Administration - Port Reference Information for Cisco Webex Calling

A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and local gateway and because Webex Calling is a global service, we recommend that you leave all of the ports listed below open.

Not all firewall configurations need ports to be open but if you're running inside-to-outside rules, you should open ports to allow the protocols required for service out. As long as you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device, you shouldn't need to open ports inbound on the firewall.

If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices.


Date	We've Made the Following Changes to this Article

October 16, 2020	Updated the call signaling and media entries with the following IP addresses: 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24
September 23, 2020	Under CScan, replaced 199.59.64.156 with 199.59.64.197.
August 14, 2020	Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24
August 12, 2020	Added more IP addresses to support the introduction of data centers in Canada: Call media to Webex Calling (SRTP)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 Call signaling to publicly addressed endpoints (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 Device configuration and firmware management (Cisco devices)—135.84.173.155,135.84.174.155 Device time synchronization—135.84.173.152, 135.84.174.152 Application configuration—135.84.173.154,135.84.174.154
July 22, 2020	Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146
June 9, 2020	We made the following changes to the CScan entry: Corrected one of the IP addresses—changed 199.59.67.156 to 199.59.64.156 New features required new ports as well as UDP—19560-19760
March 11, 2020	We added the following domain and IP addresses to application configuration: jp.bcld.webex.com—135.84.169.150 client-jp.bcld.webex.com idbroker.webex.com—64.68.99.6, 64.68.100.6 We updated the following domains with additional IP addresses to device configuration and firmware management: cisco.broadcloud.eu—85.119.56.198, 85.119.57.198 webapps.cisco.com—72.163.10.134 activation.webex.com—35.172.26.181, 52.86.172.220 cloudupgrader.webex.com—3.130.87.169, 3.20.185.219
February 27, 2020	We added the following domain and ports to device configuration and firmware management: cloudupgrader.webex.com—443, 6970

Service Provider
Value Added Reseller

Table 1. Webex Calling (Production)
Connection purpose	Source addresses	Source ports	Protocol	Destination addresses	Destination ports
Call signaling to Webex Calling (SIP TLS)	Local Gateway external (NIC)	8000-65535	TCP	85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25	8934
	Devices	5060-5080
	Applications	Ephemeral (OS dependent)
Call media to Webex Calling (SRTP)	Local Gateway external NIC	8000-48000^†	UDP	85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25	19560-65535
	Devices	19560-19660
	Applications	Ephemeral
Call signaling to PSTN gateway (SIP TLS)	Local Gateway internal NIC	8000-65535	TCP	Your ITSP PSTN GW or Unified CM	Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM)
Call media to PSTN gateway (SRTP)	Local Gateway internal NIC	8000-48000^†	UDP	Your ITSP PSTN GW or Unified CM	Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM)
Call signaling to publicly addressed endpoints (SIP TLS)	85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25	Ephemeral	TCP	Endpoint IP	8934
Device configuration and firmware management (Cisco devices)	Webex Calling devices	Ephemeral	TCP	3.20.185.219 3.130.87.169 35.172.26.181 52.86.172.220 72.163.10.134 85.119.56.128/26 85.119.56.198 85.119.57.128/26 85.119.57.198 135.84.169.186 135.84.170.186 135.84.173.155 135.84.174.155 173.37.149.125 199.59.64.143 199.59.65.228 199.59.66.228 199.59.67.143 *Domains: cisco-jp.bcld.webex.com cisco.broadcloud.com.au cisco.broadcloud.eu cisco.broadcloud.eu webapps.cisco.com activate.cisco.com activation.webex.com cisco.sipflash.com	80, 443
	Webex Calling devices	Ephemeral	TCP	**cloudupgrader.webex.com	**443, 6970
Device time synchronization (NTP)	Webex Calling devices	51494	UDP	85.119.56.128/26 85.119.57.128/26 135.84.169.154 135.84.170.154 135.84.173.152 135.84.174.152 199.59.64.152 199.59.65.181 199.59.66.181 199.59.67.152	123
Device name resolution	Webex Calling devices	Ephemeral	UDP and TCP	Host-defined	53
Application configuration	Webex Calling applications	Ephemeral	TCP	64.68.99.6 64.68.100.6 85.119.56.128/26 85.119.57.128/26 128.177.36.138 128.177.14.181 135.84.169.150 135.84.169.185 135.84.170.185 135.84.173.154 135.84.174.154 199.59.64.140 199.59.67.140 Domains: client-jp.bcld.webex.com jp.bcld.webex.com idbroker.webex.com	80, 443, 1081, 2208, 8443, 5222, 5280-5281, 52644-52645
Application time synchronization	Webex Calling applications	123	UDP	Host-defined	123
Application name resolution	Webex Calling applications	Ephemeral	UDP and TCP	Host-defined	53
CScan	Webex Calling applications	Ephemeral	UDP and TCP	135.84.169.183 135.84.173.146 185.115.196.0/25 199.59.65.243 199.59.64.197	8934 and 80, 443, 19569-19760

