Important! This guide applies only to 3CX Phone System 11. It does not apply to 3CX Phone System 12, where the setup wizard now automates the procedure.
This guide describes how to configure HTTPS / SSL for 3CX Phone System 11 installed on an Abyss Web Server. You need to be running 3CX Phone System Version 11 Build 27011 or later.
Note: If you have been running a previous release of 3CX Phone System 11, you will need to back up your 3CX Phone System, uninstall it, download the latest release of 3CX Phone System and perform a full reinstall. You can restore your configuration after the installation. Unfortunately, updating to Build 27011 through a Service Pack update does not work, since HTTPS support requires an update to the Abyss web server which cannot be performed through an SP update.
An appropriate certificate is required. 3CX Phone System requires end users to be able to verify the server’s identity with the certificate generated. In this case, you need to send a certificate request to a known certificate authority (CA) such as Thawte, VeriSign or GeoTrust, or you can obtain a certificate from an online CA. In this example we will use https://www.cacert.org
This document consists of 6 parts:
- Part 1: Creating a Certificate request in Abyss Web Server
- Part 2: Sending the Certificate request to the Certificate Authority and getting back a Server Certificate
- Part 3: Completing the Certificate request in Part 1 by entering the server certificate response from the Certificate Authority
- Part 4: Importing the Root Certificate from the Certificate Authority on the 3CX Server machine and any computer that will access 3CX MyPhone
- Part 5: Modifying 3CX MyPhone Web Configuration file for HTTPS to work
- Part 6: Creating the HTTPS binding in Abyss Web Server
Part 1: Creating a Certificate Request in Abyss Web Server
To create a certificate request in Abyss Web Server we need to activate the Abyss Web Server Administrator Console. Proceed as follows:
From the machine running 3CX Phone System, browse to the directory where 3CX Phone System is installed, which by default is <C:\Program Files\3CX PhoneSystem\Bin\Webserver>
Locate the file abyss or abyss.conf, right click and open it with a text editor.
Go to the bottom of the file and under the <version/> tag you should see a tag named <console/>. Inside <console/> there should be a tag named <port/>. Change the value from 0 to 8080 (or any other port of your choice).
Save the file, click Start > Run, type Services.msc and restart the service ‘Abyss Web Server’.
Open a browser and type http://127.0.0.1:8080 (Note: for security purposes, the Abyss Management console is by default only accessible from within the 3CX Phone System Server computer).
Enter the following credentials:
You will be presented with the Abyss Web Server Administrator Console.
Click on SSL/TLS Certificates.
In the section “Private Keys” click Add to generate a private key.
Enter a name for this private key – for example, voip4_key. In “Action” select “Generate”, and select “RSA 2048 bits” as the “Type”. Press OK when done.
Upon pressing OK, you will notice that a Private Key has been generated with the name of voip4_key.
Click on the Generate button to start the procedure to generate a certificate signing request.
Private Key: Select the private key that has been created. In this example we will select voip4_key
Host name: Insert the full domain name – in our example voip4.alarm-system.com
Fill in Organization name, Unit name, Locality, State/Province, Country code and contact email. Press OK when done.
A certificate request (CSR) will be generated. Copy the contents of the CSR and save into a text file. Name this text file “voip4_certificaterequest.txt”.
Press OK to complete this procedure.
Part 2: Sending the Certificate Request to the Certificate Authority and Getting Back a Server Certificate
Now that we have the certificate request, we need to send it to a trusted certificate authority in order to get a Server Certificate. If you are using a trusted certificate authority, follow their online documentation from this point onwards. In this example, we will use CAcert to generate the server certificate for our 3CX Phone System server.
Open a browser and browse to https://www.cacert.org. Create an account and, once it is activated, click on ‘Password login’ to log in.
Locate the text file that contains the certificate request generated in the previous step (“voip4_certificaterequest.txt” in our example) and open it using a text editor. Copy all the contents. Go back to CAcert’s site, click on Server Certificates > New, and paste the text. Click Submit. You will notice that the certificate request will contain the common name. Press Submit to submit this request.
On the next screen, CAcert will generate the Server certificate. Copy the server certificate in its entirety, paste it in a new text file and name it “servercertificate.cer”.
Part 3: Completing a Certificate Request in Abyss Web Server
Now that we have the server certificate, which contains the authorized response from the certificate authority, we can go back to Abyss Web Server to complete the certificate request.
Access the Abyss management console – http://127.0.0.1:8080. Click on SSL/TLS certificates.
In the Certificates section, click the Add button.
Enter a name for this certificate – for example: voip4.alarm-system.com
Select the private key used to generate the certificate request – in this example, voip4_key.
Type: Select Signed by a Certification Authority CA.
In the Main Certificate section, paste the contents of the Server certificate from the previous section – voip4servercertificate.txt in our example. Press OK when done.
The certificate has now been created for your domain. This certificate now can be used in the website binding.
Part 4: Importing the Root Certificate from the Certificate Authority on the 3CX Server Machine and any Computer that will Access 3CX MyPhone
Since CAcert’s root certificate does not come shipped with a Windows operating system, we also need to download and install the Root Certificate and Intermediate Certificate. If you are using Thawte or VeriSign you can skip this step.
From https://www.cacert.org/index.php?id=3 download the Root Certificate (PEM Format).
From https://www.cacert.org/certs/root.crt download the Intermediate Certificate (PEM format). Also download the file here: https://www.cacert.org/certs/class3.crt. Save these files in a folder on your computer. In our case, the folder is called voip3.alarm-system.com.
Next, click Start > Run, type ‘MMC’ and press Enter. From File select ‘Add or remove snap-in’.
Select Certificates and click Add.
On the next screen, select Computer Account.
Select ‘local computer’ so you access the certificate store on the local computer. Click Finish.
The selected snap-in is the one displayed on the right side. Press OK for MMC to open the Certificates (Local Computer) snap-in.
The above shows all the certificates that are installed on the Local computer. Expand the Certificates node > Trusted Root Certification Authorities > Certificates.
Click More in the Actions pane (on the right) and select All tasks > import.
The import certificate wizard will launch. Click Next to proceed.
Click Browse and specify the Root certificate which was downloaded in the previous step. In our example, this is named root.cer.
Select the location where you want this certificate to be installed. In our case we want to install this in the Trusted Root Certification Authorities store. Click Next to install the Root Certificate in this location.
The root CA for CAcert is successfully imported and you will see it in the trusted certificates store in the MMC console.
Next we need to install the Intermediate certificate.
Expand the node Intermediate Certification Authorities > Certificates. Right click > All tasks > Import.
Specify the intermediate certificate downloaded from CAcert (in this example, the file named class3.cer) and press Next.
Select the Intermediate Certification Authorities store and click Next.
You will be prompted that the Intermediate Certificate has been imported and you should see the certificate in the certificates list.
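A certificate placed in Trusted Root Certification Authorities is trusted by every application that uses the Windows certificate store, so compare the fingerprint of the downloaded file with the value the CA publishes before importing it. The following is an added example, not part of the original guide: the certificate bytes are a constructed stand-in, the function names are illustrative, and the published fingerprint must be taken from the CA itself.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file that is PEM or already DER."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":   # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Hex digest over the DER encoding, which is what CAs publish."""
    return hashlib.new(algo, cert_der(data)).hexdigest()

def safe_to_import(data: bytes, published_fp: str) -> bool:
    """True only if the file matches the fingerprint published by the CA."""
    want = re.sub(r"[\s:]", "", published_fp).lower()   # accept 'AB:CD:..' forms
    algo = {40: "sha1", 64: "sha256"}.get(len(want))    # pick hash by length
    if algo is None:
        return False
    return fingerprint(data, algo) == want

# Constructed stand-in bytes, NOT a real certificate and not CAcert's root.
CONSTRUCTED_DER = b"\x30\x82" + bytes(range(32))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(CONSTRUCTED_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    print("SHA-1  :", fingerprint(SAMPLE_PEM, "sha1"))
    print("matches placeholder:", safe_to_import(SAMPLE_PEM, "00" * 32))
```

The SHA-1 value is the same figure Windows shows as the Thumbprint of a certificate, so it can also be checked against the entry in the MMC snap-in after the import.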
Part 5: Configuring 3CX MyPhone to Work in HTTPS Mode
3CX MyPhone is a Silverlight application and requires a change to its configuration files which needs to be done manually.
When using Abyss, 3CX MyPhone cannot work in both HTTP and HTTPS. If you decide to use 3CX MyPhone in HTTPS only, you will need to comment out the HTTP section in the configuration file and uncomment the HTTPS section.
On the 3CX Phone System Server computer, browse to the <C:\ProgramData\3CX\Data\Http\Interface\MyPhone> directory (where C:\ProgramData is the path to the common application data folder). Locate the file Web or Web.config, right click and open it with a text editor.
First, search for the line that needs to be commented out. Search for ‘comment the below line for HTTPS to work’. The next line (also shown below) is the line that needs to be commented out.
<endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinary" contract="Tcx.Assistant.IAssistPubSub"/>
After commenting out this line, it should look like this:
<!-- endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinary" contract="Tcx.Assistant.IAssistPubSub"/ -->
Next, you will need to uncomment the line which enables HTTPS. This is found right below the line commented out above.
Before modifications, the line looks like this:
<!-- endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinaryHTTPS" contract="Tcx.Assistant.IAssistPubSub" -->
After modifications, it should look like this:
<endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinaryHTTPS" contract="Tcx.Assistant.IAssistPubSub" />
Save and close the file when done. 3CX MyPhone is now configured to use HTTPS only.
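The edit described in this part, scripted together with a check that only the HTTPS endpoint is left live. This is an added example, not part of the original guide or 3CX tooling: it assumes the two endpoint lines look like the ones quoted above, the function names are illustrative, and the sample fragment (including its mex endpoint) is constructed.

```python
import re

CONTRACT = 'contract="Tcx.Assistant.IAssistPubSub"'
HTTP_CFG, HTTPS_CFG = "PubSubChunkedBinary", "PubSubChunkedBinaryHTTPS"

# One pass over both forms: a commented-out endpoint (tried first, so an
# element inside a comment is never treated as live) or a live <endpoint/>.
ENDPOINT = re.compile(
    r'<!--\s*<?endpoint\b(?P<c>.*?)/?\s*>?\s*-->|<endpoint\b(?P<a>[^<>]*?)/?>',
    re.S)

def _binding(attrs):
    m = re.search(r'bindingConfiguration="([^"]*)"', attrs)
    return m.group(1) if m else None

def switch_to_https(config_text):
    """Comment out the HTTP MyPhone endpoint and enable the HTTPS one."""
    def repl(m):
        attrs = (m.group("c") if m.group("c") is not None else m.group("a")).strip()
        if CONTRACT not in attrs:
            return m.group(0)                  # some other endpoint: untouched
        if _binding(attrs) == HTTPS_CFG:
            return f"<endpoint {attrs} />"     # make (or keep) it live
        if _binding(attrs) == HTTP_CFG:
            return f"<!-- endpoint {attrs} / -->"
        return m.group(0)
    return ENDPOINT.sub(repl, config_text)

def active_bindings(config_text):
    """bindingConfiguration of every live IAssistPubSub endpoint."""
    live = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)
    return [_binding(e) for e in re.findall(r"<endpoint\b[^<>]*>", live)
            if CONTRACT in e]

# Constructed fragment modelled on the lines quoted above, not a real Web.config.
SAMPLE = '''<service name="constructed">
  <!-- comment the below line for HTTPS to work -->
  <endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinary" contract="Tcx.Assistant.IAssistPubSub"/>
  <!-- endpoint address="" binding="pollingDuplexBinding" bindingConfiguration="PubSubChunkedBinaryHTTPS" contract="Tcx.Assistant.IAssistPubSub" -->
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>'''

if __name__ == "__main__":
    updated = switch_to_https(SAMPLE)
    print(updated)
    print("live MyPhone bindings:", active_bindings(updated))
```

Run it against a copy of Web.config and keep the original as a backup; the result is correct when active_bindings returns exactly one entry, PubSubChunkedBinaryHTTPS.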
Part 6: Creating the HTTPS Binding in Abyss Web Server
Access the Abyss Administrator management console – http://127.0.0.1:8080.
Click on Configure.
In the protocol section select HTTP+HTTPS.
In the HTTPS Port section select whether you want the default HTTPS port (443) or whether you want another port.
In the Certificate drop-down menu, select the server certificate – in this example it’s voip4.alarm-system.com
Press OK to return to the General screen. The Abyss Management console will prompt you to restart Abyss Web server. Click on restart.
Congratulations – 3CX Phone System running on Abyss web server is now configured for HTTPS/TLS.
You can now access the following 3CX web sites using HTTPS:
- Management console: https://voip4.alarm-system.com/management or http://voip4.alarm-system.com:5000/management
- Web Reports: https://voip4.alarm-system.com/reports or http://voip4.alarm-system.com:5000/reports
- 3CX MyPhone: https://voip4.alarm-system.com/MyPhone (when HTTPS is enabled, normal HTTP cannot work).
- Wallboard: 3CX Wallboard has no support for HTTPS.
- 3CX MyPhone requires the root certificate to be installed on each client computer that needs to access 3CX MyPhone. If you are using Thawte, VeriSign or GeoTrust, the root certificate is shipped with Windows. If you use any other Certificate Authority which does not ship the root certificate with Windows, you will need to repeat Part 4 on all the users’ computers which need access to 3CX MyPhone. Failure to do so will cause 3CX MyPhone to work only with Internet Explorer. Alternatively you can use Group Policies to install the root or intermediate certificates on the computers in the domain.
- When using Abyss Web Server, 3CX MyPhone cannot use HTTP and HTTPS simultaneously. So if you need HTTPS, normal HTTP will need to be disabled.
- For security purposes it is good practice to disable the management console of Abyss webserver. You can do this by changing <console><port> from 8080 to 0. Save the file and restart the Abyss Web Server service.