Port Reference Information for Cisco Webex Calling

A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and local gateway because Webex Calling is a global service. We recommend that you leave all the ports listed in the table open.

Not all firewall configurations need ports to be open but if you're running inside-to-outside rules, you must open ports to allow the protocols required for service out. There are no must open inbound ports on the firewall, if you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device

If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices.

For details on network requirements for Webex Meetings and Messaging, see Network Requirements for Webex Services.

Webex Calling Traffic Through Firewall

Most customers deploy an internet firewall, or internet proxy and firewall, to restrict and control the HTTP-based traffic that leaves and enters their network. The Webex Calling endpoints don’t support https proxy, except for soft clients, which support the following proxy environments and the corresponding authentication methods:

Manual Proxy Configuration
- No Authentication
- Basic
- NTLM
- Negotiate
WPAD Proxy Configuration
- No authentication
- Basic
PAC Proxy Configuration
- No Authentication
- Basic
- NTLM
- Negotiate

Follow the firewall guidance to enable access to Webex Calling services from your network.

Firewall Configuration

If your firewall supports URL filtering, configure the firewall to allow the Webex Calling destination URLs listed. See the Domains and URLs for Webex Calling Services table for details.

If you’re using a firewall that doesn’t support URL/domain filtering, then configure the firewall to filter traffic using IP address ranges and ports as listed in the IP Addresses and Ports for Webex Calling Services.

IP Addresses and Ports for Webex Calling Services

The following table describes ports and protocols that must be opened on your firewall to allow cloud registered Webex apps, and devices to communicate with Webex Calling cloud signalling and media services.


IP Subnets for Webex Calling Services

23.89.1.128/25	23.89.33.0/24	23.89.40.0/25
23.89.76.128/25	23.89.154.0/25	85.119.56.0/23
128.177.14.0/24	128.177.36.0/24	135.84.168.0/21
139.177.64.0/21	139.177.72.0/23	170.72.29.0/24
170.72.242.0/24	150.253.209.128/25	170.72.0.128/25
170.72.17.128/25	170.72.82.0/25	185.115.196.0/22
199.19.196.0/23	199.19.199.0/24	199.59.64.0/21


