topic Re: can we allow sign in to webex only using defined company account ? in General Topics

can we allow sign in to webex only using defined company account ?

Deepak25 — Sun, 18 Jul 2021 19:32:58 GMT

I have followed below article and tried to configure http header insertion in URL filtering profile , but still able to login using other company account.

https://help.webex.com/en-us/m0jby2/Configure-a-List-of-Allowed-Domains-to-Access-Webex-While-on-Your-Corporate-Network#task_C0E05337A65BA687DD68241E79076D38

Also in url filtering log, no logs showing for http header. We have enabled decryption for any destination and any service but no luck.

Also as per finding , cisco-spark app traffic is not showing decrypted in url filtering logs. It could be due to ssl decryption exclusion for cisco-spark.

Re: can we allow sign in to webex only using defined company account ?

Barber52 — Mon, 19 Jul 2021 12:20:44 GMT

If you are having login issues with Webex Meetings, we have some Click the Can't access your account? link to access sign-in assistance.

Re: can we allow sign in to webex only using defined company account ?

BPry — Mon, 19 Jul 2021 17:17:51 GMT

@Deepak25,

Have you taken a packet capture and verified that the header is actually being inserted when it traverses the firewall? WebEx is where that header actually gets read to determine if the account should be able to login or not, and if you're able to login with a domain not specified in the header it would point towards your insertion not working.

Re: can we allow sign in to webex only using defined company account ?

Deepak25 — Wed, 11 Aug 2021 21:20:04 GMT

We can't do pcap as traffic is https. I am suspecting header used in cisco webex login.

In my testing I am using http header "CiscoSpark-Allowed-Domains" , not sure whether this header correct or not.

Did decryption. Also in Device > decryption exclusion , disabled webex related domains to allow decryption for those domains, but no luck.

Re: can we allow sign in to webex only using defined company account ?

OmkarM — Sat, 16 Jul 2022 08:26:12 GMT

++You need to configure decryption to be able to read http header insertion by firewall.

++Then follow below steps Ref Link : https://help.webex.com/en-us/article/m0jby2/Configure-a-list-of-allowed-domains-to-access-Webex-while-on-your-corporate-network

++Add the HTTP header CiscoSpark-Allowed-Domains: and include a comma separated list of allowed domains. You must include the destination domains: identity.webex.com, identity-eu.webex.com, idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-eu.webex.com, atlas-a.wbx2.com and your proxy server includes the custom header for requests sent to these destination domains.

For example, to allow users from the example.com domain, add:

CiscoSpark-Allowed-Domains:example.com

for domain(s):identity.webex.com, identity-eu.webex.com, idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-eu.webex.com, atlas-a.wbx2.com

++Create a rule for Webex and add webex in applications and applicable security policy which we created as ttp header insertion

Attached few snap