Network Requirements for Webex Services
This document is intended for network administrators, particularly firewall and proxy administrators, who want to use Webex messaging and meeting services within their organization. It will help you configure your network to support the Webex Services used by the HTTPS-based Webex app and Webex Room devices, as well as Cisco IP Phones, Cisco video devices, and third-party devices that use SIP to connect to the Webex Meetings service.
Changes to the IP subnets for Webex media services and URLs for Webex services are typically published 30 days before they are activated. However, these details may be updated with less advance notice if necessary to address support escalations, security incidents, or other immediate operational requirements.
This document focuses predominantly on the network requirements of Webex cloud registered products that make use of HTTPS signaling to connect to Webex cloud services. However, it also describes, in a separate section, the network requirements for products that make use of SIP signaling to join Webex Meetings. The following is a rundown of these distinctions:
Webex cloud registered apps and devices
All cloud-registered Webex apps and devices use HTTPS to communicate with Webex messaging and meeting services:
- Cloud-registered Webex Room devices use HTTPS signaling for all Webex services.
- On-premises SIP-registered Webex devices can also use HTTPS signaling if the Webex Edge for devices feature is enabled. This feature allows Webex devices to participate in Webex Meetings using HTTPS signaling (for more information, see https://help.webex.com/en-us/cy2l2z/Webex-Edge-for-Devices). Webex Control Hub can be used to administer Webex devices.
- The Webex App uses HTTPS signaling for Webex messaging and meeting services. The Webex app can also use the SIP protocol to join Webex meetings, but only when the user is called on their SIP address or manually dials a SIP URL to join a meeting (rather than using the meeting functionality native to the Webex app).
Webex cloud and on-premises call control registered devices using SIP
Transport protocols and encryption ciphers for cloud registered Webex apps and devices
Webex traffic through Proxies and Firewalls
Most customers deploy an internet firewall, or an internet proxy and firewall, to restrict and control the HTTP-based traffic that leaves and enters their network. Follow the firewall and proxy guidance below to enable access to Webex services from your network. If you are using a firewall only, note that filtering Webex signaling traffic using IP addresses is not supported, because the IP addresses used by Webex signaling services are dynamic and may change at any time. If your firewall supports URL filtering, configure it to allow the Webex destination URLs listed in the section titled “Domains and URLs that need to be accessed for Webex Services.”
The table that follows provides information about the ports and protocols that need to be opened on your firewall in order to make it possible for cloud-registered Webex applications and devices to communicate with Webex cloud signaling and media services.
This table provides information on the following Webex applications, devices, and services: the Webex app; Webex Room devices; the Video Mesh Node; the Hybrid Data Security node; the Directory Connector; the Calendar Connector; the Management Connector; and the Serviceability Connector.
In the section titled “Network requirements for SIP based Webex services,” you will find guidelines on the ports and protocols that should be used for devices and Webex services that make use of SIP.
Webex Services – Port Numbers and Protocols | |||
Destination Port | Protocol | Description | Devices using this rule |
443 | TLS | Signaling over HTTPS for Webex. Session establishment to Webex services is based on defined URLs rather than IP addresses. If you are using a proxy server, or your firewall supports DNS resolution, refer to the section titled “Domains and URLs that need to be accessed for Webex Services” to allow signaling access to Webex services. | All |
444 | TLS | Video Mesh Node provides encrypted signaling in order to set up cascade media interactions with Webex in the cloud. | Video Mesh Node |
123 (1) | UDP | Network Time Protocol (NTP) | All |
53 (1) | UDP TCP | Domain Name System (DNS). Used for DNS lookups to locate the IP addresses of services hosted within the Webex cloud. | All |
5004 and 9000 | SRTP over UDP | Encrypted sharing of audio, video, and other information on the Webex App and Webex Room devices. Refer to the section titled “IP subnets for Webex media services” for a list of the destination IP subnets. | Webex App, Webex Room Devices, Video Mesh Nodes |
50,000 – 53,000 | SRTP over UDP | Sharing of encrypted audio, video, and other information is exclusive to the Video Mesh Node. | Video Mesh Node |
5004 | SRTP over TCP | TCP can also be used as a backup transport protocol for sharing encrypted audio, video, and other material in the event that UDP cannot be used. Refer to the section titled “IP subnets for Webex media services” for a list of the destination IP subnets. | Webex App, Webex Room Devices, Video Mesh Nodes |
443 | SRTP over TLS | Used as a backup transport protocol for sharing encrypted audio, video, and other material if UDP and TCP cannot be used. It is not recommended to transmit media over TLS in operational environments. Refer to the section titled “IP subnets for Webex media services” for a list of the destination IP subnets. | Webex App, Webex Room Devices (2) |
(1) If you are using Network Time Protocol (NTP) and Domain Name System (DNS) services within your business network, ports 53 and 123 do not need to be opened through your firewall.
(2) If a proxy server address has been configured on a Webex Room device, TLS signaling traffic will be sent to the proxy server. Media transported over TLS is not sent to the proxy server; like media transported over UDP and TCP, it goes directly to your firewall.
IP subnets for Webex media services
Webex signaling traffic and Enterprise Proxy Configuration
Most organizations use proxy servers to inspect and control the HTTP traffic that leaves their network. Proxy servers can perform a wide variety of security tasks, including user authentication, traffic decryption and inspection, reputation lookups for IP addresses, domain names, and hostnames, and access control to particular URLs. Proxies can also be used to restrict access to websites entirely. Proxy servers are also commonly used as the only path that can forward HTTP-based internet-destined traffic to the enterprise firewall, which allows the firewall to limit outbound internet traffic to only that which originates from the Proxy server(s). Your Proxy server must be configured to allow Webex signaling traffic to access the domains and URLs listed in the following section.
Note: When there is an asterisk (*) displayed at the beginning of a URL (for example, *.webex.com), it signifies that all of the services available in the top level domain as well as all of the subdomains have to be accessible.
Cisco Webex Services URLs | ||
Domain / URL | Description | Webex Apps and devices using these domains / URLs |
*.wbx2.com *.ciscospark.com *.webexapis.com | Webex micro-services. For example: Messaging service, File management service, Key management service, Software upgrade service, Profile picture service, Whiteboarding service, Proximity service, Presence service, Registration service, Calendaring service, Search service | All |
*.webex.com *.cisco.com | Webex Meetings services, Identity provisioning, Identity storage, Authentication, OAuth services, Device onboarding, Cloud Connected UC | All |
*.webexcontent.com (1) | Webex messaging service – general file storage including: User files, | All. Note: Your organization may still be using clouddrive.com to store older files – for more information see (1) |
Additional Webex related services – Cisco Owned domains | ||
URL | Description | Webex Apps and devices using these domains / URLs |
*.accompany.com | People Insights Integration | Webex Apps |
Additional Webex related services – Third Party domains | ||
URL | Description | Webex Apps and devices using these domains / URLs |
*.sparkpostmail1.com *.sparkpostmail.com | E-mail utility for sending out announcements, newsletters, and registration information | All |
*.giphy.com | Users are given the ability to exchange GIF images. This function is turned on by default, but it can be turned off through Control Hub if desired. | Webex App |
safebrowsing.googleapis.com | Utilized for the purpose of conducting security checks on URLs prior to unfurling them within the message thread. This function is turned on by default, but it can be turned off through Control Hub if desired. | Webex App |
*.walkme.com s3.walkmeusercontent.com | Webex User Guidance software. Offers new users an orientation as well as guided walks of its functionality. For more info see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/ | Webex web based apps |
speech.googleapis.com texttospeech.googleapis.com speech-services-manager-a.wbx2.com | Webex Assistant makes use of Google Speech Services to perform speech recognition and text-to-speech conversion. Disabled by default; opt-in is available through Control Hub. Assistant can also be turned off on a device-by-device basis. | Webex Room Kit and Webex Room devices. For details of the Webex Room devices that support Webex Assistant, see: https://help.webex.com/hzd1aj/Enable-Cisco-Webex-Assistant |
msftncsi.com/ncsi.txt captive.apple.com/hotspot-detect.html | Third-party internet connectivity checks, used to identify cases where there is a connection to the underlying network but no connection to the internet. The Webex app performs its own internet connectivity checks, but can also use these third-party URLs as a backup. | Webex App |
*.appdynamics.com *.eum-appdynamics.com | Monitoring of performance, recording of errors and crashes, and gathering session information (3) | Webex App, Webex Web App |
*.amplitude.com | A/B testing & metrics (3) | Webex Web App Webex Android App |
*.vbrickrev.com | Attendees watching Webex Events Webcasts make use of this domain. | Webex Events |
*.slido.com *.sli.do *.data.logentries.com slido-assets-production.s3.eu-west-1.amazonaws.com | Used for the Slido PPT add-in and to allow Slido webpages to create surveys and quizzes in the pre-meeting. Also used for exporting question and response pairs, poll results, and other data from Slido. | All |
*.quovadisglobal.com *.digicert.com *.godaddy.com *.identrust.com *.lencr.org | Used to request Certificate Revocation Lists from these Certificate Authorities. Note: Webex supports both CRL and OCSP stapling to determine the revocation status of certificates. With OCSP stapling, Webex applications and devices do not need to contact these Certificate Authorities. | All |
*.intel.com | Used for requesting Certificate Revocation Lists and checking the certificate status with Intel’s OCSP service, for certificates that were sent with background pictures and are used by Webex applications and devices. | All |
*.google.com *.googleapis.com | Notifications to Webex apps on mobile devices (e.g. new message): Google Firebase Cloud Messaging (FCM) service, see https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall; Apple Push Notification Service (APNS) | Webex App |
cdnjs.cloudflare.com cdn.jsdelivr.net static2.sharepointonline.com appsforoffice.microsoft.com | URLs for Webex Scheduler for Microsoft Outlook. Microsoft Outlook users can use the Webex Scheduler to schedule Webex meetings or Webex Personal Room meetings directly from Microsoft Outlook, in any browser. | All |
Core Webex services being deprecated (2) | ||
URL | Description | Webex Apps and devices using these domains / URLs |
*.clouddrive.com | Webex communications file storage. Since October 2019, clouddrive.com has been superseded by webexcontent.com for file storage. Your organization may still be storing older files on clouddrive.com; for more information, see (1). | All |
*.ciscosparkcontent.com | Log file transfers. The log file storage service now uses the *.webexcontent.com domain. | Webex App |
*.rackcdn.com | Content Delivery Network (CDN) for the *.clouddrive.com domain | All |
(1) From October 2019, user files will be uploaded and stored in the Cisco managed webexcontent.com domain.
Files uploaded before October 2019 will remain in the clouddrive.com domain and will be accessible from the Webex app until the retention period set for your organization is reached (when they will then be deleted). During this period, you may need access to both the webexcontent.com domain (for new files) and the clouddrive.com domain (for old files).
If you enforce the use of the webexcontent.com domain only: In Webex messaging spaces that you are a member of, older files that have been uploaded and stored in the clouddrive.com domain (by you or a participating organization) will not be accessible for viewing or downloading.
If you enforce the use of the clouddrive.com domain only: You will not be able to upload files, and new files that are uploaded and stored in the webexcontent.com domain by another organization whose space you are participating in cannot be retrieved. This restriction applies to both you and the other organization.
(2) Beginning in October 2019, new Webex customers will have the option to skip over these domains because Webex will no longer use them for the storing of customer files. You should be aware, however, that if you join a space that is controlled by another organization and that other organization has been using the clouddrive.com domain to store files that you require (i.e. files that were uploaded prior to October 2019), you will be required to grant access to the clouddrive.com domain.
(3) Webex employs the services of third parties for the collection of diagnostic and troubleshooting data, as well as the collection of crash and utilization metrics. The datasheets for Webex’s privacy settings detail the information that could be transmitted to various third-party websites. For details see:
- https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/collaboration/cisco-webex-meetings-privacy-data-sheet.pdf
- https://trustportal.cisco.com/c/r/ctp/trust-portal.html?doctype=Privacy%20Data%20Sheet|Privacy%20Data%20Map&search_keyword=webex#/1552559092865176
Content Delivery Networks used by Webex Services
Webex uses Content Delivery Network (CDN) services to deliver static files and content efficiently to Webex applications and devices. If you are using a Proxy server to control access to Webex services, you do not need to add the CDN domains to the list of allowed domains for Webex services (as DNS resolution to the CDN CNAME is performed by your Proxy after initial URL filtering). If you are not using a Proxy server (for example, if you are only using a firewall to filter URLs), DNS resolution is performed by the operating system of your Webex app or device, and you will need to add the following CDN URLs to the domain allow list in your firewall.
Additional URLs for Webex Hybrid Services
Your Proxy server must be configured to allow Webex signaling traffic to access the domains and URLs listed in the previous section. The following are some of the additional proxy features relevant to Webex services that are supported:
Proxy Features
Proxy Authentication Support
Proxies can be used as access control devices, blocking access to external resources until the user or device provides the proxy with valid access-permission credentials. Proxies support several authentication methods, including Basic Authentication, Digest Authentication, (Windows-based) NTLM, Kerberos, and Negotiate (Kerberos with NTLM fallback).
For the “No Authentication” case in the table below, the device can be configured with a Proxy address but does not support authentication. When Proxy Authentication is used, valid credentials must be configured and stored in the operating system of the Webex app or Webex Room device.
For Webex Room devices and the Webex App, Proxy addresses can be configured manually via the platform’s operating system (OS) or the device’s user interface (UI), or automatically discovered using mechanisms such as Web Proxy Auto Discovery (WPAD) and/or Proxy Auto Config (PAC) files:
- https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/WPADAP.html
- https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector2972/PACAP.html
Product | Authentication Type | Proxy Configuration |
Webex for Mac | No Auth, Basic, NTLM (1) | Manual, WPAD, PAC |
Webex for Windows | No Auth, Basic, NTLM (2), Negotiate | Manual, WPAD, PAC, GPO |
Webex for iOS | No Auth, Basic, Digest, NTLM | Manual, WPAD, PAC |
Webex for Android | No Auth, Basic, Digest, NTLM | Manual, PAC |
Webex Web App | No Auth, Basic, Digest, NTLM, Negotiate | Supported via OS |
Webex Room devices | No Auth, Basic, Digest | WPAD, PAC, or Manual |
Webex Video Mesh Node | No Auth, Basic, Digest, NTLM | Manual |
Hybrid Data Security Node | No Auth, Basic, Digest | Manual |
Hybrid Services Host Management Connector | No Auth, Basic | Manual Configuration Expressway C: Applications > Hybrid Services > Connector Proxy |
Hybrid Services: Directory Connector | No Auth, Basic, NTLM | Supported via Windows OS |
Hybrid Services Expressway C: Calendar connector | No Auth, Basic, NTLM | Manual Configuration Expressway C: Applications > Hybrid Services > Connector Proxy : Username Password Expressway C: Applications > Hybrid Services > Calendar Connector > Microsoft Exchange> Basic and/or NTLM |
Hybrid Services Expressway C: Call connector | No Auth, Basic | Manual Configuration Expressway C: Applications > Hybrid Services > Connector Proxy |
(1): Mac NTLM Auth – Machine need not be logged onto the domain, user prompted for a password
(2): Windows NTLM Auth – Supported only if a machine is logged onto the domain
Guidance on Proxy settings for Windows OS
Microsoft Windows supports two network libraries for HTTP traffic, WinINet and WinHTTP, both of which allow Proxy configuration. WinINet was designed for single-user desktop client applications, whereas WinHTTP was designed primarily for multi-user, server-based applications. WinINet is a superset of WinHTTP, so when choosing between the two libraries for your proxy configuration settings, you should use WinINet. For additional information, see https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-vs-winhttp
Proxy Inspection and Certificate Pinning
The Webex software and Webex devices check the validity of the server certificates before establishing TLS connections with those servers. Verifying the sequence of certificates leading up to the root certificate is necessary for performing certificate checks such as determining the certificate issuer and validating digital signatures. In order to carry out these validation checks, the application or device makes use of a collection of trustworthy root CA certificates that have been installed in the trust store of the operating system.
If you have deployed a TLS-inspecting Proxy to intercept, decrypt, and inspect Webex traffic, make sure that the certificate the Proxy presents (instead of the Webex service certificate) has been signed by a certificate authority whose root certificate is installed in the trust store of your Webex App or Webex device. For the Webex App, the CA certificate that signed the certificate used by the Proxy needs to be installed into the operating system of the device. For Webex Room devices, create a support request with TAC to have this CA certificate installed into the RoomOS software.
The following chart outlines the Webex app and Webex device support that is available for TLS inspection by proxy servers:
Product | Supports Custom Trusted CAs for TLS inspection |
Webex App (Windows, Mac, iOS, Android, Web) | Yes* |
Webex Room Devices | Yes |
Cisco Webex Video Mesh | Yes |
Hybrid Data Security Service | Yes |
Hybrid Services – Directory, Calendar, Management Connectors | No |
* Note – The Webex app does not support Proxy server decryption and inspection of TLS sessions for Webex Meetings video services. If you want to inspect the traffic sent to services hosted in the webex.com domain, you must create a TLS inspection exemption for traffic sent to *mcs*.webex.com, *cb*.webex.com, and *mcc*.webex.com.
Note – The Webex app does not currently support the SNI extension for TLS-based media connections. Connections to the Webex audio and video services will fail if a proxy server requires the presence of SNI.
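The wildcard rule from the URL section (a leading `*.` covers the domain itself and all of its subdomains) and the three TLS inspection exemptions above can be checked against a proxy policy with a small matcher. This is an added example, not Cisco code: the function names and sample hostnames are constructed for illustration, and only the core domains from this page are loaded.

```python
from fnmatch import fnmatchcase

# Core signaling domains from the "Cisco Webex Services URLs" table on this page.
ALLOWED = ("*.wbx2.com", "*.ciscospark.com", "*.webexapis.com",
           "*.webex.com", "*.cisco.com", "*.webexcontent.com")
# Patterns the page says need a TLS inspection exemption.
NO_INSPECT = ("*mcs*.webex.com", "*cb*.webex.com", "*mcc*.webex.com")


def normalize(target):
    """Lower-case a CONNECT target or SNI value; drop the port and trailing dot."""
    host = target.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def matches(host, pattern):
    """Match on DNS label boundaries.

    "*.example.com" covers example.com and every subdomain, as the page's
    note on the asterisk describes. Patterns with an embedded wildcard
    (such as "*mcs*.webex.com") are treated as shell-style globs.
    """
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return fnmatchcase(host, pattern)


def naive_matches(host, pattern):
    """Common misconfiguration: a plain suffix test with no label boundary,
    which also accepts unrelated domains that merely end in the same text."""
    return host.endswith(pattern.lstrip("*."))


def classify(target):
    """Return 'deny', 'allow-inspect' or 'allow-no-inspect' for one host."""
    host = normalize(target)
    if not any(matches(host, p) for p in ALLOWED):
        return "deny"
    if any(matches(host, p) for p in NO_INSPECT):
        return "allow-no-inspect"
    return "allow-inspect"


if __name__ == "__main__":
    # Constructed hostnames, used only to exercise the rules.
    for sample in ("idbroker.webex.com", "WEBEX.com.", "sj1-mcs01.webex.com:443",
                   "examplewebex.com", "webex.com.example.net"):
        print(f"{sample:28} {classify(sample)}")
```
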
802.1X – Port based Network Access control
Product | Supports 802.1X | Notes |
Webex App (Windows, Mac, iOS, Android, Web) | Yes | Supported via OS |
Webex Room Devices | Yes | EAP-FAST EAP-MD5 EAP-PEAP EAP-TLS EAP-TTLS Configure 802.1X via GUI or Touch 10 Upload Certs via HTTP interface |
Video Mesh Node | No | Use MAC address bypass |
Hybrid Data Security Service | No | Use MAC address bypass |
Hybrid Services – Directory, Calendar, Management Connectors | No | Use MAC address bypass |
SIP is used as the call control protocol for Webex Meetings and for direct (1:1) calls from/to cloud-registered Webex apps and Webex Room devices. The Webex cloud supports both inbound and outbound calls using this protocol.
SIP conversations will be routed through Webex meetings.
Participants equipped with SIP apps and devices are able to attend a meeting using Webex Meetings in one of two ways:
- Calling the SIP URI that has been assigned to the conference (for example, meetingnumber@webex.com), or
- The Webex cloud will call the SIP URI that was indicated by the participant (for example, my-device@customer.com).
Calls between SIP apps/devices and cloud-registered Webex app/Webex Room devices
The Webex cloud allows users of SIP apps and devices to:
- Accept calls from Webex applications and devices that are registered in the cloud.
- Place calls to cloud-registered Webex applications and Webex Room devices.
SIP applications and devices are required to establish a connection to or from the Webex cloud in both of the scenarios described above. The SIP app or device will be registered to a SIP-based call control application (such as Unified CM), which generally has a SIP Trunk connection to Expressway C and E, which enables inbound and outbound calls (over the internet) to the Webex Cloud. The SIP app or device will be used to make calls to the Webex Cloud.
SIP apps and devices may be:
- Webex Room devices that use the SIP protocol to register with Unified CM
- Cisco IP Phones that use the SIP protocol to register with Unified Communications Manager or the Webex Calling service
- A third-party SIP application or device that uses a third-party SIP call control application
Note *
If the router or SIP firewall you are using is SIP Aware, which means that it has SIP Application Layer Gateway (ALG) or a feature that is functionally equivalent activated, we advise that you disable this functionality so that the service continues to operate as intended. For information on how to deactivate SIP ALG on particular devices, please refer to the documentation provided by the applicable manufacturer.
The ports and protocols that must be used in order to gain access to the Webex SIP services are outlined in the accompanying table:
Ports and Protocols for Webex SIP Services | |||
Source Port | Destination Port | Protocol | Description |
Expressway Ephemeral ports | Webex cloud 5060 – 5070 | SIP over TCP/TLS/MTLS | SIP signaling from Expressway E to the Webex cloud. Transport protocols: TCP/TLS/MTLS |
Webex Cloud Ephemeral ports | Expressway 5060 – 5070 | SIP over TCP/TLS/MTLS | SIP signaling from the Webex cloud to Expressway E. Transport protocols: TCP/TLS/MTLS |
Expressway 36000 – 59999 | Webex cloud 49152 – 59999 | RTP/SRTP over UDP | Unencrypted/Encrypted media from Expressway E to the Webex cloud. Media Transport protocol: UDP |
Webex cloud 49152 – 59999 | Expressway 36000 – 59999 | RTP/SRTP over UDP | Unencrypted/Encrypted media from the Webex cloud to Expressway E. Media Transport protocol: UDP |
The SIP connection between Expressway E and the Webex server supports unencrypted signaling using TCP and encrypted signaling using TLS or MTLS. Encrypted SIP signaling is recommended, because the certificates exchanged between the Webex cloud and Expressway E can be validated before the connection proceeds.
It is standard practice to make use of Expressway in order to enable SIP calls to be made to the Webex cloud as well as B2B SIP calls to be made to other organizations. Set up your firewall so that it will allow:
- All outbound SIP signaling traffic from Expressway E nodes
- All inbound SIP signaling traffic to your Expressway E nodes
If you want to restrict inbound and outbound SIP signaling, and the media traffic associated with it, to and from the Webex cloud, configure your firewall to allow traffic to the IP subnets used for Webex media services (for more information, see the section titled “IP subnets used for Webex media services”) as well as the following AWS regions: us-east-1, us-east-2, eu-central-1, us-gov-west-2, and us-west-2. You can find the IP address ranges that correspond to these AWS regions here: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
This webpage is not updated instantly, because AWS regularly changes the IP address ranges in its subnets. To track changes to AWS IP address ranges dynamically, Amazon recommends subscribing to the following notification service: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications
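One way to turn the AWS guidance above into a maintainable firewall allow-list is to filter the AWS `ip-ranges.json` document by the listed regions and compare successive snapshots. This is an added example, not part of the original page or any Cisco tooling: the function names are hypothetical, the region list is copied from this page as given, and the snapshots are constructed samples that follow the published `ip-ranges.json` layout but use documentation address ranges.

```python
import ipaddress

# Regions this page lists for Webex SIP signaling and media (copied as given).
WEBEX_SIP_AWS_REGIONS = ("us-east-1", "us-east-2", "eu-central-1",
                         "us-gov-west-2", "us-west-2")

# Constructed snapshots in the layout of AWS's ip-ranges.json. The CIDRs are
# documentation ranges (RFC 5737 / RFC 3849), not real AWS address space.
SNAPSHOT_OLD = {
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "sa-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:100::/40", "region": "eu-central-1", "service": "AMAZON"},
    ],
}
SNAPSHOT_NEW = {
    "syncToken": "1700086400",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-2", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:100::/40", "region": "eu-central-1", "service": "AMAZON"},
    ],
}


def allowed_networks(doc, regions=WEBEX_SIP_AWS_REGIONS):
    """Return (collapsed networks, regions with no prefixes) for one snapshot.

    The same prefix is listed once per service, and adjacent prefixes are
    often split, so the result is de-duplicated and merged before use.
    """
    wanted = set(regions)
    found, seen = {4: [], 6: []}, set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            if entry.get("region") in wanted:
                net = ipaddress.ip_network(entry[field])
                found[net.version].append(net)
                seen.add(entry["region"])
    nets = [n for v in (4, 6) for n in ipaddress.collapse_addresses(found[v])]
    # A region that matched nothing deserves a look before the rule set ships.
    return nets, sorted(wanted - seen)


def allowlist_changes(old_doc, new_doc, regions=WEBEX_SIP_AWS_REGIONS):
    """Return (added, removed) CIDR strings between two snapshots."""
    if old_doc["syncToken"] == new_doc["syncToken"]:
        return [], []  # same publication, nothing to review
    old = {str(n) for n in allowed_networks(old_doc, regions)[0]}
    new = {str(n) for n in allowed_networks(new_doc, regions)[0]}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    nets, empty = allowed_networks(SNAPSHOT_NEW)
    print("allow:", [str(n) for n in nets])
    print("regions without prefixes:", empty)
    print("added/removed:", allowlist_changes(SNAPSHOT_OLD, SNAPSHOT_NEW))
```

Collapsing before diffing keeps a re-split of an unchanged block (two /25s republished as one /24 in the sample) from showing up as a firewall change.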
Media for SIP-based Webex services uses the same destination IP subnets as Webex Media (listed here).
Protocol | Port Number(s) | Direction | Access Type | Comments |
TCP | 5061, 5062 | Inbound | SIP Signalling | Inbound SIP signaling for Webex Edge Audio |
TCP | 5061, 5065 | Outbound | SIP Signalling | Outbound SIP signaling for Webex Edge Audio |
TCP/UDP | Ephemeral Ports 8000 – 59999 | Inbound | Media Ports | On an enterprise firewall, pinholes need to be opened up for incoming traffic to Expressway with a port range from 8000 – 59999 |
Cisco Webex Video Mesh
Cisco Webex Video Mesh provides a local media service in your organization’s network. You have the option of keeping your media on your local network rather than sending it to Webex Cloud. This will allow you to make better use of your available Internet bandwidth while also improving the overall quality of your media. For information, see the Cisco Webex Video Mesh Deployment Guide.
Hybrid Calendar Service
The Hybrid Calendar service allows Microsoft Exchange, Office 365, or Google Calendar to be connected to Webex, which makes it simpler to schedule meetings and attend them, particularly when using a mobile device.
For details see: Deployment Guide for Webex Hybrid Calendar Service
Hybrid Directory Service
Cisco Directory Connector is on-premises software for synchronizing user identities with those stored in the Webex cloud. It provides a straightforward administrative procedure that, once initiated, automatically and securely extends enterprise directory contacts to the cloud and maintains synchronization between the two locations to ensure correctness and consistency. For details see: Deployment Guide for Cisco Directory Connector
Preferred Architecture for Webex Hybrid Services
The overarching hybrid architecture, as well as its components and general design best practices, are outlined in the Preferred Architecture for Cisco Webex Hybrid Services document.
See: Preferred Architecture for Webex Hybrid Services
If in addition to deploying Webex Meetings and Webex Messaging services, you will also be implementing Webex Calling, then the network requirements for the Webex Calling service can be found here:
https://help.webex.com/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling
Customers who need the list of IP address ranges and ports for Webex FedRAMP services can find this information at the following location:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/WebexforGovernment/FedRAMP_Meetings_Ports_IP_Ranges_Quick_Reference.pdf
Revision Date | New and Changed Information |
3/17/2023 | This document’s introduction now includes new guidance on providing advance notification of network changes. It can be found in the section labeled “Additional Guidance.” Internet Protocol Subnets for the Webex Media Services Section: Additional direction has been provided for the integration of Webex videos into Microsoft Teams (VIMT). |
2/23/2023 | Additional IP subnets for media have been introduced, and their addresses are 144.196.0.0/16 and 163.129.0.0/16. After at least 30 days have passed since the publication, the activation of these IP subnets will take place. |
2/09/2023 | Republished (fixed non clickable tabs) Test Article |
1/23/2023 | Republished with duplicated subnets removed (66.114.160.0 and 66.163.32.0) |
1/11/2023 | TLS has been introduced to the Webex Web App and SDK as a fallback transport protocol for encrypted audio, video, and content sharing. This protocol will be used in the event that UDP and TCP are unable to be used. |
1/11/2023 | New IP subnets for media added: 4.152.214.0/24, 4.158.208.0/24, 4.175.120.0/24 (Azure Data Centres for VIMT) |
10/14/2022 | New slido URL added : *.slido-assets-production.s3.eu-west-1.amazonaws.com |
9/15/2022 | New IP subnet for media added : 20.120.238.0/23 (Azure Data Centre for VIMT) |
9/12/2022 | URLs for Webex Scheduler for Microsoft Outlook added. |
8/12/2022 | A note was added in Port Number and Protocols section. RoomOS devices do not send media transported over TLS to a configured Proxy server. |
8/12/2022 | The IP subnets for Webex media – The IP subnets table has been updated to reflect the removal of AWS IP subnet 18.230.160.0/25. These media nodes are now using IP addresses that are owned by Cisco and are located in subnets that are already mentioned in the table. |
8/12/2022 | Access to all domains and subdomains is necessary in order to use the URLs that are listed in the Domains and URLs for Webex services section, as was emphasized by the addition of a note to that effect. |
6/25/2022 | Additional requirements introduced for the notification services provided by Google and Apple |
6/25/2022 | The domains and URLs database has been updated to include the new webex URL *.webexapis.com. |
6/22/2022 | SIP deployments with Cisco Unified Communications Manager have had additional guidance introduced. |
4/5/2022 | The AWS IP subnets used for media services are being removed because they are no longer needed. |
12/14/2021 | New media UDP port ranges (50,000 – 53,000) added for Video Mesh Node. Port 9000 for media over TCP removed – Use of this destination port for media over TCP will be deprecated in January 2022. Port 33434 for media over UDP and TCP removed – Use of the destination port for media over UDP and TCP will be deprecated in January 2022. |
11/11/2021 | Updated Webex Services-Table of Port Numbers and Protocols, as well as URLs for Cisco Webex Services. |
10/27/2021 | Added *.walkme.com and s3.walkmeusercontent.com in the domains table. |
10/26/2021 | Added Guidance on Proxy settings for Windows OS |
10/20/2021 | Added CDN URLs to the domain allow list in your firewall |
10/19/2021 | The Webex app uses AES-256-GCM or AES-128-GCM to encrypt content for all Webex Meeting types. |
10/18/2021 | Added new IP subnets (20.57.87.0/24*, 20.76.127.0/24*, and 20.108.99.0/24*) used to host Video Integration for Microsoft Teams (aka Microsoft Cloud Video Interop) services, as well as the domains (*.cloudfront.net, *.akamaiedge.net, *.akamai, and *.fastly.net) that we have added for Content Delivery Networks that are used by Webex services. Added new domain |
10/11/2021 | Updated the Trust Portal link in Domain and URL section. |
10/04/2021 | Removed *.walkme.com and s3.walkmeusercontent.com from domains table as they are no longer needed. |
07/30/2021 | Updated the Note in Proxy Features section |
07/13/2021 | Updated the Note in Proxy Features section |
07/02/2021 | Changed *.s3.amazonaws.com to *s3.amazonaws.com |
06/30/2021 | Updated the Additional URLs for Webex Hybrid Services list. |
06/25/2021 | Added *.appdynamics.com domain to the list |
06/21/2021 | Added *.lencr.org domain to the list. |
06/17/2021 | Updated Ports and Protocols for Webex SIP Services table |
06/14/2021 | Updated Ports and Protocols for Webex SIP Services table |
05/27/2021 | Updated the table in Additional URLs for Webex Hybrid Services section. |
04/28/2021 | Added domains for Slido PPT add-in and to allow Slido webpages to create polls/quizzes in pre-meeting |
04/27/2021 | Added 23.89.0.0/16 IP range for Webex Edge Audio |
04/26/2021 | Added 20.68.154.0/24* as it is an Azure Subnet |
04/21/2021 | Updated the Webex Services CSV file under Additional URLs for Webex Hybrid Services |
04/19/2021 | Added 20.53.87.0/24* as it is an Azure DC for VIMT/CVI |
04/15/2021 | Added domain *.vbrickrev.com for Webex Events Webcasts. |
03/30/2021 | Substantial document layout revision. |
03/30/2021 | Details of Webex web-based app and Webex SDK media support added (No media over TLS). |
03/29/2021 | Webex Edge for devices features listed with a link to the documentation. |
03/15/2021 | Added domain *.identrust.com |
02/19/2021 | Added section for Webex Services for FedRAMP customer |
01/27/2021 | *.cisco.com domain added for Cloud Connected UC service, and Webex Calling onboarding IP subnets for Video Integration for Microsoft Teams (aka Microsoft Cloud Video Interop) indicated by * |
01/05/2021 | New document that describes the network requirements for the Webex app Meetings and Messaging services |
11/13/20 | Removed subnet 155.190.254.0/23 from the IP subnets for media table |
10/7/2020 | Removed *.cloudfront.net row from Additional URLs for Webex Teams Hybrid Services |
9/29/2020 | New IP subnet (20.53.87.0/24) added for Webex Teams Media services |
9/29/2020 | Webex devices renamed to Webex Room devices |
9/29/2020 | *.core-os.net URL removed from table : Additional URLs for Webex Teams Hybrid Services |
9/7/2020 | Updated AWS regions link |
08/25/20 | Simplification of the table and text for Webex Teams IP subnets for media |
8/10/20 | Additional information has been added regarding the testing process for reachability to media nodes as well as the utilization of Cisco IP subnets with Webex Edge Connect. |
7/31/20 | Added new IP subnets for media services in AWS and Azure data centers |
7/31/20 | Added new UDP destination media ports for SIP calls to the Webex Teams cloud |
7/27/20 | Added 170.72.0.0/16 (CIDR) or 170.72.0.0 – 170.72.255.255 (net range) |
5/5/20 | Added sparkpostmail.com in Third Party domains table |
4/22/20 | Added new IP range 150.253.128.0/17 |
03/13/20 | New URL added for the walkme.com service. TLS media transport for Room OS devices added. New section added: Network Requirements for Hybrid Calling SIP Signalling. Link added for the Webex Calling network requirements document. |
12/11/19 | Minor content modifications. The table of Webex Teams Apps and Devices – Port Numbers and Protocols has been updated to reflect the latest information. The Webex Teams URLs tables have been updated and reformatted. Removed support for NTLM Proxy Auth for composite services consisting of Management Connector and Call Connector. |
10/14/19 | TLS Inspection support for Room Devices added |
9/16/2019 | Added a requirement for TCP support for DNS systems that use TCP as their transport protocol. Added the URL “.walkme.com,” which refers to a service that guides new users through the onboarding and utilization processes. Changes have been made to the URLs of the services that are used by Web Assistant. |
8/28/2019 | *.sparkpostmail1.com URL added for the e-mail service for newsletters, information on registering, and announcements. |
8/20/2019 | Proxy support added for Video Mesh Node and Hybrid Data Security service |
8/15/2019 | An overview of the Cisco and Amazon Web Services data center that is used for the Webex Teams service. *.webexcontent.com URL inserted for file storage. Notice regarding the discontinuation of use of clouddrive.com as a location for file storing. *.walkme.com URL introduced in order to track metrics and conduct testing. |
7/12/2019 | URL additions were made for *.activate.cisco.com and *.webapps.cisco.com. Text to Speech URLs updated to *.speech-googleapis.wbx2.com and *.textto-speech-googleapis.wbx2.com. *.quay.io URL removed. Hybrid Services Containers URL updated to *.amazonaws.com. |
6/27/2019 | Added *.accompany.com allowed list requirement for People Insights feature |
4/25/2019 | Added “Webex Teams services” to the section about supporting different TLS versions. The line for media sources under Media traffic has been updated to include “Webex Teams.” In the Webex Teams IP subnets for the media section, the word “geographic” was added before the location. Wording has also undergone some additional small edits. Table of Webex Teams URLs was modified by adding a new entry for Google Speech Services and updating the URL for the A/B testing and metrics page. In the portion titled “Additional URLs for Webex Teams Hybrid Services,” the version information for “10.1” was removed from after AsyncOS. Text in the portion titled “Proxy Authentication Support” has been updated. |
3/26/2019 | Changed the URL linked here “please refer to the WSA Webex Teams configuration document for guidance” from https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-739977.pdf to https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1.html. Changed the URL “api.giphy.com” to *.giphy.com |
2/21/2019 | Updated ‘Webex Calling’ to read “Webex Calling (formerly Spark Calling)” as requested by John Costello, due to upcoming product launch of same name – Webex Calling through BroadCloud. |
2/6/2019 | Updated text ‘Hybrid Media Node’ to read ‘Webex Video Mesh Node’ |
1/11/2019 | Text that previously stated “End to End encrypted files uploaded to Webex Teams spaces and Avatar storage” has been updated to state that “End to End encrypted files uploaded to Webex Teams spaces, Avatar storage, and Webex Teams branding Logos” instead. |
1/9/2019 | Updated to remove the following line: “*Please contact your CSM or open a case with the Cisco TAC in order for Webex Room devices to obtain the CA certificate necessary to validate communication through your TLS-inspecting proxy.” |
5th December 2018 | Updated URLs: Removed ‘https://’ from 4 entries in the Webex Teams URLs table: https://api.giphy.com -> api.giphy.com |
30th November 2018 | New URLs : *.ciscosparkcontent.com, *.storage101.ord1.clouddrive.com, *.storage101.dfw1.clouddrive.com, *.storage101.iad3.clouddrive.com, https://api.giphy.com, https://safebrowsing.googleapis.com, http://www.msftncsi.com/ncsi.txt, https://captive.apple.com/hotspot-detect.html, *.segment.com, *.segment.io, *.amplitude.com, *.eum-appdynamics.com, *.docker.io, *.core-os.net, *.s3.amazonaws.com, *.identity.api.rackspacecloud.com |
Additional Proxy Authentication Method Support for Windows, iOS, and Android Devices | |
Webex Board has adopted the operating system and characteristics of Room Device; Proxy features are shared by Webex Board and Room Devices’ SX, DX, MX, and Room Kit series products. | |
Support for TLS Inspection by iOS and Android Apps | |
The following Room Devices have had their support for TLS Inspection taken away: SX, DX, MX, Room Kit series, and Webex Board. | |
Webex Board adopts Room Device OS and features ; 802.1X support | |
21st November 2018 | In the IP Subnets for media portion, the following note has been added: It should be noted that the IP range list presented earlier for cloud media resources is not comprehensive. Webex Teams may make use of additional IP ranges that are not presented in the previously presented list. However, despite being unable to connect to the unlisted media IP addresses, the Webex Teams app and devices will still be able to function regularly. |
19th October 2018 | Note added : Webex Teams utilizes third parties for the collection of diagnostic and troubleshooting data, in addition to the collection of utilization metrics and crash data. The Webex Privacy datasheet contains details about the information that could be transmitted to these third-party websites. For details see : https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-webex-privacy-data-sheet.pdf |
Separate table for Additional URLs used by Hybrid Services : *.cloudfront.net, *.docker.com, *.quay.io, *.cloudconnector.cisco.com, *.clouddrive.com | |
7th August 2018 | Note added to the Ports and Protocols table: If you configure a local NTP and DNS server in the Video Mesh Node’s OVA, then ports 53 and 123 do not need to be enabled through the firewall. This is because the local servers will take care of those responsibilities. |
7th May 2018 | Substantial document revision |
24th April 2022 | The order of the paragraphs in the portion pertaining to IP Subnets for Webex media services has been updated to reflect this change. The paragraph that began “If you have configured your firewall…” was relocated so that it now begins directly below the paragraph that began “Cisco does not support…” |