Network Requirements for Webex for Government (FedRAMP)
Webex for Government Meetings Ports and IP Ranges
Network Requirements for Webex for Government (FedRAMP).
FedRAMP Webex Meetings Ports and IP Ranges.
FedRAMP Meetings/Webex For Government
Meetings Ports and IP Ranges Quick Reference
The following IP ranges are utilized by sites that are deployed on the FedRAMP meeting cluster. For the purposes of this document these ranges are referred to as the 'Webex IP Ranges':
- 170.133.156.0/22 (170.133.156.0 to 170.133.159.255)
- 207.182.160.0/21 (207.182.160.0 to 207.182.167.255)
- 207.182.168.0/23 (207.182.168.0 to 207.182.169.255)
- 207.182.176.0/22 (207.182.176.0 to 207.182.179.255)
- 207.182.190.0/23 (207.182.190.0 to 207.182.191.255)
- 216.151.130.0/24 (216.151.130.0 to 216.151.130.255)
- 216.151.134.0/24 (216.151.134.0 to 216.151.134.255)
- 216.151.135.0/25 (216.151.135.0 to 216.151.135.127)
- 216.151.135.240/28 (216.151.135.240 to 216.151.135.255)
- 216.151.138.0/24 (216.151.138.0 to 216.151.138.255)
- 216.151.139.0/25 (216.151.139.0 to 216.151.139.127)
- 216.151.139.240/28 (216.151.139.241 to 216.151.139.254)
- The meeting website (e.g. customersite.webex.com)
- Meeting data servers
- Multimedia servers for computer audio (VoIP) and webcam video
- XML/API services including Productivity Tools scheduling
- Network-Based Recording (NBR) servers
- Secondary services when primary services are in maintenance or are experiencing technical difficulties
- *.quovadisglobal.com
- *.digicert.com
- *.identrust.com (IdenTrust certificates)
The following UserAgents will be passed by Webex by the utiltp process in Webex, and should be allowed through an agency's firewall:
- UserAgent=WebexInMeetingWin
- UserAgent=WebexInMeetingMac
- UserAgent=prefetchDocShow
- UserAgent=standby
All FedRAMP traffic is required to use TLS 1.2 Encryption and mTLS 1.2 Encryption for on-prem SIP registered Devices:
Ports Used by Webex Meeting Clients (including Cloud registered Devices) | |||||
Protocol | Port number(s) | Direction | Traffic Type | IP Range | Comments |
TCP | 80/443 | Outbound to Webex | HTTP, HTTPS | Webex and AWS (Not recommended to filter by IP) | *.webex.com *.gov.ciscospark.com *.s3.us-gov-west-1.amazonaws.com (This is used to serve static content and files) Webex recommends filtering by URL. IF Filtering by IP address you must allow AWS GovCloud, Cloudfront, and Webex IP ranges |
TCP/UDP | 53 | Outbound to Local DNS | Domain Name Services (DNS) | Only DNS Server | Used for DNS lookups to discover the IP addresses of Webex servers in the cloud. Even though typical DNS lookups are done over UDP, some may require TCP, if the query responses cannot fit it in UDP packets |
UDP | 9000, 5004/ | Outbound to Webex | Primary Webex Client Media (VoIP & Video RTP) | Webex | Webex client media port is used to exchange computer audio, webcam video, and content sharing streams. Opening this port is required to ensure the best possible media experience |
TCP | 5004, 443, 80 | Outbound to Webex | Alternate Webex Client Media (VoIP & Video RTP) | Webex | Fall-back ports for media connectivity when UDP port 9000 is not open in the firewall |
UDP/TCP | Audio: 52000 to 52049 Video:52100 to 52199 | Inbound to Your Network | Webex Client Media(Voip and Video) | Return from AWS and Webex | Webex will communicate to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through. Note: This is enabled by default. |
TCP/UDP | OS-Specific Ephemeral Ports | Inbound to Your Network | Return traffic from Webex | Return from AWS and Webex | Webex will communicate to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through. Note: this is usually automatically opened in a stateful firewall however is listed here for completeness |
For customers enabling Webex for Government who are not able to allow URL-based filtering for HTTPS, you will need to allow connectivity with AWS Gov Cloud West (region: us‐gov‐west‐1) and Cloud Front (service: CLOUDFRONT). Please review AWS documentation to identify the IP ranges for AWS Gov Cloud West region and AWS Cloud Front. AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws‐ip‐ranges.html
Cisco Webex strongly recommends filtering by URL when possible.
Cloudfront is used for static content delivered via Content Delivery Network to give customers the best performance around the country.
Ports Used by Premise Registered Cisco Video Collaboration Devices (See also the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings) | |||||
Protocol | Port Number(s) | Direction | Access Type | IP Range | Comments |
TCP | 5061-5070 | Outbound to Webex | SIP Signaling | Webex | The Webex media edge listens on these ports |
TCP | 5061, 5065 | Inbound to Your Network | SIP Signaling | Webex | Inbound SIP Signaling traffic from the Webex Cloud |
TCP | 5061 | Inbound to your network | SIP signaling from Cloud registered devices | AWS | Inbound calls from Webex App 1:1 Calling and Cloud registered devices to your on-premise registered SIP URI. *5061 is the default port. Webex supports 5061-5070 ports to be used by customers as defined in their SIP SRV Record |
TCP/UDP | 1719, 1720, 15000-19999 | Both Inbound & Outbound | H.323 LS | Webex | If your endpoint requires gatekeeper communication, also open port 1719 which includes Lifesize |
TCP/UDP | Ephemeral Ports, 36000-59999 | Both Inbound & Outbound | Media ports | Webex | If you're using a Cisco Expressway, the media ranges need to be set to 36000-59999. If you are using a third-party endpoint or call control, they need to be configured to use this range |
TCP | 443 | Outbound to Premise registered Video Device | On-Premise Device Proximity | Local Network | The Webex app or Webex Desktop App must have an IPv4 route-able path between itself and the video device using HTTPS |
For customers enabling Webex for Government receiving Inbound calls from Webex App 1:1 Calling and Cloud registered devices to your on-premise registered SIP URI. You must also allow connectivity with AWS Gov Cloud West (region: us‐gov‐west‐1). Please review AWS documentation to identify the IP ranges for AWS Gov Cloud West region. The AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws‐ip‐ranges.html
Ports Used by Webex Edge Audio (Only needed for customers leveraging Webex Edge Audio) | |||||
Protocol | Port Number(s) | Direction | Access Type | IP Range | Comments |
TCP | 5061, 5062 | Inbound to Your Network | SIP Signaling | Webex | Inbound SIP signaling for Webex Edge Audio |
TCP | 5061, 5065 | Outbound to Webex | SIP Signaling | Webex | Outbound SIP signaling for Webex Edge Audio |
TCP/UDP | Ephemeral Ports, 8000-59999 | Inbound to Your Network | Media Ports | Webex | On an enterprise firewall, ports need to be opened up for incoming traffic to Expressway with a port range from 8000 - 59999 |
- Configure Expressway | Mutual TLS Authentication.
- Supported Root Certificate Authorities | Cisco Webex Audio and Video Platforms.
- Cisco Webex Edge Audio | Configuration Guide.
Was this article helpful?