Configure a list of allowed domains to access Webex while on your corporate network

You can use the following steps as guidelines to configure your web proxy server.

Before you begin

You must install a proxy server that can perform Transport Layer Security (TLS) interception, HTTP header insertion, and filter destinations using fully qualified domain names (FQDNs) or URLs.

The following are tested Web proxy servers and the detailed steps are provided below to configure these proxy servers:
- Cisco Web Security Appliance (WSA)
- Blue Coat
To ensure you have the ability to do HTTP header insertions in an HTTPS connection, TLS interception must be configured on your proxy. See the information about proxies, in Network requirements for Webex services, and ensure you meet the requirements specific to your proxy server.

Route all outbound traffic to Webex through your web proxy servers.

Enable TLS interception on the proxy server.

For each Webex request:

Intercept the request.
Add the HTTP header CiscoSpark-Allowed-Domains: and include a comma separated list of allowed domains. You must include the destination domains: idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-eu.webex.com, atlas-a.wbx2.com, idbroker-ca.webex.com and your proxy server includes the custom header for requests sent to these destination domains.
For example, to allow users from the example.com domain, add:
- CiscoSpark-Allowed-Domains:example.com
- for domain(s):idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-eu.webex.com, atlas-a.wbx2.com, idbroker-ca.webex.com.
If you have users in multiple email domains, you must include all the domains in the comma separated list of allowed domains. For example, to allow users from the example.com, the example1.com and example2.com domains, add:
- CiscoSpark-Allowed-Domains:example.com,example1.com,example2.com
- for domain(s):idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-eu.webex.com, atlas-a.wbx2.com, idbroker-ca.webex.com.

People who attempt to sign in to Webex App from an unauthorized account receive an error.

Add custom headers with Cisco Web Security Appliances to allow domains

You can use Cisco Web Security Appliances (WSA) proxy server to intercept requests and limit the domains that are allowed. Add custom headers in WSA and these headers are applied to outgoing Transport Layer Security (TLS) traffic to request special handling from destination servers.

1	Access the WSA CLI.
2	Enter `advancedproxyconfig`.
3	Enter `CUSTOMHEADERS`.
4	Enter `NEW`.
5	Enter `CiscoSpark-Allowed-Domains: EXAMPLE.COM`. Where EXAMPLE.COM is the domain to use this header with.
6	Enter `idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-eu.webex.com, atlas-a.wbx2.com, idbroker-ca.webex.com`.
7	Select Return.
8	Select Return and enter `Commit`.

Add policy to allow domains with Blue Coat

You can create a policy in the Blue Coat Visual Policy Manager, the policy intercepts the Transport Layer Security (TLS) traffic and adds the Webex App header.

In the Visual Policy Manager, select Policy > Add SSL Intercept Layer.

Click Add rule, right-click the Action column, and select Set.
Click New and select Enable HTTPS Interception.
Modify the name, click OK, and then OK.

Select Policy > Add Web Access Layer.

Add Cisco Spark to the layer name.
Click Add rule, right-click the Destination column and select Set.
- Click New, select Request URL Object and for Simple Match URL, enter idbroker.webex.com, idbroker-secondary.webex.com, idbroker-b-us.webex.com, idbroker-eu.webex.com, atlas-a.wbx2.com, idbroker-ca.webex.com.
- Click Add, click Close, and then click OK.
Right-click the Action column and select Set.
- Click New, select Control Request Header, and modify the name to include Cisco Spark.
- For Header Name enter CiscoSpark-Allowed-Domains, and in Set value add your enterprise domains. You can add multiple domains separated by commas.
- Click OK and then click OK.

Click Install Policy.