When you restrict external messaging for your users (or groups), this is what happens:

  • Your restrictions apply to all new spaces.

  • We apply your restrictions to your users' participation in existing spaces; both those owned by your organization and those owned by external organizations.

  • People are prevented from joining spaces if your settings restrict their participation.

  • We do not retroactively remove users or groups from spaces if your changes would prevent them from joining.

  • After you have restricted external messaging, users who leave spaces could be prevented from rejoining. This is because we apply the restrictions as people join.

  • You restrictions do not apply to bots.

1

Sign in to Control Hub (https://admin.webex.com) and go to Organization Settings > External Communication.

2

Turn on Block external messaging.

3

Read the caution, check the box to acknowledge the consequences, and click Done.

All users in your organization are restricted from communicating with anyone in external organizations.

What to do next

You may want to create a list of allowed external domains, and restrict which groups can use that allow list. You can also prevent users from joining externally-owned spaces.

1

Sign in to Control Hub (https://admin.webex.com) and go to Organization Settings > External Communication.

2

Enable Group Spaces.

3

Click Save.

Users in your organization can't be invited to group spaces owned by another organization. This ensures that for compliance your organization has access to all data generated by participants across spaces.

Before you begin

You need to turn on Block external messaging (for everyone) before you can manage your allow list.

1

On the Organization Settings page, find External Communication and click Manage domains and permissions.

You'll see your list of Allowed Domains and the status of each. The list is empty if this is your first time. Otherwise, you can sort or search (filter) the list.

2

To add a small number of domains, click Actions > Add domain.

(If the list is empty, click Manually add.)

  1. Type the domain then press Enter (or comma).

    If you want to add more domains, keep typing them and pressing Enter after each.

  2. Click Check domain.

    We check whether these domains are verified or claimed by other organizations in Webex, and show their status. You can add unverified domains, but if the status is Unverified when you're expecting a claimed or verified domain, maybe you made a typo.

  3. Click Add.

    The new domains are on the allow list.

3

To remove a small number of domains, check the boxes next to the domains and click Remove. Confirm you want to Remove the domains.

The domains are removed from the allow list.

How does the allow list affect my users (or groups)?

Users or groups in your organization can communicate with users whose email addresses are in the domains on your allow list. Specifically, users or groups can:

  • Add people from those domains into spaces owned by your organization.

  • Join spaces created by people from those domains.

  • Create spaces with people from those domains.


When users from your organization start to share a space with users in an external organization using a Webex board, the allowed domains list is not applied and the space is not shared.

What does the status mean?

  • Claimed in Webex means one organization controls this domain, and other organizations cannot have users with this domain.

  • Verified means an organization has proved that it owns the domain.

  • Unverified means that no organization has yet proven that it owns the domain. That does not mean users from these domains are impostors, because Webex organizations are not required to verify their domains.

Read more about Managing domains and why we recommend verifying your domains.

This task does not apply to your organization unless you are synchronizing your Active Directory groups with Webex. See https://www.cisco.com/go/hybrid-services-directory for details.

Before you begin

You need to turn on Block external messaging and create an allow list before you can permit some groups to communicate with users from the allowed domains.

1

On the Organization Settings page, find External Communication and click Manage domains and permissions.

You'll see your list of Allowed Domains.

2

Click Manage permissions.

You'll see the list of groups that have permission to use the allow list. The default state is Allow All Groups). This means all groups may use the allow list. You can also choose Allow Specific Groups to limit the allow list.
3

Add groups to the list to enable them to use the allow list:

  1. Click Add group permissions.

  2. Type some letters in the group name, then click on the group when Control Hub finds it.

    That group is now ready to be committed to the list.
  3. Continue searching for and selecting groups to add to the list.

  4. Click Save.

    You see a success message, and the list of groups permitted to use the allow list is updated. (Click Manage permissions again to see the updated list.)

    All other groups are prevented from messaging users from domains on the allow list.

4

To prevent groups from using the allow list:

  1. Search or sort the group list to find the group.

  2. Click the trashcan next to a group name to prevent this group using the allow list. Users in those groups are not prevented from messaging in spaces to which they already belong.

  3. You can Remove all > Delete to clear all groups from this list.

    This action results in all groups being enabled to use the allow list. That is, all users in your organization can communicate with external people from domains on the allow list.

All groups that are not on the group permissions list are prevented from messaging users from domains on the allow list.

If the list is empty, all groups can message users from domains on the allow list.

Sometimes you want to add or remove more than a few domains. For bulk operations, you can use CSV file import and/or export.

We don't remove domains from your allow list if they are not in the imported CSV file. We also don't add (duplicate) domains from the CSV file if they are already on your allow list.

1

On the Organization Settings page, find External Communication and click Manage domains and permissions.

You'll see your list of Allowed Domains.

2

Add up to 1000 domains to your allow list:

  1. Click Import CSV.

  2. Click Download a sample CSV, paste your list of domains into the Domains column.

    You don't need to use our sample file. You could also create your own text file with a list of domains. Put Domains on the first line, and each domain you want to allow goes on a new line.

  3. Save it as something meaningful, like messaging-allow-list.csv.

  4. Browse to and select messaging-allow-list.csv, or drag it from your file browser and drop it on the box in Control Hub.

  5. Click Next.

    We analyze the file, checking whether each domain is claimed or verified by another organization in Webex, and then display a preview of your allow list. You can delete any entries you don't need, or you can (optional) Remove all unverified domains.

  6. Click Start import.

    Wait a short while, then you'll see the results. You can save the results out if you need them.

  7. Click View allowed domains and you'll see your new allow list.

3

To remove multiple domains from the list:

  1. Click Actions > Export CSV.

  2. Save the downloaded file in case you need to revert it, e.g. original-allow-list.csv.

  3. Make a copy that you can edit e.g. reduced-allow-list.csv.

  4. In that file, delete all the domains you want to remove from the allow list.

  5. In the Allowed Domains list in Control Hub, check the select all box next to the Domains column header.

  6. Click Remove, and confirm you want to Remove the domains.

    All domains are removed from the allow list, leaving it empty.

  7. Import your reduced list from the CSV file, as described above.

People in your organization may be able to make calls to external people in the following scenarios:

  • If your users make calls using a Webex SIP address. For more information, see Cisco Webex SIP Addresses.

  • If you have an on-premises call environment and assign Hybrid Calling to your users. For more information, see the Deployment Guide for Cisco Webex Hybrid Call Service.

  • If you have cloud calling through Webex Calling (formerly Spark Call) and assign the Webex Calling (formerly Spark Call) service to your users.