How does restricting external messaging work?

When you restrict external messaging for your users (or groups), this is what happens:

  • Your restrictions apply to all new spaces (spaces created after you change your restriction settings).

  • We apply your restrictions to your users' participation in existing spaces; both those owned by your organization and those owned by external organizations. When you disable external communication, new external participants can’t join internal spaces, and new internal participants can’t join external spaces. However, existing members can still communicate between internal and external spaces as before. These restrictions apply only to new participants joining after you disable external communication. Existing members retain their communication privileges within their spaces.

  • People are prevented from joining spaces if your settings restrict their participation.

  • We don’t retroactively remove users or groups from spaces if your changes would prevent them from joining.

  • After you have restricted external messaging, users who leave group spaces could be prevented from rejoining. This is because we apply the restrictions as people join.

  • Your restrictions don’t apply to bots.

Which domains are restricted?

You can use the External Communications controls to define a sophisticated policy that meets your organization's requirements, whether those are more permissive or more restrictive.

Allow all external messaging
The most permissive option, which doesn’t restrict messaging with users from external domains.
Allow all domains except the blocked domains
A permissive option, which allows communications with all domains except a list of blocked domains.
Allow selected domains only
A restrictive option, which prevents communications with all domains except a list of allowed domains. If you have an empty allow list, this becomes the most restrictive option. It is equivalent to "Block all external messaging".

Who is affected by the restrictions?

You can further refine your External Communications by defining which user groups are affected by the allow list or block list.

Allow all users except for selected groups
The policy has a wide effect. If you leave the groups list empty, it means all users in your organization are governed by the allow list or block list. Add groups to the list if you want to exempt them from the allow/block list.
Allow selected groups only
The policy has a narrow effect. If you leave the groups list empty, no users are governed by the allow list or block list. You can add groups to the list to include them in the allow/block policy
1

Sign in to Control Hub ( https://admin.webex.com) and go to Organization Settings > External Communication.

2

Select Allow selected domains only.

3

Read the caution and Confirm.

4

Click Manage allowed domains and then remove all domains from the allow list.

An empty allow list means that no domains are allowed for external communications.
5

Click Manage group permissions and select Allow all users except the selected groups. Remove all groups from the list.

No groups are exempted from the allow list. That means everybody is governed by the empty allow list.

All users in your organization are restricted from communicating with anyone in external organizations.

1

On the Organization Settings page, find External Communication and select Allow all domains except the blocked domains.

You see who this setting currently applies to, and links to Manage allowed domains and Manage group permissions.
2

Click Manage blocked domains to create your block list.

You'll see your list of Blocked domains. The list is empty if this is your first time. Otherwise, you can sort or search (filter) the list.

  1. To block a small number of domains, click Actions > Add domain.

    (If the list is empty, click Manually add.)

  2. Type the domain then press Enter (or comma).

    If you want to add more domains, keep typing them and pressing Enter after each.

  3. Click Add.

    The new domains are on the block list.

3

To remove domains, check the boxes next to the domains and click Remove. Confirm you want to Remove the domains.

The domains are removed from the block list.

4

Click Manage group permissions to define who can use the list:

You'll see a list of groups that are related to the block list.

The default state is Allow all users except for the selected groups. If there are no groups on the list, then all groups are affected by the block list.

You can also choose Allow selected groups only. If there are no groups on the list, then no groups are affected by the block list.

Either way, you create a list of groups as follows:

  1. Type some letters in the group name, then click on the group when Control Hub finds it.

    That group is now ready to be committed to the list.
  2. Continue searching for and selecting groups to add to the list.

  3. Click Save.

    You see a success message, and the list of groups is updated. (Click Manage group permissions again to see the updated list.)

5

To remove groups from the list:

  1. Search or sort the group list to find the group.

  2. Click the trashcan next to a group name.

  3. You can Remove all > Delete to clear all groups from this list.

Before you begin

You need to turn on Block external messaging (for everyone) before you can manage your allow list.
1

On the Organization Settings page, find External Communication and select Allow selected domains only.

You see who this setting currently applies to, and links to Manage allowed domains and Manage group permissions.
2

Click Manage allowed domains to create your allow list.

You'll see your list of Allowed Domains and the status of each. The list is empty if this is your first time. Otherwise, you can sort or search (filter) the list.

