Firewall Configuration Overview for 3CX PhoneSystem
In order for 3CX Phone System to communicate successfully with VoIP providers and Remote Extensions, your firewall/router device must be configured for SIP operation. To maximize your chances of success, choose a device that does not implement a SIP Helper or SIP ALG, or on which that feature can be disabled.
Microsoft ISA Server is inappropriate for SIP use since it cannot correctly implement UDP Port Forwarding.
Note: LAN security remains the responsibility of the System Administrator, and this information is limited to describing the technical implementation. Generally, any procedure that allows traffic from outside into the LAN may represent a security issue. Please review this article for some pointers about security with 3CX.
Incoming Ports
In a default installation of 3CX Phone System V8, the PBX listens for SIP messages on port 5060 (UDP & TCP). The audio streams are handled by ports 9000-9049 (UDP only) – this allows up to 25 simultaneous calls with VoIP providers or with remote extensions. These ports must be forwarded to the LAN IP Address of the 3CX PhoneSystem machine without port translation (the external port number must be identical to the internal one). You should also forward port 5090 (TCP & UDP) to allow remote extensions to connect using the 3CX Tunnel Protocol.
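The forwarding requirements above, expressed as iptables rules for a Linux-based router, as an added example that is not part of the 3CX documentation. The PBX LAN address (10.0.0.5) and the Internet-facing interface name (eth0) are placeholders passed in as parameters. The rules are printed rather than applied, so they can be reviewed first; note that the DNAT target names only the PBX address and no port, which is exactly what keeps the port numbers untranslated.

```shell
#!/bin/sh
# Added example (not 3CX's code): emit iptables DNAT/FORWARD rules for the
# 3CX incoming ports. Parameters: PBX LAN IP and the router's WAN interface
# (both placeholders in the usage line below). Prints the rules; does not
# apply them.

gen_3cx_forward_rules() {
    pbx_ip="$1"    # LAN IP address of the 3CX Phone System machine
    wan_if="$2"    # Internet-facing interface of the firewall/router

    # Protocol/port pairs from the "Incoming Ports" section; 9000:9049 is
    # the iptables syntax for a port range.
    for spec in "tcp 5060" "udp 5060" "tcp 5090" "udp 5090" "udp 9000:9049"; do
        proto="${spec%% *}"
        ports="${spec#* }"
        # DNAT rewrites only the destination address. Because no port is
        # given after --to-destination, the original port is preserved
        # (no port translation, as the 3CX requirements demand).
        echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $ports -j DNAT --to-destination $pbx_ip"
        # The forwarded packets must also be accepted by the FORWARD chain.
        echo "iptables -A FORWARD -i $wan_if -p $proto -d $pbx_ip --dport $ports -j ACCEPT"
    done
}

# Sanity check a generated rule set: fail if any DNAT target carries a port
# (i.e. would translate the port), or if the rule count is not 10.
check_3cx_forward_rules() {
    rules="$(gen_3cx_forward_rules "$1" "$2")"
    if printf '%s\n' "$rules" | grep -q 'to-destination [0-9.]*:[0-9]'; then
        echo "port translation detected" >&2
        return 1
    fi
    count="$(printf '%s\n' "$rules" | wc -l | tr -d ' ')"
    [ "$count" -eq 10 ]
}

# Usage (placeholders): gen_3cx_forward_rules 10.0.0.5 eth0
```

Run the generator, review the output, and only then execute the printed commands on the router. The FORWARD rules assume the default policy on that chain is DROP; if the router already accepts all forwarded traffic, only the PREROUTING rules are needed.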
Outgoing Ports
Configuring your firewall to control and restrict outgoing traffic can be a very time-consuming process, and to avoid errors you should consider granting the PBX machine unrestricted access to the Internet.
Restricting outgoing traffic by destination port is not possible, so you will need to use some other mechanism. Keep in mind that even though 3CX listens for SIP on port 5060 and audio on 9000-9049, a VoIP Provider (or a Remote Extension) has no obligation to use fixed ports.
The PBX will also need access to the STUN servers (typically stun.3cx.com and stun2.3cx.com) to calculate port address translations where port forwarding has not been implemented (unsupported but possible). If, however, you are using a static public IP Address and have implemented port forwarding correctly, you should disable STUN completely, which eliminates the need for the PBX to perform STUN requests. Read more about this here: http://www.3cx.com/blog/voip-howto/stun-resolution
Details on configuring specific Router/Firewall devices:
Cisco Router PIX or ASA: http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/
Draytek Vigor 2820: http://www.3cx.com/blog/voip-howto/draytek-firewall-voip/
