3CX Tunnel / 3CX Session Border Controller - 3CX

3CX Tunnel / 3CX Session Border Controller

Introduction

3CX includes the 3CX Tunnel, which makes it easier to bridge remote 3CX Phone Systems and connect remote extensions. The 3CX Tunnel combines all SIP (signaling) and RTP (media) VoIP packets from one location and delivers them to and from another location (typically the PBX Server) using a custom TCP protocol. This simple concept allows 3CX to overcome firewall or telecom provider issues. The 3CX Tunnel can be used for the following reasons:

  • Resolve NAT traversal issues at both the remote and the PBX location.
  • Simplify firewall configuration at both the remote and the PBX location.
  • Overcome difficulties with ISPs that block VoIP traffic based on port numbers.
  • Allow VoIP-over-WiFi in some restricted locations, such as hotel rooms.
  • “Fix” firewalls that cannot handle VoIP traffic correctly or that are very problematic to configure correctly, such as Microsoft ISA Server.

Note: Presence information is not yet carried through the Tunnel to the remote network. Make sure that the HTTP/HTTPS ports you chose during the installation are open on the PBX server side.

How it Works

The 3CX Tunnel

The image above demonstrates how the 3CX Tunnel works. In this example, 3CX Phone System is on IP Address 10.0.0.181, and listens on TCP port 5090 (by default) for incoming Tunnel traffic. We must set up a single Port Forwarding rule on the Modem or NAT/Firewall Device, telling it that all incoming TCP traffic received on port 5090 should be delivered to LAN IP Address 10.0.0.181.

The remote setup is shown on the left-hand side of the cloud. In this example, the machine with IP address 192.168.0.2 has 3CXPhone installed. We need to tell the VoIP phone the public IP address of the PBX Server (which in this case is 213.165.190.51), and also the private IP address of the PBX Server (which in this case is 10.0.0.181). Since 3CXPhone uses the standard port numbers of 3CX Phone System by default, typically no further configuration will be necessary.

3CX Tunnel technology can be used in the following scenarios:

  • Connect Remote Sites using the SBC - For remote sites with a number of remote phones, you can deploy the 3CX SBC to the site so that all phones will communicate with the 3CX PBX over a single port. This is also the preferred option in case 3CX Phone System is running in the cloud.
  • Connect Remote 3CXPhone Users - 3CXPhone for Windows, Mac, iOS and Android have a built in tunnel that will be used automatically when 3CXPhone detects it is not on the LAN. No configuration is necessary in 3CXPhone.
  • Connect 3CX Phone Systems via a Bridge - When creating a Bridge to another 3CX Phone System, you can choose to use the 3CX Tunnel rather than a direct connection. 

Configuring the Tunnel

We will use the example from “How it Works” above to configure a tunnel connection.

Step 1 – Configure the PBX

In the 3CX Management Console, select “Settings” > “Security” > “3CX Tunnel” tab.

  1. Configure the Tunnel Password (e.g. “r6W4Qi”).
  2. Set the Local IP to the local IP address of the NIC that will receive tunnel connections. If the PBX has only one NIC, there is no need to set this field. In our example this is 192.168.9.213.
  3. Set the Tunnel Listening Port to the port that will receive tunnel connections. The default value is 5090.
  4. Click “OK”. The Tunnel service will be restarted automatically.

Step 2 – Configure the Firewall

The Tunnel protocol is designed to eliminate NAT traversal problems and reduce Firewall configuration work to a minimum. There is only one Firewall setting that needs to be made – we must forward the TCP Tunnel port (set by default to 5090) to the PBX.

Configuring a Port Forward Rule in pfSense

The above picture shows the configuration for a pfSense firewall; most firewalls provide similar functionality. In your firewall:

  1. Enable Port Forwarding.
  2. Specify the PBX’s Local IP Address (which we had set previously to 192.168.9.213).
  3. Set the Type to TCP/UDP.
  4. Set the Port Range to be from 5090 to 5090 (only one port).
  5. Set the Comment field to 3CX Tunnel.
  6. Click on the Add button followed by the Apply button. Your firewall configuration is now done!
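
The check below is an added example, not part of the 3CX documentation: it audits a list of port-forward rules against the single-port setup described in this step, reporting a missing TCP 5090 forward as a failure and anything wider (extra ports, or UDP on a tunnel the text describes as TCP) as a warning. The `ForwardRule` shape, `audit_forwards` and the sample rules are hypothetical and constructed for illustration; they do not match any firewall's export format.

```python
from dataclasses import dataclass

TUNNEL_PORT = 5090  # default Tunnel Listening Port named in Step 1


@dataclass
class ForwardRule:
    """Constructed, simplified rule shape; not any firewall's export format."""
    proto: str       # "tcp", "udp" or "tcp/udp"
    port_from: int
    port_to: int
    target_ip: str
    comment: str = "rule"


def audit_forwards(rules, pbx_ip, tunnel_port=TUNNEL_PORT):
    """Return (severity, message) findings for forwards that target the PBX."""
    findings = []
    tunnel_forwarded = False
    for r in rules:
        if r.target_ip != pbx_ip:
            continue  # forwards to other hosts are out of scope here
        protos = set(r.proto.lower().split("/"))
        if "tcp" in protos and r.port_from <= tunnel_port <= r.port_to:
            tunnel_forwarded = True
        if r.port_from == r.port_to == tunnel_port:
            if "udp" in protos:
                findings.append(("warn", f"{r.comment}: UDP {tunnel_port} is forwarded, "
                                         "but the tunnel is described as a TCP protocol"))
        else:
            findings.append(("warn", f"{r.comment}: {r.proto} {r.port_from}-{r.port_to} "
                                     "reaches the PBX outside the single tunnel port"))
    if not tunnel_forwarded:
        findings.append(("fail", f"no rule forwards TCP {tunnel_port} to {pbx_ip}"))
    return findings


# Constructed sample rule set: the Step 2 rule plus a leftover direct-SIP forward.
SAMPLE_RULES = [
    ForwardRule("tcp/udp", 5090, 5090, "192.168.9.213", "3CX Tunnel"),
    ForwardRule("udp", 5060, 5060, "192.168.9.213", "old SIP forward"),
]

if __name__ == "__main__":
    for severity, message in audit_forwards(SAMPLE_RULES, "192.168.9.213"):
        print(f"[{severity}] {message}")
```
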

Step 3 – Configuring Remote Sites via 3CX SBC, 3CXPhone, Bridges

After you have configured the local tunnel connection and the firewall, the tunnel is “ready for use”. On the client side you must configure the 3CXPhones, an SBC or the Bridges accordingly.

3CX SBC (Session Border Controller)

The 3CX SBC is suitable for sites with multiple IP Phones in the same LAN. The SBC must be installed at the remote site and is available for Windows and Raspberry Pi:

3CXPhone Clients

No configuration is necessary for 3CXPhone clients. However, to view the 3CX Tunnel options, see the chapter Configuring the 3CX Phone System Clients – 3CXPhone.

3CX Bridges

To configure a Bridge using the 3CX Tunnel, see the Chapter Connecting 3CX - Bridges.
