Cisco WebEx Meetings Server-Internal IRP vs Split Horizon

Hi,
We are planning to install CWMS 1.1 but are not able to decide between the two topologies below:
a. Internal Internet Reverse Proxy with all virtual machines, including the IRP, in the same internal network (i.e. no IRP in the DMZ).
b. Split Horizon with the IRP in the DMZ network.
I would prefer option a (all VMs in the internal network) as it needs fewer changes on the firewall (allow ports 80 & 443 from external to internal), but I am not sure how risky it is, as we will be allowing all external internet traffic directly to the internal IRP on ports 80 & 443. Will we be compromising on security if we go with this option?
Please suggest which option is recommended. I have gone through the pros & cons mentioned in the CWMS planning guide 1.1.
Thanks
KMS

Srdjan, KMS,
Apologies to jump in, but I am also doing a 50 port installation. I am leaning towards the internal topology as well, as it appears to be less complex and best performing.
Srdjan,
+5 for the info. Can you please confirm if the below applies to 50 port systems as well? Do we need to have a minimum of two boxes to install the split-horizon topology?
"On another hand for that deployment you need 2 HW box's."
I was under the impression we can patch the physical CWMS server onto a DMZ switch and can do the split-horizon topology with only one hardware box. Can you please confirm if that's possible at all?
I tried to raise a request with PDI and was rejected, as PDI at the moment is not supporting this product.
I have the same queries - let me know if you want me to open a separate thread.
1) How much of a security risk does doing an internal IRP involve?
2) Is there any additional Cisco device we can recommend to the customer to add an extra layer of security to the solution?
3) We have only one hardware box - what would be the best design in that scenario? (50 port installation)
Terry

Similar Messages

  • Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

    With Arun Kumar
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
    SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
    IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
    Example question topics include:
    SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
    Basic configuration of IdPs
    Interaction between IdPs and Cisco WMS
    Difference between the cloud client implementation and Cisco WMS
    Meeting access behavior in a split-horizon network topology with SSO
    How to enable public access to Cisco WMS
    Cisco WMS ELM operations
    Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
    Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
    Remember to use the rating system to let Arun know if you have received an adequate response.
    Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Mobile Service,
    CWMS and Jabber integrations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
    In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
    then move to section: Add Cisco WebEx Meetings Server to a Profile
    Once done, move to section: Specify Conferencing Credentials in the Client side. You will see the above server already listed there; just go ahead and enter your username and password (please make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
    Attached CWMS - AFDS integration doc.
    Please let me know if there is any further question.
    Thanks, Arun

  • Cisco WebEx Meetings Server Enterprise License Manager

    Multi-facetted question for anyone who can answer:
    1)  Can Cisco WebEx Meetings Server(CWMS) use an off box Enterprise License Manager (ELM)
    2)  Can non-CWMS UC Applications utilize the embedded ELM that comes with CWMS in lieu of the scenario in the above question
    3)  If neither scenario 1 or 2 have "yes" answers, is there a roadmap in place for this to happen?
    Thanks in advance!


  • Is it possible to import Tracking Codes with Cisco WebEx Meetings Server 2.5?

    Is it possible to import Tracking Codes with Cisco WebEx Meetings Server 2.5?

    Hi,
    In documentation, you can find only what is possible and supported in the product. We don't document what is not supported. 
    At this time, there is no feature request submitted for this as I assume no one requested such a feature. If your customer really needs this feature, I advise you to reach out to your/their Cisco Account Manager, explain the feature you would like to see, so they can reach out to Product Management and see if this could be built in the next product version.
    I hope this helps.
    -Dejan

  • Cisco WebEx Meetings Server (CWMS) NFR? More than 180 day Demo?

    Everyone,
    I know about the Trial license 180 days for CWMS but for our demo use I would like to get a NFR so we can install onsite without having to worry about licencing every 180 days.
    I don't think I saw CWMS in our UC 9.0 NFR Kit - so any help would be great.
    Thanks,
    Brian Wyland

    Hi Brian,
    CWMS is still not part of NFR kit, if you have valid UCSS you can get via PUT tool or get in touch with your Cisco AM and they will be able to help you.
    HTH
    Arun

  • Webex Meetings Server emails w/Exchange 2010

    Can someone tell me the correct format for entering the email address in Webex Meetings Server for sending notification emails?  I can get them working internally with Exchange 2010 but they seem to come from [email protected]  Does this mean I need to setup a mailbox for a user called admin?  How is it configured with authentication enabled? 
    I've tried the username as -
    webex
    [email protected]
    myinternaldomain.local\webex - this doesn't work as the '\' character doesn't get saved when you apply this config
    There is an AD user called webex configured with a mailbox on Exchange 2010.
    I've got no visibility of the Exchange side, but any advice I can pass on would be much appreciated.  Apparently, with email authentication off I can only send emails to internal domains that AD is authoritative for, but this is obviously no use for Webex conferencing.
    Thanks in advance,
    Jason

    Our account is set up as ourdomain.webex.com. This gets us to the sign in page. We use Zimbra so our e-mail is set up that when we start a meeting or schedule a meeting, an e-mail is sent to the host that they can forward to the people they wish to attend(it has all the needed meeting info in it). It usually doesn't send an invite directly unless you use  the 'invite others' window once the meeting has started.
    When I set up my webex account on our server I used my email and a password (not AD) That is what I use to sign in on the server to start a meeting.
    Hope that helps.
    Mike

  • Cisco Webex Meeting Server v2.5 Certificate Type

    Dear Team,
    We have installed Cisco Webex Meeting Server v2.5 and we need to buy a public CA.
    I have created the CSR file (using SAN) and sent it to the CA vendor, but they asked me about the certificate type.
    Cisco or Tomcat or what?
    I have searched in the Admin and Planning guides but I didn't find the answer.
    Appreciate your answer.
    BR,
    HS

    Hi HS,
    Apache/Tomcat cert is what you need.
    Kind regards,
    -Dejan

  • VCenter is a must for webex meetings server ?

    Hi all,
    Is vCenter a must for WebEx Meetings Server?
    If I do not have vCenter, is it possible to deploy it?
    thanks.

    Correct, vCenter is required. No way around it afaik.
    Please rate useful posts.

  • WebEx Meeting Server 1.5 - Call drop after entering meeting number and #

    Hi everyone,
    Just installed a new CWMS server version 1.5... all features seem to work EXCEPT when I use the call in function, I type in the meeting number, hit # and the call is terminated.
    I read through this document:
    http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/b_troubleshootingGuide/b_troubleshootingGuide_chapter_01000.pdf
    From the document:
    Call-In Issues
    • Problem Users hear a reorder tone before or after the complete number is dialed.
    • Problem The "Your call cannot be completed as dialed" message is played by the annunciator.
    • Problem During call-back, a user's call terminates after pressing 1 to join the meeting.
    • Problem During call-in, a user's call terminates after entering the meeting ID followed by #.
    Possible Cause You need to reconfigure your CUCM servers.
    Solution Reconfigure your CUCM settings as follows: Use the "<NONE>" partition and "<NONE>" CSS
    (Calling Search Space) for all Cisco WebEx Meetings Server related entities in CUCM (for example, route
    patterns, SIP route patterns, SIP trunks, etc.).
    Solution Use one partition and one CSS specifically assigned for all Cisco WebEx Meetings Server related
    entities. For more information refer to the system guide for your CUCM version.
    I configured my route pattern to use <NONE> and all other option as <NONE> and still the call is terminated.
    I created a css_webex CSS and put in pt_internal and assigned that and I still get terminated.
    Am I missing something here?

    Personally, I never really use the null partition but before we go there.  You have a couple different route patterns.  The first is an inbound call pattern(s) that are going to be standard route patterns (i.e. numeric) and you'll have some outbound PSTN patterns for the actual outdialing that CWMS does.  You then have some SIP route patterns that can either be defined as IP or FQDN for each media server.  After you connect and then want to join a meeting, those SIP route patterns are used to redirect you to the appropriate server where a meeting is hosted.  For those patterns, are you using IP or FQDN and what partition are they in?  If you are using FQDN then you may need to change to IP depending on your DNS configuration on CUCM.
    Hailey

  • Convert Cisco WebEx .WRF and .ARF files for Mac OSX to .WMV

    Since the Cisco WebEx Recording Editor doesn't appear to support Mac OSX, is there a way to convert Cisco WebEx recordings, .WRF and .ARF files, to .WMV or .SWF for a Mac OSX users?

    Hi Ben,
    Here is a copy/paste from the Arcsoft site:
    What is a PHB file?
    Question
    What is a PHB file?
    Answer
    PHB files are proprietary album files used by some of our programs, namely PhotoBase. Albums do not store your images. They serve as links to files stored on your computer or removable drive. If you delete the original file, the thumbnail in the album basically becomes a dead link. For example, if you have files on a floppy disk and create an album, you'll always need to have that floppy in the drive whenever you want to view the full images. Likewise, if you have a digital camera that is read as a removable drive, you would need to have it connected if you create the album directly from the camera. The best thing to do is copy all of your images into a folder on your computer, then create the album referencing those files. Albums are useful because they let you preview and organize files on your system in a convenient fashion. It is also from albums that slide shows are made with some of our programs.

  • Split-horizon DNS server

    Hi,
    is it possible to use novell-named on OES 2 Linux to create split-horizon DNS server? Something like this: Two-in-one DNS server with BIND9 | HowtoForge - Linux Howtos and Tutorials. What I want to achieve is "to resolve to internal IPs when you are inside and external IPs when you are outside".
    We have some services (web applications, Groupwise messenger etc.) which can be accessed from the LAN using private addresses and which are also visible from the public network (Internet).
    Currently we have Netware 6.5 with DNS Proxy binded to internal address and some hostnames bound to internal IP addresses inside hosts file (and therefore resolved by DNS Proxy with private addresses for LAN clients) and named bound to public IP and serving DNS requests from public network. But we'd like to migrate everything from Netware to OES 2 Linux.
    Any help is much appreciated!
    Bruno

    Originally Posted by joharmon
    Just found this:
    Is Views for DNS Supported or Possible on NetWare or OES?
    Bad news but thanks for your answer!
    Bruno

  • FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]

    Hi Cisco People
    I'm using FreeRadius 2 and a Cisco 2600 Terminal server to coordinate access to Cisco routers based on time ranges.
    Basically we are an education/training environment where we have some students accessing the routers and switches for practise. Terminal servers are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into a few groups. We want to implement a policy on the radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter).
    +--------+        +------------------+        +-----------+
    |  User  |--------|   Cisco 2600     |--------|  Network  |
    |        |        |  Terminal Serv   |        |  Devices  |
    +--------+        +------------------+        +-----------+
                             (NAS)
                               |
                               |
                      +------------------+
                      |    FreeRadius    |
                      +------------------+
    Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15"
    clients.conf
    ==============
    client 192.168.1.1 {
      secret = SECRET_KEY
      shortname = termserver
      nastype = cisco
    }
    A typical transaction would be :
    Access-Request
    =======
            NAS-IP-Address = 192.168.1.1
            NAS-Port = 35
            NAS-Port-Type = Async
            User-Name = "cisco"
            Calling-Station-Id = "1.1.1.1"
            User-Password = "cisco"
    Access-Accept
    =======
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
    This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be :
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15",
      Session-Timeout = 20
    Cisco Terminal Server
    ==============
    aaa new-model
    aaa authentication login default group radius local none
    aaa authorization exec default group radius if-authenticated 
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting connection default start-stop group radius
    After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attributes like the following :
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
            Session-Timeout = 20
    But the problem is that it doesn't really terminate the session after the 20 seconds are reached. My questions are:
    1. Is the terminal server really able to enforce such time limit after receiving the attribute ?
    2. Is the 2600 terminal server  with [IOS 12.1(3)T] compliant with RFC 2865?
    3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached ?
    Thanks
    Frank

    Frank,
    I think you should use the login time as well:
    Login-Time
    Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
    The following line will grant Alice access only between 08:00 and 18:00 each day.
    "alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
    The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
    http://www.packtpub.com/article/getting-started-with-freeradius
    http://wiki.freeradius.org/config/Users
    yes, the terminal server is RFC 2865 compliant.
    Rate if Useful :)
    Sharing knowledge makes you Immortal.
    Regards,
    Ed
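The reply above describes the mechanism in two steps: Login-Time is a check item ('Al0800-1800' style) that decides whether the request is accepted at all, and the remaining time in the permitted window becomes the Session-Timeout reply attribute that the NAS is expected to enforce. The block below is an added example, written for this thread and not taken from FreeRADIUS or from either poster; it re-implements those documented semantics in plain Python (day codes Mo..Su, Wk, Al, comma-separated windows) and then encodes the resulting Session-Timeout, together with the Service-Type and Cisco-AVPair attributes shown in Frank's Access-Accept, as RFC 2865 attribute TLVs and decodes them back. The sample timestamps are constructed; the function names are this example's own.

```python
"""Login-Time evaluation and Session-Timeout reply attribute (added example).

Illustrative re-implementation of the FreeRADIUS Login-Time semantics and of
the RFC 2865 attribute encoding for the reply; not rlm_logintime and not any
FreeRADIUS source code.
"""
import struct
from datetime import datetime, timedelta

# Day codes accepted in Login-Time: Mo..Su, Wk (Mon-Fri), Al (every day).
_DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7)),
}


def parse_login_time(spec):
    """Parse 'Wk0800-1800,Sa0900-1200' into [(weekdays, start_min, end_min)]."""
    windows = []
    for entry in spec.split(","):
        entry = entry.strip()
        days, i = set(), 0
        # Day codes may be concatenated, e.g. 'MoTuWe0800-1800'.
        while i + 2 <= len(entry) and entry[i:i + 2] in _DAY_CODES:
            days |= _DAY_CODES[entry[i:i + 2]]
            i += 2
        if not days:
            days = set(range(7))  # no day prefix means every day
        start, end = entry[i:].split("-")
        if len(start) != 4 or len(end) != 4:
            raise ValueError("time range must be HHMM-HHMM: %r" % entry)
        to_min = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[2:])
        windows.append((days, to_min(start), to_min(end)))
    return windows


def session_timeout(spec, now):
    """Seconds left in the permitted window containing `now`, or 0 when the
    login falls outside every window (the request would be rejected).
    `now` may be a datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    minute_of_day = now.hour * 60 + now.minute
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    for days, start, end in parse_login_time(spec):
        if now.weekday() in days and start <= minute_of_day < end:
            window_end = midnight + timedelta(minutes=end)  # handles 2400 too
            return int((window_end - now).total_seconds())
    return 0


# RFC 2865 attribute numbers used in the Access-Accept shown in the thread.
SERVICE_TYPE, VENDOR_SPECIFIC, SESSION_TIMEOUT = 6, 26, 27
NAS_PROMPT_USER = 7            # Service-Type value
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def _avp(attr_type, value):
    """One attribute TLV: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accept_attributes(timeout_seconds, priv_level=15):
    """Attributes granting NAS-Prompt-User, a privilege level and a Session-Timeout."""
    avpair = ("shell:priv-lvl=%d" % priv_level).encode()
    vsa_value = struct.pack("!I", CISCO_VENDOR_ID) + _avp(CISCO_AVPAIR, avpair)
    return (_avp(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
            + _avp(VENDOR_SPECIFIC, vsa_value)
            + _avp(SESSION_TIMEOUT, struct.pack("!I", timeout_seconds)))


def decode_attributes(data):
    """Walk the TLV list back into {attr_type: raw value bytes}, rejecting bad lengths."""
    out, i = {}, 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out[t] = data[i + 2:i + ln]
        i += ln
    return out


def accept_summary(timeout_seconds):
    """Build, decode and summarise an Access-Accept's attributes (round-trip check)."""
    attrs = decode_attributes(build_accept_attributes(timeout_seconds))
    vendor_id = struct.unpack("!I", attrs[VENDOR_SPECIFIC][:4])[0]
    avpair = attrs[VENDOR_SPECIFIC][6:].decode()
    return {
        "service_type": struct.unpack("!I", attrs[SERVICE_TYPE])[0],
        "vendor_id": vendor_id,
        "avpair": avpair,
        "session_timeout": struct.unpack("!I", attrs[SESSION_TIMEOUT])[0],
    }


if __name__ == "__main__":
    # Constructed sample: login allowed 08:00-18:00 daily, request at 17:59:40 on a Monday.
    left = session_timeout("Al0800-1800", "2013-05-13T17:59:40")
    print("Session-Timeout =", left)          # 20, the value seen in Frank's test
    print(accept_summary(left))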

  • Cisco ASA - Web Server Publishing

    My requirement is I need to publish 2 Web Servers to internet behind Cisco ASA.
    The users will be using secure https access to the Web Server.
    I have only 1 Public IP Address assigned to access both the Web Servers.
    Wanted to know what are the things required in the Cisco ASA firewall.
    1. What type of licenses?
    2. What type of certificates?
    3. How can I use a single Public IP to access both the Web servers? Does the Cisco ASA support this?
    I don't want any client software on the end users' PC.....

    Thanks. I do have 2 Public IP addresses for my 2 servers. That is clear.
    I thought you said you just have 1 Public IP in your first post. Anyway, if you do have 2 Public IPs, one for each server, then use Static NAT instead of PAT. Use the same commands but without the port information.
    Prior 8.3:
    static (inside,outside) public_ip1 web_server1 
    static (inside,outside) public_ip2 web_server2
    8.3 or later:
    object network web_server1_real
    host web_server1
    nat (inside,outside) static public_ip1
    object network web_server2_real
    host web_server2
    nat (inside,outside) static public_ip2
    Because Application1 will be published to the web server and the web server will be published to internet, the web server is the one to be published through ASA. I am not sure how you use Application1 and how you will publish it to the web server internally so this is out of the scope of my help.
    About Application2's security, the question is, how do you want to achieve security for App2? We have several types of security. Having the ASA in front of Application2, using NAT and using ACLs, will achieve Access Control. However, if you want to achieve data encryption between internet clients and App2, then you have to consider PKI (or certificates) to achieve this. You can also consider IPsec remote access VPN for the App2 server. It all depends on which security flavor you like.
    Regards,
    AM

  • E8350 - Issues with MS Communicator 2007R2, MS Outlook 2007, and Cisco Webex

    While connecting to work using the E8350 router over VPN (Cisco AnyConnect 3.0.0), MS Communicator 2007 R2 fades from green to white, meaning a lost connection, and MS Outlook 2007 and Cisco Webex shut down for no reason. I have to reboot the laptop to fix the issue. Looking in the event viewer log, I have the following error messages:
    Session "Communicator" failed to start with the following error 0xC0000022
    and
    Unable to resolve the DNS hostname of the login server  [email protected]
    I was hoping the move from the WRT1900AC to the E8350 would solve it but I guess not. I'm back on my EA6400 router for work purposes. Need to wait for a firmware fix I hope.

    I recommend using a LRT214\224 as your main router and the WRT1900AC with OpenWRT McWRT v1.0.5 in a LAN to LAN configuration. This would be more of a bullet proof setup IMO.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Cisco Webex Connect Jabber 7.2.2 History Missing

    Running Cisco Webex Connect 7.2.2 on W7 x64.
    Anyone run into chat history missing or only showing 1 day of chat when you know that you should have weeks and weeks with certain persons? Default is 9999 days. Had someone ask me to start CWC as administrator and set it to some other value, like 9998 days. Worked for a while and then resurfaced. Other peers are having the same issue, so I know it is not specific to my machine. Even got a new machine recently with the same OS and CWC, and the problem has surfaced on this new machine too.
    I saw that the chat is stored in a db3 file. I do find a couple of those on my machine but am not sure if the client is buggy or the file truly is missing the chats. Would need a dBase III browser to find out more.
    Is there a more current release than CWC 7.2.2 that might have bug fixes in it that relate to chat history being toast?
    Would love to hear from others in here including Cisco support.

    Joe,
    I normally do not monitor this side of the community, but I am an active contributor of the Unified Computing Forum, and somehow I happened to come across your post, so I wanted to take a minute and ask you if you have tried to open a case directly with the team that supports Webex?
    http://www.cisco.com/en/US/prod/ps10352/webex_technical_support.html   <<< Look for "Sign in to contact support." on the right
    I hope that helps.
    -Kenny