† CUBE media port range is configurable with rtp-port range

*When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com instead of webapps.cisco.com for provisioning. Phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com. We recommend that you allow both domains through your firewall.

**You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information.

Table 2. Webex Calling (Production)
Connection purpose	Source addresses	Source ports	Protocol	Destination addresses	Destination ports
Call signaling to Webex Calling (SIP TLS)	Local Gateway external NIC	8000-65535	TCP	85.119.56.128/26 85.119.57.128/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 128.177.14.0/25 128.177.36.0/26	8934
	Devices	5060-5080
	Applications	Ephemeral (OS dependent)
Call media to Webex Calling (SRTP)	Local Gateway external NIC	8000-48000^†	UDP	85.119.56.128/26 85.119.57.128/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 128.177.14.0/25 128.177.36.0/26	19560-65535
	Devices	19560-19660
	Applications	Ephemeral
Call signaling to PSTN gateway (SIP TLS)	Local Gateway internal NIC	8000-65535	TCP	Your ITSP, PSTN GW, or Unified CM	Depends on PSTN option, eg. Unified CM typically 5060 or 5061
Call media to PSTN gateway (SRTP)	Local Gateway internal NIC	8000-48000^†	UDP	Your ITSP, PSTN GW, or Unified CM	Depends on PSTN option
Call signaling to publicly addressed endpoints (SIP TLS)	85.119.56.128/26 85.119.57.128/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25	Ephemeral	TCP	Endpoint IP	8934
Device configuration and firmware management (Cisco devices)	Webex Calling devices	Ephemeral	TCP	3.130.87.169, 3.20.185.219 35.172.26.181, 52.86.172.220 72.163.10.134 85.119.56.198 85.119.57.198 135.84.169.186 135.84.170.186 135.84.173.155 135.84.174.155 173.37.149.125 199.59.64.143 199.59.65.228 199.59.66.228 199.59.67.143 *Domains: cisco-jp.bcld.webex.com cisco.broadcloud.eu cisco. broadcloud.com.au cisco.sipflash.com webapps.cisco.com activate.cisco.com activation.webex.com	80, 443
	Webex Calling devices	Ephemeral	TCP	**cloudupgrader.webex.com	**443, 6970
Device time synchronization (NTP)	Webex Calling devices	51494	UDP	85.119.56.218 85.119.57.218 135.84.169.154 135.84.170.154 135.84.173.152 135.84.174.152 199.59.64.152 199.59.65.181 199.59.66.181 199.59.67.152	123
Device name resolution	Webex Calling devices	Ephemeral	UDP and TCP	Host-defined	53
Application configuration	Webex Calling applications	Ephemeral	TCP	64.68.99.6 64.68.100.6 85.119.56.197 85.119.57.197 128.177.36.138 128.177.14.181 135.84.169.150 135.84.169.185 135.84.170.185 135.84.173.154 135.84.174.154 199.59.64.140 199.59.67.140 Domains: client-jp.bcld.webex.com jp.bcld.webex.com idbroker.webex.com	80, 443
Application time synchronization	Webex Calling applications	123	UDP	Host-defined	123
Application name resolution	Webex Calling applications	Ephemeral	UDP and TCP	Host-defined	53
CScan	Webex Calling applications	Ephemeral	UDP and TCP	135.84.169.183 135.84.173.146 185.115.196.129 199.59.65.243 199.59.64.197	8934 and 80, 443, 19560-19760

† CUBE media port range is configurable with rtp-port range

*When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones activate.cisco.com instead of webapps.cisco.com for provisioning. Phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com. We recommend that you allow both domains through your firewall.

**You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information.

Port Reference Information for Cisco Webex Calling

Was this article helpful?

What was great?

Where did we go wrong?

Thanks for your feedback.

Recently Viewed