Here is a list of the addresses, ports, and protocols used for connecting your phones, the Webex App, and gateways to Cisco Webex Calling. This article is for network administrators, particularly firewall and proxy security administrators who use Webex Calling services within their organization.
A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and local gateway because Webex Calling is a global service. We recommend that you leave all the ports listed in the table open.
Not all firewall configurations need ports to be open but if you're running inside-to-outside rules, you must open ports to allow the protocols required for service out. There are no must open inbound ports on the firewall, if you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device
If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices. |
For details on network requirements for Webex Meetings and Messaging, see Network Requirements for Webex Services.
Webex Calling Traffic Through Firewall
Most customers deploy an internet firewall, or internet proxy and firewall, to restrict and control the HTTP-based traffic that leaves and enters their network. The Webex Calling endpoints don’t support https proxy, except for soft clients, which support the following proxy environments and the corresponding authentication methods:
-
Manual Proxy Configuration
-
No Authentication
-
Basic
-
NTLM
-
Negotiate
-
-
WPAD Proxy Configuration
-
No authentication
-
Basic
-
-
PAC Proxy Configuration
-
No Authentication
-
Basic
-
NTLM
-
Negotiate
-
Follow the firewall guidance to enable access to Webex Calling services from your network.
Firewall Configuration
If your firewall supports URL filtering, configure the firewall to allow the Webex Calling destination URLs listed. See the Domains and URLs for Webex Calling Services table for details.
If you’re using a firewall that doesn’t support URL/domain filtering, then configure the firewall to filter traffic using IP address ranges and ports as listed in the IP Addresses and Ports for Webex Calling Services.
IP Addresses and Ports for Webex Calling Services
The following table describes ports and protocols that must be opened on your firewall to allow cloud registered Webex apps, and devices to communicate with Webex Calling cloud signalling and media services.
IP Subnets for Webex Calling Services |
||
---|---|---|
23.89.1.128/25 |
23.89.33.0/24 |
23.89.40.0/25 |
23.89.76.128/25 |
23.89.154.0/25 |
85.119.56.0/23 |
128.177.14.0/24 |
128.177.36.0/24 |
135.84.168.0/21 |
139.177.64.0/21 |
139.177.72.0/23 |
170.72.29.0/24 |
170.72.242.0/24 |
150.253.209.128/25 |
170.72.0.128/25 |
170.72.17.128/25 |
170.72.82.0/25 |
185.115.196.0/22 |
199.19.196.0/23 |
199.19.199.0/24 |
199.59.64.0/21 |
Connection purpose |
Source addresses |
Source ports |
Protocol |
Destination addresses |
Destination ports |
Notes |
---|---|---|---|---|---|---|
Call signaling to Webex Calling (SIP TLS) |
Local Gateway external (NIC) | 8000-65535 |
TCP |
Refer to IP Subnets for Webex Calling Services. |
5062, 8934 |
These IPs/ports are needed for outbound SIP-TLS call signaling from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
Devices |
5060-5080 |
|||||
Applications |
Ephemeral (OS dependent) |
|||||
Call media to Webex Calling (STUN, SRTP) |
Local Gateway external NIC |
8000-48198† |
UDP |
Refer to IP Subnets for Webex Calling Services. |
5004, 19560-65535 |
These IPs/ports are needed for outbound SRTP call media from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
Devices |
19560-19660 |
|||||
Applications |
Ephemeral |
|||||
Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
Call media to PSTN gateway (SRTP) | Local Gateway internal NIC |
8000-48198† |
UDP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
Call signaling to publicly addressed endpoints (SIP TLS) |
Refer to IP Subnets for Webex Calling Services. |
Ephemeral |
TCP |
Endpoint IP |
8934 |
These IPs/ports are needed for inbound SIP-TLS call signaling from Webex Calling Cloud (Source) to publicly addressed end points (Destination). |
Device configuration and firmware management (Cisco devices) |
Webex Calling devices |
Ephemeral |
TCP |
3.20.185.219 3.130.87.169 3.134.166.179 |
443,6970 |
*These IPs belong to cloudupgrader.webex.com. You must enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information. |
170.72.231.0 170.72.231.10 170.72.231.161 |
443 |
*These IPs belong to activation.webex.com. These IPs are required for secure onboarding of devices (MPP and Room or Desk phones) using the 16-digit activation code (GDS). Firmware upgrade |
||||
72.163.10.96/27 72.163.15.64/26 72.163.15.128/26 72.163.24.0/23 173.36.127.0/26 173.36.127.128/26 173.37.26.0/23 173.37.149.96/27 192.133.220.0/26 192.133.220.64/26 |
443 |
These IPs belong to activate.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with newer firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall. |
||||
72.163.10.128/25 173.37.146.128/25 |
443 |
These IPs belong to webapps.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with older firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall. |
||||
Refer to IP Subnets for Webex Calling Services. |
443 |
These IPs are needed for Device configuration and firmware management for Webex Calling. |
||||
Device time synchronization (NTP) |
Webex Calling devices |
51494 |
UDP |
Refer to IP Subnets for Webex Calling Services. |
123 |
These IP addresses are needed for Time Synchronization for Devices (MPP phones, ATAs, and SPA ATAs) |
Device name resolution |
Webex Calling devices |
Ephemeral |
UDP and TCP |
Host-defined |
53 |
|
Application configuration |
Webex Calling applications |
Ephemeral |
TCP |
62.109.192.0/18 64.68.96.0/19 150.253.128.0/17 207.182.160.0/19 |
443 |
These IPs belong to Webex Idbroker Authentication Services and used by clients, i.e. Webex Applications. |
Refer to IP Subnets for Webex Calling Services. |
443, 8443 |
These IPs belong to Webex Calling application configuration services and used by clients, i.e.Webex Applications. |
||||
Application time synchronization |
Webex Calling applications |
123 |
UDP |
Host-defined |
123 |
|
Application name resolution |
Webex Calling applications |
Ephemeral |
UDP and TCP |
Host-defined |
53 |
|
Webex Calling applications |
Ephemeral |
UDP and TCP |
Refer to IP Subnets for Webex Calling Services. |
8934 and 443, 19569-19760 |
These IPs are used by CScan services that are used by clients, i.e.Webex Applications. Go to cscan.webex.com for more information. |
|
Webex Features# |
Webex Calling Devices |
Ephemeral |
TCP |
|
443 |
These IP addresses and domains are used by Webex Calling Devices to interface with Webex Cloud Services such as Directory, Call History and Meetings. |
† CUBE media port range is configurable with rtp-port range.
*These IP addresses/ranges are not owned by Cisco and are subject to change periodically. If you are using a firewall, we recommend allowing the urls listed.
# To enable complete operation of Webex Aware services, ensure that you allow access to these urls:
-
*.webex.com
-
*wbx2.com
-
*.ciscospark.com
Domains and URLs for Webex Calling Services
Domain / URL |
Description |
Webex apps and devices using these domains / URLs |
---|---|---|
Cisco Webex Services |
||
*.broadcloudpbx.com |
Webex authorization microservices for cross-launch from Control Hub to Calling Admin Portal. |
Control Hub |
*.broadcloud.com.au |
Webex Calling services in Australia. |
All |
*.broadcloud.eu |
Webex Calling services in Europe. |
All |
*.broadcloudpbx.net |
Calling client configuration and management services. |
Webex Apps |
*.cisco.com |
When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com and phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com for provisioning. |
MPP Phones, Control Hub |
*.ucmgmt.cisco.com |
Webex Calling services |
Control Hub |
*.webex.com |
Webex Core Services for Calling, Meeting, and Messaging like Authentication, etc. |
All |
*.wbx2.com and *.ciscospark.com |
Webex micro-services, like Software upgrade service. |
All |
*.binaries.webex.com |
Cisco MPP Firmware uses this as the host URL for upgrades in all regions. |
Cisco MPP Firmware upgrade |
Additional Webex-Related Services (Third-Party Domains) |
||
*.appdynamics.com *.eum-appdynamics.com |
Performance tracking, error and crash capture, session metrics. |
Control Hub |
*.huron-dev.com |
Webex Calling micro services like toggle services, phone number ordering, and assignment services. |
Control Hub |
*.sipflash.com |
Device management services (mostly for US). |
Webex Apps |
*.walkme.com *.walkmeusercontent.com |
Webex user guidance client. Provides onboarding and usage tours for new users. For more information about WalkMe, click here. |
Webex Apps |
If your network firewall supports domain allow lists for http(s) traffic, like *.webex.com, it is highly recommended to allow all of these domains.
Webex Meetings/Messaging - Network Requirements
The MPP devices now onboard to the Webex Cloud for services like Call History, Directory Search and Meetings. The network requirements for these Webex services can be found in Network Requirements for Webex Services. These requirements also apply when deploying Webex Video Devices.
