Water Mark

Network Requirements for Webex Teams Services

view(s) people thought this was helpful

Network Requirements for Webex Teams Services

Network Requirements for Webex Teams Services


Document Revision History
 

This article is intended for network administrators, particularly firewall, proxy and web security administrators. It will help you configure your network to support Webex Teams.  For network requirements for classic Webex Meetings clients see WBX264 - How Do I Allow Webex Meetings Traffic on My Network?.

Webex Teams Network Requirements

All Webex Teams apps and devices initiate outbound connections only. Cisco’s Webex Cloud never initiates any connections to Webex Teams apps and devices. Webex Teams services are hosted in globally distributed data centers, that are either Cisco owned (e.g. Webex data centers for identity services, key management services and media servers) or hosted in a Cisco Virtual Private Cloud (VPC) on the Amazon AWS platform (e.g. Webex Teams micro-services, message and file storage services). All data is encrypted in transit and at rest.

Types of Traffic

Webex Teams apps and devices use two types of traffic: Signalling and Media

Signalling traffic
 
 
Webex Teams apps and devices use HTTPS and WSS (secure websockets) for signalling. Signalling connections are outbound only and use URLs (rather than IP addresses) for session establishment.
 

Signalling traffic is protected by TLS using strong encryption suites (256 bit, or 128 bit symmetric cipher key sizes, SHA-2 hash functions). TLS cipher suites using 256 bit symmetric cipher keys are preferred e.g.:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 

TLS version 1.2 only is supported by Webex Teams services.
 
All Webex Teams features other than real-time media depend on TLS signalling.
 

Webex Teams URLs for signalling traffic
If you have deployed proxies, or firewalls to filter traffic leaving your enterprise network, the list of destination URLs that need to be white listed to access the Webex Teams service can be found here Webex Teams URLs. Filtering Webex Teams signalling traffic by IP address is not supported as the IP addresses used by Webex Teams are dynamic and may change at any time.

Media traffic
Webex Teams apps and devices use encrypted real-time media for audio, video, and content sharing streams. Typically*, media from any Webex Teams app or device transits from the user’s location to media nodes in the Webex Cloud, where the streams are mixed and distributed. This is true for all call types e.g. 1:1 calls and multiparty calls. (*On-premise Video Mesh Nodes can also be deployed to mix and distribute media locally).
 

Cisco secures all Webex Teams media streams using the Secure Real-Time Transport Protocol (SRTP), described in RFC 3711. Cisco apps and devices encrypt media with the AES_CM_128_HMAC_SHA1_80 cipher suite.
 

In line with RFC 3550 RTP – A Transport Protocol for Real -Time Applications, Cisco prefers and strongly recommends UDP as the transport protocol for Webex Teams voice and video media streams.
 

Webex Teams apps and devices also support TCP as a fall-back media transport protocol. However, Cisco does not recommend TCP as a transport protocol for voice and video media streams. This is because TCP is connection orientated, and designed to reliably deliver, correctly ordered, data to upper layer protocols. Using TCP, the sender will retransmit lost packets until they are acknowledged, and the receiver buffer the packet stream until the lost packets are recovered. For media streams, this behavior manifests itself as increased latency/jitter, which in turn affects the media quality experienced by the call’s participants.
 

Webex Teams apps and devices also support TLS (HTTPS) as a tertiary option for media transport. Using TLS can also mean that this Webex Teams media traffic will need to pass through an enterprise’s proxy server to reach media servers in the Webex Cloud. Since proxy servers are, primarily, designed to intercept and forward HTTP based web traffic; media quality can be impacted if the proxy server reaches its performance threshold and drops packets when processing large numbers of high bandwidth media streams.
 

Webex Teams media flows in both directions using a symmetric inside-initiated, 5-tuple (Source IP address, Destination IP address, Source port, Destination port, protocol) stream outbound to the Webex Cloud.
 
Webex Teams also uses STUN (RFC 5389) for firewall traversal and media node reachability testing. For more details, please see the Webex Teams Firewall whitepaper.
 
