You can use the following steps as guidelines to configure your web proxy server.

Before you begin

  • You must install a proxy server that can perform Transport Layer Security (TLS) interception, HTTP header insertion, and filter destinations using fully qualified domain names (FQDNs) or URLs.

    The following web proxy servers have been tested, and detailed configuration steps for each are provided below:

    • Cisco Web Security Appliance (WSA)

    • Blue Coat

  • To insert HTTP headers into an HTTPS connection, TLS interception must be configured on your proxy. Follow all the requirements specific to your proxy server.

1. Route all outbound traffic to Cisco Webex through your web proxy servers.

2. Enable TLS interception on the proxy server.

3. For each Cisco Webex request:

  1. Intercept the request.

  2. Add the HTTP header CiscoSpark-Allowed-Domains: with a comma-separated list of allowed domains. Your proxy server must insert this custom header into requests sent to the following destination domains: identity.webex.com, identity-eu.webex.com, idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-au.webex.com, and atlas-a.wbx2.com.

    For example, to allow users from the example.com domain, add:

    • CiscoSpark-Allowed-Domains:example.com

    • for domain(s):identity.webex.com, identity-eu.webex.com, idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-au.webex.com, atlas-a.wbx2.com

    If you have users in multiple email domains, you must include all the domains in the comma-separated list of allowed domains. For example, to allow users from the example.com, example1.com, and example2.com domains, add:

    • CiscoSpark-Allowed-Domains:example.com,example1.com,example2.com

    • for domain(s):identity.webex.com, identity-eu.webex.com, idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-au.webex.com, atlas-a.wbx2.com

People who attempt to sign in to Webex Teams from an unauthorized account receive an error.
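
The header-insertion rule from step 3, modeled as vendor-neutral Python (an added example, not Cisco's code and not a WSA or Blue Coat configuration). The function names are hypothetical, and replacing any client-supplied copy of the header is an assumption of this example.

```python
# Added example: vendor-neutral model of the proxy rule in step 3.
# Function names are hypothetical; host list and header name are from this page.
WEBEX_IDENTITY_HOSTS = frozenset({
    "identity.webex.com", "identity-eu.webex.com", "idbroker.webex.com",
    "idbroker-secondary.webex.com", "idbroker-b-us.webex.com",
    "idbroker-au.webex.com", "atlas-a.wbx2.com",
})
HEADER = "CiscoSpark-Allowed-Domains"


def build_header_value(domains):
    """Join allowed email domains into the comma-separated header value."""
    cleaned = []
    for raw in domains:
        domain = raw.strip().lower()
        # Reject empty entries and anything that could split the list or the
        # header line itself (commas, whitespace, CR/LF).
        if not domain or "." not in domain or any(c in domain for c in ", \t\r\n"):
            raise ValueError(f"invalid domain entry: {raw!r}")
        if domain not in cleaned:
            cleaned.append(domain)
    if not cleaned:
        raise ValueError("at least one allowed domain is required")
    return ",".join(cleaned)


def apply_rule(host, headers, allowed_domains):
    """Return the headers to forward for a decrypted request to `host`."""
    name = host.rsplit(":", 1)[0].rstrip(".").lower()  # drop port, trailing dot
    if name not in WEBEX_IDENTITY_HOSTS:  # exact match only, no suffix match
        return dict(headers)
    # Assumption of this example: drop any client-supplied copy (header names
    # are case-insensitive) so only the proxy's value reaches the destination.
    out = {k: v for k, v in headers.items() if k.lower() != HEADER.lower()}
    out[HEADER] = build_header_value(allowed_domains)
    return out


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = {"User-Agent": "demo", "ciscospark-allowed-domains": "personal.example"}
    print(apply_rule("idbroker.webex.com:443", sample, ["example.com", "example1.com"]))
    print(apply_rule("identity.webex.com.lookalike.example", sample, ["example.com"]))
```
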

You can use a Cisco Web Security Appliance (WSA) proxy server to intercept requests and limit the domains that are allowed. Custom headers that you add in WSA are applied to outgoing Transport Layer Security (TLS) traffic to request special handling from destination servers.

1. Access the WSA CLI.

2. Enter advancedproxyconfig.

3. Enter CUSTOMHEADERS.

4. Enter NEW.

5. Enter CiscoSpark-Allowed-Domains: EXAMPLE.COM.

    Where EXAMPLE.COM is the domain to use this header with.

6. Enter identity.webex.com, identity-eu.webex.com, idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-au.webex.com, atlas-a.wbx2.com.

7. Select Return.

8. Select Return and enter Commit.

You can create a policy in the Blue Coat Visual Policy Manager that intercepts the Transport Layer Security (TLS) traffic and adds the Webex Teams header.

1. In the Visual Policy Manager, select Policy > Add SSL Intercept Layer.

  1. Click Add rule, right-click the Action column, and select Set.

  2. Click New and select Enable HTTPS Interception.

  3. Modify the name, click OK, and then click OK.

2. Select Policy > Add Web Access Layer.

  1. Add Cisco Spark to the layer name.

  2. Click Add rule, right-click the Destination column and select Set.

    • Click New, select Request URL Object and for Simple Match URL, enter identity.webex.com, identity-eu.webex.com, idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-au.webex.com, atlas-a.wbx2.com.

    • Click Add, click Close, and then click OK.

  3. Right-click the Action column and select Set.

    • Click New, select Control Request Header, and modify the name to include Cisco Spark.

    • For Header Name enter CiscoSpark-Allowed-Domains, and in Set value add your enterprise domains. You can add multiple domains separated by commas.

    • Click OK and then click OK.

3. Click Install Policy.