Webex 服务的网络要求

Document Revision History

This article is intended for network administrators, particularly firewall and proxy security administrators, who want to use the Webex Suite of cloud collaboration services within their organization. The primary focus of this document is on the network requirements of Webex Meetings and Webex Messaging, and the document also provides links to documents that describe the network requirements for Webex Calling.

This article will help you configure network access to the Webex suite of services used by:

Cloud registered Webex app clients for Meetings, Messaging, and Calling
Cloud registered Webex Meetings Centre app clients
Cloud registered Cisco Video devices, Cisco IP Phones, Cisco video devices, and third-party devices that use SIP to connect to the Webex Suite services.

This document primarily focuses on the network requirements of Webex cloud registered products that use HTTPS signaling to communicate with Webex Suite services but also separately describes the network requirements for products that use SIP signaling to the Webex cloud. 以下将简要介绍这些差异：

Webex 支持的设备类型和协议摘要

云注册 Webex 应用程序和设备

所有云注册 Webex 应用程序和设备都使用 HTTPS 与 Webex 消息和会议服务进行通信：

The Webex app uses HTTPS signaling for Webex messaging and meeting services. The Webex app can also use the SIP protocol to join Webex meetings, but this is subject to the user either being called via their SIP address or choosing to dial a SIP URL to join a meeting (rather than use the meeting functionality native to the Webex app).
Cloud registered Cisco Video devices use HTTPS signaling for all Webex services.
当设备的 Webex Edge 功能被禁用时，通过 SIP 注册的本地设备也可使用 HTTPS 信令。This feature allows Webex devices to be administered via Webex Control Hub and to participate in Webex Meetings using HTTPS signaling (for details, see https://help.webex.com/en-us/cy2l2z/Webex-Edge-for-Devices).

Webex cloud and on-premises call control registered devices using SIP
The Webex Calling service and on-premises call control products such as Cisco Unified CM use SIP as their call control protocol. Cisco Video devices, Cisco IP Phones, and 3rd party products can join Webex Meetings using SIP. For on-premises SIP-based call control products such as Cisco Unified CM, a SIP session is established through a border controller such as Expressway C & E, or CUBE SBC for calls to and from the Webex Cloud.

For details on the specific network requirements for the Webex Calling service see: https://help.webex.com/en-us/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling

云注册 Webex 应用程序和设备的传输协议和加密密码

All cloud registered Webex apps and Cisco Video devices initiate outbound connections only. Cisco’s Webex Cloud never initiates outbound connections to cloud registered Webex apps and Cisco Video devices, but can make outbound calls to SIP devices.

Webex services for meetings and messaging are hosted in globally distributed data centers that are either Cisco owned (e.g. Webex data centers for identity services, meeting services, and media servers) or hosted in a Cisco Virtual Private Cloud (VPC) on the Amazon AWS platform (e.g. Webex messaging micro-services, messaging storage services). Webex services also reside in Microsoft Azure data centers for Video Interop with Microsoft Teams (VIMT).

流量的类型：

Webex app and Cisco Video devices establish signaling and media connections to the Webex cloud.

Signaling traffic
Webex app and Cisco Video devices use HTTP as HTTP over TLS (HTTPS) and Secure Web Sockets (WSS) over TLS for REST based signaling to the Webex cloud. Signaling connections are outbound only and use URLs for session establishment to Webex services.

TLS signaling connections to Webex services use TLS version 1.2 or 1.3. The cipher selection is based on the Webex server TLS preference.

Using either TLS 1.2 or 1.3, Webex prefers ciphers suites using:

ECDHE for key negotiation
RSA-based certificates (3072-bit key size)
SHA2 authentication (SHA384 or SHA256)
Strong encryption ciphers using 128 or 256 bits (for example, AES_256_GCM)

Webex supports cipher suites in the following preference order for TLS version 1.2 connections*:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Note - CBC mode encryption is supported for older browsers without more secure GCM mode encryption.

Webex supports cipher suites in the following preference order for TLS version 1.3 connections*:

TLS_AES_256_GCM_SHA384
TLS_CHACHA_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

Note – With TLS 1.3, ECDHE key negotiation and RSA-based certificates are a mandatory part of the specification and this detail is therefore omitted in the cipher suite description.

*The cipher suites and cipher suite preference order may vary for some Webex services

Establishing signaling connections to Webex services using URLs
If you have deployed proxies, or firewalls to filter traffic leaving your enterprise network, the list of destination URLs that need to be allowed to access the Webex service can be found in the section "Domains and URLs that need to be accessed for Webex Services".

Webex strongly recommends that you do not alter or delete HTTP header values as they pass through your proxy/ firewall unless permitted in these guidelines https://www.w3.org/TR/ct-guidelines/#sec-altering-header-values. Modification or deleting of HTTP headers outside of these guidelines can impact access to Webex Services, including loss of access to Webex services by Webex apps and Cisco Video devices.

不支持按 IP 地址过滤 Webex 信令流量，因为 Webex 使用的 IP 地址是动态的，随时可能更改。

Media traffic
The Webex app and Cisco Video devices encrypt real-time media for audio, video, and content sharing streams using the following encryption ciphers:

AES-256-GCM 密码
AES-CM-128-HMAC-SHA1-80 密码

AES-256-GCM is the preferred encryption cipher by the Webex app and Cisco Video devices to encrypt real time media.

AES-CM-128-HMAC-SHA1 is a mature cipher that has proven interoperability between vendors. AES-CM-128-HMAC-SHA1 is typically used to encrypt media to Webex services from endpoints using SRTP with SIP signaling (e.g. Cisco and 3rd party SIP devices).

In preference order, Webex apps and Cisco Video devices support UDP, TCP and TLS as media transport protocols. If UDP ports are blocked by your firewall, Webex apps and Cisco Video devices will fall back to TCP. If TCP ports are blocked Webex apps and Cisco Video devices will fall back to TLS.

UDP – Cisco recommended media transport protocol
In line with RFC 3550 RTP – A Transport Protocol for Real-Time Applications, Cisco prefers and strongly recommends UDP as the transport protocol for all Webex voice and video media streams.

