Cisco Spark

Firewall and Network Requirements for the Cisco Spark App

Firewalls can sometimes interfere with the Cisco Spark app connections. If you're using the app on a Wi-Fi network behind a corporate firewall, the firewall may be interfering.

As a user, there are a few troubleshooting steps that you can try.

The following is some basic information to help administrators sort out any issues with the app. For more details about administrative features, setting details, and the port requirements if you're using Cisco phones or room devices along with the app, see Requirements for Cisco Spark Services. For information about Cisco Spark security, see the Cisco Spark security documentation.

Cisco Spark services are delivered over the cloud. Demand for cloud services is constantly changing. As it does, we add and remove Cisco Spark nodes in the Data Center. That way, the traffic can be adjusted along with the demand on-the-fly. It also means that the IP addresses are constantly changing. So we can't guarantee an IP address range for Cisco Spark services.

Cisco Spark uses TCP for messaging, file transfer, and screen sharing and UDP as the preferred method for audio and video.

For the best experience using Cisco Spark in your organization, configure your firewall to allow all outbound TCP and UDP traffic that is destined toward ports 5004 and 33434, as well as any inbound replies to that traffic. Port 5004 is the preferred port.
 
  • If your organization blocks UDP traffic, Cisco Spark for Windows and Cisco Spark for Mac automatically switch to using TCP traffic for audio and video. However, using TCP for media will cause latency issues and a degraded media experience.
  • If TCP traffic is also blocked, then Cisco Spark for Windows and Mac attempts to route traffic through your organization's HTTP Proxy for all services, including: messaging, file sharing, screen sharing, audio, and video. And since HTTP traffic uses TCP, the media quality is degraded.
If your organization is concerned about allowing UDP traffic, the Cisco ASA firewall works seamlessly with Cisco Spark to validate and allow only authorized UDP traffic. Contact your Cisco representative to discuss the Cisco ASA Firewall in your deployment. 

Ports

Functionality                   Protocol              Ports
Messaging & Call                HTTPS                 443
Notifications                   WSS                   443
Screen Sharing (in app)         TCP                   5004*, 33434
Media: Cisco Spark App          RTP/SRTP over UDP     5004*, 33434
Media: Cisco Spark App          RTP/SRTP over TCP     5004*, 33434
Media: Cisco Hybrid Services    RTP/SRTP over UDP     5004*, 33434-33598**
Media: Cisco Hybrid Services    RTP/SRTP over TCP     5004*, 33434-33598**

*Preferred port.
**An older port range of 8000 to 8100 is still supported.

For the best performance, we recommend port 5004 as the preferred port. Support for port 33434 is provided for backwards compatibility, but traffic through port 33434 may experience throttling in some ISP networks. The Cisco Spark app uses port 33434 only when 5004 is blocked. Support for port 33434 will eventually be discontinued.

Proxy Support

Cisco Spark for Windows supports NTLM, Basic, Digest, and Negotiate proxy authentication. Kerberos is not supported.

We use certificate pinning to prevent man-in-the-middle attacks. Attackers can't inject false certificates which mimic ciscospark.com (or other domains) but have a different root or intermediate certificate authority (CA). You can read more about certificate pinning here.

If the enterprise firewall is set up to inspect HTTPS traffic, the inspecting device presents its own certificate, which the pinned app treats as a man-in-the-middle attempt and rejects. So we recommend that you disable HTTPS traffic inspection for the domains that the Cisco Spark app uses.

These are the domains that the Cisco Spark app uses, so the proxy shouldn't modify HTTPS traffic on them.
  • *.wbx2.com
  • *.ciscospark.com
  • identity.webex.com
  • idbroker.webex.com
URLs to put on the allowed list:
  • *.localytics.com - Captures anonymous analytical and crash data.
  • *.rackcdn.com - Used for content and room storage.
  • *.clouddrive.com - Used for content and room storage.
  • *.crashlytics.com - Captures anonymous analytical and crash data.
  • *.webex.com - Connects the app with Cisco WebEx for things like identity management.
  • *.ciscospark.com - The core Cisco Spark services.
Note: For video calls to work with the Cisco Spark app, the media ports need to be open.


Limitations

  • The Cisco Spark app on mobile devices supports only TCP fallback.
  • Cisco Spark Room System media does not work if UDP traffic to both port 5004 and port 33434 is blocked. 
  • You can't use Cisco Spark for iPhone and iPad behind a proxy at this time.
  • McAfee Web Gateway version 7.1 or earlier that has NTLM authentication is not supported. This is a known restriction, see https://community.mcafee.com/message/203859
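The fallback order described under the firewall recommendations (UDP first, then TCP, then the HTTP proxy), the port note, and the mobile and room-system limitations above can be checked against a proposed egress policy before it is deployed. The following is an added example, not Cisco's code; OutboundPolicy is a constructed model of the permitted outbound (protocol, port) pairs, and the sample policy is constructed.

```python
from dataclasses import dataclass, field

MEDIA_PORTS = (5004, 33434)  # 5004 preferred; 33434 kept for backward compatibility


@dataclass
class OutboundPolicy:
    """Constructed model of an egress policy: permitted (protocol, port) pairs
    plus whether an HTTP proxy is available for the app to fall back to."""
    allowed: set = field(default_factory=set)
    http_proxy: bool = False

    def permits(self, proto: str, port: int) -> bool:
        return (proto, port) in self.allowed


def media_transport(policy: OutboundPolicy, client: str = "desktop"):
    """Mirror the article's fallback order: UDP on 5004 then 33434, then TCP on the
    same ports, then the HTTP proxy (desktop only; mobile has TCP fallback only,
    room systems need UDP). Returns (transport, port, quality_note)."""
    for port in MEDIA_PORTS:
        if policy.permits("udp", port):
            note = "preferred" if port == 5004 else "legacy port; may be throttled by ISPs"
            return ("udp", port, note)
    if client == "room":
        return (None, None, "room system media blocked: no UDP on 5004 or 33434")
    for port in MEDIA_PORTS:
        if policy.permits("tcp", port):
            return ("tcp", port, "TCP fallback; latency and degraded media")
    if client == "desktop" and policy.http_proxy:
        return ("proxy", 443, "HTTP proxy fallback; degraded media")
    return (None, None, "media blocked")


def check_policy(policy: OutboundPolicy, client: str = "desktop") -> list:
    """Return the findings an administrator would act on for this policy."""
    findings = []
    if not policy.permits("tcp", 443):
        findings.append("TCP 443 blocked: messaging, calling and notifications (HTTPS/WSS) fail")
    transport, port, note = media_transport(policy, client)
    if transport is None:
        findings.append(note)
    elif transport != "udp" or port != 5004:
        findings.append(f"media falls back to {transport}/{port}: {note}")
    return findings


if __name__ == "__main__":
    # Constructed sample: TCP 443 and 5004 open, all UDP blocked, HTTP proxy present.
    udp_blocked = OutboundPolicy({("tcp", 443), ("tcp", 5004)}, http_proxy=True)
    for line in check_policy(udp_blocked):
        print(line)
```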