Document Revision History
Date |
We've made the following changes to this article |
---|---|
November 15, 2022 |
We’ve added the following IP addresses for device configuration and firmware management (Cisco devices):
We’ve removed the following IP addresses from device configuration and firmware management (Cisco devices):
|
November 14, 2022 |
Added the IP subnet 170.72.242.0/24 for Webex Calling service. |
September 08, 2022 |
The Cisco MPP Firmware will transition to use https://binaries.webex.com as the host URL for MPP firmware upgrades in all regions. This change improves firmware upgrade performance. |
August 30, 2022 |
Removed reference to Port 80 from Device configuration and firmware management (Cisco devices), Application configuration and CScan rows in the Port table as there’s no dependency. |
August 18, 2022 |
No change in the solution. Updated the destination ports 5062 (required for Certificate-based trunk), 8934 (required for Registration-based trunk) for Call signaling to Webex Calling (SIP TLS). |
July 26, 2022 |
Added the 54.68.1.225 IP Address, which is required for firmware upgrade of Cisco 840/860 devices. |
July 21, 2022 |
Updated the destination ports 5062, 8934 for Call signaling to Webex Calling (SIP TLS). |
July 14, 2022 |
Added the URLs that support complete function of Webex Aware services. Added the IP subnet 23.89.154.0/25 for Webex Calling service. |
June 27, 2022 |
Updated the Domain and URLs for Webex Calling services: *.broadcloudpbx.com *.broadcloud.com.au *.broadcloud.eu *.broadcloudpbx.net |
June 15, 2022 |
Added the following ports and protocols under IP Addresses and Ports for Webex Calling Services:
Updated information in Webex Meetings/Messaging - Network Requirements section |
May 24, 2022 |
Added the IP subnet 52.26.82.54/24 to 52.26.82.54/32 for Webex Calling service |
May 6, 2022 |
Added the IP subnet 52.26.82.54/24 for Webex Calling service |
April 7, 2022 |
Updated the Local Gateway internal and external UDP port range to 8000-48198† |
April 5, 2022 |
Added the following IP subnets for Webex Calling service:
|
March 29, 2022 |
Added the following IP subnets for Webex Calling service:
|
September 20, 2021 |
Added 4 new IP subnets for Webex Calling service:
|
April 2, 2021 |
Added *.ciscospark.com under Domains and URLs for Webex Calling Services to support Webex Calling use cases in Webex app. |
March 25, 2021 |
Added 6 new IP ranges for activate.cisco.com, which will come in effect starting May 8, 2021.
|
March 4, 2021 |
Replaced Webex Calling discrete IPs and smaller IP ranges with simplified ranges in a separate table for ease of understanding for firewall configuration. |
February 26, 2021 |
Added 5004 as destination port for Call media to Webex Calling (STUN, SRTP) to support Interactive Connectivity Establishment (ICE) that will be available in Webex Calling in April 2021. |
February 22, 2021 |
Domains and URLs are now listed within a separate table. IP Addresses and Ports table are adjusted to group IP addresses for the same services. Notes column is added to the IP Addresses and Ports table to understand the requirements. The following IP addresses were moved to simplified ranges for device configuration and firmware management (Cisco devices):
The following IP addresses are added for Application Configuration because Cisco Webex client is being pointed to a newer DNS SRV in Australia in March 2021.
|
January 21, 2021 |
We’ve added the following IP addresses to device configuration and firmware management (Cisco devices):
We’ve removed the following IP addresses from device configuration and firmware management (Cisco devices):
We’ve added the following IP addresses to the application configuration:
We’ve removed the following IP addresses from the application configuration:
We’ve removed the following port numbers from the application configuration:
We’ve added the following domains to the application configuration:
|
December 23, 2020 |
Added new Application Configuration IP addresses to the port reference images. |
December 22, 2020 |
Updated the Application Configuration row in the tables to include the following IP addresses: 135.84.171.154 and 135.84.172.154. Hid the network diagrams until these IP addresses can be added there as well. |
December 11, 2020 |
Updated the Device configuration and firmware management (Cisco devices) and the Application configuration rows for the supported Canadian domains. |
October 16, 2020 |
Updated the call signaling and media entries with the following IP addresses:
|
September 23, 2020 |
Under CScan, replaced 199.59.64.156 with 199.59.64.197. |
August 14, 2020 |
Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 |
August 12, 2020 |
Added more IP addresses to support the introduction of data centers in Canada:
|
July 22, 2020 |
Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146 |
June 9, 2020 |
We made the following changes to the CScan entry:
|
March 11, 2020 |
We added the following domain and IP addresses to application configuration:
We updated the following domains with additional IP addresses to device configuration and firmware management:
|
February 27, 2020 |
We added the following domain and ports to device configuration and firmware management: cloudupgrader.webex.com—443, 6970 |