Disadvantages of using TCP as a media transport protocol
Webex apps and Cisco Video devices also support TCP as a fall-back media transport protocol. 但是，Cisco 不建议将 TCP 作为语音和视频媒体流的传输协议。这是因为 TCP 是面向连接的，旨在可靠地将排序正确的数据传递给上层协议。在使用 TCP 时，发送方将重新传输丢失的数据包，直到它们被确认，而接收方会缓冲数据包流，直到丢失的数据包被恢复。对于媒体流而言，这种行为表现为延迟/抖动增加，而这又会影响通话参加者所体验的媒体质量。

Disadvantages of using TLS as a media transport protocol
Encrypted TCP connections (TLS) can suffer from a further degradation in media quality due to potential Proxy server bottlenecks. If TLS is used as the media transport protocol by Webex apps and Cisco Video devices with a configured proxy server, this media traffic will be routed through your proxy server which can create bandwidth bottlenecks and subsequent packet loss. Cisco strongly recommends that TLS is not used to transport media in production environments.

Webex 媒体使用出站至 Webex 云的对称的内部发起 5 元组（源 IP 地址、目标 IP 地址、源端口、目标端口、协议）流来双向流动。

The Webex app and Cisco Video devices also use STUN (RFC 5389) for firewall traversal and media node reachability testing. 有关更多详细信息，请参阅 Webex 防火墙技术文件。

Webex – Destination IP address ranges for media
To reach Webex media servers that process media traffic leaving your enterprise network, you must allow the IP subnets that host these media services to be reachable via your Enterprise firewall. 您可以在 Webex 媒体服务的 IP 子网部分查看发送到 Webex 媒体节点的媒体流量目标 IP 地址范围。

通过代理和防火墙的 Webex 流量

大多数客户部署互联网防火墙或互联网代理和防火墙，以限制和控制离开和进入其网络的 HTTP 流量。按照下面的防火墙和代理指南，启用从您的网络访问 Webex 服务。如果您仅使用防火墙，请注意，不支持使用 IP 地址过滤 Webex 信令流量，因为 Webex 信令使用的 IP 地址是动态的，随时可能更改。If your firewall supports URL filtering, configure the firewall to allow the Webex destination URLs listed in the section "Domains and URLs that need to be accessed for Webex Services".

Webex 服务 - 端口号和协议

The following table describes ports and protocols that need to be opened on your firewall to allows cloud registered Webex apps and Cisco Video devices to communicate with Webex cloud signaling and media services.

The Webex apps, devices, and services covered in this table include:
The Webex app, Cisco Video devices, Video Mesh Node, Hybrid Data Security node, Directory Connector, Calendar Connector, Management Connector, Serviceability Connector.
For guidance on ports and protocols for devices and Webex services using SIP can be found in the section "Network requirements for SIP based Webex services".

Webex 服务 - 端口号和协议
目标端口	协议	描述	使用此规则的设备
443	TLS	Webex HTTPS 信令。向 Webex 服务建立会话是基于定义的 URL，而不是 IP 地址。 If you are using a proxy server, or your firewall supports DNS resolution; refer to the section "Domains and URLs that need to be accessed for Webex Services" to allow signaling access to Webex services.	所有
123 (1)	UDP	网络时间协议 (NTP)	所有
53 (1)	UDP TCP	域名系统 (DNS) 用于 DNS 查找，以发现 Webex 云中的服务的 IP 地址。大部分 DNS 查询通过 UDP 进行；但是，DNS 查询也可以通过 TCP 进行。	所有
5004 和 9000	UDP 上的 SRTP	Encrypted audio, video, and content sharing on the Webex App and Cisco Video devices For a list of destination IP subnets refer to the section "IP subnets for Webex media services".	Webex App Cisco Video Devices Video Mesh Nodes
50,000 – 53,000	UDP 上的 SRTP	加密的音频、视频和视频内容共享 - 仅视频网格节点	视频网格节点
5004	TCP 上的 SRTP	在无法使用 UDP 时，TCP 用作加密的音频、视频和内容共享的回退传输协议。 For a list of destination IP subnets refer to the section "IP subnets for Webex media services".	Webex App Cisco Video Devices Video Mesh Nodes
443	TLS 上的 SRTP	在无法使用 UDP 和 TCP 时用作加密的音频、视频和内容共享的回退传输协议。 Media over TLS is not recommended in production environments For a list of destination IP subnets refer to the section "IP subnets for Webex media services".	Webex App Cisco Video Devices

如果您在企业网络中使用 NTP 和 DNS 服务，则端口 53 和 123 无需通过防火墙打开。

MTU size for Webex IPv4 and IPv6 Traffic

Webex supports both IPv4 and IPv6 for signaling and media services. For most customers, supporting Webex over IPv4 and IPv6 should not present any issues. Still, issues can arise if your network's Maximum Transmissible Unit (MTU) is set to non-default values.

The Maximum Transmissible Unit (MTU) is the maximum size of the IP packet that can be transmitted over a network link without fragmentation. The IPv6 RFC mandates a minimum MTU size of 1280 bytes. Most routing and switching devices support a default maximum MTU size of 1500 bytes on all interfaces.

IPv6 adds additional overhead to IP packets, which increases packet size compared to IPv4 traffic. The IPv6 RFC mandates a minimum MTU size of 1280 bytes.

Webex recommends keeping the default maximum transmission unit (MTU) size of 1500 bytes for all IP packets received and sent on your network. If you need to reduce the MTU size in your network, Webex recommend reducing this to no less than 1300 bytes.

Webex 媒体服务的 IP 子网

The majority of Webex media services are hosted in Cisco data centers.

Cisco also supports Webex media services in Microsoft Azure data centers for Video Integration with Microsoft Teams (VIMT). Microsoft has reserved its IP subnets for Cisco's sole use, and media services located in these subnets are secured within Microsoft Azure virtual network instances. For guidance on VIMT deployment, see https://help.webex.com/en-us/article/nffx8kj/Deploy-the-Webex-video-integration-for-Microsoft-Teams.

Configure your firewall to allow access to these destinations, Webex IP subnets, and transport protocol ports for media streams from Webex apps and devices.

