A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and local gateway and because Webex Calling is a global service, we recommend that you leave all of the ports listed below open.
Not all firewall configurations need ports to be open but if you're running inside-to-outside rules, you should open ports to allow the protocols required for service out. As long as you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device, you shouldn't need to open ports inbound on the firewall.
 |
If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices. |
For details on network requirements for Webex Meetings and Messaging, see Network Requirements for Webex Services.
Webex Calling Traffic Through Firewall
Most customers deploy an internet firewall, or internet proxy and firewall, to restrict and control the HTTP based traffic that leaves and enters their network. As all Webex Calling endpoints don’t support http(s) proxy, please follow the firewall guidance below to enable access to Webex Calling services from your network.
Firewall Configuration
If your firewall supports URL filtering, configure the firewall to allow the Webex Calling destination URLs listed, which are outlined in the Domains and URLs for Webex Calling Services table.
However, if you are using a firewall that doesn’t support URL/domain filtering, configure the firewall to filter traffic using IP address ranges and ports listed in the IP Addresses and Ports for Webex Calling Services.
IP Addresses and Ports for Webex Calling Services
The following table describes ports and protocols that need to be opened on your firewall to allows cloud registered Webex apps, and devices to communicate with Webex Calling cloud signalling and media services.
|
IP Subnets for Webex Calling Services |
||
|---|---|---|
|
85.119.56.0/23 |
128.177.14.0/24 |
128.177.36.0/24 |
|
135.84.168.0/21 |
139.177.64.0/21 |
139.177.72.0/23 |
|
185.115.196.0/22 |
199.19.196.0/23 |
199.19.199.0/24 |
|
199.59.64.0/21 |
||
|
Connection purpose |
Source addresses |
Source ports |
Protocol |
Destination addresses |
Destination ports |
Notes |
|---|---|---|---|---|---|---|
|
Call signaling to Webex Calling (SIP TLS) |
Local Gateway external (NIC) | 8000-65535 |
TCP |
Refer to IP Subnets for Webex Calling Services. |
8934 |
These IPs/ports are needed for outbound SIP-TLS call signalling from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
|
Devices |
5060-5080 |
|||||
|
Applications |
Ephemeral (OS dependent) |
|||||
|
Call media to Webex Calling (STUN,SRTP) |
Local Gateway external NIC |
8000-48000† |
UDP |
Refer to IP Subnets for Webex Calling Services. |
5004,19560-65535 |
These IPs/ports are needed for outbound SRTP call media from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
|
Devices |
19560-19660 |
|||||
|
Applications |
Ephemeral |
|||||
| Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
| Call media to PSTN gateway (SRTP) | Local Gateway internal NIC |
8000-48000† |
UDP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
|
Call signaling to publicly addressed endpoints (SIP TLS) |
Refer to IP Subnets for Webex Calling Services. |
Ephemeral |
TCP |
Endpoint IP |
8934 |
These IPs/ports are needed for inbound SIP-TLS call signalling from Webex Calling Cloud (Source) to publicly addressed end points (Destination). |
|
Device configuration and firmware management (Cisco devices) |
Webex Calling devices |
Ephemeral |
TCP |
3.20.185.219 3.130.87.169 3.134.166.179 |
443,6970 |
*These IPs belong to cloudupgrader.webex.com. You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information. |
|
3.20.118.133 3.20.228.133 3.23.144.213 3.130.125.44 3.132.162.62 3.140.117.199 18.232.241.58 35.168.211.203 50.16.236.139 52.45.157.48 54.145.130.71 54.156.13.25 |
80,443 |
*These IPs belong to activation.webex.com. These IPs are needed for secure onboarding of devices (MPP phones) via 16 digit activation code (GDS). |
||||
|
72.163.10.96/27 72.163.15.64/26 72.163.15.128/26 72.163.24.0/23 173.36.127.0/26 173.36.127.128/26 173.37.26.0/23 173.37.149.96/27 192.133.220.0/26 192.133.220.64/26 |
80,443 |
These IPs belong to activate.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with newer firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall. |
||||
|
72.163.10.128/25 173.37.146.128/25 |
80,443 |
These IPs belong to webapps.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with older firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall. |
||||
|
Refer to IP Subnets for Webex Calling Services. |
80,443 |
These IPs are needed for Device configuration and firmware management for Webex Calling. |
||||
|
Device time synchronization (NTP) |
Webex Calling devices |
51494 |
UDP |
Refer to IP Subnets for Webex Calling Services. |
123 |
These IP addresses are needed for Time Synchronization for Devices (MPP phones, ATAs, and SPA ATAs) |
|
Device name resolution |
Webex Calling devices |
Ephemeral |
UDP and TCP |
Host-defined |
53 |
|
|
Application configuration |
Webex Calling applications |
Ephemeral |
TCP |
62.109.192.0/18 64.68.96.0/19 150.253.128.0/17 207.182.160.0/19 |
80, 443 |
These IPs belong to Webex Idbroker Authentication Services and used by clients, i.e. Webex Applications. |
|
Refer to IP Subnets for Webex Calling Services. |
80, 443, 8443 |
These IPs belong to Webex Calling application configuration services and used by clients, i.e.Webex Applications. |
||||
|
Application time synchronization |
Webex Calling applications |
123 |
UDP |
Host-defined |
123 |
|
|
Application name resolution |
Webex Calling applications |
Ephemeral |
UDP and TCP |
Host-defined |
53 |
|
|
Webex Calling applications |
Ephemeral |
UDP and TCP |
Refer to IP Subnets for Webex Calling Services. |
8934 and 80, 443, 19569-19760 |
These IPs are used by CScan services used by clients, i.e.Webex Applications. Go to cscan.webex.com for more information. |
† CUBE media port range is configurable with rtp-port range.