Webex Teams – Destination IP address ranges for media
If you wish to control the destination of media traffic leaving your enterprise network, the destination IP address ranges for media traffic sent to Webex Teams media nodes can be found here: Webex Teams IP subnets for media

Webex Teams traffic through Proxies and Firewalls

Most customers deploy an internet firewall, or internet proxy and firewall, to restrict and control the HTTP based traffic that leaves and enters their network. Follow the firewall and proxy guidance below to enable access to Webex Teams services from your network.

Firewall Configuration

If you are using a firewall only, note that filtering Webex Teams signalling traffic using IP addresses is not supported, as the IP addresses used by Webex Teams signalling are dynamic and may change at any time. If your firewall supports URL filtering, white list the Webex Teams destination URLs listed here Webex Teams URLs.

Webex Teams Apps and Devices – Port Numbers and Protocols

The following table describes ports and protocols used by Webex Teams apps and devices.

Source IP

Destination IP

Destination Port

Protocol

Description

Devices using this rule

Your networksANY443TLSHTTPS and WSS for signalling and messaging. Session establishment to these Webex Teams services is based on defined URLs, rather than IP addresses.

If your firewall supports DNS resolution, or you are using a proxy server; use these Webex Teams URLs to white list access to Webex Teams services.
All
Video Mesh NodeANY444TLSVideo Mesh Node Secure Cascade Signalling to the Webex cloudVideo Mesh Node
Video Mesh Nodes

Hybrid Data Security Nodes

Webex Hybrid Services Connectors
ANY123 (1)UDPNetwork Time Protocol (NTP)Video Mesh Nodes

Hybrid Data Security Nodes

Webex Hybrid Services Connectors
Video Mesh Nodes

Hybrid Data Security Nodes

Webex Hybrid Services Connectors
ANY53 (1)UDP/TCPDomain Name System (DNS)

Most DNS queries are made over UDP; however, DNS queries may use TCP as well.
Video Mesh Nodes

Hybrid Data Security Nodes

Webex Hybrid Services Connectors
Your NetworksSee Webex Teams IP subnets for media5004UDP SRTPSecure audio, video, and content sharing on Webex Teams devicesWebex Teams Apps

Webex Teams Devices

Video Mesh Nodes
Your NetworksSee Webex Teams IP subnets for media5004TCP SRTPUsed for secure content sharing on Webex Teams desktop and mobile apps.
Also serves as a fallback transport for audio and video if UDP cannot be used.
Webex Teams Apps

Webex Teams Devices

Video Mesh Nodes
Your NetworksSee Webex Teams IP subnets for media33434 (2)UDP SRTP/ TCP SRTPOptional

Port 33434 is used for encrypted media if port 5004 is blocked. Note that a TCP socket on port 33434 will be established, but only used if connections fail over TCP/UDP on port 5004 and UDP on port 33434. (2)
Webex Teams Apps

Webex Teams Devices
Your NetworksSee Webex Teams IP subnets for media443 (2)TLS/HTTPS SRTPUsed as a fallback transport for audio, video and content sharing if UDP and TCP cannot be used.Webex Teams Apps

Webex teams Devices
Video Mesh Nodes in your networksSee Webex Teams IP subnets for media5004UDP SRTP/
TCP SRTP
Secure audio, video & content sharing media from Video Mesh Node to the Webex Cloud
(SRTP over TCP is also supported, but not recommended)
Video Mesh Node Cascade connections
Your NetworksSee Webex Teams IP subnets for media33434-33598UDP SRTPSecure audio, video & content sharing mediaSIP calls to the Webex Teams cloud, including Hybrid Call Calling Service, see: Network Requirements for Hybrid Calling SIP Signalling
(1)    If you configure a local NTP and DNS server on the Video Mesh Node or Hybrid Data Security Node OVA, then ports 53 and 123 do not need to be opened through the firewall.
(2)    The recommendation to open your firewall for encrypted media traffic over UDP/TCP on port 33434 has been deprecated. However, Webex Teams will still probe and use these ports if 5004 is not open. Note - Classic Webex Meeting clients currently use UDP port 9000 for media for details see: WBX264 - How Do I Allow Webex Meetings Traffic on My Network?

