Networking Changes Required For Your Deployment
This chapter provides a list of the changes you need to make for your system deployment:
- Networking Checklist For Your System
- Networking Checklist for an Installation or Expansion With an Automatic Deployment, Public Access, and All Internal Virtual Machines
- Networking Checklist for an Installation or Expansion With a Manual Deployment, Public Access, and All Internal Virtual Machines
- Networking Checklist for an Installation or Expansion With Automatic Deployment, Public Access, and a Non-Split-Horizon DNS
- Networking Checklist For an Installation or Expansion With Manual Deployment, Public Access, and a Non-Split Horizon DNS
- Networking Checklist For an Installation or Expansion With Automatic Deployment, Public Access, and a Split-Horizon DNS
- Networking Checklist for an Installation or Expansion with Manual Deployment, Public Access, and a Split-Horizon DNS
- Networking Checklist for an Installation or Expansion with Automatic Deployment and No Public Access
- Networking Checklist For an Installation or Expansion With Manual Deployment and No Public Access
- Port Access When All the Virtual Machines Are in the Internal Network
- Port Access With an Internet Reverse Proxy in the DMZ Network
- Using NAT With Your System
- Forward Proxies
Networking Checklist For Your System
The networking checklist lists the networking changes required for your system, depending on your company's DNS configuration and whether or not you enable public access (users can host or attend meetings from the Internet or mobile devices).
Choose the appropriate checklist depending on whether you are using automatic system deployment (recommended for 50, 250, or 800 user deployments) or manual system deployment (required for a 2000 user deployment).
Networking Checklist for an Installation or Expansion With an Automatic Deployment, Public Access, and All Internal Virtual Machines
Virtual Machine Deployment
In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. You may choose an automatic deployment if you are deploying a 50, 250, or 800 user system.
- Ensure that the Media virtual machine (if applicable) is on the same subnet as the Admin virtual machine.
- Ensure that the Internet Reverse Proxy virtual machines are in your internal network.
- Ensure that the ESXi hosts for all your virtual machines (including the Internet Reverse Proxy) are managed from the same VMware vCenter.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Internet Reverse Proxy | Internal (may be on the same subnet as Admin virtual machine) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to the public VIP address) | Internal (same subnet as the Internet Reverse Proxy) | |
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Internet Reverse Proxy (if applicable) | Internal—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server with the hostnames and IP addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media virtual machine. | |
Update your DNS server with the hostname and IP address for the Internet Reverse Proxy virtual machine. | |
Update your DNS server with Administration site URL and Private VIP address information. | |
Update your DNS server with WebEx site URL and Public VIP address information. |
Firewall Configuration
For security reasons, Cisco recommends that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin and Media, if applicable) virtual machines.
Although it is not recommended, we do also support placing all of your virtual machines (Internet Reverse Proxy and internal) on the same subnet. See Port Access When All the Virtual Machines Are in the Internal Network.
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Enable L3 (Layer 3) routing between the internal and DMZ networks | |
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet. | |
Ensure that the Private VIP address and internal virtual machines are on the same subnet. |
Networking Checklist for an Installation or Expansion With a Manual Deployment, Public Access, and All Internal Virtual Machines
Virtual Machine Deployment
In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.
You must choose a manual deployment if you are deploying a 2000 user system.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the third Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Internet Reverse Proxy | Internal (may be on the same subnet as Admin virtual machine) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to the public VIP address) | Internal (same subnet as the Internet Reverse Proxy) | |
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Web virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Internet Reverse Proxy (if applicable) | Internal—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines. | |
Update your DNS server with the hostname and IP address for the Internet Reverse Proxy virtual machine. | |
Update your DNS server with Administration site URL and Private VIP address information. | |
Update your DNS server with WebEx site URL and Public VIP address information. |
Firewall Configuration
For security reasons, Cisco recommends that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin, Media and Web, if applicable) virtual machines.
Although it is not recommended, we do also support placing all of your virtual machines (Internet Reverse Proxy and internal) on the same subnet. See Port Access When All the Virtual Machines Are in the Internal Network.
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Enable L3 (Layer 3) routing between the internal and DMZ networks for the following virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines | |
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet. | |
Ensure that the Private VIP address and internal virtual machines (Admin, and Media and Web, if applicable) are on the same subnet. |
Networking Checklist for an Installation or Expansion With Automatic Deployment, Public Access, and a Non-Split-Horizon DNS
Virtual Machine Deployment
In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. You may choose an automatic deployment if you are deploying a 50, 250, or 800 user system.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Internet Reverse Proxy | DMZ (but may use NAT with a private IP address) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to the public VIP address) | DMZ (same subnet as the Internet Reverse Proxy) | |
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Internet Reverse Proxy (if applicable) | DMZ—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media virtual machine. | |
Update your DNS server with the hostname and IP address for the Internet Reverse Proxy virtual machine. | |
Update your DNS server with Administration site URL and Private VIP address information. | |
Update your DNS server with WebEx site URL and Public VIP address information. |
Firewall Configuration
For security reasons, Cisco recommends that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin and Media, if applicable) virtual machines. See Port Access With an Internet Reverse Proxy in the DMZ Network.
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Enable L3 (Layer 3) routing between the internal and DMZ networks | |
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet. | |
Ensure that the Private VIP address and internal virtual machines are on the same subnet. |
Networking Checklist For an Installation or Expansion With Manual Deployment, Public Access, and a Non-Split Horizon DNS
Virtual Machine Deployment
In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.
You must choose a manual deployment if you are deploying a 2000 user system.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the third Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Internet Reverse Proxy | DMZ (but may use NAT with a private IP address) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to the public VIP address) | DMZ (same subnet as the Internet Reverse Proxy) | |
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Web virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Internet Reverse Proxy (if applicable) | DMZ—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines. | |
Update your DNS server with the hostname and IP address for the Internet Reverse Proxy virtual machine. | |
Update your DNS server with Administration site URL and Private VIP address information. | |
Update your DNS server with WebEx site URL and Public VIP address information. |
Firewall Configuration
For security reasons, Cisco recommends that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin, Media and Web, if applicable) virtual machines. See Port Access With an Internet Reverse Proxy in the DMZ Network.
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Enable L3 (Layer 3) routing between the internal and DMZ networks for the following virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines | |
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet. | |
Ensure that the Private VIP address and internal virtual machines (Admin, and Media and Web, if applicable) are on the same subnet. |
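The "Compare These IP Addresses" checks in the routing tables can be run against an address plan before deployment. The following is an added example, not part of the Cisco guide: the role names, the `check_plan` function and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Roles from the Required IP Addresses tables; a role that does not apply to
# a given system size or topology is simply left out of the plan.
INTERNAL_ROLES = ("media", "media2", "media3", "web", "web2",
                  "ha_admin", "ha_media", "ha_web", "private_vip")
PROXY_SIDE_ROLES = ("public_vip", "ha_irp")


def check_plan(plan):
    """Return (severity, message) findings for an address plan.

    plan maps a role name to "address/prefix" as configured on the interface.
    The comparison uses the derived network, so a wrong prefix length is
    caught as well as a wrong address.
    """
    nets = {role: ipaddress.ip_interface(cidr).network
            for role, cidr in plan.items()}
    findings = []
    admin_net = nets["admin"]

    # Private VIP and every internal virtual machine share the Admin subnet.
    for role in INTERNAL_ROLES:
        if role in nets and nets[role] != admin_net:
            findings.append(("error",
                f"{role} {plan[role]} is not on the Admin subnet {admin_net}"))

    if "irp" in nets:  # public access is enabled
        irp_net = nets["irp"]
        if "public_vip" not in nets:
            findings.append(("error", "public access needs a Public VIP"))
        # Public VIP (and HA proxy) share the Internet Reverse Proxy subnet.
        for role in PROXY_SIDE_ROLES:
            if role in nets and nets[role] != irp_net:
                findings.append(("error",
                    f"{role} {plan[role]} is not on the proxy subnet {irp_net}"))
        # Supported, but the guide recommends a separate subnet.
        if irp_net.overlaps(admin_net):
            findings.append(("warning",
                "Internet Reverse Proxy shares a subnet with internal VMs"))
    elif "public_vip" in nets:
        findings.append(("error", "Public VIP set without a reverse proxy"))
    return findings


# Constructed sample plans (documentation and private ranges).
SAMPLE_GOOD = {
    "admin": "10.10.1.10/24", "media": "10.10.1.11/24",
    "private_vip": "10.10.1.20/24",
    "irp": "192.0.2.10/24", "public_vip": "192.0.2.20/24",
}
SAMPLE_BAD = {
    "admin": "10.10.1.10/24",
    "media": "10.10.1.140/25",       # wrong prefix length
    "private_vip": "10.10.1.20/24",
    "irp": "10.10.1.30/24",          # proxy placed on the internal subnet
    "public_vip": "192.0.2.20/24",   # VIP left behind in the DMZ range
}

if __name__ == "__main__":
    for severity, message in check_plan(SAMPLE_BAD):
        print(f"{severity}: {message}")
```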
Networking Checklist For an Installation or Expansion With Automatic Deployment, Public Access, and a Split-Horizon DNS
Virtual Machine Deployment
In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. You may choose an automatic deployment if you are deploying a 50, 250, or 800 user system.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Internet Reverse Proxy | DMZ (but may use NAT with a private IP address) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to two VIP addresses) | ||
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Internet Reverse Proxy (if applicable) | DMZ—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server (that enables internal lookup) with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media virtual machine. | |
Update your DNS server (that enables internal lookup) with the hostname and IP address for the DMZ virtual machine. | |
Update your DNS server (that enables internal lookup) with WebEx site URL, Administration site URL, and Private VIP address information. | |
Update your DNS server (that enables external lookup) with WebEx site URL and Public VIP address information. |
Firewall Configuration
For security reasons, Cisco recommends that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin and Media, if applicable) virtual machines. See Port Access With an Internet Reverse Proxy in the DMZ Network.
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Enable L3 (Layer 3) routing between the internal and DMZ networks | |
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet. | |
Ensure that the Private VIP address and internal virtual machines are on the same subnet. |
Networking Checklist for an Installation or Expansion with Manual Deployment, Public Access, and a Split-Horizon DNS
Virtual Machine Deployment
In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.
You must choose a manual deployment if you are deploying a 2000 user system.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the third Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Internet Reverse Proxy | DMZ (but may use NAT with a private IP address) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to two VIP addresses) | ||
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Web virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Internet Reverse Proxy (if applicable) | DMZ—same subnet as the primary system's Internet Reverse Proxy (but may use NAT with a private IP address) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server (that enables internal lookup) with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines. | |
Update your DNS server (that enables internal lookup) with the hostname and IP address for the DMZ virtual machine. | |
Update your DNS server (that enables internal lookup) with WebEx site URL, Administration site URL, and Private VIP address information. | |
Update your DNS server (that enables external lookup) with WebEx site URL and Public VIP address information. |
Firewall Configuration
For security reasons, Cisco recommends that you place the Internet Reverse Proxy in a separate subnet from the internal (Admin, Media and Web, if applicable) virtual machines. See Port Access With an Internet Reverse Proxy in the DMZ Network.
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Enable L3 (Layer 3) routing between the internal and DMZ networks for the following virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines | |
Ensure that the Public VIP address and the Internet Reverse Proxy virtual machines are on the same subnet. | |
Ensure that the Private VIP address and internal virtual machines (Admin virtual machine and if applicable, the Media and Web virtual machines) are on the same subnet. |
Networking Checklist for an Installation or Expansion with Automatic Deployment and No Public Access
Virtual Machine Deployment
In an automatic deployment, we deploy all the virtual machines (other than the Admin virtual machine) for you. You may choose an automatic deployment if you are deploying a 50, 250, or 800 user system.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server (that enables internal lookup) with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media virtual machine. | |
Update your DNS server with Administration site URL, WebEx site URL, and Private VIP address information. |
Firewall Configuration
Make the following changes to your firewalls.
Task | Example |
---|---|
Configure all the firewalls inside your internal network to permit web browsers to access the Private VIP address. | HTTP <Private-VIP-address>:80 HTTPS <Private-VIP-address>:443 |
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Ensure that the Private VIP address and internal virtual machines (Admin virtual machine, and Media virtual machine, if applicable) are on the same subnet. |
Networking Checklist For an Installation or Expansion With Manual Deployment and No Public Access
Virtual Machine Deployment
In a manual deployment, you create all the virtual machines for your system using the OVA wizard from your vSphere client. You then install your system using a manual deployment.
You must choose a manual deployment if you are deploying a 2000 user system.
Required IP Addresses
Description | Network Location | IP Address |
---|---|---|
Real IP address of the Admin virtual machine | Internal | |
Real IP address of the Media virtual machine (if applicable) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the third Media virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the second Web virtual machine (2000 user system only) | Internal (same subnet as Admin virtual machine) | |
Administration URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
WebEx site URL (used exclusively by the system. Maps to the private VIP address) | Internal (same subnet as Admin virtual machine) | |
Real IP address of the HA Admin virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Media virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) | |
Real IP address of the HA Web virtual machine (if applicable) | Internal (same subnet as primary system's Admin virtual machine) |
DNS Configuration
Make the following changes to your DNS configuration.
Task | Example |
---|---|
Update your DNS Server (that enables internal lookup) with the hostnames and IP Addresses for the internal virtual machines: Admin virtual machine and if applicable, the Media and Web virtual machines. | |
Update your DNS server with Administration site URL, WebEx site URL, and Private VIP address information. |
Firewall Configuration
Make the following changes to your firewalls.
Task | Example |
---|---|
Configure all the firewalls inside your internal network to permit web browsers to access the Private VIP address. |
Network Routing Configuration
Make the following changes to your network routing.
Task | Compare These IP Addresses |
---|---|
Ensure that the Private VIP address and internal virtual machines (Admin, and Media and Web, if applicable) are on the same subnet. |
Port Access When All the Virtual Machines Are in the Internal Network
This section describes the port access required in the external firewall when all the system virtual machines (Admin, and if applicable, Media, Web, and Internet Reverse Proxy) are in the internal network. This is the Internal Internet Reverse Proxy network topology.
Port Access in the External Firewall
If you have enabled public access, then the following ports are open inbound directly from the Internet to the Internet Reverse Proxy virtual machines in the internal network:
Ensure that the firewall or any load balancing solution redirects requests to the ports listed below so that end users can host and join meetings successfully.
Port Access With an Internet Reverse Proxy in the DMZ Network
This section describes the port access required in the internal and external firewalls when you have internal virtual machines (Admin, and if applicable, Media and Web) in the internal network, and the Internet Reverse Proxy in the DMZ network.
Configure access control lists (ACLs) on the switch that permit traffic to the ESXi hosts for the system's virtual machines.
Port Access in the External Firewall
If you have enabled public access, then the following ports are open inbound from the Internet to the Internet Reverse Proxy virtual machines in the DMZ:
Ensure that the firewall or any load balancing solution redirects requests to the ports listed below so that end users can host and join meetings successfully.
Note |
Cisco strongly recommends that you open port 80 (http) in addition to port 443 (https), to simplify the end user experience (in a browser, users enter the WebEx site URL without having to remember whether it is http or https). However, for this product, the actual network traffic always flows over port 443 (SSL encrypted https). |
Protocol | Port | Source | Destination | Why It Is Needed |
---|---|---|---|---|
TCP | 443 | Any external clients | Public VIP (Eth1) of the Internet Reverse Proxy | External clients accessing the WebEx site URL using https. TCP connections are initiated from the external client machines to the Internet Reverse Proxy virtual machines. |
TCP | 80 | Any external clients | Public VIP (Eth1) of the Internet Reverse Proxy | External clients accessing the WebEx site URL using http. TCP connections are initiated from the external client machines to the Internet Reverse Proxy virtual machines. |
UDP | 53 | Real IP (Eth0) of the Internet Reverse Proxy | DNS server | This is needed if you have a firewall between the virtual machines and the DNS server, for your system to deploy and operate successfully. |
Port Access in the Internal Firewall
The following ports must be open when the Internet Reverse Proxy is in the DMZ network. If you have restrictions on connections from the internal network to the DMZ network, then the following table applies. Allow TCP connections outbound from the internal network to the DMZ network segment on the following ports.
Note |
No TCP connections need to be allowed from the DMZ segment into the internal network for this product to work properly. |
Note |
UDP port 10162 is the only port that is open inbound from the DMZ to the internal virtual machines. This port is required for monitoring of the Internet Reverse Proxy by the system. |
Protocol | Port | Source | Destination | Why It Is Needed |
---|---|---|---|---|
TCP | 64001 | All internal virtual machines (Eth0 IP) | Real IP (Eth0) of the Internet Reverse Proxy virtual machines | This is needed by the internal virtual machines for establishing reverse connections to the Internet Reverse Proxy. TCP connections are established from the internal virtual machines to the Internet Reverse Proxy virtual machines. |
TCP | 7001 | All internal virtual machines (Eth0 IP) | Real IP (Eth0) of the Internet Reverse Proxy virtual machines | This is needed by the internal virtual machines for establishing reverse connections to the Internet Reverse Proxy. TCP connections are initiated from the internal virtual machines to the Internet Reverse Proxy virtual machines. |
TCP | 64616 | Admin virtual machines (Eth0 IP) | Real IP (Eth0) of the Internet Reverse Proxy virtual machines | This is needed for bootstrapping the Internet Reverse Proxy. TCP connections are initiated from the Admin virtual machines to the Internet Reverse Proxy virtual machines. |
TCP | 873 | Admin virtual machines (Eth0 IP) | Real IP (Eth0) of the Internet Reverse Proxy virtual machines | This is needed to collect logs from the Internet Reverse Proxy. TCP connections are initiated from the Admin virtual machines to the Internet Reverse Proxy virtual machines. |
TCP | 22 | Any internal client machines | Real IP (Eth0) of the Internet Reverse Proxy virtual machines | This is needed for troubleshooting the Internet Reverse Proxy virtual machines using a Remote Support Account. |
TCP | 443 | Any internal client machines | Private VIP (Eth1) of the Admin virtual machines | Internal users accessing the WebEx site URL using https. TCP connections are established from the internal client machine to the Admin virtual machine. |
TCP | 80 | Any internal client machines | Private VIP (Eth1) of the Admin virtual machines | Internal users accessing the WebEx site URL using http. TCP connections are established from the internal client machine to the Admin virtual machine. |
TCP | 10200 | Any internal client machines | Real IP (Eth0) of the Admin virtual machines | This is needed for the initial system deployment. TCP connections are established from the internal client machines to the Admin virtual machines. |
UDP | 161 | Real IP (Eth0) of the Admin virtual machines | Real IP (Eth0) of the Internet Reverse Proxy | Needed to allow SNMP GET requests to be sent from the Admin virtual machines to the Internet Reverse Proxy virtual machines. The UDP connection is initiated from the Admin virtual machines to the Internet Reverse Proxy virtual machines. |
UDP | 10162 | Real IP (Eth0) of the Internet Reverse Proxy | Real IP (Eth0) of the Admin virtual machines | Needed to allow SNMP traps and information to be sent from the Internet Reverse Proxy virtual machines to the Admin virtual machines. The UDP connection is initiated inbound from the Internet Reverse Proxy to the Admin virtual machines. |
UDP | 53 | All internal virtual machines (Eth0 IP) | DNS server | This is needed if you have a firewall between the virtual machines and the DNS server, for your system to deploy and operate successfully. |
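The following Python script is an added example, not part of the Cisco guide. It audits a list of firewall allow rules against the rows of the table that cross the internal firewall, and flags any DMZ-to-internal rule other than UDP 10162. The zone labels, the rule tuple format and the sample rules are assumptions made for illustration.

```python
# Added example: zone labels, the rule tuple format and SAMPLE_RULES are
# assumptions for illustration, not a Cisco or firewall-vendor export format.

# (protocol, port, source zone, destination zone) for the table rows that
# cross the internal firewall between the internal network and the DMZ.
REQUIRED = {
    ("tcp", 64001, "internal_vms", "irp"),    # reverse connections
    ("tcp", 7001, "internal_vms", "irp"),     # reverse connections
    ("tcp", 64616, "admin_vms", "irp"),       # bootstrapping the proxy
    ("tcp", 873, "admin_vms", "irp"),         # log collection
    ("tcp", 22, "internal_clients", "irp"),   # Remote Support Account
    ("udp", 161, "admin_vms", "irp"),         # SNMP GET
    ("udp", 10162, "irp", "admin_vms"),       # SNMP traps (DMZ to internal)
}
DMZ_ZONES = {"irp"}
# Per the notes above, this is the only flow permitted from the DMZ inward.
ALLOWED_INBOUND = {("udp", 10162, "irp", "admin_vms")}

# Constructed sample: the log-collection rule (TCP 873) is absent and an
# extra DMZ-to-internal TCP rule is present.
SAMPLE_RULES = [
    ("TCP", 64001, "internal_vms", "irp"),
    ("TCP", 7001, "internal_vms", "irp"),
    ("TCP", 64616, "admin_vms", "irp"),
    ("TCP", 22, "internal_clients", "irp"),
    ("UDP", 161, "admin_vms", "irp"),
    ("UDP", 10162, "irp", "admin_vms"),
    ("TCP", 443, "irp", "admin_vms"),
]


def audit(rules):
    """Return (missing required flows, unexpected DMZ-to-internal flows)."""
    allowed = {(proto.lower(), int(port), src, dst)
               for proto, port, src, dst in rules}
    missing = sorted(REQUIRED - allowed)
    inbound = {r for r in allowed
               if r[2] in DMZ_ZONES and r[3] not in DMZ_ZONES}
    return missing, sorted(inbound - ALLOWED_INBOUND)


if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_RULES)
    for flow in missing:
        print("MISSING required allow rule:", flow)
    for flow in unexpected:
        print("UNEXPECTED DMZ-to-internal rule:", flow)
```
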
VMware vCenter Ports
These ports are only used for communication between the ESXi host and vCenter. If the ESXi host and vCenter are connected to a separate management network, you may not need to open these ports through the firewall.
- UDP/TCP Port 902 in both directions between vCenter and the ESXi hosts for vCenter management
- (Optional) TCP Port 22 from the vSphere client to the ESXi hosts for SSH management
- TCP Port 443 from vCenter to the ESXi hosts for secure https management
- UDP Port 514 from the ESXi hosts for your system to the internal syslog
- TCP Port 5989 in both directions between vCenter and the ESXi hosts for XML management
Using NAT With Your System
Cisco supports Network Address Translation (NAT) traversal with this product for virtual machine IP addresses and for the virtual IP addresses (Public and Private VIPs) that are used in your system.
Note: For more information about NAT, see http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml.
The following schematic diagram illustrates a typical NAT traversal for a 50-user system without HA. By using NAT, you can reduce the number of public IP addresses required for the product to just one IP address, instead of two (or three if you deploy HA). You may also use similar NAT deployments as long as they meet the overall system requirements.
Note: The use of multiple NATs and firewalls tends to increase latency, affecting the quality of real-time traffic for users.
When you use multiple NAT domains, routing between them may be challenging. However, you may use NAT-ed IP addresses as long as the following requirements are met:
- All the virtual machines in the system may use NAT-ed IP addresses.
- The Internet Reverse Proxy virtual machine IP address must be reachable by the Admin virtual machine in the internal network.
- The public VIP address itself does not need to be publicly visible, but it must be translatable from the Internet.
- When deploying public access, the WebEx site URL must be mapped to an Internet-visible IP address. This Internet-visible IP address must be accessible by external users and also map to the public VIP address you configure during the system deployment. You may choose to make the public VIP address visible from the Internet. If you choose not to make it publicly visible, then it must be translatable from the Internet.
In the diagram, an external user accesses the WebEx site to join or host a meeting. Following a DNS lookup, the IP address for the WebEx site is the NAT public IP address (Eth0). This NAT public IP address is for the external NAT firewall router (Firewall and NAT router 1), between the external network and the DMZ network.
The firewall router receives this request from the external user, and internally routes the request to the NAT private IP address for the router (Eth1, exposed to the DMZ network). Eth1 then sends the request to the public VIP address (also a NAT IP address in the private networking segment for the WebEx site).
You may use NAT IP addresses for the public VIP address, and the Internet Reverse Proxy IP addresses. The only NAT public IP address is the Eth0 IP address for the NAT firewall router.
Note: To ensure this NAT firewall router (between the Internet and DMZ network) routes the incoming packet correctly, set port mapping configuration on the NAT device, or apply other similar mechanisms to ensure the packet is routed correctly to the public VIP address and the Internet Reverse Proxy.
There is usually a second internal NAT firewall router between the DMZ network and the internal network. Similar to the external NAT firewall router, Eth0 is a DMZ NAT private IP address and is an interface to the DMZ network. Eth1 is also a NAT private IP address that is an interface to the internal network.
You may use NAT IP addresses for the private VIP address and the Admin virtual machine IP addresses.
Forward Proxies
If your network topology includes forward proxies, they must meet specific requirements for the Internet Reverse Proxy to work properly. See "Use of Forward Proxies in Your System" in the Cisco WebEx Meetings Server Troubleshooting Guide for complete details.