Network requirements for Webex for Government (FedRAMP)
Government network requirement guidelines including IP ranges and port configuration for Webex Meetings and Webex Calling.
Meetings ports and IP ranges quick reference
The following IP ranges are utilized by sites deployed on the FedRAMP meeting cluster. For this document, these ranges are referred to as the 'Webex IP Ranges':
- 150.253.150.0/23 (150.253.150.0 to 150.253.151.255)
- 144.196.224.0/21 (144.196.224.0 to 144.196.231.255)
- 23.89.18.0/23 (23.89.18.0 to 23.89.19.255)
- 163.129.16.0/21 (163.129.16.0 to 163.129.23.255)
- 170.72.254.0/24 (170.72.254.0 to 170.72.254.255)
- 170.133.156.0/22 (170.133.156.0 to 170.133.159.255)
- 207.182.160.0/21 (207.182.160.0 to 207.182.167.255)
- 207.182.168.0/23 (207.182.168.0 to 207.182.169.255)
- 207.182.176.0/22 (207.182.176.0 to 207.182.179.255)
- 207.182.190.0/23 (207.182.190.0 to 207.182.191.255)
- 216.151.130.0/24 (216.151.130.0 to 216.151.130.255)
- 216.151.134.0/24 (216.151.134.0 to 216.151.134.255)
- 216.151.135.0/25 (216.151.135.0 to 216.151.135.127)
- 216.151.135.240/28 (216.151.135.240 to 216.151.135.255)
- 216.151.138.0/24 (216.151.138.0 to 216.151.138.255)
- 216.151.139.0/25 (216.151.139.0 to 216.151.139.127)
- 216.151.139.240/28 (216.151.139.241 to 216.151.139.254)
Deployed services
Services deployed on this IP range include, but are not limited to, the following:
- The meeting website (e.g., customersite.webex.com)
- Meeting data servers
- Multimedia servers for computer audio (VoIP) and webcam video
- XML/API services, including Productivity Tools scheduling
- Network-Based Recording (NBR) servers
- Secondary services when primary services are in maintenance or are experiencing technical difficulties
The following URIs are used to check the Certificate Revocation List (CRL) for our security certificates. The CRL check ensures that no compromised certificates can be used to intercept secure Webex traffic. This traffic occurs on TCP port 80:
- *.quovadisglobal.com
- *.digicert.com
- *.identrust.com (IdenTrust certificates)
The following User-Agent strings are sent by the utiltp process in Webex and should be allowed through an agency's firewall:
- UserAgent=WebexInMeetingWin
- UserAgent=WebexInMeetingMac
- UserAgent=prefetchDocShow
- UserAgent=standby
Include https://activation.webex.com/api/v1/ping in the allowed URLs. It is used as part of the device activation process, and "the device uses it before it knows it's a FedRAMP device. The device sends it an activation code with no FedRAMP information, the service sees that it's a FedRAMP activation code, and then it redirects them."
All FedRAMP traffic requires TLS 1.2 encryption and mTLS 1.2 encryption for on-prem SIP registered devices.
Ports used by Webex Meetings clients (including cloud-registered devices)
Protocol | Port number(s) | Direction | Traffic type | IP range | Comments |
---|---|---|---|---|---|
TCP | 80/443 | Outbound to Webex | HTTP, HTTPS | Webex and AWS (not recommended to filter by IP) | Webex recommends filtering by URL. If filtering by IP address, you must allow the AWS GovCloud, CloudFront, and Webex IP ranges. |
TCP/UDP | 53 | Outbound to local DNS | Domain Name Services (DNS) | Only DNS server | Used for DNS lookups to discover the IP addresses of Webex servers in the cloud. Even though typical DNS lookups are done over UDP, some may require TCP if the query responses cannot fit in UDP packets. |
UDP | 9000, 5004 | Outbound to Webex | Primary Webex client media (VoIP and video RTP) | Webex | The Webex client media port is used to exchange computer audio, webcam video, and content sharing streams. Opening this port is required to ensure the best possible media experience. |
TCP | 5004, 443, 80 | Outbound to Webex | Alternate Webex client media (VoIP and video RTP) | Webex | Fallback ports for media connectivity when UDP port 9000 is not open in the firewall. |
UDP/TCP | Audio: 52000 to 52049; Video: 52100 to 52199 | Inbound to your network | Webex client media (VoIP and video) | Return from AWS and Webex | Webex sends to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through. This is enabled by default. |
TCP/UDP | OS-specific ephemeral ports | Inbound to your network | Return traffic from Webex | Return from AWS and Webex | Webex sends to the destination port received when the client makes its connection. A firewall should be configured to allow these return connections through. This is usually opened automatically in a stateful firewall, but it is listed here for completeness. |
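The quick reference and the client port table together define an allowlist that can be checked mechanically. The following is an added example (not Cisco's code): it loads the published Webex IP Ranges and the outbound client ports above, then audits constructed firewall log lines for three conditions a defender cares about: a required Webex port that is denied, clients on the TCP/5004 fallback path (which means UDP 9000 is not reaching Webex), and an unlisted port open toward the Webex ranges. The log line format, the sample addresses inside 10.0.0.0/8, and the finding strings are assumptions of the example.

```python
"""Audit firewall flows against the Webex for Government Meetings allowlist.

Added example, not Cisco's code. CIDR list and port rules come from the quick
reference and the client port table above; the log format is constructed.
"""
import ipaddress
import re

# 'Webex IP Ranges' for the FedRAMP meeting cluster, as listed above.
WEBEX_IP_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "150.253.150.0/23", "144.196.224.0/21", "23.89.18.0/23", "163.129.16.0/21",
    "170.72.254.0/24", "170.133.156.0/22", "207.182.160.0/21", "207.182.168.0/23",
    "207.182.176.0/22", "207.182.190.0/23", "216.151.130.0/24", "216.151.134.0/24",
    "216.151.135.0/25", "216.151.135.240/28", "216.151.138.0/24", "216.151.139.0/25",
    "216.151.139.240/28",
)]

# Outbound client rules from the port table: protocol -> {destination port: purpose}.
OUTBOUND_RULES = {
    "tcp": {80: "HTTP", 443: "HTTPS", 5004: "fallback media"},
    "udp": {9000: "primary media", 5004: "primary media"},
}


def in_webex_ranges(ip: str) -> bool:
    """True if ip falls inside any published Webex IP Range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WEBEX_IP_RANGES)


def classify_outbound(proto: str, dst_ip: str, dst_port: int) -> str:
    """Classify an outbound flow: 'allowed', 'unexpected-port', or 'not-webex'."""
    if not in_webex_ranges(dst_ip):
        return "not-webex"
    return "allowed" if dst_port in OUTBOUND_RULES.get(proto.lower(), {}) else "unexpected-port"


# Constructed log line format (not a real vendor's):
#   proto=<tcp|udp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_RE = re.compile(r"proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def audit_log(lines):
    """Return findings for flows to the Webex IP Ranges.

    Reported: a required Webex port that is denied; TCP 5004 in use, meaning
    clients are on the fallback path because UDP 9000 is not reaching Webex;
    and an allowed port that the table does not list.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        proto, _src, dst, dport, action = m.groups()
        proto, dport = proto.lower(), int(dport)
        verdict = classify_outbound(proto, dst, dport)
        if verdict == "not-webex":
            continue  # outside the documented ranges; not covered by this table
        if verdict == "unexpected-port" and action == "allow":
            findings.append(f"unexpected {proto}/{dport} allowed to Webex range ({dst})")
        elif verdict == "allowed" and action == "deny":
            findings.append(f"required Webex flow {proto}/{dport} to {dst} is denied")
        elif proto == "tcp" and dport == 5004 and action == "allow":
            findings.append(f"media to {dst} is on TCP/5004 fallback; check that UDP 9000 is open")
    return findings


# Constructed sample: UDP 9000 blocked, clients falling back to TCP 5004, plus a stray SSH rule.
SAMPLE_LOG = [
    "proto=udp src=10.1.2.3 dst=150.253.150.10 dport=9000 action=deny",
    "proto=tcp src=10.1.2.3 dst=150.253.150.10 dport=5004 action=allow",
    "proto=tcp src=10.1.2.3 dst=150.253.150.10 dport=443 action=allow",
    "proto=tcp src=10.1.2.3 dst=8.8.8.8 dport=443 action=allow",
    "proto=tcp src=10.1.2.3 dst=216.151.139.250 dport=22 action=allow",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Run it as-is to see the three findings for the constructed sample; to use it against real logs, replace `LOG_RE` with a pattern for your firewall's export format. Note that the TCP/5004 check is the useful signal for degraded media: TCP 443/80 fallback is indistinguishable from ordinary HTTPS in a flow log, so only the 5004 case is flagged.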
For customers enabling Webex for Government who cannot use URL-based filtering for HTTPS, you must allow connectivity with AWS GovCloud West (region: us-gov-west-1) and CloudFront (service: CLOUDFRONT). Review the AWS documentation to identify the IP ranges for the AWS GovCloud West region and CloudFront. The AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html. Webex strongly recommends filtering by URL when possible.
CloudFront is used for static content delivered via a content delivery network (CDN) to give customers the best performance around the country.
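The AWS documentation referenced above publishes its ranges as a JSON file (ip-ranges.json) whose entries carry an `ip_prefix`, a `region`, and a `service`. The following is an added example (not Cisco's or AWS's code) of selecting just the entries a Webex for Government firewall needs: everything in region us-gov-west-1 plus every CLOUDFRONT entry. It collapses overlapping prefixes and diffs the result against the previous run, since AWS republishes the file and stale rules are the usual failure. The sample document is constructed from documentation-reserved addresses and is not real AWS data.

```python
"""Select the AWS GovCloud West and CloudFront prefixes a firewall must allow.

Added example, not Cisco's or AWS's code. It follows the published layout of
https://ip-ranges.amazonaws.com/ip-ranges.json (entries with ip_prefix, region,
service); the document below is constructed from documentation-reserved addresses.
"""
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (not real AWS data).
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "0000000001",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-gov-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-gov-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def parse_ip_ranges(text: str) -> dict:
    """Parse the downloaded ip-ranges.json document."""
    return json.loads(text)


def select_prefixes(doc, regions=("us-gov-west-1",), services=("CLOUDFRONT",)):
    """Return (ipv4, ipv6) prefix strings for entries in the given regions or
    services, with overlapping entries collapsed (AMAZON often supersets EC2)."""
    def wanted(entry):
        return entry["region"] in regions or entry["service"] in services

    v4 = [ipaddress.ip_network(e["ip_prefix"]) for e in doc["prefixes"] if wanted(e)]
    v6 = [ipaddress.ip_network(e["ipv6_prefix"]) for e in doc["ipv6_prefixes"] if wanted(e)]
    return ([str(n) for n in sorted(ipaddress.collapse_addresses(v4))],
            [str(n) for n in sorted(ipaddress.collapse_addresses(v6))])


def diff_prefixes(old, new):
    """Compare the previous and current prefix lists; returns (added, removed)
    so the firewall change can be reviewed before it is pushed."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


if __name__ == "__main__":
    doc = parse_ip_ranges(SAMPLE_IP_RANGES_JSON)
    v4, v6 = select_prefixes(doc)
    print("syncToken", doc["syncToken"], "IPv4:", v4, "IPv6:", v6)
    # Pretend the previous run only knew the GovCloud range.
    print("added/removed since last run:", diff_prefixes(["192.0.2.0/24"], v4))
```

In production, replace `SAMPLE_IP_RANGES_JSON` with the body fetched from the AWS URL and persist the `syncToken` alongside the prefix list so that a changed token triggers a re-diff.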
Ports used by premise-registered Cisco video collaboration devices
See also the Cisco Webex Meetings Enterprise Deployment Guide for Video Device-Enabled Meetings
Protocol | Port numbers | Direction | Access type | IP range | Comments |
---|---|---|---|---|---|
TCP | 5061-5070 | Outbound to Webex | SIP Signaling | Webex | The Webex media edge listens on these ports |
TCP | 5061, 5065 | Inbound to your network | SIP Signaling | Webex | Inbound SIP signaling traffic from the Webex cloud |
TCP | 5061 | Outbound to Webex | SIP signaling from cloud-registered devices | AWS | Inbound calls from Webex App 1:1 Calling and cloud-registered devices to your on-premise registered SIP URI. *5061 is the default port. Webex supports ports 5061-5070 for use by customers as defined in their SIP SRV record |
TCP/UDP | 1719, 1720, 15000-19999 | Outbound to Webex | H.323 LS | Webex | If your endpoint requires gatekeeper communication, also open port 1719, which includes Lifesize |
TCP/UDP | Ephemeral ports, 36000-59999 | Inbound | Media ports | Webex | If you're using a Cisco Expressway, the media ranges need to be set to 36000-59999. If you are using a third-party endpoint or call control, they need to be configured to use this range. |
TCP | 443 | Inbound | On-premise device proximity | Local network | The Webex app or Webex Desktop App must have an IPv4-routable path between itself and the video device using HTTPS |
If you are enabling Webex for Government and receive inbound calls from Webex App 1:1 Calling and cloud-registered devices to your on-premise registered SIP URI, you must also allow connectivity with AWS GovCloud West (region: us-gov-west-1). Review the AWS documentation to identify the IP ranges for the AWS GovCloud West region. The AWS documentation is available at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.
Ports used by Edge Audio
This is only required if you leverage Edge Audio.
Protocol | Port numbers | Direction | Access type | IP range | Comments |
---|---|---|---|---|---|
TCP | 5061-5062 | Inbound to your network | SIP Signaling | Webex | Inbound SIP signaling for Edge Audio |
TCP | 5061-5065 | Outbound to Webex | SIP Signaling | Webex | Outbound SIP signaling for Edge Audio |
TCP/UDP | Ephemeral ports, 8000-59999 | Inbound to your network | Media ports | Webex | On an enterprise firewall, ports need to be opened for incoming traffic to the Expressway with a port range of 8000-59999 |
Configure mTLS using the following options:
- Configure Expressway | Mutual TLS Authentication.
- Supported Root Certificate Authorities | Cisco Webex Audio and Video Platforms.
- Edge Audio | Configuration Guide.
Domains and URLs for Webex Calling services
A * shown at the beginning of a URL (for example, *.webex.com) indicates that services in the top-level domain and all subdomains are accessible.
Domain/URL | Description | Webex apps and devices using these domains/URLs |
---|---|---|
*.webex.com, *.cisco.com, *.webexgov.us | Core Webex Calling and Webex Aware services: identity provisioning, identity storage, authentication, OAuth services, and device onboarding. When a phone connects to a network for the first time or after a factory reset with no DHCP options set, it contacts a device activation server for zero-touch provisioning. New phones use activate.cisco.com; phones with firmware release earlier than 11.2(1) continue to use webapps.cisco.com for provisioning. Device firmware and locale updates are downloaded from binaries.webex.com. | All |
*.wbx2.com and *.ciscospark.com | Used for cloud awareness, CSDM, WDM, mercury, and so on. These services are necessary for the apps and devices to reach Webex Calling and Webex Aware services during and after onboarding. | All |
*.webexapis.com | Webex microservices that manage your applications and devices: profile picture service, whiteboarding service, proximity service, presence service, registration service, calendaring service, and search service. | All |
*.webexcontent.com | Webex Messaging service related to general file storage, including: user files, transcoded files, images, screenshots, whiteboard content, client and device logs, profile pictures, branding logos, log files, and bulk CSV export and import files (Control Hub). | Webex App messaging services. File storage using webexcontent.com replaced by clouddrive.com in October 2019. |
*.appdynamics.com *.eum-appdynamics.com | Performance tracking, error and crash capture, session metrics. | Control Hub |
*.huron-dev.com | Webex Calling micro services like toggle services, phone number ordering, and assignment services. | Control Hub |
*.sipflash.com | Device management services. Firmware upgrades and secure onboarding purposes. | Webex apps |
*.google.com, *.googleapis.com | Notifications to Webex apps on mobile devices (for example, a new message, or when a call is answered). For IP subnets, refer to these links. | Webex App |
IP subnets for Webex Calling services
- 23.89.18.0/23
- 163.129.16.0/21
- 150.253.150.0/23
- 144.196.224.0/21
- 144.196.16.0/24
Ports used by Webex Calling
Connection purpose | Source addresses | Source ports | Protocol | Destination addresses | Destination ports | Notes |
---|---|---|---|---|---|---|
Call signaling to Webex Calling (SIP TLS) | Local Gateway external NIC; devices; applications | Local Gateway: 8000-65535; devices: 5060-5080; applications: ephemeral (OS dependent) | TCP | Refer to IP subnets for Webex Calling services. | 5062, 8934 (devices: 8934) | These IPs/ports are needed for outbound SIP TLS call signaling from Local Gateways, devices, and applications (source) to the Webex Calling cloud (destination). Port 5062 is required for a certificate-based trunk, and port 8934 for a registration-based trunk. |
Call media to Webex Calling (SRTP) | Local Gateway external NIC; devices; applications | Local Gateway: 8000-48198†*; devices: 19560-19660; applications: 8500-8700 | UDP | Refer to IP subnets for Webex Calling services. | 8500-8700, 19560-65535 (SRTP over UDP) | STUN and ICE-Lite based media optimization is not supported for Webex for Government. These IPs/ports are used for outbound SRTP call media from Local Gateways, devices, and applications (source) to the Webex Calling cloud (destination). For certain network topologies where firewalls are used within a customer premise, allow access for the mentioned source and destination port ranges inside your network for the media to flow through. Example: for applications, allow the source and destination port range 8500-8700. |
Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 | TCP | Your ITSP PSTN GW or Unified CM | Depends on the PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
Call media to PSTN gateway (SRTP) | Local Gateway internal NIC | 8000-48198†* | UDP | Your ITSP PSTN GW or Unified CM | Depends on the PSTN option (for example, typically 5060 or 5061 for Unified CM) | |
Device configuration and firmware management (Cisco devices) | Webex Calling devices | Ephemeral | TCP | 3.20.185.219, 3.130.87.169, 3.134.166.179, 72.163.10.96/27, 72.163.15.64/26, 72.163.15.128/26, 72.163.24.0/23, 72.163.10.128/25, 173.37.146.128/25, 173.36.127.0/26, 173.36.127.128/26, 173.37.26.0/23, 173.37.149.96/27, 192.133.220.0/26, 192.133.220.64/26 | 443, 6970 | Required for the following reasons: |
Application configuration | Webex Calling applications | Ephemeral | TCP | 62.109.192.0/18, 64.68.96.0/19, 150.253.128.0/17, 207.182.160.0/19 | 443, 8443 | Used for IdBroker authentication, application configuration services for clients, browser-based web access for self-care, and administrative interface access. |
Device time synchronization (NTP) | Webex Calling devices | 51494 | UDP | Refer to IP subnets for Webex Calling services. | 123 | These IP addresses are needed for time synchronization for devices (MPP phones, ATAs, and SPA ATAs). |
Device name resolution and application name resolution | Webex Calling devices | Ephemeral | UDP and TCP | Host-defined | 53 | Used for DNS lookups to discover the IP addresses of Webex Calling services in the cloud. Even though typical DNS lookups are done over UDP, some may require TCP if the query responses cannot fit in UDP packets. |
Application time synchronization | Webex Calling applications | 123 | UDP | Host-defined | 123 | |
CScan | Web-based network readiness pre-qualification tool for Webex Calling | Ephemeral | UDP | Refer to IP subnets for Webex Calling services. | 19569-19760 | Web-based network readiness pre-qualification tool for Webex Calling. Go to cscan.webex.com for more information. |
Push notifications (APNS and FCM services) | Webex Calling applications | Ephemeral | TCP | Refer to the IP subnets mentioned under the links | 443, 2197, 5228, 5229, 5230, 5223 | Notifications to Webex apps on mobile devices (for example, when you receive a new message or when a call is answered) |
- †* The CUBE media port range is configurable with rtp-port range.
- If a proxy server address is configured for your apps and devices, the signaling traffic is sent to the proxy. Media (SRTP over UDP) is not sent to the proxy server; it must flow directly to your firewall instead.
- If you are using NTP and DNS services within your enterprise network, open ports 53 and 123 through your firewall.
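Both port tables on this page, and the closing note above, say that DNS needs TCP/53 as well as UDP/53 because a reply that does not fit in a UDP packet comes back truncated. The following is an added example (not Cisco's code) of what that fallback looks like at the protocol level: it builds a minimal RFC 1035 query, reads the TC flag from the reply header, and retries over TCP (with the 2-byte length framing) only when TC is set, discarding replies whose transaction ID does not match. The transports are fakes that return constructed packets so the example runs offline; the name example.webex.com and the transaction ID are sample values.

```python
"""DNS over UDP with TCP retry when the reply is truncated.

Added example, not Cisco's code. Builds and parses the 12-byte DNS header
defined in RFC 1035 to read the TC flag; the transports below are fakes that
return constructed packets, so the example runs offline.
"""
import struct

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal recursive query: header plus one question (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the fixed header; refuse short packets rather than guessing."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data: bytes) -> bytes:
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + length]


def resolve_with_fallback(name, txid, send_udp, send_tcp):
    """Query over UDP; retry over TCP only if the reply has TC set.

    send_udp(query) -> response bytes; send_tcp(framed_query) -> framed response.
    A reply whose transaction ID does not match is discarded, not trusted.
    Returns (transport_used, raw_response).
    """
    query = build_query(txid, name)
    resp = send_udp(query)
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("unexpected reply: id mismatch or not a response")
    if not hdr["tc"]:
        return "udp", resp
    resp = tcp_unframe(send_tcp(tcp_frame(query)))
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"] or hdr["tc"]:
        raise ValueError("TCP retry did not return a complete response")
    return "tcp", resp


# --- constructed fake resolver: UDP replies are truncated, TCP replies are complete ---
def fake_response(query: bytes, truncated: bool) -> bytes:
    """Echo the question back under a response header; no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def fake_udp(query): return fake_response(query, truncated=True)
def fake_tcp(framed): return tcp_frame(fake_response(tcp_unframe(framed), truncated=False))


if __name__ == "__main__":
    transport, _ = resolve_with_fallback("example.webex.com", 0x1234, fake_udp, fake_tcp)
    print("answer obtained over", transport)  # tcp, because the UDP reply was truncated
```

To run it against a real resolver, implement `send_udp` and `send_tcp` with sockets to the DNS server on port 53; the point for the firewall rule is that the second call only ever happens on TCP/53, which is why both tables list TCP alongside UDP.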