer 3) routing between the internal and DMZ networks for the following virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet.	<Public-VIP-address> <IRP-vm-FQDN> <IRP-vm-IP-address>
Ensure that the Private VIP address and internal virtual machines (Admin, and Media and Web, if applicable) are on the same subnet.	<Private-VIP-address> <admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>

Networking Checklist For an Installation or Expansion, with Automatic Deployment, Public Access, and a Split-Horizon DNS

Virtual Machine Deployment

In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. We recommend that you choose an automatic deployment if you are deploying a 50, 250, or 800 user system.

Verify that the Media virtual machine (if applicable) is on the same subnet as the Admin virtual machine.
Verify that the Internet Reverse Proxy virtual machines are in your DMZ network.

Required IP Addresses


Description	Network Location	IP Address
Real IP address of the Admin virtual machine	Internal
Real IP address of the Media virtual machine (if applicable)	Internal (same subnet as Admin virtual machine)
Real IP address of the Internet Reverse Proxy	DMZ (but can use NAT with a private IP address)
Administration URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Webex site URL (used exclusively by the system. Maps to two VIP addresses):	Internal users—Internal (same subnet as Admin virtual machine) External users—DMZ (same subnet as the Internet Reverse Proxy)
Real IP address of the HA Admin virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Media virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Internet Reverse Proxy (if applicable)	DMZ [same subnet as the primary system Internet Reverse Proxy (but can use NAT with a private IP address)]

DNS Configuration

Update the DNS server as follows. There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you cannot use, see Webex Site and Webex Administration URLs.


Task	Example
Hostnames and IP addresses of the internal virtual machines: Admin virtual machine and, if applicable, the Media virtual machine.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>
Hostname and IP address for the DMZ virtual machine.	<IRP-vm-FQDN> <IRP-vm-IP-address>
Webex site URL, Administration site URL, and Private VIP address information.	<Administration-site-URL> <Private-VIP-address> <Webex-site-URL> <Private-VIP-address>
Webex site URL and Public VIP address.	<Webex-site-URL> <Public-VIP-address>

Firewall Configuration

For security reasons, we recommend that you place the Internet Reverse Proxy in a subnet that is separate from the internal (Admin or Media) virtual machines. See Port Access When All the Virtual Machines Are in the Internal Network.

Network Routing Configuration

Make the following changes to your network routing.


Task	Compare These IP Addresses
Enable Layer 3 routing between the internal and DMZ networks.	Internal Subnet <internal-subnet>/24 DMZ Subnet <DMZ-subnet>/24
Verify that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet.	<Public-VIP-address> <IRP-vm-FQDN> <IRP-vm-IP-address>
Verify that the Private VIP address and internal virtual machines are on the same subnet.	<Private-VIP-address> <admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>

Networking Checklist for an Installation or Expansion, with Manual Deployment, Public Access, and a Split-Horizon DNS

Virtual Machine Deployment

In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.

You must choose a manual deployment if you are deploying a 2000 user system.

Ensure that any additional internal virtual machines (Media and Web, if applicable) are on the same subnet as the Admin virtual machine.
Ensure that the Internet Reverse Proxy virtual machines are in your DMZ network.

Required IP Addresses


Description	Network Location	IP Address
Real IP address of the Admin virtual machine	Internal
Real IP address of the Media virtual machine (if applicable)	Internal (same subnet as Admin virtual machine)
Real IP address of the second Media virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the third Media virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the Web virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the second Web virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the Internet Reverse Proxy	DMZ (but may use NAT with a private IP address)
Administration URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Webex site URL (used exclusively by the system. Maps to two VIP addresses) internal users—private VIP address external users—public VIP address	Internal users—Internal (same subnet as Admin virtual machine) External users—DMZ (same subnet as the Internet Reverse Proxy)
Real IP address of the HA Admin virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Media virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Web virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Internet Reverse Proxy (if applicable)	DMZ—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address)

DNS Configuration

Make the following changes to your DNS configuration.

