This article is for network administrators, particularly firewall and proxy security administrators, who use Webex Calling services within their organization. It describes the network requirements and lists the addresses, ports, and protocols used for connecting your phones, the Webex App, and the gateways to Webex Calling services.
A correctly configured firewall and proxy are essential for a successful Calling deployment. Webex Calling uses SIP and HTTPS for call signaling, along with the associated addresses and ports for media, network connection, and gateway connectivity, because Webex Calling is a global service.
Not all firewall configurations require ports to be open. However, if you're running inside-to-outside rules, you must open ports for the required protocols so that services can reach out.
Network Address Translation (NAT)
Network Address Translation (NAT) and Port Address Translation (PAT) functionality are applied at the border between two networks to translate address spaces or to prevent the collision of IP address spaces.
Organizations use gateway technologies like firewalls and proxies that provide NAT or PAT services to provide internet access to Applications or devices that are on a private IP address space. These gateways make traffic from internal Apps or Devices to the internet appear to be coming from one or more publicly routable IP addresses.
- If deploying NAT, it’s not mandatory to open an inbound port on the firewall.
- Validate the NAT pool size required for App or Devices connectivity when multiple app users and devices access Webex Calling & Webex Aware services using NAT or PAT. Ensure that adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion. Port exhaustion contributes to internal users and devices being unable to connect to the Webex Calling and Webex Aware services.
- Define reasonable binding periods and avoid manipulating SIP on the NAT device.
- Configure a minimum NAT timeout to ensure proper operation of devices. Example: Cisco phones send a follow-up REGISTER refresh message every 1-2 minutes.
- If your network implements NAT or SPI, then set a larger timeout (of at least 30 minutes) for the connections. This timeout allows reliable connectivity while reducing the battery consumption of the users' mobile devices.
SIP Application Layer Gateway
If a router or firewall is SIP-aware, that is, the SIP Application Layer Gateway (ALG) or similar is enabled, we recommend that you turn off this functionality to maintain correct operation of the service.
Check the relevant manufacturer's documentation for steps to disable SIP ALG on specific devices.
Proxy support for Webex Calling
Organizations deploy an internet firewall, or an internet proxy and firewall, to inspect, restrict, and control the HTTP traffic that leaves and enters their network, thus protecting their network from various forms of cyberattacks.
Proxies perform several security functions such as:
- Allow or block access to specific URLs.
- User authentication
- IP address/domain/hostname/URI reputation lookup
- Traffic decryption and inspection
Once configured, the proxy feature applies to all the applications that use HTTP(S).
The applications include the following:
- Webex Services
- Customer device activation (CDA) procedures using Cisco Cloud provisioning platform such as GDS, EDOS device activation, provisioning & onboarding to Webex cloud.
- Certificate Authentication
- Firmware Upgrades
- Status Reports
- PRT Uploads
- XSI Services

If a proxy server address is configured, then only the signaling traffic (HTTP/HTTPS) is sent to the proxy server. Clients that use SIP to register to the Webex Calling service, and the associated media, aren’t sent to the proxy. Therefore, allow these clients to go through the firewall directly.
Supported Proxy Options, configuration & Authentication types
The supported proxy types are:
- Explicit Proxy (inspecting or noninspecting): Configure the clients, either App or Device, with an explicit proxy to specify the server to use. This option supports one of the following authentication types:
- Transparent Proxy (noninspecting): The clients aren’t configured to use a specific proxy server address and don’t require any changes to work with a noninspecting proxy.
- Transparent Proxy (inspecting): The clients aren’t configured to use a specific proxy server address. No HTTP(S) configuration changes are necessary; however, your clients, either App or Devices, need a root certificate so that they trust the proxy. The IT team uses inspecting proxies to enforce policies on which websites can be visited and which types of content aren’t permitted.
Configure the proxy addresses manually for Webex Room devices, Cisco IP Multiplatform Phones (MPP), and Webex App using:
- Platform OS
- Device UI
- Automatic discovery
While configuring, choose from the following Proxy configurations & authentication types:
| Product | Proxy Configuration | Authentication Type |
|---|---|---|
| Webex for Mac | Manual, WPAD, PAC | No Auth, Basic, NTLM† |
| Webex for Windows | Manual, WPAD, PAC, GPO | No Auth, Basic, NTLM†, Negotiate |
| Webex for iOS | Manual, WPAD, PAC | No Auth, Basic, Digest, NTLM |
| Webex for Android | Manual, PAC | No Auth, Basic, Digest, NTLM |
| Webex Web App | Supported through OS | No Auth, Basic, Digest, NTLM, Negotiate |
| Webex Room devices | WPAD, PAC, or Manual | No Auth, Basic, Digest |
| Cisco IP Phones | Manual, WPAD, PAC | No Auth, Basic, Digest |
| Webex Video Mesh Node | Manual | No Auth, Basic, Digest, NTLM |
For legends in the table:
- †Mac NTLM Auth - Machine need not be logged on to the domain, user prompted for a password
- †Windows NTLM Auth - Supported only if a machine is logged onto the domain
- Web Proxy Auto Discovery (WPAD) - See Web Proxy Auto Discovery Protocol for details.
- Proxy Auto Config (PAC) files - See Proxy Auto-Config Files for details.
- To connect Cisco Webex Board, Desk, or Room Series device to a proxy server, see Connect your Board, Desk, or Room Series device to a proxy server.
- For Cisco IP phones, see Set Up a Proxy Server as an example for configuring the proxy server and settings.
Proxy settings for Windows OS
Microsoft Windows supports two network libraries for HTTP traffic (WinINet and WinHTTP) that allow proxy configuration. WinINet is a superset of WinHTTP.
- WinINet is designed for single-user, desktop client applications only
- WinHTTP is designed primarily for multiuser, server-based applications
When selecting between the two, choose WinINet for your proxy configuration settings. For details, see wininet-vs-winhttp.
Refer to Configure a list of allowed domains to access Webex while on your corporate network for details on the following:
- To ensure that people only sign in to applications using accounts from a predefined list of domains.
- Use a proxy server to intercept requests and limit the domains that are allowed.
Proxy Inspection and Certificate Pinning
The Webex App and Devices validate the certificates of the servers when they establish the TLS sessions. Certificate checks, such as those on the certificate issuer and digital signature, rely on verifying the chain of certificates up to the root certificate. To perform the validation checks, the Webex App and Devices use a set of trusted root CA certificates installed in the operating system trust store.
If you have deployed a TLS-inspecting proxy to intercept, decrypt, and inspect Webex Calling traffic, ensure that the certificate the proxy presents (in lieu of the Webex service certificate) is signed by a certificate authority, and that the root certificate is installed in the trust store of your Webex App or Webex device.
- For Webex App - Install the CA certificate that the proxy uses to sign certificates in the operating system of the device.
- For Webex Room devices and Cisco multiplatform IP Phones - Open a service request with the TAC team to install the CA certificate.
This table shows the Webex App and Webex Devices that support TLS inspection by proxy servers:

| Product | Supports Custom Trusted CAs for TLS inspection |
|---|---|
| Webex App (Windows, Mac, iOS, Android, Web) | Yes |
| Webex Room Devices | Yes |
| Cisco IP Multiplatform (MPP) Phones | Yes |
Firewall configuration
Cisco supports Webex Calling and Webex Aware services in secure Cisco and Amazon Web Services (AWS) data centers. Amazon has reserved its IP subnets for Cisco’s sole use, and secured the services located in these subnets within the AWS virtual private cloud.
Configure your firewall to allow communication from your devices, applications, and internet-facing services to perform their functions properly. This configuration allows access to all the supported Webex Calling and Webex Aware cloud services, domain names, IP addresses, Ports, and protocols.
Whitelist or open access to the following so that the Webex Calling and Webex Aware services function correctly.
- The URLs/Domains mentioned under the section Domains and URLs for Webex Calling Services
- IP subnets, Ports, and Protocols mentioned under the section IP Subnets for Webex Calling Services
- If you're using Webex Meetings, Messaging, and other services, ensure that the Domains/URLs mentioned in the article Network Requirements for Webex Services are also open.

If you’re using only a firewall, then filtering Webex Calling traffic using IP addresses alone is not supported, because the IP address pools are dynamic and may change at any time. Update your rules regularly; failing to update your firewall rules list could impact your users' experience. Cisco doesn’t endorse filtering a subset of IP addresses based on a particular geographic region or cloud service provider. Filtering by region can cause severe degradation to your calling experience.
If your firewall doesn’t support Domain/URL filtering, then use an Enterprise Proxy server option. This option filters/allows by URL/domain the HTTPS signaling traffic to Webex Calling and Webex Aware services in your proxy server, before forwarding to your firewall.
For Webex Calling, UDP is Cisco’s preferred transport protocol for media, and it recommends using only SRTP over UDP. TCP and TLS as transport protocols for media aren’t supported for Webex Calling in production environments. The connection-orientated nature of these protocols affects media quality over lossy networks. If you have queries regarding the transport protocol, raise a support ticket.
Domains and URLs for Webex Calling services
A * shown at the beginning of a URL (for example, *.webex.com) indicates that services in the top-level domain and all subdomains are accessible.
| Domain / URL | Description | Webex Apps and devices using these domains / URLs |
|---|---|---|
| Cisco Webex Services | | |
| *.broadcloudpbx.com | Webex authorization microservices for cross-launch from Control Hub to Calling Admin Portal. | Control Hub |
| *.broadcloud.com.au | Webex Calling services in Australia. | All |
| *.broadcloud.eu | Webex Calling services in Europe. | All |
| *.broadcloudpbx.net | Calling client configuration and management services. | Webex Apps |
| *.webex.com *.cisco.com | Core Webex Calling & Webex Aware services. When a phone connects to a network for the first time or after a factory reset with no DHCP options set, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com and phones with firmware release earlier than 11.2(1), continue to use webapps.cisco.com for provisioning. Download the device firmware and locale updates from binaries.webex.com. | All |
| *.ucmgmt.cisco.com | Webex Calling services | Control Hub |
| *.wbx2.com and *.ciscospark.com | Used for cloud awareness, CSDM, WDM, mercury, and so on. These services are necessary for the Apps and devices to reach out to Webex Calling & Webex Aware services during and after onboarding. | All |
| *.webexapis.com | Webex microservices that manage your applications and devices. | All |
| *.webexcontent.com | Webex Messaging services related to general file storage including: | Webex Apps Messaging services. |
| *.accompany.com | People insights integration | Webex Apps |
| Additional Webex-Related Services (Third-Party Domains) | | |
| *.appdynamics.com *.eum-appdynamics.com | Performance tracking, error and crash capture, session metrics. | Control Hub |
| *.huron-dev.com | Webex Calling micro services like toggle services, phone number ordering, and assignment services. | Control Hub |
| *.sipflash.com | Device management services. Firmware upgrades and secure onboarding purposes. | Webex Apps |
| *.walkme.com *.walkmeusercontent.com | Webex user guidance client. Provides onboarding and usage tours for new users. For more information about WalkMe, click here. | Webex Apps |
| *.google.com *.googleapis.com | Notifications to Webex apps on mobile devices (Example: new message, when call is answered). For IP Subnets, refer to these links: Google Firebase Cloud Messaging (FCM) service, Apple Push Notification Service (APNS) | Webex App |
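The wildcard rule stated above ("*.webex.com" covers the domain itself and all subdomains) is easy to get wrong in a proxy allow-list if it is implemented as a plain suffix match. The following added example (not Cisco's code) audits proxy deny logs against the domain table with a label-boundary match; the log format and sample lines are constructed for illustration.

```python
# Patterns copied from the "Domains and URLs for Webex Calling services" table on this page.
REQUIRED_DOMAINS = [
    "*.broadcloudpbx.com", "*.broadcloud.com.au", "*.broadcloud.eu",
    "*.broadcloudpbx.net", "*.webex.com", "*.cisco.com", "*.ucmgmt.cisco.com",
    "*.wbx2.com", "*.ciscospark.com", "*.webexapis.com", "*.webexcontent.com",
    "*.accompany.com", "*.appdynamics.com", "*.eum-appdynamics.com",
    "*.huron-dev.com", "*.sipflash.com", "*.walkme.com",
    "*.walkmeusercontent.com", "*.google.com", "*.googleapis.com",
]


def normalize(host):
    """Lower-case, drop a trailing :port and a trailing dot (hostnames only)."""
    host = host.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def matching_pattern(host):
    """Return the first table pattern that covers host, or None.

    "*.webex.com" covers webex.com itself and every subdomain. The match is
    anchored on a label boundary, so "notwebex.com" and
    "webex.com.example.net" are not covered.
    """
    host = normalize(host)
    for pattern in REQUIRED_DOMAINS:
        base = pattern[2:] if pattern.startswith("*.") else pattern
        if host == base or host.endswith("." + base):
            return pattern
    return None


def blocked_required_hosts(log_lines):
    """Return {host: pattern} for denied (403) CONNECT requests to required domains."""
    found = {}
    for line in log_lines:
        fields = line.split()
        # Constructed format: <timestamp> <client> CONNECT <host:port> <status>
        if len(fields) != 5 or fields[2] != "CONNECT" or fields[4] != "403":
            continue
        pattern = matching_pattern(fields[3])
        if pattern:
            found[normalize(fields[3])] = pattern
    return found


# Constructed sample proxy log lines (not real traffic).
SAMPLE_PROXY_LOG = [
    "2024-01-10T09:00:01Z 10.1.4.20 CONNECT activate.cisco.com:443 403",
    "2024-01-10T09:00:02Z 10.1.4.21 CONNECT Binaries.Webex.com:443 403",
    "2024-01-10T09:00:03Z 10.1.4.22 CONNECT webex.com.:443 403",
    "2024-01-10T09:00:04Z 10.1.4.23 CONNECT notwebex.com:443 403",
    "2024-01-10T09:00:05Z 10.1.4.24 CONNECT webex.com.example.net:443 403",
    "2024-01-10T09:00:06Z 10.1.4.25 CONNECT cscan.webex.com:443 200",
]

if __name__ == "__main__":
    for host, pattern in blocked_required_hosts(SAMPLE_PROXY_LOG).items():
        print(f"blocked but required: {host} (covered by {pattern})")
```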
IP Subnets for Webex Calling services
IP Subnets for Webex Calling Services*† | ||
---|---|---|
23.89.0.0/16 |
85.119.56.0/23 |
128.177.14.0/24 |
128.177.36.0/24 |
135.84.168.0/21 |
139.177.64.0/21 |
139.177.72.0/23 |
144.196.0.0/16 |
150.253.156.128/25 |
150.253.128.0/17 |
170.72.0.0/16 |
170.133.128.0/18 |
185.115.196.0/22 |
199.19.196.0/23 |
199.19.199.0/24 |
199.59.64.0/21 |
| Connection purpose | Source addresses | Source ports | Protocol | Destination addresses | Destination ports | Notes |
|---|---|---|---|---|---|---|
| Call signaling to Webex Calling (SIP TLS) | Local Gateway external (NIC) | 8000-65535 | TCP | Refer to IP Subnets for Webex Calling Services. | 5062, 8934 | These IPs/ports are needed for outbound SIP-TLS call signaling from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). Port 5062 (required for Certificate-based trunk) and port 8934 (required for Registration-based trunk). |
| | Devices | 5060-5080 | | | 8934 | |
| | Applications | Ephemeral (OS dependent) | | | | |
| Call signaling from Webex Calling (SIP TLS) to Local Gateway | Webex Calling address range. Refer to IP Subnets for Webex Calling Services | 8934 | TCP | IP or IP range chosen by customer for their Local Gateway | Port or port range chosen by customer for their Local Gateway | Applies to certificate-based local gateways. It is required to establish a connection from Webex Calling to a Local Gateway. Registration-based local gateway works on reusing a connection created from the local gateway. Destination port is customer chosen; see Configure trunks. |
| Call media to Webex Calling (STUN, SRTP, T38) | Local Gateway external NIC | 8000-48198†* | UDP | Refer to IP Subnets for Webex Calling Services. | 5004, 9000 (STUN Ports) 8500-8700, 19560-65535 (SRTP over UDP) | |
| | Devices | 19560-19660 | | | | |
| | Applications | 8500-8700 | | | | |
| Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
| Call media from Webex Calling (SRTP, T38) | Webex Calling address range. Refer to IP Subnets for Webex Calling Services | 19560-65535 (SRTP over UDP) | UDP | IP or IP range chosen by customer for their Local Gateway | Media port range chosen by customer for their Local Gateway | Webex Calling allows all remote devices to perform media latching if the device is behind a NAT. For certificate-based local gateway, it is required to allow ingress access for specific port range. Refer to the network requirements specific to NAT when deploying a certificate-based local gateway. |
| Call media to PSTN gateway (SRTP) | Local Gateway internal NIC | 8000-48198†* | UDP | Your ITSP PSTN GW or Unified CM | Depends on the PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
| Device configuration and firmware management (Cisco devices) | Webex Calling devices | Ephemeral | TCP | 3.20.185.219 3.130.87.169 3.134.166.179 72.163.10.96/27 72.163.15.64/26 72.163.15.128/26 72.163.24.0/23 72.163.10.128/25 173.37.146.128/25 173.36.127.0/26 173.36.127.128/26 173.37.26.0/23 173.37.149.96/27 192.133.220.0/26 192.133.220.64/26 | 443, 6970 | Required for the following reasons: |
| Application configuration | Webex Calling applications | Ephemeral | TCP | 62.109.192.0/18 64.68.96.0/19 150.253.128.0/17 207.182.160.0/19 | 443, 8443 | Used for Idbroker Authentication, Application configuration services for clients, Browser based web access for self-care AND Administrative interfaces access. |
| Device time synchronization (NTP) | Webex Calling devices | 51494 | UDP | Refer to IP Subnets for Webex Calling Services. | 123 | These IP addresses are needed for Time Synchronization for Devices (MPP phones, ATAs, and SPA ATAs) |
| Device name resolution and Application name resolution | Webex Calling devices | Ephemeral | UDP and TCP | Host-defined | 53 | Used for DNS lookups to discover the IP addresses of Webex Calling services in the cloud. Even though typical DNS lookups are done over UDP, some may require TCP, if the query responses can’t fit in UDP packets. |
| Application time synchronization | Webex Calling applications | 123 | UDP | Host-defined | 123 | |
| Web based Network readiness Pre-qualification tool for Webex Calling | | Ephemeral | TCP | Refer to IP Subnets for Webex Calling Services. | 8934 and 443 | Web based Network readiness Prequalification tool for Webex Calling. Go to cscan.webex.com for more information. |
| | | | UDP | | 19569-19760 | |
| Additional Webex Calling & Webex Aware Services (Third-Party) | | | | | | |
| Push notifications APNS and FCM services | Webex Calling Applications | Ephemeral | TCP | Refer to IP Subnets mentioned under the links | 443, 2197, 5228, 5229, 5230, 5223 | Notifications to Webex Apps on mobile devices (Example: When you receive a new message or when a call is answered) |
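A way to check firewall deny logs against the subnet and port tables above, as an added example (not Cisco's code). It covers only the outbound signaling, STUN/SRTP media, and NTP rows toward the Webex Calling subnets; the log format and sample lines are constructed, and because the page states the address pools are dynamic, the subnet list must be refreshed from the current article before use.

```python
import ipaddress
import re

# Subnets copied from the "IP Subnets for Webex Calling services" table on this page.
WEBEX_CALLING_SUBNETS = [ipaddress.ip_network(n) for n in (
    "23.89.0.0/16", "85.119.56.0/23", "128.177.14.0/24", "128.177.36.0/24",
    "135.84.168.0/21", "139.177.64.0/21", "139.177.72.0/23", "144.196.0.0/16",
    "150.253.156.128/25", "150.253.128.0/17", "170.72.0.0/16",
    "170.133.128.0/18", "185.115.196.0/22", "199.19.196.0/23",
    "199.19.199.0/24", "199.59.64.0/21",
)]

# Outbound rows of the port table: (label, protocol, destination port ranges).
OUTBOUND_RULES = [
    ("SIP TLS signaling", "tcp", [(5062, 5062), (8934, 8934)]),
    ("STUN", "udp", [(5004, 5004), (9000, 9000)]),
    ("SRTP media", "udp", [(8500, 8700), (19560, 65535)]),
    ("NTP", "udp", [(123, 123)]),
]

# Constructed log format: "<timestamp> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"\S+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify(proto, dst_ip, dst_port):
    """Return the rule label a flow falls under, or None if no listed rule covers it."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return None
    if not any(addr in net for net in WEBEX_CALLING_SUBNETS):
        return None
    for label, rule_proto, ranges in OUTBOUND_RULES:
        if proto == rule_proto and any(lo <= dst_port <= hi for lo, hi in ranges):
            return label
    return None


def blocked_required_flows(lines):
    """Return (label, dst_ip, dst_port) for every DENY entry that a listed rule requires."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue
        label = classify(m["proto"], m["dst"], int(m["dport"]))
        if label:
            hits.append((label, m["dst"], int(m["dport"])))
    return hits


def redundant_subnets():
    """Listed subnets that are already covered by a broader listed subnet."""
    return [str(a) for a in WEBEX_CALLING_SUBNETS
            if any(a != b and a.subnet_of(b) for b in WEBEX_CALLING_SUBNETS)]


# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-10T09:00:01Z DENY udp 10.1.4.20:19570 -> 139.177.65.10:19600",
    "2024-01-10T09:00:02Z DENY tcp 10.1.4.21:5061 -> 199.59.65.20:8934",
    "2024-01-10T09:00:03Z DENY tcp 10.1.4.22:51000 -> 203.0.113.9:8934",
    "2024-01-10T09:00:04Z DENY udp 10.1.4.23:40000 -> 170.72.10.5:53",
    "2024-01-10T09:00:05Z ALLOW udp 10.1.4.20:19571 -> 23.89.1.1:9000",
    "2024-01-10T09:00:06Z DENY udp 10.1.4.24:51494 -> 85.119.57.3:123",
]

if __name__ == "__main__":
    for hit in blocked_required_flows(SAMPLE_LOG):
        print("required flow denied:", hit)
    print("covered by a broader entry:", redundant_subnets())
```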
Webex Meetings/Messaging - Network Requirements
Onboard the MPP devices to the Webex Cloud for services like Call History, Directory Search, and Meetings. See the network requirements for these Webex services in Network Requirements for Webex Services. If you're using Meetings, Messaging, and other services from the Webex App, then ensure that the Domains/URLs/Addresses mentioned in this article are open.
References
To know What's new in Webex Calling, see What's new in Webex Calling
For Security requirements for Webex Calling, see Article
Webex Calling Media Optimization with Interactive Connectivity Establishment (ICE) Article
Document Revision History
| Date | We've made the following changes to this article |
|---|---|
| November 29, 2023 | Updated the IP Subnets for Webex Calling services to include a larger set of IP addresses to accommodate Webex Calling region expansion for future growth. The IP Subnets for Webex Calling services sections under Webex Calling (SIP TLS) and Call media to Webex Calling (STUN, SRTP) is updated for clarity on certificate-based trunking and the firewall requirements for Local Gateway. |
| August 14, 2023 | We’ve added the following IP addresses 144.196.33.0/25 and 150.253.156.128/25 to support increased capacity requirements for Edge and Webex Calling Services. |
| July 5, 2023 | Added the link https://binaries.webex.com to install the Cisco MPP Firmware. |
| March 7, 2023 | We've overhauled the entire article to include: |
| March 5, 2023 | Updating the article to include the following: |
| November 15, 2022 | We’ve added the following IP addresses for device configuration and firmware management (Cisco devices): We’ve removed the following IP addresses from device configuration and firmware management (Cisco devices): |
| November 14, 2022 | Added the IP subnet 170.72.242.0/24 for the Webex Calling service. |
| September 08, 2022 | The Cisco MPP Firmware transitions to use https://binaries.webex.com as the host URL for MPP firmware upgrades in all regions. This change improves firmware upgrade performance. |
| August 30, 2022 | Removed reference to Port 80 from Device configuration and firmware management (Cisco devices), Application configuration and CScan rows in the Port table as there’s no dependency. |
| August 18, 2022 | No change in the solution. Updated the destination ports 5062 (required for Certificate-based trunk), 8934 (required for Registration-based trunk) for Call signaling to Webex Calling (SIP TLS). |
| July 26, 2022 | Added the 54.68.1.225 IP Address, which is required for firmware upgrade of Cisco 840/860 devices. |
| July 21, 2022 | Updated the destination ports 5062, 8934 for Call signaling to Webex Calling (SIP TLS). |
| July 14, 2022 | Added the URLs that support a complete function of Webex Aware services. Added the IP subnet 23.89.154.0/25 for the Webex Calling service. |
| June 27, 2022 | Updated the Domain and URLs for Webex Calling services: *.broadcloudpbx.com *.broadcloud.com.au *.broadcloud.eu *.broadcloudpbx.net |
| June 15, 2022 | Added the following ports and protocols under IP Addresses and Ports for Webex Calling Services: Updated information in Webex Meetings/Messaging - Network Requirements section |
| May 24, 2022 | Added the IP subnet 52.26.82.54/24 to 52.26.82.54/32 for Webex Calling service |
| May 6, 2022 | Added the IP subnet 52.26.82.54/24 for Webex Calling service |
| April 7, 2022 | Updated the Local Gateway internal and external UDP port range to 8000-48198† |
| April 5, 2022 | Added the following IP subnets for Webex Calling service: |
| March 29, 2022 | Added the following IP subnets for Webex Calling service: |
| September 20, 2021 | Added 4 new IP subnets for Webex Calling service: |
| April 2, 2021 | Added *.ciscospark.com under Domains and URLs for Webex Calling Services to support Webex Calling use cases in Webex app. |
| March 25, 2021 | Added 6 new IP ranges for activate.cisco.com, which will come in effect starting May 8, 2021. |
| March 4, 2021 | Replaced Webex Calling discrete IPs and smaller IP ranges with simplified ranges in a separate table for ease of understanding for firewall configuration. |
| February 26, 2021 | Added 5004 as destination port for Call media to Webex Calling (STUN, SRTP) to support Interactive Connectivity Establishment (ICE) that will be available in Webex Calling in April 2021. |
| February 22, 2021 | Domains and URLs are now listed within a separate table. IP Addresses and Ports table are adjusted to group IP addresses for the same services. Adding the Notes column to the IP Addresses and Ports table that aids in understanding the requirements. Moving the following IP addresses to simplified ranges for device configuration and firmware management (Cisco devices): Adding the following IP addresses for Application Configuration because Cisco Webex client points to a newer DNS SRV in Australia in March 2021. |
| January 21, 2021 | We’ve added the following IP addresses to device configuration and firmware management (Cisco devices): We’ve removed the following IP addresses from device configuration and firmware management (Cisco devices): We’ve added the following IP addresses to the application configuration: We’ve removed the following IP addresses from the application configuration: We’ve removed the following port numbers from the application configuration: We’ve added the following domains to the application configuration: |
| December 23, 2020 | Added new Application Configuration IP addresses to the port reference images. |
| December 22, 2020 | Updated the Application Configuration row in the tables to include the following IP addresses: 135.84.171.154 and 135.84.172.154. Hid the network diagrams until these IP addresses are added. |
| December 11, 2020 | Updated the Device configuration and firmware management (Cisco devices) and the Application configuration rows for the supported Canadian domains. |
| October 16, 2020 | Updated the call signaling and media entries with the following IP addresses: |
| September 23, 2020 | Under CScan, replaced 199.59.64.156 with 199.59.64.197. |
| August 14, 2020 | Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 |
| August 12, 2020 | Added more IP addresses to support the introduction of data centers in Canada: |
| July 22, 2020 | Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146 |
| June 9, 2020 | We made the following changes to the CScan entry: |
| March 11, 2020 | We added the following domain and IP addresses to the application configuration: We updated the following domains with additional IP addresses to device configuration and firmware management: |
| February 27, 2020 | We added the following domain and ports to device configuration and firmware management: cloudupgrader.webex.com—443, 6970 |