FedRAMP Meetings/Webex For Government

Meetings Ports and IP Ranges Quick Reference
The following IP ranges are utilized by sites that are deployed on the FedRAMP meeting cluster.  For the purposes of this document these ranges are referred to as the 'Webex IP Ranges':

• 170.133.156.0/22 (170.133.156.0 to 170.133.159.255)
• 207.182.160.0/21 (207.182.160.0 to 207.182.167.255)
• 207.182.168.0/23 (207.182.168.0 to 207.182.169.255)
• 207.182.176.0/22 (207.182.176.0 to 207.182.179.255)
• 207.182.190.0/23 (207.182.190.0 to 207.182.191.255)
• 216.151.130.0/24 (216.151.130.0 to 216.151.130.255)
• 216.151.134.0/24 (216.151.134.0 to 216.151.134.255)
• 216.151.135.0/25 (216.151.135.0 to 216.151.135.127)
• 216.151.135.240/28 (216.151.135.240 to 216.151.135.255)
• 216.151.138.0/24 (216.151.138.0 to 216.151.138.255)
• 216.151.139.0/25 (216.151.139.0 to 216.151.139.127)
• 216.151.139.240/28 (216.151.139.241 to 216.151.139.254)

Services deployed on this IP range include, but not limited to, the following:

• The meeting website (e.g. customersite.webex.com)
• Meeting data servers
• Multimedia servers for computer audio (VoIP) and webcam video
• XML/API services including Productivity Tools scheduling
• Network-Based Recording (NBR) servers
• Secondary services when primary services are in maintenance or are experiencing technical difficulties

The following URIs are used to check the 'Certificate Revocation List' for our security certificates.  The Certificate Revocation Lists to ensure that no compromised certificates can be used to intercept secure Webex Traffic. This traffic occurs on TCP Port 80:

• *.quovadisglobal.com
• *.digicert.com
• *.identrust.com (IdenTrust certificates)

Note: 
The following UserAgents will be passed by Webex by the utiltp process in Webex, and should be allowed through an agency's firewall:

• UserAgent=WebexInMeetingWin
• UserAgent=WebexInMeetingMac
• UserAgent=prefetchDocShow
• UserAgent=standby

https://activation.webex.com/api/v1/ping as part of the allowed URLs. It is used as part of the device activation process, and "it’s used by the device before the device knows it’s a FedRAMP device. The device just sends it an activation code that has no FedRAMP information, the service sees that it’s a FedRAMP activation code and then it redirects them."


All FedRAMP traffic is required to use  TLS 1.2 Encryption and mTLS 1.2 Encryption for on-prem SIP registered Devices:
 

Ports Used by Webex Meeting Clients (including Cloud registered Devices)
Protocol	Port number(s)	Direction	Traffic Type	IP Range	Comments
TCP	80/443	Outbound to Webex	HTTP, HTTPS	Webex and AWS (Not recommended to filter by IP)	*.webex.com *.gov.ciscospark.com *.s3.us-gov-west-1.amazonaws.com (This is used to serve static content and files) Webex recommends filtering by URL.  IF Filtering by IP address you must allow AWS GovCloud, Cloudfront, and Webex IP ranges
TCP/UDP	53	Outbound to Local DNS	Domain Name Services (DNS)	Only DNS Server	Used for DNS lookups to discover the IP addresses of Webex servers in the cloud. Even though typical DNS lookups are done over UDP, some may require TCP, if the query responses cannot fit it in UDP packets
UDP	9000, 5004/	Outbound to Webex	Primary Webex Client Media (VoIP & Video RTP)	Webex	Webex client media port is used to exchange computer audio, webcam video, and content sharing streams. Opening this port is required to ensure the best possible media experience
TCP	5004, 443, 80	Outbound to Webex	Alternate Webex Client Media (VoIP & Video RTP)	Webex	Fall-back ports for media connectivity when UDP port 9000 is not open in the firewall
UDP/TCP	Audio: 52000 to 52049 Video:52100 to 52199	Inbound to Your Network	Webex Client Media(Voip and Video)	Return from AWS and Webex	Webex will communicate to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through. Note: This is enabled by default.
TCP/UDP	OS-Specific Ephemeral Ports	Inbound to Your Network	Return traffic from Webex	Return from AWS and Webex	Webex will communicate to the destination port received when the client makes its connection.  A firewall should be configured to allow these return connections through. Note: this is usually automatically opened in a stateful firewall however is listed here for completeness

 
For customers enabling Webex for Government who are not able to allow URL-based filtering for HTTPS, you will need to allow connectivity with AWS Gov Cloud West (region: us‐gov‐west‐1) and Cloud Front (service: CLOUDFRONT). Please review AWS documentation to identify the IP ranges for AWS Gov Cloud West region and AWS Cloud Front. AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws‐ip‐ranges.html 
Cisco Webex strongly recommends filtering by URL when possible. 

Cloudfront is used for static content delivered via Content Delivery Network to give customers the best performance around the country.  
 

Ports Used by Premise Registered Cisco Video Collaboration Devices (See also the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings)
Protocol	Port Number(s)	Direction	Access Type	IP Range	Comments
TCP	5061-5070	Outbound to Webex	SIP Signaling	Webex	The Webex media edge listens on these ports
TCP	5061, 5065	Inbound to Your Network	SIP Signaling	Webex	Inbound SIP Signaling traffic from the Webex Cloud
TCP	5061	Inbound to your network	SIP signaling from Cloud registered devices	AWS	Inbound calls from Webex App 1:1 Calling and Cloud registered devices to your on-premise registered SIP URI.  *5061 is the default port.  Webex supports 5061-5070 ports to be used by customers as defined in their SIP SRV Record
TCP/UDP	1719, 1720, 15000-19999	Both Inbound & Outbound	H.323 LS	Webex	If your endpoint requires gatekeeper communication, also open port 1719 which includes Lifesize
TCP/UDP	Ephemeral Ports, 36000-59999	Both Inbound & Outbound	Media ports	Webex	If you're using a Cisco Expressway, the media ranges need to be set to 36000-59999. If you are using a third-party endpoint or call control, they need to be configured to use this range
TCP	443	Outbound to Premise registered Video Device	On-Premise Device Proximity	Local Network	The Webex app or Webex Desktop App must have an IPv4 route-able path between itself and the video device using HTTPS

For customers enabling Webex for Government receiving Inbound calls from Webex App 1:1 Calling and Cloud registered devices to your on-premise registered SIP URI.   You must also allow connectivity with AWS Gov Cloud West (region: us‐gov‐west‐1). Please review AWS documentation to identify the IP ranges for AWS Gov Cloud West region.  The AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws‐ip‐ranges.html
 

Ports Used by Webex Edge Audio (Only needed for customers leveraging Webex Edge Audio)
Protocol	Port Number(s)	Direction	Access Type	IP Range	Comments
TCP	5061, 5062	Inbound to Your Network	SIP Signaling	Webex	Inbound SIP signaling for Webex Edge Audio
TCP	5061, 5065	Outbound to Webex	SIP Signaling	Webex	Outbound SIP signaling for Webex Edge Audio
TCP/UDP	Ephemeral Ports, 8000-59999	Inbound to Your Network	Media Ports	Webex	On an enterprise firewall, ports need to be opened up for incoming traffic to Expressway with a port range from 8000 - 59999

To configure mTLS, see below:

• Configure Expressway | Mutual TLS Authentication.
• Supported Root Certificate Authorities | Cisco Webex Audio and Video Platforms.
• Cisco Webex Edge Audio | Configuration Guide.