Managing Webex for BroadWorks

Provision Customer Organizations

In the current model, we automatically provision the customer organization when you onboard the first user through any of the methods described in this document. Provisioning happens only once for each customer.

Provision Users

You can provision users in these ways:

  • Use APIs

  • Assign Integrated IM&P (flowthrough provisioning)

Public Provisioning APIs

Cisco Webex will expose a set of public APIs to allow Service Providers to integrate Webex for BroadWorks subscriber provisioning into their existing provisioning workflows. As with all public APIs, we’ll make available the specification for these APIs on to entitled developers. If you wish to develop with these APIs, contact your Cisco representative to gain access.

Flowthrough Provisioning

On BroadWorks, you can provision users with the Enable Integrated IM&P option. This action causes the BroadWorks provisioning adapter to make an API call to provision the user on Cisco Webex. Our provisioning API is backwards-compatible with the UC-One SaaS API. BroadWorks AS requires no code change, only a configuration change to the API endpoint for the provisioning adapter.

Subscriber provisioning on Cisco Webex can take considerable (several minutes for the initial user within an enterprise). Webex performs the provisioning as a background task. So, success on flowthrough provisioning indicates that the provisioning has started. It doesn't indicate completion.

To confirm that users and the customer organization are fully provisioned on Cisco Webex, you must sign in to Partner Hub and look in your Customers list.

For more information, see User Provisioning and Activation Flows.

Add / Edit / Delete Users

You can add, edit, or delete users as follows:


Assign the Integrated IM&P service in BroadWorks to add the users.


Modify the user package with the provisioning API to edit the users.

You currently can't modify a user package in Control Hub. Use different templates, and different provisioning URLs, to apply different packages to different Enterprises or Groups.


To remove the Webex license of a user, unassign the Integrated IM&P service in BroadWorks.

User ID and Email Address Changes

Email ID and Alternate ID are the BroadWorks user attributes used with Webex for BroadWorks. The BroadWorks User ID is still the primary identifier of the user in BroadWorks. The following table describes the purposes of these different attributes, and what to do if you need to change them:

Attribute in BroadWorks Corresponding Attribute in Webex Purpose Notes
BroadWorks User ID None Primary identifier You cannot change this identifier and still link the user to the same account in Webex. You can delete the user and recreate if it’s wrong.
Email ID User ID Mandatory for flow-through provisioning (creating Webex User ID) when you assert that you trust email

There is a manual process to change this in both places if provisioned with wrong email:

  1. Change user’s email address in Control Hub

  2. Change Email ID attribute in BroadWorks

Do not change the BroadWorks user id. This is not yet supported.

Alternate ID None Enables authn of user, by email and password, against BroadWorks User ID Should be the same as the Email ID. If You cannot put the email in the Alternate ID attribute, users will have to enter their BroadWorks User ID when authenticating.

Reconfigure the System

You can reconfigure the system as follows:

  • Add a BroadWorks Cluster in Partner Hub—

  • Edit or Delete a BroadWorks Cluster in Partner Hub

  • Add a Customer Template in Partner Hub—

  • Edit or Delete a Customer Template in Partner Hub

Edit or Delete a BroadWorks Cluster in Partner Hub

You can edit or remove a BroadWorks cluster in Partner Hub.


Sign in to Partner Hub with your partner admin credentials at


Go to Settings and find the BroadWorks Calling section.


Click View Clusters.


Click the cluster that you want to edit or delete.

The cluster details display in a flyout pane on the right.

You have these options:

  • Change any details you need to change, and then click Save.
  • Click Delete to remove the cluster, then confirm.


    If a template is associated with the cluster, you can’t delete a cluster. Delete the associated templates before you delete the cluster. See Edit or Delete a Customer Template in Partner Hub.

The cluster list updates with your changes.

Edit or Delete a Customer Template in Partner Hub

You can edit or delete customer templates in Partner Hub.


Sign in to Partner Hub with your partner admin credentials at


Go to Settings and find the BroadWorks Calling section.


Click View Templates.


Click the template that you want to edit or delete.