Note

There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you may not use, see Webex Site and Webex Administration URLs.


Task	Example
Update your DNS Server (that enables internal lookup) with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>
Update your DNS server (that enables internal lookup) with the hostname and IP address for the DMZ virtual machine.	<IRP-vm-FQDN> <IRP-vm-IP-address>
Update your DNS server (that enables internal lookup) with Webex site URL, Administration site URL, and Private VIP address information.	<Administration-site-URL> <Private-VIP-address> <Webex-site-URL> <Private-VIP-address>
Update your DNS server (that enables external lookup) with Webex site URL and Public VIP address information.	<Webex-site-URL> <Public-VIP-address>

Firewall Configuration

For security reasons, we recommend that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin, Media and Web, if applicable) virtual machines. See Port Access With an Internet Reverse Proxy in the DMZ Network.

Network Routing Configuration

Make the following changes to your network routing.


Task	Compare These IP Addresses
Enable L3 (Layer 3) routing between the internal and DMZ networks for the following virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet.	<Public-VIP-address> <IRP-vm-FQDN> <IRP-vm-IP-address>
Ensure that the Private VIP address and internal virtual machines (Admin virtual machine and if applicable, the Media and Web virtual machines) are on the same subnet.	<Private-VIP-address> <admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>

Networking Checklist for an Installation or Expansion with Automatic Deployment and No Public Access

Virtual Machine Deployment

In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. We recommend that you choose an automatic deployment if you are deploying a 50, 250, or 800 user system.

Verify that the Media virtual machine (if applicable) is on the same subnet as the Admin virtual machine.

Required IP Addresses


Description	Network Location	IP Address
Real IP address of the Admin virtual machine	Internal
Real IP address of the Media virtual machine (if applicable)	Internal (same subnet as Admin virtual machine)
Administration URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Real IP address of the HA Admin virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Media virtual machine (if applicable)	Internal (same subnet as primary system Admin virtual machine)
Real IP address of the HA Internet Reverse Proxy (if applicable)	Internal (same subnet as primary system Admin virtual machine)

DNS Configuration

Update the DNS server as follows. There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you cannot use, see Webex Site and Webex Administration URLs.


Task	Example
Hostnames and IP addresses of the internal virtual machines: Admin virtual machine and, if applicable, the Media virtual machine.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>
Webex site URL, Administration site URL, and Private VIP address information.	<Administration-site-URL> <Private-VIP-address> <Webex-site-URL> <Private-VIP-address>

Firewall Configuration


Task	Example
Configure all the firewalls inside your internal network to permit web browsers to access the Private VIP address.	HTTP <Private-VIP-address>:80 HTTPS <Private-VIP-address>:443

Network Routing Configuration


Task	Compare These IP Addresses
Verify that the Private VIP address and internal virtual machines are on the same subnet.	<Private-VIP-address> <admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address>

Networking Checklist For an Installation or Expansion, with Manual Deployment and No Public Access

Virtual Machine Deployment

In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.

You must choose a manual deployment if you are deploying a 2000 user system.

Ensure that any additional internal virtual machines (Media and Web, if applicable) are on the same subnet as the Admin virtual machine.

Required IP Addresses


Description	Network Location	IP Address
Real IP address of the Admin virtual machine	Internal
Real IP address of the Media virtual machine (if applicable)	Internal (same subnet as Admin virtual machine)
Real IP address of the second Media virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the third Media virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the Web virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Real IP address of the second Web virtual machine (2000 user system only)	Internal (same subnet as Admin virtual machine)
Administration URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Webex site URL (used exclusively by the system. Maps to the private VIP address)	Internal (same subnet as Admin virtual machine)
Real IP address of the HA Admin virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Media virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)
Real IP address of the HA Web virtual machine (if applicable)	Internal (same subnet as primary system's Admin virtual machine)

DNS Configuration

Make the following changes to your DNS configuration.

