Securing Webex with Identity Management, Zero Trust Encryption, and Data Compliance
This lab explores Webex security and educates attendees on the practical steps required to enable and manage security features and functions available with Webex deployments, including:
-
Identity, Authentication (AuthN), and Authorization (AuthZ): Enable user provisioning and directory synchronization, explore settings and licensing templates, enable multi-factor authentication, and configure single sign-on (SSO) using SAML and OpenID Connect.
-
End-to-End (E2E) Encryption: Examine Webex zero trust end-to-end encrypted meetings and calling, along with media watermarking, and deepfake integration with Webex.
-
Compliance: Investigate compliance for Webex meetings and calling including eDiscovery with Theta Lake.
Table of Contents
- About This Lab
- Requirements
- Lab Details
- Topology
- Getting Started
- Module 1: Webex Identity and Authentication/Authorization with Duo
- Sync Users from Active Directory to Duo
- Sync Users from Duo to Webex
- Webex Licensing and Settings Templates
- Configuring Duo to Use Active Directory for User Authentication
- Single Sign-On with Webex and Duo (SAML and OIDC)
- OpenID Connect -- Proof Key for Code Exchange (PKCE)
- Multiple Identity Providers with Webex
- Enable Multi-Factor Authentication (MFA) using Duo
Lab Sections Quick Links
- About This Lab → About This Lab
- Topology → Lab Topology
- Getting Started → Getting Started
- Module 1 → Webex Identity and Authentication/Authorization with Duo
- Module 2 → Zero Trust End-to-End Encrypted Calling and Meetings, Media Watermarking, and Deepfake Detection
- Module 3 → Webex Compliance with Webex and Theta Lake
- Appendix → Explore Webex eDiscovery Search and Extraction Portal
About This Lab
Webex provides customers with a comprehensive set of security and compliance capabilities across the Webex suite. This includes:
-
On-premises or cloud corporate directory integration capabilities for managing Webex user identity and service provisioning.
-
Support for standard-based Security Assertion Markup Language (SAML) and Open ID Connect (OIDC) authentication and authorization mechanisms with single sign-on (SSO) and multi-factor authentication.
-
Built-in policy and compliance functionality as well as configurable integration(s) to third-party data loss prevention (DLP), eDiscovery, and Archival vendor solutions for messaging and meeting compliance.
-
State of the art end-to-end encryption and verified identity capabilities for zero trust meetings on the encrypted in transit, encrypted at rest Webex architecture to ensure that customer data is always protected.
Requirements
There are no requirements for this lab beyond the laptop provided and this lab guide will walk you through the entire lab.
Lab Details
This lab contains 3 modules:
-
Module 1: Webex Identity and Authentication/Authorization with Duo
This module explores Webex identity, provisioning, and authentication/authorization using Duo. This module explores SSO using SAML and OpenID Connect along with setting up multiple Identity Providers (IdP) in one organization. (Components: Active Directory, Webex Control Hub, Duo)
-
Module 2: Zero Trust End-to-End Encrypted Calling and Meetings, Media Watermarking, and Deepfake Detection
This module examines Webex zero trust end-to-end encrypted meetings and calling, along with media watermarking, and deepfake integration with Webex. (Components: Webex Control Hub, Webex App, GetReal Labs)
-
Module 3: Webex Compliance with Webex and Theta Lake
This module investigates compliance for Webex meetings and calling including eDiscovery with Theta Lake. (Components: Webex Control Hub, Webex App, Theta Lake)
Upon completion of all modules, participants will gain a good working knowledge of the latest Webex security capabilities including identity management and provisioning with SSO, using multiple IdPs, messaging and meeting compliance with DLP/eDiscovery/Archive integrations, and zero trust E2EE meetings with verified identity.
Topology
The overall topology for this lab is shown in Figure 1 below. The topology consists of:
-
An on-premises network with Microsoft application server (e.g., Microsoft Active Directory / Domain Name Service (DNS)).
-
Three on-premises Windows Workstations with the Webex App serving as the software client used throughout this lab. These workstations are also used for all configuration as outlined in this guide.
-
Dedicated Webex organization enabling the delivery of cloud collaboration services including meeting, messaging, and calling.
-
Dedicated cloud service components for identity and compliance (Duo, Cisco Cloudlock, Theta Lake).
This lab includes pre-configured users and components to facilitate the lab scenarios covering the features and capabilities of Webex security. Most components are fully configurable with predefined administrative user accounts.
Refer to the Server and Application Credentials and Details table (Table 1) below for application server IP addresses and administration account credentials for accessing lab components and performing the required configuration and operations.
Note: You may not use all the components listed in Table 1 for this lab.
Server and Application Credentials
Note: WW, XXX, YY, and ZZZZ in the credentials below are unique to your pod. Refer to your eXpo page for these values.
Active Directory & DNS
- Host Name: ad1.dcloud.cisco.com
- IP Address: 198.18.133.1
- Username: administrator
- Password: dCloud123!
- Description: Windows Server 2012
Workstation 1
- Host Name: wkst1.dcloud.cisco.com
- IP Address: 198.18.1.36
- Windows Username: cholland / dCloud123!
- Webex App User: cholland@cbXXX.dc-YY.com
- SSO disabled: dCloudZZZZ!
- SSO enabled: dCloud123!
Workstation 2
- Host Name: wkst2.dcloud.cisco.com
- IP Address: 198.18.1.37
- Windows Username: aperez / dCloud123!
- Webex App User: aperez@cbXXX.dc-YY.com
- SSO disabled: dCloudZZZZ!
- SSO enabled: dCloud123!
Workstation 3
- Host Name: wkst3.dcloud.cisco.com
- IP Address: 198.18.1.38
- Windows Username: kmelby / dCloud123!
- Webex App User: kmelby@cbXXX.dc-YY.com
- SSO disabled: dCloudZZZZ!
- SSO enabled: dCloud123!
Webex Control Hub
- URL: https://admin.webex.com/
- Users: cholland@cbXXX.dc-YY.com, aperez@cbXXX.dc-YY.com
- Password (SSO disabled): dCloudZZZZ!
- Password (SSO enabled): dCloud123!
Cisco Duo Admin Portal
- URL: https://admin-demodemo.duosecurity.com
- Username: cholland@cbXXX.dc-YY.com
- Password: dCloud12345!
Cisco Cloudlock
- URL: https://demo.cloudlockng.com/
- Username: aperez@cbXXX.dc-YY.com
- Password (SSO disabled): dCloudZZZZ!
- Password (SSO enabled): dCloud123!
Theta Lake
- URL: https://useast.thetalake.ai/
- Username: aperez@cbXXX.dc-YY.com
- Password: dCloud123!
Getting Started
Follow the steps below to connect to your lab pod before proceeding with Module 1.
-
From your workstation, navigate to the eXpo URL in Chrome.
Link to eXpo: https://expo.ciscodcloud.com/cr0ngam62v4rg3x7mljrz0tb3
Click Explore, enter your email address and accept the disclaimer. On the eXpo page, you will see two important tabs, Network and Details. To connect to your VMs, you will navigate to the Network tab and click the Remote Desktop link for the VM that the lab guide instructs you to access.
-
You can find the last 4 digits of your unique Session ID on the eXpo page. This is needed when authenticating to Webex prior to enabling SSO. You will also need the domain that is unique to your dCloud session. This can be found by clicking Details > DNS Address on your eXpo page.
-
In addition to connecting to the AD server and workstations via web RDP for endpoint operations, you will use a web browser and other applications on the workstations (as indicated in this lab guide) to perform all operations and configuration.
In this lab, you will primarily utilize the following VMs:
- Active Directory: ad1.dcloud.cisco.com
- Workstation 1: wkst1.dcloud.cisco.com
- Workstation 2: wkst2.dcloud.cisco.com
- Workstation 3: wkst3.dcloud.cisco.com
Module 1: Webex Identity and Authentication/Authorization with Duo
In this module, you will start by integrating an on-premises Active Directory (AD) with a Duo tenant. From there, you will set up an integration between Duo and Webex for user provisioning via SCIM 2.0. This is designed to simulate a common scenario where an organization needs to migrate away from an on-premises AD deployment to a cloud platform for identity. Once the migration from AD to Duo has been completed, there will be a brief section covering licensing information so you can ensure that you are properly licensing your users. Next, you will configure Single Sign-On (SSO) with Duo using SAML and OpenID Connect (OIDC). During the process you will learn the configuration differences along with some of the advantages and disadvantages of SAML and OIDC. Finally, you will explore enabling built-in Multi-Factor Authentication for Webex.
There are 6 sections in this module:
i. Sync Users from Active Directory to Duo
ii. Sync Users from Duo to Webex
iii. Webex Licensing and Settings Templates
iv. Configuring Duo To Use Active Directory for User Authentication
v. Single Sign-On with Webex and Duo (SAML and OIDC)
vi. Multiple Identity Providers with Webex
vii. Enable Multi-Factor Authentication (MFA) using Duo
Sync Users from Active Directory to Duo
The Duo Authentication Proxy is a tool that allows administrators to connect their on-premises identity infrastructure to Duo. In this section of the lab, you will use Duo Authentication Proxy to add the on-premises AD users to your Duo tenant. Integrating your on-premises directories with Duo reduces friction for users during authentication by providing a common identity for accessing both cloud and on-premises resources.
At the end of this section, you will have synchronized on-premises AD users into Duo.
-
First, you need to access your Duo tenant so you can set up a connection between Duo Authentication Proxy and your AD server.
-
Connect to the Active Directory server (ad1) via Remote Desktop.
-
Open the DUO folder on desktop, then open the Duo-URL.txt document.
-
Copy and paste the URL in this document into the browser.
-
This page will provide you with your Duo admin email address. Note that the password here is a suggestion -- not a requirement. Click Activate Account > Get started to begin setting up your admin account.
-
When prompted for a password, use dCloud12345!
-
Next, you need to add your second factor, so click Continue.
-
You will not be using a Passkey, so click Skip for now.
-
Scan the QR code with your mobile device or raise your hand for a proctor to scan with a lab device and then click Continue.
-
Click Continue to Duo Admin Panel Login.
-
Log in with cholland@cbXXX.dc-YY.com. If you do not see a password prompt, navigate to https://admin-demodemo.duosecurity.com to log in.
-
After authenticating, navigate to Users > Administrators > Admin Login Settings.
-
Disable Always require a Verified Duo Push.
-
Scroll down and set the Absolute Session Length to 10 hours.
-
Next, navigate to Users > External Directories:
-
Click Add External Directory > Active Directory:
-
Select Add new connection > Continue:
-
Minimize the browser and launch the Duo Authentication Proxy Manager from the Desktop. Once the application is open, delete all text from the configuration, then paste the text from the example below into your auth proxy:
Example
[cloud]
ikey=
skey=
api_host=api-demodemo.duosecurity.com
[ad_client]
host=ad1.dcloud.cisco.com
service_account_username=administrator
service_account_password=dCloud123!
search_dn=DC=dcloud,DC=cisco,DC=com
Important
You will need to pull the ikey and skey from your Duo admin portal:
The [cloud] section of the authproxy.cfg provides a means by which the auth proxy can connect to your Duo tenant.
The [ad_client] section provides credentials allowing the auth proxy to search and authenticate users from AD.
In this lab, we are not encrypting the password but in a production environment, it is strongly recommended to do so. Information on how to do that can be found here:
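As an added check (not part of the Duo Authentication Proxy Manager or this lab), the small Python linter below catches the two things the text calls out before you click Validate: an empty ikey/skey, and a clear-text service account password. The sample config is constructed from the lab example; the `transport` option and the protected-password key name come from Duo's auth proxy configuration options rather than this page.

```python
"""Lint a Duo Authentication Proxy config (authproxy.cfg) before validating it."""
import configparser
from typing import List

# Constructed sample mirroring the lab's example config; the ikey is a placeholder
# and the skey is deliberately left empty to show the linter catching it.
SAMPLE_CFG = """\
[cloud]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=
api_host=api-demodemo.duosecurity.com

[ad_client]
host=ad1.dcloud.cisco.com
service_account_username=administrator
service_account_password=dCloud123!
search_dn=DC=dcloud,DC=cisco,DC=com
"""

# Keys the lab's [cloud] and [ad_client] sections must carry to connect and to search AD.
REQUIRED = {
    "cloud": ("ikey", "skey", "api_host"),
    "ad_client": ("host", "service_account_username", "search_dn"),
}


def parse_authproxy(text: str) -> configparser.ConfigParser:
    """authproxy.cfg is INI-style; keep key case and allow '=' inside values (DNs)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_authproxy(text: str) -> List[str]:
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list means clean."""
    cp = parse_authproxy(text)
    findings: List[str] = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            findings.append(f"ERROR: missing [{section}] section")
            continue
        for key in keys:
            if not cp.get(section, key, fallback="").strip():
                findings.append(
                    f"ERROR: [{section}] {key} is empty (fill it from the Duo admin portal)")
    if cp.has_section("ad_client"):
        ad = cp["ad_client"]
        # The lab stores the AD service account password in clear text; Duo documents a
        # protected variant (service_account_password_protected) for production use.
        if ad.get("service_account_password", "").strip():
            findings.append("WARN: [ad_client] service_account_password is stored in clear "
                            "text; use the protected form for production")
        # transport defaults to clear LDAP when unset, so credentials and queries are
        # readable on the wire between the proxy and the domain controller.
        if ad.get("transport", "clear").strip().lower() == "clear":
            findings.append("WARN: [ad_client] LDAP transport is clear (the default when "
                            "unset); directory traffic is unencrypted")
    return findings


if __name__ == "__main__":
    for finding in lint_authproxy(SAMPLE_CFG):
        print(finding)
```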
-
Once you have filled in the config, click Validate in the Duo Authentication Proxy Manager and verify that there are no errors in the Output. If you see additional text in the config, you may not have cleared the text that is entered by default. Please repeat step 16 so that your configuration looks like the below screenshot.
Tip
If you see any red or yellow text, verify that there is nothing missing in the configuration.
-
Once your configuration validates successfully, click Save.
-
Finally, click Start Service, wait a few seconds, and verify that the service starts successfully.
-
With the Auth proxy configured and the service running on AD1, go back to the Duo Admin portal. If you were logged out, log back in with your admin account (cholland@cbXXX.dc-YY.com // dCloud12345!) and select Users > External Directories > AD Sync > Edit connection.
-
Once you're on the AD Sync Connection page, click Test Connection (step 5).
-
The Status section should still reflect that the Auth Proxy is Not Connected but you should see a check next to Add Authentication Proxy.
-
Scroll down and fill out the Directory Configuration section with the following information:
Directory Configuration
Domain controller Hostname: ad1.dcloud.cisco.com
Port: 389
Base DN: DC=dcloud,DC=cisco,DC=com
Authentication type: Integrated
Transport type: Clear
-
Click Save and verify that the Status changes to Connected.
-
Click Back to AD Sync at the top of the page and you will now see the AD Connection is Connected to Duo.
-
Add the Lab Users group to the Groups field (scroll down to find the group, list is alphabetical).
-
In the Synced Attributes section make a few changes:
a. Change Username to userprincipalname
b. Change Email Address to userprincipalname
c. Add Attribute > First Name
d. Add Attribute > Last Name
-
Click Complete Setup
-
The page will refresh, and you can now configure the sync schedule or select specific users that you want to sync. For now, click Enable high frequency syncing for this directory and click Sync Now.
You should see 31 users and 1 group synced. If not, investigate this before proceeding.
-
Navigate to Users > Users and verify that you have 31 users listed and that their username and email address match:
At this point, all the demo users have been synced from the on-prem AD into Duo. Next, you will provision these users from Duo to Webex. Some of these users already exist on Webex as they were provisioned through some other process. Integrating Duo with Webex for provisioning will allow future changes for these existing users to be reflected on Webex. Also, any new users added to the Lab Users group will be automatically provisioned to Webex.
Sync Users from Duo to Webex
To facilitate user provisioning to Webex, you will utilize the SCIM 2.0 API endpoints available in Webex. With other connectors, this required pulling an API token with the appropriate scopes. However, Duo has a connector that is much easier to configure.
-
On the Duo Admin portal, navigate to Applications > Applications
-
Click Add application and then click + Add for Cisco Webex (with Control Hub)
-
We will not be configuring Single Sign-On yet, so click the Provisioning tab. Select the Cloud Connection authentication mode, then select Add new connection > Continue.
A new tab will open requiring you to log into Webex with your administrator account. The URL used for this tab allows Duo to acquire an OAuth access token with the necessary scopes for user provisioning to Webex. A refresh token is also provided so that the integration should never need reauthorization (unless it is paused for an extended period).
-
Authenticate with cholland@cbXXX.dc-YY.com // dCloudZZZZ!
-
After authenticating, you will be advised of the scopes that Duo is requesting.
-
Click Accept and you will be redirected back to Duo with an indication that the connection from Duo to Webex has been established:
Notice that you can see the org name here (in case you have multiple Webex applications in your Duo org). You are also given the name of the administrator that authorized the connection.
Finally, notice that there is a Reauthorize button. This would be necessary if Duo's access and refresh tokens expire, which would only happen if the integration were paused for an extended period. If this occurs, clicking Reauthorize would walk you through the same flow you just completed so Duo could acquire new tokens.
-
The default configuration maps the Duo email address to the username in Webex. This is the only required field but not ideal. To add a few commonly used values, click the Edit Mappings button and select:
displayName
name.familyName
name.givenName
-
Click Save Mapping.
-
Next, change the Email Address attribute to Username and notice that the default Duo mappings to the newly selected attributes are correct:
-
Finally, to select the users you want to sync, scroll down to the Groups section and select the Lab Users group.
By default, Duo will sync the members of the Lab Users group and create a Lab Users group on Webex. Any members of this group on Duo will also be members of the newly created Webex group. This is great for automating license and settings assignment on groups of users, however, if you prefer not to sync group objects, you can tick the Exclude group information box.
For this lab, leave the box unticked so the group object is included in the sync.
-
Click Save and enable and wait about 5-10 seconds, then click the refresh button in the Recent logs section:
Scroll down and you should see successful user and group provisioning. If you see any errors here, they need to be corrected before proceeding. A common failure point is leaving the Webex username attribute set to Email Address in Duo. This attribute needs to be adjusted so that you are syncing the user's Duo Username to Webex.
-
Once you have validated that there are no provisioning errors, navigate to Control Hub (https://admin.webex.com) and log in with your admin account cholland@cbXXX.dc-YY.com.
-
Select Organization Settings and change Control Hub's idle timeout to No timeout then click Save.
-
Select Groups and you should see your Lab Users group in the Webex groups section.
-
Click Create a group and name the group Messaging and click Next
-
Click Add manually, add the following users, then click Save > Done:
Anita Perez
Charles Holland
Eric Steele
Kellie Melby
Ricardo Filice
Taylor Bard
-
The Members tab for the group should reflect the 6 new members.
You have now configured user/group provisioning from Duo to Webex. Any new users added to the Lab Users group on AD would be automatically provisioned to Webex.
Webex Licensing and Settings Templates
Now that you're synchronizing users and groups into Webex, you can use these groups to manage licensing and settings for your users. Automated license and settings template assignment can be done on a group no matter how it was created (synchronized, locally created in Control Hub, or created via the Groups API or the SCIM 2.0 Groups API endpoint). This automation can be configured before syncing users into Webex, but the more common scenario is an organization where the users are already synced, and the licensing or settings configuration needs to be modified -- that's what you will do in this section.
Webex uses a combination of Organization-based licensing and Group-based licensing:
Organization-based licensing → All users that are synchronized into the organization will be granted these licenses. Typically, this is used to grant all users access to basic features like basic messaging and meetings.
Group-based licensing → Each group can be assigned specific licenses and users who are members of those groups will receive those licenses automatically. Users can be members of multiple groups so each premium feature can be tied to a different group for granular control over license distribution.
When these two features are combined with disabling license preservation, the following will occur:
-
All users synced to the org will have access to basic features.
-
As users are added to specific groups, they can be assigned licenses for premium features.
-
If the user is subsequently removed from a group, any license granted by being a member of that group will be removed.
This is an effective way to automate license management while ensuring that oversubscription does not occur. While this is very powerful, this is not a universal solution. In some scenarios, a subset of users in a specific directory group(s) will need different licenses than other users in those group(s). In these scenarios, license management can be handled by using local Webex groups either manually via Control Hub or programmatically via API.
-
Click Users > Licenses.
-
Click Set up under the Organization-based licenses section.
-
In the Messaging section, you should find that Basic Messaging is already assigned. If it is not, tick the box to select it:
-
Select Calling and ensure that Call on Webex (1:1 call, non-PSTN) is ticked.
-
To ensure that these licenses are assigned to all your users, tick the Existing users box and untick Preserve licenses for existing users. This will ensure that users are only granted licenses for the basic features unless they are granted premium licenses by being a member of specific groups.
-
Take some time to read the prompt so that you understand how disabling Preserve licenses for existing users works. When you are ready, tick the box and click Ok.
-
Click Save. At this point in the lab, users only have access to basic messaging, basic meetings, and Call on Webex. You can verify this by going to the Users page and selecting any user, you should see the following:
Tip
It may take a minute to apply to all users so wait a minute and refresh the page if you still see additional licenses. Moving forward, you will assign premium features to users in specific groups.
-
Navigate to Users > Licenses and click Manage in the Group-based licenses section.
-
Select the Messaging group in the Webex groups tab.
-
Click Assignments > Set up.
-
You may be unable to click the Set up button if licenses are still being adjusted from your previous change. If you see this message, you can just wait until the Background tasks running... banner disappears and then refresh the page.
-
Next, you will configure all licenses that should be assigned to members of this group.
a. Tick Advanced Messaging in the Messaging section.
b. Select Calling and untick Call on Webex.
c. Ensure Existing users and Preserve licenses for existing users are both ticked, then click Save at the bottom of the page.
-
You'll automatically return to Messaging > Assignments where you can see your license template assigned to the group.
-
Click Groups in the side panel and click Create a group.
-
Enter Meetings as the group name and click Next.
-
Click Add manually.
-
Type cholland and select cholland@cbXXX.dc-YY.com. Type aperez and select aperez@cbXXX.dc-YY.com:
-
Click Save.
-
Click Assign group resources.
-
Click Set up in the Licenses section.
-
Here you will configure all licenses that should be assigned to members of this group.
a. Disable all Messaging and Calling licenses and select Webex Meetings Suite in the Meeting section.
b. Tick Existing users to ensure that these licenses are applied to the two existing members of this group, not just newly added members. Untick Preserve licenses for existing users.
-
Click Save.
-
You'll automatically return to the Meetings > Assignments where you can see your licenses template assigned to the group.
-
To verify that your licenses were successfully applied to Charles Holland and Anita Perez (due to their group membership), click the Members tab and click on cholland@cbXXX.dc-YY.com or aperez@cbXXX.dc-YY.com. On the Summary tab, you should see Advanced Messaging and the Meetings Suite licenses applied due to their membership in the Messaging and Meetings groups. You will also see licensing for the basic Webex features due to the Organization licensing configuration.
-
Lastly, go back to the Users > Licenses page and toggle the Preserve licenses for users joining another group option off. Disabling this option forces Webex to check a user's group membership(s) any time they are added to or removed from any group. Any licenses they should be granted (or no longer have access to) will be adjusted accordingly.
-
Click Remove license preservation to continue.
Important
Any license(s) manually applied to a user independent of a group membership change (such as via API or Control Hub) would also be removed when a user's group membership changes.
Here are some of the key takeaways regarding Webex licensing:
-
Webex uses a combination of Organization-based licensing and Group-based licensing depending on the organization's configuration.
-
If Preserve licenses for users joining another group is enabled, removing a user from a group will not remove the licenses they received when joining that group, so it will not help prevent oversubscription.
-
Service licenses are assigned to users regardless of their status. For example, an inactive user still consumes a license. You should remove licenses from any user if they don't need the services anymore.
-
More information about license management in Control Hub can be found here.
Next, you will explore settings templates.
-
Navigate to Services > Messaging > Templates > Create template.
-
Select Use a predefined template > Teachers > Next.
-
No changes need to be made so set the template name to No Restrictions and click Create template and next.
-
Click the search box and enter Messaging, then select the Messaging group, and click Done.
-
You will be taken back to the Messaging > Templates page for Messaging.
-
Click Create template > Use a predefined template > Students > Next.
-
Leave the template name as Students, disable all of the toggles, and click Create template and next.
-
Search for and select the Meetings group, then click Done.
-
You will be taken back to the settings template page for Messaging. Notice that there are now two templates and the rank for these templates can be modified by clicking Rank.
Settings templates allow you to configure settings for a large group of users very quickly. These templates apply pre-defined settings to users, and each template must be given a rank.
If a user is a member of two groups and both groups have different settings templates for the same product (Messaging, Meetings, or Calling), then the template with the higher rank is applied to the user. For reference, the highest rank is 1.
-
Select Groups > Messaging > Assignments and notice that the No Restrictions settings template has been applied to the group.
-
Select Users > Charles Holland and notice that he is a member of three groups -- two of which have a messaging settings template applied.
-
Click the Messaging tab and notice that Charles' messaging settings are coming from the No Restrictions template with all toggles enabled. Because the No Restrictions template has a higher rank than the Students template, it was applied to Charles Holland.
Using groups to automatically apply settings and licenses to users when they are provisioned is a powerful feature that greatly reduces administrative overhead in large environments.
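To make the licensing rules from the licensing section and the template ranking rule above concrete, here is an added Python model of how the grants resolve; it is not Control Hub code or a Webex API. Group names, licenses and template ranks follow the lab, while the jdoe user and the license pool sizes are constructed to show the oversubscription case.

```python
"""Model of Webex org-based + group-based licensing and ranked settings templates.

Resolution rules follow the lab text: org licenses go to every synced user, group
licenses follow membership, and for templates rank 1 wins over lower ranks.
"""
from typing import Dict, Optional, Set, Tuple

# Licenses every synced user receives (organization-based licensing, as set in the lab).
ORG_LICENSES: Set[str] = {"Basic Messaging", "Call on Webex"}

# Licenses granted through group membership (group-based licensing, as set in the lab).
GROUP_LICENSES: Dict[str, Set[str]] = {
    "Lab Users": set(),
    "Messaging": {"Advanced Messaging"},
    "Meetings": {"Webex Meetings Suite"},
}

# Settings templates per group and product as (template name, rank); rank 1 is highest.
GROUP_TEMPLATES: Dict[str, Dict[str, Tuple[str, int]]] = {
    "Messaging": {"messaging": ("No Restrictions", 1)},
    "Meetings": {"messaging": ("Students", 2)},
}

# Constructed membership: cholland and kmelby follow the lab, jdoe is a made-up user
# who is only in the Meetings group.
MEMBERSHIP: Dict[str, Set[str]] = {
    "cholland": {"Lab Users", "Messaging", "Meetings"},
    "kmelby": {"Lab Users", "Messaging"},
    "jdoe": {"Lab Users", "Meetings"},
}

# Constructed subscription pool, only to show where oversubscription would appear.
LICENSE_POOL: Dict[str, int] = {"Advanced Messaging": 2, "Webex Meetings Suite": 1}


def effective_licenses(user: str, memberships: Dict[str, Set[str]],
                       current: Set[str], preserve: bool) -> Set[str]:
    """Licenses a user should hold after a membership change.

    preserve=True  -> 'Preserve licenses' on: existing licenses stay, group grants are added.
    preserve=False -> recomputed purely from org + group membership, so licenses from a
                      group the user left (or applied manually) are removed.
    """
    granted = set(ORG_LICENSES)
    for group in memberships.get(user, set()):
        granted |= GROUP_LICENSES.get(group, set())
    return (granted | current) if preserve else granted


def resolve_template(user: str, memberships: Dict[str, Set[str]],
                     product: str) -> Optional[str]:
    """Pick the template for one product: highest rank (lowest number) across the groups."""
    best: Optional[Tuple[str, int]] = None
    for group in memberships.get(user, set()):
        entry = GROUP_TEMPLATES.get(group, {}).get(product)
        if entry and (best is None or entry[1] < best[1]):
            best = entry
    return best[0] if best else None


def remove_from_group(user: str, group: str, memberships: Dict[str, Set[str]],
                      current: Set[str], preserve: bool) -> Set[str]:
    """Apply a group removal and return the resulting license set."""
    memberships.setdefault(user, set()).discard(group)
    return effective_licenses(user, memberships, current, preserve)


def seat_usage(memberships: Dict[str, Set[str]]) -> Dict[str, Tuple[int, int]]:
    """Per premium license: (seats in use, seats in pool). used > pool is oversubscribed."""
    usage = {lic: 0 for lic in LICENSE_POOL}
    for user in memberships:
        for lic in effective_licenses(user, memberships, set(), False):
            if lic in usage:
                usage[lic] += 1
    return {lic: (usage[lic], LICENSE_POOL[lic]) for lic in LICENSE_POOL}


def oversubscribed(memberships: Dict[str, Set[str]]) -> Set[str]:
    """Licenses whose group-driven demand exceeds the constructed pool."""
    return {lic for lic, (used, pool) in seat_usage(memberships).items() if used > pool}


if __name__ == "__main__":
    members = {u: set(g) for u, g in MEMBERSHIP.items()}
    print("cholland:", sorted(effective_licenses("cholland", members, set(), False)))
    print("cholland messaging template:", resolve_template("cholland", members, "messaging"))
    print("oversubscribed:", oversubscribed(members))
```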
Configuring Duo to Use Active Directory for User Authentication
To summarize your progress thus far:
-
You've synced your on-prem AD users and groups to Duo.
-
Any changes made to these users and groups on AD will sync to Duo.
-
The Duo catalog application is provisioning the selected users and groups to Webex via SCIM 2.
-
You've learned the basics of license and settings templates to help minimize administrative overhead after provisioning users.
As Duo is configured right now, it will attempt to authenticate users locally. This will not work as none of the users have credentials in Duo. To work around this, you will configure Duo to authenticate users via the Duo Authentication Proxy. This allows AD to be leveraged for authentication so all users can log in with their existing credentials.
-
Open your tab to the Duo admin portal or navigate to https://admin-demodemo.duosecurity.com and log in with your admin account, cholland@cbXXX.dc-YY.com
-
Click Applications > SSO Settings
-
Select External Authentication Sources > Add Source.
-
Click Add Active Directory, tick the box regarding the privacy statement, then click Configure Active Directory.
-
Click Add Authentication Proxy
-
Scroll down and ensure that you have Windows selected and copy the [sso] section in Step 1.2
-
Step 1.1 in Duo provides the location of the authproxy.cfg file where this section needs to be added, however, the Duo Authentication Proxy Manager should still be running and in your taskbar so open the window and paste the [sso] section at the end of your config.
-
Once you have added this section to your config, click the Windows button, enter cmd and launch Command Prompt.
-
Back in the Duo admin portal, copy the text in step 2.
-
Paste this text into the command prompt and ensure that the proxy service is restarted successfully.
-
Your auth proxy is now connected to the cloud. Open the Duo Authentication Proxy Manager window.
-
Click Validate, ensure there are no errors, and then click Save.
-
Finally, as the program instructs -- click Restart Service.
-
Back in the Duo Admin panel, click the Run test button and verify that the status changes to Connected to Duo.
-
Scroll back to the top of this page and click Active Directory Configuration.
-
Scroll down and update the Active Directory server configuration section:
Domain controller(s): ad1.dcloud.cisco.com
Port: 389
Base DNs: DC=dcloud,DC=cisco,DC=com
Authentication type: Integrated
Transport Type: Clear - unencrypted
-
Set the Email and Duo username attribute to userprincipalname and set Username normalization to None
-
Scroll down and click Save and enable.
-
After saving, you will be taken back to the External Authentication Sources tab where the Active Directory source you just configured will be Enabled. You will also see a notification that you must configure a permitted domain to allow for authentication via AD.
Tip
To provide some clarity on the current state of the environment -- previously you configured the Duo Authentication Proxy to sync users from the on-prem AD server to Duo. You have now configured the proxy to receive authentication requests from Duo when users attempt to log in, validate their credentials with AD, and send the result back to Duo.
At this stage, Duo will not leverage the proxy for authentication because it authenticates users locally, by default. Before you can use the proxy, you must verify your dCloud domain in Duo so that you can route authentication to the proxy.
-
To proceed, click Add permitted domains.
-
Scroll down and click Add email domain in the Permitted Domains section.
-
Enter your pod domain on this page (cbXXX.dc-YY.com) and click Add.
-
After adding the domain, note the Status column. If the status is Verified, skip to step 28. If the status is Unverified, you will need to verify it manually, so click Copy next to the verification code.
-
Next, open the home page in your browser and select Identity and Misc. Links > DNS Verification.
-
Click Load session.xml and navigate to C:\dcloud to find the session.xml file, then click Open.
-
Notice that the boxes will be filled in from the XML file. Paste the verification code copied in the previous step into the Value field, then click Submit.
-
Back on the Duo Admin panel, click Verify.
If you receive an Unable to verify error, the TXT record is not present on the DNS server yet -- wait another minute and try again.
Do not proceed until the domain is Verified.
-
After verifying the domain, scroll up, click the Routing Rules tab, change the Default rule to the Active Directory authentication source, then click Save.
Now, any user who attempts to log in to an application protected by Duo will be authenticated in the background by Active Directory via the authentication proxy. Administrators can configure SSO routing rules in Duo to authenticate users via different sources based on specific criteria:
-
Duo application being accessed
-
Domain of user's email address
-
User's network (individual address, address range, or CIDR block)
Routing rules are not needed for this lab.
Single Sign-On with Webex and Duo (SAML and OIDC)
The next section walks you through enabling SSO and explains some of the differences between SAML and OpenID Connect. Duo supports both SAML and OIDC, which allows you to configure two separate IdPs on Webex using the same Duo tenant. Webex supports multiple IdPs, so you can route users to a specific identity provider based on the domain of their email address or their group membership in Webex. You will configure two separate applications in Duo (one SAML, one OIDC), both authenticating users for the same Webex org, to simulate two different identity providers.
The next section will require multiple logins to test various aspects of SSO on Webex. If you receive an error at any point during your testing, try using a new browser or closing ALL private/incognito windows to ensure you're using a fresh session with no cached logins.
Duo SSO Setup (SAML)
In this section, you will learn how to configure SSO for Webex using Duo as the Identity Provider (IdP). This integration will utilize SAML.
At this point in the lab guide, you have configured the Duo Authentication Proxy to synchronize users from AD to Duo and to authenticate user credentials for Duo. Now you can proceed with configuring SSO on Webex.
-
Log in to Control Hub (https://admin.webex.com) using cholland@cbXXX.dc-YY.com
-
Navigate to Security & Privacy and select the Authentication tab then click Activate SSO.
-
Select SAML and click Next.
-
Select the Self-signed by Cisco certificate option, click Download metadata, then click Next.
a. Leave this tab open on Step 3: Configure IdP metadata -- you will come back to this page after performing some changes in Duo.
-
Next, open your Duo Admin panel tab or navigate to https://admin-demodemo.duosecurity.com and log in with your admin account, cholland@cbXXX.dc-YY.com
-
Navigate to Applications > Applications and select Cisco Webex (with Control Hub) - Single Sign-On.
-
On the Single Sign-On tab:
a. Rename the application Cisco Webex (with Control Hub) -- SAML+SCIM.
b. In the User access section, select Enable for all users.
c. Click Download XML to get a copy of the Duo metadata.
d. In the Service Provider section, click browse and select the idb-meta-...-SP.xml file that you downloaded from Webex in step 4.
e. Tick the Custom Attribute box and enter userprincipalname to ensure the correct value is returned from AD to Duo.
-
Scroll to the bottom of the page and click Save.
-
After you save the changes, scroll down and select Edit Global Policy.
-
Click Dismiss if you receive the popup regarding the new policy editor.
-
Click Authentication policy and select Skip MFA, then click Save. (Skipping MFA in the Duo global policy is done only to keep the lab flow simple; you will add a second factor back at the Webex layer later in this module.)
-
Go back to your Control Hub tab and on Step 3: Configure IdP metadata:
a. Select Upload your IdP's metadata
b. Select Less secure
c. Click Browse and select the metadata file you downloaded from Duo.
-
Click Next.
Tip
Note that you have the option to enable Just-In-Time (JIT) provisioning at this point to allow Webex to create users if they have a valid assertion from your IdP, but they do not exist in Webex. You will not be configuring Just-In-Time user provisioning in this lab but feel free to click Show optional attributes to see which attributes are available, then click Next.
-
Click Copy URL to clipboard and open a new incognito tab in Chrome (Ctrl+Shift+N) or Firefox (Ctrl+Shift+P).
-
Paste the URL in the private window and you will be prompted to sign in to Duo. You can use cholland@cbXXX.dc-YY.com.
-
When prompted for the password, you will need to use the password stored in AD (dCloud123!).
-
You should see a Single Sign-on succeeded message.
-
At this point, you can close the private window and go back to SSO test page. Click Next and select Successful test, then click Activate.
You now have a working SSO configuration with Duo using SAML. The next step is creating a second SSO integration with Duo that uses OpenID Connect so that you can see the configuration differences.
Duo SSO Setup (OIDC)
OIDC is an identity layer built on top of the OAuth 2.0 protocol. One practical advantage over SAML is that trust between the Relying Party (Webex) and the OpenID Provider (Duo) is established with a client ID and client secret generated during setup, and the provider's token-signing keys are fetched on demand from the JWKS endpoint advertised in its discovery document rather than exchanged by hand in a metadata file. ID tokens are still digitally signed; what disappears is the manual certificate and metadata exchange. This translates into less administrative overhead at initial configuration along with lower risk of user impact, such as logins failing because an SP or IdP certificate was renewed or expired and the metadata was not properly re-exchanged.
-
Start by navigating to https://admin-demodemo.duosecurity.com.
-
Navigate to Applications > Application Catalog and search for Generic OIDC Relying Party then click Add.
-
Update the configuration:
Name: Webex OIDC
User Access: Enable for all users
Allow PKCE only authentication: Enabled
Refresh Tokens: Enabled
Sign-In Redirect URLs: https://idbroker-b-us.webex.com/idb/Consumer/oidc/sp
Scopes: Enable profile and email
-
Since you have already modified the global policy to disable the 2FA requirement, scroll to the bottom of the page and click Save.
-
Leave this tab open and switch to your https://admin.webex.com tab and log back in if needed.
-
Navigate to Security > Authentication > Add an IdP.
-
Select OpenID Connect and click Next.
-
You will need to fill in a few required boxes:
a. Name → Duo_OIDC
b. Client ID and Client Secret → You can find these in the Metadata section in Duo - Click the Copy buttons and paste this information into Webex.
When pasting the Client ID and secret into Webex, notice that the Webex redirect URL is provided here. This is the same for all Webex orgs and matches what you pasted into Duo in step 3.
c. Scopes
-
This defines which optional claims the Relying Party (Webex) may request. The email scope is required because the email address is how users are identified in Webex, and openid is required because it indicates that Webex will request an OIDC ID token.
-
Disable address, phone, and profile as you do not need them for this lab.
d. Allow Proof Key for Code Exchange (PKCE) Configuration
- Toggle this on to improve the security of your authentication process. More detail will be provided about how PKCE works and its purpose after you've finished configuring the OIDC IdP.
e. Discovery URL
-
This allows the relying party to request the capabilities and endpoint URLs from the OpenID Provider (IdP).
-
This will be specific to your Duo tenant and can be found on your Webex OIDC application page in Duo. Copy and paste this value into Webex.
-
Verify that you have filled in all the information before proceeding:
Notice that you can enable JIT provisioning/update with OpenID Connect as you could with SAML. You will not be using it in this lab, but it is an option for your production environment.
-
Once you have provided the required information, click Next. You need to perform another SSO test to verify that your configuration is correct. Click Copy URL to clipboard and open a new incognito tab in Chrome (Ctrl+Shift+N) or Firefox (Ctrl+Shift+P).
-
Paste the URL in the private window and you will be prompted to sign in to Duo. You can use cholland@cbXXX.dc-YY.com // dCloud123!.
-
Once you see Single Sign-on succeeded, you can close the incognito tab and click Next.
a. If you receive Single Sign On Failed when performing your SSO test, a configuration error has occurred. A common issue is pasting a URL, client ID, or client secret with a space appended to the end. Be sure to check all your values to make sure there is no trailing space.
-
Since this is your second IdP, you will be prompted to configure a routing rule. This allows Webex to have criteria that dictate to which IdP a user will be routed during authentication.
-
On the Set up a routing rule page, enter a rule name of GroupRule, select a routing type of groups, and search for and select the Meetings group, then click Add.
Tip
You have the option of allowing MFA in Webex for any user authenticating through this IdP. This can be a great option to increase security for Webex logins without needing to make changes on the IdP. For now, leave the option on Keep the current MFA status which will use the global config in Organization Settings.
-
Back on the Single sign-on & multiple identity providers page, you'll see your SAML IdP and your new OIDC IdP. In this lab, both are using the same Duo tenant, however, that is just for demonstration purposes. You can have different Duo tenants, or completely different identity platforms configured for SSO.
Important
If at any point you become locked out of your org, you can access https://admin.webex.com/manage-sso using cholland@cbXXX.dc-YY.com to disable SSO. You will need to open Outlook on WKST1 to retrieve a code that will be emailed to cholland.
OpenID Connect -- Proof Key for Code Exchange (PKCE)
When enabling SSO with OIDC, you enabled the option to allow PKCE:
Unlike SAML, OIDC builds on OAuth 2.0 and can use several login flows, which makes it flexible and suitable for many deployment types. The most common OAuth flows are listed below, roughly in order from least secure to most secure:
-
Implicit Flow (deprecated in OAuth 2.1 -- included here for awareness)
-
Device Authorization Flow
-
Authorization Code Flow
-
Authorization Code Flow with PKCE
By default, the Webex application uses Authorization Code Flow when authenticating users. In this model, the user never directly sees access or refresh tokens. Instead, the Identity Provider (IdP) issues a short-lived authorization code, which the Webex application forwards to the Webex cloud. Webex then exchanges that code for access, refresh, and ID tokens over a secure backchannel using its client credentials. This ensures that tokens are never exposed in the browser or during redirects, reducing the risk of interception.
Authorization Code Flow with PKCE was designed for public clients like the Webex desktop and mobile apps, which cannot safely store a client secret. Instead of relying on a static secret, the client generates a one-time, high-entropy code verifier and sends its SHA-256 hash (the code challenge) with the initial authorization request. When redeeming the authorization code, the client must present the original verifier, and the IdP refuses the exchange if it does not hash to the stored challenge. An attacker who intercepts or injects an authorization code therefore cannot exchange it for tokens without also holding the verifier.
PKCE is required for any client that is not a secure backend server able to protect a secret, and current OAuth guidance (OAuth 2.1 and the OAuth 2.0 Security Best Current Practice) recommends it for confidential clients as well, because it binds the code to the browser session that started the login and defeats authorization-code injection regardless of where the secret lives. That is why you enabled it for the Webex OIDC IdP. Refer to the diagram below for a visualization of the login process when PKCE is enabled.
For more technical information, refer to the RFC for Auth Code Flow w/ PKCE: https://datatracker.ietf.org/doc/html/rfc7636
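The flow described above, as an added example (not Webex, Duo, or lab code): it builds the authorization request from a discovery document of the kind the Discovery URL returns, derives the S256 code challenge exactly as RFC 7636 specifies, and performs the check the OpenID Provider does at the token endpoint. The discovery document, hostnames and client_id are constructed placeholders; the redirect URI is the Webex one from the OIDC setup steps above.

```python
"""OIDC Authorization Code flow with PKCE (RFC 7636): request construction
and the verifier check the OpenID Provider performs at the token endpoint.

Added illustration, not Webex or Duo code. The discovery document below is
constructed to mirror the fields defined by OpenID Connect Discovery; the
hostnames and client_id are placeholders, not real tenant values.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for what GET <Discovery URL> returns (assumption: a
# Duo-like OP that advertises S256). Real documents carry many more fields.
DISCOVERY_DOC = {
    "issuer": "https://sso-example.sso.duosecurity.com/oidc/example-client",
    "authorization_endpoint": "https://sso-example.sso.duosecurity.com/oidc/example-client/authorize",
    "token_endpoint": "https://sso-example.sso.duosecurity.com/oidc/example-client/token",
    "jwks_uri": "https://sso-example.sso.duosecurity.com/oidc/example-client/.well-known/jwks.json",
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "email", "profile"],
}

WEBEX_REDIRECT_URI = "https://idbroker-b-us.webex.com/idb/Consumer/oidc/sp"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_discovery(doc: dict, expected_issuer: str) -> None:
    """Minimal checks a Relying Party should make before trusting a discovery document."""
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc["issuer"])
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc[key]).scheme != "https":
            raise ValueError("%s must be https" % key)
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("OP does not advertise S256; do not fall back to 'plain'")


def generate_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes give 43 chars, inside the 43..128 limit."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(doc, client_id, redirect_uri, verifier, state, nonce,
                            scopes=("openid", "email")):
    """Front-channel request: only the challenge travels, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def op_redeem_code(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the OP checks when the code is exchanged. An attacker holding only an
    intercepted authorization code cannot produce the verifier, so this fails."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    check_discovery(DISCOVERY_DOC, DISCOVERY_DOC["issuer"])
    verifier = generate_code_verifier()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    print(build_authorization_url(DISCOVERY_DOC, "client-id-placeholder",
                                  WEBEX_REDIRECT_URI, verifier, state, nonce))
    challenge = code_challenge_s256(verifier)          # what the OP stored at /authorize
    print("legitimate client:", op_redeem_code(challenge, "S256", verifier))
    print("code thief:       ", op_redeem_code(challenge, "S256", generate_code_verifier()))
```

The verifier is kept only in the client's session and never appears in any URL, which is the whole point: the code that does traverse the browser redirect is useless on its own.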
Multiple Identity Providers with Webex
Multiple IdPs is a powerful tool that allows administrators to route users to a different IdP depending on either their group or their domain. This feature also allows you to use Webex Common Identity (CI) as an IdP which means users will use local Webex authentication rather than being routed to a third-party IdP. Some common use-cases for this feature include:
-
Mergers and acquisitions
-
Education or government institutions
-
Partners using Webex as a consumer service
-
Global enterprises with separate IT organizations
While powerful, this feature should only be used as a last resort. A rogue administrator could configure Webex to route users to an IdP that may not be monitored by an organization's security admins. If this IdP looked identical to the one with which users were accustomed to authenticating, users may not be aware that they are giving their credentials to a bad actor. In a different scenario, an IdP could be configured with a less strict password policy than is required by the security team.
Due to the inherent risk of a feature like this, new alerts have been created to notify administrators when key changes are made. These alerts can be found at Security & Privacy > Audit > Admin activities:
- When IdP is added to Webex, an alert is generated.
- When an IdP is deleted, an alert is generated.
- When a routing rule is created, an alert is generated.
- When the routing rule order is modified, an alert is generated.
These alerts provide notice if an administrator makes changes to the SSO configuration. In addition, you can also enable logging of authentication events by navigating to Security > Audit > Authentication Activities > Generate Access and enable Allow user authentication data. Refer to the screenshot below for sample data with this toggle enabled.
If there is an issue with SSO at any point, a full administrator can use https://admin.webex.com/manage-sso to disable SSO or update the IdP metadata.
At this point in the lab, you have already configured two IdPs, Duo (SAML) and Duo (OIDC). Since you configured the SAML integration first, it is configured as your default IdP. This means that any users not matching the GroupRule routing rule you created will be sent to your SAML integration. Note that in this lab, we're using the same Duo tenant for both IdPs but in a production environment, these can be separate Duo tenants, or separate providers such as Entra ID, PingFederate, AD FS, ForgeRock, Shibboleth, etc.
In the next section, you will configure local Webex authentication for a group of users and set up appropriate routing rules so that users are authenticated locally with Webex rather than routed to an external IdP.
-
Return to Control Hub and navigate to the Groups page in the Management section of the side panel.
-
In the Webex groups section, click the Create a group button:
-
Enter WxLocalAuth as the group name and click Next.
-
Select Add manually, then search for chall and tbard and select both users to add them to the group.
-
Click Save then Done.
-
Navigate to Security & Privacy > Authentication > Identity Provider > Add an IdP
-
Select Webex, then click Next.
-
Take a minute to read the disclaimer providing more information about utilizing local Webex authentication.
-
Tick the box for I've read and understood how Webex IdP works. And click Next.
-
On the Set up a routing rule page, add the following rule:
a. Rule Name: WxLocalAuthRule
b. Routing Type: groups
c. Selected groups: WxLocalAuth
-
Click Add and you will be sent back to the Identity Provider tab with a new Webex entry:
-
Click the Routing Rules tab and move the WxLocalAuthRule to the top of the list by clicking the handle on the left side of the box and dragging the rule up.
-
A few key notes about routing rules:
a. Any time a user logs in to an account in this organization, Webex will check their uid (email address) against these rules. These rules are checked in order of priority and the user will be routed based on the first rule they match.
b. Due to this logic, rules should be placed in a most specific > least specific order.
c. Domain rules require that the domain(s) be verified or claimed, or you will not be able to add them to the rule.
d. Domain rules can consist of multiple domains.
e. Group rules can specify either locally created Webex groups or synchronized groups.
f. Groups rules can consist of multiple groups.
g. In this scenario, the two users that you added to the WxLocalAuth group (chall and tbard) will match Rule #1 and they will route to the Webex Identity Broker for authentication. No other users will match that rule, so they would then be checked against Rule #2. If they don't match that rule, they would match the Default Rule, so they would be redirected to Duo for authentication via the SAML application.
h. The default rule does not have a filter so it will match all users. It is likely that some users will match multiple rules (for example, they may match two different group rules or a group and domain rule). Remember, however, that Webex checks the user against rules in order and the user will be routed as soon as they match a rule -- they will not be checked against lower priority rules.
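The first-match logic in the notes above, modelled in code as an added example (not Webex code). The rule names, IdP names and users mirror this lab's scenario; representing a user as an email plus a set of Webex group names, and the set of "verified domains", are assumptions made for the example. The lab domain is written in lowercase as a placeholder.

```python
"""First-match evaluation of Webex IdP routing rules (added illustration, not
Webex code). Rules, IdPs and users follow the lab scenario; the user model and
the verified-domain set are assumptions for this example."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    idp: str
    groups: frozenset = frozenset()   # routing type "groups"
    domains: frozenset = frozenset()  # routing type "domains"
    # a rule with neither filter is the Default rule and matches everyone

    def matches(self, email: str, user_groups: set) -> bool:
        if self.groups:
            return bool(self.groups & user_groups)
        if self.domains:
            return email.rpartition("@")[2].lower() in self.domains
        return True


def validate_rules(rules, verified_domains):
    """Constraints Control Hub enforces: domain rules only on verified or claimed
    domains, and exactly one default rule, which must sit last."""
    for r in rules:
        for d in r.domains:
            if d not in verified_domains:
                raise ValueError(f"{r.name}: domain {d} is not verified or claimed")
    defaults = [r for r in rules if not r.groups and not r.domains]
    if len(defaults) != 1 or rules[-1] is not defaults[0]:
        raise ValueError("exactly one default rule is required and it must be last")


def route(rules, email, user_groups):
    """Return (rule name, IdP) for the first rule the user matches.
    Lower-priority rules are never consulted once a match is found."""
    for r in rules:
        if r.matches(email, user_groups):
            return r.name, r.idp
    raise AssertionError("unreachable once validate_rules has passed")


def shadowed_rules(rules):
    """Group rules whose groups are all covered by earlier group rules can never fire;
    this is the 'most specific first' ordering mistake made visible."""
    seen, out = set(), []
    for r in rules:
        if r.groups and r.groups <= seen:
            out.append(r.name)
        seen |= r.groups
    return out


# Lab scenario: Webex (local auth) for WxLocalAuth, Duo OIDC for Meetings, Duo SAML otherwise.
VERIFIED_DOMAINS = {"cbxxx.dc-yy.com"}          # placeholder for the pod domain
RULES = [
    Rule("WxLocalAuthRule", "Webex", groups=frozenset({"WxLocalAuth"})),
    Rule("GroupRule", "Duo_OIDC", groups=frozenset({"Meetings"})),
    Rule("Default", "Duo SAML"),
]
USERS = {                                        # constructed: email -> Webex groups
    "tbard@cbxxx.dc-yy.com": {"WxLocalAuth"},
    "aperez@cbxxx.dc-yy.com": {"Meetings"},
    "jdock@cbxxx.dc-yy.com": set(),
    "both@cbxxx.dc-yy.com": {"WxLocalAuth", "Meetings"},   # in two groups: first rule wins
}

if __name__ == "__main__":
    validate_rules(RULES, VERIFIED_DOMAINS)
    for email, groups in USERS.items():
        print(email, "->", route(RULES, email, groups))
```

A user in both WxLocalAuth and Meetings is routed to Webex because WxLocalAuthRule is evaluated first, exactly the behaviour note h describes; swap the two rules and the same user lands on Duo_OIDC instead.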
-
Open a new incognito or private window in your browser and navigate to https://web.webex.com. Click Sign in, enter tbard@cbXXX.dc-YY.com, and click Next. You should be routed to Webex rather than Duo for authentication, which means your rule is working as expected; there is no need to complete the login.
-
Next, close your private/incognito window to clear any cached information, then open a new private/incognito window.
-
Navigate to https://web.webex.com and enter aperez@cbXXX.dc-YY.com (ensuring that you update the XXX and YY with your session #s).
a. This user's group membership will be checked to see if she matches the criteria for the WxLocalAuthRule. Since Anita Perez is not in the WxLocalAuth group, she will not match the rule.
b. Next, her group membership will be checked against GroupRule. She is in the selected group, so you should be routed to Duo_OIDC for authentication.
c. In a few steps, you will check the Authentication log in Duo to verify that users are being routed to the SAML and OIDC integrations as expected so be sure to complete a successful login with aperez@cbXXX.dc-YY.com.
-
Finally, close your private/incognito window to clear any cached information, then open a new private/incognito window.
-
Navigate to https://web.webex.com and log in with jdock@cbXXX.dc-YY.com.
-
Now that you've successfully authenticated to both the OIDC application (aperez) and SAML application (jdock), open the Duo admin portal (https://admin-demodemo.duosecurity.com).
-
Navigate to Reports > Authentication Log.
-
Verify that jdock and aperez authenticated to the correct applications:
It is very common to attempt this test in a browser that has a cached login for a different user (such as jdock or aperez). If you receive an error during testing, try using a new browser or try to close ALL private/incognito windows to ensure you're using a fresh session with no cached logins.
You now have a working multiple IdP configuration. This configuration can be much more complex -- this scenario was designed to provide a high-level introduction and overview of the feature.
Enable Multi-Factor Authentication (MFA) using Duo
NOTE: Enabling MFA on Webex through Control Hub requires Duo Authenticator. This can only be installed on Android or iOS. If you want to proceed with this section but you do not want to install the Authenticator on your mobile device, please raise your hand and let a proctor know and we can use one of our lab devices for you. If you'd rather not go through this section, feel free to skip to the next module as the rest of the guide is not contingent on this feature.
Webex has native support for MFA using the Duo Authenticator. Administrators are given 3 different options when enabling this feature in Control Hub:
-
Allow MFA per user (users in the org have the option to enable MFA)
-
Mandatory MFA when accessing Control Hub
-
Mandatory MFA for the organization (MFA required when accessing any Webex service).
For this lab, you will enable MFA for anyone accessing Control Hub.
-
Navigate to https://admin.webex.com and log in with cholland@cbXXX.dc-YY.com.
-
Select Organization Settings and search for Multi-factor Authentication.
-
Select Allow Multi-Factor Authentication > Require mandatory MFA for selected applications > Allow MFA.
-
Click Save.
-
Next, open an incognito or private window in your browser. Ensure that there are no other incognito windows open because any Webex sessions from those window(s) can cause issues.
-
Navigate to https://admin.webex.com and log in with cholland@cbXXX.dc-YY.com.
-
You will go through the SSO login flow with Duo but since you are now forcing MFA on Webex, you will be prompted to set up Duo Authenticator after you authenticate:
-
Click Next.
-
You will be presented with a QR code. Launch the Duo Authenticator on your mobile device and tap Add (or raise your hand and request to use a proctor's device).
-
Once the code has been scanned into the Duo Authenticator app, click Next.
-
You will be asked to enter the 6-digit Time-based One-Time Password (TOTP) after which you will be redirected to Control Hub.
-
After the code is successfully confirmed, close the incognito/private window and you should still be logged into Control Hub in your other browser session.
-
Toggle Allow Multi-Factor Authentication off and click Save.
This section demonstrates that even when SSO is enabled, the collaboration administrator can still force an increased level of security for Webex. This may seem unnecessary if the IdP already requires MFA, but some organizations don't force MFA and collaboration administrators can still choose to utilize this feature to increase security on the Webex platform.
This concludes the module on Webex Identity. Before proceeding to the next module, close your remote session to AD1 since modules 2 and 3 both require usage of Workstations 1-3.
END of MODULE 1
Continue with either Module 2 or Module 3:
Module 2: Zero Trust End-to-End Encrypted Calling and Meetings, Media Watermarking, and Deepfake Detection.
In this module, you will learn about Zero Trust End-to-End Encrypted calling and meetings, learn how watermarking can deter and trace media leakage, and finally walk through deepfake detection in a meeting.
There are 6 sections in this module:
i. Schedule an End-to-End Encrypted Meeting
ii. Features in an End-to-End Encrypted Meeting
iii. Audio and Visual Watermarking and Watermark Analysis
iv. Deepfake Detection with GetReal and Webex
v. Provision Users and Configure Zero Trust End-to-End Encrypted Calling
vi. Zero Trust End-to-End Encrypted Calling
Schedule an End-to-End Encrypted Meeting
In this section, you will learn how to schedule an E2EE meeting and learn the benefits and features of an E2EE meeting.
Before proceeding with the configuration, it's important to understand how an E2EE meeting works at a high level. End-to-end encrypted meetings are designed to ensure that meeting content can only be accessed by the intended participants. The meeting content encryption key is generated by the meeting host's client and distributed to the other participants in encrypted form (using the MLS key packages described later in this section). Webex cloud services DO NOT have access to the content encryption key. Without it, Webex cannot decrypt any of the meeting content, so features that depend on the cloud processing media, such as meeting chat transcripts, files, whiteboards, annotations, and recordings, are not available when the meeting ends.
Features that can be provided by processing media locally on the device remain available in end-to-end encrypted meetings:
- Audio and video watermarking
- Face and gesture recognition
- Room interpretation
- People presence detection
- Proximity pairing
- Background noise removal
Additionally, E2EE meetings are available to enterprise and consumer customers and are supported by the Webex App (desktop and mobile) and Webex devices with up to 1000 participants.
Before you start this section, let's enable watermarking capabilities in Control Hub; you will need them for the next section.
-
RDP to WKST1 and ensure that you are logged into the Webex app with Charles's credentials, cholland@cbXXX.dc-YY.com and password dCloud123! (if you didn't complete module 1, the password will be dCloudZZZZ!).
-
Navigate to admin.webex.com and click on Sign in with credentials for cholland, cholland@cbXXX.dc-YY.com and password dCloud123! (if you didn't complete module 1, the password will be dCloudZZZZ!).
-
In Control Hub, navigate to Organization Settings and scroll down to the options 'Add an audio watermark' and 'Show visual watermarks'. Enable both, and enable all three options below 'Show visual watermarks'. Click Save.
This makes the digital watermarking option available to users when scheduling meetings of supported types. Note that it can take some time (in some cases about 15 minutes) for the option to appear for end users after it is enabled in Control Hub.
You will now schedule an end-to-end encrypted meeting.
-
Once you have enabled watermarks, configure the meeting site for end-to-end encrypted meetings. Go to Services-->Meeting and copy the site name.
-
Open a Chrome browser on Workstation 1 and navigate to the site name, e.g. cbXXXYY.webex.com, then sign in with the credentials for cholland: cholland@cbXXX.dc-YY.com and password dCloud123! (if you didn't complete module 1, the password will be dCloudZZZZ!).
-
Click Schedule > Schedule a meeting, set the meeting type to Webex Meetings Pro-End to End Encryption_VOIPonly.
-
Set a Meeting topic, Date/Time, and invitees (Anita Perez aperez@cbXXX.dc-YY.com and Kellie Melby kmelby@cbXXX.dc-YY.com).
-
Click on Schedule and click Start. Click 'Open Webex' to start the meeting in the Webex App.
-
To start, let Charles be the only participant in the meeting.
- Click OK on the No Microphone found prompt.
- Click Start Meeting, and click OK again if the No Microphone found prompt reappears after the meeting starts.
- Observe the blue shield icon at the top left of the meeting window; the padlock indicates that this is an E2EE meeting.
-
In the meeting window, click the Meeting Info option and then Security. Confirm that you see the security code, that the server connection shows TLS with AES-256-GCM-SHA384, and that the media connection shows AEAD-AES-256-GCM.
Make a note of the security code.
Navigate to the Participants tab and click the "i" icon next to Charles's name. You will see his certificate, which is how Webex verifies Charles's identity; click the "i" to view the certificate details.
-
Now login to WKST2 with dcloud\aperez (password dCloud123!). Launch the Webex App and login with aperez@cbXXX.dc-YY.com and password dCloud123! (if you didn't complete module 1, the password will be dCloudZZZZ!). You will see the Join meeting notification:
-
Click on Join, click OK in the No microphone found prompt. Click Join Meeting to enter the meeting.
Click on Meeting Info then select Security and observe the security code. It has changed now that a new attendee has joined. Feel free to verify the certificate for Anita.
-
Login to WKST3 with dcloud\kmelby (password provided in the pod sheet). Launch the Webex App and login with kmelby@cbXXX.dc-YY.com and password dCloud123! (if you didn't complete module 1, the password will be dCloudZZZZ!). You will see the Join meeting notification, join the meeting by clicking on the green Join button.
Click on Meeting Info > Security and verify that the security code has changed again. Feel free to verify the certificate for Kellie.
Important
Message Layer Security (MLS) uses key packages to identify users and to generate new meeting encryption keys as participants join the meeting. Note that, like the meeting security code, the meeting encryption key changes every time a new participant joins the end-to-end encrypted meeting.
Each MLS key package contains:
- The participant's identity information and public key (verified credential/certificate).
- A tree hash value that represents the cryptographic group state and the credentials of the group members (meeting participants).
- An identifier for the current version of the meeting encryption key.
A new meeting encryption key is created whenever a participant joins or leaves the meeting.
Important
Secure Frames (SFrame) provide an extra layer of authenticated encryption for media.
The whole media frame is encrypted before being split into individual SRTP payloads, so the Webex media servers relay payloads they cannot decrypt. SFrame uses MLS to provide the encryption keys that each meeting participant needs to decrypt media.
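To make the two notes above concrete, here is an added sketch of why the meeting key, its identifier and the security code all change on every join or leave. It follows the shape of the MLS key schedule (a fresh commit secret per membership change, mixed into the previous epoch secret with HKDF, with per-epoch keys derived under labels) but it is not MLS and not Webex code: real MLS distributes the commit secret to members with TreeKEM so the server never sees it, and that distribution step is left out here. Identities, "public keys" and commit secrets are constructed placeholders.

```python
"""Why the meeting key and security code roll on every join/leave: a key-schedule
sketch in the style of MLS (RFC 9420). Added illustration only, not MLS and not
Webex code; the commit-secret distribution (TreeKEM) is omitted and the secret
is simply passed in. Identities and keys are constructed placeholders."""
import hashlib
import hmac
from dataclasses import dataclass


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, label: str, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with the label as the info string."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + label.encode() + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


@dataclass(frozen=True)
class KeyPackage:
    """Identity info plus public key; in MLS the credential is the participant's certificate."""
    identity: str
    public_key: bytes


def make_key_package(identity: str) -> KeyPackage:
    """Placeholder: a real key package carries an HPKE public key and a signed credential."""
    return KeyPackage(identity, hashlib.sha256(("pk:" + identity).encode()).digest())


@dataclass
class Group:
    members: list
    epoch: int = 0
    epoch_secret: bytes = b"\x00" * 32      # constructed init secret for epoch 0

    def tree_hash(self) -> bytes:
        """Commits the current membership and credentials to a single value."""
        h = hashlib.sha256()
        for kp in sorted(self.members, key=lambda k: k.identity):
            h.update(kp.identity.encode())
            h.update(kp.public_key)
        return h.digest()

    def commit(self, commit_secret: bytes, add: KeyPackage = None, remove: str = None):
        """Every join or leave is a commit that starts a new epoch."""
        if add:
            self.members.append(add)
        if remove:
            self.members = [m for m in self.members if m.identity != remove]
        self.epoch += 1
        # The next epoch secret binds the previous secret, the fresh commit secret,
        # the new membership (tree hash) and the epoch number.
        ikm = commit_secret + self.tree_hash() + self.epoch.to_bytes(8, "big")
        self.epoch_secret = hkdf_extract(self.epoch_secret, ikm)

    def media_key(self) -> bytes:
        return hkdf_expand(self.epoch_secret, "media key")

    def key_id(self) -> str:
        """Identifier for the current version of the meeting encryption key."""
        return hkdf_expand(self.epoch_secret, "key id", 4).hex()

    def security_code(self) -> str:
        """Short code participants compare out of band; derived per epoch, so it changes on each join/leave."""
        n = int.from_bytes(hkdf_expand(self.epoch_secret, "security code", 8), "big")
        return f"{n % 10**8:08d}"


def lab_scenario():
    """Charles hosts; Anita joins; Kellie joins; Kellie leaves. One snapshot per epoch."""
    g = Group([make_key_package("cholland")])
    snaps = [(g.epoch, g.key_id(), g.security_code(), g.media_key())]
    # Commit secrets are fixed constants here so the run is reproducible.
    g.commit(b"commit-1".ljust(32, b"\x01"), add=make_key_package("aperez"))
    snaps.append((g.epoch, g.key_id(), g.security_code(), g.media_key()))
    g.commit(b"commit-2".ljust(32, b"\x02"), add=make_key_package("kmelby"))
    snaps.append((g.epoch, g.key_id(), g.security_code(), g.media_key()))
    g.commit(b"commit-3".ljust(32, b"\x03"), remove="kmelby")
    snaps.append((g.epoch, g.key_id(), g.security_code(), g.media_key()))
    return g, snaps


if __name__ == "__main__":
    _, snaps = lab_scenario()
    for epoch, kid, code, key in snaps:
        print(f"epoch {epoch}: key id {kid}  security code {code}  media key {key.hex()[:16]}...")
```

Note the last epoch: after Kellie leaves, the membership (and therefore the tree hash) is identical to epoch 1, yet the media key is different, because the schedule chains on the previous epoch secret and a fresh commit secret. A participant who left cannot continue decrypting, and the key never "rolls back" to a value they once held.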
Features in an End-to-End Encrypted Meeting
In this section, you will learn some features that are made available in an End-to-End Encrypted (E2EE) meeting.
-
Record the Meeting: Navigate to WKST1 and open the meeting that is still in progress. Click the record button. The only option that is made available is 'Save to my computer'. There is no cloud recording option available because Webex does not have access to the media encryption keys needed to decrypt the media:
Note the message that displays when you hover over the Record button, indicating that AI summaries are only available for cloud-based recordings. Since the only option here is to record to the local computer, AI meeting summaries won't be available. This is an important point to remember about end-to-end encrypted meetings.
-
Connect to a Video System: In an E2EE meeting, Cisco video devices (RoomOS) can seamlessly join a meeting. In this lab, there are no video endpoints available for testing. However, you should know that Cisco video devices (RoomOS) can join an E2EE meeting. Refer to the screenshots below showing a video device joining a meeting and the identity certificate issued to the device.
-
Audio Options: Click the arrow next to the Unmute button to review the audio options. Zero Trust E2EE meetings do not give Webex access to meeting encryption keys, so cloud services and endpoints that would need to decrypt meeting content cannot participate in E2EE meetings, e.g., PSTN and SIP endpoints. The only audio option available is therefore a computer running the Webex App.
-
Webex Smart Audio: Webex Smart Audio and noise removal is available in an E2EE meeting because the processing for this feature is handled locally on the device.
-
Gestures and Reactions: Gestures and reactions are available in an E2EE meeting.
-
Raise hand is available in an E2EE Meeting from both the Webex app and the video endpoint.
-
On WKST1, navigate to the desktop, there is PowerPoint presentation called presentation.pptx, launch the presentation.
-
Return to the Webex App and click Share, select Show me in Front of Presentation, select Microsoft PowerPoint from the options and click Share. Once you are done, click Stop Sharing.
-
Click on the ellipsis icon "..." next to Reactions and explore other features available in an end-to-end encrypted meeting, such as Whiteboards and Enable Sign Language Interpretation, and designate Anita as the interpreter.
-
Finally, end the meeting for all.
Audio and Visual Watermarking and Watermark Analysis
In this section, you will learn how watermarking can help with data leak protection. Audio and visual watermarking can help identify the source of unauthorized recordings, screenshots, or other captures of confidential meetings.
Audio Watermark
The audio watermark feature can't identify the person responsible for recording the meeting, but it can help identify the source client or device that was recorded.
Feature details:
- Add a unique identifier (indiscernible, hidden watermark) for each client or device in a watermarked meeting.
- Available with all Meetings.
- Admin can control availability of the audio watermarking feature for their organization.
- Admin can upload media files for watermark analysis via Control Hub to identify the source client or device that was recorded.
- Admin can get details of the meeting from identified watermarks, such as meeting number, host name, etc.
- Admin can only analyze watermarks for meetings hosted in their organization.
- Watermark information is retained for the same duration as the organization's meeting information.
Visual Watermark
- Visual watermarks superimpose a watermark image over the meeting video and shared content. Each meeting participant sees a watermark image with their own email address. If a meeting participant isn't signed in to Webex, the watermark includes their display name and email address. Users can adjust the watermark opacity, so the pattern is visible but doesn't cause too much distraction.
- Local recordings are disabled when audio watermarks are turned on.
Let's look at enabling and testing these features. The Control Hub toggles for these features were already enabled at the beginning of the module.
Step 1: Audio Watermarking
-
If not already logged in, log in to WKST1 as dCloud\cholland and dCloud123! Launch the Webex App and go to Meetings. Click on Schedule a Meeting and invite Anita and Kelly to the meeting. Ensure that the meeting link is set to "Generate a one-time meeting link"
-
Click Advanced Settings. Select the Security tab at the top and tick 'Add watermarks to meeting audio'.
-
Pay close attention to the capabilities available with watermarking.
Click on the arrow next to Advanced Settings on the top of the window to return to basic settings.
-
Click Schedule. There is no need to start the meeting, as you will use a shared org to test watermark analysis.
For the purpose of this lab, and because it is impractical for multiple participants to record audio simultaneously to test this feature, the part below is for review only. Please ask a proctor for an audio file to test with the shared org in Step 2 below.
There are many factors involved in successfully decoding a recorded watermark. These include distance between the recording device and the speaker outputting the audio, audio volume, environmental noise, etc.
Webex watermarking has additional resiliency to being encoded multiple times as might happen when the media is shared. The goal of the feature is to enable a successful decode of the watermark identifier in a broad but reasonable set of circumstances. The goal is that a recording device, such as a mobile phone, laying on a desk near a personal endpoint or laptop client will create a recording that yields a successful analysis. As the recording device is moved away from the source or obscured from hearing the full audio spectrum it will degrade the chances of a successful analysis. In summary, the recording device needs a reasonable capture of the meeting audio. If a user captures the audio on the computer that is hosting the client, then no limitations should apply.
Once about 90 seconds have elapsed, end the meeting and stop the recording.
Step 2: Watermark Analysis:
Next, you will analyze if the watermarks are present in the recording.
-
Please reach out to one of the proctors for an audio file for analysis.
-
If not already logged in, log in to WKST1 and open an incognito instance of Chrome.
-
If you haven't received the file, please do not proceed to step 4.
Navigate to admin.webex.com and log in with cholland@cb460.dc-01.com and password dCloud8088! (please note this is a shared instance that will be used by other attendees; kindly do not make any changes).
In Control Hub, navigate to Troubleshooting listed in the sidebar.
Select the Watermark Analysis tab and select Analyze File.
The Analyze audio watermark popup allows you to provide a name e.g., Pod1watermark for the analysis and some additional notes to help associate this request to any internal investigation case or point of contact. The file requirements are listed on the dialog and as of this writing we are guiding to a minimum supported length of 90 seconds.
-
The following audio file formats are supported: .wav, .aac, .mp3, .mp4, .avi or .mov. Upload the recorded meeting .mp4 file to the analysis tool and provide an Analysis name and note for reference:
-
The dialog will guide you through the process. Once the upload has completed, click Close. The analysis time depends on the size of the file; after a short delay, you should see that the analysis is complete.
Note that since other lab attendees are also uploading files you may see multiple instances of watermark analysis in the list.
-
Now, if the meeting recording was leaked, or if someone recorded the meeting with a phone or another device, an administrator could use this feature to determine which user's device or location was the source during the meeting. When you click the analyzed file, you will see the watermark source (the client or device) from which this mp4/mp3 file originated.
When Audio Watermarking is enabled, the meeting audio includes a unique identifier for each participant. An administrator can upload audio recordings to Control Hub where an analysis is performed, and these watermarks can be detected.
- To be analyzed, the recording must be an AAC, MP3, M4A, WAV, MP4, AVI, or MOV file no larger than 500MB.
- The recording must be longer than 90 seconds.
- You can only analyze recordings for meetings hosted by users in your organization.
- Analyzed recordings are deleted as soon as the analysis is complete.
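Before handing a file to the Watermark Analysis tool it is worth checking it against the limits listed above, since a rejected upload costs a round trip and an undersized clip returns no result. The Python script below is an added example written for this lab guide, not Cisco code. It applies the stated format, 500 MB and 90-second limits, and computes the duration of WAV files by parsing the RIFF chunk list itself; compressed containers are left for the operator to confirm, which is a choice of the example rather than a Webex rule. The WAV it checks is generated in memory as constructed input.

```python
"""Pre-flight check for a recording before it goes to the Control Hub Watermark Analysis
tool. Added example for this lab guide, not Cisco code. It encodes only the limits the
lab text states (accepted containers, no larger than 500 MB, longer than 90 seconds).
Duration is computed for PCM WAV files by walking the RIFF chunk list; for compressed
formats it is left unverified (a choice of this example, not a Webex rule) and the
caller is told to confirm it separately."""
import io
import os
import struct
import wave

ALLOWED_EXTENSIONS = {".aac", ".mp3", ".m4a", ".wav", ".mp4", ".avi", ".mov"}
MAX_BYTES = 500 * 1024 * 1024   # "no larger than 500MB"
MIN_SECONDS = 90                # "must be longer than 90 seconds"


def wav_duration_seconds(data):
    """Duration = data chunk bytes / byte rate from the fmt chunk. Chunks are walked in
    order, so LIST/INFO chunks before 'data' and odd-length padding are handled."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    byte_rate = data_size = None
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        chunk_size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        if chunk_id == b"fmt ":
            body = data[pos + 8:pos + 24]
            if len(body) < 16:
                raise ValueError("truncated fmt chunk")
            # wFormatTag, nChannels, nSamplesPerSec, nAvgBytesPerSec, nBlockAlign, wBitsPerSample
            byte_rate = struct.unpack("<HHIIHH", body)[3]
        elif chunk_id == b"data":
            data_size = min(chunk_size, len(data) - pos - 8)   # clamp if the file was cut short
        pos += 8 + chunk_size + (chunk_size & 1)                 # chunks are word aligned
    if not byte_rate or data_size is None:
        raise ValueError("fmt or data chunk missing")
    return data_size / byte_rate


def check_recording(filename, size_bytes, duration_seconds):
    """Pure policy check; returns (ok, problems)."""
    problems = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"{ext or '(no extension)'} is not an accepted format")
    if size_bytes > MAX_BYTES:
        problems.append(f"{size_bytes} bytes exceeds the {MAX_BYTES} byte limit")
    if duration_seconds is None:
        problems.append("duration unknown for this format; confirm it exceeds 90 s before uploading")
    elif duration_seconds <= MIN_SECONDS:
        problems.append(f"{duration_seconds:.1f} s is not longer than {MIN_SECONDS} s")
    return (not problems), problems


def inspect_file(filename, data):
    """Derive size (and duration, WAV only) from the bytes, then apply the policy."""
    duration = wav_duration_seconds(data) if filename.lower().endswith(".wav") else None
    return check_recording(filename, len(data), duration)


def make_test_wav(seconds, rate=8000):
    """Constructed input: silent 16-bit mono PCM of the requested length."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"\x00\x00" * int(seconds * rate))
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("pod1.wav", make_test_wav(95)), ("short.wav", make_test_wav(30)), ("notes.txt", b"hi")):
        ok, problems = inspect_file(name, blob)
        print(name, "OK" if ok else "REJECT: " + "; ".join(problems))
```

Run it as-is to see one accepted and two rejected files; to check a real recording, read the file and pass its bytes to inspect_file. The RIFF walker reads the byte rate from the fmt chunk rather than assuming 16-bit PCM, so WAVE_FORMAT_EXTENSIBLE files with a longer fmt chunk are also measured correctly.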
-
Logout of the test control hub and use the login credentials provided in your eXpo dCloud Session for the subsequent sections.
Step 3: Visual Watermarking
-
If not already logged in, log in to WKST1 as dCloud\cholland and dCloud123! (if you didn't complete module 1, the password will be dCloudZZZZ!).
-
If required, launch the Webex App and go to Meetings. Click on Schedule a Meeting and invite Anita and Kelly to the meeting. Ensure that the meeting link is set to "Generate a one-time meeting link"
-
Click on Advanced Settings. Select the Security tab on top and select the option for "Add Visual watermarks to participant videos and shared content".
-
There is a slider to adjust the watermark's opacity level with a preview of what the watermark will look like. This gives you control over how visible the watermark will be during a meeting. Lower opacity means less distraction for meeting participants, while higher opacity shows a much clearer watermark. Set the opacity level to higher than 50%.
-
Click on the arrow next to Advanced Settings on the top of the window to return to basic settings.
-
Click on Schedule and click on Start meeting.
-
Click OK in the Microphone Not Available prompt. Click 'Start meeting' to launch the meeting.
Log in to WKST2 as Anita and WKST3 as Kelly and join the meeting.
Navigate to WKST1 and explore the recording capabilities. Only cloud recording is available when visual watermarks are enabled; local recording is always disabled for a visually watermarked meeting. Once enabled for a meeting during scheduling, the visual watermark cannot be turned off; to hold a meeting without visual watermarking, a new meeting must be scheduled. A user on an older client version that does not support visual watermarking will not be allowed to join a meeting where it is required.
On WKST1, share the document presentation.pptx, then navigate to WKST2 and confirm that the watermark is present on the shared content. This provides traceability of a data loss back to the participant whose view was captured or screenshotted.
End the meeting for all.
Deepfake Detection with GetReal Security and Webex
Cisco has partnered with GetReal Security to integrate advanced deepfake detection capabilities directly into the Webex platform, addressing the growing security threat of AI-generated synthetic media in enterprise communications.
Cisco Webex has integrated GetReal Security's AI-powered authentication technology to provide real-time verification of meeting participants, protecting organizations from sophisticated impersonation attacks and synthetic media manipulation. This integration is part of Webex's comprehensive Zero Trust security architecture, which includes end-to-end encryption, identity verification, and content protection.
In this module you will use GetReal Security with Webex for deepfake detection. Integrating this protection into your Cisco Webex environment enhances the security of your meetings by detecting impersonation attacks and notifying you of them in real time.
Step 1: Logging into Webex App.
- In this module we will log into the Webex App on the physical PC and not on any of the virtual workstations.
- When you are ready to begin this module, reach out to your lab proctor for the specific accounts that you will use just for this section.
- Stop, confirm that you are logging into the host system and not on a dCloud workstation.
-
Start a Webex meeting. Log into the Webex App from the host PC with the credentials provided by the proctor, click the Meetings tab, click "Start a Webex Meeting", and then click Start meeting.
-
Go to the Apps Panel and search for GetReal Trust Advisor.
-
Click on Open.
Step 2: Logging into GetReal Labs and inviting participants.
-
Once you click on Open for GetReal Trust Advisor, you will be prompted to sign in.
-
Sign in with the credentials that were provided to you by the proctor during the beginning of this module.
-
Once signed in, the next screen will be "Add GetReal Trust Advisor to the Call". Click it to add the Trust Advisor to the call.
-
If you see any popups from GetReal Trust Advisor asking for permissions, click Accept.
If you don't see the option "Add GetReal Trust Advisor to the Call", click the refresh icon at the top of the app window.
-
This process does take a couple of minutes; once it is ready you will get a notification in the meeting window to "Let In" the Trust Advisor.
-
At this point you should have two participants on the call, the person you are logged in with and the GetReal Trust Advisor.
-
Invite a few participants like Charles Holland cholland@cbXXX.dc-YY.com and Anita Perez aperez@cbXXX.dc-YY.com and let them into the meeting.
-
Finally, you'll need to add one of the lab proctors to your meeting. Feel free to raise your hand and we will come assist.
Step 3: Monitoring and detection of participants.
-
At this point, besides yourself (logged in on the local PC), you should have the two participants from your remote workstations, GetReal Trust Advisor, and one of the lab proctors on the meeting bridge.
-
GetReal should automatically start monitoring the participants. If it doesn't, for each participant on the call click the ellipsis symbol "..." and then click Start monitoring.
-
In a minute or two, real participants will have a green check next to their name, and for participants where GetReal has detected impersonation you will see "Impersonation Detected".
-
Click on the red "X" on the webex meeting window from your source workstation to end the meeting for all.
-
Since this is a shared account, please do not change the password or make changes to the account you logged into on the source workstation.
Step 4: Preview the violations on GetReal Portal.
- We have now created a test case in which GetReal Trust Advisor flags a participant as an impersonator.
-
Let's have a quick look into how those violations are captured on GetReal portal.
-
On your local PC or any of the lab workstations, open an incognito instance of the Chrome browser and browse to https://app.getreallabs.com/, then click "Continue with Webex".
-
Login with kmelby@cb311.dc-01.com and password dCloud0831!
-
On the left-hand side you will see an option for identity violations; select "Identity Violations" and in the period option select 180 days.
-
Your violation should be at the top of the list; before going there, review the one with id "GR-1". It has detected not only a face swap but also a match to a known threat actor (a fake IT worker). Expand both findings by clicking "Full Details" to learn more about the violation. GR-1 also includes a video recording of the interaction; move the timestamp to 9-10 minutes into the conversation to see the point at which the user is identified as a known threat actor.
-
Perform the same analysis for your recent violation.
- Once completed, log out of the GetReal portal and ensure you are signed out of the Webex App on your local PC.
- Since this is a shared account, please do not make any changes on this account.
Provision users and configure Zero Trust End-to-End Encrypted Calling
Note: Before proceeding, please be sure to sign out of any Webex Apps on the lab PC and any of the remote workstations.
First, it is important to understand how the implementation of zero trust E2EE calling works. As with zero trust E2EE meetings, calling data can only be accessed by authorized parties. The calling media encryption key is derived by the calling party and propagated to the called party via MLS key package. As such, encrypted call media cannot be decrypted by Webex cloud services, because Webex DOES NOT have access to the media encryption key - Zero Trust.
Unlike the zero trust E2EE meetings, zero trust E2EE calling will downgrade to standard encryption (where Webex services have access to the media encryption key) if one of the called party's devices does not support zero trust E2EE (non-SIP, PSTN calls). Downgrades from zero trust E2EE to standard encryption will also occur when Webex services are enabled that require access to the media encryption keys - for example, when the call is recorded or when closed captioning is enabled on the call. In the same way that a call can downgrade to standard encryption, calls can also upgrade to zero trust E2EE in real-time after Webex services are removed.
To begin, you will need to enable the zero trust end-to-end encryption feature. Then you'll provision two Webex org users for Webex Calling, including assigning licenses and phone numbers.
-
Turn on zero trust E2EE calling
Return to WKST1 and, using the Chrome browser, navigate (if required) to Webex Control Hub (https://admin.webex.com). If login is required, log in with: cholland@cbXXX.dc-YY.com // dCloud123! (or if you did not enable SSO in Module 1, use the default password: dCloudZZZZ!). The zero trust E2EE calling feature needs to be turned on explicitly for the organization.
a. Click Calling (under Services in the left-hand navigation menu)
b. Select Settings and then, click the Webex App. Scroll down to the 'Security' section.
c. Enable zero trust E2EE calling by toggling on 'Enable end-to-end encryption when making calls'.
Tip
Today, zero trust E2EE calling is only supported with Webex Calling SIP lines (NOT 'Call on Webex') - this is why a number is configured here to enable SIP line calling.
-
Provision users for Webex Calling
a. Select Users from the navigation window to load the Users page and then select user Charles Holland
b. Scroll down to the licensing section and click 'Edit licenses'
c. On the subsequent screen, click 'Edit licenses' again. Next, click the 'Calling' selection and tick the box next to Webex Calling. Ensure that the Professional box is also ticked.
d. Click Save.
e. On the next screen, select the location CL EMEA from the 'Location' dropdown. This will assign the user to this location.
f. Next, select the 'Phone Number' dropdown and select one of the available numbers - for example, '+31 20 555 4191'. Then, configure the extension with the last 4-digits of the phone number - for example '4191'. (Note: These are just examples. The phone numbers and extensions available in your pod will be different).
g. Click Save to assign the Webex Calling license and phone number to the user. The user now has a SIP line and phone number. Click Close.
h. Click the Calling tab to review the directory number and confirm it was properly allocated.
i. Repeat the process above to assign a Webex Calling license and phone number to user Anita Perez. In this case, use the other available phone number (for example, +31 20 555 4192 / extension 4192). (Note: The available phone number in your pod will be different).
-
Enable call recording for a user.
Enable call recording for one of the users just licensed for Webex Calling and provisioned for phone number.
a. Navigate back to user Charles Holland (or Anita Perez) and click the Calling tab.
b. Scroll down to the 'User calling experience' section and set Call recording to 'On'.
c. Then, toggle on Record incoming and outgoing calls... and tick On Demand. This ensures the user can start/stop call recording.
d. Finally, tick both 'Play recording start/stop announcement for...' boxes.
e. The rest of the settings can be left at default. Click Save.
Zero Trust End-to-End Encrypted Calling
Now that two users have been provisioned for Webex Calling and SIP lines, it is time to confirm that zero trust end-to-end encrypted (E2EE) is operating for Webex calls.
-
Make a Zero Trust E2EE Webex Call
a. On the local lab PC, log back into the Webex App with Charles Holland's account (cholland@cbXXX.dc-YY.com // dCloud123! - if you did not complete SSO in Module 1, then the password is dCloudZZZZ!).
b. On the remote PC Workstation 2 (WKST2), log back into the Webex App with Anita Perez's account (aperez@cbXXX.dc-YY.com // dCloud123! - if you did not complete SSO in Module 1, then the password is dCloudZZZZ!).
Once the users are logged into the Webex App, make a call between the two users.
c. Using Charles Holland's Webex App on the local PC, click the Calling tab (1) and search for 'Anita Perez' (2). Right-click the phone icon (3) and select Audio Call (4) > Work (e.g., +31 20 555 4192) (5) to place the call via the user's SIP line. Note: Do not select 'Call on Webex'.
d. On the remote WKST2, answer the incoming call from Charles in Anita Perez's Webex App.
e. Once the call is connected, observe the blue shield call info icon in the upper left-hand side of the call window. Observe as this icon transitions to a blue shield with a lock. (Note: It may take a few seconds for this transition). The message "End-to-end encryption is active" will also be displayed.
f. Click the blue shield call info icon and review the security information. Note that the call audio (and any screen/application share) is 'Zero Trust end-to-end encrypted'. It's worth noting that chat and whiteboards if present are just standard Webex end-to-end encryption (and not zero trust E2EE).
-
Downgrade call security from zero trust E2EE to standard encryption.
a. As the call continues, on the local PC Webex App (Charles) click the record icon on the menu bar and then the Record button to start recording.
b. Observe that the call media is immediately downgraded to standard encryption. The blue shield with a lock call info icon reverts to the blue shield icon and a message appears indicating call has been moved to standard encryption ('Standard encryption is active').
c. Again, click the blue shield icon to see security details for the call and note that call audio media (and screen/application sharing) is now downgraded to standard encryption.
-
Upgrade call security from standard encryption back to zero trust E2EE.
a. Return to Charles's Webex App on the local PC, click the recording button, and then click Stop. Note that the call immediately upgrades back to zero trust E2EE: the blue shield icon reverts to the shield with lock, and the 'End-to-end encryption is active' message is again displayed.
b. Click the 'X' button to hang up the zero trust E2EE Webex call.
This concludes Module 2
*** END of MODULE 2 ***
Continue with either Module 1 or Module 3:
Module 3: Webex Compliance with Webex and Theta Lake
In this module, you will examine Webex compliance features and capabilities for meetings and calling including eDiscovery and Archiving on an external compliance platform. You will also explore eDiscovery
There are 3 sections in this module:
i. Webex Compliance and Preparing for Compliance Platform Integration
ii. Explore eDiscovery for Webex Meetings in Theta Lake
iii. Explore eDiscovery for Webex Calling in Theta Lake
Compliance integrations are critical for protecting an organization's private data from leakage and ensuring that it complies with appropriate rules and laws related to maintaining business and communication records.
Webex supports both built-in compliance capabilities as well as API-based 3rd party integrations. Specifically:
- Webex provides a set of basic built-in compliance capabilities for data loss prevention (DLP), eDiscovery/Legal Hold, and data retention (archive).
- Webex also integrates with 3rd party DLP, eDiscovery/Legal Hold, and Archiving applications and services for advanced compliance capabilities including automatic remediation.
- Integrations with compliance services rely on the Webex Events API to deliver message and meeting data to compliance services.
In this module you will examine the following product-specific capabilities:
-
Webex built-in compliance capabilities including:
- Archiving with flexible data retention.
- External communication controls, and calling and meeting specific collaboration restrictions.
-
Other compliance products:
- Theta Lake -- Archiving, eDiscovery
The figure below summarizes the Webex Events API method for compliance platform integration as well as the various platforms explored in this lab and their high-level capabilities. The Webex Events API provides a polling mechanism for compliance platforms to pull user-generated data from Webex for archiving, eDiscovery, and data loss prevention (DLP). In the case of DLP, the compliance platform uses additional Webex APIs to remediate policy violations.
Webex Events API for Compliance Platform Integration
Webex Events APIs as well as remediation APIs require administrators to have the Compliance Officer role to enable and authorize these operations.
For more information on Webex compliance with Webex APIs, refer to the Webex for Developers documentation, including:
- Compliance and Events: https://developer.webex.com/compliance/docs/compliance
- Webex Events API: https://developer.webex.com/admin/docs/api/v1/events
- Webex Messages API: https://developer.webex.com/messaging/docs/api/v1/messages
- Webex Meetings API: https://developer.webex.com/docs/api/v1/meetings
- Webex Calling API: https://developer.webex.com/calling/docs/webex-calling-overview
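The polling model described above is easy to get wrong in two places: forgetting to follow the Link header to the next page, and treating a 429 throttle as a failure. The Python client below is an added example written for this lab guide, not Cisco's own code. It assumes a bearer token belonging to a user with the Compliance Officer role, that pages are chained with a Link header tagged rel="next" as Webex APIs do, and that throttling is signalled with HTTP 429 and a Retry-After header; the sample responses, event ids and addresses it runs against are constructed so it runs offline.

```python
"""Polling client for the Webex Events API (GET /v1/events). Added example for this
lab guide, not Cisco code. Assumed: the bearer token belongs to a Compliance Officer
(the page says the API requires that role); pages chain via a Link header with
rel="next"; throttling is HTTP 429 with Retry-After. The transport is injectable so
this runs offline on constructed responses; pass transport=http_get for the real API."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone

EVENTS_URL = "https://webexapis.com/v1/events"

def header(headers, name):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def parse_next_link(link_header):
    """Return the URL tagged rel="next" in an RFC 8288 Link header, else None."""
    for part in (link_header or "").split(","):
        segments = [s.strip() for s in part.split(";")]
        if not segments[0].startswith("<"):
            continue
        params = {k.strip().lower(): v.strip().strip('"')
                  for k, _, v in (seg.partition("=") for seg in segments[1:])}
        if params.get("rel") == "next":
            return segments[0].strip("<>")
    return None

def http_get(url, headers):
    """Real transport: (status, headers, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as r:
            return r.status, dict(r.headers), r.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def webex_timestamp(dt):
    """UTC ISO 8601 with milliseconds and a Z suffix, the form the API uses."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"

def poll_events(token, resource, since, page_size=100, transport=http_get, max_retries=5):
    """Yield every `resource` event created from `since` onward, following all pages."""
    query = urllib.parse.urlencode({"resource": resource, "from": webex_timestamp(since), "max": page_size})
    url, auth, retries = f"{EVENTS_URL}?{query}", {"Authorization": "Bearer " + token, "Accept": "application/json"}, 0
    while url:
        status, hdrs, body = transport(url, auth)
        if status == 429 and retries < max_retries:       # throttled: wait, then retry the same page
            retries += 1
            time.sleep(float(header(hdrs, "Retry-After") or 1))
            continue
        if status != 200:
            raise RuntimeError(f"events API returned HTTP {status}: {body[:200]!r}")
        retries = 0
        yield from json.loads(body).get("items", [])
        url = parse_next_link(header(hdrs, "Link"))       # None on the last page

class Checkpoint:
    """Resume point for the next poll; windows overlap, so events are de-duplicated by id."""
    def __init__(self, start):
        self.since, self.seen = start, set()

    def ingest(self, events):
        fresh = []
        for ev in events:
            if ev["id"] not in self.seen:
                self.seen.add(ev["id"])
                fresh.append(ev)
                created = datetime.strptime(ev["created"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
                self.since = max(self.since, created)
        return fresh

def sample_event(eid, etype, created, **data):
    """Constructed item shaped like an Events API record (not real data)."""
    return {"id": eid, "resource": "messages", "type": etype, "actorId": "person-1",
            "orgId": "org-1", "created": created, "data": data}

PAGE_1 = [sample_event("evt-1", "created", "2024-05-01T10:00:00.000Z", roomId="room-1", text="draft contract attached"),
          sample_event("evt-2", "created", "2024-05-01T10:05:00.000Z", roomId="room-1", text="received, reviewing")]
PAGE_2 = [sample_event("evt-3", "deleted", "2024-05-01T10:09:00.000Z", roomId="room-1")]

class ConstructedTransport:
    """Offline stand-in for http_get: throttles the first call, then serves two linked pages."""
    def __init__(self):
        self.calls = 0

    def __call__(self, url, headers):
        self.calls += 1
        assert headers["Authorization"].startswith("Bearer ")
        if self.calls == 1:
            return 429, {"Retry-After": "0"}, b""
        if "cursor=page2" in url:
            return 200, {}, json.dumps({"items": PAGE_2}).encode()
        return 200, {"Link": f'<{EVENTS_URL}?cursor=page2>; rel="next"'}, json.dumps({"items": PAGE_1}).encode()

def demo():
    """Two polls from one checkpoint: three events the first time, nothing new the second."""
    cp, transport = Checkpoint(datetime(2024, 5, 1, tzinfo=timezone.utc)), ConstructedTransport()
    first = cp.ingest(poll_events("TOKEN", "messages", cp.since, transport=transport))
    second = cp.ingest(poll_events("TOKEN", "messages", cp.since, transport=transport))
    return first, second, cp
```

Calling demo() runs the two polls offline. For a real org, pass a compliance officer's token and transport=http_get, and persist Checkpoint.since plus a bounded window of recent ids between runs; a poller that only stores the timestamp will re-ingest the events created in the last millisecond of the previous window.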
This lab guide contains coverage for external compliance platform Theta Lake.
Table 2: Compliance Platform Options, Capabilities, and Applicable sections of this Module
| Compliance Platform | Capabilities Explored | Module Sections |
|---|---|---|
| Webex (built-in) | Data retention; External communications; Collaboration restrictions | Webex Compliance and Preparing for Compliance Platform Integration |
| Theta Lake | eDiscovery & Legal Hold; Archival | Explore eDiscovery for Webex Meetings in Theta Lake; Explore eDiscovery for Webex Calling in Theta Lake |
Webex Compliance and Preparing for Compliance Platform Integration
-
Enable the compliance officer role for user Anita Perez.
To integrate compliance platforms with Webex, a full administrator with Compliance Officer privileges is required. This role gives the user permissions for DLP integrations, eDiscovery/Legal Hold, and retention and archival integrations. In this step you are assigning the organization Compliance Officer role to Anita Perez.
Any full administrator can assign the compliance officer role to any person within their organization. However, full administrators cannot assign the Compliance Officer role to themselves, another full administrator must assign the role to them.
To begin, connect to WKST1. Login will be as Charles Holland (dcloud\cholland // dCloud123!).
a. Open the Chrome browser on WKST1 (wkst1.dcloud.cisco.com) and navigate to Webex Control Hub at https://admin.webex.com.
b. Login as full administrator, Charles Holland by entering: cholland@cbXXX.dc-YY.com (refer to the eXpo dCloud Session View Info page to find your DNS domain). Click Sign In.
c. Enter password: dCloud123! (if you did not complete Module 1 and enable SSO, then the password will be dCloudZZZZ!)
d. Once logged in, navigate to Users and select Anita Perez.
e. Scroll down and click Administrator roles.
f. Promote Anita Perez to Compliance Officer for the organization by ticking the box next to 'Compliance officer'. Click Save.
-
Review retention settings for Webex Messaging, Meetings, and Calling.
One of the first compliance considerations is data retention. How long should data be retained before it is deleted? It's important for the compliance officer to understand the retention policies of the organization and to configure Webex to match these policies.
Before proceeding, move to WKST2 (wkst2.dcloud.cisco.com). If not already connected, connect to WKST2. Login will be as Anita Perez (dcloud\aperez // dCloud123!).
a. Open the Chrome browser on WKST2 (wkst2.dcloud.cisco.com) and navigate to Control Hub at https://admin.webex.com.
b. Login to Control Hub as the compliance officer, Anita Perez by entering: aperez@cbXXX.dc-YY.com Click Sign In.
c. Enter password: dCloud123! (non-SSO password is dCloudZZZZ!)
d. Once logged in, navigate to Organization Settings. In the search window at the top of the page, enter 'Retention' to locate the retention settings. Notice there are separate retention policies for Webex Messaging (messages, files), Webex Meetings (recordings, transcripts, chats, Q&A, whiteboards, polls, etc.), and Webex Calling (recordings).
e. Click Settings under Webex App Messaging Retention Policy to review current messaging retention settings.
By default, the retention period is set to 360 days. Notice that separate retention periods can be set for 1:1 chat and group chat.
For the purposes of this lab, there is no reason to change the message retention policy, so click Cancel to close the Webex Space retention policy window.
f. Click Settings under Webex Meetings Retention Policy to review current meeting retention settings.
By default, the retention period is set to 360 days. Note that recording retention can be set to purge in 30 days, but by default the recordings follow the meetings retention policy. For the purposes of this lab, there is no reason to change the meeting retention policy, so just click Cancel to close the Webex Meetings Retention Policy window.
g. Click Settings under Webex Calling Retention Policy to review current calling retention settings.
By default, the retention period for call recordings is set to 360 days. Notice that deleted recordings can be set to match the recording retention period, but by default deleted recordings are set to purge immediately. Note that call detail record (CDR) retention is non-configurable. Again, for the purposes of this lab, there is no reason to change the calling retention policy, so just click Cancel to close the Webex Calling Retention Policy window.
Note: Keep in mind that retention policies in Control Hub apply to data retention for data archived or stored on the Webex platform. When relying on a 3rd party archival system (e.g., Theta Lake), the retention setting of that platform will determine how long organization data is retained. Always ensure that the retention period configured in Control Hub and/or the 3rd party platform matches your organization's retention policy for data.
-
Review Webex Meeting controls and restrictions.
On Control Hub navigate to Meeting, click Settings, and review the data and communication restriction controls available for meetings.
The internal and external meeting configuration options allow you to control which external users can join your organization's meetings (Internal Webex meetings) and which external organization's meetings (External Webex meeting sites) your users can join. This type of restriction control allows an organization to mitigate potential data loss by disallowing certain attendees and/or meeting sites and may sufficiently address organizational requirements regarding data loss.
By default, external users are allowed to attend your organization's meetings, and your users can attend external meeting sites. For the purposes of this lab, you can leave the default values (e.g., no restrictions).
In addition to controlling which users can join meetings and which meetings users are allowed to join, you can also restrict specific meeting features for both internal and external meetings.
Scroll down and review the various meeting capabilities that can be disabled for internal or external meetings. For example, you could disable in-meeting tools like polling, Q&A, chat, and recording. This type of meeting data restriction control allows an organization to mitigate and reduce potential data loss by disallowing certain channels of communication (e.g., Q&A, chat, polling, etc.).
For the purposes of this lab, please leave the default values (e.g., no restrictions).
-
Review Webex Calling controls and restrictions
On Control Hub navigate to Calling, click Settings, then select Webex App, and scroll down to 'In-call feature access'. Review the available in-call features that can be disabled.
An administrator can eliminate potential data leakage vectors by disabling features. For example, an administrator could prevent users from sharing content during a call (toggle off Screen Sharing) or sharing video on the call (toggle off Video on desktop/Video on mobile). Likewise, the administrator can prevent escalation of a call to a meeting (toggle off Move call to meetings on desktop app). These restrictions may sufficiently address organizational requirements regarding calling data loss.
Note that by default, there are no restrictions for in-call features. For the purposes of this lab, please leave the default values (e.g., no restrictions).
Now that you've enabled the Compliance Officer role for user Anita Perez and reviewed Webex's built-in data retention and restrictions capabilities, it's time to move on and explore Webex integration to an external compliance platform.
Explore eDiscovery for Webex Meetings in Theta Lake
eDiscovery is the mechanism for searching through and retrieving data from the retained user-generated data archive of an organization. This ensures that the compliance officer has full access to all retained user data as needed for compliance management and enforcement. Because eDiscovery enables search and retrieval of data, it is often discussed together with Archiving, which pertains to how and where the data being searched is stored.
Webex has built-in eDiscovery/Legal Hold and archiving or data storage capabilities which may be sufficient for some organizations. The built-in Webex eDiscovery Search and Extraction portal provides Webex organizations the ability to access Webex stored and retained user-generated data. And as discussed earlier, there are retention settings in Control Hub which determine how long user-generated data is stored on the Webex platform. Note that exploring the Webex eDiscovery Search and Extraction portal is not part of this lab. However, for your reference, the Appendix of this lab guide has a module that covers the built-in Webex eDiscovery tool. If you are interested in this module, please complete the rest of the lab before exploring.
For advanced implementations of eDiscovery and Archiving, a third-party compliance platform integration is generally preferred.
Theta Lake has a full set of compliance capabilities including eDiscovery and Archiving for collaboration platform data. In this module you'll explore the archiving and eDiscovery capabilities of the Theta Lake platform.
Theta Lake Archiving
-
Login to Theta Lake management portal with read-only admin login.
As you examine Theta Lake eDiscovery capabilities, it helps to have some historical user data (something beyond just data you might generate today) so you can search and review data over a period of days and weeks. In this section you'll use a read-only administrator account for a Theta Lake organization that contains months of user-generated message, meeting, and calling data.
From the Chrome browser on Anita Perez's workstation (WKST2), navigate to the Theta Lake management portal at https://useast.thetalake.ai/.
Login using the read-only administrator account credentials (email / password): co.read.only@gmail.com / dCloud123!
Once logged in navigate to the Policies page by clicking 'Policies' in the navigation menu at the top of the page.
-
Review the Retention Library page.
The retention library or archive is the final resting place for the data coming from the Webex platform, so it's important to understand where and how your data is archived before even thinking about eDiscovery.
On the Theta Lake platform, archiving is managed under the Policies sub-section 'Content Destination', where retention libraries are configured.
Navigate to the Archive retention libraries page by clicking 'Content Destination' in the left-hand navigation menu to expand, and then click 'Retention Libraries'.
By default, Theta Lake automatically configures a retention library called 'Default' when the Theta Lake org is created.
Notice that the default retention period for the default retention library is 'Forever', meaning that user data for your org will be archived and maintained indefinitely. Data records have been created and archived to this retention library (Record Count = nnn).
Note: You will see a second retention library called 'Delete Storage'. This retention library is for lab operational purposes. We use this library to clear data records from the Theta Lake tenant after the lab has been completed.
Theta Lake allows for the creation of multiple retention libraries within an organization enabling you to segment data archiving to accommodate variable retention periods and storage requirements.
Because this is a read-only account, you won't be able to edit the retention library or see its details. Below is what the retention library edit dialog would look like if you were to edit or create a retention library.
Notice that there is a setting to enable specialized storage to meet certain archival compliance requirements for data retention and storage. Specifically, Theta Lake optionally provides SEC Rule 17a-4 compliant storage. Rule 17a-4 requires that electronic records be maintained and preserved exclusively in a non-rewriteable, non-erasable storage format, referred to as WORM (write once, read many). WORM storage is not needed for the purposes of this lab, so it is not enabled.
As mentioned earlier, this default library currently has no retention period set ('Forever'), so data is maintained indefinitely. If the compliance officer or administrator wanted to adjust this, they would enable the retention period and then specify it in days.
Theta Lake eDiscovery
-
Navigate to Theta Lake eDiscovery.
Click 'Search' in the navigation menu to open eDiscovery, where the administrator or compliance officer can search all retained user data records across all media types, including messages, files, and meeting and calling recordings. All available records are retrieved by default.
Note that this Theta Lake org contains many Webex Messaging, Meeting, and Calling data records, and many filters are available to narrow a search through the records.
eDiscovery for Webex Meetings
Please spend some time reviewing the compliance options for Webex meetings available with Theta Lake.
Theta Lake can process data from in-meeting chat, polls, Q&A, shared files, and other meeting content (like the data you generated earlier). Theta Lake can also detect content in users' audio/video streams, such as information shared visually or verbally during the meeting (for example, an attendee holding up a paper with sensitive information written on it, or verbally mentioning credit card numbers, SSNs, or dates of birth). You will see how Theta Lake flags these violations as well.
-
Review Webex Meeting data
You will find pre-populated data that demonstrates some of the violations and types of data that Theta Lake can process. Once logged in, click the Search tab, enter the search term Poll, and click the green Search button.
Note: the screenshot below uses the Table viewing format. This option can be found on the right side of the screen near the Sort by option.
Explore and review a few records that contain a meeting poll.
Repeat the search process with Q&A as the search term and click the green Search button.
Close the Poll search by clicking the "x" next to the search term.
-
Search for and review records with specific built-in policy violations.
In the left-hand navigation menu, under the FAVORITES section, click Policy Hits. In the resulting dialog box, scroll through the drop-down menu and select the following built-in detection rules then click Apply:
- Credit Card Number (CC#) -- Audio, Chat, Attachment, and Emails
- CryptoCurrency Discussions -- Video, Audio, Chat, Attachment, and Emails
- Social Security Numbers (SSN) -- Audio, Chat, Attachment, and Emails
-
Refine the search to include specific media types.
Scroll down to the Media category in the left-hand navigation menu and click to expand the filter. Click Media Type and tick the boxes for Audio and Video then click Apply.
-
Review a specific meeting data record.
Select any meeting; you will see a recording of the meeting and flags where users have violated policies. You can use Record ID 576714780 as an example.
If you are reviewing record 576714780, scroll to approximately 7 minutes and 06 seconds into the meeting and you will see that Theta Lake is able to flag documents held up to the camera containing PII and confidential data.
Feel free to take a few minutes and review a couple more records for other compliance policy violations to get a good understanding of Theta Lake's detection capabilities. Once you have finished reviewing, clear all the filters you selected by clicking "Clear All" at the top left of the screen.
Explore eDiscovery for Webex Calling in Theta Lake
Please spend some time reviewing some of the compliance options for Webex Calling available in Theta Lake.
Theta Lake provides archiving, eDiscovery, and supervision for Webex Calling, with automated detection of compliance risks in audio content and support for call recordings, call detail records (CDRs), and business texting (SMS).
In this section you will review Webex Calling data records in Theta Lake.
-
Search for Webex Calling data records.
Navigate to eDiscovery by clicking Search. You will find pre-populated data that demonstrates some of the violations and types of data that Theta Lake can process.
Click Webex Calling to add a platform filter.
Note: the screenshots below show the Table view. This can be found on the right side of the screen near the Sort by option.
-
Review list of records.
You will find two types of Webex Calling records here:
- Call detail records (CDRs): these records have a Record Title that starts with 'Call between...'.
- Call recordings: these records have a Record Title that starts with 'Call with...' and ends with a numeric sequence corresponding to the calling number and call timestamp.
CDRs
If the call is internal (SIP_ENTERPRISE), you will see a pair of CDRs for each call, one for each call leg: originating and terminating.
If the call is external (SIP_NATIONAL, to the PSTN; or SIP_INBOUND, from the PSTN), you will see a single CDR for each call, covering the internal call leg only: originating or terminating.
Call Recordings
In addition to the CDRs described above, if the call was recorded you will also find a corresponding recording record.
Note: CDR data records are the same for both standard and zero trust end-to-end encrypted (E2EE) Webex calls. However, as discussed in Module 2, zero trust E2EE calls do not support call recording (or other features such as closed captioning). So if a call has a corresponding audio recording, it was not a zero trust E2EE call. On the other hand, for an unrecorded call it is impossible to tell from these records whether it was a standard encrypted call or a zero trust E2EE call.
-
Review CDR data record details
Begin to review data records for Webex Calling. Start with an internal call.
Scroll down and locate the set of call records: 750526890, 750526883. These should be listed sequentially and correspond to the terminating and originating legs of an internal call.
To review a record, click the record. Select the Attributes record to see the call detail information.
First, note the CallType for each record is SIP_ENTERPRISE indicating this is an internal call.
Next, look at the CorrelationId attribute and notice that it is the same for both records (3d8bafcd-519b-4ec9-86cd-c68aa4565870). This indicates that these two records are part of the same call. Later you will see that the call recording data record has the same CorrelationId.
Notice that one of the records (750526883) is the originating leg: CallDirection=ORIGINATING. The other record (750526890) is the terminating leg: CallDirection=TERMINATING.
Additional detailed call information is displayed including call duration (CallDurationSeconds), times (CallAnswerTime, CallStartTime), numbers (CalledNumber, CallingNumber), and caller ID (CalledLineId, CallingLineId).
-
Review a call recording record
Now let's look at record 750527005. This should be listed sequentially above the terminating and originating CDRs reviewed above. This record includes an audio recording of the call.
First, review the Attributes of the record. Observe that the CorrelationId (3d8bafcd-519b-4ec9-86cd-c68aa4565870) matches the two CDRs reviewed above, indicating that this is the recording of that call. Also notice that the CallDirection attribute is 'ORIGINATING', indicating that the call recording was started on the originator's leg of the call.
Next, select Content Review to display the analysis of the recording made by the Theta Lake platform AI Compliance Advisor. This automated analysis indicates the points in the call recording where potential violations of compliance policy occurred. For example, the Compliance Advisor flagged multiple places where cryptocurrency is mentioned during the call, which violates the built-in 'CryptoCurrency Discussions' policy. Likewise, the Compliance Advisor flagged instances of social security numbers, credit card numbers, material nonpublic information (insider trading), and sensitive documents being discussed on the call. This analysis is a good starting point for the Compliance Officer when reviewing data records on the Theta Lake platform.
Review the details of this analysis, noting the policies that were violated. Using the timestamps in the Content Review analysis, see if you can locate one of the potential violations in the audio recording.
Next, review the transcript of the recording. Select Transcript to display the transcript of the audio recording generated by the Theta Lake platform AI Compliance Advisor. The transcript, together with the automated analysis by the AI Compliance Advisor, saves the Compliance Officer from having to listen to the entire audio recording.
Finally, try translating the transcript into another language. Click Translate, select the target language from the dropdown (e.g., Dutch), and then click Translate again. Notice that the transcript has been translated into the selected language. This is useful when the call audio is in a language the Compliance Officer does not understand.
-
Review other Webex Calling data records
Take a few minutes to review some other records to see other types of calls and other possible compliance policy violations.
For example, look at the records for a PSTN call, which has a single CDR data record and a corresponding audio recording data record. Scroll down and locate data records 73125943 and 73125955, which are respectively the CDR and the audio recording for a PSTN call. (Hint: To find these records faster, use the side panel to select a 'Create Date' filter with a custom date range of January 19, 2026 12:00AM - January 19, 2026 11:00PM. This filter returns just these two data records.)
Note that under Attributes for both of these records, the CorrelationId (060b2e06-b871-435e-8a60-33c6be7862db) is the same, indicating they are from the same call. The CallType attribute of the CDR is SIP_NATIONAL, which indicates a PSTN call. This is an outbound call (CallDirection = ORIGINATING) to the PSTN and, as mentioned previously, this is the only call leg CDR available, since the system has no visibility into the PSTN side of the call.
(Note: If this were an inbound PSTN call, the CallType would be SIP_INBOUND and the CallDirection would be TERMINATING.)
Feel free to review the Content Review and Transcript details for the audio recording data record.
Once you are done exploring other Webex Calling data records, before you proceed, ensure that you have cleared any filters and logged out of Theta Lake.
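The record relationships described in this section (CDR legs paired by CorrelationId, one leg for PSTN calls, recordings that rule out zero trust E2EE) can be checked mechanically once the attributes are exported. The following Python script is an added example, not part of the lab guide or of the Theta Lake product: it groups CDR and recording records by CorrelationId, classifies each call as internal or external from CallType, verifies that the leg count and CallDirection values match what the records should show, and marks unrecorded calls as ones that could have been zero trust E2EE. The record IDs and CorrelationIds of the first two calls are the ones used in this section; the record titles, numbers, durations and the last two calls are constructed for the example, and the dictionary layout is an assumption about how exported attribute data might look, not a Theta Lake API.

```python
from dataclasses import dataclass, field

INTERNAL = "SIP_ENTERPRISE"                  # both parties on Webex: two CDR legs
EXTERNAL = {"SIP_NATIONAL", "SIP_INBOUND"}   # PSTN out / PSTN in: one CDR leg
# Direction the single internal leg of an external call should carry.
EXTERNAL_DIRECTION = {"SIP_NATIONAL": "ORIGINATING", "SIP_INBOUND": "TERMINATING"}

# Constructed sample records using the attribute names shown in the Theta Lake
# Attributes view. The first two calls reuse the lab's record IDs and CorrelationIds;
# titles, numbers, durations and the last two calls are made up for the example.
RECORDS = [
    # Internal call: originating leg, terminating leg, and a recording
    {"RecordId": "750526883", "RecordTitle": "Call between 1001 and 1002",
     "CallType": INTERNAL, "CallDirection": "ORIGINATING",
     "CorrelationId": "3d8bafcd-519b-4ec9-86cd-c68aa4565870",
     "CallingNumber": "1001", "CalledNumber": "1002", "CallDurationSeconds": 412},
    {"RecordId": "750526890", "RecordTitle": "Call between 1001 and 1002",
     "CallType": INTERNAL, "CallDirection": "TERMINATING",
     "CorrelationId": "3d8bafcd-519b-4ec9-86cd-c68aa4565870",
     "CallingNumber": "1001", "CalledNumber": "1002", "CallDurationSeconds": 412},
    {"RecordId": "750527005", "RecordTitle": "Call with 1002 100120260119100000",
     "CallType": INTERNAL, "CallDirection": "ORIGINATING",
     "CorrelationId": "3d8bafcd-519b-4ec9-86cd-c68aa4565870"},
    # Outbound PSTN call: a single (originating) CDR leg plus a recording
    {"RecordId": "73125943", "RecordTitle": "Call between 1001 and +14085550100",
     "CallType": "SIP_NATIONAL", "CallDirection": "ORIGINATING",
     "CorrelationId": "060b2e06-b871-435e-8a60-33c6be7862db",
     "CallingNumber": "1001", "CalledNumber": "+14085550100", "CallDurationSeconds": 95},
    {"RecordId": "73125955", "RecordTitle": "Call with +14085550100 100120260119120000",
     "CallType": "SIP_NATIONAL", "CallDirection": "ORIGINATING",
     "CorrelationId": "060b2e06-b871-435e-8a60-33c6be7862db"},
    # Constructed: internal call with both legs but no recording (could be E2EE)
    {"RecordId": "900000001", "RecordTitle": "Call between 1003 and 1004",
     "CallType": INTERNAL, "CallDirection": "ORIGINATING",
     "CorrelationId": "11111111-0000-4000-8000-000000000001",
     "CallingNumber": "1003", "CalledNumber": "1004", "CallDurationSeconds": 61},
    {"RecordId": "900000002", "RecordTitle": "Call between 1003 and 1004",
     "CallType": INTERNAL, "CallDirection": "TERMINATING",
     "CorrelationId": "11111111-0000-4000-8000-000000000001",
     "CallingNumber": "1003", "CalledNumber": "1004", "CallDurationSeconds": 61},
    # Constructed: internal call where the terminating leg CDR is missing
    {"RecordId": "900000003", "RecordTitle": "Call between 1005 and 1006",
     "CallType": INTERNAL, "CallDirection": "ORIGINATING",
     "CorrelationId": "11111111-0000-4000-8000-000000000002",
     "CallingNumber": "1005", "CalledNumber": "1006", "CallDurationSeconds": 12},
]


def record_kind(rec: dict) -> str:
    """Classify a record by its title prefix, as the lab describes the two record types."""
    title = rec["RecordTitle"]
    if title.startswith("Call between"):
        return "CDR"
    if title.startswith("Call with"):
        return "RECORDING"
    return "OTHER"


@dataclass
class Call:
    correlation_id: str
    legs: list = field(default_factory=list)        # CDR records
    recordings: list = field(default_factory=list)  # recording records

    def scope(self) -> str:
        types = {leg["CallType"] for leg in self.legs}
        if types == {INTERNAL}:
            return "internal"
        if types and types <= EXTERNAL:
            return "external"
        return "unknown"

    def may_be_e2ee(self) -> bool:
        # A recording rules out zero trust E2EE (recording is unsupported there);
        # without one, the CDRs alone cannot distinguish the two call types.
        return not self.recordings

    def issues(self) -> list:
        out = []
        scope = self.scope()
        expected = {"internal": 2, "external": 1}.get(scope)
        if expected is None:
            out.append("mixed or unknown CallType values: "
                       f"{sorted({leg['CallType'] for leg in self.legs})}")
        elif len(self.legs) != expected:
            out.append(f"{scope} call has {len(self.legs)} CDR leg(s), expected {expected}")
        for leg in self.legs:
            want = EXTERNAL_DIRECTION.get(leg["CallType"])
            if want and leg["CallDirection"] != want:
                out.append(f"CDR {leg['RecordId']}: {leg['CallType']} leg should be {want}")
        directions = {leg["CallDirection"] for leg in self.legs}
        for rec in self.recordings:
            if rec["CallDirection"] not in directions:
                out.append(f"recording {rec['RecordId']} direction {rec['CallDirection']} "
                           "matches no CDR leg")
        return out


def correlate(records) -> dict:
    """Group CDRs and recordings into Call objects keyed by CorrelationId."""
    calls = {}
    for rec in records:
        call = calls.setdefault(rec["CorrelationId"], Call(rec["CorrelationId"]))
        kind = record_kind(rec)
        if kind == "CDR":
            call.legs.append(rec)
        elif kind == "RECORDING":
            call.recordings.append(rec)
    return calls


def summarize(records) -> list:
    return [{"CorrelationId": cid, "scope": c.scope(), "legs": len(c.legs),
             "recorded": bool(c.recordings), "may_be_e2ee": c.may_be_e2ee(),
             "issues": c.issues()} for cid, c in correlate(records).items()]


if __name__ == "__main__":
    for row in summarize(RECORDS):
        print(row)
```

Running the script prints one row per CorrelationId; the two lab calls come out clean, the constructed unrecorded internal call is marked may_be_e2ee, and the call with only one SIP_ENTERPRISE leg is reported as missing a CDR, which is the kind of gap a compliance officer would want to chase rather than assume the archive is complete.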
This concludes the Theta Lake compliance sections.
*** END of MODULE 3 ***
Continue with either Module 1 or Module 2.
Appendix
NOTE: The following module is not part of this lab but has been included here for your reference. If you wish to explore this module, please complete the rest of the lab before proceeding. Screenshots have been provided so even if the lab environment is no longer available, you will still be able to explore this topic.
Explore Webex eDiscovery Search and Extraction Portal
eDiscovery is the mechanism for searching through and retrieving data from an organization's archive of retained user data. It ensures that the compliance officer has full access to all retained user data as needed for compliance management and enforcement. Webex includes a built-in eDiscovery tool that provides access to up to 90 days of user data by default. With Webex Pro Pack (https://help.webex.com/en-us/article/np3c1rm/Pro-Pack-For-Control-Hub), eDiscovery provides access to unlimited user data (up to the configured retention period).
-
Navigate to the Webex eDiscovery Search and Extraction portal. From the Chrome browser on Anita Perez's workstation (WKST2), log in to Webex Control Hub (https://admin.webex.com) if required, with username / password: aperez@cbXXX.dc-YY.com / dCloud123! (see your pod sheet for the 'XXX' and 'YY' values, and for the non-SSO password if you didn't complete Module 1).
Once logged in, click Troubleshooting in the left-hand navigation window. Then, click Status. Finally, in the Tools tile, click the View eDiscovery button to navigate to the eDiscovery portal.
Once connected to the eDiscovery Search and Extraction portal, you'll see the main search page for eDiscovery where the administrator or compliance officer can search against all retained user data records across all media types including messages, files, and meeting transcripts.
-
Create an eDiscovery report on user Kellie Melby.
Webex's eDiscovery tool does not provide direct search of user data records. Instead, the compliance officer generates a report covering all activity for a particular user or set of users, or all activity within one or more messaging spaces. Generate an eDiscovery report for one of our users, Kellie Melby, by entering the following on the Search and Generate Compliance Report page:
- Report Name: eDiscovery report on Kellie Melby
- Description: eDiscovery report for Kellie Melby (kmelby@cbXXX.dc-YY.com)
- Activity type: Webex Messaging
- Email addresses: kmelby@cbXXX.dc-YY.com (refer to your pod sheet for the 'XXX' and 'YY' values)
- Date Range: Leave at 'Last 30 days'.
Click the Generate button to start the report generation process.
Generation of the eDiscovery report starts immediately.
Report generation takes some time to complete. In the meantime, install the eDiscovery Download Manager, which is required to download eDiscovery reports.
-
Download and install the eDiscovery Download Manager.
The eDiscovery Download Manager is available for download from the eDiscovery portal. Click 'Download Manager' in the left-hand navigation panel.
On the Download Manager page, click Download for Windows 10 to begin download of the software.
Install eDiscovery Download Manager.
Once the software download completes, click the arrow next to the download file at the bottom of the Chrome browser window and select 'Open' to open the executable install file.
After a moment the eDiscovery Download Manager install process will begin.
Allow the install to complete and then click the Finish button to close the installer.
-
After the eDiscovery report is complete, download summary report and full report.
Return to the Compliance reports page to ensure report generation is complete.
Review the eDiscovery report summary. Once the report status shows 'Completed', click the report name to load the report details.
Review the report information and the content summary. If you followed the instructions in the section Generate User Data with Webex App, the report should contain spaces, activities, and files.
Note: Depending on the compliance/DLP platform you selected, the numbers and data in your report may not match what is shown in the screen shots in this section.
Download the eDiscovery report summary and full report. Click the Download button to download the eDiscovery report.
Click the Open eDiscovery Download Manager button when prompted by the browser.
The eDiscovery Download Manager requires user authentication by a user with the compliance officer role to download eDiscovery reports. Login with Anita Perez's Webex account.
Once logged in to the eDiscovery Download Manager, click the top Download button to download the eDiscovery Summary Report. Once the summary report download is complete, click the Dismiss button and then, click the bottom Download button to download the Full Report.
Both the summary report and the full report are downloaded to the Downloads directory (C:\Users\aperez\Downloads).
-
Review the eDiscovery reports.
Open and review the .csv summary report.
The summary report doesn't provide the user data, but it's a good starting point for reviewing a user or group of users' data.
Open the File Explorer on WKST2 and navigate to C:\Users\aperez\Downloads\.
Locate the .csv file (the file name ends with '-spaces.csv') and double-click to open and review it. If prompted for Microsoft Office setup, click the 'X' in the upper right corner to dismiss the prompt. Once open, note that the file includes a row with the spaceID for each space in the report. For each space you'll see information including the space name, activities, and members.
Open the full report .zip file and review the full report contents.
The full report zip file contains a nested set of folders for each space in the report with email (.eml) formatted files corresponding to each message, space activity, and shared file. The set of .eml files is the full set of user data within a specific space.
Return to the File Explorer window and double click into the zip file of the full report to navigate and browse through the folders of .eml files corresponding to each space.
You can view individual email messages (.eml files) by double-clicking them. When you open the first .eml file, Outlook prompts you to create a mail profile. Enter any word (e.g., 'Anita', 'Webex') as the profile name and proceed; Outlook then opens and displays the .eml file.
See if you can locate messages showing space activities (e.g., users added to a space), messages with compliance violations (e.g., social security number, credit card #), and files (as attachment to the messages).
See the examples below:
Space activities
Messages with compliance violations
Shared files
While user data is certainly available and discoverable through the Webex eDiscovery Search and Extraction tool, reviewing the data in the reports and locating specific pieces of data can be tedious, particularly when the reports contain large numbers of users or spaces.
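Because reviewing the full report by hand is tedious, the following Python script is added here as an example of how a compliance engineer could triage it offline. It is not part of the Webex eDiscovery tool: it walks a report zip laid out as one folder per space containing .eml files, parses each message with the standard library email parser, lists attachments, and flags message bodies containing SSN-shaped values or Luhn-valid card numbers so the compliance officer can jump straight to the messages worth reading. The zip layout follows the description above; the sample messages, addresses (example.com), file names and the header set written into the constructed .eml files are assumptions made for the example, not the exact format Webex produces.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Patterns for the two violation types the lab's sample data exercises.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# 13 to 19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_hits(text: str) -> list:
    """Return labelled matches; card numbers are masked to the first six and last four digits."""
    hits = [f"SSN:{m.group()}" for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(f"CARD:{digits[:6]}...{digits[-4:]}")
    return hits


def _eml(sender: str, subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed .eml message; the header set is an assumption, not Webex's format."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "space@example.com"
    msg["Subject"] = subject
    msg["Date"] = "Mon, 19 Jan 2026 10:00:00 +0000"
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def build_sample_report() -> bytes:
    """Constructed stand-in for the downloaded full report: one folder per space, one .eml per item."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Project Falcon/activity-1.eml",
                   _eml("kmelby@example.com", "Activity",
                        "Kellie Melby added Anita Perez to the space."))
        z.writestr("Project Falcon/message-2.eml",
                   _eml("kmelby@example.com", "Message",
                        "Customer SSN is 123-45-6789 and card 4111 1111 1111 1111, please process."))
        z.writestr("Project Falcon/message-3.eml",
                   _eml("aperez@example.com", "Message", "Attached the Q1 deck.",
                        attachment=("q1-deck.pdf", b"%PDF-1.4 constructed placeholder")))
        z.writestr("Vendor Chat/message-1.eml",
                   _eml("aperez@example.com", "Message", "Lunch at noon?"))
    return buf.getvalue()


def scan_report(zip_bytes: bytes) -> list:
    """Parse every .eml in the report zip and return one finding per message."""
    parser = BytesParser(policy=policy.default)
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in sorted(z.namelist()):
            if not name.lower().endswith(".eml"):
                continue
            msg = parser.parsebytes(z.read(name))
            body_part = msg.get_body(preferencelist=("plain",))
            body = body_part.get_content() if body_part else ""
            findings.append({
                "space": name.split("/", 1)[0],   # top-level folder is the space
                "path": name,
                "from": str(msg["From"]),
                "subject": str(msg["Subject"]),
                "attachments": [p.get_filename() for p in msg.iter_attachments()],
                "hits": find_hits(body),
            })
    return findings


def violations(findings: list) -> list:
    return [f for f in findings if f["hits"]]


if __name__ == "__main__":
    for f in violations(scan_report(build_sample_report())):
        print(f["path"], f["from"], f["hits"])
```

To run it against a real download, replace build_sample_report() with the bytes of the .zip in C:\Users\aperez\Downloads and adjust the folder-to-space mapping if the report nests folders differently; the detection patterns are deliberately narrow (formatted SSNs and Luhn-valid card numbers) so the hit list stays short enough to review.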
-
Legal Hold
The Webex eDiscovery Search and Extraction tool also supports Legal Hold. Legal Hold is a mechanism for creating and managing cases related to legal investigations in which specific user data records must be kept beyond the normal corporate data retention policies. User data records associated with a Legal Hold are retained indefinitely until the Legal Hold case is closed.
Navigate to 'Legal matters' page on eDiscovery portal.
From the Chrome browser on Anita Perez's workstation (WKST2), return to the eDiscovery Search and Extraction tool session you were using earlier. Log in again, if required (aperez@cbXXX.dc-YY.com / dCloud123! - see your pod sheet for 'XXX' and 'YY' values and the non-SSO password if you didn't complete Module 1).
To create and manage Legal Hold cases, navigate to the 'Legal matters' page by selecting 'Legal matters' from the left-hand navigation menu. Note that currently no Legal Holds have been created.
Create a Legal matter (Legal Hold) for user/custodian Kellie Melby.
Click the 'Create Matter' button to configure a Legal Hold. In this case, you'll create a Legal Hold for the same user you ran an eDiscovery report on earlier: Kellie Melby (kmelby).
Enter the following values in the 'Create Matter' dialog:
- Name: LH-M001001
- Description: Legal hold LH-M001001 on user Kellie Melby

Click 'Download CSV Template' to download the custodian import template. We'll use this template to add a user (custodian) to a Legal Hold/Legal matter.
Open the downloaded CSV template in Excel and add Kellie Melby's email address kmelby@cbXXX.dc-YY.com to the second row (values for 'XXX' and 'YY' are on your pod sheet).
Click the save icon to save your change to the template file.
Click Yes to maintain the custodian file in CSV format.
Return to the Create Matter dialog and click Browse. Locate the CustodianImportTemplate.csv file you just edited and select. Click Open.
Click Save to finish creating the legal matter. Keep an eye on the 'Create Matter' process and ensure that the legal matter setup completes. Click Close to acknowledge once the matter is created.
Returning to the Legal matters page, you will see that there is now an active legal matter. Click the matter name to load the legal matter details. Notice there are options to add/remove user/custodians as well as to 'Release' (or close) a matter.
At this point there is nothing left to do for this legal matter. Note that all users/custodians associated to a legal matter / Legal Hold will have all their available data retained beyond the configured retention period.
In this case, this means that all of Kellie Melby's user generated data will be retained indefinitely, overriding the current Webex Control Hub configured retention period of 360 days which we reviewed earlier. If/when the Legal Hold is released for this matter / custodian, the 360-day period for data retention would apply.
Theta Lake also supports near real-time DLP for files and messages with automatic remediation.