Important Notice: This article contains outdated content and is here for archival/informational purposes. For the 3CX Session Border Controller view: http://www.3cx.com/docs/3cx-tunnel-session-border-controller/
What is the 3CX SIP Proxy manager?
The SIP Proxy Tunnel can combine all SIP (signaling) and RTP (media) VoIP Packets from one location (typically a remote office) and deliver them to and from another location (typically the PBX Server) using a custom TCP protocol. This simple concept allows us to exploit the SIP Proxy Tunnel to overcome difficult situations, or to simplify a network scenario.
The SIP Proxy Tunnel can be used for the following reasons:
- Resolve issues of NAT Traversal at both the remote and the PBX location
- Simplify Firewall configuration at both the remote and the PBX location
- Overcome difficulties with ISPs that block VoIP Traffic based on port numbers
- Allows VoIP-over-WiFi in some restricted locations, such as Hotel rooms
- “Fixes” Firewalls that cannot handle VoIP traffic correctly or which are very difficult or problematic to configure correctly, such as:
- Microsoft ISA Server
The above diagram shows a typical scenario for implementing the SIP Proxy Tunnel in a remote location. To take advantage of this configuration, we need to configure all the SIP Phones in the remote LAN (192.168.0.x) to communicate with the PBX Server (10.0.0.181) using the SIP Proxy Tunnel on 192.168.0.2.
- 3CX PhoneSystem installed in the Office LAN
- Port Forwarding to the 3CX Phone System machine for incoming tunnel connections
- Configure the NAT device in the Office LAN to forward all packets to TCP:5090 to the PBX Server machine.
- The Public IP Address of the internet connection in the Office LAN. This must be a Static IP Address.
- The Private IP Address of the 3CX Phone System machine in the Office LAN. This must be a Static IP Address.
- The Private IP Address of the machine in the remote LAN where we will be installing the SIP Proxy Tunnel application.
- The Tunnel Password configured on the 3CX Phone System machine.
For the purpose of this setup we shall assume the following:
- Public IP address of the 3CX Server site: 18.104.22.168
- Internal IP address of the 3CX Server : 10.0.0.181
- IP address of your remote PC that will act as proxy: 192.168.0.2
- IP address of the hard phone that will use the proxy: 192.168.0.3
- Tunnel Password: abc
Step 1: Configuring the 3CX Phone System in the main office
- From the 3CX Phone System web interface access the “Settings > Network” node and click on the “Tunnel” tab.
- Enter a password for the tunnel (default is “abc”).
- Select the Internet-facing NIC IP Address from the dropdown list.
- Enter the Tunnel listening port – you can leave the default port number ‘5090’ unless you have a need to change this – if this is changed, port forwarding rules on the Office router will need to updated.
Step 2: Configuring the 3CX SIP Proxy Manager at the remote site
At the remote site choose a PC that has internet access and install the 3CX SIP Proxy Manager. This is a simple application that will install the 3CX Tunnel Service and start it.
- On the machine which will be running the tunnel to the 3CX Phone System, install the SIP Proxy Manager.
- Launch the SIP Proxy Manager.
- In the “SIP Listener IP address” field choose the IP Address on the SIP Proxy Tunnel machine which has internet access (in this example: 192.168.0.2).
- Leave the “SIP Listener Port” as default on 5080 – unless you have a need to change this.
- In the “Server Public IP address” field enter the public IP Address of the Office LAN (in this example: 22.214.171.124).
- Leave the “Server Tunnel Port” at the default value “5090”, unless you have changed your 3CX Phone System Tunnel Port while configuring the 3CX Phone System side.
- In the “Server Tunnel Password” to the same password used while configuring the 3CX Phone System side (in this example: “abc”)
- Click on the “Save Settings” button to commit your settings to the configuration file.
- Select the “File > Tunnel Proxy > Stop Tunnel” menu option to stop the Tunnel Service.
- Select the “File > Tunnel Proxy > Start Tunnel” menu option to start the Tunnel Service with the new settings.
Now that you have configured the SIP Proxy Manager, you will need to configure the phones to connect to the PBX using the SIP Proxy Manager as a Proxy. The easy way to do this is to provision the phones as remote extensions.
The alternative is to configure the phones manually. The rest of the article shows how to do this for Grandstream and Cisco phones.
Step 3 : Configuring a Grandstream GXP series SIP phone to connect via the Tunnel
- Login to the web interface of the phone using a web browser. E.g. http://192.168.0.3
- Click on the “Account 1” tab.
- In the “SIP Server” field, enter the IP Address of the 3CX Phone Server (in this example: 10.0.0.181).
- In the “Outbound Proxy” field, enter the you will be asked to enter the local ip and port (default is 5080) of the sip proxy manager computer in the following format:<ip_address>:<port> (in this example: 192.168.0.2:5080)
- In the “SIP User ID”, “Authenticate ID”, “Authenticate Password”, and “Name” fields, enter the Extension Number, Authentication ID, Authentication Password, and the user’s First and Last Name configured for the with the required information relative to the extension number.
- In the “Register Expiration” enter the re-registration interval – it the inter-site connection is subject to stability issues, it is recommended to reduce this value accordingly. A good reference starting point is 15 minutes.
- Click on the “Apply” button at the bottom of the page to save the settings.
- Click on the “Reboot” button to allow the phone to register with the new settings.
Above is a screenshot of a Grandstream GXP2000 configured to 3CX Phone System using the SIP Proxy Manager - In this example, the Grandstream will send all SIP and RTP to the interface IP and port where the SIP Proxy Manager is installed ie 192.168.0.2:5080. The SIP Proxy manager will then route to the Tunnel interface that is connected to the 3CX Tunnel Service on the PBX ie 126.96.36.199 on port 5090.
Configuring a Cisco SPA5XX series SIP phone to connect via the Tunnel
- Click on the “Ext1″ Tab
- In the “Proxy and Registration” section:
- In the “Proxy” field enter the IP address of the 3CX Phone System machine you want to connect to – in this example it is 10.0.0.181
- In the “Outbound Proxy” field enter the local ip and port (default is 5080) of the sip proxy manager computer. In this example it is 192.168.0.2:5080
- Set “Use Outbound proxy” to YES
- Set “Use OB Proxy in Dialog” to YES
- Set the Subscriber Information as you would normally
- Click the “Submit All Changes” button at the bottom of the page
Currently the Tunnel Protocol included with the SIP Proxy Manager cannot be used with Aastra and Polycom phones since Aastra uses SIP headers which the current Tunnel does not handle. There is no known workaround for this limitation.