Jul 13, 2021

Network Requirements for Webex Services

This article is intended for network administrators, particularly firewall and proxy security administrators who want to use Webex messaging and meetings services within their organization. It will help you configure your network to support the Webex Services used by the HTTPS-based Webex app and Webex Room devices, as well as Cisco IP Phones, Cisco video devices, and third-party devices that use SIP to connect to the Webex Meetings service.
This document primarily focuses on the network requirements of Webex cloud registered products that use HTTPS signaling to Webex cloud services, but also separately describes the network requirements of products that use SIP signaling to join Webex Meetings. These differences are summarized below:

Webex cloud registered apps and devices

All cloud registered Webex apps and devices use HTTPS to communicate with Webex messaging and meetings services:

  • Cloud registered Webex Room devices use HTTPS signaling for all Webex services.
  • On-premises SIP registered Webex devices can also use HTTPS signaling if the Webex Edge for devices feature is enabled. This feature allows Webex devices to be administered via Webex Control Hub and to participate in Webex Meetings using HTTPS signaling (for details see https://help.webex.com/en-us/cy2l2z/Webex-Edge-for-Devices).
  • The Webex App uses HTTPS signaling for Webex messaging and meeting services. The Webex app can also use the SIP protocol to join Webex meetings, but only when the user is either called via their SIP address or chooses to dial a SIP URL to join a meeting (rather than using the meeting functionality native to the Webex app).
Webex cloud and on-premises call control registered devices using SIP
The Webex Calling service and on-premises call control products such as Cisco Unified CM use SIP as their call control protocol. Webex Room devices, Cisco IP Phones, and 3rd party products can join Webex Meetings using SIP. For on-premises SIP-based call control products such as Cisco Unified CM, a SIP session is established through a border controller such as Expressway C & E, or CUBE SBC for calls to and from the Webex Cloud.

For details on the specific network requirements for the Webex Calling service see: https://help.webex.com/en-us/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling
 

All cloud registered Webex apps and Webex Room devices initiate outbound connections only. Cisco’s Webex Cloud never initiates connections to cloud registered Webex apps and Webex Room devices, but can make outbound calls to SIP devices. Webex services for meetings and messaging are primarily hosted in globally distributed data centers that are either Cisco owned (e.g. Webex data centers for identity services, meeting services, and media servers) or hosted in a Cisco Virtual Private Cloud (VPC) on the Amazon AWS platform (e.g. Webex messaging micro-services, messaging storage services and media servers). All data is encrypted in transit and at rest.

Types of Traffic:

The Webex app and Webex Room devices establish signaling and media connections to the Webex cloud.

Signaling traffic
The Webex app and Webex devices use HTTPS and WSS (secure websockets) for signaling. Signaling connections are outbound only and use URLs for session establishment to Webex services.

Signaling traffic is protected by TLS using strong encryption suites. Webex services prefer TLS cipher suites using ECDHE for key negotiation, 256-bit symmetric encryption cipher keys and SHA-2 hash functions, e.g.:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 
Webex services support TLS version 1.2 only.
 
All Webex features other than real-time media are invoked over a signaling channel that uses TLS.
 
Establishing signaling connections to Webex services using URLs
If you have deployed proxies or firewalls to filter traffic leaving your enterprise network, the list of destination URLs that need to be allowed to access the Webex service can be found in the section "Domains and URLs that need to be accessed for Webex Services". Filtering Webex signaling traffic by IP address is not supported, as the IP addresses used by Webex are dynamic and may change at any time.

Media traffic
The Webex app and Webex Room devices encrypt real-time media for audio, video, and content sharing streams using the following encryption ciphers:

  • AES-256-GCM cipher
  • AES-CM-128-HMAC-SHA1-80 cipher

AES-256-GCM is a modern encryption cipher with a 256-bit encryption key. AES-256-GCM is used by the Webex app and Webex Room devices* to encrypt meeting content.

* The Webex app uses AES-256-GCM to encrypt content for all Webex Meeting types. Webex Room devices use AES-256-GCM for end-to-end encryption of the S-Frame media payload with the Zero Trust Security feature for Webex Meetings (feature rollout commences Q1 CY’21); for more details see the Zero-Trust Security for Webex Technical Paper.

AES-CM-128-HMAC-SHA1 is a mature cipher that has proven interoperability between vendors. AES-CM-128-HMAC-SHA1 is used to encrypt media to Webex services using SRTP, or SRTP with SIP signaling (e.g. Cisco and 3rd party SIP devices).

UDP – Cisco recommended media transport protocol
In line with RFC 3550 RTP – A Transport Protocol for Real-Time Applications, Cisco prefers and strongly recommends UDP as the transport protocol for all Webex voice and video media streams.
 
Disadvantages of using TCP as a media transport protocol
The Webex app and Webex Room devices also support TCP as a fall-back media transport protocol. However, Cisco does not recommend TCP as a transport protocol for voice and video media streams. This is because TCP is connection-oriented and designed to reliably deliver correctly ordered data to upper-layer protocols. Using TCP, the sender will retransmit lost packets until they are acknowledged, and the receiver will buffer the packet stream until the lost packets are recovered. For media streams, this behavior manifests itself as increased latency/jitter, which in turn affects the media quality experienced by the call’s participants.

Because media over TLS can suffer from a degradation in media quality due to its connection-oriented transport protocol and potential proxy server bottlenecks, Cisco strongly recommends that TLS not be used to transport media in production environments.

Webex media flows in both directions over a symmetric, inside-initiated 5-tuple (Source IP address, Destination IP address, Source port, Destination port, protocol) stream opened outbound to the Webex Cloud.
 
The Webex app and Webex Room devices also use STUN (RFC 5389) for firewall traversal and media node reachability testing. For more details, please see the Webex Firewall Technical Paper.
 
Webex – Destination IP address ranges for media
To reach Webex media servers that process media traffic leaving your enterprise network, you must allow the IP subnets that host these media services to be reachable via your Enterprise firewall. The destination IP address ranges for media traffic sent to Webex media nodes can be found in the section "IP subnets for Webex media services".

Webex traffic through Proxies and Firewalls

Most customers deploy an internet firewall, or internet proxy and firewall, to restrict and control the HTTP based traffic that leaves and enters their network. Follow the firewall and proxy guidance below to enable access to Webex services from your network. If you are using a firewall only, note that filtering Webex signaling traffic using IP addresses is not supported, as the IP addresses used by Webex signaling services are dynamic and may change at any time. If your firewall supports URL filtering, configure the firewall to allow the Webex destination URLs listed in the section "Domains and URLs that need to be accessed for Webex Services".

The following table describes the ports and protocols that need to be opened on your firewall to allow cloud registered Webex apps and devices to communicate with Webex cloud signaling and media services.

The Webex apps, devices, and services covered in this table include:
The Webex app, Webex Room devices, Video Mesh Node, Hybrid Data Security node, Directory Connector, Calendar Connector, Management Connector, Serviceability Connector.
Guidance on ports and protocols for devices and Webex services that use SIP can be found in the section "Network requirements for SIP based Webex services".

Webex Services - Port Numbers and Protocols

Destination Port | Protocol | Description | Devices using this rule
---------------- | -------- | ----------- | -----------------------
443 | TLS | Webex HTTPS signaling. Session establishment to Webex services is based on defined URLs, rather than IP addresses. If you are using a proxy server, or your firewall supports DNS resolution, refer to the section "Domains and URLs that need to be accessed for Webex Services" to allow signaling access to Webex services. | All
444 | TLS | Video Mesh Node secure signaling to establish cascade media connections to the Webex cloud | Video Mesh Node
123 (1) | UDP | Network Time Protocol (NTP) | All
53 (1) | UDP, TCP | Domain Name System (DNS). Used for DNS lookups to discover the IP addresses of services in the Webex cloud. Most DNS queries are made over UDP; however, DNS queries may use TCP as well. | All
5004 and 9000* | SRTP over UDP | Encrypted audio, video, and content sharing on the Webex App and Webex Room devices. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". *The Webex App uses UDP port 9000 to connect to Webex Meetings media services. | Webex App*, Webex Room Devices, Video Mesh Nodes
5004 | SRTP over TCP | Used for encrypted content sharing on the Webex App and Webex Room devices. TCP also serves as a fallback transport protocol for encrypted audio and video if UDP cannot be used. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App, Webex Room Devices, Video Mesh Nodes
33434 (2) | SRTP over UDP, SRTP over TCP | Optional. Port 33434 is used for encrypted media if port 5004 is blocked by your firewall. Note that a TCP socket on port 33434 will be established, but only used if connections over TCP and UDP on port 5004 and UDP on port 33434 fail. (2) For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App, Webex Room Devices
443 (2) | SRTP over TLS | Used as a fallback transport protocol for encrypted audio, video and content sharing if UDP and TCP cannot be used. Media over TLS is not recommended in production environments. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App (3), Webex Room Devices

(1) If you are using NTP and DNS services within your enterprise network, then ports 53 and 123 do not need to be opened through your firewall.
(2) The recommendation to open your firewall for encrypted media traffic over UDP/TCP on port 33434 has been deprecated. However, Webex will still probe and use this port if port 5004 is not open.
(3) The Webex Web-based app and Webex SDK do not support media over TLS.
 
Cisco supports Webex media services in secure Cisco, Amazon Web Services (AWS) and Microsoft Azure data centers. Amazon and Microsoft have reserved their IP subnets for Cisco’s sole use, and media services located in these subnets are secured within AWS virtual private cloud and Microsoft Azure virtual network instances. The virtual networks in the Microsoft Azure cloud are used to host servers for Microsoft’s Cloud Video Interop (CVI) service.

Configure your firewall to allow access to these destination Webex IP subnets and transport protocol ports for media streams from Webex apps and devices. UDP is Cisco’s preferred transport protocol for media and we strongly recommend using only UDP to transport media. Webex apps and devices also support TCP and TLS as transport protocols for media, but these are not recommended in production environments as the connection-oriented nature of these protocols can seriously affect media quality over lossy networks.

Note: The IP subnets listed below are for Webex media services. Filtering Webex signaling traffic by IP address is not supported as the IP addresses used by Webex are dynamic and may change at any time. HTTP signaling traffic to Webex services can be filtered by URL/domain in your Enterprise Proxy server, before being forwarded to your firewall.
 

IP subnets for media services

3.22.157.0/26
3.25.56.0/25
3.101.70.0/25
3.101.71.0/24
3.101.77.128/28
3.235.73.128/25
3.235.80.0/23
3.235.122.0/24
3.235.123.0/25
18.132.77.0/25
18.141.157.0/25
18.181.18.0/25
18.181.178.128/25
18.181.204.0/25
18.230.160.0/25
20.50.235.0/24*
20.53.87.0/24*
20.68.154.0/24*
23.89.0.0/16
40.119.234.0/24*
44.234.52.192/26
52.232.210.0/24*
62.109.192.0/18
64.68.96.0/19
66.114.160.0/20
66.163.32.0/19
69.26.160.0/19
114.29.192.0/19
150.253.128.0/17
170.72.0.0/16
170.133.128.0/18
173.39.224.0/19
173.243.0.0/20
207.182.160.0/19
209.197.192.0/19
210.4.192.0/20
216.151.128.0/19

* Azure data centers – used to host Video Integration for Microsoft Teams (aka Microsoft Cloud Video Interop) services

Webex apps and Webex Room Devices perform tests to detect the reachability of, and round-trip time to, a subset of nodes in each media cluster available to your organization. Media node reachability is tested over the UDP, TCP, and TLS transport protocols and occurs on start-up, on a network change, and periodically while the app or device is running. The results of these tests are stored by the Webex app or device and sent to the Webex cloud prior to joining a meeting or a call. The Webex cloud uses these reachability test results to assign the Webex app or device the best media server for the call based on transport protocol (UDP preferred), round-trip time, and media server resource availability.

If you have configured your firewall to allow traffic to only a subset of the IP subnets above, you may still see reachability test traffic traversing your network, in an attempt to reach media nodes in these blocked IP subnets. Media nodes on IP subnets that are blocked by your firewall will not be used by Webex apps and Webex Room devices.

Cisco does not support, or recommend, filtering a subset of IP addresses based on a particular geographic region, or cloud service provider. Filtering by region can cause serious degradation to the meeting experience, up to and including the inability to join meetings entirely.
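The following Python script is an added example and not part of Cisco's documentation: it loads the media subnets from the table above, classifies flow records against those subnets and the documented media ports, and reports which of the listed subnets a firewall allow list fails to cover. The flow records and the sample allow list it uses are constructed for illustration.

```python
"""Added example (not Cisco's code): check destinations against the Webex
media subnets listed on this page and audit an allow list for gaps."""
import ipaddress

# Media subnets copied from the "IP subnets for media services" table of
# this page (July 2021 revision). A trailing '*' marks the Azure data
# centers hosting Video Integration for Microsoft Teams (CVI). Cisco
# publishes updates, so re-copy the table before relying on this list.
WEBEX_MEDIA_SUBNETS_RAW = """
3.22.157.0/26     18.181.204.0/25  69.26.160.0/19
3.25.56.0/25      18.230.160.0/25  114.29.192.0/19
3.101.70.0/25     20.50.235.0/24*  150.253.128.0/17
3.101.71.0/24     20.53.87.0/24*   170.72.0.0/16
3.101.77.128/28   20.68.154.0/24*  170.133.128.0/18
3.235.73.128/25   23.89.0.0/16     173.39.224.0/19
3.235.80.0/23     40.119.234.0/24* 173.243.0.0/20
3.235.122.0/24    44.234.52.192/26 207.182.160.0/19
3.235.123.0/25    52.232.210.0/24* 209.197.192.0/19
18.132.77.0/25    62.109.192.0/18  210.4.192.0/20
18.141.157.0/25   64.68.96.0/19    216.151.128.0/19
18.181.18.0/25    66.114.160.0/20
18.181.178.128/25 66.163.32.0/19
"""

# Documented media ports from the "Port Numbers and Protocols" table:
# UDP 5004/9000 preferred, TCP 5004 fallback, 33434 deprecated but still
# probed, and TCP 443 carrying SRTP over TLS as the last resort.
MEDIA_PORTS = {("udp", 5004), ("udp", 9000), ("tcp", 5004),
               ("udp", 33434), ("tcp", 33434), ("tcp", 443)}


def parse_subnets(raw=WEBEX_MEDIA_SUBNETS_RAW):
    """Return [(IPv4Network, is_azure_cvi)] from the page's notation.

    ip_network() is strict by default, so a mistyped prefix with host bits
    set (a copy error) raises ValueError instead of silently widening.
    """
    subnets = []
    for token in raw.split():
        is_azure = token.endswith("*")
        subnets.append((ipaddress.ip_network(token.rstrip("*")), is_azure))
    return subnets


MEDIA_SUBNETS = parse_subnets()


def lookup(dst):
    """Return (network, is_azure_cvi) for the subnet containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    for net, is_azure in MEDIA_SUBNETS:
        if addr in net:
            return net, is_azure
    return None


def audit_flows(flow_lines):
    """Classify flow records of the form 'dst_ip proto dport'.

    Verdicts: 'media' / 'media-azure-cvi' for documented media ports into a
    Webex media subnet, 'webex-subnet-unexpected-port' for anything else
    aimed at those subnets (worth a look before widening a rule), and
    'not-webex' otherwise.
    """
    verdicts = []
    for line in flow_lines:
        dst, proto, port = line.split()
        hit = lookup(dst)
        if hit is None:
            verdict = "not-webex"
        elif (proto.lower(), int(port)) in MEDIA_PORTS:
            verdict = "media-azure-cvi" if hit[1] else "media"
        else:
            verdict = "webex-subnet-unexpected-port"
        verdicts.append((dst, verdict))
    return verdicts


def uncovered_subnets(allowed_cidrs):
    """Return the page's media subnets not fully inside any allowed CIDR.

    The page warns that blocking a subset of subnets degrades meetings;
    this shows exactly which documented ranges a rule set leaves out.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [net for net, _ in MEDIA_SUBNETS
            if not any(net.subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = ["3.22.157.10 udp 5004", "20.53.87.200 udp 5004",
              "170.72.1.1 tcp 22", "8.8.8.8 udp 53"]
    for dst, verdict in audit_flows(sample):
        print(f"{dst:<16} {verdict}")
    print("not covered:", [str(n) for n in uncovered_subnets(["3.0.0.0/8"])])
```

Run it against the current version of this page rather than a cached copy: the subnets are published by Cisco and change (see the revision history), and a rule set that silently omits one of them produces exactly the reachability-test traffic and degraded meetings the text above describes.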

Webex signaling traffic and Enterprise Proxy Configuration

Most organizations use proxy servers to inspect and control the HTTP traffic that leaves their network. Proxies can be used to perform several security functions such as allowing or blocking access to specific URLs, user authentication, IP address/domain/hostname/URI reputation lookup, and traffic decryption and inspection. Proxy servers are also commonly used as the only path that can forward HTTP-based internet-destined traffic to the enterprise firewall, allowing the firewall to limit outbound internet traffic to that originating from the proxy server(s) only. Your proxy server must be configured to allow Webex signaling traffic to access the domains/URLs listed in the section below:

Cisco Webex Services URLs

Domain / URL | Description | Webex Apps and devices using these domains / URLs
------------ | ----------- | -------------------------------------------------
*.wbx2.com, *.ciscospark.com | Webex micro-services. For example: Messaging service, File management service, Key management service, Software upgrade service, Profile picture service, Whiteboarding service, Proximity service, Presence service, Registration service, Calendaring service, Search service | All
*.webex.com, *.cisco.com | Webex Meetings services, Identity provisioning, Identity storage, Authentication, OAuth services, Device onboarding, Cloud Connected UC | All
*.webexcontent.com (1) | Webex messaging service - general file storage including: User files, Transcoded files, Images, Screenshots, Whiteboard content, Client & device logs, Profile pictures, Branding logos, Log files, Bulk CSV export files & import files (Control Hub) | All

Note:
File storage using webexcontent.com replaced clouddrive.com in October 2019

Your organization may still be using clouddrive.com to store older files – for more information see (1)

Additional Webex related services - Cisco Owned domains

URL | Description | Webex Apps and devices using these domains / URLs
--- | ----------- | -------------------------------------------------
*.accompany.com | People Insights Integration | Webex Apps

Additional Webex related services – Third Party domains

URL | Description | Webex Apps and devices using these domains / URLs
--- | ----------- | -------------------------------------------------
*.sparkpostmail1.com, *.sparkpostmail.com | e-mail service for newsletters, registration info, announcements | All
*.giphy.com | Allows users to share GIF images. This feature is on by default but can be disabled in Control Hub | Webex App
safebrowsing.googleapis.com | Used to perform safety-checks on URLs before unfurling them in the message stream. This feature is on by default, but can be disabled in Control Hub | Webex App
*.walkme.com, s3.walkmeusercontent.com | Webex app User Guidance client. Provides onboarding and usage tours for new users. For more info see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/ | Webex App
speech.googleapis.com, texttospeech.googleapis.com, speech-services-manager-a.wbx2.com | Google Speech Services. Used by Webex Assistant to handle speech recognition and text-to-speech. Disabled by default; opt-in via Control Hub. Assistant can also be disabled on a per-device basis. Details of Webex Room devices that support Webex Assistant are documented here: https://help.webex.com/hzd1aj/Enable-Cisco-Webex-Assistant | Webex Room Kit and Webex Room devices
msftncsi.com/ncsi.txt, captive.apple.com/hotspot-detect.html | Third-party internet connectivity check to identify cases where there is a network connection, but no connection to the Internet. The Webex app performs its own internet connectivity checks, but can also use these 3rd party URLs as a fallback. | Webex App
*.appdynamics.com, *.eum-appdynamics.com | Performance tracking, error and crash capture, session metrics (3) | Webex App, Webex Web App
*.amplitude.com | A/B testing & metrics (3) | Webex Web App, Webex Android App
*.vbrickrev.com | This domain is used by attendees viewing Webex Events Webcasts | Webex Events
*.slido.com, *.sli.do, *.data.logentries.com | Used for Slido PPT add-in and to allow Slido webpages to create polls/quizzes in pre-meeting | All
*.quovadisglobal.com, *.digicert.com, *.godaddy.com, *.identrust.com, *.lencr.org | Used to request Certificate Revocation Lists from these Certificate Authorities. Note - Webex supports both CRL and OCSP stapling to determine the revocation status of certificates. With OCSP stapling, Webex apps and devices do not need to contact these Certificate Authorities | All
Core Webex services being deprecated (2)

URL | Description | Webex Apps and devices using these domains / URLs
--- | ----------- | -------------------------------------------------
*.clouddrive.com | Webex messaging file storage. File storage using webexcontent.com replaced clouddrive.com in Oct 2019. Your organization may still be using clouddrive.com to store older files – for more information see (1) | All
*.ciscosparkcontent.com | Log file uploads. The log file storage service now uses the *.webexcontent.com domain | Webex App
*.rackcdn.com | Content Delivery Network (CDN) for the *.clouddrive.com domain | All

(1) From October 2019, user files will be uploaded and stored in the Cisco managed webexcontent.com domain.

Files uploaded prior to October 2019 will remain in the clouddrive.com domain and be accessible from the Webex app until the retention period for your organization is reached (when they will then be deleted). During this period, you may need access to both the webexcontent.com domain (for new files) and the clouddrive.com domain (for old files).

If you enforce the use of the webexcontent.com domain only:  Old files uploaded and stored in the clouddrive.com domain (by you, or a participating organization) will not be available for viewing & download in Webex messaging spaces that you are a member of.

If you enforce the use of the clouddrive.com domain only:  You will not be able to upload files, and new files uploaded and stored in the webexcontent.com domain by another organization whose space you are participating in, will not be retrievable.

(2) New customers (from October 2019 and later) can choose to omit these domains as they are no longer used for file storage by Webex. Note however, that you will need to allow access to the clouddrive.com domain, if you join a space owned by another organization that has been using the clouddrive.com domain to store files that you require (i.e. files were uploaded prior to October 2019).

(3) Webex uses third parties for diagnostic and troubleshooting data collection, and for the collection of crash and usage metrics. Data that may be sent to these third-party sites is described in the Webex Privacy datasheets. For details see:

Configure your Proxy to allow access to the URLs in the table below for Webex Hybrid Services. Access to these external domains can be restricted by configuring your Proxy to allow only the source IP addresses of your Hybrid Services nodes to reach these URLs.
 

Cisco Webex Hybrid services URLs

URL | Description | Used by:
--- | ----------- | --------
*.docker.com (1), *.docker.io (1) | Hybrid Services Containers | Video Mesh Node, Hybrid Data Security Node
*s3.amazonaws.com (1) | Log File uploads | Video Mesh Node, Hybrid Data Security Node
*.cloudconnector.webex.com | User Synchronization | Hybrid Services Directory Connector

(1) We plan to phase out the use of *.docker.com and *.docker.io for Hybrid Services Containers, eventually replacing them with *.amazonaws.com.

Note: If you use a Cisco Web Security Appliance (WSA) proxy and want to automatically update the URLs used by Webex services, please refer to the WSA Webex Services configuration document for guidance on how to deploy a Webex External Feed in AsyncOS for Cisco Web Security.

For a CSV file containing the list of Webex Services URIs see: Webex Services CSV File


Your proxy server must be configured to allow Webex signaling traffic to access the domains/URLs listed in the previous section. Support for additional proxy features relevant to Webex services is discussed below:

Proxy Authentication Support

Proxies can be used as access control devices, blocking access to external resources until the user/ device provides valid access permission credentials to the proxy. Several authentication methods are supported by Proxies such as Basic Authentication, Digest Authentication, (Windows-based) NTLM, Kerberos and Negotiate (Kerberos with NTLM fallback).

For the “No Authentication” case in the table below, the device can be configured with a Proxy address but does not support authentication. When Proxy Authentication is being used, valid credentials must be configured and stored in the OS of Webex App or Webex Room Device.

For Webex Room devices and the Webex App, proxy addresses can be configured manually via the platform OS or device UI, or discovered automatically using mechanisms such as Web Proxy Auto Discovery (WPAD) and/or Proxy Auto Config (PAC) files:

Product | Authentication Type | Proxy Configuration
------- | ------------------- | -------------------
Webex for Mac | No Auth, Basic, NTLM (1) | Manual, WPAD, PAC
Webex for Windows | No Auth, Basic, NTLM (2), Negotiate | Manual, WPAD, PAC, GPO
Webex for iOS | No Auth, Basic, Digest, NTLM | Manual, WPAD, PAC
Webex for Android | No Auth, Basic, Digest, NTLM | Manual, PAC
Webex Web App | No Auth, Basic, Digest, NTLM, Negotiate | Supported via OS
Webex Room devices | No Auth, Basic, Digest | WPAD, PAC, or Manual
Webex Video Mesh Node | No Auth, Basic, Digest, NTLM | Manual
Hybrid Data Security Node | No Auth, Basic, Digest | Manual
Hybrid Services Host Management Connector | No Auth, Basic | Manual Configuration Expressway C: Applications > Hybrid Services > Connector Proxy
Hybrid Services: Directory Connector | No Auth, Basic, NTLM | Supported via Windows OS
Hybrid Services Expressway C: Calendar connector | No Auth, Basic, NTLM | Manual Configuration Expressway C: Applications > Hybrid Services > Connector Proxy : Username Password; Expressway C: Applications > Hybrid Services > Calendar Connector > Microsoft Exchange > Basic and/or NTLM
Hybrid Services Expressway C: Call connector | No Auth, Basic | Manual Configuration Expressway C: Applications > Hybrid Services > Connector Proxy

(1): Mac NTLM Auth - the machine need not be logged on to the domain; the user is prompted for a password
(2): Windows NTLM Auth - supported only if the machine is logged on to the domain

 

Proxy Inspection and Certificate Pinning

The Webex app and Webex devices validate the certificates of the servers they establish TLS sessions with. Certificate checks, such as the certificate issuer and digital signature, rely upon verifying the chain of certificates up to the root certificate. To perform these validation checks the app or device uses a set of trusted root CA certificates installed in the operating system trust store.

If you have deployed a TLS-inspecting proxy to intercept, decrypt and inspect Webex traffic, ensure that the certificate the proxy presents (in lieu of the Webex service certificate) has been signed by a certificate authority whose root certificate is installed in the trust store of your Webex App or Webex device. For the Webex App, the CA certificate used to sign the certificate used by the proxy needs to be installed into the operating system of the device. For Webex Room devices, open a service request with TAC to install this CA certificate into the RoomOS software.

The table below shows Webex app and Webex device support for TLS inspection by proxy servers.

Product | Supports Custom Trusted CAs for TLS inspection
------- | ----------------------------------------------
Webex App (Windows, Mac, iOS, Android, Web) | Yes*
Webex Room Devices | Yes
Cisco Webex Video Mesh | Yes
Hybrid Data Security Service | Yes
Hybrid Services – Directory, Calendar, Management Connectors | No

* Note - The Webex app does not support proxy server decryption and inspection of TLS sessions for Webex Meetings media services. If you wish to inspect traffic sent to services in the webex.com domain, you must create a TLS inspection exemption for traffic sent to *mcs*.webex.com and *cb*.webex.com.
Note - The Webex app does not support the SNI extension for TLS-based media connections. Connection failure to the Webex audio and video services will occur if a proxy server requires the presence of SNI.
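As an added example (not Cisco's code; the hostnames and log lines in it are constructed), the following Python evaluates URLs against the domain allow list in the tables earlier in this document and decides which hosts a TLS-inspecting proxy should pass through uninspected according to the exemption just described. It assumes the common proxy wildcard interpretation of '*' (any run of characters, dots included); vendors differ on whether '*.webex.com' also covers the bare apex, so check how yours behaves.

```python
"""Added example (not Cisco's code): evaluate URLs against this page's
domain allow list and decide the TLS-inspection bypass the page calls for."""
import fnmatch
from urllib.parse import urlsplit

# Patterns copied from this page's URL tables (July 2021 revision). '*'
# follows the usual proxy wildcard and matches any run of characters,
# dots included, so '*.webex.com' covers every depth of subdomain but, in
# this implementation, not the bare apex 'webex.com' (vendors differ).
# Entries carrying a path (the connectivity-check URLs) match on host and
# exact path.
WEBEX_ALLOW_PATTERNS = [
    "*.wbx2.com", "*.ciscospark.com", "*.webex.com", "*.cisco.com",
    "*.webexcontent.com", "*.accompany.com",
    "*.sparkpostmail1.com", "*.sparkpostmail.com", "*.giphy.com",
    "safebrowsing.googleapis.com", "*.walkme.com", "s3.walkmeusercontent.com",
    "speech.googleapis.com", "texttospeech.googleapis.com",
    "speech-services-manager-a.wbx2.com",
    "msftncsi.com/ncsi.txt", "captive.apple.com/hotspot-detect.html",
    "*.appdynamics.com", "*.eum-appdynamics.com", "*.amplitude.com",
    "*.vbrickrev.com", "*.slido.com", "*.sli.do", "*.data.logentries.com",
    "*.quovadisglobal.com", "*.digicert.com", "*.godaddy.com",
    "*.identrust.com", "*.lencr.org",
]
# Hybrid Services table: only the Hybrid node source IPs need these.
HYBRID_ALLOW_PATTERNS = ["*.docker.com", "*.docker.io",
                         "*s3.amazonaws.com", "*.cloudconnector.webex.com"]
# Webex Meetings media hosts the page says must be exempt from TLS inspection.
TLS_INSPECTION_EXEMPT = ["*mcs*.webex.com", "*cb*.webex.com"]


def _split_pattern(pattern):
    """'host/path' -> (host, '/path'); plain 'host' -> (host, None)."""
    host, slash, path = pattern.partition("/")
    return host.lower(), ("/" + path) if slash else None


def _host_and_path(url):
    """Parsed, normalised host plus path.

    Matching on the parsed host (never a substring of the raw URL) defeats
    'https://teams.webex.com@evil.example/' and query strings that merely
    mention an allowed domain.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".").lower(), parts.path


def url_allowed(url, patterns=WEBEX_ALLOW_PATTERNS):
    """Return the allow-list pattern covering url, or None if none does."""
    host, path = _host_and_path(url)
    for pattern in patterns:
        p_host, p_path = _split_pattern(pattern)
        if fnmatch.fnmatchcase(host, p_host) and (p_path is None or path == p_path):
            return pattern
    return None


def tls_inspection_policy(host):
    """'bypass' for hosts in the page's media exemption, else 'inspect'."""
    host = host.rstrip(".").lower()
    if any(fnmatch.fnmatchcase(host, p) for p in TLS_INSPECTION_EXEMPT):
        return "bypass"
    return "inspect"


def evaluate_proxy_log(lines):
    """Proxy log lines 'client_ip url' -> [(url, matched_pattern, policy)]."""
    results = []
    for line in lines:
        _client, url = line.split(maxsplit=1)
        host, _ = _host_and_path(url)
        results.append((url, url_allowed(url), tls_inspection_policy(host)))
    return results


if __name__ == "__main__":
    # Constructed log lines; hostnames are illustrative, not real Webex hosts.
    sample = ["10.1.2.3 https://teams.webex.com/api/v1",
              "10.1.2.3 https://example-mcs-node.webex.com/",
              "10.1.2.3 http://msftncsi.com/ncsi.txt",
              "10.1.2.3 https://teams.webex.com@evil.example/login"]
    for url, pattern, policy in evaluate_proxy_log(sample):
        print(f"{url:<52} allow={pattern!s:<24} tls={policy}")
```

Two points from the page are worth keeping in mind when translating this into a vendor policy: the Hybrid Services pattern '*s3.amazonaws.com' has no dot after the wildcard (the revision history records that change), so it matches any host ending in that string, and the bypass for media hosts must not rely on SNI, since the app does not send it on TLS media connections.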

Product | Supports 802.1X | Notes
------- | --------------- | -----
Webex App (Windows, Mac, iOS, Android, Web) | Yes | Supported via OS
Webex Room Devices | Yes | EAP-FAST, EAP-MD5, EAP-PEAP, EAP-TLS, EAP-TTLS. Configure 802.1X via GUI or Touch 10. Upload certs via HTTP interface
Video Mesh Node | No | Use MAC address bypass
Hybrid Data Security Service | No | Use MAC address bypass
Hybrid Services – Directory, Calendar, Management Connectors | No | Use MAC address bypass

The Webex cloud supports inbound and outbound calls using SIP as the call control protocol for Webex Meetings and for direct (1:1) calls from/to cloud registered Webex apps and Webex Room devices.

SIP calls for Webex Meetings
Webex Meetings allows participants with SIP apps and devices to join a meeting by either:

  • Calling the SIP URI for the meeting (e.g. meetingnumber@webex.com), or
  • The Webex cloud calling the participant’s specified SIP URI (e.g. my-device@customer.com )


Calls between SIP apps/devices and cloud registered Webex apps/Webex Room devices
The Webex cloud allows users of SIP apps and devices to:

  • Be called by cloud registered Webex apps and Webex Room devices
  • Call cloud registered Webex apps and Webex Room devices

In both of the above cases, SIP apps and devices need to establish a session to/from the Webex cloud. The SIP app or device will be registered to a SIP based call control application (such as Unified CM), which typically has a SIP Trunk connection to Expressway C and E that allows inbound and outbound calls (over the internet) to the Webex Cloud.

SIP apps and devices may be:

  • The Webex Room device using SIP to register to Unified CM
  • Cisco IP Phones using SIP to register to Unified CM, or the Webex Calling service
  • A third party SIP app or device using a third party SIP call control application

The following table describes the ports and protocols required for access to Webex SIP services:

Ports and Protocols for Webex SIP Services

Source Port | Destination Port | Protocol | Description
----------- | ---------------- | -------- | -----------
Expressway ephemeral ports | Webex cloud 5060 - 5070 | SIP over TCP/TLS/MTLS | SIP signaling from Expressway E to the Webex cloud. Transport protocols: TCP/TLS/MTLS
Webex cloud ephemeral ports | Expressway 5060 - 5070 | SIP over TCP/TLS/MTLS | SIP signaling from the Webex cloud to Expressway E. Transport protocols: TCP/TLS/MTLS
Expressway 36000 - 59999 | Webex cloud 49152 - 59999 | RTP/SRTP over UDP | Unencrypted/encrypted media from Expressway E to the Webex cloud. Media transport protocol: UDP
Webex cloud 49152 - 59999 | Expressway 36000 - 59999 | RTP/SRTP over UDP | Unencrypted/encrypted media from the Webex cloud to Expressway E. Media transport protocol: UDP

The SIP connection between Expressway E and the Webex cloud supports unencrypted signaling using TCP, and encrypted signaling using TLS, or MTLS. Encrypted SIP signaling is preferred as the certificates exchanged between the Webex cloud and Expressway E can be validated before proceeding with the connection.

Expressway is commonly used to enable SIP calls to the Webex cloud and B2B SIP calls to other organizations. Configure your firewall to allow:

  • All outbound SIP signaling traffic from Expressway E nodes
  • All inbound SIP signaling traffic to your Expressway E nodes

If you wish to limit inbound and outbound SIP signaling and related media traffic to and from the Webex cloud, configure your firewall to allow traffic to the IP subnets for Webex media (refer to the section "IP subnets for Webex media services") and to the following AWS regions: us-east-1, us-east-2, eu-central-1, us-gov-west-2, us-west-2. The IP address ranges for these AWS regions can be found here: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html *

* This webpage is not instantaneously updated, as AWS makes regular changes to the IP address ranges in their subnets. To dynamically track AWS IP address ranges changes, Amazon recommends subscribing to the following notification service: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications
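The following Python is an added example (not Cisco's or Amazon's code) of how the AWS range data referred to above can be consumed on the firewall side: it filters the ip-ranges.json structure down to the regions this page names, diffs two snapshots by syncToken so a rule refresh is triggered only when the published ranges change, and collapses adjacent prefixes to keep rule counts manageable. The two snapshots are constructed with the real document's field names but documentation-only prefixes; they are not AWS data, and the page names regions only, so no per-service filter is assumed.

```python
"""Added example (not Cisco's or AWS's code): extract the AWS prefixes for
the regions this page names from the ip-ranges.json structure and diff two
snapshots so firewall rules can be refreshed when Amazon changes them."""
import ipaddress

# Regions listed on this page for SIP signaling to/from the Webex cloud.
WEBEX_SIP_AWS_REGIONS = {"us-east-1", "us-east-2", "eu-central-1",
                         "us-gov-west-2", "us-west-2"}

# Constructed stand-ins for https://ip-ranges.amazonaws.com/ip-ranges.json
# (same field names as the real document; prefixes are RFC 5737 / RFC 3849
# documentation ranges, not real AWS allocations).
SNAPSHOT_OLD = {
    "syncToken": "1000000001", "createDate": "2021-07-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1"},
        {"ip_prefix": "192.0.2.0/25", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
}
SNAPSHOT_NEW = {
    "syncToken": "1000000002", "createDate": "2021-07-13-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        # The same prefix may be listed once per service; it must be de-duplicated.
        {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "EC2", "network_border_group": "eu-central-1"},
        {"ip_prefix": "192.0.2.0/25", "region": "ap-southeast-1", "service": "AMAZON", "network_border_group": "ap-southeast-1"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
}


def _sort_key(prefix):
    # Networks of different IP versions do not compare, so order by version first.
    net = ipaddress.ip_network(prefix)
    return (net.version, net)


def prefixes_for_regions(doc, regions=WEBEX_SIP_AWS_REGIONS, include_ipv6=False):
    """Sorted, de-duplicated prefixes announced in the given regions."""
    found = {p["ip_prefix"] for p in doc["prefixes"] if p["region"] in regions}
    if include_ipv6:
        found |= {p["ipv6_prefix"] for p in doc["ipv6_prefixes"] if p["region"] in regions}
    return sorted(found, key=_sort_key)


def diff_prefixes(old_doc, new_doc, regions=WEBEX_SIP_AWS_REGIONS):
    """(added, removed) between two snapshots; no work if syncToken is unchanged."""
    if old_doc["syncToken"] == new_doc["syncToken"]:
        return [], []
    old = set(prefixes_for_regions(old_doc, regions, include_ipv6=True))
    new = set(prefixes_for_regions(new_doc, regions, include_ipv6=True))
    return sorted(new - old, key=_sort_key), sorted(old - new, key=_sort_key)


def collapsed(prefixes):
    """Merge adjacent or contained prefixes to keep the rule count down."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return [str(n) for n in v4] + [str(n) for n in v6]


if __name__ == "__main__":
    added, removed = diff_prefixes(SNAPSHOT_OLD, SNAPSHOT_NEW)
    print("added:", added, "removed:", removed)
    print("rules:", collapsed(prefixes_for_regions(SNAPSHOT_NEW, include_ipv6=True)))
```

In practice the snapshots would be the previously applied copy and a freshly downloaded one; the syncToken short-circuit avoids rewriting rules on every poll, and the page's advice to subscribe to the AWS change notifications tells you when a download is worthwhile.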

Media for SIP based Webex services uses the same destination IP subnets for Webex Media (listed here)

Protocol | Port Number(s) | Direction | Access Type | Comments
-------- | -------------- | --------- | ----------- | --------
TCP | 5061, 5062 | Inbound | SIP Signalling | Inbound SIP signaling for Webex Edge Audio
TCP | 5061, 5065 | Outbound | SIP Signalling | Outbound SIP signaling for Webex Edge Audio
TCP/UDP | Ephemeral ports 8000 - 59999 | Inbound | Media Ports | On an enterprise firewall, pinholes need to be opened up for incoming traffic to Expressway with a port range from 8000 - 59999

 

Cisco Webex Video Mesh

Cisco Webex Video Mesh provides a local media service in your network. Instead of all media going to Webex Cloud, it can remain on your network, for reduced Internet bandwidth usage and increased media quality. For details, see the Cisco Webex Video Mesh Deployment Guide.

Hybrid Calendar Service

The Hybrid Calendar service connects Microsoft Exchange, Office 365 or Google Calendar to Webex, making it easier to schedule and join meetings, especially when mobile.

For details see: Deployment Guide for Webex Hybrid Calendar Service

Hybrid Directory Service

Cisco Directory Connector is an on-premises application for identity synchronization into the Webex cloud. It offers a simple administrative process that automatically and securely extends enterprise directory contacts to the cloud and keeps them in sync for accuracy and consistency.

For details see: Deployment Guide for Cisco Directory Connector

Preferred Architecture for Webex Hybrid Services

The Preferred Architecture for Cisco Webex Hybrid Services describes the overall hybrid architecture, its components, and general design best practices. See: Preferred Architecture for Webex Hybrid Services

Webex Calling - Network Requirements

If you are also deploying Webex Calling with Webex Meetings and Messaging services, the network requirements for the Webex Calling service can be found here: https://help.webex.com/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling

For customers who require the list of IP address ranges and ports for Webex FedRAMP services, this information can be found here: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/WebexforGovernment/FedRAMP_Meetings_Ports_IP_Ranges_Quick_Reference.pdf

Revision Date         New and Changed Information

07/13/2021            Updated the Note in Proxy Features section
07/02/2021            Changed *.s3.amazonaws.com to *s3.amazonaws.com
06/30/2021            Updated the Additional URLs for Webex Hybrid Services list.
06/25/2021            Added *.appdynamics.com domain to the list
06/21/2021            Added *.lencr.org domain to the list.
06/17/2021            Updated Ports and Protocols for Webex SIP Services table
06/14/2021            Updated Ports and Protocols for Webex SIP Services table
05/27/2021            Updated the table in Additional URLs for Webex Hybrid Services section.
04/28/2021            Added domains for Slido PPT add-in and to allow Slido webpages to create polls/quizzes in pre-meeting
04/27/2021            Added 23.89.0.0/16 IP range for Webex Edge Audio
04/26/2021            Added 20.68.154.0/24* as it is an Azure Subnet
04/21/2021            Updated the Webex Services CSV file under Additional URLs for Webex Hybrid Services
04/19/2021            Added 20.53.87.0/24* as it is an Azure DC for VIMT/CVI
04/15/2021            Added domain *.vbrickrev.com for Webex Events Webcasts.
03/30/2021            Substantial document layout revision.
03/30/2021            Details of Webex web-based app and Webex SDK media support added (No media over TLS).
03/29/2021            Webex Edge for devices features listed with a link to the documentation.
03/15/2021            Added domain *.identrust.com
02/19/2021            Added section for Webex Services for FedRAMP customer
01/27/2021            *.cisco.com domain added for Cloud Connected UC service, and Webex Calling onboarding IP subnets for Video Integration for Microsoft Teams (aka Microsoft Cloud Video Interop) indicated by *
01/05/2021            New document that describes the network requirements for the Webex app Meetings and Messaging services
11/13/20              Removed subnet https://155.190.254.0/23 from the IP subnets for media table
10/7/2020             Removed *.cloudfront.net row from Additional URLs for Webex Teams Hybrid Services
9/29/2020             New IP subnet (20.53.87.0/24) added for Webex Teams Media services
9/29/2020             Webex devices renamed to Webex Room devices
9/29/2020             *.core-os.net URL removed from table : Additional URLs for Webex Teams Hybrid Services
9/7/2020              Updated AWS regions link
08/25/20              Simplification of the table and text for Webex Teams IP subnets for media
8/10/20               Additional details added on how reachability to media nodes is tested and Cisco IP subnet usage with Webex Edge Connect
7/31/20               Added new IP subnets for media services in AWS and Azure data centers
7/31/20               Added new UDP destination media ports for SIP calls to the Webex Teams cloud
7/27/20               Added 170.72.0.0/16 (CIDR) or 170.72.0.0 - 170.72.255.255 (net range)
5/5/20                Added sparkpostmail.com in Third Party domains table
4/22/20               Added new IP range 150.253.128.0/17
03/13/20              New URL added for the walkme.com service
                      TLS media transport for Room OS devices added
                      New section added : Network Requirements for Hybrid Calling SIP Signalling
                      Link added for the Webex Calling network requirements document
12/11/19              Minor text changes, Update of the Webex Teams Apps and Devices – Port Numbers and Protocols table, Update and reformat of the Webex Teams URLs tables. Remove NTLM Proxy Auth support for Management Connector and Call Connector hybrid services
10/14/19              TLS Inspection support for Room Devices added
9/16/2019             Addition of TCP support requirement for DNS systems using TCP as a transport protocol.
                      Addition of the URL *.walkme.com – This service provides onboarding and usage tours for new users.
                      Amendments to the service URLs used by Web Assistant.
8/28/2019             *.sparkpostmail1.com URL added
                      e-mail service for newsletters, registration info, announcements
8/20/2019             Proxy support added for Video Mesh Node and Hybrid Data Security service
8/15/2019             Overview of Cisco and AWS data centre used for Webex Teams Service.
                      *.webexcontent.com URL added for file storage
                      Note on deprecation of clouddrive.com for file storage
                      *.walkme.com URL added for metrics and testing
7/12/2019             *.activate.cisco.com and *.webapps.cisco.com URLs added
                      Text to Speech URLs updated to *.speech-googleapis.wbx2.com and *.texttospeech-googleapis.wbx2.com
                      *.quay.io URL removed
                      Hybrid Services Containers URL updated to *.amazonaws.com
6/27/2019             Added *.accompany.com allowed list requirement for People Insights feature
4/25/2019             Added 'Webex Teams services' for line about TLS version support.
                      Added 'Webex Teams' to media streams line under Media traffic.
                      Added 'geographic' before region in Webex Teams IP subnets for media section.
                      Made other minor edits to wording.
                      Edited Webex Teams URLs table, by updating URL for A/B testing & metrics, and adding new row for Google Speech Services.
                      In 'Additional URLs for Webex Teams Hybrid Services' section, removed '10.1' version info after AsyncOS.
                      Updated text in 'Proxy Authentication Support' section.
3/26/2019             Changed the URL linked here "please refer to the WSA Webex Teams configuration document for guidance" from https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-739977.pdf to https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1.html
                      Changed the URL "api.giphy.com" to *.giphy.com
2/21/2019             Updated 'Webex Calling' to read "Webex Calling (formerly Spark Calling)" as requested by John Costello, due to upcoming product launch of same name - Webex Calling through BroadCloud.
2/6/2019              Updated text 'Hybrid Media Node' to read 'Webex Video Mesh Node'
1/11/2019             Updated text 'End to End encrypted files uploaded to Webex Teams spaces and Avatar storage' to now read 'End to End encrypted files uploaded to Webex Teams spaces, Avatar storage, Webex Teams branding Logos'
1/9/2019              Updated to remove following line: '*In order for Webex Room devices to obtain the CA certificate necessary to validate communication through your TLS-inspecting proxy, please contact your CSM, or open a case with the Cisco TAC.'
5th December 2018     Updated URLs: Removed 'https://' from 4 entries in the Webex Teams URLs table:
                      https://api.giphy.com                           ->  api.giphy.com
                      https://safebrowsing.googleapis.com             ->  safebrowsing.googleapis.com
                      http://www.msftncsi.com/ncsi.txt                ->  msftncsi.com/ncsi.txt
                      https://captive.apple.com/hotspot-detect.html   ->  captive.apple.com/hotspot-detect.html
                      • Updated linked .CSV file for Webex Teams to show revised links shown above
30th November 2018    New URLs :
                      *.ciscosparkcontent.com, *.storage101.ord1.clouddrive.com, *.storage101.dfw1.clouddrive.com, *.storage101.iad3.clouddrive.com, https://api.giphy.com, https://safebrowsing.googleapis.com, http://www.msftncsi.com/ncsi.txt, https://captive.apple.com/hotspot-detect.html, *.segment.com, *.segment.io, *.amplitude.com, *.eum-appdynamics.com, *.docker.io, *.core-os.net, *.s3.amazonaws.com, *.identity.api.rackspacecloud.com
                      Support for additional Proxy Authentication Methods for Windows, iOS and Android
                      Webex Board adopts Room Device OS and features ; Proxy features shared by Room Devices: SX, DX, MX, Room Kit series and Webex Board
                      Support for TLS Inspection by iOS and Android Apps
                      Removal of support for TLS Inspection removed on Room Devices: SX, DX, MX, Room Kit series and Webex Board
                      Webex Board adopts Room Device OS and features ; 802.1X support
21st November 2018    Following Note added to IP Subnets for media section : The above IP range list for cloud media resources is not exhaustive, and there may be other IP ranges used by Webex Teams which are not included in the above list. However, the Webex Teams app and devices will be able to function normally without being able to connect to the unlisted media IP addresses.
19th October 2018     Note added : Webex Teams use of third parties for diagnostic and troubleshooting data collection; and the collection of crash and usage metrics. The data that may be sent to these third party sites is described in the Webex Privacy datasheet. For details see : https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-webex-privacy-data-sheet.pdf
                      Separate table for Additional URLs used by Hybrid Services : *.cloudfront.net, *.docker.com, *.quay.io, *.cloudconnector.cisco.com, *.clouddrive.com
7th August 2018       Note added to Ports and Protocols table : If you configure a local NTP and DNS server in the Video Mesh Node’s OVA, then ports 53 and 123 are not required to be opened through the firewall.
7th May 2018          Substantial document revision
