A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and local gateway and because Webex Calling is a global service, we recommend that you leave all of the ports listed below open.

Not all firewall configurations need ports to be open but if you're running inside-to-outside rules, you should open ports to allow the protocols required for service out. As long as you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device, you shouldn't need to open ports inbound on the firewall.


If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices.

Date

We've Made the Following Changes to this Article

October 16, 2020

Updated the call signaling and media entries with the following IP addresses:

  • 139.177.64.0/24

  • 139.177.65.0/24

  • 139.177.66.0/24

  • 139.177.67.0/24

  • 139.177.68.0/24

  • 139.177.69.0/24

  • 139.177.70.0/24

  • 139.177.71.0/24

  • 139.177.72.0/24

  • 139.177.73.0/24

September 23, 2020

Under CScan, replaced 199.59.64.156 with 199.59.64.197.

August 14, 2020

Added more IP addresses to support the introduction of data centers in Canada:

Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24

August 12, 2020

Added more IP addresses to support the introduction of data centers in Canada:

  • Call media to Webex Calling (SRTP)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24

  • Call signaling to publicly addressed endpoints (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24

  • Device configuration and firmware management (Cisco devices)—135.84.173.155,135.84.174.155

  • Device time synchronization—135.84.173.152, 135.84.174.152

  • Application configuration—135.84.173.154,135.84.174.154

July 22, 2020

Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146

June 9, 2020

We made the following changes to the CScan entry:
  • Corrected one of the IP addresses—changed 199.59.67.156 to 199.59.64.156

  • New features required new ports as well as UDP—19560-19760

March 11, 2020

We added the following domain and IP addresses to application configuration:

  • jp.bcld.webex.com—135.84.169.150

  • client-jp.bcld.webex.com

  • idbroker.webex.com—64.68.99.6, 64.68.100.6

We updated the following domains with additional IP addresses to device configuration and firmware management:

  • cisco.broadcloud.eu—85.119.56.198, 85.119.57.198

  • webapps.cisco.com—72.163.10.134

  • activation.webex.com—35.172.26.181, 52.86.172.220

  • cloudupgrader.webex.com—3.130.87.169, 3.20.185.219

February 27, 2020

We added the following domain and ports to device configuration and firmware management:

cloudupgrader.webex.com—443, 6970

Table 1. Webex Calling (Production)

Connection purpose

Source addresses

Source ports

Protocol

Destination addresses

Destination ports

Call signaling to Webex Calling (SIP TLS)

Local Gateway external (NIC) 8000-65535

TCP

85.119.56.128/26

85.119.57.128/26

128.177.14.0/25

128.177.36.0/26

135.84.169.0/25

135.84.170.0/25

135.84.171.0/25

135.84.172.0/25

135.84.173.0/25

135.84.174.0/25

139.177.64.0/24

139.177.65.0/24

139.177.66.0/24

139.177.67.0/24

139.177.68.0/24

139.177.69.0/24

139.177.70.0/24

139.177.71.0/24

139.177.72.0/24

139.177.73.0/24

185.115.196.0/25

185.115.197.0/25

199.19.197.0/24

199.19.199.0/24

199.59.64.0/25

199.59.65.0/25

199.59.66.0/25

199.59.67.0/25

199.59.70.0/25

199.59.71.0/25

8934

Devices

5060-5080

Applications

Ephemeral (OS dependent)

Call media to Webex Calling (SRTP)

Local Gateway external NIC

8000-48000

UDP

85.119.56.128/26

85.119.57.128/26

128.177.14.0/25

128.177.36.0/26

135.84.169.0/25

135.84.170.0/25

135.84.171.0/25

135.84.172.0/25

135.84.173.0/25

135.84.174.0/25

139.177.64.0/24

139.177.65.0/24

139.177.66.0/24

139.177.67.0/24

139.177.68.0/24

139.177.69.0/24

139.177.70.0/24

139.177.71.0/24

139.177.72.0/24

139.177.73.0/24

185.115.196.0/25

185.115.197.0/25

199.19.197.0/24

199.19.199.0/24

199.59.64.0/25

199.59.65.0/25

199.59.66.0/25

199.59.67.0/25

199.59.70.0/25

199.59.71.0/25

19560-65535

Devices

19560-19660

Applications

Ephemeral

Call signaling to PSTN gateway (SIP TLS) Local Gateway internal NIC 8000-65535 TCP Your ITSP PSTN GW or Unified CM Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM)
Call media to PSTN gateway (SRTP) Local Gateway internal NIC

