A correctly configured firewall is essential for a successful calling deployment. We require ports for signaling, media, network connectivity, and local gateway. Because Webex Calling is a global service, we recommend that you leave all of the ports listed below open.

Not all firewall configurations need ports to be open, but if you're running inside-to-outside rules, you should open ports to allow the required protocols out to the service. As long as you deploy NAT, define reasonable binding periods, and avoid manipulating SIP on the NAT device, you shouldn't need to open ports inbound on the firewall.


If a router or firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain correct operation of service. See the relevant manufacturer's documentation for information about how to disable SIP ALG on specific devices.

For details on network requirements for Webex Meetings and Messaging, see Network Requirements for Webex Services.

Webex Calling Traffic Through Firewall

Most customers deploy an internet firewall, or an internet proxy and firewall, to restrict and control the HTTP-based traffic that leaves and enters their network. As all Webex Calling endpoints don’t support HTTP(S) proxy, follow the firewall guidance below to enable access to Webex Calling services from your network.

Firewall Configuration

If your firewall supports URL filtering, configure the firewall to allow the Webex Calling destination URLs listed in the Domains and URLs for Webex Calling Services table.

However, if you are using a firewall that doesn’t support URL/domain filtering, configure the firewall to filter traffic using the IP address ranges and ports listed in the IP Addresses and Ports for Webex Calling Services table.

IP Addresses and Ports for Webex Calling Services

The following table describes the ports and protocols that need to be opened on your firewall to allow cloud-registered Webex apps and devices to communicate with Webex Calling cloud signalling and media services.

IP Subnets for Webex Calling Services

85.119.56.0/23

128.177.14.0/24

128.177.36.0/24

135.84.168.0/21

139.177.64.0/21

139.177.72.0/23

185.115.196.0/22

199.19.196.0/23

199.19.199.0/24

199.59.64.0/21

| Connection purpose | Source addresses | Source ports | Protocol | Destination addresses | Destination ports | Notes |
|---|---|---|---|---|---|---|
| Call signaling to Webex Calling (SIP TLS) | Local Gateway external (NIC) | 8000-65535 | TCP | Refer to IP Subnets for Webex Calling Services. | 8934 | These IPs/ports are needed for outbound SIP-TLS call signalling from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
| | Devices | 5060-5080 | | | | |
| | Applications | Ephemeral (OS dependent) | | | | |
| Call media to Webex Calling (STUN, SRTP) | Local Gateway external NIC | 8000-48000 | UDP | Refer to IP Subnets for Webex Calling Services. | 5004, 19560-65535 | These IPs/ports are needed for outbound SRTP call media from Local Gateways, Devices, and Applications (Source) to Webex Calling Cloud (Destination). |
| | Devices | 19560-19660 | | | | |
| | Applications | Ephemeral | | | | |
| Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
| Call media to PSTN gateway (SRTP) | Local Gateway internal NIC | 8000-48000 | UDP | Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
| Call signaling to publicly addressed endpoints (SIP TLS) | Refer to IP Subnets for Webex Calling Services. | Ephemeral | TCP | Endpoint IP | 8934 | These IPs/ports are needed for inbound SIP-TLS call signalling from Webex Calling Cloud (Source) to publicly addressed endpoints (Destination). |
| Device configuration and firmware management (Cisco devices) | Webex Calling devices | Ephemeral | TCP | 3.20.185.219, 3.130.87.169, 3.134.166.179 | 443, 6970 | *These IPs belong to cloudupgrader.webex.com. You need to enable cloudupgrader.webex.com and the 443, 6970 ports only when migrating from Enterprise phones (Cisco Unified CM) to Webex Calling. Go to upgrade.cisco.com for more information. |
| | | | | 3.20.118.133, 3.20.228.133, 3.23.144.213, 3.130.125.44, 3.132.162.62, 3.140.117.199, 18.232.241.58, 35.168.211.203, 50.16.236.139, 52.45.157.48, 54.145.130.71, 54.156.13.25 | 80, 443 | *These IPs belong to activation.webex.com. These IPs are needed for secure onboarding of devices (MPP phones) via 16-digit activation code (GDS). |
| | | | | 72.163.10.96/27, 72.163.15.64/26, 72.163.15.128/26, 72.163.24.0/23, 173.36.127.0/26, 173.36.127.128/26, 173.37.26.0/23, 173.37.149.96/27, 192.133.220.0/26, 192.133.220.64/26 | 80, 443 | These IPs belong to activate.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with newer firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continue to use "webapps.cisco.com". We recommend that you allow both domain names through your firewall. |
| | | | | 72.163.10.128/25, 173.37.146.128/25 | 80, 443 | These IPs belong to webapps.cisco.com. This domain is used for CDA / EDOS - MAC address based provisioning. Used by devices (MPP phones, ATAs, and SPA ATAs) with older firmware. When a phone connects to a network for the first time or after a factory reset, and there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use "activate.cisco.com" instead of "webapps.cisco.com" for provisioning. Phones with firmware release earlier than 11.2(1) continue to use "webapps.cisco.com". We recommend that you allow both domain names through your firewall. |
| | | | | Refer to IP Subnets for Webex Calling Services. | 80, 443 | These IPs are needed for device configuration and firmware management for Webex Calling. |
| Device time synchronization (NTP) | Webex Calling devices | 51494 | UDP | Refer to IP Subnets for Webex Calling Services. | 123 | These IP addresses are needed for time synchronization for devices (MPP phones, ATAs, and SPA ATAs). |
| Device name resolution | Webex Calling devices | Ephemeral | UDP and TCP | Host-defined | 53 | |
| Application configuration | Webex Calling applications | Ephemeral | TCP | 62.109.192.0/18, 64.68.96.0/19, 150.253.128.0/17, 207.182.160.0/19 | 80, 443 | These IPs belong to Webex Idbroker Authentication Services and are used by clients, i.e. Webex Applications. |
| | | | | Refer to IP Subnets for Webex Calling Services. | 80, 443, 8443 | These IPs belong to Webex Calling application configuration services and are used by clients, i.e. Webex Applications. |
| Application time synchronization | Webex Calling applications | 123 | UDP | Host-defined | 123 | |
| Application name resolution | Webex Calling applications | Ephemeral | UDP and TCP | Host-defined | 53 | |
| CScan | Webex Calling applications | Ephemeral | UDP and TCP | Refer to IP Subnets for Webex Calling Services. | 8934 and 80, 443, 19569-19760 | These IPs are used by CScan services used by clients, i.e. Webex Applications. Go to cscan.webex.com for more information. |

† CUBE media port range is configurable with rtp-port range.

*These IP addresses/ranges are not owned by Cisco and are subject to change periodically. If you are using a firewall, we recommend that you allow the URLs listed.
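
An added example, not part of the original article: a small audit that reads firewall deny records and reports any that fall inside the subnets and destination ports this page lists for outbound signaling, media, NTP and configuration, which indicates an egress rule is blocking required Webex Calling traffic. The deny-log format, the sample records and the function names are assumptions made for illustration; matching is on destination only, because NAT rewrites source ports, and CScan is not covered.

```python
import ipaddress

# Subnets copied from "IP Subnets for Webex Calling Services" on this page.
SUBNETS = [ipaddress.ip_network(n) for n in (
    "85.119.56.0/23", "128.177.14.0/24", "128.177.36.0/24", "135.84.168.0/21",
    "139.177.64.0/21", "139.177.72.0/23", "185.115.196.0/22", "199.19.196.0/23",
    "199.19.199.0/24", "199.59.64.0/21")]

# Outbound table rows whose destination is that subnet list:
# (connection purpose, protocol, inclusive destination port ranges).
REQUIRED = [
    ("Call signaling to Webex Calling (SIP TLS)", "tcp", [(8934, 8934)]),
    ("Call media to Webex Calling (STUN, SRTP)", "udp", [(5004, 5004), (19560, 65535)]),
    ("Device time synchronization (NTP)", "udp", [(123, 123)]),
    # 8443 is listed for application configuration only.
    ("Device or application configuration", "tcp", [(80, 80), (443, 443), (8443, 8443)]),
]

def classify(dst, proto, dport):
    """Return the table row a flow belongs to, or None if the page does not list it."""
    addr = ipaddress.ip_address(dst)
    if not any(addr in net for net in SUBNETS):
        return None
    for purpose, p, ranges in REQUIRED:
        if p == proto.lower() and any(lo <= dport <= hi for lo, hi in ranges):
            return purpose
    return None

def blocked_required(log_text):
    """Parse key=value deny records; return (purpose, record) for required flows."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if not {"proto", "dst", "dport"} <= fields.keys():
            continue  # not a flow record
        try:
            purpose = classify(fields["dst"], fields["proto"], int(fields["dport"]))
        except ValueError:
            continue  # malformed address or port
        if purpose:
            hits.append((purpose, line))
    return hits

# Constructed sample in a hypothetical log format, not output of a real firewall.
SAMPLE_DENY_LOG = """\
DENY proto=tcp src=10.1.1.20 sport=5062 dst=199.59.65.10 dport=8934
DENY proto=udp src=10.1.1.20 sport=19570 dst=139.177.73.20 dport=20000
DENY proto=tcp src=10.1.1.33 sport=51000 dst=199.19.198.5 dport=8934
DENY proto=udp src=10.1.1.40 sport=40000 dst=203.0.113.9 dport=5004
"""
```

Calling blocked_required(SAMPLE_DENY_LOG) reports the first two records; the third targets 199.19.198.5, which lies between the listed 199.19.196.0/23 and 199.19.199.0/24 ranges and is therefore not a Webex Calling destination on this page.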

Domains and URLs for Webex Calling Services

| Domain / URL | Description | Webex apps and devices using these domains / URLs |
|---|---|---|
| Cisco Webex Services | | |
| *.broadcloudpbx.com | Webex authorization micro-services for cross-launch from Control Hub to Calling Admin Portal. | Control Hub |
| *.broadcloud.com.au | Webex Calling services in Australia. | All |
| *.broadcloud.eu | Webex Calling services in Europe. | All |
| *.broadcloudpbx.net | Calling client configuration and management services. | Webex Apps |
| *.cisco.com | When a phone connects to a network for the first time or after a factory reset, if there are no DHCP options set up, it contacts a device activation server for zero touch provisioning. New phones use activate.cisco.com and phones with firmware release prior to 11.2(1), continue to use webapps.cisco.com for provisioning. | MPP Phones, Control Hub |
| *.ucmgmt.cisco.com | Webex Calling services | Control Hub |
| *.webex.com | Webex Core Services for Calling, Meeting, and Messaging like Authentication, etc. | All |
| *.wbx2.com and *.ciscospark.com | Webex micro-services, like Software upgrade service. | All |
| Additional Webex-Related Services (Third-Party Domains) | | |
| *.appdynamics.com, *.eum-appdynamics.com | Performance tracking, error and crash capture, session metrics. | Control Hub |
| *.huron-dev.com | Webex Calling micro services like toggle services, phone number ordering, and assignment services. | Control Hub |
| *.sipflash.com | Device management services (mostly for US). | Webex Apps |
| *.walkme.com, *.walkmeusercontent.com | Webex user guidance client. Provides onboarding and usage tours for new users. For more information about WalkMe, click here. | Webex Apps |

If your network firewall supports domain allow lists for http(s) traffic, like *.webex.com, it is highly recommended to allow all of these domains.

Webex Meetings/Messaging - Network Requirements

If you are deploying Webex Calling with Webex Meetings and Messaging services, the network requirements for the Webex Meetings and Messaging services can be found in Network Requirements for Webex Services.

Document Revision History

Date

We've Made the Following Changes to this Article

April 2, 2021

Added *.ciscospark.com under Domains and URLs for Webex Calling Services to support Webex Calling use cases in Webex app.

March 25, 2021

Added 6 new IP ranges for activate.cisco.com, which will come in effect starting May 8, 2021.

  • 72.163.15.64/26

  • 72.163.15.128/26

  • 173.36.127.0/26

  • 173.36.127.128/26

  • 192.133.220.0/26

  • 192.133.220.64/26

March 4, 2021

Replaced Webex Calling discrete IPs and smaller IP ranges with simplified ranges in a separate table for ease of understanding for firewall configuration.

February 26, 2021

Added 5004 as destination port for Call media to Webex Calling (STUN,SRTP) to support Interactive Connectivity Establishment (ICE) that will be available in Webex Calling in April 2021.

February 22, 2021

Domains and URLs are now listed within a separate table.

IP Addresses and Ports table is adjusted to group IP addresses for the same services together.

Notes column added to the IP Addresses and Ports table to better understand the needs.

The following IP addresses were moved to simplified ranges for device configuration and firmware management (Cisco devices):

activate.cisco.com

  • 72.163.10.125 -> 72.163.10.96/27

  • 173.37.149.125 -> 173.37.149.96/27

webapps.cisco.com

  • 173.37.146.134 -> 173.37.146.128/25

  • 72.163.10.134 -> 72.163.10.128/25

The following IP addresses were added for Application Configuration because Cisco Webex client is being pointed to a newer DNS SRV in Australia in March 2021.

  • 199.59.64.237

  • 199.59.67.237

January 21, 2021

We have added the following IP addresses to device configuration and firmware management (Cisco devices):

  • 3.134.166.179

  • 50.16.236.139

  • 54.145.130.71

  • 72.163.10.125

  • 72.163.24.0/23

  • 173.37.26.0/23

  • 173.37.146.134

We have removed the following IP addresses from device configuration and firmware management (Cisco devices):

  • 35.172.26.181

  • 52.86.172.220

  • 52.203.31.41

We have added the following IP addresses to application configuration:

  • 62.109.192.0/19

  • 64.68.96.0/19

  • 207.182.160.0/19

  • 150.253.128.0/17

We have removed the following IP addresses from application configuration:

  • 64.68.99.6

  • 64.68.100.6

We have removed the following port numbers from application configuration:

  • 1081, 2208, 5222, 5280-5281, 52644-52645

We have added the following domains to application configuration:

  • idbroker-b-us.webex.com

  • idbroker-eu.webex.com

  • ty6-wxt-jp.bcld.webex.com

  • os1-wxt-jp.bcld.webex.com

December 23, 2020

Added new Application Configuration IP addresses to the port reference images.

December 22, 2020

Updated the Application Configuration row in the tables to include the following IP addresses: 135.84.171.154 and 135.84.172.154.

Hid the network diagrams until these IP addresses can be added there as well.

December 11, 2020

Updated the Device configuration and firmware management (Cisco devices) and the Application configuration rows for the supported Canadian domains.

October 16, 2020

Updated the call signaling and media entries with the following IP addresses:

  • 139.177.64.0/24

  • 139.177.65.0/24

  • 139.177.66.0/24

  • 139.177.67.0/24

  • 139.177.68.0/24

  • 139.177.69.0/24

  • 139.177.70.0/24

  • 139.177.71.0/24

  • 139.177.72.0/24

  • 139.177.73.0/24

September 23, 2020

Under CScan, replaced 199.59.64.156 with 199.59.64.197.

August 14, 2020

Added more IP addresses to support the introduction of data centers in Canada:

Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24

August 12, 2020

Added more IP addresses to support the introduction of data centers in Canada:

  • Call media to Webex Calling (SRTP)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24

  • Call signaling to publicly addressed endpoints (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24

  • Device configuration and firmware management (Cisco devices)—135.84.173.155,135.84.174.155

  • Device time synchronization—135.84.173.152, 135.84.174.152

  • Application configuration—135.84.173.154,135.84.174.154

July 22, 2020

Added the following IP address to support the introduction of data centers in Canada: 135.84.173.146

June 9, 2020

We made the following changes to the CScan entry:
  • Corrected one of the IP addresses—changed 199.59.67.156 to 199.59.64.156

  • New features required new ports as well as UDP—19560-19760

March 11, 2020

We added the following domain and IP addresses to application configuration:

  • jp.bcld.webex.com—135.84.169.150

  • client-jp.bcld.webex.com

  • idbroker.webex.com—64.68.99.6, 64.68.100.6

We updated the following domains with additional IP addresses to device configuration and firmware management:

  • cisco.broadcloud.eu—85.119.56.198, 85.119.57.198

  • webapps.cisco.com—72.163.10.134

  • activation.webex.com—35.172.26.181, 52.86.172.220

  • cloudupgrader.webex.com—3.130.87.169, 3.20.185.219

February 27, 2020

We added the following domain and ports to device configuration and firmware management:

cloudupgrader.webex.com—443, 6970