You have these options:

  • Edit any details that you need to change, and then click Save.
  • Click Delete to remove the template, then confirm.




Provisioning account name / password

User-supplied strings

You do not need to re-enter the provisioning account details when editing a template. The empty password/password confirm fields are there to change the credentials if you need to, but leave them empty to keep the values you originally supplied.

Prefill user email address in login page


It can take up to 7 hours for a change in this setting to take effect. That is, after you enable it, users may still need to enter their email addresses at the login screen.

The cluster list updates with your changes.

Increasing Capacity

XSP Farms

We recommend you use the capacity planner to determine how many additional XSP resources you need for the proposed increase in subscriber numbers. For either of the dedicated NPS or dedicated Webex for BroadWorks farms, you have the following scalability options:

  • Scale dedicated farm: Add one or more XSP servers to the farm that needs extra capacity. Install and activate the same set of applications and configurations as the farm’s existing nodes.

  • Add dedicated farm: Add a new, dedicated XSP farm. You’ll need to create a new cluster and new templates in Partner Hub, so you can start adding new customers on the new farm, to relieve pressure on existing farm.

  • Add specialized farm: If you are experiencing bottlenecks for a particular service, you may want to create a separate XSP farm for that purpose, taking into consideration the co-residency requirements listed in this document. You may need to reconfigure your Control Hub clusters and DNS entries if you change the URL of the service that has a new farm.

In all cases, the monitoring and resourcing of your BroadWorks environment is your responsibility. Should you wish to engage Cisco assistance, you can contact your account representative, who can arrange professional services.

Managing HTTP Server Certificates

You must manage these certificates for mTLS authenticated web applications on your XSPs:

  • Our chain of trust certificate from Cisco Webex cloud

  • Your XSP’s HTTP server interfaces’ certificates

Chain of Trust

You download the chain of trust certificate from Control Hub and install it on your XSPs during your initial configuration. We expect to update the certificate before it expires, and notify you of how and when to change it.

Your HTTP Server Interfaces

The XSP must present a publicly signed server certificate to Webex, as described in Order Certificates. A self-signed certificate is generated for the interface when you first secure the interface. This certificate is valid for one year from that date. You must replace the self-signed certificate with a publicly signed certificate. It’s your responsibility to request a new certificate before it expires.

Troubleshooting Webex for BroadWorks

Subscribe to the Webex Status Page

First check when you experience an unexpected interruption of service. If you haven't changed your configuration in Control Hub or BroadWorks before the interruption, check the status page. Read more about subscribing for status and incident notifications at Webex Help Center.

Use Control Hub Analytics

Webex tracks usage and quality data for your organization and your customer’s organizations. Read more about the Control Hub Analytics on Webex Help Center.

Network Issues

Customers or users are not being created in Control Hub with flowthrough provisioning:

  • Can the application server reach the provisioning URL?

  • Are the provisioning account and password correct, does that account exist in BroadWorks?

Clusters are consistently failing connectivity tests:

The mTLS connection to authentication service is expected to fail when you create the first cluster in Partner Hub, because you need to create the cluster to get access to the Webex certificate chain. Without that, you cannot create a trust anchor on the authentication service XSPs, so the test mTLS connection from Partner Hub is not successful.

  • Are the XSP interfaces publicly accessible?

  • Are you using the correct ports? You can enter a port in the interface definition on the cluster.

Interfaces Failing Validation

Xsi-Actions and Xsi-Events Interfaces:

  • Check that the interface URLs are correctly entered on the cluster in Partner Hub, including the /v2.0/ at the end of the URLs.
  • Check the firewall allows communication between Webex and these interfaces.

  • Review the interface configuration advice in this document.

Authentication Service Interface:

  • Check that the interface URLs are correctly entered on the cluster in Partner Hub, including the /v2.0/ at the end of the URLs.
  • Check the firewall allows communication between Webex and these interfaces.