Note

There are some limitations for the hostname portion of the Webex site URL and the Administration site URL. For a list of the words that you may not use, see Webex Site and Webex Administration URLs.


Task	Example
Update your DNS Server (that enables internal lookup) with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines.	<admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>
Update your DNS server with Administration site URL, Webex site URL, and Private VIP address information.	<Administration-site-URL> <Private-VIP-address> <Webex-site-URL> <Private-VIP-address>

Firewall Configuration

Make the following changes to your firewalls.


Task	Example
Configure all the firewalls inside your internal network to permit web browsers to access the Private VIP address.	HTTP <Private-VIP-address>:80 HTTPS <Private-VIP-address>:443

Network Routing Configuration

Make the following changes to your network routing.


Task	Compare These IP Addresses
Ensure that the Private VIP address and internal virtual machines (Admin, and Media and Web, if applicable) are on the same subnet.	<Private-VIP-address> <admin-vm-FQDN> <admin-vm-IP-address> <media-vm-FQDN> <media-vm-IP-address> <web-vm-FQDN> <web-vm-IP-address>

Webex Site and Webex Administration URLs

Webex Site URL

Users access the Webex site URL to schedule, host, or attend meetings. This URL resolves to either the private VIP address or the public VIP address, depending on whether or not you are using a split-horizon DNS.

Resolves to the public VIP address for all users, when you do not have split-horizon DNS.
Resolves to the public VIP address for external users when you have split-horizon DNS.
Resolves to the private VIP address for internal users when you have split-horizon DNS.

Note

Ports 80 and 443 must be open for the Webex site URL.

Webex Administration URL

Administrators access the Webex Administration URL to configure, manage, and monitor the system. This URL resolves to the private VIP address.

Note

Ports 80 and 443 must be open for the Webex Administration URL.

Names for the Webex Site and Webex Administration URLs

You may choose almost any names for these URLs, comprising all lowercase characters. However, you cannot use the following as the hostname in the URLs:

the same name as the hostnames for any of the virtual machines in the system
authentication
client
companylogo
dispatcher
docs
elm-admin
elm-client-services
emails
maintenance
manager
orion
oriondata
oriontemp
nbr
npp
probe
reminder
ROOT
solr
TomcatROOT
upgradeserver
url0107ld
version
WBXService
webex

Port Access When All the Virtual Machines Are in the Internal Network

This section describes the port access required in the external firewall when all the system virtual machines (Admin, and if applicable, Media, Web, and Internet Reverse Proxy) are in the internal network. This is the Internal Internet Reverse Proxy network topology.

Ensure that the firewall or any load balancing solution redirects requests to the ports listed below to ensure end users can host and join meetings successfully.

TCP Port 80 to the public virtual IP (VIP) address
TCP Port 443 to the public virtual IP (VIP) address

Note

The Web node and Admin node send SMTP requests to the configured Email server. If there is a firewall between the internal Web and Admin virtual machines and the Email server, SMTP traffic might be blocked. To ensure Email server configuration and Email notification work properly, port 25 or 465 (secure SMTP port number) must be open between the Email server and the Web and the Admin virtual machines.

Port Access With an Internet Reverse Proxy in the DMZ Network

This section describes the port access required in the internal and external firewalls when you have internal virtual machines (Admin, and if applicable, Media and Web) in the internal network, and the Internet Reverse Proxy (IRP) in the DMZ network.

Configure access control lists (ACLs) on the switch that permits traffic to the ESXi hosts for the system virtual machines.

Port Access in the External Firewall

Enabled public access by opening port 80 (HTTP) in addition to port 443 (HTTPS), so users can enter the Webex site URL without having to remember whether it is HTTP or HTTPS. Although port 80 is open, all the network traffic flows over port 443 (SSL encrypted HTTPS).

Important

Ensure that the firewall or any load balancing solution redirects requests to the ports listed below to ensure users can host and join meetings successfully.

Restriction

Configure TCP port 64700 on the IRP machine to deny any requests that come to the public VIP address. In the external firewall, this limits access to this port for requests only from the Admin virtual machines.