Connection purpose	Source addresses	Source ports	Protocol	Destination addresses	Destination ports	Notes
Call signaling to Webex Calling (SIP TLS)	Local Gateway external (NIC)	8000-65535	TCP	Refer to IP Subnets for Webex Calling Services.	5062, 8934	These IPs/ports are needed for outbound SIP-TLS call signaling from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination).
	Devices	5060-5080
	Applications	Ephemeral (OS dependent)
Call media to Webex Calling (STUN, SRTP)	Local Gateway external NIC	8000-48198^†	UDP	Refer to IP Subnets for Webex Calling Services.	5004, 19560-65535	These IPs/ports are needed for outbound SRTP call media from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination).
	Devices	19560-19660
	Applications	Ephemeral
Call signaling to PSTN gateway (SIP TLS)	Local Gateway internal NIC	8000-65535	TCP	Your ITSP PSTN GW or Unified CM	Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM)
Call media to PSTN gateway (SRTP)	Local Gateway internal NIC	8000-48198^†	UDP	Your ITSP PSTN GW or Unified CM	Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM)
Call signaling to publicly addressed endpoints (SIP TLS)	Refer to IP Subnets for Webex Calling Services.	Ephemeral	TCP	Endpoint IP	8934	These IPs/ports are needed for inbound SIP-TLS call signaling from Webex Calling Cloud (Source) to publicly addressed end points (Destination).
Device configuration and firmware management (Cisco devices)	Webex Calling devices	Ephemeral	TCP	3.20.185.219 3.130.87.169 3.134.166.179	443,6970	*These IPs belong to cloudupgrader.webex.com. You must enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information.
				170.72.231.0 170.72.231.10 170.72.231.161	443	*These IPs belong to activation.webex.com. These IPs are required for secure onboarding of devices (MPP and Room or Desk phones) using the 16-digit activation code (GDS). Firmware upgrade
				72.163.10.96/27 72.163.15.64/26 72.163.15.128/26 72.163.24.0/23 173.36.127.0/26 173.36.127.128/26 173.37.26.0/23 173.37.149.96/27 192.133.220.0/26 192.133.220.64/26	443	These IPs belong to activate.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with newer firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall.
				72.163.10.128/25 173.37.146.128/25	443	These IPs belong to webapps.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with older firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall.
				Refer to IP Subnets for Webex Calling Services.	443	These IPs are needed for Device configuration and firmware management for Webex Calling.
Device time synchronization (NTP)	Webex Calling devices	51494	UDP	Refer to IP Subnets for Webex Calling Services.	123	These IP addresses are needed for Time Synchronization for Devices (MPP phones, ATAs, and SPA ATAs)
Device name resolution	Webex Calling devices	Ephemeral	UDP and TCP	Host-defined	53
Application configuration	Webex Calling applications	Ephemeral	TCP	62.109.192.0/18 64.68.96.0/19 150.253.128.0/17 207.182.160.0/19	443	These IPs belong to Webex Idbroker Authentication Services and used by clients, i.e. Webex Applications.
Application configuration	Webex Calling applications	Ephemeral	TCP	Refer to IP Subnets for Webex Calling Services.	443, 8443	These IPs belong to Webex Calling application configuration services and used by clients, i.e.Webex Applications.
Application time synchronization	Webex Calling applications	123	UDP	Host-defined	123
Application name resolution	Webex Calling applications	Ephemeral	UDP and TCP	Host-defined	53
CScan	Webex Calling applications	Ephemeral	UDP and TCP	Refer to IP Subnets for Webex Calling Services.	8934 and 443, 19569-19760	These IPs are used by CScan services that are used by clients, i.e.Webex Applications. Go to cscan.webex.com for more information.
Webex Features^#	Webex Calling Devices	Ephemeral	TCP	.wbx2.com .ciscospark.com .webexapis.com .webex.com .cisco.com .webexcontent.com	443	These IP addresses and domains are used by Webex Calling Devices to interface with Webex Cloud Services such as Directory, Call History and Meetings.

† CUBE media port range is configurable with rtp-port range.

*These IP addresses/ranges are not owned by Cisco and are subject to change periodically. If you are using a firewall, we recommend allowing the urls listed.

# To enable complete operation of Webex Aware services, ensure that you allow access to these urls:

*.webex.com
*wbx2.com
*.ciscospark.com

Domains and URLs for Webex Calling Services


Domain / URL	Description	Webex apps and devices using these domains / URLs
Cisco Webex Services
*.broadcloudpbx.com	Webex authorization microservices for cross-launch from Control Hub to Calling Admin Portal.	Control Hub
*.broadcloud.com.au	Webex Calling services in Australia.	All
*.broadcloud.eu	Webex Calling services in Europe.	All
*.broadcloudpbx.net	Calling client configuration and management services.	Webex Apps
*.cisco.com	When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com and phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com for provisioning.	MPP Phones, Control Hub
*.ucmgmt.cisco.com	Webex Calling services	Control Hub
*.webex.com	Webex Core Services for Calling, Meeting, and Messaging like Authentication, etc.	All
.wbx2.com and .ciscospark.com	Webex micro-services, like Software upgrade service.	All
*.binaries.webex.com	Cisco MPP Firmware uses this as the host URL for upgrades in all regions.	Cisco MPP Firmware upgrade
Additional Webex-Related Services (Third-Party Domains)
.appdynamics.com .eum-appdynamics.com	Performance tracking, error and crash capture, session metrics.	Control Hub
*.huron-dev.com	Webex Calling micro services like toggle services, phone number ordering, and assignment services.	Control Hub
*.sipflash.com	Device management services (mostly for US).	Webex Apps
.walkme.com .walkmeusercontent.com	Webex user guidance client. Provides onboarding and usage tours for new users. For more information about WalkMe, click here.	Webex Apps

If your network firewall supports domain allow lists for http(s) traffic, like *.webex.com, it is highly recommended to allow all of these domains.