Webex Teams IP subnets for media

  • 64.68.96.0/19 (CIDR) or 64.68.96.0 - 64.68.127.255 (net range)
  • 66.114.160.0/20 (CIDR) or 66.114.160.0 - 66.114.175.255 (net range)
  • 66.163.32.0/19 (CIDR) or 66.163.32.0 - 66.163.63.255 (net range)
  • 170.133.128.0/18 (CIDR) or 170.133.128.0 - 170.133.191.255 (net range)
  • 173.39.224.0/19 (CIDR) or 173.39.224.0 - 173.39.255.255 (net range)
  • 173.243.0.0/20 (CIDR) or 173.243.0.0 - 173.243.15.255 (net range)
  • 207.182.160.0/19 (CIDR) or 207.182.160.0 - 207.182.191.255 (net range)
  • 209.197.192.0/19 (CIDR) or 209.197.192.0 - 209.197.223.255 (net range)
  • 216.151.128.0/19 (CIDR) or 216.151.128.0 - 216.151.159.255 (net range)
  • 114.29.192.0/19 (CIDR) or 114.29.192.0 - 114.29.223.255 (net range)
  • 210.4.192.0/20 (CIDR) or 210.4.192.0 - 210.4.207.255 (net range)
  • 69.26.176.0/20 (CIDR) or 69.26.176.0 - 69.26.191.255 (net range)
  • 62.109.192.0/18 (CIDR) or 62.109.192.0 - 62.109.255.255 (net range)
  • 69.26.160.0/19 (CIDR) or 69.26.160.0 - 69.26.191.255 (net range)
Note: The above list of IP ranges for cloud media resources is not exhaustive, and there may be other IP ranges used by Cisco Webex Teams which are not included in the above list. However, the Webex Teams app and devices will be able to function normally without being able to connect to unlisted media IP addresses.

Cisco does not support, or recommend, filtering IP addresses for a particular geographic region. Filtering by region can cause serious degradation to the Webex Teams meeting experience up to and including the inability to join meetings entirely.

Proxy Configuration

Many organizations use proxies to inspect and control the HTTP traffic that leaves their network. Proxies can be used to perform several security functions such as URL whitelisting and blacklisting, user authentication, IP address/domain/hostname/URI reputation look up, and traffic decryption and inspection. The proxy features relevant to Webex Teams are discussed below.

Webex Teams URLs

The following table describes the URLs that are used by Webex Teams. If your organization uses a proxy, ensure that these URLs can be accessed. For details on how Webex Teams handles data sent to these URLs see the Webex Teams Security and Privacy whitepaper.

Cisco Webex Teams Services

URL

Description

Webex Teams Apps and Devices using these URLs and additional Notes

*.wbx2.comWebex Teams micro-services.
For example :
Messaging service
File management service
Key management service
Software upgrade service
Profile picture service
Whiteboarding service
Proximity service
Registration service
Calendaring service
Search service
All
*.webex.comIdentity provisioning
Identity storage
Authentication
Device onboarding
OAuth services
All
*.ciscospark.comOther Webex Teams services including :
Presence service
Device onboarding service
All
*.webexcontent.com (1)Webex Teams -General File storage including:

User files,
Transcoded files,
Images,
Screenshots,
Whiteboard content,
Client & device logs,
Profile pictures,
Branding logos,
Bulk CSV export files & import files (Control Hub)
All

Note :
webexcontent.com replaced clouddrive.com for file storage in Oct 2019

Your organization may still be using cloudrive.com for older files – for details see (1)
*.activation.webex.com