Protocol	Port	Source	Destination	Why It Is Needed
TCP	443	Any external clients.	Public VIP (Eth1) of the IRP.	External clients access the Webex site URL by using HTTPS. TCP connections are initiated from the external client machines to the IRP virtual machines.
TCP	80	Any external clients.	Public VIP (Eth1) of the IRP.	External clients accessing the Webex site URL by using HTTP. TCP connections are initiated from the external client machines to the IRP virtual machines.
TCP	8444 (Introduced in 2.5MR1, 2.6, and 2.0MR6HF.)	Any external clients.	Public VIP (Eth1) of the IRP.	External clients accessing the Webex recordings by using HTTPS. TCP connections are initiated from the external client machines to the IRP virtual machines.
UDP	53	Real IP (Eth0) of the IRP.	DNS server.	This is needed if you have a firewall between the virtual machines and the DNS server, for your system to deploy and operate successfully.

Port Access in the Internal Firewall

If you have restrictions on connections from the internal network to the DMZ network, then the table in this section applies. Allow TCP connections outbound from the internal network to the DMZ network segment.

Note

No TCP connections need to be allowed from the DMZ segment in to the internal network for this product to work properly.

Note

Using iptables or access control lists (ACLs), configure the firewall so that connections to port 64616 only come from the Admin virtual machine.

Note

The Web node and Admin node send SMTP requests to the configured Email server. If there is a firewall between the internal Web and Admin virtual machines and the Email server, SMTP traffic might be blocked. To ensure Email server configuration and Email notification work properly, port 25 or 465 (secure SMTP port number) must be open between the Email server and the Web and the Admin virtual machines.

Note

Especially when the IRP is in the DMZ network, allow Internet Control Message Protocol (ICMP) echo requests and replies. Otherwise, the IRP detect and the DNS server availability validation might fail if the ICMP echo reply is not received.

Protocol

Port

Source

Destination

Why It Is Needed

TCP

64001

All internal virtual machines (Eth0 IP).

Real IP (Eth0) of the IRP virtual machines.

Establishes reverse connections to the IRP. TCP connections are established from the internal virtual machines to the IRP virtual machines.

TCP

64002

Admin and web virtual machines (Eth0 IP).

Real IP (Eth0) of the IRP virtual machines.

Establishes reverse connections to the IRP. TCP connections are established from the internal virtual machines to the IRP virtual machines.

TCP

7001

All internal virtual machines (Eth0 IP).

Real IP (Eth0) of the IRP virtual machines.

Establishes reverse connections to the IRP. TCP connections are initiated from the internal virtual machines to the IRP virtual machines.

TCP

64616

Admin virtual machines (Eth0 IP).

Real IP (Eth0) of the IRP virtual machines.

Bootstrap the IRP. TCP connections are initiated from the Admin virtual machines to the IRP virtual machines.

Note

Using iptables or access control lists (ACLs), configure the firewall so that connections to port 64616 only come from the Admin virtual machine.

TCP

22

Any internal client machines.

Real IP (Eth0) of the IRP virtual machines.

Troubleshooting the IRP virtual machines using a Remote Support Account.

TCP

443

Any internal client machines.

Private VIP (Eth1) of the Admin virtual machines.

Real IP (Eth0) of the Media virtual machines.

Internal users accessing the Webex site URL by using HTTPS. TCP connections are established from the internal client machine to the Admin virtual machine.

TCP

443

Private VIP (Eth1) of the Admin virtual machines and Real IP (Eth0) of the Media virtual machines.

Public VIP (Eth1) of the IRP.

TCP

65002

Any internal client machines.

Any internal virtual machines.

Controls network traffic between internal virtual machines.

TCP

65102

Any internal client machines.

Any internal virtual machines.

Controls network traffic between internal virtual machines.

TCP

80

Any internal client machines.

Private VIP (Eth1) of the Admin virtual machines.

