3CX Tunnel / 3CX Session Border Controller
Zero Admin
With the new Dashboard
Bulletproof Security
With SSL certs and NGINX
Install on $100 Appliance
Intel MiniPC architecture
New, Intuitive Windows Client
More themes, more UC
More CRM Integrations
Scripting Interface to add your own
Improved Integrated Web Conferencing
iOS and Android apps included
Personal Click2Meet URLs

3CX Tunnel / 3CX Session Border Controller

3CX Tunnel / 3CX Session Border Controller

On this topic

3CX Tunnel / 3CX Session Border Controller


How it Works

Configuring the Tunnel

Step 1 – Configure the PBX

Step 2 – Configure the Firewall

Step 3 – Configuring Remote Sites via 3CX SBC, 3CXPhone, Bridges

See Also


3CX includes the 3CX Tunnel allowing easier bridging of remote 3CX Phone Systems and connecting remote extensions. The 3CX Tunnel combines all SIP (signaling) and RTP (media) VoIP Packets from one location and delivers them to and from another location (typically the PBX Server) using a custom TCP protocol. This simple concept allows 3CX to overcome firewall or telecom provider issues. The 3CX Tunnel can be used for the following reasons:

  • Resolve issues of NAT Traversal at both the remote and the PBX location.
  • Simplified Firewall configuration at both the remote and the PBX location.
  • Overcome difficulties with ISPs that block VoIP Traffic based on port numbers.
  • Allows VoIP-over-WiFi in some restricted locations, such as Hotel rooms.
  • “Fixes” Firewalls that cannot handle VoIP traffic correctly or which are very problematic to configure correctly, such as Microsoft ISA Server

Note: Presence information does not get carried through the Tunnel to the remote network as of yet. Make sure that the HTTP/HTTPS ports you have chosen during the installation are open on the PBX server side.

How it Works

The 3CX Tunnel

The image above demonstrates how the 3CX Tunnel works. In this example, 3CX Phone System is on IP Address, and listens on TCP port 5090 (by default) for incoming Tunnel traffic. We must set up a single Port Forwarding rule on the Modem or NAT/Firewall Device, telling it that all incoming TCP traffic received on port 5090 should be delivered to LAN IP Address

The remote setup is shown on the left hand side of the cloud. In this example, the machine with IP address of has 3CXPhone installed. We will need to tell the VoIP Phone the public IP address of the PBX Server (which in this case is, and also the private IP address of the PBX Server (which in this case is Since the 3CXPhone will by default use the standard port numbers used by 3CX Phone System, typically no further configuration will be necessary.

3CX Tunnel technology can be used in the following scenarios:

  • Connect Remote Sites using the SBC - For remote sites with a number of remote phones, you can deploy the 3CX SBC to the site so that all phones will communicate with the 3CX PBX over a single port. This is also the preferred option in case 3CX Phone System is running in the cloud.
  • Connect Remote 3CXPhone Users - 3CXPhone for Windows, Mac, iOS and Android have a built in tunnel that will be used automatically when 3CXPhone detects it is not on the LAN. No configuration is necessary in 3CXPhone.
  • Connect 3CX Phone Systems via a Bridge - When creating a Bridge to another 3CX Phone System, you can choose to use the 3CX Tunnel rather than a direct connection. 

Configuring the Tunnel

We will use the above example in “How the 3CX Tunnel Works” to configure a tunnel connection.

Step 1 – Configure the PBX

In the 3CX Management Console, select  “Settings” > Security > “3CX Tunnel” tab.

  1. Configure the Tunnel Password (e.g. “r6W4Qi”)
  2. Set the Local IP to the Local IP Address of the NIC, which will be receiving tunnel connections. If the PBX has only one NIC, then there will be no need to set this field. In our example this is
  3. Set the Tunnel Listening Port to the port, which will be receiving tunnel connections. The default value is 5090.
  4. Click “OK”. The Tunnel service will be restarted automatically.

Step 2 – Configure the Firewall

The Tunnel protocol is designed to eliminate NAT traversal problems and reduce Firewall configuration work to a minimum. There is only one Firewall setting that needs to be made – we must forward the TCP Tunnel port (set by default to 5090) to the PBX.

Configuring a Port Forward Rule in pfSense

The above picture shows configuration for a pfSense firewall - most firewalls will provide similar functionality. In your firewall:

  1. Enable Port Forwarding.
  2. Specify the PBX’s Local IP Address (which we had set previously to
  3. Set the Type to TCP/UDP.
  4. Set the Port Range to be from 5090 to 5090 (only one port).
  5. Set the Comment field to 3CX Tunnel.
  6. Click on the Add button followed by the Apply button. Your firewall configuration is now done!

Step 3 – Configuring Remote Sites via 3CX SBC, 3CXPhone, Bridges

After you have configured the local tunnel connection and the firewall, the tunnel is now “ready for use”. At the client side you must configure the 3CXPhones, an SBC or the Bridges accordingly.

3CX SBC (Session Border Controller)

The 3CX SBC is suitable for sites with multiple IP Phones in the same LAN. The SBC must be installed at the remote site and is available for Windows and Raspberry Pi:

3CXPhone Clients

No configuration is necessary for 3CXPhone clients. However to view 3CX Tunnel options, see the chapter Configuring the 3CX Phone System Clients – 3CXPhone.

3CX Bridges

To configure a Bridge using the 3CX Tunnel, see the Chapter Connecting 3CX - Bridges.

See Also


You might also be interested in:

Ask a Question

Please only post questions in regards to the document you are currently reading.
Technical support or pre sales questions must be posted via the support or sales channels and such comments will be deleted. Thank you for understanding

Leave a Reply

  1. Pingback: Debian is my Distro - Tech Slap

  2. Cesar Landazuri

    Do the SBC works also with the PSTN gateways?

    March 27, 2016 at 8:39 pm Reply
    • Charalambos Eleftheriou

      @Cesar, PSTN Gateways can only be provisioned on the same local network as the PBX or by using a Network VPN connection. They can not be connected remotely.

      March 28, 2016 at 11:13 pm
  3. Pingback: 3CX SBC - Neu 3CX Session Border Controler V.14 - 3CX - Schweiz

  4. Josh T

    Does this allow phones at a remote site to dial another local extension near them without having to traverse all they way back to the PBX?

    May 13, 2016 at 2:57 pm Reply
    • Charalambos Eleftheriou

      @Josh, Yes when you configure remote phones behind an SBC the audio between 2 extensions on the same remote site will remain local.

      May 13, 2016 at 9:08 pm