Please read

Christian Wolf, Solutions Engineer

Marc Dionysius, Senior Solutions Engineer

Best practices to deploy and troubleshoot Webex

My CxO had a bad Meeting!

BRKCOL-2055

Agenda

• Meeting Experience

• Requirements for Webex

• Power of the Webex Platform

• ThousandEyes & Webex

BRKCOL-2055

3

Expectation

How a good Meeting can look like

4

Reality

BRKCOL-2055

CS

HR

MT

Expectation

Why is video turned off?

5

Reality

BRKCOL-2055

Experience can be different

6

BRKCOL-2055

Participant 1

• Selfview

• Remote Participant

• Conclusion: Good Meeting

Participant 2

• Selfview

• Remote Participant

• Conclusion: Moderate Meeting

Quality measurement

Latency / Delay

The finite amount of time it

takes a packet to reach the

receiving endpoint after being

transmitted from the sending

endpoint. In the case of voice,

this is the amount of time it

takes for a sound to travel

from the speaker’s mouth to a

listener’s ear.

7

Jitter (Delay variation)

The difference in the end-to-

end delay between packets.

For example, if one packet

requires 100 ms to traverse

the network from the source

endpoint to the destination

endpoint and the following

packet requires 125 ms to

make the same trip, then the

delay variation is 25 ms.

Packet Loss

A relative measure of the

number of packets that were

not received compared to the

total number of packets

transmitted. Loss is typically a

function of availability. If the

network is Highly Available,

then loss during periods of

non-congestion would be

essentially zero.

BRKCOL-2055

Cisco Enterprise QoS Solution Reference Network Design Guide

Mean Opinion Score (MOS)

A quality indicator for analog and digital voice

and video communications, as well as

audiovisual systems. MOS is an easy-to-

understand rating that ranges from a bad

experience with a value of 1 to an excellent

one with a value of 5

Quality measurement

8

BRKCOL-2055

MOS

Quality

5 Excellent

4 Good

3 Fair

2 Poor

1 Bad

Cisco Networking Academy - LinkedIn

Requirements

for Webex

Webex Traffic is Firewall Friendly

12

BRKCOL-2055

Webex Clients

Firewall Friendly

Voice, Video and Content Share

Messages, Meeting/Device Signaling,

Notifications, Control and Analytics Traffic

SIP Signaling/Media

HTTPS/WSS – TCP 443

UDP/TCP – 9000/5004

TCP - 5060-5080

UDP - 19560-65535

Recap:

Traffic Flow Examples

for Cisco Webex

Services

14

Traffic Flow Example – Permissive Network

BRKCOL-2055

Workloads:

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Internal

DMZ

Internet

SIP Control

Other Control

Real Time

Traffic

15

Traffic Flow Example with HTTP Proxy

BRKCOL-2055

Workloads:

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Internal

DMZ

Internet

Proxy

SIP Control

Other Control

Real Time

Traffic

Proxy support – what does it mean ?

16

• When we talk about proxy

support we only talking HTTPS

and WSS traffic.

• Media over proxies it isn’t

recommended, proxy were not

design to handle media, their

performance is really bad and

doesn’t scale.

Messages, Media Signalization,

notifications, Control and Analytics Traffic

Voice, Video and Content Share

HTTPS and WSS

SRTP and STUN

Teams Clients

BRKCOL-2055

17

Traffic Flow Example – Restricted Direct

Communication Outbound

BRKCOL-2055

Workloads:

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Internal

DMZ

Internet

Proxy

Video Mesh

Node (VMN)

SIP Control

Other Control

Real Time

Traffic

18

Traffic Flow Example – Restricted Direct

Communication Outbound

BRKCOL-2055

Workloads:

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Internal

DMZ

Internet

Proxy

VMN

Proxy

Internal

Servers

SIP Control

Other Control

Real Time

Traffic

19

Traffic Flow Example – Restricted Direct

Communication Outbound

BRKCOL-2055

Workloads:

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Internal

DMZ

Internet

Proxy

VMN

Proxy

Internal

Servers

SIP Control

Other Control

Real Time

Traffic

Webex Video Mesh

✅ Any Webex registered device

✅ Webex App Web-Client

✅ Webex App (on Webex Suite

platform)

✅ Webex App (without full-featured

Webex experience)

✅ Unified UCM registered devices

✅ Cisco VCS/Expressway registered

endpoints

What is currently supported?