Webex Meetings/Messaging - Network Requirements

The MPP devices now onboard to the Webex Cloud for services like Call History, Directory Search and Meetings. The network requirements for these Webex services can be found in Network Requirements for Webex Services. These requirements also apply when deploying Webex Video Devices.

Document Revision History


Date	We've made the following changes to this article
November 15, 2022	We’ve added the following IP addresses for device configuration and firmware management (Cisco devices): 170.72.231.0 170.72.231.10 170.72.231.161 We’ve removed the following IP addresses from device configuration and firmware management (Cisco devices): 3.20.118.133 3.20.228.133 3.23.144.213 3.130.125.44 3.132.162.62 3.140.117.199 18.232.241.58 35.168.211.203 50.16.236.139 52.45.157.48 54.145.130.71 54.156.13.25 52.26.82.54 54.68.1.225
November 14, 2022	Added the IP subnet 170.72.242.0/24 for Webex Calling service.
September 08, 2022	The Cisco MPP Firmware will transition to use https://binaries.webex.com as the host URL for MPP firmware upgrades in all regions. This change improves firmware upgrade performance.
August 30, 2022	Removed reference to Port 80 from Device configuration and firmware management (Cisco devices), Application configuration and CScan rows in the Port table as there’s no dependency.
August 18, 2022	No change in the solution. Updated the destination ports 5062 (required for Certificate-based trunk), 8934 (required for Registration-based trunk) for Call signaling to Webex Calling (SIP TLS).
July 26, 2022	Added the 54.68.1.225 IP Address, which is required for firmware upgrade of Cisco 840/860 devices.
July 21, 2022	Updated the destination ports 5062, 8934 for Call signaling to Webex Calling (SIP TLS).
July 14, 2022	Added the URLs that support complete function of Webex Aware services. Added the IP subnet 23.89.154.0/25 for Webex Calling service.
June 27, 2022	Updated the Domain and URLs for Webex Calling services: .broadcloudpbx.com .broadcloud.com.au .broadcloud.eu .broadcloudpbx.net
June 15, 2022	Added the following ports and protocols under IP Addresses and Ports for Webex Calling Services: Connection purpose: Webex Features Source addresses: Webex Calling Devices Source ports: Ephemeral Protocol: TCP Destination addresses: Refer to IP Subnets and Domains that are defined in Webex Meetings/Messaging - Network Requirements. Destination ports: 443 Notes: These IP addresses and domains are used by Webex Calling Devices to interface with Webex Cloud Services such as Directory, Call History and Meetings. Updated information in Webex Meetings/Messaging - Network Requirements section
May 24, 2022	Added the IP subnet 52.26.82.54/24 to 52.26.82.54/32 for Webex Calling service
May 6, 2022	Added the IP subnet 52.26.82.54/24 for Webex Calling service
April 7, 2022	Updated the Local Gateway internal and external UDP port range to 8000-48198^†
April 5, 2022	Added the following IP subnets for Webex Calling service: 23.89.40.0/25 23.89.1.128/25
March 29, 2022	Added the following IP subnets for Webex Calling service: 23.89.33.0/24 150.253.209.128/25
September 20, 2021	Added 4 new IP subnets for Webex Calling service: 23.89.76.128/25 170.72.29.0/24 170.72.17.128/25 170.72.0.128/25
April 2, 2021	Added .ciscospark.com under Domains and URLs for Webex Calling Services* to support Webex Calling use cases in Webex app.
March 25, 2021	Added 6 new IP ranges for activate.cisco.com, which will come in effect starting May 8, 2021. 72.163.15.64/26 72.163.15.128/26 173.36.127.0/26 173.36.127.128/26 192.133.220.0/26 192.133.220.64/26
March 4, 2021	Replaced Webex Calling discrete IPs and smaller IP ranges with simplified ranges in a separate table for ease of understanding for firewall configuration.
February 26, 2021	Added 5004 as destination port for Call media to Webex Calling (STUN, SRTP) to support Interactive Connectivity Establishment (ICE) that will be available in Webex Calling in April 2021.