Internal users accessing the Webex site URL using HTTP. TCP connections are established from the internal client machine to the Admin virtual machine.

UDP

53

All internal virtual machines (Eth0 IP).

DNS server.

If you have a firewall between the virtual machines and the DNS server, for your system to deploy and operate successfully.

TCP

8443

Cisco Webex Meetings Server Web Node.

CUCM

For AXL traffic in a multi-data center system between Cisco Webex Meetings Server and CUCM to allow LDAP CUCM failover.

VMware vCenter Ports

Ports Open for Deployment

These are some of the ports that are used during the deployment of a Single-data Center (SDC) Cisco Webex Meetings Server (CWMS). Once the deployment completes, you can close any ports that were opened solely for the deployment.

TCP Port 443 should be open, in both directions, between vCenter and the Admin virtual machine for secure https management during an automatic system deployment. The Admin virtual machine uses this port to provide vCenter credentials to deploy the virtual machines automatically in vCenter.

The ports listed below are used for communication between the ESXi host and vCenter. If the ESXi host and vCenter are connected to a separate management network, you may not need to open these ports through the firewall. For a complete list of ports used by vCenter and the ESXi host, see your VMware documentation.

UDP/TCP Port 902 in both directions between vCenter and the ESXi hosts for vCenter management
(Optional) TCP Port 22 from the vSphere client to the ESXi hosts for SSH management
UDP Port 514 from the ESXi hosts for your system to the internal syslog
TCP Port 5989 in both directions between vCenter and the ESXi hosts for XML management

The default UDP port used for external clients for audio and video data transmission is SSL (port 443).

Ports Open to Support Multi-data Center


Ports to open between the CWMS internal virtual machines	tcp 8080 tcp 8081 tcp 8082 tcp 9809 tcp 9810 tcp 9811 tcp 9812 tcp 9813 tcp 9814 tcp 9815 tcp 9816 tcp 9817 tcp 9818 tcp 9819 tcp 9820 tcp 9840 tcp 6502 tcp 12340 tcp 12342 tcp 12442 tcp 7001 tcp 7003 tcp 7004 tcp 7005 tcp:5060 tcp 5061 tcp 5062 tcp 5063 tcp 22
Ports to open between the CWMS internal virtual machines and Virtual IPs	tcp 443 tcp 80
Ports to open between Internet Reverse Proxy IPs and the CWMS internal virtual machines	tcp 7001 tcp 64001 tcp 64700 tcp 64616
UDP ports to open between the CWMS internal virtual machines ¹	udp range:10000:19999 udp range:16000:32000 udp range:9000:9011 (Medium system) udp range:9000:9009 (Large system) udp 5060 udp 5062

¹ Media components for PC audio and video use these ports.

Cisco Webex Meeting Center Ports

The UDP ports used for internal clients for audio and video data transmission between UDP and SSL include:
- For 50 user systems, use UDP port 9000
- For 250 user systems, use UDP ports 9000, 9001, 9002, 9003
- For 800 user systems, use UDP ports 9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008, 9009, 9010, 9011
- For 2000 user systems, use UDP ports 9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008, 9009
With the appropriate network settings, internal media servers allow connections through any port used by Meeting Center.
The Internet Reverse Proxy only accepts connections from Webex Meetings through TCP ports 80 and 443.

Using NAT With Your System

Network Address Translation (NAT) traversal is supported for virtual machine IP addresses and for the virtual IP addresses (Public and Private VIPs) that are used in your system.

The following schematic diagram illustrates a typical NAT traversal for a 50 user system without High Availability (HA). By using NAT, you can reduce the number of public IP addresses required for the product to just one IP address, instead of two (or three if you deploy HA). You can also deploy similar NAT deployments as long as these meet the overall system requirements.

Important

The use of multiple NATs and firewalls tends to increase latency, affecting the quality of real time-traffic for users.

