A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and local gateway and because Webex Calling is a global service, we recommend that you leave all of the ports listed below open.
Not all firewall configurations need ports to be open but if you're running inside-to-outside rules, you should open ports to allow the protocols required for service out. As long as you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device, you shouldn't need to open ports inbound on the firewall.
If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices. |
For details on network requirements for Webex Meetings and Messaging, see Network Requirements for Webex Services.
IP Addresses and Ports for Webex Calling Services
Connection purpose |
Source addresses |
Source ports |
Protocol |
Destination addresses |
Destination ports |
Notes |
---|---|---|---|---|---|---|
Call signaling to Webex Calling (SIP TLS) |
Local Gateway external (NIC) | 8000-65535 |
TCP |
85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 |
8934 |
These IPs/ports are needed for outbound SIP-TLS call signalling from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
Devices |
5060-5080 |
|||||
Applications |
Ephemeral (OS dependent) |
|||||
Call media to Webex Calling (STUN,SRTP) |
Local Gateway external NIC |
8000-48000† |
UDP |
85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 |
5004,19560-65535 |
These IPs/ports are needed for outbound SRTP call media from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
Devices |
19560-19660 |
|||||
Applications |
Ephemeral |
|||||
Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
Call media to PSTN gateway (SRTP) | Local Gateway internal NIC |
8000-48000† |
UDP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
Call signaling to publicly addressed endpoints (SIP TLS) |
85.119.56.128/26 85.119.57.128/26 128.177.14.0/25 128.177.36.0/26 135.84.169.0/25 135.84.170.0/25 135.84.171.0/25 135.84.172.0/25 135.84.173.0/25 135.84.174.0/25 139.177.64.0/24 139.177.65.0/24 139.177.66.0/24 139.177.67.0/24 139.177.68.0/24 139.177.69.0/24 139.177.70.0/24 139.177.71.0/24 139.177.72.0/24 139.177.73.0/24 185.115.196.0/25 185.115.197.0/25 199.19.197.0/24 199.19.199.0/24 199.59.64.0/25 199.59.65.0/25 199.59.66.0/25 199.59.67.0/25 199.59.70.0/25 199.59.71.0/25 |
Ephemeral |
TCP |
Endpoint IP |
8934 |
These IPs/ports are needed for inbound SIP-TLS call signalling from Webex Calling Cloud (Source) to publicly addressed end points (Destination). |
Device configuration and firmware management (Cisco devices) |
Webex Calling devices |
Ephemeral |
TCP |
3.20.185.219 3.130.87.169 3.134.166.179 |
443,6970 |
*These IPs belong to cloudupgrader.webex.com. You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information. |
50.16.236.139 54.145.130.71 |
80,443 |
*These IPs belong to activation.webex.com. These IPs are needed for secure onboarding of devices (MPP phones) via 16 digit activation code (GDS). |
||||
72.163.10.96/27 173.37.149.96/27 |
80,443 |
These IPs belong to activate.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with newer firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall. |
||||
72.163.10.128/25 173.37.146.128/25 |
80,443 |
These IPs belong to webapps.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with older firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continues to use "webapps.cisco.com". We recommend that you allow both the domain names through your firewall. |
||||
85.119.56.128/26 85.119.56.198 85.119.57.128/26 85.119.57.198 135.84.169.186 135.84.170.186 135.84.173.155 135.84.174.155 199.59.64.143 199.59.65.228 199.59.66.228 199.59.67.143 |
80,443 |
These IPs are needed for Device configuration and firmware management for Webex Calling. |
||||
Device time synchronization (NTP) |
Webex Calling devices |
51494 |
UDP |
85.119.56.128/26 85.119.57.128/26 135.84.169.154 135.84.170.154 135.84.173.152 135.84.174.152 199.59.64.152 199.59.65.181 199.59.66.181 199.59.67.152 |
123 |
These IP addresses are needed for Time Synchronization for Devices (MPP phones, ATAs, and SPA ATAs) |
Device name resolution |
Webex Calling devices |
Ephemeral |
UDP and TCP |
Host-defined |
53 |
|
Application configuration |
Webex Calling applications |
Ephemeral |
TCP |
62.109.192.0/19 64.68.96.0/19 150.253.128.0/17 207.182.160.0/19 |
80, 443 |
These IPs belong to Webex Idbroker Authentication Services and used by clients, i.e. Webex Applications. |
85.119.56.128/26 85.119.57.128/26 128.177.36.138 128.177.14.181 135.84.169.150 135.84.171.154 135.84.172.154 135.84.174.154 135.84.173.154 135.84.169.185 135.84.170.185 199.59.64.140 199.59.64.237 199.59.67.140 199.59.67.237 |
80, 443, 8443 |
These IPs belong to Webex Calling application configuration services and used by clients, i.e.Webex Applications. |
||||
Application time synchronization |
Webex Calling applications |
123 |
UDP |
Host-defined |
123 |
|
Application name resolution |
Webex Calling applications |
Ephemeral |
UDP and TCP |
Host-defined |
53 |
|
Webex Calling applications |
Ephemeral |
UDP and TCP |
135.84.169.183 135.84.173.146 185.115.196.0/25 199.59.65.243 199.59.64.197 |
8934 and 80, 443, 19569-19760 |
These IPs are used by CScan services used by clients, i.e.Webex Applications. Go to cscan.webex.com for more information. |
† CUBE media port range is configurable with rtp-port range.