Webex apps and Cisco Video devices support UDP, TCP, and TLS as media transport protocols. If UDP ports are blocked by your firewall, Webex apps and Cisco Video devices will fall back to TCP. If TCP ports are blocked, Webex apps and Cisco Video devices will fall back to TLS.

UDP is Cisco’s preferred transport protocol for media, and we strongly recommend using only UDP to transport media. Webex apps and Cisco Video devices also support TCP and TLS as transport protocols for media, but these are not recommended in production environments as the connection-orientated nature of these protocols can seriously affect media quality over lossy networks.
注：
以下为 Webex 媒体服务的 IP 子网。不支持按 IP 地址过滤 Webex 信令流量，因为 Webex 使用的 IP 地址是动态的，随时可能更改。HTTP signaling traffic to Webex services can be filtered by URL/domain in your Enterprise Proxy server before being forwarded to your firewall.

媒体服务的 IP 子网
4.152.214.0/24*	66.114.160.0/20
4.158.208.0/24*	66.163.32.0/19
4.175.120.0/24*	69.26.160.0/19
20.50.235.0/24*	114.29.192.0/19
20.53.87.0/24*	144.196.0.0/16
20.57.87.0/24*	150.253.128.0/17
20.68.154.0/24*	163.129.0.0/16
20.76.127.0/24*	170.72.0.0/16
20.108.99.0/24*	170.133.128.0/18
20.120.238.0/23*	173.39.224.0/19
23.89.0.0/16	173.243.0.0/20
40.119.234.0/24*	207.182.160.0/19
44.234.52.192/26	209.197.192.0/19
52.232.210.0/24*	210.4.192.0/20
62.109.192.0/18	216.151.128.0/19
64.68.96.0/19

* Azure data centers – used to host Video Integration for Microsoft Teams (aka Microsoft Cloud Video Interop) services

Webex apps and Cisco Video Devices perform tests to detect the reachability of, and round-trip time to, a subset of nodes in each media cluster available to your organization. 媒体节点可达性通过 UDP、TCP 和 TLS 传输协议进行测试，在启动、网络更改时发生，并在应用程序或设备运行时定期发生。The results of these tests are stored and sent to the Webex cloud prior to joining a meeting or a call. The Webex cloud uses these reachability test results to assign the Webex app/ Webex device the best media server for the call based on transport protocol (UDP preferred), round trip time, and media server resource availability.

Cisco does not support or recommend filtering a subset of IP addresses based on a particular geographic region or cloud service provider. 按地区过滤可能导致会议体验严重下降，最严重的情况包括完全无法加入会议。

如果您已经将防火墙配置为仅允许向上述 IP 子网的子集传输流量，您仍然可能会看到可访问性测试流量穿越您的网络，以尝试访问这些被阻止的 IP 子网中的媒体节点。Media nodes on IP subnets that are blocked by your firewall will not be used by Webex apps and Cisco Video devices.

Webex 信令流量和企业代理配置

许多组织使用代理服务器来检查和控制离开其网络的 HTTP 流量。代理可用于执行若干安全功能，例如允许或阻止访问特定 URL、用户验证、IP 地址/域/主机名/URI 信誉查找以及流量解密和检查。代理服务器通常也用作可以将基于 HTTP 的发往互联网的流量转发到企业防火墙的唯一路径，从而允许防火墙将出站互联网流量限制为仅源自这些代理服务器的流量。代理服务器必须配置为允许 Webex 信令流量访问下文中列出的域/URL：

Webex strongly recommends that you do not alter or delete HTTP header values as they pass through your proxy/ firewall unless permitted in these guidelines https://www.w3.org/TR/ct-guidelines/#sec-altering-header-values. Modification or deleting of HTTP headers outside of these guidelines can impact access to Webex Services, including loss of access to Webex services by Webex apps and Cisco Video devices.

针对 Webex 服务需要访问的域和 URL

注：URL 开头显示的 *（例如 *.webex.com）表示顶级域和所有子域中的服务都必须可访问。

Cisco Webex 服务 URL
域/URL	描述	使用这些域/URL 的 Webex 应用程序和设备
.webex.com .cisco.com .wbx2.com .ciscospark.com *.webexapis.com	Webex 微服务。 For example : Webex Meetings services Messaging services File management service Key management service Software upgrade service Profile picture service Whiteboarding service Proximity service Presence service Registration service Calendaring service Search service Identity services Authentication OAuth services Device onboarding Cloud Connected UC	所有
*.webexcontent.com (1)	Webex storage for user-generated content and logs, including: Shared files, Transcoded files, Images, Screenshots, Whiteboard content, Client & device logs, Profile pictures, Branding logos, images Log files Bulk CSV export files & import files (Control Hub)	All
其他 Webex 相关服务 - Cisco 拥有的域
URL	描述	使用这些域/URL 的 Webex 应用程序和设备
*.accompany.com	People Insights 集成	Webex 应用程序
其他 Webex 相关服务 - 第三方域
URL	描述	使用这些域/URL 的 Webex 应用程序和设备
.sparkpostmail1.com .sparkpostmail.com	时事通讯、注册信息、公告的电子邮件服务	所有
*.giphy.com	允许用户共享 GIF 图像。此功能缺省为开启状态，但可在 Control Hub 中禁用	Webex 应用程序
safebrowsing.googleapis.com	Used to perform safety checks on URLs before unfurling them in the message stream. 此功能缺省为开启状态，但可在 Control Hub 中禁用	Webex 应用程序
*.walkme.com s3.walkmeusercontent.com	Webex 用户指南客户端。Provides onboarding and usage tours for new users For more info, see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/	Webex 基于 Web 的应用程序
speech.googleapis.com texttospeech.googleapis.com speech-services-manager-a.wbx2.com	Google Speech 服务。Webex Assistant 用它来处理语音识别和文字到语音转换。Disabled by default, opt-in via Control Hub. 也可针对每个设备禁用助理。	Webex Room Kit and Cisco Video devices Details of Cisco Video devices that support Webex Assistant are documented here: https://help.webex.com/hzd1aj/Enable-Cisco-Webex-Assistant
msftncsi.com/ncsi.txt captive.apple.com/hotspot-detect.html	Third-party internet connectivity checks to identify cases where there is a network connection but no connection to the Internet. The Webex app performs its own internet connectivity checks but can also use these 3rd party URLs as a fallback.	Webex 应用程序
.appdynamics.com .eum-appdynamics.com	性能跟踪、错误和崩溃捕捉、会话指标 (1)	Webex 应用程序 Webex Web 应用程序
*.amplitude.com	A/B 测试和指标 (1)	Webex Web App Webex Android App
.livestream.webex.com .vbrickrev.com	This domain is used by attendees viewing Webex Events and Webcasts	Webex Events, Webex Webcasts
.slido.com .sli.do *.data.logentries.com slido-assets-production.s3.eu-west-1.amazonaws.com	Used for Slido PPT add-in and to allow Slido webpages to create polls/quizzes in pre-meeting Used for exporting questions and answers, poll results, etc, from Slido	所有
.quovadisglobal.com .digicert.com .godaddy.com .identrust.com *.lencr.org	用于从证书颁发机构请求证书吊销列表 - 注意：Webex 支持通过 CRL 和 OCSP Stapling 来判断证书的吊销状态。 With OCSP stapling, Webex apps and devices do not need to contact these Certificate Authorities	所有
*.intel.com	用于针对通过 Webex 应用程序和设备所使用背景图像发送的证书，请求证书吊销列表并检查 Intel OCSP 服务的证书状态	所有
.google.com .googleapis.com	给移动设备上 Webex 应用程序的通知（例如新消息） Google Firebase Cloud Messaging (FCM) 服务 https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall Apple 推送通知服务 (APNS) https://support.apple.com/en-us/HT203609 注 - 对于 APNS，Apple 仅列出该服务的 IP 子网	Webex 应用程序
cdnjs.cloudflare.com cdn.jsdelivr.net static2.sharepointonline.com appsforoffice.microsoft.com	URLs for Webex Scheduler for Microsoft Outlook Microsoft Outlook users can use the Webex Scheduler to schedule Webex meetings or Webex Personal Room meetings directly from Microsoft Outlook in any browser. For details see:单击这里	所有
Core Webex services being deprecated
URL	描述	使用这些域/URL 的 Webex 应用程序和设备
*.clouddrive.com	Webex storage for user generated content and logs File storage on clouddrive.com was replaced by webexcontent.com in Oct 2019 Organizations with long retention periods for user generated content may still be using cloudrive.com to store older files	所有
*.ciscosparkcontent.com	日志文件上传日志文件存储服务现在使用 *.webexcontent.com 域	Webex App
*.rackcdn.com	*.clouddrive.com 域的内容分发网络 (CDN)	所有

(1) Webex 通过第三方对数据收集和崩溃及使用情况指标收集进行诊断和故障排除。Webex 隐私数据手册中介绍了可能发送给这些第三方网站的数据。有关详细信息，请参阅：

Content Delivery Networks used by Webex Services
Webex uses Content Delivery Network (CDN) services to efficiently deliver static files and content to Webex apps and devices. 如果您使用代理服务器控制对 Webex 服务的访问，则无需将 CDN 域添加到 Webex 服务允许的域列表中（因为 DNS 解析为 CDN CNAME 的操作在初始 URL 过滤后由您的代理执行）。If you are not using a Proxy server (e.g. you are only using a firewall to filter URLs), DNS resolution is performed by the OS of your Webex app / device, and you will need to add the following CDN URLs to the domain to allow list in your firewall :

*.cloudfront.net

*.akamaiedge.net

*.akamai.net

*.fastly.net

用于 Webex 混合服务的其他 URL

将代理配置为允许访问下表中 Webex 混合服务的 URL。可通过将代理配置为仅允许混合服务节点的源 IP 地址访问这些 URL，以限制对这些外部域的访问。

Cisco Webex 混合服务 URL
URL	描述	用于：
.docker.com (1) .docker.io (1) *dkr.ecr.us-east-1.amazonaws.com	混合服务容器	视频网格节点混合数据安全节点
*s3.amazonaws.com (1)	日志文件上传	视频网格节点混合数据安全节点
*.cloudconnector.webex.com	User Synchronization	混合服务目录连接器

(1) We plan to phase out the use of *.docker.com and *.docker.io for Hybrid Services Containers, eventually replacing them with subdomains in *.amazonaws.com.
注：
If you use a Cisco Web Security Appliance (WSA) Proxy and want to automatically update the URLs used by Webex services, please refer to the WSA Webex Services configuration document for guidance on how to deploy a Webex External Feed-in AsyncOS for Cisco Web Security.

For a CSV file containing the list of Webex Services URIs, see: Webex Services CSV File

代理服务器必须配置为允许 Webex 信令流量访问上一部分中列出的域/URL。 Support for additional proxy features relevant to Webex services is discussed below:

代理功能

代理验证支持

Proxies can be used as access control devices, blocking access to external resources until the user/device provides valid access permission credentials to the proxy. Several authentication methods are supported by Proxies, such as Basic Authentication, Digest Authentication (Windows-based) NTLM, Kerberos, and Negotiate (Kerberos with NTLM fallback).

For the “No Authentication” case in the table below, the device can be configured with a Proxy address but does not support authentication. When Proxy Authentication is being used, valid credentials must be configured and stored in the OS of Webex App or Cisco Video Device.

For Cisco Video devices and the Webex App, Proxy addresses can be configured manually via the platform OS, or device UI, or automatically discovered using mechanisms such as:

Web 代理自动发现 (WPAD) 和/或代理自动配置 (PAC) 文件：

产品	验证类型	代理配置
Mac 版 Webex	不验证、基本、NTLM (1)	手动、WPAD、PAC
Windows 版 Webex	不验证、基本、NTLM (2)、协商	手动、WPAD、PAC、GPO
iOS 版 Webex	不验证、基本、摘要、NTLM	手动、WPAD、PAC
Android 版 Webex	不验证、基本、摘要、NTLM	手动、PAC
Webex Web 应用程序	不验证、基本、摘要、NTLM、协商	通过 OS 提供支持
Cisco Video devices	不验证、基本、摘要	WPAD、PAC 或手动
Webex 视频网格节点	不验证、基本、摘要、NTLM	手动
混合数据安全节点	不验证、基本、摘要	手动
混合服务主机管理连接器	不验证、基本	手动配置 Expressway C：应用程序 > 混合服务 > 连接器代理
混合服务：Directory Connector	不验证、基本、NTLM	通过 Windows OS 提供支持
混合服务 Expressway C：日历连接器	不验证、基本、NTLM	手动配置 Expressway C： Applications > Hybrid Services > Connector Proxy : Username Password Expressway C: 应用程序 > 混合服务 > 日历连接器 > Microsoft Exchange > 基本和/或 NTLM
混合服务 Expressway C：呼叫连接器	不验证、基本	手动配置 Expressway C：应用程序 > 混合服务 > 连接器代理

(1): Mac NTLM Auth - Machine need not be logged onto the domain, user prompted for a password
(2): Windows NTLM Auth - Supported only if a machine is logged onto the domain

Guidance on Proxy settings for Windows OS
Microsoft Windows supports two network libraries for HTTP traffic (WinINet and WinHTTP) that allow Proxy configuration. WinInet 专为单用户桌面客户端应用程序设计；WinHTTP 主要针对基于
服务器的多用户应用程序设计。WinINet 是 WinHTTP 的超集；在两者之间选择时，您应使用 WinINet 进行代理配置设置。For more info, see https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-vs-winhttp

代理检查和证书置顶

The Webex app and Cisco Video devices validate the certificates of the servers they establish TLS sessions with. Certificate checks such as, the certificate issuer and digital signature, rely upon verifying the chain of certificates up to the root certificate. To perform these validation checks, the app or device uses a set of trusted root CA certificates installed in the operating system trust store.

If you have deployed a TLS-inspecting Proxy to intercept, decrypt, and inspect Webex traffic, ensure that the certificate the Proxy presents (in lieu of the Webex service certificate) has been signed by a certificate authority whose root certificate is installed in the trust store of your Webex App or Webex device. 对于 Webex 应用程序，用于签署代理使用的证书的 CA 证书需要安装到设备的操作系统中。For Cisco Video devices, open a service request with TAC to install this CA certificate into the RoomOS software.

The table below shows the Webex app and Webex device support for TLS inspection by Proxy servers:

产品	支持自定义受信任 CA 以进行 TLS 检查
Webex 应用程序（Windows、Mac、iOS、Android、Web）	Yes*
Cisco Video Devices	有
Cisco Webex 视频网	有
混合数据安全服务	有
混合服务 - 目录、日历、管理连接器	不支持

"* 注 - Webex 应用程序不支持代理服务器对 Webex Meetings 媒体服务的 TLS 会话进行解密和检查。If you wish to inspect traffic sent to services in the webex.com domain, you must create a TLS inspection exemption for traffic sent to *mcs*.webex.com, *cb*.webex.com and *mcc*.webex.com.
Note - The Webex app does not support SNI extension for TLS based media connections. 如果代理服务器必须使用 SNI 扩展，Webex 音频和视频服务则会连接失败。

802.1X – 基于端口的网络访问控制

产品	支持 802.1X	笔记
Webex 应用程序（Windows、Mac、iOS、Android、Web）	有	通过 OS 提供支持
Cisco Video Devices	有	EAP-FAST EAP-MD5 EAP-PEAP EAP-TLS EAP-TTLS 通过 GUI 或 Touch 10 配置 802.1X 通过 HTTP 接口上传证书
视频网格节点	不支持	使用 MAC 地址旁路
混合数据安全服务	不支持	使用 MAC 地址旁路
混合服务 - 目录、日历、管理连接器	不支持	使用 MAC 地址旁路

基于 SIP 的 Webex 服务的网络要求

The Webex cloud supports inbound and outbound calls using SIP as the call control protocol for Webex Meetings and for direct (1:1) calls from/to cloud registered Webex apps and Cisco Video devices.

SIP calls for Webex Meetings
Webex Meetings allows participants with SIP apps and devices to join a meeting by either:

呼叫会议的 SIP URI（例如，meetingnumber@webex.com），或者
Webex 云呼叫参加者指定的 SIP URI（例如，my-device@customer.com）

Calls between SIP apps/devices and cloud registered the Webex app/Cisco Video devices
The Webex cloud allows users of SIP apps and devices to:

Be called by cloud registered Webex apps and Cisco Video devices
Call cloud registered Webex apps and Cisco Video devices

在上述两种情况下，SIP 应用程序和设备都需要建立与 Webex 云之间的会话。The SIP app or device will be registered to a SIP based call control application (such as Unified CM), which typically has a SIP Trunk connection to Expressway C and E that allows inbound and outbound calls (over the internet) to the Webex Cloud.

SIP 应用程序和设备可能为：

Cisco Video device using SIP to register to Unified CM
使用 SIP 注册到 Unified CM 或 Webex Calling 服务的 Cisco IP 电话
使用第三方 SIP 呼叫控制应用程序的第三方 SIP 应用程序或设备

Note * If a router or SIP firewall is SIP Aware, meaning it has SIP Application Layer Gateway (ALG) or something similar enabled, we recommend that you turn off this functionality to maintain the correct operation of service. 有关如何在特定设备上禁用 SIP ALG 的信息，请参阅相关制造商的文档

下表描述了访问 Webex SIP 服务所需的端口和协议：

Webex SIP 服务的端口和协议
源端口	目标端口	协议	描述
Expressway Ephemeral ports	Webex Cloud 5060 - 5070	SIP over TCP/TLS/MTLS	从 Expressway E 到 Webex 云的 SIP 信令传输协议：TCP/TLS/MTLS
Webex Cloud Ephemeral ports	Expressway 5060 - 5070	SIP over TCP/TLS/MTLS	从 Webex 云到 Expressway E 的 SIP 信令传输协议：TCP/TLS/MTLS
Expressway 36000 - 59999	Webex cloud 49152 -59999	RTP/SRTP over UDP	从 Expressway E 到 Webex 云的未加密/加密媒体媒体传输协议：UDP
Webex cloud 49152 - 59999	Expressway 36000 - 59999	RTP/SRTP over UDP	从 Webex 云到 Expressway E 的未加密/加密媒体媒体传输协议：UDP

Expressway E 和 Webex 云之间的 SIP 连接支持使用 TCP 的未加密信令，以及使用 TLS 或 MTLS 的加密信令。 Encrypted SIP signaling is preferred as the certificates exchanged between the Webex cloud and Expressway E can be validated before proceeding with the connection.

Expressway 通常用于启用到 Webex 云的 SIP 呼叫以及到其他组织的 B2B SIP 呼叫。配置您的防火墙以允许：

来自 Expressway E 节点的所有出站 SIP 信令流量
到 Expressway E 节点的所有入站 SIP 信令流量

如果您希望限制与 Webex 云之间的入站和出站 SIP 信令流量及相关媒体流量。Configure your firewall to allow SIP signaling and medial traffic to access the IP subnets for Webex media services (refer to the section "IP subnets for Webex media services") and the following AWS regions: us-east-1、us-east-2、eu-central-1、us-gov-west-2、us-west-2。The IP address ranges for these AWS regions can be found here: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

* This webpage is not instantaneously updated, as AWS makes regular changes to the IP address ranges in their subnets. To dynamically track AWS IP address range changes, Amazon recommends subscribing to the following notification service: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications

基于 SIP 的 Webex 服务的媒体对 Webex 媒体使用相同的目标 IP 子网（在此处列出）

Webex Edge 音频的网络要求

协议	端口号码	指导	登录时间	意见、评论
TCP	5061, 5062	Inbound	SIP Signalling	用于 Webex Edge 音频的入站 SIP 信令
TCP	5061, 5065	Outbound	SIP Signalling	用于 Webex Edge 音频的出站 SIP 信令
TCP/UDP	Ephemeral Ports 8000 - 59999	Inbound	Media Ports	在企业防火墙上，需要打开针孔才能将流量传入 Expressway，并且端口范围介于 8000 - 59999 之间

其他 Webex 混合服务和文档摘要

Cisco Webex 视频网

Cisco Webex 视频网在您的网络上提供本地媒体服务。媒体并不会全部传到 Webex Cloud，而是可以留在您的网络上，从而减少互联网带宽用量，并提高媒体质量。有关详细信息，请参阅 Cisco Webex 视频网部署指南。

混合日历服务

混合日历服务将 Microsoft Exchange、Office 365 或 Google Calendar 连接到 Webex，从而简化安排和加入会议的操作，尤其是在移动时。

For details, see: Deployment Guide for Webex Hybrid Calendar Service

混合目录服务

Cisco 目录连接器是一个用于向 Webex 云进行身份同步的本地应用程序。它还提供了一个简单的管理流程，可以自动安全地将企业目录联系人扩展到云并使其保持同步，从而保证准确性和一致性。

For details, see: Deployment Guide for Cisco Directory Connector

Webex 混合服务的首选体系结构

Cisco Webex 混合服务的首选架构描述了整体混合体系结构、其组件和总体设计最佳实践。请参阅： Preferred Architecture for Webex Hybrid Services

Webex Calling - 网络要求

If you are also deploying Webex Calling with Webex Meetings and Messaging services, the network requirements for the Webex Calling service can be found here: https://help.webex.com/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling

Webex Events - Network Requirements

If you are also deploying Webex Events with Webex Meetings and Messaging services, the network requirements for the Webex Events service can be found here: https://help.socio.events/en/articles/4796797-what-domains-emails-should-be-allowlisted-by-my-attendees-network-admins

适用于 FedRAMP 客户的 Webex 服务

For customers who require the list of IP address ranges and ports for Webex FedRAMP services
This information can be found here : https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/WebexforGovernment/FedRAMP_Meetings_Ports_IP_Ranges_Quick_Reference.pdf

文档修订历史记录 - Webex 服务的网络要求

修订日期	新增和更改的信息
08/19/2024	Included images with Branding logos for the (*.webexconnect.com) Domains and URLs section
08/02/2024	Webex IPv6 Support section - Changed text to emphasize the MTU size for IPv4 and IPv6 traffic.
07/26/2024	Added new subdomain *dkr.ecr.us-east-1.amazonaws.com under Additional URLs for Webex Hybrid Services
07/26/2024	Guidance on recommended IP packet Maximum Transmissible Unit (MTU) size for IPv6 traffic to Webex Services
04/08/2024	Added a missing period before (webex.com and cisco.com) under the Cisco Webex Servers URLs subdomain
12/06/2023	Revised introduction with a focus on the Webex Suite of Services
12/06/2023	Revision of section: Transport protocols and encryption ciphers for cloud registered Webex apps and devices. Updated information on the TLS versions and Cipher Suites in use and preferred by Webex Suite Services Additional details and guidance on media transport protocols Cisco Video devices now support sending media over TLS through a Proxy server, aligning behavior with that of the Webex app. Addition of guidance on Proxy configuration (Webex strongly recommends that you do not alter or delete HTTP header values as they pass through your proxy/ firewall unless permitted…)
12/06/2023	Revision of IP subnets for Webex media services section Media services no longer reside in AWS, only in Webex Data Centres and Microsoft Azure Data Centres for VIMT. Additional text on media transport protocols and preferences
12/06/2023	Webex signaling traffic and Enterprise Proxy Configuration section Addition of guidance on Proxy configuration (Webex strongly recommends that you do not alter or delete HTTP header values as they pass through your proxy/ firewall unless permitted…)
12/06/2023	Cisco Webex Services URLs table: Rows 1 and 2 merged (.webex.com, .cisco.com, .wbx2.com etc) The text is to be revised to reflect that the Webex suite uses common services for meetings and messaging. .livestream.webex.com added for Webex Webcasts A section on Core Webex services being deprecated: Text simplified
10/09/2023	A link to VIMT doc has been included
8/29/2023	Removed port 444 TLS for Video Mesh Node (no longer used).
5/24/2023	Added Webex Events – Network Requirements
2/23/2023	New IP subnets for media added (144.196.0.0/16 and 163.129.0.0/16) These IP subnets will be activated 30 days or more after publication here.
2/9/2023	已重新发布（修复了不可单击的标签页）
1/23/2023	已重新发布，删除了重复的子网（66.114.169.0 和 66.163.32.0）
1/11/2023	Webex Web 应用程序和 SDK - ，添加了 TLS，在无法使用 UDP 和 TCP 时用作加密的音频、视频和内容共享的回退传输协议
1/11/2023	添加了媒体的新 IP 子网：4.152.214.0/24, 4.158.208.0/24, 4.175.120.0/24 (Azure Data Centres for VIMT)
10/14/2022	添加了新的 Slido URL：*.slido-assets-production.s3.eu-west-1.amazonaws.com
9/15/2022	New IP subnet for media added : 20.120.238.0/23 (Azure Data Centre for VIMT)
9/12/2022	添加了 Webex Scheduler for Microsoft Outlook 的 URL。
8/12/2022	在“端口号和协议”部分中新增了说明。RoomOS 设备不会将通过 TLS 传输的媒体发送到配置的代理服务器。
8/12/2022	Webex 媒体的 IP 子网 - AWS IP 子网 18.230.160.0/25 已从 IP 子网表中删除。这些媒体节点现在使用表中已列出的子网中 Cisco 拥有的 IP 地址。
8/12/2022	添加了说明，强调对于“Webex 服务的域和 URL”部分下列出的 URL，需要有权访问所有域和子域。
6//25/2022	添加了 Google 和 Apple 通知服务的要求
6/25/2022	新的 Webex URL *.webexapis.com 已添加到域和 URL 表
6/22/2022	为使用 Cisco Unified CM 的 SIP 部署新增了额外指南
4/5/2022	删除了媒体服务的 AWS IP 子网 - 这些子网已过时
12/14/2021	为视频网格节点添加了新的媒体 UDP 端口范围 (50,000 - 53,000) 为采用 TCP 的媒体删除了端口 9000 - 2022 年 1 月将针对采用 TCP 的媒体弃用此目标端口为采用 UDP 和 TCP 的媒体删除了端口 33434 - 2022 年 1 月将针对采用 UDP 和 TCP 的媒体弃用此目标端口
11/11/2021	更新了 Webex 服务 - 端口号和协议及 Cisco Webex 服务 URL 表。
10/27/2021	在域表格中添加了 *.walkme.com 和 s3.walkmeusercontent.com。
10/26/2021	为 Windows 操作系统添加了“关于代理的指南”设置
10/20/2021	将 CDN URL 添加到防火墙中的域允许列表
10/19/2021	Webex 应用程序使用 AES-256-GCM 或 AES-128-GCM 加密所有 Webex Meeting 类型的内容。
10/18/2021	添加了新的 IP 子网（20.57.87.0/24、20.76.127.0/24 和 20.108.99.0/24），它们用于托管 Microsoft Teams 视频集成（也称为 Microsoft Cloud Video Interop）服务以及我们为 Webex 服务使用的内容分发网络添加的域（.cloudfront.net、.akamaiedge.net、.akamai.net 和 *.fastly.net）
10/11/2021	更新了域和 URL 部分中的信任门户链接。
10/04/2021	从域表中移除 *.walkme.com 和 s3.walkmeusercontent.com，因为不再需要它们。
07/30/2021	更新了“代理功能”部分中的注释
07/13/2021	更新了“代理功能”部分中的注释
07/02/2021	将 .s3.amazonaws.com 改为 s3.amazonaws.com
06/30/2021	更新了“Webex 混合服务的其他 URL”列表。
06/25/2021	将 *.appdynamics.com 域添加到列表中
06/21/2021	将 *.lencr.org 域添加到列表中。
06/17/2021	更新了“Webex SIP 服务的端口和协议”表
06/14/2021	更新了“Webex SIP 服务的端口和协议”表
05/27/2021	更新了“Webex 混合服务的其他 URL”部分中的表格。
04/28/2021	添加了用于 SlidoPPT 加载项的域，允许Slido网页创建会议前投票/测验
04/27/2021	添加了用于 Webex Edge 音频的 23.89.0.0/16 IP 范围
04/26/2021	添加了 20.68.154.0/24*，因为它是 Azure 子网
04/21/2021	更新了 Webex 混合服务的其他 URL 下的 Webex 服务 CSV 文件
04/19/2021	添加了 20.53.87.0/24*，因为它是用于 VIMT/CVI 的 Azure DC
04/15/2021	在 Webex Events 网络广播中增加了 *.vbrickrev.com 域。
03/30/2021	重大文档版式修订。
03/30/2021	增加了 Webex 基于 Web 应用程序和 Webex SDK 媒体支持的详细信息（不包括通过 TLS 传输的媒体）。
03/29/2021	列明了 Webex Edge for Devices 功能并随附文档链接。
03/15/2021	添加了域 *.identrust.com
02/19/2021	为 FedRAMP 客户添加了 Webex 服务部分
01/27/2021	为云连接 UC 服务增加了 .cisco.com 域，以及由指示的 Microsoft Teams 视频集成（即 Microsoft Cloud Video Interop）的 Webex Calling 载入 IP 子网
01/05/2021	描述 Webex 应用程序会议和消息传递服务的网络要求的新文档
11/13/20	从媒体表的 IP 子网中删除了 https://155.190.254.0/23 子网
10/7/2020	从“Webex Teams 混合服务的其他 URL”中删除了 *.cloudfront.net 行
9/29/2020	为 Webex Teams 媒体服务增加了新 IP 子网 (20.53.87.0/24)
9/29/2020	Webex 设备重命名为 Webex Room 设备
9/29/2020	*.core-os.net URL removed from table : 用于 Webex Teams 混合服务的其他 URL
9/7/2020	更新了 AWS 区域链接
08/25/20	简化了媒体的 Webex Teams IP 子网的表和文本
8/10/20	增加了关于通过 Webex Edge Connect 测试媒体节点可达性以及 Cisco IP 子网使用情况的其他详细信息
7/31/20	为 AWS 和 Azure 数据中心中的媒体服务增加了新的 IP 子网
7/31/20	针对到 Webex Teams 云的 SIP 呼叫增加了新的 UDP 目标媒体端口
7/27/20	增加 170.72.0.0/16 (CIDR) 或 170.72.0.0 - 170.72.255.255（网段）
5/5/20	在第三方域表中增加了 sparkpostmail.com
4/22/20	增加新的 IP 范围 150.253.128.0/17
03/13/20	New URL added for the walkme.com service TLS media transport for Room OS devices added New section added : Network Requirements for Hybrid Calling SIP Signalling Link added for the Webex Calling network requirements document
12/11/19	微小文本更改、更新 Webex Teams 应用程序和设备 - 端口号和协议表、更新 Webex Teams URL 表并重新设置其格式。删除对管理连接器和呼叫连接器混合服务的 NTLM 代理验证支持
10/14/19	增加了对 Room 设备的 TLS 检查支持
9/16/2019	增加了使用 TCP 作为传输协议的 DNS 系统的 TCP 支持要求。增加了 URL *.walkme.com – 此服务为新用户提供加入和使用教程。修正了 Web Assistant 所使用的服务 URL。
8/28/2019	*增加了 .sparkpostmail1.com URL 时事通讯、注册信息、公告的电子邮件服务
8/20/2019	增加了视频网格节点和混合数据安全服务的代理支持功能
8/15/2019	Overview of Cisco and AWS data centre used for Webex Teams Service. .webexcontent.com URL added for file storage Note on deprecation of clouddrive.com for file storage .walkme.com URL added for metrics and testing
7/12/2019	增加了 .activate.cisco.com 和 .webapps.cisco.com URL 文本转语音 URL 更新为 .speech-googleapis.wbx2.com 和 .texttospeech-googleapis.wbx2.com 删除了 .quay.io URL 混合服务容器 URL 更新为 .amazonaws.com
6/27/2019	增加了 People Insights 功能的 *.accompany.com 允许列表要求
4/25/2019	为有关 TLS 版本支持的行增加了“Webex Teams 服务”。为媒体流量下的“媒体流”行增加了“Webex Teams”。在媒体部分的 Webex Teams IP 子网区域之前添加了“地理”二字。对用词略作了编辑。通过更新 A/B 测试和指标的 URL 以及在 Google Speech 服务中增加新行，对“Webex Teams URL”表进行了编辑。在“用于 Webex Teams 混合服务的其他 URL”部分中，删除了 AsyncOS 之后的版本信息“10.1”。更新了“代理验证支持”部分中的文本。
3/26/2019	已将此处链接的 URL“请参阅 WSA Webex Teams 配置文档以获取指导信息”从 https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-739977.pdf 更改为 https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1.html 已将 URL“api.giphy.com”更改为 *.giphy.com
2/21/2019	应 John Costello 的要求，已将“Webex Calling”更新为“Webex Calling（之前称为 Spark Calling）”，这是因为即将通过 BroadCloud 发布同名产品 Webex Calling。
2/6/2019	已将文本“混合媒体节点”更新为“Webex 视频网格节点”
1/11/2019	已将文本“上传到 Webex Teams 空间和 Avatar 存储的端到端加密文件”更新为“上传到 Webex Teams 空间、Avatar 存储、Webex Teams 品牌徽标的端到端加密文件”
1/9/2019	已更新以删除以下行：“*为了让 Webex Room 设备获取验证通过 TLS 检查代理的通信所必需的 CA 证书，请联系您的 CSM 或向 Cisco TAC 提交支持申请。”
2018 年 12 月 5 日	更新了 URL：从 Webex Teams URL 表的 4 个条目中删除了“https://”： https://api.giphy.com -> api.giphy.com https://safebrowsing.googleapis.com -> safebrowsing.googleapis.com http://www.msftncsi.com/ncsi.txt -> msftncsi.com/ncsi.txt https://captive.apple.com/hotspot-detect.html -> captive.apple.com/hotspot-detect.html 更新了 Webex Teams 链接的 .CSV 文件，以显示上述修订后的链接
2018 年 11 月 30 日	新的 URL： .ciscosparkcontent.com, .storage101.ord1.clouddrive.com, .storage101.dfw1.clouddrive.com, .storage101.iad3.clouddrive.com, https://api.giphy.com, https://safebrowsing.googleapis.com, http://www.msftncsi.com/ncsi.txt, https://captive.apple.com/hotspot-detect.html, .segment.com, .segment.io, .amplitude.com,.eum-appdynamics.com, .docker.io, .core-os.net, .s3.amazonaws.com, .identity.api.rackspacecloud.com
	对用于 Windows、iOS 和 Android 系统的其他代理验证方法的支持
	Webex Board 采用了 Room 设备的操作系统和功能；以下 Room 设备都可以使用代理功能：SX、DX、MX、Room Kit 系列和 Webex Board
	iOS 和 Android 应用程序对 TLS 检查的支持
	删除了 Room 设备上对 TLS 检查的支持：SX、DX、MX、Room Kit 系列和 Webex Board
	Webex Board 采用了 Room 设备的操作系统和功能；支持 802.1X
2018 年 11 月 21 日	Following Note added to IP Subnets for media section : The above IP range list for cloud media resources is not exhaustive, and there may be other IP ranges used by Webex Teams which are not included in the above list. 但是，Webex Teams 应用程序和设备将能够正常运行，但无法连接到未列出的媒体 IP 地址。
2018 年 10 月 19 日	Note added : Webex Teams use of third parties for diagnostic and troubleshooting data collection; and the collection of crash and usage metrics. Webex 隐私数据手册中介绍了可能发送给这些第三方网站的数据。For details see : https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-webex-privacy-data-sheet.pdf
2018 年 10 月 19 日	独立表格 - 用于混合服务的其他 URL：.cloudfront.net、.docker.com、.quay.io、.cloudconnector.cisco.com、*.clouddrive.com
2018 年 8 月 7 日	Note added to Ports and Protocols table : If you configure a local NTP and DNS server in the Video Mesh Node’s OVA, then ports 53 and 123 are not required to be opened through the firewall.
2018 年 5 月 7 日	重大文档修订
2022 年 4 月 24 日	更新了以更改 Webex 媒体服务的 IP 子网部分中的段落顺序。The paragraph starting with "If you have configured your firewall .. " was moved below the paragraph starting with "Cisco does not support ..."