Network Requirements for Webex Services
This article is intended for network administrators, particularly firewall and proxy security administrators, who want to use Webex messaging and meetings services within their organization. It will help you configure your network to support the Webex services used by the HTTPS-based Webex app and Webex Room devices, as well as Cisco IP Phones, Cisco video devices and third-party devices that use SIP to connect to the Webex Meetings service.
Network Requirements for cloud registered Webex apps and devices
All cloud registered Webex apps and Webex Room devices initiate outbound connections only. Cisco’s Webex Cloud never initiates connections to cloud registered Webex apps and Webex Room devices, but it can make outbound calls to SIP devices (see Network requirements for SIP based Webex services below for details). Webex services for meetings and messaging are primarily hosted in globally distributed data centers that are either Cisco owned (e.g. Webex data centers for identity services, meeting services and media servers) or hosted in a Cisco Virtual Private Cloud (VPC) on the Amazon AWS platform (e.g. Webex messaging micro-services, messaging storage services and media servers). All data is encrypted in transit and at rest.
The Webex app and Webex devices use HTTPS and WSS (secure websockets) for signalling. Signalling connections are outbound only and use URLs for session establishment to Webex services.
Signalling traffic is protected by TLS using strong cipher suites. Webex services prefer TLS cipher suites that use ECDHE for key negotiation, 256-bit symmetric encryption keys and SHA-2 hash functions.
Webex services support TLS version 1.2 only.
All Webex features other than real-time media are invoked over a signalling channel that uses TLS.
Establishing signalling connections to Webex services using URLs
If you have deployed proxies or firewalls to filter traffic leaving your enterprise network, the list of destination URLs that must be allowed to reach the Webex service is given in the Webex Services URLs table below. Filtering Webex signalling traffic by IP address is not supported, as the IP addresses used by Webex are dynamic and may change at any time.
The Webex app and Webex Room devices encrypt real-time media for audio, video, and content sharing streams using the following encryption ciphers:
AES-256-GCM is a modern encryption cipher with a 256-bit encryption key. AES-256-GCM is used by the Webex app and Webex Room devices* to encrypt meeting content.
* The Webex app uses AES-256-GCM to encrypt content for all Webex Meeting types. Webex Room devices use AES-256-GCM for end-to-end encryption of the S-Frame media payload with the Zero Trust Security feature for Webex Meetings (feature rollout commences Q1 CY’21). For more details see https://www.cisco.com/c/en/us/solutions/collateral/collaboration/white-paper-c11-744553.html
AES-CM-128-HMAC-SHA1 is a mature cipher with proven interoperability between vendors. AES-CM-128-HMAC-SHA1 is used to encrypt media to Webex services using SRTP, or SRTP with SIP signalling (e.g. Cisco and third-party SIP devices).
UDP – Cisco recommended media transport protocol
In line with RFC 3550, RTP – A Transport Protocol for Real-Time Applications, Cisco prefers and strongly recommends UDP as the transport protocol for all Webex voice and video media streams.
Disadvantages of using TCP as a media transport protocol
The Webex app and Webex Room devices also support TCP as a fall-back media transport protocol. However, Cisco does not recommend TCP as a transport protocol for voice and video media streams. This is because TCP is connection-oriented and designed to deliver correctly ordered data reliably to upper layer protocols. Using TCP, the sender retransmits lost packets until they are acknowledged, and the receiver buffers the packet stream until the lost packets are recovered. For real-time media this behaviour manifests itself as increased latency and jitter, which in turn degrades the media quality experienced by the call’s participants.
Because media over TLS suffers the same degradation (TLS runs over the connection-oriented TCP) and can additionally be bottlenecked by proxy servers, Cisco strongly recommends that TLS is not used to transport media in production environments.
Webex media flows in both directions using a symmetric, inside-initiated 5-tuple (source IP address, destination IP address, source port, destination port, protocol) stream outbound to the Webex Cloud. Because the flow is initiated from inside your network, a stateful firewall admits the returning media on the same 5-tuple without any inbound rule.
The Webex app and Webex Room devices also use STUN (RFC 5389) for firewall traversal and media node reachability testing. For more details, see the Webex Firewall whitepaper.
Webex – Destination IP address ranges for media
To reach the Webex media servers that process media traffic leaving your enterprise network, you must allow the IP subnets that host these media services to be reachable through your enterprise firewall. The destination IP address ranges for media traffic sent to Webex media nodes are listed in the IP subnets for Webex media services table.
Webex traffic through Proxies and Firewalls
Most customers deploy an internet firewall, or an internet proxy and firewall, to restrict and control the HTTP-based traffic that leaves and enters their network. Follow the firewall and proxy guidance below to enable access to Webex services from your network; the destination domains are listed in the Webex Services URLs table.
Webex Services – Port Numbers and Protocols
The following table describes the ports and protocols that need to be opened on your firewall to allow cloud registered Webex apps and devices to communicate with Webex cloud signalling and media services.
(2) The recommendation to open your firewall for encrypted media traffic over UDP/TCP on port 33434 has been deprecated. However, Webex will still probe and use this port if port 5004 is not open.
Configure your firewall to allow access to these destination Webex IP subnets and transport protocol ports for media streams from Webex apps and devices. UDP is Cisco’s preferred transport protocol for media and we strongly recommend using only UDP to transport media. Webex apps and devices also support TCP and TLS as media transport protocols, but these are not recommended in production environments because the connection-oriented nature of these protocols can seriously affect media quality over lossy networks.
Webex apps and Webex Room devices perform tests to detect the reachability of, and round-trip time to, a subset of nodes in each media cluster available to your organization. Media node reachability is tested over the UDP, TCP and TLS transport protocols on start-up, on a network change, and periodically while the app or device is running. The results of these tests are stored by the Webex app or device and sent to the Webex cloud before it joins a meeting or call. The Webex cloud uses these reachability test results to assign the app or device the best media server for the call, based on transport protocol (UDP preferred), round-trip time and media server resource availability.
If you have configured your firewall to allow traffic to only a subset of the IP subnets above, you may still see reachability test traffic traversing your network, in an attempt to reach media nodes in these blocked IP subnets. Media nodes on IP subnets that are blocked by your firewall will not be used by Webex apps and Webex Room devices.
Cisco does not support, or recommend, filtering a subset of IP addresses based on a particular geographic region, or cloud service provider. Filtering by region can cause serious degradation to the meeting experience, up to and including the inability to join meetings entirely.
Webex signalling traffic and Enterprise Proxy Configuration
Most organizations use proxy servers to inspect and control the HTTP traffic that leaves their network. Proxies can be used to perform several security functions such as allowing or blocking access to specific URLs, user authentication, IP address/domain/hostname/URI reputation look up, and traffic decryption and inspection. Proxy servers are also commonly used as the only path that can forward HTTP based internet destined traffic to the enterprise firewall, allowing the firewall to limit outbound internet traffic to that originating from the Proxy server(s) only.
Domains and URLs that need to be accessed for Webex Services
(1) From October 2019, user files will be uploaded and stored in the Cisco managed webexcontent.com domain.
Additional URLs for Webex Hybrid Services
Configure your Proxy to allow access to the URLs in the table below for Webex Hybrid Services. Access to these external domains can be restricted by configuring your Proxy to allow only the source IP addresses of your Hybrid Services nodes to reach these URLs.
Proxy Authentication Support
|Product||Supported Proxy Authentication Methods||Proxy Configuration|
|Webex for Mac||No Auth, Basic, NTLM (1)||Manual, WPAD, PAC|
|Webex for Windows||No Auth, Basic, NTLM (2), Negotiate||Manual, WPAD, PAC, GPO|
|Webex for iOS||No Auth, Basic, Digest, NTLM||Manual, WPAD, PAC|
|Webex for Android||No Auth, Basic, Digest, NTLM||Manual, PAC|
|Webex Web App||No Auth, Basic, Digest, NTLM, Negotiate||Supported via OS|
|Webex Room devices||No Auth, Basic, Digest||WPAD, PAC, or Manual|
|Webex Video Mesh Node||No Auth, Basic, Digest, NTLM||Manual|
|Hybrid Data Security Node||No Auth, Basic, Digest||Manual|
|Hybrid Services Host Management Connector||No Auth, Basic||Manual configuration on Expressway C: Applications > Hybrid Services > Connector Proxy|
|Hybrid Services: Directory Connector||No Auth, Basic, NTLM||Supported via Windows OS|
|Hybrid Services Expressway C: Calendar connector||No Auth, Basic, NTLM||Manual configuration on Expressway C: Applications > Hybrid Services > Connector Proxy: Username, Password; and Applications > Hybrid Services > Calendar Connector > Microsoft Exchange > Basic and/or NTLM|
|Hybrid Services Expressway C: Call connector||No Auth, Basic||Manual configuration on Expressway C: Applications > Hybrid Services > Connector Proxy|
(1): Mac NTLM Auth - The machine need not be logged onto the domain; the user is prompted for a password.
(2): Windows NTLM Auth - Supported only if the machine is logged onto the domain.
Proxy Inspection and Certificate Pinning
The Webex app and Webex devices validate the certificates of the servers they establish TLS sessions with. Certificate checks, such as those on the certificate issuer and digital signature, rely on verifying the chain of certificates up to the root certificate. To perform these validation checks the app or device uses the set of trusted root CA certificates installed in the operating system trust store.
If you have deployed a TLS-inspecting Proxy to intercept, decrypt and inspect Webex traffic, ensure that the certificate the Proxy presents (in lieu of the Webex service certificate) has been signed by a certificate authority whose root certificate is installed in the trust store of your Webex App or Webex device. For the Webex App, the CA certificate used to sign the Proxy’s certificate needs to be installed into the operating system of the device. For Webex Room devices, open a service request with TAC to install this CA certificate into the RoomOS software.
The table below shows Webex app and Webex device support for TLS inspection by Proxy servers.
|Product||Supports Custom Trusted CAs for TLS inspection|
|Webex app (Windows, Mac, iOS, Android, Web)||Yes*|
|Webex Room Devices||Yes|
|Cisco Webex Video Mesh||Yes|
|Hybrid Data Security Service||Yes|
|Hybrid Services – Directory, Calendar, Management Connectors||No|
* Note: The Webex app does not support the decryption and inspection of TLS sessions for Webex Meeting services in the “webex.com” domain. Support for TLS inspection of Webex Meetings services is planned for Q1 CY’21.
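The following is an added example, not code from Cisco or the Webex app, that ties together the signalling requirements stated earlier (TLS 1.2 only; ECDHE, 256-bit symmetric keys, SHA-2) and the proxy trust-store requirement above. It builds a client TLS context restricted accordingly, validates server certificates against the OS trust store plus an optional PEM bundle holding the CA that signs your inspecting proxy's certificates, and evaluates what a handshake negotiated. The two OpenSSL suite names are this example's choice of concrete suites for that cipher family, and the `probe` function and the proxy CA file are illustrative placeholders; run `probe` against a Webex URL from behind your proxy to confirm that the proxy-presented chain validates and that the negotiated parameters match the stated preferences.

```python
"""Added example: a TLS client context matching the signalling requirements
on this page, plus a check of what a handshake negotiated.  Not Cisco code."""
import socket
import ssl

# Assumption: these OpenSSL suite names are the concrete instances of the
# page's stated preference (ECDHE key agreement, AES-256-GCM, SHA-2 PRF).
PREFERRED_SUITES = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def make_signalling_context(proxy_ca_file=None):
    """TLS 1.2-only client context with certificate and hostname verification.

    proxy_ca_file: optional PEM bundle (placeholder name) containing the CA that
    signs the certificates your TLS-inspecting proxy presents in lieu of the
    Webex certificate.  Without it the handshake fails exactly as the Webex app
    does when the inspection CA is missing from the OS trust store.
    """
    ctx = ssl.create_default_context()  # OS trust store, CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PREFERRED_SUITES)
    if proxy_ca_file:
        ctx.load_verify_locations(cafile=proxy_ca_file)  # trust the inspection CA too
    return ctx


def context_summary(ctx):
    """Plain-value view of the context, handy for asserting a policy in CI."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def offered_tls12_ciphers(ctx):
    """Names of the TLS 1.2 suites this context would offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def cipher_meets_policy(name, protocol, bits):
    """Evaluate the (name, protocol, bits) tuple returned by SSLSocket.cipher()
    against the page's stated preferences: TLS 1.2, ECDHE, 256-bit AEAD, SHA-2."""
    return (
        protocol == "TLSv1.2"
        and bits == 256
        and name.startswith("ECDHE-")
        and "-GCM-" in name
        and name.endswith(("SHA256", "SHA384"))
    )


def probe(host, port=443, proxy_ca_file=None):
    """Connect, verify the presented chain (OS store + optional proxy CA) and
    report the negotiated parameters and issuer.  Makes a network connection,
    so it is not exercised by the offline checks."""
    ctx = make_signalling_context(proxy_ca_file)
    raw = socket.create_connection((host, port), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        name, protocol, bits = tls.cipher()
        issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
        return {
            "cipher": name,
            "cipher_ok": cipher_meets_policy(name, protocol, bits),
            "issuer_cn": issuer.get("commonName"),  # your proxy CA if intercepted
        }
```

If `probe` raises a certificate verification error without `proxy_ca_file` but succeeds with it, the proxy is intercepting the session and its CA must be distributed to the Webex app hosts (or, for Room devices, installed via TAC) before rollout; an `issuer_cn` naming your internal CA confirms interception even when the OS already trusts it.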
802.1X – Port based Network Access control
|Product||Supports 802.1X||Notes|
|Webex app (Windows, Mac, iOS, Android, Web)||Yes||Supported via OS|
|Webex Room Devices||Yes||EAP-FAST; configure 802.1X via the GUI or Touch 10; upload certificates via the HTTP interface|
|Video Mesh Node||No||Use MAC address bypass|
|Hybrid Data Security Service||No||Use MAC address bypass|
|Hybrid Services – Directory, Calendar, Management Connectors||No||Use MAC address bypass|
Network requirements for SIP based Webex services
The Webex cloud supports inbound and outbound calls using SIP as the call control protocol for Webex Meetings and for direct (1:1) calls from/to cloud registered Webex apps and Webex Room devices.
SIP calls for Webex Meetings
Webex Meetings allows participants with SIP apps and devices to join a meeting by either:
- Calling the SIP URI for the meeting (e.g. firstname.lastname@example.org), or
- The Webex cloud calling the participant’s specified SIP URI (e.g. email@example.com )
Calls between SIP apps/devices and cloud registered Webex apps/Webex Room devices
The Webex cloud allows users of SIP apps and devices to:
- Be called by cloud registered Webex apps and Webex Room devices
- Call cloud registered Webex apps and Webex Room devices
In both of the above cases, SIP apps and devices need to establish a session to or from the Webex cloud. The SIP app or device is registered to a SIP-based call control application (such as Unified CM), which typically has a SIP trunk to Expressway C and E that allows inbound and outbound calls (over the internet) to the Webex Cloud.
SIP apps and devices may be:
- The Webex Room device using SIP to register to Unified CM
- Cisco IP Phones using SIP to register to Unified CM, or the Webex Calling service
- A third party SIP app or device using a third party SIP call control application
The following table describes the ports and protocols required for access to Webex SIP services:
|Ports and Protocols for Webex SIP Services|
|Source Port||Destination Port||Protocol||Description|
|Expressway ephemeral ports||Webex cloud 5060 - 5070||SIP over TCP/TLS/MTLS||SIP signalling from Expressway E to the Webex cloud (transport protocols: UDP/TCP/MTLS)|
|Webex cloud ephemeral ports||Expressway 5060 - 5070||SIP over TCP/TLS/MTLS||SIP signalling from the Webex cloud to Expressway E (transport protocols: UDP/TCP/MTLS)|
|Expressway 36000 - 59999||Webex cloud 49152 - 59999||RTP/SRTP over UDP||Unencrypted/encrypted media from Expressway E to the Webex cloud (media transport protocol: UDP)|
|Webex cloud 49152 - 59999||Expressway 36000 - 59999||RTP/SRTP over UDP||Unencrypted/encrypted media from the Webex cloud to Expressway E (media transport protocol: UDP)|
The SIP connection between Expressway E and the Webex cloud supports unencrypted signalling using TCP, and encrypted signalling using TLS, or MTLS. Encrypted SIP signalling is preferred as the certificates exchanged between the Webex cloud and Expressway E can be validated before proceeding with the connection.
Expressway is commonly used to enable SIP calls to the Webex cloud and B2B SIP calls to other organizations. Configure your firewall to allow:
- All outbound SIP signalling traffic from Expressway E nodes
- All inbound SIP signalling traffic to your Expressway E nodes
If you wish to limit inbound and outbound SIP signalling and related media traffic to and from the Webex cloud, configure your firewall to allow traffic to the IP subnets for Webex media and to the following AWS regions: us-east-1, us-east-2, eu-central-1, us-gov-west-2, us-west-2. The IP address ranges for these AWS regions are published on the AWS IP address ranges page*.
* This webpage is not instantaneously updated, as AWS makes regular changes to the IP address ranges in their subnets. To dynamically track changes to AWS IP address ranges, Amazon recommends subscribing to the following notification service: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications
Media for SIP based Webex services uses the same destination IP subnets as Webex Teams and Webex Meetings (listed in the IP subnets for Webex media services table).
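The region list above turns the firewall task from "allow a documented subnet" into "track a third-party feed". As an added example (not Cisco's or Amazon's code), the following derives the minimal allowlist for the listed regions from a document in the shape of AWS's published ip-ranges.json, and diffs two snapshots so a rule change can be raised whenever AWS publishes a new file. The JSON embedded here is a constructed sample in that file's shape, not real AWS data; the region codes are copied from the text as written; and filtering on service "AMAZON" relies on AWS publishing those entries as a superset of the per-service entries.

```python
"""Added example: build and diff a firewall allowlist for the AWS regions
listed on this page from an ip-ranges.json-shaped document.  Not Cisco code."""
import ipaddress
import json

# Region codes exactly as listed in the text above.
WEBEX_AWS_REGIONS = {"us-east-1", "us-east-2", "eu-central-1", "us-gov-west-2", "us-west-2"}

# Constructed sample shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# Not real AWS data.  The EC2 line deliberately overlaps the AMAZON superset
# entry, and the two us-west-2 /22s are adjacent, to show the collapsing step.
SAMPLE_SNAPSHOT = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "18.204.0.0/14", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "18.204.0.0/15", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "3.128.0.0/9", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "3.64.0.0/12", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "52.40.0.0/14", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "52.94.0.0/22", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "52.94.4.0/22", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON"},
        {"ipv6_prefix": "2406:da12::/36", "region": "ap-northeast-2", "service": "AMAZON"},
    ],
})


def allowlist_from_ip_ranges(doc_text, regions=WEBEX_AWS_REGIONS, service="AMAZON"):
    """Return {'ipv4': [...], 'ipv6': [...]} of collapsed CIDR strings for the
    given regions.  Overlapping and adjacent prefixes are merged so the
    resulting firewall rule set is minimal and deterministic (sorted)."""
    doc = json.loads(doc_text)
    out = {}
    for family, key, field in (("ipv4", "prefixes", "ip_prefix"),
                               ("ipv6", "ipv6_prefixes", "ipv6_prefix")):
        nets = [
            ipaddress.ip_network(entry[field])
            for entry in doc.get(key, [])
            if entry["region"] in regions and entry["service"] == service
        ]
        out[family] = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return out


def allowlist_diff(old_doc_text, new_doc_text, **kw):
    """Prefixes to add to, and remove from, the firewall when AWS publishes a
    new file.  Returns (added, removed), each keyed by address family."""
    old = allowlist_from_ip_ranges(old_doc_text, **kw)
    new = allowlist_from_ip_ranges(new_doc_text, **kw)
    added = {f: sorted(set(new[f]) - set(old[f])) for f in new}
    removed = {f: sorted(set(old[f]) - set(new[f])) for f in old}
    return added, removed


def with_new_prefix(doc_text, prefix, region, service="AMAZON"):
    """Simulate AWS adding an IPv4 prefix to a snapshot (for exercising the diff)."""
    doc = json.loads(doc_text)
    doc["prefixes"].append({"ip_prefix": prefix, "region": region, "service": service})
    return json.dumps(doc)
```

Pair the diff with the notification subscription noted above so the comparison runs when a new file is announced rather than on a timer. This allowlist is for the SIP/Expressway path only: the page rules out IP-based filtering for Webex app signalling, and per-region filtering of media subnets is unsupported.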
Network Requirements for Webex Edge Audio
|Protocol||Port Number(s)||Direction||Access Type||Comments|
|TCP||5061, 5062||Inbound||SIP Signalling||Inbound SIP signalling for Webex Edge Audio|
|TCP||5061, 5065||Outbound||SIP Signalling||Outbound SIP signalling for Webex Edge Audio|
| ||8000 - 59999||Inbound||Media Ports||On an enterprise firewall, pinholes need to be opened for incoming traffic to Expressway in the port range 8000 - 59999|
A summary of other Webex Hybrid Services
Cisco Webex Video Mesh
Cisco Webex Video Mesh provides a local media service in your network. Instead of all media going to the Webex Cloud, it can remain on your network, reducing Internet bandwidth usage and improving media quality. For details, see the Cisco Webex Video Mesh Deployment Guide.
Hybrid Calendar Service
The Hybrid Calendar service connects Microsoft Exchange, Office 365 or Google Calendar to Webex, making it easier to schedule and join meetings, especially when mobile.
For details see: Deployment Guide for Webex Hybrid Calendar Service
Hybrid Directory Service
Cisco Directory Connector is an on-premises application for identity synchronization into the Webex cloud. It offers a simple administrative process that automatically and securely extends enterprise directory contacts to the cloud and keeps them in sync for accuracy and consistency.
For details see: Deployment Guide for Cisco Directory Connector
Preferred Architecture for Webex Hybrid services
The Preferred Architecture for Cisco Webex Hybrid Services describes the overall hybrid architecture, its components, and general design best practices. See: Preferred Architecture for Webex Hybrid Services
Webex Calling - Network Requirements
If you are also deploying Webex Calling with Webex Meetings and Messaging services, the network requirements for the Webex Calling service can be found here: https://help.webex.com/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling
Document Revision History - Network Requirements for Webex Services
|Date||New and Changed Information|
|01/05/2021||New document that describes the network requirements for the Webex app Meetings and Messaging services|
|11/13/20||Removed subnet 188.8.131.52/23 from the IP subnets for media table|
|10/7/2020||Removed *.cloudfront.net row from Additional URLs for Webex Teams Hybrid Services|
|9/29/2020||New IP subnet (184.108.40.206/24) added for Webex Teams Media services|
|9/29/2020||Webex devices renamed to Webex Room devices|
|9/29/2020||*.core-os.net URL removed from table: Additional URLs for Webex Teams Hybrid Services|
|9/7/2020||Updated AWS regions link|
|08/25/20||Simplification of the table and text for Webex Teams IP subnets for media|
|8/10/20||Additional details added on how reachability to media nodes is tested and Cisco IP subnet usage with Webex Edge Connect|
|7/31/20||Added new IP subnets for media services in AWS and Azure data centers|
|7/31/20||Added new UDP destination media ports for SIP calls to the Webex Teams cloud|
|7/27/20||Added 220.127.116.11/16 (CIDR) or 18.104.22.168 - 22.214.171.124 (net range)|
|5/5/20||Added sparkpostmail.com in Third Party domains table|
|4/22/20||Added new IP range 126.96.36.199/17|
|03/13/20||New URL added for the walkme.com service; TLS media transport for Room OS devices added; New section added: Network Requirements for Hybrid Calling SIP Signalling; Link added for the Webex Calling network requirements document|
|12/11/19||Minor text changes; update of the Webex Teams Apps and Devices – Port Numbers and Protocols table; update and reformat of the Webex Teams URLs tables; removal of NTLM Proxy Auth support for Management Connector and Call Connector hybrid services|
|10/14/19||TLS Inspection support for Room Devices added|
|9/16/2019||Addition of TCP support requirement for DNS systems using TCP as a transport protocol; addition of the URL *.walkme.com – this service provides onboarding and usage tours for new users; amendments to the service URLs used by Web Assistant|
|8/28/2019||*.sparkpostmail1.com URL added (e-mail service for newsletters, registration info, announcements)|
|8/20/2019||Proxy support added for Video Mesh Node and Hybrid Data Security service|
|8/15/2019||Overview of Cisco and AWS data centres used for the Webex Teams Service; *.webexcontent.com URL added for file storage; note on deprecation of clouddrive.com for file storage; *.walkme.com URL added for metrics and testing|
|7/12/2019||*.activate.cisco.com and *.webapps.cisco.com URLs added; Text to Speech URLs updated to *.speech-googleapis.wbx2.com and; *.quay.io URL removed; Hybrid Services Containers URL updated to *.amazonaws.com|
|6/27/2019||Added *.accompany.com allowed list requirement for People Insights feature|
|4/25/2019||Added 'Webex Teams services' to the line about TLS version support; added 'Webex Teams' to the media streams line under Media traffic; added 'geographic' before region in the Webex Teams IP subnets for media section; made other minor edits to wording; edited the Webex Teams URLs table by updating the URL for A/B testing & metrics and adding a new row for Google Speech Services; in the 'Additional URLs for Webex Teams Hybrid Services' section, removed '10.1' version info after AsyncOS; updated text in the 'Proxy Authentication Support' section|
|3/26/2019||Changed the URL linked from "please refer to the WSA Webex Teams configuration document for guidance" from https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-739977.pdf to https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1.html; changed the URL "api.giphy.com" to *.giphy.com|
|2/21/2019||Updated 'Webex Calling' to read "Webex Calling (formerly Spark Calling)" as requested by John Costello, due to the upcoming product launch of the same name - Webex Calling through BroadCloud|
|2/6/2019||Updated text 'Hybrid Media Node' to read 'Webex Video Mesh Node'|
|1/11/2019||Updated text 'End to End encrypted files uploaded to Webex Teams spaces and Avatar storage' to now read 'End to End encrypted files uploaded to Webex Teams spaces, Avatar storage, Webex Teams branding Logos'|
|1/9/2019||Updated to remove the following line: '*In order for Webex Room devices to obtain the CA certificate necessary to validate communication through your TLS-inspecting proxy, please contact your CSM, or open a case with the Cisco TAC.'|
|5th December 2018||Updated URLs: removed 'https://' from 4 entries in the Webex Teams URLs table: https://api.giphy.com -> api.giphy.com; https://safebrowsing.googleapis.com -> safebrowsing.googleapis.com; http://www.msftncsi.com/ncsi.txt -> msftncsi.com/ncsi.txt; https://captive.apple.com/hotspot-detect.html -> captive.apple.com/hotspot-detect.html|
|30th November 2018||New URLs: *.ciscosparkcontent.com, *.storage101.ord1.clouddrive.com, *.storage101.dfw1.clouddrive.com, *.storage101.iad3.clouddrive.com, https://api.giphy.com, https://safebrowsing.googleapis.com, http://www.msftncsi.com/ncsi.txt, https://captive.apple.com/hotspot-detect.html, *.segment.com, *.segment.io, *.amplitiude.com, *.eum-appdynamics.com, *.docker.io, *.core-os.net, *.s3.amazonaws.com, *.identity.api.rackspacecloud.com; Support for additional Proxy Authentication Methods for Windows, iOS and Android; Webex Board adopts Room Device OS and features; Proxy features shared by Room Devices: SX, DX, MX, Room Kit series and Webex Board; Support for TLS Inspection by iOS and Android Apps; Removal of support for TLS Inspection on Room Devices: SX, DX, MX, Room Kit series and Webex Board; Webex Board adopts Room Device OS and features; 802.1X support|
|21st November 2018||Following note added to the IP Subnets for media section: The above IP range list for cloud media resources is not exhaustive, and there may be other IP ranges used by Webex Teams which are not included in the above list. However, the Webex Teams app and devices will be able to function normally without being able to connect to the unlisted media IP addresses.|
|19th October 2018||Note added: Webex Teams use of third parties for diagnostic and troubleshooting data collection, and the collection of crash and usage metrics. The data that may be sent to these third party sites is described in the Webex Privacy datasheet; for details see https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-webex-privacy-data-sheet.pdf. Separate table for Additional URLs used by Hybrid Services: *.cloudfront.net, *.docker.com, *.quay.io, *.cloudconnector.cisco.com, *.clouddrive.com|
|7th August 2018||Note added to Ports and Protocols table: If you configure a local NTP and DNS server in the Video Mesh Node’s OVA, then ports 53 and 123 are not required to be opened through the firewall.|
|7th May 2018||Substantial document revision|