20

🚫 Webex Calling registered phones

🚫 Webex Meeting Client

🚫 Webex App (with full-featured

Webex experience)

🚫 Webex Callback to a SIP URI that is

on an on-premise registered

endpoint

BRKCOL-2055

Supported

Unsupported

21

Traffic Flow Example – Private Network for

Webex Traffic

BRKCOL-2055

Workloads:

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Edge Connect

Internal

DMZ

Internet

Proxy

Equinix/

Megaport (early Access)

SIP Control

Other Control

Real Time

Traffic

22

Traffic Flow Example with On-Premise

Solution

BRKCOL-2055

Internal

DMZ

Internet

Workloads:

On-premise Calling

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Edge Audio

SIP Control

Other Control

Real Time

Traffic

Proxy

23

Traffic Flow Example with On-Premise

Solution

BRKCOL-2055

Internal

DMZ

Internet

SIP Control

Other Control

Real Time

Traffic

Workloads:

On-premise Calling

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Edge Audio

Proxy

24

Traffic Flow Example – Dedicated Instance

BRKCOL-2055

Workloads:

Webex Calling

Webex Messaging

Webex Meeting

Webex Devices

Webex Calling DI

Internal

DMZ

Internet

Equinix/Megaport (early Access)

SIP Control

Other Control

Real Time

Traffic

Proxy

Real Time Traffic

Considerations

Options for Voice, Video and Content Sharing

media in Webex

26

BRKCOL-2055

• Option 1 – Access Webex Service through Edge Connect

• Option 2 – Access to the Webex Service through Video Mesh Node.

• Option 3 – Direct access to the Webex Service using UDP protocol for media using

specific destination IP addresses and firewalls with STUN support.

• Option 4 – Direct access to the Webex Service using UDP protocol for media using

specific destination IP addresses and firewalls without STUN support.

• Option 5 – Direct access to the Webex Service using UDP protocol for media using any

destination IP addresses and firewalls with STUN support.

• Option 6 – Direct access to the Webex Service using UDP protocol for media using any

destination IP addresses and firewalls without STUN support.

• Option 7 – Direct access to the Webex Service using TCP protocol for media. Not

supported for Webex Calling

• Option 8 – Access to the Webex Service using Proxy for media. Not supported for Webex Calling

Further Information for Webex Media traffic

• IP Subnets for Webex Media services are documented here:

Networking Requirements for Webex – please subscribe and watch

for updates and changes

• Webex uses UDP from any Webex Client inside the customer

network using source ports

Voice 52000-52099

Video 52100-52299

• Enabling dedicated source port ranges is optional

27

BRKCOL-2055

https://help.webex.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services#id_134135

Webex App Behavior

Port 9000 is currently the media port used by Webex Meetings prior to the Webex Suite

platform (more details on following slides).

Port 5004 is the preferred port for the Webex App, as well as Webex Devices and is also

recognized by the Internet Assigned Numbering Authority (IANA) as the recommended port for

RTP media (RFC3551 and RFC4571).

The order of preference for port usage will be:

1. 5004 UDP

2. 9000 UDP

3. 5004 TCP

4. 443 TLS*

* TLS 443 is not supported on the Webex Teams Web App, Webex Javascript

BRKCOL-2055

28

Prior to Meeting Suite platform - Webex MC

Application Process atmgr.exe

Protocol UDP

Source Address Local IP Address

* Source Port Audio 52.000 to 52.049

* Source Port Video 52.100 to 52.199

Destination Address See Network Requirements for

Webex

Destination Port 9000 (Fallback: TLS 443)

Firewall Considerations

29

BRKCOL-2055

Webex Meeting Suite platform

Application Process ciscocollabhost.exe

Protocol UDP

Source Address Local IP Address

* Source Port Audio 52.000 to 52.049

* Source Port Video 52.100 to 52.199

Destination Address See Network Requirements for Webex

Destination Port 5004 (Fallback: UDP 9000, TCP 5004,TLS 443)

Firewall Considerations

30

BRKCOL-2055

Workload Summary for Webex App

Workload

Windows

Process

Default

Source Ports

Dedicated

Source Ports

Enabling

dedicated Ports

Destination

Ports

Fallback Ports

MC Meetings

(xlaunch)

atmgr.exe Ephemeral

Audio: 52.000-52.049

Video: 52.100-52.199

Registry key UDP 9000 TLS 443

Suite

Meetings

platform

ciscocollabhost.exe Ephemeral

Audio: 52.000-52.049

Video: 52.100-52.199

Feature toggle:

desktop-qos-enabled

UDP 5004

5004 (fallback: UDP

9000, TCP 5004, TLS

443)

Webinar atmgr.exe Ephemeral

Audio: 52.000-52.049

Video: 52.100-52.199

Registry key UDP 9000

9000 (fallback: TCP

5004, TLS 443, 80)

Call on

Webex

ciscocollabhost.exe Ephemeral

Audio: 52.000-52.049

Video: 52.100-52.199

Feature toggle:

desktop-qos-enabled

UDP 5004

UCM Call ciscocollabhost.exe

SIP Profile/

Jabber

SIP Profile/Jabber SIP Profile/Jabber

UDP

16386-32766

Webex

Calling

ciscocollabhost.exe Ephemeral

UDP

19560-65535

31

BRKCOL-2055

Quality of Service Considerations

Native DSCP Marking

32

BRKCOL-2055

Best Effort

DSCP AF41

[802.11 UP 5]

Cisco Webex Endpoints,

Clients* & Video Mesh Node

DSCP EF

[802.11 UP 6]

Enterprise

Network

Audio:

• Audio of voice calls

• Audio of video calls

• Related RTCP

Video:

• Main video

• Presentation/content

• Related RTCP

Other Traffic (TCP):

• Messaging

• File transfer

• Whiteboard

• Configuration

• Call/meeting setup

*: Clients running on Windows

®

require AD Group Policy Object to enable native DSCP marking

Quality of Service considerations

Webex App for Mac and mobile can mark audio, video and screen share packets with appropriate

DSCP markings as default

• Audio DSCP: EF

• Video and Screen Share DSCP: AF41

Windows will remark any third-party app marked DSCP packets to 0, therefore a Group Policy is

required for Windows to mark audio, video and screen share with appropriate DSCP markings.

The Group Policy setting is to mark any packets with a DSCP marking based on:

• Application Process Path

• Source Port

Action:

Customers may need to reimplement QoS Group Policy due as the in-meeting process is changing

and source port may be different.

33

BRKCOL-2055

Quality of Service Considerations

Video Mesh specifics

34

BRKCOL-2055

• Video Mesh nodes leverage a different set of port for internal communication vs. traffic directed to

the Webex cloud

• QoS is enabled by default, can be disabled if required to optimize port ranges.

Read carefully -> Video mesh Deployment Guide - Ports and Protocols used

QoS disabled

QoS enabled

(default)

Power of the Webex

Platform

The Webex Platform

36

BRKCOL-2055

Integration &

Interoperability

SDK APIs

Security &

Manageability

SustainabilitySecurity Control

Hub

Language

Intelligence

Audio

Intelligence

Video

Intelligence

Artificial

Intelligence

Customer driven deployment

37

BRKCOL-2055

Direct Connection to the

Webex Datacenter

Meeting Resources

on-premises

Webex Meeting Audio via

the Internet or Edge Connect

Connect Audio Video Mesh

2 3

Webex Edge for Meetings

1

The Challenge of Cloud Media

38

BRKCOL-2055

Solution

Webex Video Mesh

InternetWebex Device

Webex App

Webex

App

Webex

App

Internal

Problem

§ 1:1 meetings use a cloud resource to meet

§ Multiparty meetings use a cloud resource to meet

§ Signaling and media go to and from the cloud

§ Increased bandwidth requirement for the Internet

with adoption of Webex Meetings

1.5 MB

3 MB

1.5 MB

Video Mesh Node

39

BRKCOL-2055

Video

Mesh node

Cascade Link

On-premises registered Cisco and third-party

standards-based SIP endpoints and standards-based

SIP clients

Webex-registered

devices and Webex App

Corporate Network

Webex Meetings &

Webex App

Webex-registered devices, and

any standards-based SIP/H.323

endpoints

O

v

e

r

f

l

o

w

O

v

e

r

f

l

o

w

Webex AI

Introducing Real-time Media Models (RMM)

41

BRKCOL-2055

Text

Email

Messages

Transcripts

Documents

Audio

Video

Reactions

Gestures

Voice tones

Inflections

Great communication involves more than words

Artificial Intelligence in Webex

42

BRKCOL-2055

Audio Intelligence

• Optimize for my voice

• Optimize for all voices

• Telephony noise removal

• Bandwidth extension

• Audio watermarking

Video Intelligence

• Gesture based reactions

• Background Augmentation

• Immersive share

• People Focus

• Face Recognition

• Lighting Correction

Natural Language

• Webex AI Assistant

• Meeting Summary/actions items

• Automatic chapters

• Summarize if late to meeting

• Chat summaries

• Change message tone

• Message translation

43

Video Super Resolution

Video Intelligence

BRKCOL-2055

Original video

at 1080p

Downscaled to

270p

through the

network

Super resolution

to 1080p

Control Hub

Visualize your spaces

• New Workspaces view including third-party peripherals

• Ensure your workspaces are ready to go with actionable, real-time

insights

45

BRKCOL-2055

Alerts centre

• Alerts to be delivered through email, webhooks, or in a Webex App space

• Alerts for the last 14 days will appear in the Alerts section

• Export historical alerts for the last 30 days in a CSV

46

BRKCOL-2055

Analytics

• Interactive data visualizations

• Usage and adoption trends

47

BRKCOL-2055

• Quality for Meetings, Messaging, Calling, Devices

• Workspace utilization and Sustainability

Service Dashboards

• Pre-populated performance charts

• Custom dashboards

• Charts from Meetings, Calling, Messaging, Devices and Workspaces

48

BRKCOL-2055

Reports

49

BRKCOL-2055

• Usage and quality reports for the organization

• Pre-set and customizable report templates

• Schedule recurring reports

Live Meetings

50

BRKCOL-2055

• Visualize all meetings that are currently in progress in your organization

• Proactively catch network issues before they become widespread

• Data automatically updates every 10 minutes

Troubleshooting

51

BRKCOL-2055

• Search for a user’s email address, meeting number, Conference ID, phone number, device

name or MAC address.

• Current meetings and calls up to 21 days in the past are available to view

ThousandEyes &

Webex

ThousandEyes is the observer of the Internet

53

BRKCOL-2055

Network Tests

54

BRKCOL-2055

Voice Layer and BGP Tests

55

BRKCOL-2055

ThousandEyes Agents

56

BRKCOL-2055

Enterprise / Cloud Agents Endpoint Agents

Supported Test Types

• Voice Tests

• Transaction Tests

• Page Load Tests

• HTTP Server Tests

• FTP Tests

• Network Agent to Server Tests

• Network Agent to Agent Tests

• Bi-directional Agent to Agent

Tests

• DNS Server Tests

• DNS trace Tests

• HTTP Server Tests

• Network Agent to Server Tests

Number of Tests

Unlimited Depends on License

Path Visualization

TCP-Based TCP-Based

End-to-End Network Metrics

TCP-Based TCP-Based

QoS Specification

Configurable Fixed

57

Workflow

BRKCOL-2055

ThousandEyes Endpoint Agent is embedded as

part of the RoomOS firmware

ThousandEyes Synthetic Tests will run when

Webex meetings are in progress

The agent will be enabled in Control Hub &

integration will work on Day 1

Network path visibility in Control Hub and

Thousand Eyes portal.

Network Connections

58

BRKCOL-2055

D

e

v

i

c

e

R

e

g

i

s

t

e

r

s

w

i

t

h

W

e

b

e

x

C

l

o

u

d

u

s

i

n

g

T

L

S

4

3

S

e

n

d

s

e

s

e

n

t

i

a

l

a

n

d

e

v

i

c

e

m

e

t

r

i

c

s

t

o

t

h

e

T

h

o

u

s

a

n

d

E

y

e

s

e

r

v

i

c

e

s

p

l

a

t

f

o

r

m

USA Region

Hostname:

• https://c1.eb.thousandeyes.com

• https://data.eb.thousandeyes.com

EMEA Region

Hostname:

• https://c1.eb.eu1.thousandeyes.com

• https://data.eb.eu1.thousandeyes.com

* Room OS Endpoint agent

needs to be able to reach the

ThousandEyes SaaS Service

Cisco Codec (Pro / EQ)

Cisco Desk Series

* Except for Desk Camera

Cisco Board Pro Series

Cisco Room Series

* Except for Navigator

Supported Webex (Cloud) Devices

59

BRKCOL-2055

Configuration

ThousandEyes Account Token

61

BRKCOL-2055

• An API token will be

used to enable

ThousandEyes on the

Org level in Webex

ControlHub

• Generate the oAuth

token from your

ThousandEyes portal

• Browse to Account

Settings → Users and

Roles→ OAuth Bearer

Token

ThousandEyes Connection String

62

BRKCOL-2055

• Connection Strings

will be used to

register the endpoints

agents on the

RoomOS devices to

the relevant account

group (ThousandEyes

tenant)

• Browse to Endpoint

Agents → Agent

Settings → Add New

Endpoint Agent

Will be used in Webex ControlHub, when enabling RoomOS

devices

ThousandEyes Agent Labels

63

BRKCOL-2055

• First, create a label to

match all RoomOS

devices

• Browse to Endpoint

Agents → Agent

Settings → Agent

Labels → Add New

Label

• Create a selector for

Platform -> Linux

ThousandEyes Synthetic Tests

64

BRKCOL-2055

• Browse to Endpoint

Agents → Test

Settings → Synthetic

Tests → Monitor

Application

• Select the Webex

template

• Enter your Webex

Site ID Name

• Under Source Agents

match on Agent

labels with the one

created in the

previous step

Activation in Control Hub

65

BRKCOL-2055

Ensure that the Webex

org have ThousandEyes

enabled (org level toggle)

• On Control Hub,

navigate to

Organization settings

→ ThousandEyes

Activation in Control Hub

66

BRKCOL-2055

• Enable the Toggle

• Paste the OAuth

Token that was

copied from the

ThousandEyes portal.

Agent Enablement

67

BRKCOL-2055

Connection String will

allow the Endpoint agents

on the RoomOS devices

to start the provisioning

flow with ThousandEyes

service and start relaying

data.

• Navigate to Devices

→ Settings →

ThousandEyes

• Enable ThousandEyes

Agent toggle

Agent Enablement

68

BRKCOL-2055

• Enter Connection

String that was

copied earlier from

the ThousandEyes

Endpoint Agent page

and press Save

• For individual device

enablement set

Connection String

through template or

device for

xConfiguration

ThousandEyes

ConnectionString

Endpoint Agent Verification

69

BRKCOL-2055

• After installing

Endpoint Agents on

the RoomOS devices,

you will find them

listed under Endpoint

Agents → Agents

Settings.

• They are listed using

SEP<MAC Address>

Troubleshooting

Troubleshooting Flow

71

BRKCOL-2055

Closing

Recap

• Experience depends on multiple factors, you can not control all of

them

• Webex traffic is Firewall Friendly

• Webex platform leverages AI, provides flexibility and offers built-in

tools

• Cisco offers cross architecture deployments for better

troubleshooting and deeper insights

BRKCOL-2055

73

Best Practices

• Deploy Webex as close as possible to the deployment plan

• Use UDP instead of TCP or TLS

• No IP filtering for Cisco Datacenters

• If you want to use a Media proxy, think about Video Mesh Node

• Register your Video devices to Webex, or at least link them

• Use Cisco’s cross architecture power

• Split tunneling for VPN connections

BRKCOL-2055

74

Thank youThank you