  • Review the interface configuration advice in this document, with particular attention to:

    1. Make sure you shared RSA keys across all XSPs.
    2. Make sure you provided AuthService URL to the web container on all XSPs.
    3. If you edited the TLS cipher configuration, check that you used the correct naming convention. The XSP requires that you enter the IANA name format for the TLS ciphers. An earlier version of this document incorrectly listed the required cipher suites in the OpenSSL naming convention.

Client Issues

Verify the Client is Connected to BroadWorks

  1. Sign in to Webex Teams.

  2. Check that the Calling Options icon (a handset with a gear above it) is present on the sidebar.

    If the icon is not present, the user may not yet be enabled for the calling service in Control Hub.

  3. Open the Settings/Preferences menu and go to the Phone Services section. You should see the status SSO Session You're signed in.

    If a different phone service, such as Webex Calling, is shown, the user is not using Webex for BroadWorks.

This verification means:

  • The client has successfully transveresed the required Webex microservices.

  • The user has successfully authenticated.

  • The client has been issued a long-lived JSON web token by your BroadWorks system.

  • The client has retrieved its device profile and has registered to BroadWorks.

Client Logs

All Webex Teams clients can Send Logs to Webex. This is the best option for mobile clients. You should also record the user email address and approximate time the issue occurred if you are seeking assistance from TAC. For more information, see Where Do I Find Support for Cisco Webex Teams?

If you need to manually collect logs from a Windows PC, they are located as follows:

Windows PC: C:\Users\{username}\AppData\Local\CiscoSpark

Mac: /Users/{username}/Library/Logs/SparkMacDesktop

User Sign-In Issues

mTLS Auth Misconfigured

If all users are affected, check the mTLS connection from Webex to your Authentication Service URL:

  • Check that either the authentication service application, or the interface it uses, are configured for mTLS.

  • Check that the Webex certificate chain is installed as a trust anchor.

  • Check that the server certificate on the interface/application is valid, and signed by a well-known CA.

Known BroadWorks Misconfigurations

chainDepth too low

  • Conditions: You followed the procedure to copy the certificate chain to the XSP, and used it to create a trust anchor for validating Cisco Webex client connections. The XSP is running R21 SP1.

  • Symptom: In R21, XSP_CLI/Interface/HttpClientAuthentication/Trusts> get does not show all of the certificates that are expected in the issuer chain.

  • Cause: In R21 there is a chainDepth parameter which, if set too low, will prevent the whole certificate issuer chain from being added to the trust anchor.

  • Fix: /XSP_CLI/Interface/Http?ClientAuthentication> set chainDepth 3

    At the time of writing, the Webex client certificate chain has 2 intermediate issuers. Do not set this parameter below 2, especially if it is already higher. In the case that chainDepth is not below 2, these symptoms could indicate a corrupt chain file.


Steady State Support Policy

The Service Provider is the first point of contact for the end customer (enterprise) support. Escalate issues that the SP can't resolve to TAC. BroadWorks server version support follows the BroadSoft policy of the current version and two previous major versions (N-2). Read more at

Escalation Policy

  • You (Service Provider/ Partner) are the first point of contact for end customer (enterprise) support.

  • Issues that cannot be resolved by the SP are escalated to TAC.

BroadWorks Versions

Self-Support Resources

  • Users can find support through the Webex Help Center, where there is a Webex for BroadWorks-specific page listing common Teams help and support topics.

  • Teams can be customized with this help URL and a problem report URL.

  • Teams users can send feedback or logs directly from the client. The logs go to the Webex cloud, where they can be analyzed by Cisco Webex DevOps.

  • We also have a Help Center page dedicated to administrator-level help for Webex for BroadWorks.

Collect Information for Submitting a Service Request

When you see errors in Control Hub, they might have attached information that can help TAC to investigate your problem. For example, if you see a tracking ID for a particular error, or an error code, save the text to share with us.

Try to include at least the following information when you’re submitting a query or opening a case:

  • Customer Organization ID and Partner Organization ID (each ID is a string of 32 hex digits, separated by hyphens)

  • TrackingID (also a 32 hex digit string) if the interface or error message provides one

  • User email address (if a particular user is experiencing issues)

  • Client versions (if the issue has symptoms noticed through the client)