8000-48000

UDP Your ITSP PSTN GW or Unified CM Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM)

Call signaling to publicly addressed endpoints (SIP TLS)

85.119.56.128/26

85.119.57.128/26

128.177.14.0/25

128.177.36.0/26

135.84.169.0/25

135.84.170.0/25

135.84.171.0/25

135.84.172.0/25

135.84.173.0/25

135.84.174.0/25

139.177.64.0/24

139.177.65.0/24

139.177.66.0/24

139.177.67.0/24

139.177.68.0/24

139.177.69.0/24

139.177.70.0/24

139.177.71.0/24

139.177.72.0/24

139.177.73.0/24

185.115.196.0/25

185.115.197.0/25

199.19.197.0/24

199.19.199.0/24

199.59.64.0/25

199.59.65.0/25

199.59.66.0/25

199.59.67.0/25

199.59.70.0/25

199.59.71.0/25

Ephemeral

TCP

Endpoint IP

8934

Device configuration and firmware management (Cisco devices)

Webex Calling devices

Ephemeral

TCP

3.20.185.219

3.130.87.169

35.172.26.181

52.86.172.220

72.163.10.134

85.119.56.128/26

85.119.56.198

85.119.57.128/26

85.119.57.198

135.84.169.186

135.84.170.186

135.84.173.155

135.84.174.155

173.37.149.125

199.59.64.143

199.59.65.228

199.59.66.228

199.59.67.143

*Domains:

  • cisco-jp.bcld.webex.com

  • cisco.broadcloud.com.au

  • cisco.broadcloud.eu

  • cisco.broadcloud.eu

  • webapps.cisco.com

  • activate.cisco.com

  • activation.webex.com

  • cisco.sipflash.com

80, 443

**cloudupgrader.webex.com

**443, 6970

Device time synchronization (NTP)

Webex Calling devices

51494

UDP

85.119.56.128/26

85.119.57.128/26

135.84.169.154

135.84.170.154

135.84.173.152

135.84.174.152

199.59.64.152

199.59.65.181

199.59.66.181

199.59.67.152

123

Device name resolution

Webex Calling devices

Ephemeral

UDP and TCP

Host-defined

53

Application configuration

Webex Calling applications

Ephemeral

TCP

64.68.99.6

64.68.100.6

85.119.56.128/26

85.119.57.128/26

128.177.36.138

128.177.14.181

135.84.169.150

135.84.169.185

135.84.170.185

135.84.173.154

135.84.174.154

199.59.64.140

199.59.67.140

Domains:

  • client-jp.bcld.webex.com

  • jp.bcld.webex.com

  • idbroker.webex.com

80, 443, 1081, 2208, 8443, 5222, 5280-5281, 52644-52645

Application time synchronization

Webex Calling applications

123

UDP

Host-defined

123

Application name resolution

Webex Calling applications

Ephemeral

UDP and TCP

Host-defined

53

CScan

Webex Calling applications

Ephemeral

UDP and TCP

135.84.169.183

135.84.173.146

185.115.196.0/25

199.59.65.243

199.59.64.197

8934 and 80, 443, 19569-19760

† CUBE media port range is configurable with rtp-port range

*When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com instead of webapps.cisco.com for provisioning. Phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com. We recommend that you allow both domains through your firewall.

**You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information.

Table 2. Webex Calling (Production)

Connection purpose

Source addresses

Source ports

Protocol

Destination addresses

Destination ports

Call signaling to Webex Calling (SIP TLS)

Local Gateway external NIC

8000-65535

TCP

85.119.56.128/26

85.119.57.128/26

135.84.169.0/25

135.84.170.0/25

135.84.171.0/25

135.84.172.0/25

135.84.173.0/25

135.84.174.0/25

139.177.64.0/24

139.177.65.0/24

139.177.66.0/24

139.177.67.0/24

139.177.68.0/24

139.177.69.0/24

139.177.70.0/24

139.177.71.0/24

139.177.72.0/24

139.177.73.0/24

185.115.196.0/25

185.115.197.0/25

199.19.197.0/24

199.19.199.0/24

199.59.64.0/25

199.59.65.0/25

199.59.66.0/25

199.59.67.0/25

199.59.70.0/25

199.59.71.0/25

128.177.14.0/25

128.177.36.0/26

8934

Devices

5060-5080

Applications

Ephemeral (OS dependent)

