Meetings ports and IP ranges quick reference

The following IP ranges are utilized by sites deployed on the FedRAMP meeting cluster. For this document, these ranges are referred to as the 'Webex IP Ranges':

  • 150.253.150.0/23 (150.253.150.0 to 150.253.151.255)
  • 144.196.224.0/21 (144.196.224.0 to 144.196.231.255)
  • 23.89.18.0/23 (23.89.18.0 to 23.89.19.255)
  • 163.129.16.0/21 (163.129.16.0 to 163.129.23.255)
  • 170.72.254.0/24 (170.72.254.0 to 170.72.254.255)
  • 170.133.156.0/22 (170.133.156.0 to 170.133.159.255)
  • 207.182.160.0/21 (207.182.160.0 to 207.182.167.255)
  • 207.182.168.0/23 (207.182.168.0 to 207.182.169.255)
  • 207.182.176.0/22 (207.182.176.0 to 207.182.179.255)
  • 207.182.190.0/23 (207.182.190.0 to 207.182.191.255)
  • 216.151.130.0/24 (216.151.130.0 to 216.151.130.255)
  • 216.151.134.0/24 (216.151.134.0 to 216.151.134.255)
  • 216.151.135.0/25 (216.151.135.0 to 216.151.135.127)
  • 216.151.135.240/28 (216.151.135.240 to 216.151.135.255)
  • 216.151.138.0/24 (216.151.138.0 to 216.151.138.255)
  • 216.151.139.0/25 (216.151.139.0 to 216.151.139.127)
  • 216.151.139.240/28 (216.151.139.241 to 216.151.139.254)

Deployed services

Services deployed on this IP range include, but are not limited to, the following:

  • The meeting website (e.g., customersite.webex.com)
  • Meeting data servers
  • Multimedia servers for computer audio (VoIP) and webcam video
  • XML/API services, including Productivity Tools scheduling
  • Network-Based Recording (NBR) servers
  • Secondary services when primary services are in maintenance or are experiencing technical difficulties

The following URIs are used to check the 'Certificate Revocation List' for our security certificates. The Certificate Revocation Lists to ensure that no compromised certificates can be used to intercept secure Webex Traffic. This traffic occurs on TCP Port 80:

  • *.quovadisglobal.com
  • *.digicert.com
  • *.identrust.com (IdenTrust certificates)

The following UserAgents will be passed by Webex by the utiltp process in Webex and should be allowed through an agency's firewall:

  • UserAgent=WebexInMeetingWin
  • UserAgent=WebexInMeetingMac
  • UserAgent=prefetchDocShow
  • UserAgent=standby

https://activation.webex.com/api/v1/ping as part of the allowed URLs. It is used as part of the device activation process, and "the device uses it before it knows it’s a FedRAMP device. The device sends it an activation code with no FedRAMP information, the service sees that it’s a FedRAMP activation code, and then it redirects them."

All FedRAMP traffic requires TLS 1.2 encryption and mTLS 1.2 encryption for on-prem SIP registered devices.

Ports used by Webex Meetings clients (including cloud-registered devices)

ProtocolPort number(s)DirectionTraffic typeIP rangeComments
TCP80/443Outbound to WebexHTTP, HTTPSWebex and AWS (Not recommended to filter by IP)
  • *.webex.com
  • *.gov.ciscospark.com
  • *.s3.us-gov-west-1.amazonaws.com (This is used to serve static content and files)
  • *.wbx2.com

Webex recommends filtering by URL. IF Filtering by IP address, you must allow AWS GovCloud, Cloudfront, and Webex IP ranges.

TCP/UDP53Outbound to Local DNSDomain Name Services (DNS)Only DNS ServerUsed for DNS lookups to discover the IP addresses of Webex servers in the cloud. Even though typical DNS lookups are done over UDP, some may require TCP, if the query responses cannot fit it in UDP packets.
UCP9000, 5004Outbound to WebexPrimary Webex Client Media (VoIP & Video RTP)WebexWebex client media port is used to exchange computer audio, webcam video, and content sharing streams. Opening this port is required to ensure the best possible media experience.
TCP5004, 443, 80Outbound to WebexAlternate Webex Client Media (VoIP & Video RTP)WebexFall-back ports for media connectivity when UDP port 9000 is not open in the firewall
UDP/TCP

Audio: 52000 to 52049

Video: 52100 to 52199

Inbound to your NetworkWebex Client Media (Voip and Video)Return from AWS and Webex

Webex will communicate to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through.

This is enabled by default.
TCP/UDPOS-Specific Ephemeral PortsInbound to your NetworkReturn traffic from WebexReturn from AWS and Webex

Webex will communicate to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through.

This is usually automatically opened in a stateful firewall, however it' listed here for completeness.