*These IP addresses/ranges are not owned by Cisco and are subject to change periodically. If you are using a firewall, we recommend to allow the urls listed.
Domains and URLs for Webex Calling Services
|
Domain / URL |
Description |
Webex apps and devices using these domains / URLs |
|---|---|---|
|
Cisco Webex Services |
||
|
*.broadcloudpbx.com |
Webex authorization micro-services for cross-launch from Control Hub to Calling Admin Portal. |
Control Hub |
|
*.broadcloud.com.au |
Webex Calling services in Australia. |
All |
|
*.broadcloud.eu |
Webex Calling services in Europe. |
All |
|
*.broadcloudpbx.net |
Calling client configuration and management services. |
Webex Apps |
|
*.cisco.com |
When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com and phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com for provisioning. |
MPP Phones, Control Hub |
|
*.ucmgmt.cisco.com |
Webex Calling services |
Control Hub |
|
*.webex.com |
Webex Core Services for Calling, Meeting, and Messaging like Authentication, etc. |
All |
|
*.wbx2.com and *.ciscospark.com |
Webex micro-services, like Software upgrade service. |
All |
|
Additional Webex-Related Services (Third-Party Domains) |
||
|
*.appdynamics.com *.eum-appdynamics.com |
Performance tracking, error and crash capture, session metrics. |
Control Hub |
|
*.huron-dev.com |
Webex Calling micro services like toggle services, phone number ordering, and assignment services. |
Control Hub |
|
*.sipflash.com |
Device management services (mostly for US). |
Webex Apps |
|
*.walkme.com *.walkmeusercontent.com |
Webex user guidance client. Provides onboarding and usage tours for new users. For more information about WalkMe, click here. |
Webex Apps |
If your network firewall supports domain allow lists for http(s) traffic, like *.webex.com, it is highly recommended to allow all of these domains.
Webex Meetings/Messaging - Network Requirements
If you are deploying Webex Calling with Webex Meetings and Messaging services, the network requirements for the Webex Meetings and Messaging services can be found in Network Requirements for Webex Services.
Document Revision History
|
Date |
We've Made the Following Changes to this Article |
|---|---|
|
April 2, 2021 |
Added *.ciscospark.com under Domains and URLs for Webex Calling Services to support Webex Calling use cases in Webex app. |
|
March 25, 2021 |
Added 6 new IP ranges for activate.cisco.com, which will come in effect starting May 8, 2021.
|
|
March 4, 2021 |
Replaced Webex Calling discrete IPs and smaller IP ranges with simplified ranges in a separate table for ease of understanding for firewall configuration. |
|
February 26, 2021 |
Added 5004 as destination port for Call media to Webex Calling (STUN,SRTP) to support Interactive Connectivity Establishment (ICE) that will be available in Webex Calling in April 2021. |
|
February 22, 2021 |
Domains and URLs are now listed within a separate table. IP Addresses and Ports table is adjusted to group IP addresses for the same services together. Notes column added to the IP Addresses and Ports table to better understand the needs. The following IP addresses were moved to simplified ranges for device configuration and firmware management (Cisco devices):
The following IP addresses were added for Application Configuration because Cisco Webex client is being pointed to a newer DNS SRV in Australia in March 2021.
|
|
January 21, 2021 |
We have added the following IP addresses to device configuration and firmware management (Cisco devices):
We have removed the following IP addresses from device configuration and firmware management (Cisco devices):
We have added the following IP addresses to application configuration:
We have removed the following IP addresses from application configuration:
We have removed the following port numbers from application configuration:
We have added the following domains to application configuration:
|
|
December 23, 2020 |
Added new Application Configuration IP addresses to the port reference images. |
|
December 22, 2020 |
Updated the Application Configuration row in the tables to include the following IP addresses: 135.84.171.154 and 135.84.172.154. Hid the network diagrams until these IP addresses can be added there as well. |
|
December 11, 2020 |
Updated the Device configuration and firmware management (Cisco devices) and the Application configuration rows for the supported Canadian domains. |
|
October 16, 2020 |
Updated the call signaling and media entries with the following IP addresses:
|
|
September 23, 2020 |
Under CScan, replaced 199.59.64.156 with 199.59.64.197. |
|
August 14, 2020 |
Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 |
|
August 12, 2020 |
Added more IP addresses to support the introduction of data centers in Canada:
|
|
July 22, 2020 |
Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146 |
|
June 9, 2020 |
We made the following changes to the CScan entry:
|
|
March 11, 2020 |
We added the following domain and IP addresses to application configuration:
We updated the following domains with additional IP addresses to device configuration and firmware management:
|
|
February 27, 2020 |
We added the following domain and ports to device configuration and firmware management: cloudupgrader.webex.com—443, 6970 |
Join the conversation
