Network Requirements for Webex Teams Services
Network Requirements for Webex Teams Services
Document Revision History
This article is intended for network administrators, particularly firewall, proxy and web security administrators. It will help you configure your network to support Webex Teams. For network requirements for classic Webex Meetings clients see WBX264 - How Do I Allow Webex Meetings Traffic on My Network?.
All Webex Teams apps and devices initiate outbound connections only. Cisco’s Webex Cloud never initiates any connections to Webex Teams apps and devices. Webex Teams services are hosted in globally distributed data centers, that are either Cisco owned (e.g. Webex data centers for identity services, key management services and media servers) or hosted in a Cisco Virtual Private Cloud (VPC) on the Amazon AWS platform (e.g. Webex Teams micro-services, message and file storage services). All data is encrypted in transit and at rest.
Webex Teams apps and devices use HTTPS and WSS (secure websockets) for signalling. Signalling connections are outbound only and use URLs (rather than IP addresses) for session establishment.
Signalling traffic is protected by TLS using strong encryption suites (256 bit, or 128 bit symmetric cipher key sizes, SHA-2 hash functions). TLS cipher suites using 256 bit symmetric cipher keys are preferred e.g.:
TLS version 1.2 only is supported by Webex Teams services.
All Webex Teams features other than real-time media depend on TLS signalling.
Webex Teams URLs for signalling traffic
If you have deployed proxies, or firewalls to filter traffic leaving your enterprise network, the list of destination URLs that need to be white listed to access the Webex Teams service can be found here Webex Teams URLs. Filtering Webex Teams signalling traffic by IP address is not supported as the IP addresses used by Webex Teams are dynamic and may change at any time.
Webex Teams apps and devices use encrypted real-time media for audio, video, and content sharing streams. Typically*, media from any Webex Teams app or device transits from the user’s location to media nodes in the Webex Cloud, where the streams are mixed and distributed. This is true for all call types e.g. 1:1 calls and multiparty calls. (*On-premise Video Mesh Nodes can also be deployed to mix and distribute media locally).
Cisco secures all Webex Teams media streams using the Secure Real-Time Transport Protocol (SRTP), described in RFC 3711. Cisco apps and devices encrypt media with the AES_CM_128_HMAC_SHA1_80 cipher suite.
In line with RFC 3550 RTP – A Transport Protocol for Real -Time Applications, Cisco prefers and strongly recommends UDP as the transport protocol for Webex Teams voice and video media streams.
Webex Teams apps and devices also support TCP as a fall-back media transport protocol. However, Cisco does not recommend TCP as a transport protocol for voice and video media streams. This is because TCP is connection orientated, and designed to reliably deliver, correctly ordered, data to upper layer protocols. Using TCP, the sender will retransmit lost packets until they are acknowledged, and the receiver buffer the packet stream until the lost packets are recovered. For media streams, this behavior manifests itself as increased latency/jitter, which in turn affects the media quality experienced by the call’s participants.
Webex Teams apps and devices also support TLS (HTTPS) as a tertiary option for media transport. Using TLS can also mean that this Webex Teams media traffic will need to pass through an enterprise’s proxy server to reach media servers in the Webex Cloud. Since proxy servers are, primarily, designed to intercept and forward HTTP based web traffic; media quality can be impacted if the proxy server reaches its performance threshold and drops packets when processing large numbers of high bandwidth media streams.
Webex Teams media flows in both directions using a symmetric inside-initiated, 5-tuple (Source IP address, Destination IP address, Source port, Destination port, protocol) stream outbound to the Webex Cloud.
Webex Teams also uses STUN (RFC 5389) for firewall traversal and media node reachability testing. For more details, please see the Webex Teams Firewall whitepaper.
Webex Teams – Destination IP address ranges for media
If you wish to control the destination of media traffic leaving your enterprise network, the destination IP address ranges for media traffic sent to Webex Teams media nodes can be found here: Webex Teams IP subnets for media
Webex Teams traffic through Proxies and FirewallsMost customers deploy an internet firewall, or internet proxy and firewall, to restrict and control the HTTP based traffic that leaves and enters their network. Follow the firewall and proxy guidance below to enable access to Webex Teams services from your network. Webex Teams URLs.
Webex Teams Apps and Devices – Port Numbers and Protocols
The following table describes ports and protocols used by Webex Teams apps and devices.
(2) The recommendation to open your firewall for encrypted media traffic over UDP/TCP on port 33434 has been deprecated. However, Webex Teams will still probe and use these ports if 5004 is not open. Note - Classic Webex Meeting clients currently use UDP port 9000 for media for details see: WBX264 - How Do I Allow Webex Meetings Traffic on My Network?
Many organizations use proxies to inspect and control the HTTP traffic that leaves their network. Proxies can be used to perform several security functions such as URL whitelisting and blacklisting, user authentication, IP address/domain/hostname/URI reputation look up, and traffic decryption and inspection. The proxy features relevant to Webex Teams are discussed below.
The following table describes the URLs that are used by Webex Teams. If your organization uses a proxy, ensure that these URLs can be accessed. For details on how Webex Teams handles data sent to these URLs see the Webex Teams Security and Privacy whitepaper.
(1) From October 2019, user files will be uploaded and stored in the Cisco managed webexcontent.com domain.
Additional URLs for Webex Teams Hybrid ServicesFor Hybrid Services, access to external domains can be further restricted by configuring your Proxy to allow only the source IP address of your Hybrid Services nodes to reach these URLs (except for the webexcontent.com domain which is also used by Webex Teams apps and devices).
(1) We plan to phase out the use of *.docker.com and *.docker.io for Hybrid Services Containers, eventually replacing them with *.amazonaws.com.
Proxy Authentication Support
Proxies can be used as access control devices, blocking access to external resources until the user/ device provides valid access permission credentials to the proxy. Several authentication methods are supported by Proxies such as Basic Authentication, Digest Authentication, (Windows based) NTLM, Kerberos and Negotiate (Kerberos with NTLM fallback).
(1): Mac NTLM Auth - Machine need not be logged onto domain, user prompted for password
Proxy Inspection and Certificate Pinning
Webex Teams validates the certificates of the systems it communicates with. It does this by ensuring that the certificates presented when establishing a TLS session can be validated against the list of trusted root CA certificates installed in the operating system of the Webex Teams App or device. Webex Teams Apps and devices also check that certificates are not issued by a known malicious, or compromised Certificate Authority.
802.1X – Port based Network Access control
Cisco Webex Video Mesh
Cisco Webex Video Mesh provides a destination for media traffic on your network. Instead of all media going to Webex Cloud, it can remain on your network, for reduced Internet bandwidth usage and increased media quality. For details, see the Cisco Webex Video Mesh Deployment Guide.
Document Revision History - Network Requirements for Webex Teams Services
New and Changed Information
|7/31/20||Added new IP subnets for media services in AWS and Azure data centres|
|7/31/20||Added new UDP destination media ports for SIP calls to the Webex Teams cloud|
|7/27/20||Added 220.127.116.11/16 (CIDR) or 18.104.22.168 - 22.214.171.124 (net range)|
|5/5/20||Added sparkpostmail.com in Third Party domains table|
|4/22/20||Added new IP range 126.96.36.199/17|
|03/13/20||New URL added for the walkme.com service|
TLS media transport for Room OS devices added
New section added : Network Requirements for Hybrid Calling SIP Signalling
Link added for the Webex Calling network requirements document
|12/11/19||Minor text changes, Update of the Webex Teams Apps and Devices – Port Numbers and Protocols table, Update and reformat of the Webex Teams URLs tables. Remove NTLM Proxy Auth support for Management Connector and Call Connector hybrid services|
|10/14/19||TLS Inspection support for Room Devices added|
|9/16/2019||Addition of TCP support requirement for DNS systems using TCP as a transport protocol.|
Addition of the URL *.walkme.com – This service provides onboarding and usage tours for new users.
Amendments to the service URLs used by Web Assistant.
|8/28/2019||*.sparkpostmail1.com URL added|
e-mail service for newsletters, registration info, announcements
|8/20/2019||Proxy support added for Video Mesh Node and Hybrid Data Security service|
|8/15/2019||Overview of Cisco and AWS data centre used for Webex Teams Service.|
*.webexcontent.com URL added for file storage
Note on deprecation of clouddrive.com for file storage
*.walkme.com URL added for metrics and testing
|7/12/2019||*.activate.cisco.com and *.webapps.cisco.com URLs added|
Text to Speech URLs updated to *.speech-googleapis.wbx2.com and
*.quay.io URL removed
Hybrid Services Containers URL updated to *.amazonaws.com
|6/27/2019||Added *.accompany.com whitelist requirement for People Insights feature|
|4/25/2019||Added 'Webex Teams services' for line about TLS version support.|
Added 'Webex Teams' to media streams line under Media traffic.
Added 'geographic' before region in Webex Teams IP subnets for media section.
Made other minor edits to wording.
Edited Webex Teams URLs table, by updating URL for A/B testing & metrics, and adding new row for Google Speech Services.
In 'Additional URLs for Webex Teams Hybrid Services' section, removed '10.1' version info after AsyncOS.
Updated text in 'Proxy Authentication Support' section.
|3/26/2019||Changed the URL linked here "please refer to the WSA Webex Teams configuration document for guidance" from https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-739977.pdf to https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1.html|
Changed the URL "api.giphy.com" to *.giphy.com
|2/21/2019||Updated 'Webex Calling' to read "Webex Calling (formerly Spark Calling) as requested by John Costello, due to upcoming product launch of same name - Webex Calling through BroadCloud.|
|2/6/2019||Updated text 'Hybrid Media Node' to read 'Webex Video Mesh Node'|
|1/11/2019||Updated text 'End to End encrypted files uploaded to Webex Teams spaces and Avatar storage' to now read 'End to End encrypted files uploaded to Webex Teams spaces, Avatar storage, Webex Teams branding Logos'|
|1/9/2019||Updated to remove following line: '*In order for Webex Teams Room devices to obtain the CA certificate necessary to validate communication through your TLS-inspecting proxy, please contact your CSM, or open a case with the Cisco TAC.'|
|5th December 2018||Updated URLs: Removed 'https://' from 4 entries in the Webex Teams URLs table:|
https://api.giphy.com -> api.giphy.com
https://safebrowsing.googleapis.com -> safebrowsing.googleapis.com
http://www.msftncsi.com/ncsi.txt -> msftncsi.com/ncsi.txt
https://captive.apple.com/hotspot-detect.html -> captive.apple.com/hotspot-detect.html
|30th November 2018||New URLs :|
*.ciscosparkcontent.com, *.storage101.ord1.clouddrive.com, *.storage101.dfw1.clouddrive.com, *.storage101.iad3.clouddrive.com, https://api.giphy.com, https://safebrowsing.googleapis.com, http://www.msftncsi.com/ncsi.txt, https://captive.apple.com/hotspot-detect.html, *.segment.com, *.segment.io, *.amplitiude.com,*.eum-appdynamics.com, *.docker.io, *.core-os.net, *.s3.amazonaws.com, *.identity.api.rackspacecloud.com
|Support for additional Proxy Authentication Methods for Windows, iOS and Android|
|Webex Board adopts Room Device OS and features ; Proxy features shared by Room Devices: SX, DX, MX, Room Kit series and Webex Board|
|Support for TLS Inspection by iOS and Android Apps|
|Removal of support for TLS Inspection removed on Room Devices: SX, DX, MX, Room Kit series and Webex Board|
|Webex Board adopts Room Device OS and features ; 802.1X support|
|21st November 2018||Following Note added to IP Subnets for media section : The above IP range list for cloud media resources is not exhaustive, and there may be other IP ranges used by Cisco Webex Teams which are not included in the above list. However, the Webex Teams app and devices will be able to function normally without being able to connect to the unlisted media IP addresses.|
|19th October 2018||Note added : Webex Teams use of third parties for diagnostic and troubleshooting data collection; and the collection of crash and usage metrics. The data that may be sent to these third party sites is described in the Webex Privacy datasheet. For details see : https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-webex-privacy-data-sheet.pdf|
|Separate table for Additional URLs used by Hybrid Services : *.cloudfront.net, *.docker.com, *.quay.io, *.cloudconnector.cisco.com, *.clouddrive.com|
|7th August 2018||Note added to Ports and Protocols table : If you configure a local NTP and DNS server in the Video Mesh Node’s OVA, then ports 53 and 123 are not required to be opened through the firewall.|
|7th May 2018||Substantial document revision|