  1. To add a small number of domains, click Actions > Add domain.

    (If the list is empty, click Manually add.)

  2. To add a small number of domains, click Actions > Add domain.

  3. Type the domain then press Enter (or comma).

    If you want to add more domains, keep typing them and pressing Enter after each.

  4. Click Check domain.

    We check whether these domains are verified or claimed by other organizations in Webex, and show their status. You can add unverified domains, but if the status is Unverified when you're expecting a claimed or verified domain, maybe you made a typo.

  5. Click Add.

    The new domains are on the allow list.

3

To remove domains, check the boxes next to the domains and click Remove. Confirm you want to Remove the domains.

The domains are removed from the allow list.

4

Click Manage group permissions to define who can use the list:

You'll see a list of groups that are related to the allow list.

The default state is Allow all users except for the selected groups. If there are no groups on the list, then all groups may use the allow list.

You can also choose Allow selected groups only. If there are no groups on the list, then no groups may use the allow list.

Either way, you create a list of groups as follows:

  1. Type some letters in the group name, then click on the group when Control Hub finds it.

    That group is now ready to be committed to the list.
  2. Continue searching for and selecting groups to add to the list.

  3. Click Save.

    You see a success message, and the list of groups is updated. (Click Manage group permissions again to see the updated list.)

5

To remove groups from the list:

  1. Search or sort the group list to find the group.

  2. Click the trashcan next to a group name.

  3. You can Remove all > Delete to clear all groups from this list.

How does the allow list affect my users (or groups)?

Users or groups in your organization can communicate with users whose email addresses are in the domains on your allow list. Specifically, users or groups can:

  • Add people from those domains into spaces owned by your organization.

  • Join spaces created by people from those domains.

  • Create spaces with people from those domains.

When users from your organization start to share a space with users in an external organization using a Webex board, the allowed domains list is not applied and the space is not shared.

What does the status mean?

  • Claimed in Webex means one organization controls this domain, and other organizations cannot have users with this domain.

  • Verified means an organization has proved that it owns the domain.

  • Unverified means that no organization has yet proven that it owns the domain. That does not mean users from these domains are impostors, because Webex organizations are not required to verify their domains.

Read more about Managing domains and why we recommend verifying your domains.

1

Sign in to Control Hub ( https://admin.webex.com) and go to Organization Settings > External Communication.

2

Enable Group Spaces.

Users in your organization can't be invited to group spaces owned by another organization. This ensures that for compliance your organization has access to all data generated by participants across spaces.

Sometimes you want to add or remove more than a few domains to your allow list. For these bulk operations, you can use CSV file import and/or export.

We don't remove domains from the list if they are not in the imported CSV file. We also don't add (duplicate) domains from the CSV file if they are already on your list.

1

On the Organization Settings page, find External Communication.

2

Click Manage allowed domains.

You'll see your list of domains.

3

Add up to 1000 domains to the list:

  1. Click Actions > Import CSV.

  2. Click Download a sample CSV, paste your list of domains into the Domains column.

    You don't need to use our sample file. You could also create your own text file with a list of domains. Put Domains on the first line, and each domain you want to allow goes on a new line.

  3. Save it as something meaningful, like messaging-domain-list.csv.

  4. Browse to and select messaging-domain-list.csv, or drag it from your file browser and drop it on the box in Control Hub.

  5. Click Next.

    We analyze the file, checking whether each domain is claimed or verified by another organization in Webex, and then display a preview of your allow list. You can delete any entries you don't need, or you can (optional) Remove all unverified domains.

  6. Click Start import.

    Wait a short while, then you'll see the results. You can save the results out if you need them.

  7. Click View allowed domains and you'll see your new allow list.

4

To remove multiple domains from the list:

  1. Click Actions > Export CSV.

  2. Save the downloaded file in case you need to revert it, e.g. original-domain-list.csv.

  3. Make a copy that you can edit e.g. reduced-domain-list.csv.

  4. In that file, delete all the domains you want to remove from the allow list.

  5. Remove all domains from the list, in Control Hub. In the Allowed Domains list in Control Hub, check the select all box next to the Domains column header.

  6. Click Remove, and confirm you want to Remove the domains.

    All domains are removed from the list, leaving it empty.

  7. Import your reduced list from the CSV file, as described above.

People in your organization may be able to make calls to external people in the following scenarios: