For a calling deployment to be successful, it is vital to have a firewall and proxy that are correctly setup. Because Webex Calling is a global service, it employs SIP and HTTPS for call signaling as well as the corresponding addresses and ports for media, network connection, and gateway connections.
It is not necessary to leave ports open for every possible configuration of a firewall. However, if you are running rules that go from the inside out, you will need to open ports for the necessary protocols before you can let services out.
Network Address Translation (NAT)
The functionality of Network Address Translation or Port Address Translation is implemented at the border between two networks in order to translate address spaces or to prevent the collision of IP address spaces. Both of these translations are performed in order to avoid overlapping IP address spaces.
- When NAT is being used, it is not required to have an open port on the firewall for inbound traffic.
- Define binding periods that are sensible and avoid altering SIP on the NAT device as much as possible.
- It is recommended that a minimum NAT timeout be configured in order to guarantee the correct operation of devices. As an illustration, Cisco phones will send a follow-up REGISTER refresh message every one to two minutes.
- If your network uses NAT or SPI, then you should increase the timeout for the connections to at least 30 minutes. Because of this timeout, consumers’ mobile devices are able to maintain a solid connection while simultaneously having their battery life extended.
SIP Application Layer Gateway
We strongly advise that you disable the SIP Application Layer Gateway (ALG) or a function that is functionally equivalent if it is enabled on a router or a firewall that is SIP-aware. This will help ensure that the service continues to function properly.
To find out how to disable SIP ALG on specific devices, you should look through the documentation provided by the applicable manufacturer.
Proxy support for Webex Calling
The HTTP traffic that leaves and enters a company’s network is subject to inspection, restriction, and control thanks to the deployment of an internet firewall or an internet proxy and firewall by the company. Consequently, they were able to defend their network against a wide variety of threats.
Proxy servers carry out a variety of security-related tasks, including the following:
-
Allow or block access to specific URLs.
-
User authentication
-
IP address/domain/hostname/URI reputation lookup
-
Traffic decryption and inspection
When the proxy feature is configured, the settings will take effect for any programs that make use of the HTTP protocol.
The following items are included in the applications:
-
Webex Services
-
Customer device activation (CDA) procedures using Cisco Cloud provisioning platform such as GDS, EDOS device activation, provisioning & onboarding to Webex cloud.
-
Certificate Authentication
-
Firmware Upgrades
-
Status Reports
-
PRT Uploads
-
XSI Services
Only the Signaling traffic (HTTP/HTTPS) is sent to the proxy server if a proxy server address is defined. If no proxy server address is configured, all traffic is delivered to the origin server. Clients who register for the Webex Calling service using SIP are not routed through the proxy, and this applies to the related media as well. Therefore, these clients should be let to pass across the firewall unimpeded.
Supported Proxy Options, Configuration & Authentication types
The supported proxy types are:
-
Explicit Proxy (inspecting or noninspecting)—It is necessary to configure the clients, either the App or the Device, with explicit proxy in order to specify the server that will be used. This option can support authentication using any one of the following methods:
-
Transparent Proxy (noninspecting)—The Clients are not set up to use a particular proxy server address, therefore there is no need to make any adjustments for them to function properly with a noninspecting proxy.
-
Transparent Proxy (inspecting)—Clients are not configured to utilize a certain proxy server address as their default setting. There is no requirement for any changes to be made to HTTP’s setup; nonetheless, your clients, be they an app or a device, must a root certificate in order to trust the proxy. The inspecting proxies are used by the IT team to enforce policies regarding the sorts of content that are not allowed as well as the domains that are permitted to be visited.
Configure the proxy addresses manually for Cisco IP Multiplatform Phones (MPP), Webex Room devices, and the Webex App by utilizing the following:
-
Platform OS
-
Device UI
-
Automatic discovery
While configuring, select the desired proxy configuration and type of authentication from the following options:
|
Product |
Proxy Configuration |
Authentication Type |
|---|---|---|
|
Webex for Mac |
Manual, WPAD, PAC |
No Auth, Basic, NTLM,† |
|
Webex for Windows |
Manual, WPAD, PAC, GPO |
No Auth, Basic, NTLM, †, Negotiate |
|
Webex for iOS |
Manual, WPAD, PAC |
No Auth, Basic, Digest, NTLM |
|
Webex for Android |
Manual, PAC |
No Auth, Basic, Digest, NTLM |
|
Webex Web App |
Supported through OS |
No Auth, Basic, Digest, NTLM, Negotiate |
|
Webex Room devices |
WPAD, PAC, or Manual |
No Auth, Basic, Digest |
|
Cisco IP Phones |
Manual, WPAD, PAC |
No Auth, Basic, Digest |
|
Webex Video Mesh Node |
Manual |
No Auth, Basic, Digest, NTLM |
For legends in the table:
-
†Mac NTLM Auth – It is not necessary for the machine to be logged on to the domain; however, the user will be required for a password.
-
†Windows NTLM Auth – Only when a computer is logged into the domain will support for it be available.
-
Web Proxy Auto Discovery (WPAD) – See Web Proxy Auto Discovery Protocol for details.
-
Proxy Auto Config (PAC) files – See Proxy Auto-Config Files for details.
-
To connect Cisco Webex Board, Desk, or Room Series device to a proxy server, see Connect your Board, Desk, or Room Series device to a proxy server.
-
For Cisco IP phones, see Set Up a Proxy Server as an example for configuring the proxy server and settings.
Configuring the client with a proxy address that does not enable authentication is required in order to use the No Authentication option. When configuring Proxy Authentication, make sure you use credentials that are legitimate. Web socket connections are susceptible to being disrupted by proxies that examine web traffic. If you have this issue, one potential solution is to disable the inspection of traffic headed to *.Webex.com and then try again. If there are already additional entries, you should put a semicolon after the entry that was just entered, and then enter the Webex exception after that.
Proxy settings for Windows OS
Both WinINet and WinHTTP are network libraries that support HTTP traffic and are supported by Microsoft Windows. These libraries enable Proxy configuration.WinINet extends and improves upon WinHTTP in every way.
- Only single-user, desktop client programs are supported by WinInet due to its design.
- WinHTTP was developed particularly for usage in server-based applications with multiple users.
WinINet should be the option you pick for your proxy setup settings if you have a choice between the two.
- to guarantee that users only log into programs utilizing accounts derived from domains that are included on a predetermined list.
- Make use of a proxy server to restrict the allowed domains and requests, and use it to intercept requests.
Proxy Inspection and Certificate Pinning
When establishing a TLS session, the Webex App and Devices check the certificates of the servers that they are connecting to. Verifying the chain of certificates leading up to the root certificate is required for certificate checks such as determining who issued the certificate and validating digital signatures. The Webex App and Devices make use of a set of trusted root CA certificates that have been put in the trust store of the operating system in order to carry out the validation tests.
If you have set up a TLS-inspecting Proxy to capture, decrypt, and examine Webex Calling traffic, then you are in the right place. Make sure that the certificate that the Proxy displays (in place of the Webex service certificate) has been signed by a certificate authority, and that the root certificate has been installed in the trust store of your Webex App or Webex device. This will ensure that the Webex service can be accessed securely.
-
For Webex App – Within the device’s operating system, install the CA certificate that will be utilized to sign the certificate that will be generated by the proxy.
-
For Webex Room devices and Cisco multiplatform IP Phones – Start the process of installing the CA certificate by opening a service request with the TAC team.
This table shows the Webex App and Webex Devices that support TLS inspection by Proxy servers
|
Product |
Supports Custom Trusted CAs for TLS inspection |
|---|---|
|
Webex App (Windows, Mac, iOS, Android, Web) |
Yes |
|
Webex Room Devices |
Yes |
|
Cisco IP Multiplatform (MPP) Phones |
Yes |
Firewall Configuration
Cisco’s Webex Calling and Webex Aware services are both supported in safe data centers owned and operated by Cisco and Amazon Web Services (AWS). A portion of Amazon’s IP subnets have been set aside for Cisco’s exclusive usage, and the AWS virtual private cloud has been modified to provide protection for the services that are housed there.
You will need to configure your firewall to allow communication from all of your devices, programs, and services that are exposed to the internet in order for them to work effectively. Access is granted to all of the supported Webex Calling and Webex Aware cloud services, domain names, IP addresses, Ports, and protocols by virtue of this setup.
Whitelist or allow access to the following in order to ensure that both the Webex Calling and Webex Aware services operate appropriately.
- The domains and URLs that are discussed in the section titled Domains and URLs for Webex Calling Services
- IP subnets, Ports, and Protocols that are stated under the section entitled IP Subnets for Webex Calling Services
- If you are going to use Webex for meetings, messaging, or any of the other services, then you need to make sure that the domains and URLs that are specified in this article are also accessible on your network. This is referred to as the Network Requirements for Webex Services.
If you are merely utilizing a firewall, then filtering Webex is not necessary. Due to the fact that the IP address pools are dynamic and are subject to change at any time, calling traffic that only uses IP addresses is not enabled. Keep your rules up to date on a regular basis; neglecting to do so could have a negative influence on the experience that your users have. The practice of filtering a subset of IP addresses based on a particular geographical location or cloud service provider is not something that Cisco recommends. Filtering calls based on location can significantly degrade the quality of your call experience.
Use the option provided by an enterprise proxy server in the event that the Domain or URL filtering feature of your firewall is unavailable. This option filters and permits HTTPS signaling traffic to and from your Webex Calling and Webex Aware services in your Proxy server, before sending it on to your firewall. It does this by URL and domain.
UDP is Cisco’s preferred transport protocol for media when it comes to Webex Calling; nevertheless, the company suggests only adopting SRTP in place of UDP. In production contexts, Webex Calling does not support the use of TCP or TLS as media transport protocols. This is because the nature of these protocols, which is connection-oriented, has an effect on the media quality when used over lossy networks. In the event that you have any questions concerning the transfer protocol, please submit a support ticket.
Domains and URLs for Webex Calling Services
When there is a star (*) displayed at the beginning of a URL (for instance, *.webex.com), it denotes that users have access to the services offered by the top-level domain as well as all subdomains.
|
Domain / URL |
Description |
Webex Apps and devices using these domains / URLs |
||
|---|---|---|---|---|
|
Cisco Webex Services |
||||
|
*.broadcloudpbx.com |
Authorization microservices for Webex, which may be cross-launched from the Control Hub to the Calling Admin Portal. |
Control Hub |
||
|
*.broadcloud.com.au |
Webex Calling services in Australia. |
All |
||
|
*.broadcloud.eu |
Webex Calling services in Europe. |
All |
||
|
*.broadcloudpbx.net |
Calling client configuration and management services. |
Webex Apps |
||
|
*.webex.com *.cisco.com |
Core Webex Calling & Webex Aware services Identity provisioning Identity storage Authentication OAuth services Device onboarding Cloud Connected UC When a phone joins to a network for the first time or after a factory reset with no DHCP parameters configured, it contacts a device activation server for zero touch provisioning. This can happen either immediately after the phone connects to the network or after the factory reset. Webapps.cisco.com will continue to be used for provisioning phones with firmware releases earlier than 11.2(1); however, activate.cisco.com will be used for provisioning new phones. |
All |
||
|
*.ucmgmt.cisco.com |
Webex Calling services |
Control Hub |
||
|
*.wbx2.com and *.ciscospark.com |
Used for a variety of purposes including cloud awareness, CSDM, WDM, mercury, and others. These services are required for the apps and devices to be able to communicate with the Webex Calling and Webex Aware services before, during, and after the onboarding process. |
All |
||
|
*.webexapis.com |
Webex micro-services that handle your applications and any devices they may be installed on. Profile picture service Whiteboarding service Proximity service Presence service Registration service Calendaring service Search service |
All |
||
|
*.webexcontent.com |
Webex’s messaging service, which is connected to generic file storage and includes the following: User files Transcoded files Images Screenshots Whiteboard content Client & device logs Profile pictures Branding logos Log files Bulk CSV export files & import files (Control Hub) |
Webex Apps messaging services.
|
||
|
*.accompany.com |
People insights integration |
Webex Apps |
||
|
Additional Webex-Related Services (Third-Party Domains) |
||||
|
*.appdynamics.com *.eum-appdynamics.com |
Performance tracking, error and crash capture, session metrics. |
Control Hub |
||
|
*.huron-dev.com |
Webex Calling provides a number of different types of micro services, including assignment services, toggle services, and phone number ordering services. |
Control Hub |
||
|
*.sipflash.com |
Device management services. For the purposes of secure onboarding and firmware upgrades (mostly for the US). |
Webex Apps |
||
|
*.walkme.com *.walkmeusercontent.com |
Webex user guide client. New users are provided with an onboarding experience as well as use tours. For more information about WalkMe, click here. |
Webex Apps |
||
|
*.google.com *.googleapis.com |
Notifications sent to Webex apps installed on mobile devices (such as when a new message is received or a call is answered, for example). For IP Subnets refer to these links Google Firebase Cloud Messaging (FCM) service Apple Push Notification Service (APNS) Apple provides a list of the IP subnets that are used for the APNS service. |
Webex App | ||
IP Subnets for Webex Calling Services
|
IP Subnets for Webex Calling Services*† |
||
|---|---|---|
|
23.89.0.0/16 |
85.119.56.0/23 |
128.177.14.0/24 |
|
128.177.36.0/24 |
135.84.168.0/21 |
139.177.64.0/21 |
|
139.177.72.0/23 |
150.253.209.128/25 |
170.72.0.0/16 |
|
170.133.128.0/18 |
185.115.196.0/22 |
199.59.64.0/21 |
|
199.19.196.0/23 |
199.19.199.0/24 |
|
|
Connection purpose |
Source addresses |
Source Ports |
Protocol |
Destination addresses |
Destination ports |
Notes |
|
|---|---|---|---|---|---|---|---|
|
Call signaling to Webex Calling (SIP TLS) |
Local Gateway external (NIC) |
8000-65535 |
TCP |
Refer to IP Subnets for Webex Calling Services. |
5062, 8934 |
These IPs and ports are essential for outbound SIP-TLS call signaling from local gateways, devices, and applications (the Source) to the Webex Calling Cloud (the Destination), which is where the call will be received. Port 5062 (required for Certificate-based trunk). And port 8934 (required for Registration-based trunk |
|
|
Devices |
5060-5080 |
8934 |
|||||
|
Applications |
Ephemeral (OS dependent) |
||||||
|
Call media to Webex Calling (STUN, SRTP) |
Local Gateway external NIC |
8000-48198†* |
UDP |
Refer to IP Subnets for Webex Calling Services. |
5004, 9000 (STUN Ports) 19560-65535 (SRTP over UDP) |
|
|
|
Devices |
19560-19660 |
||||||
|
Applications |
8500-8700 |
||||||
| Call signaling to PSTN gateway (SIP TLS) | Local Gateway internal NIC | 8000-65535 |
TCP |
Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | ||
| Call media to PSTN gateway (SRTP) | Local Gateway internal NIC |
8000-48198†* |
UDP |
Your ITSP PSTN GW or Unified CM | Depends on PSTN option (for example, typically 5060 or 5061 for Unified CM) | ||
|
Device configuration and firmware management (Cisco devices) |
Webex Calling devices |
Ephemeral |
TCP |
3.20.185.219 3.130.87.169 3.134.166.179 72.163.10.96/27 72.163.15.64/26 72.163.15.128/26 72.163.24.0/23 72.163.10.128/25 173.37.146.128/25 173.36.127.0/26 173.36.127.128/26 173.37.26.0/23 173.37.149.96/27 192.133.220.0/26 192.133.220.64/26 |
443, 6970 |
Required for the following reasons:
|
|
|
Application configuration |
Webex Calling applications |
Ephemeral |
TCP |
62.109.192.0/18 64.68.96.0/19 150.253.128.0/17 207.182.160.0/19 |
443, 8443 |
Used for Authentication with Idbroker, Application Configuration Services for Clients, Browser-based Web Access for Self-Care, and Access to Administrative Interfaces. |
|
|
Device time synchronization (NTP) |
Webex Calling devices |
51494 |
UDP |
Refer to IP Subnets for Webex Calling Services. |
123 |
These IP addresses are required in order to properly synchronize the time on devices (MPP phones, ATAs, and SPA ATAs, specifically). |
|
|
Device name resolution and Application name resolution |
Webex Calling devices |
Ephemeral |
UDP and TCP |
Host-defined |
53 |
Utilized for conducting DNS lookups in order to locate the IP addresses of Webex Calling services hosted in the cloud. Even while DNS lookups are often carried out over UDP, some may need to be carried out over TCP if the query replies are too large to fit within UDP packets. |
|
|
Application time synchronization |
Webex Calling applications |
123 |
UDP |
Host-defined |
123 |
||
|
Web based Network readiness Pre-qualification tool for Webex Calling |
Ephemeral |
TCP |
Refer to IP Subnets for Webex Calling Services. |
8934 and 443 |
Preparedness for Web-based Networks Instrument for the prequalification of Webex Calling. For further information, please visit cscan.webex.com. |
||
|
UDP |
19569-19760 |
||||||
|
Additional Webex Calling & Webex Aware Services (Third-Party) |
|||||||
|
Push notifications APNS and FCM services |
Webex Calling Applications |
Ephemeral |
TCP |
Refer to IP Subnets mentioned under the links |
443, 2197, 5228, 5229, 5230, 5223 |
Notifications should be sent to Webex Apps installed on mobile devices (For instance, when you get a new message or when you pick up the phone and answer a call) |
|
-
The CUBE media port range can be configured independently from the RTPP port range.
-
Signaling traffic will be directed to the proxy server if you have set your apps and devices to use a proxy server address. The proxy server does not receive any media that is being transmitted SRTP via UDP. Instead, traffic must be directed straight to your firewall.
-
If your business network uses NTP and DNS services, you will need to allow traffic across ports 53 and 123 in your firewall in order to communicate with those services.
Webex Meetings/Messaging – Network Requirements
The MPP devices are now integrated with the Webex Cloud, enabling users to access features such as Call History, Directory Search, and Meetings. Check out the Network Requirements for Webex Services article to learn more about the network specifications needed for these Webex services. If you use the Webex App for meetings, messaging, or any of the other services it provides, then you need to check that the Domains/URLs/Addresses specified in this article are accessible.
Document Revision History
|
Date |
We’ve made the following changes to this article |
|---|---|
|
March 5, 2023 |
Including the following in the updated version of the article:
|
|
March 7, 2023 |
We have completely rewritten the article to now include the following:
|
|
November 15, 2022 |
For the sake of device configuration and firmware administration for Cisco equipment, we have included the following IP addresses:
Following are some IP addresses that have been deleted from device configuration and firmware management for Cisco devices by our team:
|
|
November 14, 2022 |
Added the IP subnet 170.72.242.0/24 for Webex Calling service. |
|
September 08, 2022 |
The Cisco MPP Firmware will eventually upgrade the host URL for MPP firmware upgrades so that it points to https://binaries.webex.com. This change will affect all regions. The performance of the firmware upgrade has been improved as a result of this adjustment. |
|
August 30, 2022 |
Because there is no dependency on Port 80, the reference to it has been removed from the rows in the Port table that pertain to Device configuration and firmware management (Cisco devices), Application configuration, and CScan. |
|
August 18, 2022 |
The solution has not been altered in any way. Call signaling for Webex Calling (SIP TLS) has had its destination ports 5062 (needed for Certificate-based trunk) and 8934 (necessary for Registration-based trunk) brought up to date accordingly. |
|
July 26, 2022 |
Added support for the firmware upgrading of Cisco 840/860 devices, which requires the addition of the 54.68.1.225 IP Address. |
|
July 21, 2022 |
Call signaling for Webex Calling (SIP TLS) have had their destination ports 5062 and 8934 brought up to date. |
|
July 14, 2022 |
Included the URLs that provide support for a fully operational state of the Webex Aware services. Added the IP subnet 23.89.154.0/25 for the Webex Calling service. |
|
June 27, 2022 |
Updated the Domain and URLs for Webex Calling services: *.broadcloudpbx.com *.broadcloud.com.au *.broadcloud.eu *.broadcloudpbx.net |
|
June 15, 2022 |
under the heading IP Addresses and Ports, the following ports and protocols have been added for Webex Calling Services:
Information that has been updated in the section titled “Webex Meetings/Messaging – Network Requirements” |
|
May 24, 2022 |
Added the IP subnet 52.26.82.54/24 to 52.26.82.54/32 for Webex Calling service |
|
May 6, 2022 |
Added the IP subnet 52.26.82.54/24 for Webex Calling service |
|
April 7, 2022 |
The range of internal and external UDP ports on the Local Gateway has been updated to 8000-48198. |
|
April 5, 2022 |
The following IP subnets have been added for use with the Webex Calling service:
|
|
March 29, 2022 |
For the Webex Calling service, the following IP subnets have been added:
|
|
September 20, 2021 |
The Webex Calling service now has support for the following four newly added IP subnets:
|
|
April 2, 2021 |
Added support for Webex Calling use cases in the Webex app by adding *.ciscospark.com to the list of Domains and URLs for Webex Calling Services. |
|
March 25, 2021 |
Six new IP ranges have been included at activate.cisco.com, and the implementation of these ranges is scheduled to begin on May 8th, 2021.
|
|
March 4, 2021 |
Webex was replaced. In order to make the process of firewall configuration easier to grasp, discrete IP addresses and smaller IP ranges, together with simplified IP ranges, are listed in a separate table. |
|
February 26, 2021 |
To facilitate Interactive Connectivity Establishment (ICE), which will be accessible in Webex Calling in April 2021, port 5004 has been added as a destination port for Call media sent to Webex Calling (STUN, SRTP). |
|
February 22, 2021 |
A new table has been created just for listing domains and URLs.
Adjustments have been made to the IP Addresses and Ports table to group IP addresses that correspond to the same service. Adding a column titled “Notes” to the table containing the IP Addresses and Ports will assist in better understanding the requirements. Changing the following IP addresses to more simple ranges in order to facilitate device configuration and firmware administration (for Cisco devices):
Adding the following IP addresses for Application Configuration as the Cisco Webex client in Australia in March 2021 points to a more recent DNS SRV.
|
|
January 21, 2021 |
Device setup and firmware management for Cisco devices have been updated with the addition of the following IP addresses:
Following are some IP addresses that have been deleted from device configuration and firmware management for Cisco devices by our team:
The configuration of the application now includes the following IP addresses, which we’ve added:
The application configuration no longer includes the following IP addresses, which we have removed:
The setup of the application no longer includes the following port numbers because they were removed by us:
The application configuration now includes the following domains after our additions:
|
|
December 23, 2020 |
The port reference images have been updated to include the newly added Application Configuration IP addresses. |
|
December 22, 2020 |
Added the IP addresses 135.84.171.154 and 135.84.172.154 to the Application Configuration entry in the tables when they were updated. Until these IP addresses are added, the network diagrams should remain hidden. |
|
December 11, 2020 |
rows pertaining to supported Canadian domains have had their Device configuration and firmware management (Cisco devices) as well as their Application configuration rows updated. |
|
October 16, 2020 |
The following IP addresses were added to the call signaling and media entries after they were updated:
|
|
September 23, 2020 |
Under CScan, replaced 199.59.64.156 with 199.59.64.197. |
|
August 14, 2020 |
Added more IP addresses to support the introduction of data centers in Canada: Call signaling to Webex Calling (SIP TLS)—135.84.173.0/25,135.84.174.0/25, 199.19.197.0/24, 199.19.199.0/24 |
|
August 12, 2020 |
Added more IP addresses to support the introduction of data centers in Canada:
|
|
July 22, 2020 |
Included the following IP address in order to facilitate the establishment of data centers in Canada: 135.84.173.146 |
|
June 9, 2020 |
The CScan entry has been updated to reflect the following changes:
|
|
March 11, 2020 |
In order to complete the setting of the program, we added the following domains and IP addresses:
Following is a list of domains that have had their device configuration and firmware management systems updated with additional IP addresses:
|
|
February 27, 2020 |
We expanded the capabilities of device configuration and firmware administration by adding the following domains and ports: cloudupgrader.webex.com—443, 6970 |