*These IP addresses/ranges are not owned by Cisco and are subject to change periodically. If you are using a firewall, we recommend to whitelist urls listed.
Domains and URLs for Webex Calling Services
Domain / URL |
Description |
Webex apps and devices using these domains / URLs |
---|---|---|
Cisco Webex Services |
||
*.broadcloudpbx.com |
Webex authorization micro-services for cross-launch from Control Hub to Calling Admin Portal. |
Control Hub |
*.broadcloud.com.au |
Webex Calling services in Australia. |
All |
*.broadcloud.eu |
Webex Calling services in Europe. |
All |
*.broadcloudpbx.net |
Calling client configuration and management services. |
Webex Apps |
*.cisco.com |
When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com and phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com for provisioning. |
MPP Phones, Control Hub |
*.ucmgmt.cisco.com |
Webex Calling services |
Control Hub |
*.webex.com |
Webex Core Services for Calling, Meeting, and Messaging like Authentication, etc. |
All |
*.wbx2.com |
Webex micro-services, like Software upgrade service. |
All |
Additional Webex-Related Services (Third-Party Domains) |
||
*.appdynamics.com *.eum-appdynamics.com |
Performance tracking, error and crash capture, session metrics. |
Control Hub |
*.huron-dev.com |
Webex Calling micro services like toggle services, phone number ordering, and assignment services. |
Control Hub |
*.sipflash.com |
Device management services (mostly for US). |
Webex Apps |
*.walkme.com *.walkmeusercontent.com |
Webex user guidance client. Provides onboarding and usage tours for new users. For more information about WalkMe, click here. |
Webex Apps |
If your network firewall supports domain whitelisting for http(s) traffic, like *.webex.com, it is highly recommended to whitelist all these domains.
Webex Meetings/Messaging - Network Requirements
If you are deploying Webex Calling with Webex Meetings and Messaging services, the network requirements for the Webex Meetings and Messaging services can be found in Network Requirements for Webex Services.
Document Revision History
Date |
We've Made the Following Changes to this Article |
---|---|
February 26, 2021 |
Added 5004 as destination port for Call media to Webex Calling (STUN,SRTP) to support Interactive Connectivity Establishment (ICE) that will be available in Webex Calling in April 2021. |
February 22, 2021 |
Domains and URLs are now listed within a separate table. IP Addresses and Ports table is adjusted to group IP addresses for the same services together. Notes column added to the IP Addresses and Ports table to better understand the needs. The following IP addresses were moved to simplified ranges for device configuration and firmware management (Cisco devices):
The following IP addresses were added for Application Configuration because Cisco Webex client is being pointed to a newer DNS SRV in Australia in March 2021.
|
January 21, 2021 |
We have added the following IP addresses to device configuration and firmware management (Cisco devices):
We have removed the following IP addresses from device configuration and firmware management (Cisco devices):
We have added the following IP addresses to application configuration:
We have removed the following IP addresses from application configuration:
We have removed the following port numbers from application configuration:
We have added the following domains to application configuration:
|
December 23, 2020 |
Added new Application Configuration IP addresses to the port reference images. |
December 22, 2020 |
Updated the Application Configuration row in the tables to include the following IP addresses: 135.84.171.154 and 135.84.172.154. Hid the network diagrams until these IP addresses can be added there as well. |
December 11, 2020 |
Updated the Device configuration and firmware management (Cisco devices) and the Application configuration rows for the supported Canadian domains. |
October 16, 2020 |
Updated the call signaling and media entries with the following IP addresses:
|
September 23, 2020 |
Under CScan, replaced 199.59.64.156 with 199.59.64.197. |
August 14, 2020 |
Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 |
August 12, 2020 |
Added more IP addresses to support the introduction of data centers in Canada:
|
July 22, 2020 |
Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146 |
June 9, 2020 |
We made the following changes to the CScan entry:
|
March 11, 2020 |
We added the following domain and IP addresses to application configuration:
We updated the following domains with additional IP addresses to device configuration and firmware management:
|
February 27, 2020 |
We added the following domain and ports to device configuration and firmware management: cloudupgrader.webex.com—443, 6970 |