*.activate.cisco.com
*.webapps.cisco.com
Device onboarding
and service discovery

Used for onboarding devices to the Webex Teams service and Webex Calling service.
Webex Teams :
SX, DX, MX, Room Kit series Room Devices, Webexboard, Webex Share

 

Core Webex Teams services being deprecated (2)

URL

Description

Webex Teams Apps, Devices and Hybrid Services using these URLs and additional notes

*.clouddrive.com
or
*storage101.ord1.clouddrive.com
*storage101.dfw1.clouddrive.com
*storage101.iad3.clouddrive.com
Webex Teams -
General File storage

Being deprecated
 
New file storage service : *.webexcontent.com
All

Note :
webexcontent.com replaced clouddrive.com for file storage in Oct 2019

Your organization may still be using cloudrive.com for older files – for details see (1)
*.ciscosparkcontent.comLog File uploads

Being deprecated

New file storage service: *.webexcontent.com
Webex Teams Apps
*.rackcdn.comContent Delivery Network (CDN) for *.clouddrive.com

Being deprecated
 
New file storage service (*.webexcontent.com) does not use this CDN service
All

Additional Webex Teams related services – Cisco Owned domains

URL

Description

Webex Teams Apps, Devices and Hybrid Services using these URLs

*.accompany.comPeople Insights IntegrationWebex Teams Apps
*.huron-dev.comDevice onboarding and service discovery

Used for onboarding Cisco Phones to the Spark Calling service
Spark Call Service:
Cisco IP Phones
7800 & 8800 series

Additional Webex Teams related services – Third Party domains

URL

Description

Webex Teams Apps and Devices using these URLs

*.sparkpostmail1.come-mail service for newsletters, registration info, announcementsAll
*.giphy.comAllows users to share GIF images. This feature is on by default but can be disabled in Control HubWebex Teams Apps
safebrowsing.googleapis.comUsed to perform safety-checks on URLs before unfurling them in the message stream. This feature is on by default, but can be disabled in Control HubWebex Teams Apps
*.walkme.com

s3.walkmeusercontent.com
Webex Teams User Guidance client. Provides onboarding and usage tours for new users

For more info see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/
Webex Teams Apps

speech.googleapis.com
texttospeech.googleapis.com

speech-services-manager-a.wbx2.com

Google Speech Services. Used by Webex Assistant to handle speech recognition and text-to-speech. Disabled by default, is opt-in via Control Hub. Assistant can also be disabled on a per-device basis.Webex Room Kit and Webex Room devices

Details of Webex Teams devices that support Webex Assistant are documented here:
https://help.webex.com/en-us/hzd1aj/Enable-Cisco-Webex-Assistant
msftncsi.com/ncsi.txt

captive.apple.com/hotspot-detect.html
Third party internet connectivity check to identify cases where there is a network connection, but no connection to the Internet.

Webex Teams performs its own internet connectivity checks, but can also use these 3rd party URLs as a fall back.
Webex Teams Apps
*.crashlytics.comDiagnostic & troubleshooting data (3)All
*.eum-appdynamics.comPerformance tracking, error and crash capture, session metrics (3)Webex Teams Web App
*.amplitiude.com
*.segment.com
*.segment.io
A/B testing & metrics (3)Webex Teams:
Web App
Android App

 

(1) From October 2019, user files will be uploaded and stored in the Cisco managed webexcontent.com domain.

Files uploaded prior to October 2019 will remain in the clouddrive.com domain and be accessible from Webex Teams until the retention period for your organization is reached (when they will then be deleted).During this period, you may need access to both the webexcontent.com domain (for new files) and the clouddrive.com domain (for old files).

If you enforce the use of the webexcontent.com domain only:  Old files uploaded and stored in the clouddrive.com domain (by you, or a participating organization) will not be available for viewing & download in Teams spaces that you are a member of.

If you enforce the use of the clouddrive.com domain only:  You will not be able to upload files, and new files uploaded and stored in the webexcontent.com domain by another organization whose space you are participating in, will not be retrievable.

(2) New customers (from October 2019 and later) can choose to omit these domains as they are no longer used for file storage by Webex Teams. Note however, that you will need to use these domains if you join a space owned by another organization that has been using these domains for file storage (i.e. files were uploaded prior to October 2019).

(3) Webex Teams uses third parties for diagnostic and troubleshooting data collection; and the collection of crash and usage metrics. The data that may be sent to these third party sites is described in the Webex Privacy datasheet. For details see: https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-webex-privacy-data-sheet.pdf

Additional URLs for Webex Teams Hybrid Services

For Hybrid Services, access to external domains can be further restricted by configuring your Proxy to allow only the source IP address of your Hybrid Services nodes to reach these URLs (except for the webexcontent.com domain which is also used by Webex Teams apps and devices).

Core Webex Teams services

URL

Description

Used by:

*.cloudfront.netHybrid Services UpgradesVideo Mesh Node
Hybrid Data Security Node
*.docker.com **
*.docker.io **
Hybrid Services Containers (1)Video Mesh Node
Hybrid Data Security Node
*.core-os.netCore OS upgrades   Video Mesh Node
Hybrid Data Security Node
*.amazonaws.com **Hybrid Services Containers
Core OS upgrades,
Log File uploads
Video Mesh Node
Hybrid Data Security Node
*.cloudconnector.cisco.comUser Synchronization  Hybrid Services Directory Connector

Core Webex Teams services being deprecated

URL

Description

Webex Teams Hybrid Services using these URLs and additional notes

*.clouddrive.comLog File uploadsExpressway Hybrid Connectors

Note :
From October 2019, log files will be no longer be uploaded and stored in the clouddrive.com domain, but instead will use the Cisco  managed webexcontent.com domain.

(1) We plan to phase out the use of *.docker.com and *.docker.io for Hybrid Services Containers, eventually replacing them with *.amazonaws.com.

Note: If you use a Cisco Web Security Appliance (WSA) Proxy and want to automatically update the URLs used by Webex Teams, please refer to the WSA Webex Teams configuration document for guidance on how to deploy a Webex Teams External Feed in AsyncOS for Cisco Web Security.

For a CSV file containing the list of Webex Teams URIs see: Webex Teams CSV File

Proxy Features

Proxy Authentication Support

Proxies can be used as access control devices, blocking access to external resources until the user/ device provides valid access permission credentials to the proxy. Several authentication methods are supported by Proxies such as Basic Authentication, Digest Authentication, (Windows based) NTLM, Kerberos and Negotiate (Kerberos with NTLM fallback).

With No Authentication the device can be configured with a Proxy address, but does not support authentication. When Proxy Authentication is being used, valid credentials must be configured and stored in the OS of Webex Teams Device/ Application.

For Webex Teams devices and Apps, Proxy addresses can be configured manually via the platform OS or device UI, or automatically discovered using mechanisms such as Web Proxy Auto Discovery (WPAD) see: https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/WPADAP.html and/or Proxy Auto Config (PAC) files see: https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector2972/PACAP.html

Product

Authentication Type

Proxy Configuration

Webex Teams for MacNo Auth, Basic, NTLM (1)Manual, WPAD, PAC
Webex Teams for WindowsNo Auth, Basic, NTLM (2), NegotiateManual, WPAD, PAC, GPO
Webex Teams for iOSNo Auth, Basic, Digest, NTLMManual, WPAD, PAC
Webex Teams for AndroidNo Auth, Basic, Digest, NTLMManual, PAC
Webex Teams Web AppNo Auth, Basic, Digest, NTLM, NegotiateSupported via OS
Room Devices: SX, DX, MX, Room Kit series and Webex BoardNo Auth, Basic, DigestWPAD, PAC, or Manual
Webex Calling (formerly Spark Calling) IP PhonesN/A – SIP signallingN/A
Webex Video Mesh NodeNo Auth, Basic, Digest, NTLMManual
Hybrid Data Security NodeNo Auth, Basic, DigestManual
Hybrid Services Host Management ConnectorNo Auth, BasicManual Configuration Expressway C: Applications > Hybrid Services > Connector Proxy
Hybrid Services: Directory ConnectorNo Auth, Basic, NTLMSupported via Windows OS
Hybrid Services Expressway C: Calendar connectorNo Auth, Basic, NTLMManual Configuration Expressway C:
Applications > Hybrid Services > Connector Proxy : Username Password
Expressway C: Applications > Hybrid Services > Calendar Connector > Microsoft Exchange> Basic and/or NTLM
Hybrid Services Expressway C: Call connectorNo Auth, BasicManual Configuration Expressway C:
Applications > Hybrid Services > Connector Proxy

(1): Mac NTLM Auth - Machine need not be logged onto domain, user prompted for password
(2): Windows NTLM Auth - Supported only if machine is logged onto domain
(3): Webex Board HTTP Proxy setup

Proxy Inspection and Certificate Pinning

Webex Teams validates the certificates of the systems it communicates with. It does this by ensuring that the certificates presented when establishing a TLS session can be validated against the list of trusted root CA certificates installed in the operating system of the Webex Teams App or device. Webex Teams Apps and devices also check that certificates are not issued by a known malicious, or compromised Certificate Authority.

If you have deployed a TLS-inspecting Proxy, ensure that the certificate it presents has a trust chain allowing successful validation by Webex Teams Apps and Devices. For Webex Teams Apps the CA certificate used to sign the certificate used by the Proxy needs to be installed into the operating system of the device. For Webex Teams devices, open a service request with TAC to install this CA certificate into the RoomOS software.

The following table lists support for custom trusted root CAs installed in the operating system, as described above.

Product

Supports Custom Trusted CAs for TLS inspection

Notes

Webex Teams for iOSYes 
Webex Teams for AndroidYes 
Webex Teams for MacYes 
Webex Teams for WindowsYes 
Webex Teams Web AppYes 
Room Devices: SX, DX, MX, Room Kit series and Webex BoardYes 
Webex Calling (formerly Spark Calling) IP PhonesNo 
Cisco Webex Video MeshYes 
Hybrid Data Security ServiceYes 
Hybrid Services – Directory, Calendar, Call, Management ConnectorsNo 

802.1X – Port based Network Access control

Product

Supports 802.1X

Notes

Webex Teams for iOSYesSupported via OS
Webex Teams for AndroidYesSupported via OS
Webex Teams for MacYesSupported via OS
Webex Teams for WindowsYesSupported via OS
Webex Teams Web AppYesSupported via OS
Room Devices: SX, DX, MX, Room Kit series and Webex BoardYesEAP-FAST  
EAP-MD5
EAP-PEAP
EAP-TLS
EAP-TTLS
Configure 802.1X via GUI or Touch 10
Upload Certs via HTTP interface
Webex Calling (formerly Spark Calling) IP PhonesNo 
Cisco Webex Video MeshNoUse MAC address bypass
Hybrid Data Security ServiceNoUse MAC address bypass
Hybrid Services – Directory, Calendar, Call, Management ConnectorsNoUse MAC address bypass

Cisco Webex Video Mesh

Cisco Webex Video Mesh provides a destination for media traffic on your network. Instead of all media going to Webex Cloud, it can remain on your network, for reduced Internet bandwidth usage and increased media quality. For details, see the Cisco Webex Video Mesh Deployment Guide.


Webex Teams Hybrid services

Webex Teams Hybrid Services let you add the meetings and messaging capabilities of Webex Teams to your existing Cisco Unified Communications deployment. For general deployment guidance on Webex Teams Hybrid Services see: Preferred Architecture for Webex Teams Hybrid Services

The following Webex Teams Hybrid services are available today:

Hybrid Calling Service

Call Service connects Cisco call control with the Webex cloud for a single, integrated user experience.

There are two core capabilities in Call Service:

  • Call Service Aware makes Webex Teams aware of all calls across your Cisco unified communications system, thus enabling a variety of capabilities.
  • Call Service Connect connects Webex Teams with Cisco Unified Communications Manager so they work together. As part of this service, the Webex Teams app can be used as a mobile soft client for voice and video calling and shares an extension with your Cisco desk phone.

For details see the Hybrid Call Services Deployment Guide
 

Network Requirements for Hybrid Calling SIP Signalling


Hybrid Calling uses SIP signalling between Expressway C, Expressway E and the Webex cloud. Hybrid Calling is used to establish calls between on-premises devices (registered to Cisco Unified CM) and Webex Teams apps and devices (registered to the Webex Teams cloud using HTTPS).

The SIP connection between your Expressway E and the Webex Teams Cloud uses Mutual TLS (MTLS) to verify the authenticity of both the Express E and the Webex Cloud edge. For more information see Important Items for Hybrid Services Deployments.

If the SIP signalling to and from Expressway E passes through your firewall, you will need to allow outbound and inbound SIP signalling traffic to and from the Webex Teams Cloud to reach your Expressway E nodes.
This can be achieved by whitelisting SIP signalling traffic to and from the following AWS regions us-east-2, eu-central-1, us-gov-west-2, us-west-2 to the IP address of your Expressway E node(s). The IP address ranges for these AWS regions can be found here: https://docs.aws.amazon.com/quicksight/latest/user/regions.html
Media for Hybrid Calling uses the same destination IP subnets as Webex Teams and Webex Meetings (listed here)

Hybrid Calendar Service

The Hybrid Calendar service connects Microsoft Exchange, Office 365 or Google Calendar to Webex Teams, making it easier to schedule and join meetings, especially when mobile.

For details see: Deployment Guide for Webex Teams Hybrid Calendar Service


Hybrid Directory Service

The Hybrid Directory service connects Active Directory to Webex Teams. It enables a user to see and add company contacts to their Webex Teams rooms and easily click to call or message. It also offers a simple administrative process that automatically and securely extends enterprise directory contacts to the cloud and keeps them in sync for accuracy and consistency.

For details see: Deployment Guide for Cisco Directory Connector

 

Webex Calling – Network Requirements

The network requirements for the Webex Calling service can be found here : https://help.webex.com/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling
 

Document Revision History - Network Requirements for Webex Teams Services

 

Revision Date

New and Changed Information

03/13/20New URL added for the walkme.com service
TLS media transport for Room OS devices added
New section added : Network Requirements for Hybrid Calling SIP Signalling
Link added for the Webex Calling network requirements document
12/11/19Minor text changes, Update of the Webex Teams Apps and Devices – Port Numbers and Protocols table, Update and reformat of the Webex Teams URLs tables. Remove NTLM Proxy Auth support for Management Connector and Call Connector hybrid services
10/14/19TLS Inspection support for Room Devices added
9/16/2019Addition of TCP support requirement for DNS systems using TCP as a transport protocol.
Addition of the URL *.walkme.com – This service provides onboarding and usage tours for new users.
Amendments to the service URLs used by Web Assistant.
8/28/2019*.sparkpostmail1.com URL added
e-mail service for newsletters, registration info, announcements
8/20/2019Proxy support added for Video Mesh Node and Hybrid Data Security service
8/15/2019Overview of Cisco and AWS data centre used for Webex Teams Service.
*.webexcontent.com URL added for file storage
Note on deprecation of clouddrive.com for file storage
*.walkme.com URL added for metrics and testing
7/12/2019*.activate.cisco.com and *.webapps.cisco.com URLs added
Text to Speech URLs updated to *.speech-googleapis.wbx2.com and
*.texttospeech-googleapis.wbx2.com
*.quay.io URL removed
Hybrid Services Containers URL updated to *.amazonaws.com
6/27/2019Added *.accompany.com whitelist requirement for People Insights feature
4/25/2019Added 'Webex Teams services' for line about TLS version support.
Added 'Webex Teams' to media streams line under Media traffic.
Added 'geographic' before region in Webex Teams IP subnets for media section.
Made other minor edits to wording.
Edited Webex Teams URLs table, by updating URL for A/B testing & metrics, and adding new row for Google Speech Services.
In 'Additional URLs for Webex Teams Hybrid Services' section, removed '10.1' version info after AsyncOS.
Updated text in 'Proxy Authentication Support' section.
 
3/26/2019Changed the URL linked here "please refer to the WSA Webex Teams configuration document for guidance" from https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-739977.pdf to https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1.html

Changed the URL "api.giphy.com" to *.giphy.com
2/21/2019Updated 'Webex Calling' to read "Webex Calling (formerly Spark Calling) as requested by John Costello, due to upcoming product launch of same name - Webex Calling through BroadCloud.
2/6/2019Updated text 'Hybrid Media Node' to read 'Webex Video Mesh Node'
1/11/2019Updated text 'End to End encrypted files uploaded to Webex Teams spaces and Avatar storage' to now read 'End to End encrypted files uploaded to Webex Teams spaces, Avatar storage, Webex Teams branding Logos'
1/9/2019Updated to remove following line: '*In order for Webex Teams Room devices to obtain the CA certificate necessary to validate communication through your TLS-inspecting proxy, please contact your CSM, or open a case with the Cisco TAC.'
5th December 2018Updated URLs: Removed 'https://' from 4 entries in the Webex Teams URLs table:

https://api.giphy.com                           ->  api.giphy.com 
https://safebrowsing.googleapis.com             ->  safebrowsing.googleapis.com
http://www.msftncsi.com/ncsi.txt                ->  msftncsi.com/ncsi.txt
https://captive.apple.com/hotspot-detect.html   ->  captive.apple.com/hotspot-detect.html
  • Updated linked .CSV file for Webex Teams to show revised links shown above
30th November 2018New URLs :
*.ciscosparkcontent.com, *.storage101.ord1.clouddrive.com, *.storage101.dfw1.clouddrive.com, *.storage101.iad3.clouddrive.com, https://api.giphy.com, https://safebrowsing.googleapis.com, http://www.msftncsi.com/ncsi.txt, https://captive.apple.com/hotspot-detect.html, *.segment.com, *.segment.io, *.amplitiude.com,*.eum-appdynamics.com, *.docker.io, *.core-os.net, *.s3.amazonaws.com, *.identity.api.rackspacecloud.com
Support for additional Proxy Authentication Methods for Windows, iOS and Android
Webex Board adopts Room Device OS and features ; Proxy features shared by Room Devices: SX, DX, MX, Room Kit series and Webex Board
Support for TLS Inspection by iOS and Android Apps
Removal of support for TLS Inspection removed on Room Devices: SX, DX, MX, Room Kit series and Webex Board
Webex Board adopts Room Device OS and features ; 802.1X support
21st November 2018Following Note added to IP Subnets for media section : The above IP range list for cloud media resources is not exhaustive, and there may be other IP ranges used by Cisco Webex Teams which are not included in the above list. However, the Webex Teams app and devices will be able to function normally without being able to connect to the unlisted media IP addresses.
19th October 2018Note added : Webex Teams use of third parties for diagnostic and troubleshooting data collection; and the collection of crash and usage metrics. The data that may be sent to these third party sites is described in the Webex Privacy datasheet. For details see : https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-webex-privacy-data-sheet.pdf
Separate table for Additional URLs used by Hybrid Services : *.cloudfront.net, *.docker.com, *.quay.io, *.cloudconnector.cisco.com, *.clouddrive.com
7th August 2018Note added to Ports and Protocols table : If you configure a local NTP and DNS server in the Video Mesh Node’s OVA, then ports 53 and 123 are not required to be opened through the firewall.
7th May 2018Substantial document revision

Receive email updates to this article!

Was this article helpful?

Related Articles

Recently Viewed