For customers enabling Webex for Government who cannot allow URL-based filtering for HTTPS, you will need to allow connectivity with AWS Gov Cloud West (region: us‐gov‐west‐1) and Cloud Front (service: CLOUDFRONT). Please review AWS documentation to identify the IP ranges for AWS Gov Cloud West region and AWS Cloud Front. AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws‐ip‐ranges.html. Webex strongly recommends filtering by URL when possible.

Cloudfront is used for static content delivered via Content Delivery Network to give customers the best performance around the country.

Ports used by premise-registered Cisco video collaboration devices

See also the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings

ProtocolPort numbersDirectionAccess typeIP rangeComments
TCP5061—5070Outbound to WebexSIP SignalingWebexThe Webex media edge listens on these ports
TCP5061, 5065Inbound to your networkSIP SignalingWebexInbound SIP Signaling traffic from the Webex Cloud
TCP5061Outbound to WebexSIP signaling from Cloud registered devicesAWSInbound calls from Webex App 1:1 Calling and Cloud registered devices to your on-premise registered SIP URI. *5061 is the default port. Webex supports 5061—5070 ports to be used by customers as defined in their SIP SRV Record
TCP/UDP1719, 1720, 15000—19999Outbound to WebexH.323 LSWebexIf your endpoint requires gatekeeper communication, also open port 1719, which includes Lifesize
TCP/UDPEphemeral Ports, 36000—59999InboundMedia portsWebexIf you're using a Cisco Expressway, the media ranges need to be set to 36000-59999. If you are using a third-party endpoint or call control, they need to be configured to use this range.
TCP443InboundOn-Premise Device ProximityLocal networkWebex app or Webex Desktop App must have an IPv4 route-able path between itself and the video device using HTTPS

For customers enabling Webex for Government receiving Inbound calls from Webex App 1:1 Calling and Cloud registered devices to your on-premise registered SIP URI. You must also allow connectivity with AWS Gov Cloud West (region: us‐gov‐west‐1). Please review AWS documentation to identify the IP ranges for the AWS Gov Cloud West region. The AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws‐ip‐ranges.html.

Ports used by Edge Audio

This is only required if you leverage Edge Audio.

ProtocolPort numbersDirectionAccess typeIP rangeComments
TCP5061—5062Inbound to your networkSIP SignalingWebexInbound SIP signaling for Edge Audio
TCP5061—5065Outbound to WebexSIP SignalingWebexOutbound SIP signaling for Edge Audio
TCP/UDPEphemeral Ports, 8000—59999Inbound to your networkMedia PortsWebexOn an enterprise firewall, ports need to be opened up for incoming traffic to the Expressway with a port range from 8000—59999

Configure mTLS using the following options:

Domains and URLs for Webex Calling services

A * shown at the beginning of a URL (for example, *.webex.com) indicates that services in the top-level domain and all subdomains are accessible.

Table 3. Webex services
Domain/URLDescriptionWebex apps and devices using these domains/URLs

*.webex.com

*.cisco.com

*.webexgov.us

Core Webex Calling & Webex Aware services

Identity provisioning

Identity storage

Authentication

OAuth services

Device onboarding

When a phone connects to a network for the first time or after a factory reset with no DHCP options set, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com and phones with firmware release earlier than 11.2(1), continue to use webapps.cisco.com for provisioning.

Download the device firmware and locale updates from binaries.webex.com.

All
*.wbx2.com and *.ciscospark.comUsed for cloud awareness, CSDM, WDM, mercury, and so on. These services are necessary for the Apps and devices to reach out to Webex Calling & Webex Aware services during and after onboarding.All
*.webexapis.com

Webex microservices that manage your applications and devices.

Profile picture service

Whiteboarding service

Proximity service

Presence service

Registration service

Calendaring service

Search service

All
*.webexcontent.com

Webex Messaging service related to general file storage including:

User files

Transcoded files

Images

Screenshots

Whiteboard content

Client & device logs

Profile pictures

Branding logos

Log files

Bulk CSV export files & import files (Control Hub)

Webex App messaging services.
File storage using webexcontent.com replaced by clouddrive.com in October 2019
Table 4. Additional Webex-related services (third-party domains)
Domain/URLDescriptionWebex apps and devices using these domains/URLs

*.appdynamics.com

*.eum-appdynamics.com

Performance tracking, error and crash capture, session metrics.Control Hub
*.huron-dev.comWebex Calling micro services like toggle services, phone number ordering, and assignment services.Control Hub
*.sipflash.comDevice management services. Firmware upgrades and secure onboarding purposes.Webex apps

*.google.com

*.googleapis.com

Notifications to Webex apps on mobile devices (Example: new message, when call is answered)

For IP Subnets, refer to these links

Google Firebase Cloud Messaging (FCM) service

Apple Push Notification Service (APNS)

Webex App

IP subnets for Webex Calling services

  • 23.89.18.0/23
  • 163.129.16.0/21
  • 150.253.150.0/23
  • 144.196.224.0/21
  • 144.196.16.0/24

Ports used by Webex Calling

Table 5. Webex Calling and Webex Aware services
Connection purposeSource addressesSource portsProtocolDestination addressesDestination portsNotes
Call signaling to Webex Calling (SIP TLS)Local Gateway external (NIC)8000—65535TCPRefer to IP Subnets for Webex Calling Services.5062, 8934

These IPs/ports are needed for outbound SIP-TLS call signaling from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination).