Also, when using multiple NAT domains, routing between these various NAT domains can be challenging. You can use NAT-ed IP addresses as long as the following requirements are met:

All the virtual machines in the system can use NAT-ed IP addresses, with the exception of the Internet Reverse Proxy virtual machine. NAT between the Administration virtual machine and the Internet Reverse Proxy virtual machine is not supported. The IP address of the Internet Reverse Proxy virtual machine (its real IP address) must be reachable by the Administration virtual machine through the internal network.
The public VIP address itself does not need to be publicly visible, but it must be translatable from the Internet.
When deploying public access, the Webex site URL must be mapped to an Internet-visible IP address. This Internet-visible IP address must be accessible by external users and also map to the public VIP address you configure during the system deployment.

You can choose to make the public VIP address visible from the Internet. If you choose not to make it publicly visible, then it must be translatable from the Internet.

In the diagram, an external user accesses the Webex site to join or host a meeting. Following a DNS lookup, the IP address for the Webex site is the NAT public IP address (Eth0). This NAT public IP address is for the external NAT firewall router (Firewall and NAT router 1), between the external network and the DMZ network.

The firewall router receives this request from the external user, and internally routes the request to the NAT private IP address for the router (Eth1, exposed to the DMZ network). Eth1 then sends the request to the public VIP address (also a NAT IP address in the private networking segment for the Webex site).

You can use NAT IP addresses for the public VIP address, and the Internet Reverse Proxy IP addresses. The only NAT public IP address is the Eth0 IP address for the NAT firewall router.

Note

To ensure this NAT firewall router (between the Internet and DMZ network) routes the incoming packet correctly, set port mapping configuration on the NAT device, or apply other similar mechanisms to ensure the packet is routed correctly to the public VIP address and the Internet Reverse Proxy.

There is usually a second internal NAT firewall router between the DMZ network and the internal network. Similar to the external NAT firewall router, Eth0 is a DMZ NAT private IP address and is an interface to the DMZ network. Eth1 is also a NAT private IP address that is an interface to the internal network.

You can use NAT IP addresses for the private VIP address and the Administration virtual machine IP addresses.

For more information about NAT, see http://www.cisco.com/c/en/us/tech/ip/ip-addressing-services/tech-tech-notes-list.html.

Forward Proxies

If your network topology includes forward proxies, they must meet specific requirements for the Internet Reverse Proxy to work properly. See "Use of Forward Proxies in Your System" in the Cisco Webex Meetings Server Troubleshooting Guide for complete details.

Results

Chapter: Networking Changes Required For Your Deployment

Networking Changes Required For Your Deployment

Networking Checklist for Your System

Networking Checklist for an Installation or Expansion, with an Automatic Deployment and Public Access

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Networking Checklist for an Installation or Expansion, with a Manual Deployment, Public Access, and All Internal Virtual Machines

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Networking Checklist for an Installation or Expansion, with Automatic Deployment, Public Access, and a Non-Split-Horizon DNS

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Networking Checklist for an Installation or Expansion, with Manual Deployment, Public Access, and a Non-Split Horizon DNS

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Networking Checklist For an Installation or Expansion, with Automatic Deployment, Public Access, and a Split-Horizon DNS

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Networking Checklist for an Installation or Expansion, with Manual Deployment, Public Access, and a Split-Horizon DNS

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Networking Checklist for an Installation or Expansion with Automatic Deployment and No Public Access

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Networking Checklist For an Installation or Expansion, with Manual Deployment and No Public Access

Virtual Machine Deployment

Required IP Addresses

DNS Configuration

Firewall Configuration

Network Routing Configuration

Webex Site and Webex Administration URLs

Webex Site URL

Webex Administration URL

Names for the Webex Site and Webex Administration URLs

Port Access When All the Virtual Machines Are in the Internal Network

Port Access With an Internet Reverse Proxy in the DMZ Network

Port Access in the External Firewall

Port Access in the Internal Firewall

VMware vCenter Ports

Ports Open for Deployment

Ports Open to Support Multi-data Center

Cisco Webex Meeting Center Ports

Using NAT With Your System

Forward Proxies

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions