Webex Teams Inspection Capabilities

Webex Teams supports SSL/TLS/HTTPS inspection, which allows enterprise proxies to do the following:

• Decrypt Internet-bound traffic.

• Inspect the traffic.

• Re-encrypt the traffic before sending it on to its destination.

The signaling traffic from Webex devices uses TLS for session encryption. Within a Webex Teams TLS session, messages and content such as files and documents are also encrypted, so SSL/TLS/HTTPS inspection has limited value because these messages and files cannot be decrypted and inspected. Some information is visible in the decrypted TLS session, such as API calls, obfuscated user IDs (such as a Universally Unique User Identifier [UUID], a 128-bit random value that represents the Webex Teams user ID), and so on. Figure 6-44 shows SSL/TLS/HTTPS signaling inspection by a proxy server.


Figure 6-44 SSL/TLS/HTTPS signaling inspection by a proxy server

Webex Teams apps and Webex devices use certificate pinning to verify that they are connecting to Cisco’s Webex service and to ensure that the session data is not intercepted, read, or modified while in transit. SSL/TLS/HTTPS inspection is a form of man-in-the-middle (MITM) attack.

Cisco pins server certificates to a few root Certificate Authorities (CAs) that have committed not to issue intermediate certificates. That commitment is made in two places: the issuer’s Certification Practice Statement, and the root certificate itself, whose Basic Constraints extension contains a “pathLenConstraint” field set to zero (0) to indicate that no CA certificates can follow the issuing certificate in a certification path. This means that, ordinarily, Webex apps will not accept an impersonation certificate sent by a proxy for SSL inspection.

SSL/TLS/HTTPS Inspection for Webex Teams Desktop Apps

The Webex Teams apps rely on the certificates installed in the underlying OS trust store to bypass the Webex Teams certificate pinning process. If the enterprise CA certificate exists in the OS trust store, the Webex Teams app will trust certificates signed by the enterprise CA when the proxy server presents them. This bypasses the certificate pinning process used by the Webex Teams app and allows a TLS connection to be established to the proxy server.

SSL/TLS/HTTPS Inspection for Webex Teams Devices

The Webex Teams devices download a list of trusted certificates during the onboarding process. To include your enterprise CA certificate in the device trust list for your organization, open a service request (SR) with Cisco TAC.

For details on Webex Teams app and device support for SSL/TLS/HTTPS inspection, see the “Network Requirements for Webex Teams Services” article at https://help.webex.com/article/WBX000028782.