February 22, 2021	Domains and URLs are now listed within a separate table. IP Addresses and Ports table are adjusted to group IP addresses for the same services. Notes column is added to the IP Addresses and Ports table to understand the requirements. The following IP addresses were moved to simplified ranges for device configuration and firmware management (Cisco devices): activate.cisco.com 72.163.10.125 -> 72.163.10.96/27 173.37.149.125 -> 173.37.149.96/27 webapps.cisco.com 173.37.146.134 -> 173.37.146.128/25 72.163.10.134 -> 72.163.10.128/25 The following IP addresses are added for Application Configuration because Cisco Webex client is being pointed to a newer DNS SRV in Australia in March 2021. 199.59.64.237 199.59.67.237
January 21, 2021	We’ve added the following IP addresses to device configuration and firmware management (Cisco devices): 3.134.166.179 50.16.236.139 54.145.130.71 72.163.10.125 72.163.24.0/23 173.37.26.0/23 173.37.146.134 We’ve removed the following IP addresses from device configuration and firmware management (Cisco devices): 35.172.26.181 52.86.172.220 52.203.31.41 We’ve added the following IP addresses to the application configuration: 62.109.192.0/19 64.68.96.0/19 207.182.160.0/19 150.253.128.0/17 We’ve removed the following IP addresses from the application configuration: 64.68.99.6 64.68.100.6 We’ve removed the following port numbers from the application configuration: 1081, 2208, 5222, 5280-5281, 52644-52645 We’ve added the following domains to the application configuration: idbroker-b-us.webex.com idbroker-eu.webex.com ty6-wxt-jp.bcld.webex.com os1-wxt-jp.bcld.webex.com
December 23, 2020	Added new Application Configuration IP addresses to the port reference images.
December 22, 2020	Updated the Application Configuration row in the tables to include the following IP addresses: 135.84.171.154 and 135.84.172.154. Hid the network diagrams until these IP addresses can be added there as well.
December 11, 2020	Updated the Device configuration and firmware management (Cisco devices) and the Application configuration rows for the supported Canadian domains.
October 16, 2020	Updated the call signaling and media entries with the following IP addresses: 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24
September 23, 2020	Under CScan, replaced 199.59.64.156 with 199.59.64.197.
August 14, 2020	Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24
August 12, 2020	Added more IP addresses to support the introduction of data centers in Canada: Call media to Webex Calling (SRTP)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 Call signaling to publicly addressed endpoints (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24. Device configuration and firmware management (Cisco devices)—135.84.173.155,135.84.174.155 Device time synchronization—135.84.173.152, 135.84.174.152 Application configuration—135.84.173.154,135.84.174.154
July 22, 2020	Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146
June 9, 2020	We made the following changes to the CScan entry: Corrected one of the IP addresses—changed 199.59.67.156 to 199.59.64.156. New features require new ports and UDP—19560-19760
March 11, 2020	We added the following domain and IP addresses to application configuration: jp.bcld.webex.com—135.84.169.150 client-jp.bcld.webex.com idbroker.webex.com—64.68.99.6, 64.68.100.6 We updated the following domains with additional IP addresses to device configuration and firmware management: cisco.webexcalling.eu—85.119.56.198, 85.119.57.198 webapps.cisco.com—72.163.10.134 activation.webex.com—35.172.26.181, 52.86.172.220 cloudupgrader.webex.com—3.130.87.169, 3.20.185.219
February 27, 2020	We added the following domain and ports to device configuration and firmware management: cloudupgrader.webex.com—443, 6970