Network Requirements for Webex for Government (FedRAMP)

Webex for Government Meetings Ports and IP Ranges

Meetings Ports and IP Ranges Quick Reference
The following IP ranges are utilized by sites that are deployed on the FedRAMP meeting cluster.  For the purposes of this document these ranges are referred to as the 'Webex IP Ranges':

  • 170.133.156.0/22 (170.133.156.0 to 170.133.159.255)
  • 207.182.160.0/21 (207.182.160.0 to 207.182.167.255)
  • 207.182.168.0/23 (207.182.168.0 to 207.182.169.255)
  • 207.182.176.0/22 (207.182.176.0 to 207.182.179.255)
  • 207.182.190.0/23 (207.182.190.0 to 207.182.191.255)
  • 216.151.130.0/24 (216.151.130.0 to 216.151.130.255)
  • 216.151.134.0/24 (216.151.134.0 to 216.151.134.255)
  • 216.151.135.0/25 (216.151.135.0 to 216.151.135.127)
  • 216.151.135.240/28 (216.151.135.240 to 216.151.135.255)
  • 216.151.138.0/24 (216.151.138.0 to 216.151.138.255)
  • 216.151.139.0/25 (216.151.139.0 to 216.151.139.127)
  • 216.151.139.240/28 (216.151.139.241 to 216.151.139.254)
Services deployed on this IP range include, but are not limited to, the following:
  • The meeting website (e.g. customersite.webex.com)
  • Meeting data servers
  • Multimedia servers for computer audio (VoIP) and webcam video
  • XML/API services including Productivity Tools scheduling
  • Network-Based Recording (NBR) servers
  • Secondary services when primary services are in maintenance or are experiencing technical difficulties
The following URIs are used to check the Certificate Revocation List (CRL) for our security certificates. The Certificate Revocation Lists ensure that no compromised certificates can be used to intercept secure Webex traffic. This traffic occurs on TCP port 80:
  • *.quovadisglobal.com
  • *.digicert.com
  • *.identrust.com (IdenTrust certificates)
Note
The following UserAgents are passed by the utiltp process in Webex and should be allowed through an agency's firewall:
  • UserAgent=WebexInMeetingWin
  • UserAgent=WebexInMeetingMac
  • UserAgent=prefetchDocShow
  • UserAgent=standby
https://activation.webex.com/api/v1/ping as part of the allowed URLs. It is used as part of the device activation process, and "it’s used by the device before the device knows it’s a FedRAMP device. The device just sends it an activation code that has no FedRAMP information, the service sees that it’s a FedRAMP activation code and then it redirects them."


All FedRAMP traffic is required to use TLS 1.2 Encryption and mTLS 1.2 Encryption for on-prem SIP registered Devices:
 
Ports Used by Webex Meeting Clients (including Cloud registered Devices)
| Protocol | Port number(s) | Direction | Traffic Type | IP Range | Comments |
|---|---|---|---|---|---|
| TCP | 80/443 | Outbound to Webex | HTTP, HTTPS | Webex and AWS (Not recommended to filter by IP) | *.webex.com, *.gov.ciscospark.com, *.s3.us-gov-west-1.amazonaws.com (this is used to serve static content and files). Webex recommends filtering by URL. If filtering by IP address, you must allow AWS GovCloud, Cloudfront, and Webex IP ranges |
| TCP/UDP | 53 | Outbound to Local DNS | Domain Name Services (DNS) | Only DNS Server | Used for DNS lookups to discover the IP addresses of Webex servers in the cloud. Even though typical DNS lookups are done over UDP, some may require TCP if the query responses cannot fit in UDP packets |
| UDP | 9000, 5004/ | Outbound to Webex | Primary Webex Client Media (VoIP & Video RTP) | Webex | Webex client media port is used to exchange computer audio, webcam video, and content sharing streams. Opening this port is required to ensure the best possible media experience |
| TCP | 5004, 443, 80 | Outbound to Webex | Alternate Webex Client Media (VoIP & Video RTP) | Webex | Fall-back ports for media connectivity when UDP port 9000 is not open in the firewall |
| UDP/TCP | Audio: 52000 to 52049; Video: 52100 to 52199 | Inbound to Your Network | Webex Client Media (VoIP and Video) | Return from AWS and Webex | Webex will communicate to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through. Note: This is enabled by default. |
| TCP/UDP | OS-Specific Ephemeral Ports | Inbound to Your Network | Return traffic from Webex | Return from AWS and Webex | Webex will communicate to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through. Note: this is usually opened automatically in a stateful firewall, but is listed here for completeness |
 
Customers enabling Webex for Government who are not able to allow URL-based filtering for HTTPS will need to allow connectivity with AWS Gov Cloud West (region: us-gov-west-1) and Cloud Front (service: CLOUDFRONT). Please review AWS documentation to identify the IP ranges for AWS Gov Cloud West region and AWS Cloud Front. AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
Cisco Webex strongly recommends filtering by URL when possible. 

Cloudfront is used for static content delivered via Content Delivery Network to give customers the best performance around the country.  
 
Ports Used by Premise Registered Cisco Video Collaboration Devices
(See also the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings)
| Protocol | Port Number(s) | Direction | Access Type | IP Range | Comments |
|---|---|---|---|---|---|
| TCP | 5061-5070 | Outbound to Webex | SIP Signaling | Webex | The Webex media edge listens on these ports |
| TCP | 5061, 5065 | Inbound to Your Network | SIP Signaling | Webex | Inbound SIP Signaling traffic from the Webex Cloud |
| TCP | 5061 | Inbound to your network | SIP signaling from Cloud registered devices | AWS | Inbound calls from Webex App 1:1 Calling and Cloud registered devices to your on-premise registered SIP URI. *5061 is the default port. Webex supports 5061-5070 ports to be used by customers as defined in their SIP SRV Record |
| TCP/UDP | 1719, 1720, 15000-19999 | Both Inbound & Outbound | H.323 LS | Webex | If your endpoint requires gatekeeper communication, also open port 1719 which includes Lifesize |
| TCP/UDP | Ephemeral Ports, 36000-59999 | Both Inbound & Outbound | Media ports | Webex | If you're using a Cisco Expressway, the media ranges need to be set to 36000-59999. If you are using a third-party endpoint or call control, they need to be configured to use this range |
| TCP | 443 | Outbound to Premise registered Video Device | On-Premise Device Proximity | Local Network | The Webex app or Webex Desktop App must have an IPv4 route-able path between itself and the video device using HTTPS |

Customers enabling Webex for Government who receive inbound calls from Webex App 1:1 Calling and Cloud registered devices to their on-premise registered SIP URI must also allow connectivity with AWS Gov Cloud West (region: us-gov-west-1). Please review AWS documentation to identify the IP ranges for AWS Gov Cloud West region. The AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
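For the IP-based filtering cases described above (HTTPS clients that cannot be filtered by URL, and inbound SIP from AWS), the following added example, which is not Cisco or AWS code, builds an allowlist from the Webex IP Ranges on this page plus the us-gov-west-1 and CLOUDFRONT entries of AWS's ip-ranges.json and tests addresses against it. The AWS data is a constructed sample using documentation prefixes, and the function names are hypothetical.

```python
import ipaddress
import json

# Webex IP Ranges exactly as listed in the quick reference on this page.
WEBEX_RANGES = [
    "170.133.156.0/22", "207.182.160.0/21", "207.182.168.0/23",
    "207.182.176.0/22", "207.182.190.0/23", "216.151.130.0/24",
    "216.151.134.0/24", "216.151.135.0/25", "216.151.135.240/28",
    "216.151.138.0/24", "216.151.139.0/25", "216.151.139.240/28",
]

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# RFC 5737 documentation addresses, NOT real AWS ranges. The real file also
# carries an "ipv6_prefixes" list, which this IPv4-only example does not read.
SAMPLE_AWS_JSON = """
{"prefixes": [
  {"ip_prefix": "192.0.2.0/25",    "region": "us-gov-west-1", "service": "AMAZON"},
  {"ip_prefix": "192.0.2.0/24",    "region": "us-gov-west-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",        "service": "CLOUDFRONT"},
  {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1",     "service": "EC2"}
]}
"""

def aws_prefixes(doc, want_cloudfront):
    """Select us-gov-west-1 prefixes, plus CLOUDFRONT ones when requested."""
    nets = []
    for entry in doc.get("prefixes", []):
        in_region = entry["region"] == "us-gov-west-1"
        is_cf = want_cloudfront and entry["service"] == "CLOUDFRONT"
        if in_region or is_cf:
            nets.append(ipaddress.ip_network(entry["ip_prefix"], strict=True))
    return nets

def build_allowlist(aws_doc, want_cloudfront=True):
    """Merge Webex and AWS ranges; overlapping prefixes are collapsed."""
    nets = [ipaddress.ip_network(c, strict=True) for c in WEBEX_RANGES]
    nets += aws_prefixes(aws_doc, want_cloudfront)
    return list(ipaddress.collapse_addresses(nets))

def is_allowed(ip, allowlist):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

if __name__ == "__main__":
    allow = build_allowlist(json.loads(SAMPLE_AWS_JSON))
    for ip in ("207.182.165.10", "216.151.135.200", "203.0.113.5"):
        print(ip, "allow" if is_allowed(ip, allow) else "deny")
```

For inbound SIP from AWS only the us-gov-west-1 region is named above, so call `build_allowlist(doc, want_cloudfront=False)` for that rule set. Note that 216.151.135.128 to 216.151.135.239 is not part of the listed ranges, so a rule written as a single 216.151.135.0/24 would be broader than the page specifies.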
 
Ports Used by Webex Edge Audio
(Only needed for customers leveraging Webex Edge Audio)
| Protocol | Port Number(s) | Direction | Access Type | IP Range | Comments |
|---|---|---|---|---|---|
| TCP | 5061, 5062 | Inbound to Your Network | SIP Signaling | Webex | Inbound SIP signaling for Webex Edge Audio |
| TCP | 5061, 5065 | Outbound to Webex | SIP Signaling | Webex | Outbound SIP signaling for Webex Edge Audio |
| TCP/UDP | Ephemeral Ports, 8000-59999 | Inbound to Your Network | Media Ports | Webex | On an enterprise firewall, ports need to be opened up for incoming traffic to Expressway with a port range from 8000 - 59999 |
To configure mTLS, see below:
