
Softphone Outside Firewall


Anonymous

Great software, up and running in 10 minutes in a lab environment. Question, is it possible to connect a softphone client to the pbx from outside a firewall without a VPN connection? I think SIP is UDP, is there any way to configure things for TCP to make firewall configuration reasonable?

Thanks.

-Travis
 
Hi Travis,

If you open port 5060 on your firewall plus a client range (this range can usually be configured in your softphone software, X-Lite has the option) you should be in business (works for us). Also, mind the settings for 3CX (see General Settings) where port ranges for internal and external calls are set.
 
Travis,

you say that if I configure my X-Lite ports it is possible to use 3CX outside of the firewall???
 
Here's how we did it: we opened UDP 5060 on our firewall and NATed it to the 3CX server. We forced 3CX to use 7000-7500 for internal and 9000-9100 for external calls and opened and NATed these ports as well. Now, using X-Lite from outside our local network took a bit of tweaking, but this is the configuration we use that works:

Images removed (Broken links. Please upload through the forum)

Hope this helps.
 
Thanks for the info, helps to know someone has this working. I tried these settings with no luck so I ran a packet capture on the PBX and I see my SIP register request followed by a 407 Proxy Authentication Required response back to the remote client. Any ideas? Thanks again for your config.

-Travis
 
A 407 would indicate that you are using a proxy server between your SIP client and the (remote) 3CX server, or between the 3CX and the internet. In both cases you need to check your credentials between client and proxy and make sure that the ports mentioned before are allowed by the proxy server.

The configuration I described does not use a proxy, just a NAT-enabled firewall and router. If anyone has experience with a setup involving a proxy server (Microsoft ISA Server or other), with 3CX either in the DMZ or behind the proxy, would they be able to provide feedback on this setup?
 
lairdnet said:
Thanks for the info, helps to know someone has this working. I tried these settings with no luck so I ran a packet capture on the PBX and I see my SIP register request followed by a 407 Proxy Authentication Required response back to the remote client. Any ideas? Thanks again for your config.

-Travis

Yes, this is correct behavior of the PBX. If your phone client doesn't provide authentication info in the first registration request, the PBX will reply with 407 and expects that your client will re-send the registration with authentication info added to it. After receiving such a registration, the client is treated as registered.
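The 407 challenge and re-sent REGISTER described in the post above are SIP digest authentication (RFC 3261, which reuses the RFC 2617 scheme). As an added example, not part of the thread and not 3CX code, the following recomputes the response found in a captured Proxy-Authorization header so a failing registration can be checked against the expected password; the realm, nonce, extension and password are constructed values.

```python
import hashlib
import hmac
import re

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value):
    """Parse the value of a Proxy-Authenticate or Proxy-Authorization header."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', rest)
    return {name.lower(): quoted or bare for name, quoted, bare in pairs}

def digest_response(user, password, method, uri, params, nc="", cnonce=""):
    """RFC 2617 response value (MD5), with or without qop=auth."""
    ha1 = _md5(f"{user}:{params['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    offered = [q.strip() for q in params.get("qop", "").split(",")]
    if "auth" in offered:
        return _md5(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{params['nonce']}:{ha2}")

def credentials_match(authorization_value, password, method="REGISTER"):
    """Recompute the response found in a captured Proxy-Authorization value."""
    auth = parse_digest(authorization_value)
    expected = digest_response(auth["username"], password, method, auth["uri"],
                               auth, auth.get("nc", ""), auth.get("cnonce", ""))
    return hmac.compare_digest(expected, auth.get("response", "").lower())

# Constructed sample: realm, nonce, extension and password are made up.
CHALLENGE = 'Digest realm="pbx.example.test", nonce="5f3c9a1e7b2d", algorithm=MD5'
EXTENSION, PASSWORD, URI = "100", "example-secret", "sip:pbx.example.test"

def second_register_header():
    """Header value the client adds when it re-sends REGISTER after the 407."""
    chal = parse_digest(CHALLENGE)
    resp = digest_response(EXTENSION, PASSWORD, "REGISTER", URI, chal)
    return (f'Digest username="{EXTENSION}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{URI}", response="{resp}", algorithm=MD5')

if __name__ == "__main__":
    value = second_register_header()
    print("Proxy-Authorization:", value)
    print("right password:", credentials_match(value, PASSWORD))
    print("wrong password:", credentials_match(value, "not-the-secret"))
```

A single 407 followed by a REGISTER carrying this header and then a 200 OK is the normal exchange; a capture that shows 407 again after the authenticated REGISTER points at the credentials rather than the firewall.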
 
That's interesting, does that mean that 3CX acts as a (SIP) Proxy? And if so, would it be possible to "slave" a 3CX server to another 3CX server? This would open up some interesting implementation scenarios (multiple offices with interconnected 3CX servers, for example).
 
So I have this working, just not ideal from a firewall configuration perspective. My current environment is the 3CX PBX behind an ISA 2006 firewall. Opened 5060 UDP and 7100-7200 UDP inbound. Remote end has an X-Lite client behind an ISA 2004 firewall. Configured X-Lite to use ports 7100-7101 and opened firewall 7100-7101 UDP inbound to the client and have call setup between the remote X-Lite client and a local 3CX Phone client. Is there any way to get this going over TCP so the client end doesn't need firewall rules (or the firewall client software in the case of ISA)? Great stuff.

-Travis
 
Watashi_FR said:
That's interesting, does that mean that 3CX acts as a (SIP) Proxy? And if so, would it be possible to "slave" a 3CX server to another 3CX server? This would open up some interesting implementation scenarios (multiple offices with interconnected 3CX servers, for example).

Yes, it's possible. Not in the current version, though. But we're now working on a new version which will be ready for those scenarios.
 
lairdnet said:
..... Is there any way to get this going over TCP so the client end doesn't need firewall rules (or the firewall client software in the case of ISA)? Great stuff.

-Travis

Thank you for the nice feedback :)
It is possible to make SIP prefer a TCP/IP connection, but right now this option is not yet accessible to users. Anyway, there is no possibility to make the RTP stream go over SIP, so it will always use UDP.
 