Port 5062 (required for Certificate-based trunk). And port 8934 (required for Registration-based trunk

Devices5060—50808934
ApplicationsEphemeral (OS dependent)
Call media to Webex Calling (SRTP)Local Gateway external NIC8000—48198*UDPRefer to IP Subnets for Webex Calling Services.

8500—8700,19560—65535 (SRTP over UDP)

STUN, ICE-Lite based media optimization is not supported for Webex for Government.

These IPs/ports are used for outbound SRTP call media from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination).

For certain network topologies where firewalls are used within a customer premise, allow access for the mentioned source and destination port ranges inside your network for the media to flow through.

Example: For applications, allow the source and destination port range 8500—8700.

Devices19560—19660
Applications8500—8700
Call signaling to PSTN gateway (SIP TLS)Local Gateway internal NIC8000—65535TCPYour ITSP PSTN GW or Unified CMDepends on PSTN option (for example, typically 5060 or 5061 for Unified CM)
Call media to PSTN gateway (SRTP)Local Gateway internal NIC8000—48198*UDPYour ITSP PSTN GW or Unified CMDepends on the PSTN option (for example, typically 5060 or 5061 for Unified CM)
Device configuration and firmware management (Cisco devices)Webex Calling devicesEphemeralTCP

3.20.185.219

3.130.87.169

3.134.166.179

72.163.10.96/27

72.163.15.64/26

72.163.15.128/26

72.163.24.0/23

72.163.10.128/25

173.37.146.128/25

173.36.127.0/26

173.36.127.128/26

173.37.26.0/23

173.37.149.96/27

192.133.220.0/26

192.133.220.64/26

443, 6970

Required for the following reasons:

  1. Migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. See upgrade.cisco.com for more information. The cloudupgrader.webex.com uses ports: 6970,443 for the firmware migration process.

  2. Firmware upgrades and secure onboarding of devices (MPP and Room or Desk phones) using the 16-digit activation code (GDS).

  3. For CDA / EDOS - MAC address-based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with newer firmware.

  4. When a phone connects to a network for the first time or after a factory reset, without the DHCP options set, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware released earlier than 11.2(1) continue to use "webapps.cisco.com". It is recommended to allow all these IP subnets.

Application configurationWebex Calling applicationsEphemeralTCP

62.109.192.0/18

64.68.96.0/19

150.253.128.0/17

207.182.160.0/19

443, 8443Used for Idbroker Authentication, Application configuration services for clients, Browser based web access for self-care AND Administrative interfaces access.
Device time synchronization (NTP)Webex Calling devices51494UDPRefer to IP Subnets for Webex Calling Services.123These IP addresses are needed for Time Synchronization for Devices (MPP phones, ATAs, and SPA ATAs)
Device name resolution and application name resolutionWebex Calling devicesEphemeralUDP and TCPHost-defined53

Used for DNS lookups to discover the IP addresses of Webex Calling services in the cloud.

Even though typical DNS lookups are done over UDP, some may require TCP, if the query responses can’t fit it in UDP packets.
Application time synchronizationWebex Calling applications123UPDHost-defined123
CScanWeb based Network readiness Pre-qualification tool for Webex CallingEphemeralUPDRefer to IP Subnets for Webex Calling Services.19569—19760Web based Network readiness Prequalification tool for Webex Calling. Go to cscan.webex.com for more information.
Table 6. Additional Webex Calling and Webex Aware services (third-party)
Connection purposeSource addressesSource portsProtocolDestination addressesDestination portsNotes
Push notifications APNS and FCM servicesWebex Calling applicationsEphemeralTCP

Refer to IP Subnets mentioned under the links

Apple Push Notification Service(APNS)

Google-Firebase Cloud Messaging (FCM)

443, 2197, 5228, 5229, 5230, 5223Notifications to Webex apps on mobile devices (Example: When you receive a new message or when a call is answered)
  • *CUBE media port range is configurable with rtp-port range.
  • If a proxy server address is configured for your Apps and Devices, the signaling traffic is sent to the proxy. Media transported SRTP over UDP is not sent to the proxy server. It must flow directly to your firewall instead.
  • If you are using NTP and DNS services within your enterprise network, then open the ports 53 and 123 through your firewall.