Choose your model
Registration-Based vs. Certificate-Based
Registration-Based
Simple, fast to set up
- Max 250 concurrent calls per trunk
- Cisco CUBE only
- Auth via digest: username + password
- Works with dynamic NAT
- No public DNS record needed
- Supports automated troubleshooting via Control Hub connector
- Min IOS XE: 17.6.1a (17.12.2+ recommended)
Certificate-Based
Scale + third-party SBCs
- Supports 250+ concurrent calls
- CUBE + Oracle, AudioCodes, Ribbon, anynode, Italtel
- Auth via mutual TLS: LGW FQDN verified
- Requires public IP or static NAT
- Requires domain claim + DNS A or SRV record
- Only option for Webex for Government (FedRAMP)
- Min IOS XE: 17.9.1a
Cert requirementServer Auth EKU only, no wildcard certs. Some SBCs enforce Client Auth EKU; configure SBC to accept Server Auth EKU alone.
Gov noteWebex for Gov: cert-based only. Must use FIPS-compliant GCM ciphers. Min IOS XE 17.12.1a. T.38 fax and STUN/ICE-Lite not supported.