Call media to Webex Calling (SRTP)

Local Gateway external NIC

8000-48000

UDP

85.119.56.128/26

85.119.57.128/26

135.84.169.0/25

135.84.170.0/25

135.84.171.0/25

135.84.172.0/25

135.84.173.0/25

135.84.174.0/25

139.177.64.0/24

139.177.65.0/24

139.177.66.0/24

139.177.67.0/24

139.177.68.0/24

139.177.69.0/24

139.177.70.0/24

139.177.71.0/24

139.177.72.0/24

139.177.73.0/24

185.115.196.0/25

185.115.197.0/25

199.19.197.0/24

199.19.199.0/24

199.59.64.0/25

199.59.65.0/25

199.59.66.0/25

199.59.67.0/25

199.59.70.0/25

199.59.71.0/25

128.177.14.0/25

128.177.36.0/26

19560-65535

Devices

19560-19660

Applications

Ephemeral

Call signaling to PSTN gateway (SIP TLS)

Local Gateway internal NIC

8000-65535

TCP

Your ITSP, PSTN GW, or Unified CM

Depends on PSTN option, eg. Unified CM typically 5060 or 5061

Call media to PSTN gateway (SRTP)

Local Gateway internal NIC

8000-48000

UDP

Your ITSP, PSTN GW, or Unified CM

Depends on PSTN option

Call signaling to publicly addressed endpoints (SIP TLS)

85.119.56.128/26

85.119.57.128/26

135.84.169.0/25

135.84.170.0/25

135.84.171.0/25

135.84.172.0/25

135.84.173.0/25

135.84.174.0/25

139.177.64.0/24

139.177.65.0/24

139.177.66.0/24

139.177.67.0/24

139.177.68.0/24

139.177.69.0/24

139.177.70.0/24

139.177.71.0/24

139.177.72.0/24

139.177.73.0/24

185.115.196.0/25

185.115.197.0/25

199.19.197.0/24

199.19.199.0/24

199.59.64.0/25

199.59.65.0/25

199.59.66.0/25

199.59.67.0/25

199.59.70.0/25

199.59.71.0/25

Ephemeral

TCP

Endpoint IP

8934

Device configuration and firmware management (Cisco devices)

Webex Calling devices

Ephemeral

TCP

3.130.87.169,

3.20.185.219

35.172.26.181,

52.86.172.220

72.163.10.134

85.119.56.198

85.119.57.198

135.84.169.186

135.84.170.186

135.84.173.155

135.84.174.155

173.37.149.125

199.59.64.143

199.59.65.228

199.59.66.228

199.59.67.143

*Domains:

  • cisco-jp.bcld.webex.com

  • cisco.broadcloud.eu

  • cisco. broadcloud.com.au

  • cisco.sipflash.com

  • webapps.cisco.com

  • activate.cisco.com
  • activation.webex.com

80, 443

**cloudupgrader.webex.com

**443, 6970

Device time synchronization (NTP)

Webex Calling devices

51494

UDP

85.119.56.218

85.119.57.218

135.84.169.154

135.84.170.154

135.84.173.152

135.84.174.152

199.59.64.152

199.59.65.181

199.59.66.181

199.59.67.152

123

Device name resolution

Webex Calling devices

Ephemeral

UDP and TCP

Host-defined

53

Application configuration

Webex Calling applications

Ephemeral

TCP

64.68.99.6

64.68.100.6

85.119.56.197

85.119.57.197

128.177.36.138

128.177.14.181

135.84.169.150

135.84.169.185

135.84.170.185

135.84.173.154

135.84.174.154

199.59.64.140

199.59.67.140

Domains:

  • client-jp.bcld.webex.com

  • jp.bcld.webex.com

  • idbroker.webex.com

80, 443

Application time synchronization

Webex Calling applications

123

UDP

Host-defined

123

Application name resolution

Webex Calling applications

Ephemeral

UDP and TCP

Host-defined

53

CScan

Webex Calling applications

Ephemeral

UDP and TCP

135.84.169.183

135.84.173.146

185.115.196.129

199.59.65.243

199.59.64.197

8934 and 80, 443, 19560-19760

† CUBE media port range is configurable with rtp-port range

*When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones activate.cisco.com instead of webapps.cisco.com for provisioning. Phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com. We recommend that you allow both domains through your firewall.

**You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information.