A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and the local gateway. Because Webex Calling is a global service, we recommend that you leave all of the ports listed below open.
Not all firewall configurations need ports to be open, but if you're running inside-to-outside rules, you should open ports to allow the protocols required for the service outbound. As long as you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device, you shouldn't need to open ports inbound on the firewall.
If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of the service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices.
Date | We've Made the Following Changes to this Article |
---|---|
December 23, 2020 | Added new Application Configuration IP addresses to the port reference images. |
December 22, 2020 | Updated the Application Configuration row in the tables to include the following IP addresses: 135.84.171.154 and 135.84.172.154. Hid the network diagrams until these IP addresses can be added there as well. |
December 11, 2020 | Updated the Device configuration and firmware management (Cisco devices) and the Application configuration rows for the supported Canadian domains. |
October 16, 2020 | Updated the call signaling and media entries with the following IP addresses: |
September 23, 2020 | Under CScan, replaced 199.59.64.156 with 199.59.64.197. |
August 14, 2020 | Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25, 135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 |
August 12, 2020 | Added more IP addresses to support the introduction of data centers in Canada: |
July 22, 2020 | Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146 |
June 9, 2020 | We made the following changes to the CScan entry: |
March 11, 2020 | We added the following domain and IP addresses to application configuration: We updated the following domains with additional IP addresses to device configuration and firmware management: |
February 27, 2020 | We added the following domain and ports to device configuration and firmware management: cloudupgrader.webex.com—443, 6970 |
Connection purpose | Source addresses | Source ports | Protocol | Destination addresses | Destination ports |
---|---|---|---|---|---|
Call signaling to Webex Calling (SIP TLS) | Local Gateway external (NIC) | 8000-65535 | TCP | 85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 | 8934 |
Call signaling to Webex Calling (SIP TLS) | Devices | 5060-5080 | TCP | Same as the row above | 8934 |
Call signaling to Webex Calling (SIP TLS) | Applications | Ephemeral (OS dependent) | TCP | Same as the row above | 8934 |
Call media to Webex Calling (SRTP) | Local Gateway external NIC | 8000-48000† | UDP | 85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 | 19560-65535 |
Call media to Webex Calling (SRTP) | Devices | 19560-19660 | UDP | Same as the row above | 19560-65535 |
Call media to Webex Calling (SRTP) | Applications | Ephemeral | UDP | Same as the row above | 19560-65535 |
Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) |
Call media to PSTN gateway (SRTP) | Local Gateway internal NIC | 8000-48000† | UDP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) |
Call signaling to publicly addressed endpoints (SIP TLS) | 85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 | Ephemeral | TCP | Endpoint IP | 8934 |
Device configuration and firmware management (Cisco devices) | Webex Calling devices | Ephemeral | TCP | 3.20.185.219 3.130.87.169 35.172.26.181 52.86.172.220 72.163.10.134 85.119.56.128/26 85.119.56.198 85.119.57.128/26 85.119.57.198 135.84.169.186 135.84.170.186 135.84.173.155 135.84.174.155 173.37.149.125 199.59.64.143 199.59.65.228 199.59.66.228 199.59.67.143 *Domains: | 80, 443 |
Device configuration and firmware management (Cisco devices) | Webex Calling devices | Ephemeral | TCP | **cloudupgrader.webex.com | **443, 6970 |
Device time synchronization (NTP) | Webex Calling devices | 51494 | UDP | 85.119.56.128/26 85.119.57.128/26 135.84.169.154 135.84.170.154 135.84.173.152 135.84.174.152 199.59.64.152 199.59.65.181 199.59.66.181 199.59.67.152 | 123 |
Device name resolution | Webex Calling devices | Ephemeral | UDP and TCP | Host-defined | 53 |
Application configuration | Webex Calling applications | Ephemeral | TCP | 64.68.99.6 64.68.100.6 85.119.56.128/26 85.119.57.128/26 128.177.36.138 128.177.14.181 135.84.169.150 135.84.171.154 135.84.172.154 135.84.174.154 135.84.173.154 135.84.169.185 135.84.170.185 199.59.64.140 199.59.67.140 Domains: | 80, 443, 1081, 2208, 8443, 5222, 5280-5281, 52644-52645 |
Application time synchronization | Webex Calling applications | 123 | UDP | Host-defined | 123 |
Application name resolution | Webex Calling applications | Ephemeral | UDP and TCP | Host-defined | 53 |
CScan | Webex Calling applications | Ephemeral | UDP and TCP | 135.84.169.183 135.84.173.146 185.115.196.0/25 199.59.65.243 199.59.64.197 | 8934 and 80, 443, 19569-19760 |
† CUBE media port range is configurable with rtp-port range
*When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com instead of webapps.cisco.com for provisioning. Phones with a firmware release prior to 11.2(1) continue to use webapps.cisco.com. We recommend that you allow both domains through your firewall.
**You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information.
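
An added example (not part of the original article): a Python check of Local Gateway egress flows against the signaling and media rows of the table above. It also collapses the published prefixes into the smallest equivalent set for a firewall object group. The function names and sample flows are constructed for illustration.

```python
import ipaddress

# Destination ranges from the "Call signaling/media to Webex Calling" rows above.
WEBEX_CALLING_NETS = [ipaddress.ip_network(n) for n in """
85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26
135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25
135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24
139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24
139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24
185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24
199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25
199.59.70.0/25 199.59.71.0/25
""".split()]

# Local Gateway external NIC rows: (purpose, protocol, source ports, destination ports).
# 8000-48000 is the listed media range; adjust it if rtp-port range was changed on CUBE.
LGW_RULES = [
    ("signaling (SIP TLS)", "tcp", (8000, 65535), (8934, 8934)),
    ("media (SRTP)", "udp", (8000, 48000), (19560, 65535)),
]

def classify(proto, src_port, dst_ip, dst_port):
    """Return the matching connection purpose, or a string starting with 'DENY'."""
    ip = ipaddress.ip_address(dst_ip)
    if not any(ip in net for net in WEBEX_CALLING_NETS):
        return "DENY: destination outside published ranges"
    for purpose, rule_proto, (s_lo, s_hi), (d_lo, d_hi) in LGW_RULES:
        if proto == rule_proto and s_lo <= src_port <= s_hi and d_lo <= dst_port <= d_hi:
            return purpose
    return "DENY: protocol or port not in reference"

def collapsed_nets():
    """Merge adjacent prefixes into the smallest equivalent set of networks."""
    return list(ipaddress.collapse_addresses(WEBEX_CALLING_NETS))

# Constructed sample flows: (protocol, source port, destination IP, destination port).
SAMPLE_FLOWS = [
    ("tcp", 23456, "139.177.66.10", 8934),   # expected: signaling
    ("udp", 16384, "199.59.65.20", 24000),   # expected: media
    ("tcp", 23456, "199.59.65.200", 8934),   # 199.59.65.128/25 is not published
    ("udp", 50000, "135.84.171.5", 24000),   # source port above the media range
    ("tcp", 23456, "85.119.56.130", 5061),   # published address, unlisted port
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify(*flow))
    print(len(WEBEX_CALLING_NETS), "published prefixes collapse to", len(collapsed_nets()))
```

Flows that come back as DENY are candidates for review in the firewall log, not proof of a fault: the media source range in particular depends on the local CUBE configuration.
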
Connection purpose | Source addresses | Source ports | Protocol | Destination addresses | Destination ports |
---|---|---|---|---|---|
Call signaling to Webex Calling (SIP TLS) | Local Gateway external NIC | 8000-65535 | TCP | 85.119.56.128/26 85.119.57.128/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 128.177.14.0/25 128.177.36.0/26 | 8934 |
Call signaling to Webex Calling (SIP TLS) | Devices | 5060-5080 | TCP | Same as the row above | 8934 |
Call signaling to Webex Calling (SIP TLS) | Applications | Ephemeral (OS dependent) | TCP | Same as the row above | 8934 |
Call media to Webex Calling (SRTP) | Local Gateway external NIC | 8000-48000† | UDP | 85.119.56.128/26 85.119.57.128/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 128.177.14.0/25 128.177.36.0/26 | 19560-65535 |
Call media to Webex Calling (SRTP) | Devices | 19560-19660 | UDP | Same as the row above | 19560-65535 |
Call media to Webex Calling (SRTP) | Applications | Ephemeral | UDP | Same as the row above | 19560-65535 |
Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP, PSTN GW, or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) |
Call media to PSTN gateway (SRTP) | Local Gateway internal NIC | 8000-48000† | UDP | Your ITSP, PSTN GW, or Unified CM | Depends on PSTN option |
Call signaling to publicly addressed endpoints (SIP TLS) | 85.119.56.128/26 85.119.57.128/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 | Ephemeral | TCP | Endpoint IP | 8934 |
Device configuration and firmware management (Cisco devices) | Webex Calling devices | Ephemeral | TCP | 3.130.87.169 3.20.185.219 35.172.26.181 52.86.172.220 72.163.10.134 85.119.56.198 85.119.57.198 135.84.169.186 135.84.170.186 135.84.173.155 135.84.174.155 173.37.149.125 199.59.64.143 199.59.65.228 199.59.66.228 199.59.67.143 *Domains: | 80, 443 |
Device configuration and firmware management (Cisco devices) | Webex Calling devices | Ephemeral | TCP | **cloudupgrader.webex.com | **443, 6970 |
Device time synchronization (NTP) | Webex Calling devices | 51494 | UDP | 85.119.56.218 85.119.57.218 135.84.169.154 135.84.170.154 135.84.173.152 135.84.174.152 199.59.64.152 199.59.65.181 199.59.66.181 199.59.67.152 | 123 |
Device name resolution | Webex Calling devices | Ephemeral | UDP and TCP | Host-defined | 53 |
Application configuration | Webex Calling applications | Ephemeral | TCP | 64.68.99.6 64.68.100.6 85.119.56.197 85.119.57.197 128.177.36.138 128.177.14.181 135.84.169.150 135.84.171.154 135.84.172.154 135.84.173.154 135.84.174.154 135.84.169.185 135.84.170.185 199.59.64.140 199.59.67.140 Domains: | 80, 443 |
Application time synchronization | Webex Calling applications | 123 | UDP | Host-defined | 123 |
Application name resolution | Webex Calling applications | Ephemeral | UDP and TCP | Host-defined | 53 |
CScan | Webex Calling applications | Ephemeral | UDP and TCP | 135.84.169.183 135.84.173.146 185.115.196.129 199.59.65.243 199.59.64.197 | 8934 and 80, 443, 19560-19760 |
† CUBE media port range is configurable with rtp-port range
*When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com instead of webapps.cisco.com for provisioning. Phones with a firmware release prior to 11.2(1) continue to use webapps.cisco.com. We recommend that you allow both domains through your firewall.
**You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information.