Cisco Spark Network Requirements for Administrators
This article is intended for network administrators, particularly firewall and web security administrators. It will help you configure your network to support Cisco Spark.
Cisco Spark apps and endpoints initiate outbound connections. Cisco Collaboration Cloud never initiates any connections to the Cisco Spark apps. For more details on interaction between Cisco Spark and the network, please see the Cisco Spark Firewall whitepaper.
Types of Traffic
Cisco Spark apps and endpoints use two types of traffic:
HTTPS and WSS (secure websocket) traffic. This traffic is protected by TLS. All Cisco Spark features other than real-time media depend on this.
Real-time media (audio, video, and content sharing) traffic. This is primarily SRTP, but also includes STUN and other protocols necessary for media.
If there is a firewall, proxy, transparent proxy, or any other middle-box capable of filtering HTTPS traffic based on its content, see the list of URLs. Filtering HTTPS traffic by IP address is not supported as the IPs used are dynamic and may change at any time.
Cisco Spark Apps and Endpoints
The following table describes ports and protocols used by Cisco Spark apps and endpoints.
|Source IP||Destination IP||Destination Port||Protocol||Description||Devices using this rule|
|Your Networks||ANY||443||TLS||HTTPS and WSS for signaling and messaging. If using an HTTP proxy, instead of opening this port in your firewall, see the URLs table.||All|
|Your Networks||ANY||5004 (1)(2)||UDP||SRTP audio, video & content sharing media||All|
|Your Networks||ANY||5004 (1)||TCP||Fallback for audio and video if UDP is closed. Used for content sharing on desktop and mobile apps||All except Cisco Spark Board|
|Your Networks||ANY||123||NTP||Time Synchronization||Cisco Spark Board (3)|
(1): Media flows in both directions using a symmetric, inside-initiated, 5-tuple UDP or TCP stream outbound to Cisco Collaboration Cloud.
(2): Usage of UDP port 33434 is deprecated, but for backward compatibility Cisco Spark will still probe and use this port if 5004 is not open.
(3): The latest software releases use DHCP for time synchronization. Older software releases still need NTP on port 123.
Cisco Spark Call
|Source IP||Destination IP||Destination Port||Protocol||Description||Devices using this rule|
|Your Networks||ANY||123||UDP||NTP time synchronization||Desk Phones (8800 and 7800 series)|
|Your Networks||ANY||3478||UDP||Audio, Video||Desk Phones (8800 and 7800 series)|
|Your Networks||ANY||24000-29999, 36000-59999||UDP||SRTP audio & video media||Desk Phones (8800 and 7800 series)|
|Your Networks||ANY||5061||TLS||SIP signaling||Desk Phones (8800 and 7800 series)|
|Your Networks||ANY||8443||TLS||Signaling||Desk Phones (8800 and 7800 series)|
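An added example, not part of the original article: a Python sketch that checks dropped flows in a firewall log against the two port tables above and reports which required Cisco Spark traffic is being blocked. The log format, the addresses and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Outbound rules from the two port tables above (TLS rows as tcp, NTP as udp).
RULES = [
    ("tcp", 443, 443, "HTTPS/WSS signaling and messaging"),
    ("udp", 5004, 5004, "SRTP media"),
    ("tcp", 5004, 5004, "media fallback over TCP"),
    ("udp", 33434, 33434, "deprecated media port"),
    ("udp", 123, 123, "NTP time synchronization"),
    ("udp", 3478, 3478, "desk phone audio and video"),
    ("udp", 24000, 29999, "desk phone SRTP media"),
    ("udp", 36000, 59999, "desk phone SRTP media"),
    ("tcp", 5061, 5061, "desk phone SIP signaling"),
    ("tcp", 8443, 8443, "desk phone signaling"),
]

# Hypothetical log format: "<action> <direction> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\w+) (\w+) (\w+) \S+:\d+ -> \S+:(\d+)$")

def required_use(proto, port):
    """Return what the tables use this destination port for, or None."""
    for rule_proto, low, high, use in RULES:
        if proto == rule_proto and low <= port <= high:
            return use
    return None

def audit_drops(log_lines):
    """Count dropped inside-initiated flows per required use; all other lines are ignored."""
    affected = Counter()
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        action, direction, proto, dport = m.groups()
        use = required_use(proto.lower(), int(dport))
        if action == "DROP" and direction == "OUT" and use:
            affected[use] += 1
    return affected

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    "DROP OUT udp 10.0.0.5:50112 -> 203.0.113.7:5004",
    "DROP OUT udp 10.0.0.5:50113 -> 203.0.113.7:33434",
    "ALLOW OUT tcp 10.0.0.5:50114 -> 203.0.113.7:5004",
    "DROP OUT udp 10.0.0.9:40000 -> 198.51.100.4:30000",
    "DROP IN udp 203.0.113.7:5004 -> 10.0.0.5:50112",
    "DROP OUT udp 10.0.0.9:40001 -> 198.51.100.4:36000",
]
```

In the sample, UDP 5004 and 33434 are both dropped while TCP 5004 passes, which per the table leaves media on the TCP fallback. The drop to port 30000 is not counted because it falls in the gap between the two desk phone media ranges.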
Hybrid Media Node
The Cisco Spark Hybrid Media Node provides a destination for media traffic on your network. Instead of all media going to Cisco Collaboration Cloud, it can remain on your network, for reduced Internet bandwidth usage and increased media quality. It requires the ports and protocols listed in the Hybrid Media Service Deployment Guide to be permitted in your firewall rules.
The following table describes the URLs that are used by Cisco Spark. If you use an HTTP/HTTPS proxy, ensure these URLs can be accessed. For details on how Cisco Spark handles data sent to those URLs, see the Cisco Spark Security and Privacy whitepaper.
|URL||Description||Devices using this URL|
|*.adobedtm.com||Marketing & analytics||Cisco Spark Web app|
|*.appsflyer.com||Marketing campaign information||iOS, Android apps|
|*.ciscospark.com||Cisco Spark services||All|
|*.clouddrive.com||E2E-encrypted files uploaded to Cisco Spark spaces||All|
|*.crashlytics.com||Diagnostic & troubleshooting data||All|
|*.docker.io||Hybrid Services Containers||Hybrid Services|
|*.clients3.google.com/generate_204||Captive portal detection||Room Devices (DX, MX, SX, and Room Kit)|
|gds.huron-dev.com||Global Discovery Service - onboarding||Room Devices (DX, MX, SX, and Room Kit), Cisco Spark Board|
|*.huron-dev.com||Cisco Spark Call services||Desk Phones (8800 & 7800 series)|
|*.omtrdc.net||Marketing & usage telemetry||Cisco Spark Web app|
|*.optimizely.com||A/B testing & metrics||Cisco Spark Web app|
|*.webex.com||Authentication and WebEx integration||All|
|*.wbx2.com||Cisco Spark services||All|
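An added example, not part of the original article: a Python sketch that matches denied proxy requests against the URL table above, so that required Cisco Spark destinations blocked by the proxy stand out. It matches wildcards on a label boundary, so a look-alike such as `evilwebex.com` is not treated as `*.webex.com`. The "ACTION URL" log format, the sample hostnames and the treatment of the bare apex domain are assumptions.

```python
from urllib.parse import urlsplit

# Entries copied from the URL table above.
ALLOWED = [
    "*.adobedtm.com", "*.appsflyer.com", "*.ciscospark.com", "*.clouddrive.com",
    "*.crashlytics.com", "*.docker.io", "*.clients3.google.com/generate_204",
    "gds.huron-dev.com", "*.huron-dev.com", "*.omtrdc.net", "*.optimizely.com",
    "*.webex.com", "*.wbx2.com",
]

def host_matches(pattern, host):
    """Compare a hostname with one table entry, wildcard or exact."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".webex.com": the leading dot forces a label boundary
        # Assumption: "*.webex.com" does not cover the bare apex "webex.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_allowed(url):
    """True if the URL's host (and path, where the entry has one) is in the table."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for entry in ALLOWED:
        pattern, sep, path = entry.partition("/")
        if host_matches(pattern, host) and (not sep or parts.path == "/" + path):
            return True
    return False

def wrongly_denied(log_lines):
    """Return URLs the proxy denied although the table says they must pass."""
    hits = []
    for line in log_lines:
        action, url = line.split(maxsplit=1)
        if action == "DENIED" and is_allowed(url.strip()):
            hits.append(url.strip())
    return hits

# Constructed proxy log lines in a hypothetical "ACTION URL" format.
SAMPLE_LOG = [
    "DENIED https://host1.webex.com/login",
    "DENIED https://evilwebex.com/login",
    "ALLOWED https://host2.ciscospark.com/v1/rooms",
    "DENIED http://www.clients3.google.com/generate_204",
    "DENIED https://www.clients3.google.com/search",
    "DENIED https://webex.com.example.net/",
]
```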
HTTP Proxy Support
When Cisco Spark is running on a macOS or Windows operating system, it automatically uses the configured proxy. Other platforms do not currently support proxies.
|Product||Authentication||Auto Discovery||PAC Support|
|Cisco Spark for Mac||None||OS provided||OS provided|
|Cisco Spark for Windows||None, Negotiate, NTLM||OS provided||OS provided|
|Cisco Spark for iOS||N/A||N/A||N/A|
|Cisco Spark for Android||N/A||N/A||N/A|
|Room Devices (SX, DX, MX, and Room Kit series)||N/A||N/A||N/A|
|Cisco Spark Board||N/A||N/A||N/A|
|Cisco Spark Call Phones (8800 and 7800 series)||N/A||N/A||N/A|
|Hybrid Media Node||N/A||N/A||N/A|
HTTPS Inspection and Certificate Pinning
Cisco Spark validates the certificates of the systems it communicates with. It does this by ensuring that the certificates presented when establishing a TLS session can be validated against the list of trusted root CAs installed in the operating system of the device. Cisco Spark also ensures that the certificate is not issued by a known malicious or compromised CA.
If you have deployed a TLS-inspecting device, ensure that the certificate it presents has a trust chain allowing successful validation on devices running the Cisco Spark app. This requires installing a CA certificate into the operating system of the device.
The following table lists support for custom trusted root CAs installed in the operating system, as described above.
|Product||Supports Custom Trusted CAs||Notes|
|Cisco Spark for iOS||No|
|Cisco Spark for Android||No|
|Cisco Spark for Mac||Yes|
|Cisco Spark for Windows||Yes|
|Room Devices (SX, DX, MX, and Room Kit series)||Yes||Requires support ticket*|
|Cisco Spark Board||No|
|Cisco Spark Call Phones (8800 and 7800 series)||No|
|Hybrid Media Node||No|
*In order for Cisco Spark Room devices and Cisco Spark Board to obtain the CA certificate necessary to validate communication through your TLS-inspecting proxy, please contact your CSM or open a case with the Cisco TAC.
|Greater than 2 Mbps||Good|
|Less than 2 Mbps but greater than 100 Kbps||Fair|
|Less than 100 Kbps||Poor|
The bandwidth levels apply to all Cisco Spark services. They are based specifically on video bandwidth requirements, for example, a video call through the Cisco Spark app, a supported phone, or a room system.
Note: These bandwidth levels are not required for audio-only calls, but we recommend that you use the video bandwidth requirements as a guideline.
Bandwidth Information for Phone Calls
Audio Bandwidth for Phones
Based on the codecs being used by the service, we recommend that you allot 80 Kbps bandwidth for each audio-only desk phone or endpoint. For example, for one connection, allot 80 Kbps for audio. For ten simultaneous connections, allot 800 Kbps.
Video Bandwidth for Phones
The 8800 series desk phones determine video quality. These phones find the highest bandwidth level they can maintain, and they move this level up or down as needed. The bandwidth can range from 64 Kbps up to 2.5 Mbps.
We recommend that you allot at least 2 Mbps of bandwidth for each video device (for video and audio streams). For example, for one connection, allot 2 Mbps for video and audio. For ten simultaneous connections, allot 20 Mbps.
An Example of Total Bandwidth Requirements for Each Phone
A call within your customer's organization between two on-site users is considered two simultaneous connections.
For audio-only phones such as the 78xx series, we recommend that you allot 80 Kbps per phone. For an audio call between two users on one site, 160 Kbps per call (two connections) is required.
For video endpoints such as the 88xx series, we recommend that you allow 2 Mbps per video endpoint. For a video call between two users on one site, 4 Mbps per call (two connections) is required.
Caution: If bandwidth minimums are not met, users may experience degraded media quality and dropped calls.
For example, in a trial in which two video endpoints and three audio endpoints are deployed, the trial setup requires a minimum of 4.24 Mbps. Here is how that bandwidth requirement is calculated:
Video—2 Mbps x 2
Audio—80 Kbps x 3
Total—4 Mbps + 240 Kbps = 4.24 Mbps
Bandwidth Information for Cisco Spark Board
Cisco Spark Board uses the following minimum bandwidth for resolution/frame rate:
720p30 from 768 Kbps
1080p30 from 1.72 Mbps
For multipoint calls, up to 4.3 Mbps transmit and 10 Mbps receive is required.
Bandwidth Information for Cisco Spark Room Devices
Depending on the model, a room device can use up to 3 or 6 Mbps up and down, if available. In all cases, the system can use the minimum bandwidth level, as low as 64 Kbps, if the network is constrained.
|Model or Series||Bandwidth Up and Down||Video and Content Quality|
|SX10 and DX80||Up to 3 Mbps||720p30 for main video, 1080p5 for content|
|SX20, SX80, MX series, Room Kit & Room Kit Plus||Up to 6 Mbps||1080p30 for main video and content|
For point-to-point calls, the room device sends 1080p30 if 2.2 Mbps is allocated. For multipoint calls, 3 Mbps is required to send 1080p30.