Firewall & Router Configuration

On this topic

Firewall & Router Configuration

Introduction

SIP ALG

Configuration for VoIP Provider or SIP Trunk

Configuring ports to allow PUSH messages to smartphones

Configuration for Remote Extensions

Remote Extensions via 3CX Tunnel

Remote Extensions via direct SIP

Configure WebRTC Ports

Firewall checker

See Also

Introduction

If you plan to use remote extensions or a VoIP Provider, you will have to make changes to your firewall configuration. In order for 3CX Phone System to communicate successfully with VoIP providers and remote extensions, your firewall/router device must be correctly configured for SIP operation. You can learn more about Routers, NAT, VoIP and Firewalls in this article.

SIP ALG

To maximize your chances of success, make sure you choose a device that does not implement a SIP Helper or SIP ALG (Application Layer Gateway), or choose a device on which SIP ALG can be disabled. The following links are examples of how to switch off ALG on popular routers:

Configuration for VoIP Provider or SIP Trunk

If you intend to use a VoIP Provider & the 3CX WebRTC Gateway you will need to open the following ports to allow 3CX Phone System to communicate with the VoIP Provider:

  • Port 5060 (UDP) for SIP communications (send & receive) MUST BE STATICALLY MAPPED. See sample firewall configuration.
  • Port 5061 (TCP) for TLS communications – If using secure SIP.
  • Ports 9000-9500 (or higher) (UDP) (send & receive) for RTP communications, which contain the actual call. Each call requires 2 RTP ports, one to control the call and one for the call data. Therefore, you must open twice as many ports as the number of simultaneous calls you wish to support via the VoIP Provider. For example, if you want to allow 4 people to make calls via the VoIP provider simultaneously, you must open ports 9000 to 9007.

Configuring ports to allow PUSH messages to smartphones

PUSH messages are sent by 3CX Phone System to Extensions using smartphones in order to wake up the devices to take calls. This greatly enhances the usability of the smartphone clients but requires configuration of the firewall to allow outbound PUSH messages.

Configuration for Remote Extensions

For remote extensions, you can use either the 3CX SBC (Tunnel) or Direct SIP. The 3CX SBC service bundles all VoIP traffic over a single port, which vastly simplifies firewall configuration and improves reliability. 3CXPhone for Android, iOS, Windows and Mac has the tunnel built in, and by running the 3CX SBC service on a remote network you can also connect IP phones via the tunnel. More information on SBC can be found in the next chapter.

Remote Extensions via 3CX Tunnel

To connect remote extensions via the 3CX Tunnel, you must open the following ports:

  • Port 5090 (UDP and TCP).
  • Port 80 HTTP / 443 HTTPS for 3CXPhone Presence and Phone Provisioning.

Note: HTTP and HTTPS ports can be configured during installation. If you have chosen to use custom ports other than 80/443 make sure to forward those.

Remote Extensions via direct SIP

If you wish to connect remote extensions via direct SIP, you must open the following ports:

  • Port 5060.
  • Port 5061 if using secure SIP.
  • Port 9000-9255 for RTP.
  • Port 80 HTTP / 443 HTTPS for 3CXPhone Presence and HTTP provisioning. Note: HTTP and HTTPS ports can be configured during installation. If you have chosen to use ports other than 80/443 make sure to forward those.

Configure WebRTC Ports

To be able to configure WebRTC call links, you need to make sure that you have a Public IP Address and configure your FQDN correctly during the setup of your 3CX Phone System. 3CX WebRTC gateway requires ports 9256-9499 UDP to be opened on your firewall/router and forwarded to your PBX.

You can open and forward all the ports required by the media server, in one go, by opening the range: UDP 9000-9499.

Note that the above port ranges are the default ports in 3CX Phone System. You can adjust these ports from the 3CX Management Console, in the “Settings” > “Network” node. From here, you can configure the ports to be used for internal calls, and the ports to be used for external calls being made via a VoIP Provider or calls to and from a remote extension.
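
The port lists above can be checked against a router's actual forwards so that only what the deployment needs is exposed. The following is an added example, not 3CX code: it derives the required forwards for a VoIP provider, the 3CX Tunnel and WebRTC from the default ports on this page and reports missing and unnecessary forwards. The function names, the rule format and the sample rules are assumptions constructed for illustration; direct SIP is left out because the page does not state the protocol for those ports.

```python
# Added example, not 3CX code. Port numbers are this page's defaults; function
# names and the (proto, first, last) rule format are assumptions.
def required_ports(trunk_calls=0, secure_sip=False, tunnel=False,
                   webrtc=False, web_ports=(80, 443)):
    """Return the (proto, port) pairs that must be forwarded to the PBX."""
    need = set()
    if trunk_calls > 0:
        need.add(("udp", 5060))                  # SIP signalling
        if secure_sip:
            need.add(("tcp", 5061))              # SIP over TLS
        # Two RTP ports per simultaneous call, starting at 9000.
        need |= {("udp", p) for p in range(9000, 9000 + 2 * trunk_calls)}
    if tunnel:
        need |= {("udp", 5090), ("tcp", 5090)}   # 3CX Tunnel
        need |= {("tcp", p) for p in web_ports}  # presence and provisioning
    if webrtc:
        need |= {("udp", p) for p in range(9256, 9500)}  # WebRTC gateway
    return need

def expand(rules):
    """Expand (proto, first, last) forwarding rules into (proto, port) pairs."""
    return {(proto, p) for proto, first, last in rules
            for p in range(first, last + 1)}

def to_ranges(pairs):
    """Collapse (proto, port) pairs into sorted (proto, first, last) ranges."""
    ranges = []
    for proto, port in sorted(pairs):
        if ranges and ranges[-1][0] == proto and ranges[-1][2] == port - 1:
            ranges[-1] = (proto, ranges[-1][1], port)
        else:
            ranges.append((proto, port, port))
    return ranges

def audit(rules, **deployment):
    """Return (missing, excess) ranges for a firewall's current forwards."""
    need, have = required_ports(**deployment), expand(rules)
    return to_ranges(need - have), to_ranges(have - need)

# Constructed sample: forwards from a hypothetical router export.
SAMPLE_RULES = [("udp", 5060, 5060), ("udp", 9000, 9499),
                ("tcp", 5090, 5090), ("tcp", 443, 443), ("tcp", 3389, 3389)]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, trunk_calls=4, tunnel=True)
    print("missing:", missing)
    print("excess: ", excess)
```

If custom HTTP/HTTPS ports were chosen during installation, pass them as `web_ports`.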

Firewall checker

After configuring your firewall, run the 3CX firewall checker to ensure that the configuration is correct.

See Also

Example configurations for popular firewalls:

 

 
